[Standards] rfc3920bis: SASL "fallback" on auth failure

Ralph Meijer jabber.org at ralphm.ik.nu
Wed Mar 26 09:33:29 UTC 2008


On Tue, 2008-03-25 at 15:16 -0600, Peter Saint-Andre wrote:
> Evan Schoenberg of the Adium project pinged offlist regarding the proper
> behavior for a client to follow if SASL authentication fails using one
> mechanism but other mechanisms are available.
> [..]

If one mechanism fails with <not-authorized/>, why would another one
succeed, exactly? I would say that a client should choose one mechanism
that is offered by the server (maybe the 'strongest', whatever that is)
and stick to it.

Note that for other failures, like <mechanism-too-weak/>, changing
mechanisms might be useful.

-- 
Groetjes,

ralphm
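
The policy described in the message above, as an added Python example that is not part of the original post or of any client's code: choose the strongest offered mechanism, stop on `<not-authorized/>`, and change mechanisms only on `<mechanism-too-weak/>`, moving to a stronger one. The `RANKING` order, the function names and the sample stanzas are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
# Assumed client ranking, strongest first; not taken from the thread.
RANKING = ["SCRAM-SHA-1", "DIGEST-MD5", "PLAIN"]

# Constructed sample stanzas (not captured traffic). ElementTree is used for
# these samples only; a real client parses the stream with DTDs/entities rejected.
FEATURES = (f"<mechanisms xmlns='{SASL_NS}'><mechanism>PLAIN</mechanism>"
            "<mechanism>DIGEST-MD5</mechanism></mechanisms>")
NOT_AUTHORIZED = f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"
TOO_WEAK = f"<failure xmlns='{SASL_NS}'><mechanism-too-weak/></failure>"

def offered_mechanisms(mechanisms_xml):
    """Mechanism names from the server's <mechanisms/> stream feature."""
    root = ET.fromstring(mechanisms_xml)
    return [m.text.strip() for m in root.findall(f"{{{SASL_NS}}}mechanism") if m.text]

def failure_condition(failure_xml):
    """Local name of the condition element inside a SASL <failure/>."""
    root = ET.fromstring(failure_xml)
    if root.tag != f"{{{SASL_NS}}}failure":
        raise ValueError("not a SASL failure element")
    for child in root:
        name = child.tag.rsplit("}", 1)[-1]
        if name != "text":  # skip the optional human-readable <text/>
            return name
    return None

def pick_strongest(offered):
    """First mechanism in RANKING that the server offers, else None."""
    return next((m for m in RANKING if m in offered), None)

def next_mechanism(condition, failed, offered):
    """Mechanism to retry with, or None to stop and report the failure."""
    if condition != "mechanism-too-weak" or failed not in RANKING:
        return None  # e.g. not-authorized: stick with the mechanism chosen
    stronger = RANKING[:RANKING.index(failed)]
    # Only move up the ranking, never down to something weaker.
    return pick_strongest([m for m in offered if m in stronger])

if __name__ == "__main__":
    offered = offered_mechanisms(FEATURES)
    print("initial choice:", pick_strongest(offered))
    print("after not-authorized:",
          next_mechanism(failure_condition(NOT_AUTHORIZED), "DIGEST-MD5", offered))
    print("after mechanism-too-weak on PLAIN:",
          next_mechanism(failure_condition(TOO_WEAK), "PLAIN", offered))
```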



