RFC Errata
RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010
Note: This RFC has been updated by RFC 7677, RFC 9266
Source of RFC: sasl (sec)
Errata ID: 5271
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: David Golden
Date Reported: 2018-03-02
Section 5.1, 7 says:
Section 5.1:
o e: This attribute specifies an error that occurred during
authentication exchange. It is sent by the server in its final
message and can help diagnose the reason for the authentication
exchange failure. On failed authentication, the entire server-
final-message is OPTIONAL; specifically, a server implementation
MAY conclude the SASL exchange with a failure without sending the
server-final-message. This results in an application-level error
response without an extra round-trip. If the server-final-message
is sent on authentication failure, then the "e" attribute MUST be
included.
Section 7:
server-first-message =
[reserved-mext ","] nonce "," salt ","
iteration-count ["," extensions]
It should say:
Section 5.1:
o e: This attribute specifies an error that occurred during
authentication exchange. It is sent by the server in its first
or final message and can help diagnose the reason for the
authentication exchange failure. On failed authentication, the
entire server-first-message or server-final-message is OPTIONAL;
specifically, a server implementation MAY conclude the SASL
exchange with a failure without sending the a message. This
results in an application-level error response without an extra
round-trip. If a server message is sent on authentication
failure, then the "e" attribute MUST be included.
Section 7:
server-first-message-bare =
[reserved-mext ","] nonce "," salt ","
iteration-count
server-first-message = (server-error / server-first-message-bare)
["," extensions]
Notes:
Many of the server-error message options in the formal syntax apply to fields received in the client-first message, e.g. "invalid-username-encoding" or "extensions-not-supported". There is no existing provision in the formal syntax for a server to return a server-error in response to a client-first message. The intent of the server-error field appears to include responses to the client-first message and there are no meaningful responses to such errors. E.g. what salt and iteration count should be returned in the case of invalid-username-encoding? Therefore, this proposed errata allows server-error to be returned as the server-first-message and amends the explanatory text of section 5.1 accordingly.