RFC Errata
RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010
Note: This RFC has been updated by RFC 7677, RFC 9266
Source of RFC: sasl (sec)
Errata ID: 5580
Status: Reported
Type: Editorial
Publication Format(s) : TEXT
Reported By: Wang Xin
Date Reported: 2018-12-19
Section 7 says:
     server-error-value = "invalid-encoding" /
                     "extensions-not-supported" /  ; unrecognized 'm' value
                     "invalid-proof" /
                     "channel-bindings-dont-match" /
                     "server-does-support-channel-binding" /
                       ; server does not support channel binding
                     "channel-binding-not-supported" /
                     "unsupported-channel-binding-type" /
                     "unknown-user" /
                     "invalid-username-encoding" /
                       ; invalid username encoding (invalid UTF-8 or
                       ; SASLprep failed)
                     "no-resources" /
                     "other-error" /
                     server-error-value-ext
              ; Unrecognized errors should be treated as "other-error".
              ; In order to prevent information disclosure, the server
              ; may substitute the real reason with "other-error".
It should say:
     server-error-value = "invalid-encoding" /
                     "extensions-not-supported" /  ; unrecognized 'm' value
                     "invalid-proof" /
                     "channel-bindings-dont-match" /
                     "server-does-support-channel-binding" /
                       ; the client thinks the server does not support
                       ; channel binding, but the server does
                     "channel-binding-not-supported" /
                     "unsupported-channel-binding-type" /
                     "unknown-user" /
                     "invalid-username-encoding" /
                       ; invalid username encoding (invalid UTF-8 or
                       ; SASLprep failed)
                     "no-resources" /
                     "other-error" /
                     server-error-value-ext
              ; Unrecognized errors should be treated as "other-error".
              ; In order to prevent information disclosure, the server
              ; may substitute the real reason with "other-error".
Notes:
See Section 6, "If the flag is set to "y" and the server supports channel binding, the server MUST fail authentication."
I assume the server-error-value "server-does-support-channel-binding" is designed for such a situation.
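
Added example (not part of the erratum or of RFC 5802): a server-side check of the gs2-cbind-flag that returns the Section 7 error value for each failing case, showing where "server-does-support-channel-binding" fits as a downgrade signal. The function names, the SUPPORTED_CB_TYPES set, the sample messages and the error mapping for the "p=" branch are assumptions made for illustration.

```python
# Added example: gs2-cbind-flag handling for a SCRAM client-first-message.
# SUPPORTED_CB_TYPES and both function names are hypothetical.
SUPPORTED_CB_TYPES = {"tls-unique"}  # assumption: what this sample server offers


def check_cbind_flag(client_first, server_supports_cb=True,
                     supported_types=SUPPORTED_CB_TYPES):
    """Return None if the exchange may continue, else a server-error-value."""
    # gs2-header = gs2-cbind-flag "," [authzid] ","  then client-first-message-bare.
    # A literal "," inside a saslname is sent as "=2C", so splitting is safe.
    parts = client_first.split(",", 2)
    if len(parts) < 3:
        return "invalid-encoding"
    flag = parts[0]
    if flag == "n":
        # Client does not support channel binding: nothing to verify.
        return None
    if flag == "y":
        # Client supports binding but believes the server does not. If the
        # server does, the advertised mechanism list the client saw was
        # altered in transit, and Section 6 says the server MUST fail.
        if server_supports_cb:
            return "server-does-support-channel-binding"
        return None
    if flag.startswith("p="):
        # Client requires binding of the named type (mapping is an assumption
        # based on the names of the error values).
        if not server_supports_cb:
            return "channel-binding-not-supported"
        if flag[2:] not in supported_types:
            return "unsupported-channel-binding-type"
        return None
    return "invalid-encoding"


def server_final_error(value, hide_reason=False):
    # Section 7 allows substituting "other-error" to limit information disclosure.
    return "e=" + ("other-error" if hide_reason else value)


if __name__ == "__main__":
    # Constructed sample messages (user name and nonce are made up).
    for msg in ("n,,n=user,r=constructednonce",
                "y,,n=user,r=constructednonce",
                "p=tls-unique,,n=user,r=constructednonce"):
        print(msg.split(",")[0], "->", check_cbind_flag(msg))
```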