> That's not really true, because the caller hardcodes the mechanism > descriptor.
I meant that the caller shouldn't depend on the implementation details of the mechanism. The abandoned comment says that '"Abandoned" is a SASL-specific state similar to STATUS_EOF ...', yet later it also depends on an implementation detail of which sasl mechanism actually use it. > (If more things than OAuth need this eventually, maybe it becomes > STATUS_SILENT_ERROR or something, to make it even more generic?) That's a good idea, better than my error level suggestion. The code would actually shorter, because you could remove the programmer error check from CheckSASLAuth. The diff also, because it would work without modifying the calls to it. The patch is also good as-is, all these comments in the last few messages are just very minor details, I probably spent way too much time thinging about how to make this not oauth specific in the generic part of the code.
