Ralph Meijer wrote:
On Tue, 2008-03-25 at 15:16 -0600, Peter Saint-Andre wrote:
Evan Schoenberg of the Adium project pinged offlist regarding the proper
behavior for a client to follow if SASL authentication fails using one
mechanism but other mechanisms are available.
[..]
If one mechanism fails with <not-authorized/>, why would another one
succeed, exactly?
Because different mechanisms might be using different authentication
databases. For example DIGEST-MD5 and GSSAPI.
I would say that a client should choose one mechanism
that is offered by the server (maybe the 'strongest', whatever that is)
and stick to it.
Note that for other failures, like <mechanism-too-weak/>, changing
mechanisms might be useful.