Receiving "(using password: NO)" when password was given

[raulsh]

Issue description

I'm connecting to MySQL using a password (token) generated through AWS IAM (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Go.html#UsingWithRDS.IAMDBAuth.Connecting.GoV2).

So the user needs to be created with a specific authentication and not "just" password:
CREATE USER jane_doe IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS'; (but the token is still a password that expire after 15 minutes).

When I use that token or even a random input (invalid password, of course) with that user, I receive the message that i'm not using a password.
Error 1045 (28000): Access denied for user 'XXXX'@'YY.YY.YY.YY' (using password: NO)

The weird thing is the (using password: NO) is just with my code, but in terminal the behaviour is OK (even with an incorrect password - just to ensure). To test if the token generation is valid or not, I printed the token generated with my code and I used it in the terminal (mysql -h ... -u .... -p(token)) and it works fine.

My last test, just to ensure if users without IAM authentication have the same behaviour, I tried with another user (without IAM auth - traditional password access) with an invalid password, and I'm receiving the expected output: Error 1045 (28000): Access denied for user 'XXXX'@'YY.YY.YY.YY' (using password: YES)

I changed all the settings that I can, but is still not working. I don't know if is a problem from my side or it's a lib issue.

Example code

	username := m.Username
	password, err := auth.BuildAuthToken(
		m.ctx, endpoint, m.Region, m.Username, m.Creds,
	)
	if err != nil {
		return err
	}

	cfg := mysql.NewConfig()
	cfg.User = username
	cfg.Passwd = password
	cfg.Net = "tcp"
	cfg.Addr = endpoint
	cfg.DBName = "XXXXX"
	cfg.AllowCleartextPasswords = true
	cfg.ParseTime = true

	fmt.Printf("%+v\n", cfg)

	connector, err := mysql.NewConnector(cfg)
	if err != nil {
		return err
	}

	db := sql.OpenDB(connector)

Error log

2024-03-23T15:43:59.536-0300    ERROR   provisioner/router.go:91        error getting databases {"error": "Error 1045 (28000): Access denied for user 'XXX'@'YY.YY.YY.YY' (using password: NO)"}

Configuration

Driver version (or git SHA): v1.8.0

Go version: go1.21.5 linux/amd64

Server version: MySQL 8.0.28

Server OS: AWS RDS

[methane]

Is that an only log message? No log like "unknown auth plugin"?

I haven't use cleartext plugin so don't expect quick fix.
If you are Go developer, you can debug it by seeing around here.

mysql/auth.go

Lines 348 to 354 in d7ddb8b

	authData, newPlugin, err := mc.readAuthResult()
	if err != nil {
	return err
	}
	// handle auth plugin switch, if requested
	if newPlugin != "" {

mysql/auth.go

Lines 277 to 302 in d7ddb8b

	func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
	switch plugin {
	case "caching_sha2_password":
	authResp := scrambleSHA256Password(authData, mc.cfg.Passwd)
	return authResp, nil
	case "mysql_old_password":
	if !mc.cfg.AllowOldPasswords {
	return nil, ErrOldPassword
	}
	if len(mc.cfg.Passwd) == 0 {
	return nil, nil
	}
	// Note: there are edge cases where this should work but doesn't;
	// this is currently "wontfix":
	// https://github.com/go-sql-driver/mysql/issues/184
	authResp := append(scrambleOldPassword(authData[:8], mc.cfg.Passwd), 0)
	return authResp, nil
	case "mysql_clear_password":
	if !mc.cfg.AllowCleartextPasswords {
	return nil, ErrCleartextPassword
	}
	// http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
	// http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
	return append([]byte(mc.cfg.Passwd), 0), nil

[shogo82148]

It is not the driver issue.
I've connected to Amazon RDS Aurora using AWS IAM authentication, and it worked fine.

My tested code is here:
https://github.com/shogo82148/rdsmysql/blob/main/v2/README.md

There might be a problem with your code. Possible causes include:

• TLS is not enabled
• Please check the format of the endpoint. While the port number can be omitted in mysql.Config, it cannot be omitted in the arguments for auth.BuildAuthToken.