will / crystal-pg

a postgres driver for crystal


scram: SASLPrep for passwords

will opened this issue · comments

Right now the scram support does not run the password through SASLprep, so not all technically valid passwords will be able to authenticate using scram. I decided to release scram support even with this deficiency, since without scram support 100% of the passwords for scram would fail ;)

Some information copied from @jkatz's comments on #176:

The password needs to be normalized with SASLPrep (well, PostgreSQL flavored SASLPrep), otherwise some valid passwords will fail. Here is an example of how to do it:
https://github.com/MagicStack/asyncpg/blob/master/asyncpg/protocol/scram.pyx#L263

and

So what PostgreSQL does is that any UTF8 string goes through SASLprep. If it's not a UTF-8 string, or if it fails at certain parts of the SASLprep, then it just passes the string through. The server-side implementation can be found here:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c

Certain passwords will fail without following it. Here's an example of some of the test cases to try:

https://github.com/MagicStack/asyncpg/blob/master/tests/test_connect.py#L238

It doesn't look like Crystal has unicode_normalize_kc or any sort of unicode normalization yet.

Also I'm not sure all of the tables in crystal's stdlib src/unicode/data.cr exactly match up for the things needed for saslprep, so some custom tables might need to be added.

I pushed a branch that mostly just has failing tests, but this seems like it'll be a bit of work before it comes together. So any help here would be welcome.
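As an added example (not crystal-pg's code, and not copied from asyncpg or PostgreSQL), here is the PostgreSQL-flavored SASLprep flow described above, written in Python because its stdlib already carries the RFC 3454 tables (`stringprep`) and NFKC (`unicodedata`) that the Crystal stdlib is missing; a Crystal port needs exactly those two pieces. The three outcomes a client has to handle are modelled as `Rc`: pure ASCII is returned untouched, input that is not UTF-8 or that SASLprep rejects makes the client fall back to the raw bytes, and everything else is normalized before it goes into Hi(). The salt and sample passwords are constructed for the demo, and `salted_password(..., prep=False)` stands in for a client that skips the step.

```python
"""PostgreSQL-flavored SASLprep for a SCRAM-SHA-256 client (added example)."""
from __future__ import annotations

import hashlib
import hmac
import stringprep
import unicodedata
from enum import Enum


class Rc(Enum):
    """The three pg_saslprep() outcomes a client must act on."""
    SUCCESS = "success"
    INVALID_UTF8 = "invalid_utf8"
    PROHIBITED = "prohibited"


# SASLprep prohibited-output tables (RFC 4013 section 2.3) plus the
# unassigned code points (A.1), which PostgreSQL also rejects.
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9, stringprep.in_table_a1,
)


def pg_saslprep(raw: bytes) -> tuple[Rc, str | None]:
    """Return (rc, prepared) for the raw password bytes."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return Rc.INVALID_UTF8, None        # not UTF-8: caller uses raw bytes
    if text.isascii():                      # pure ASCII needs no processing
        return Rc.SUCCESS, text

    # 1) Map: non-ASCII spaces (C.1.2) become U+0020, "commonly mapped to
    #    nothing" (B.1) is dropped. C.1.2 is tested first, as saslprep.c does,
    #    which decides the fate of U+200B (it appears in both tables).
    mapped = []
    for ch in text:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    if not mapped:                          # empty after mapping is rejected
        return Rc.PROHIBITED, None

    # 2) Normalize with NFKC.
    out = unicodedata.normalize("NFKC", "".join(mapped))

    # 3) Prohibit: any character from the tables above rejects the string.
    for ch in out:
        if any(table(ch) for table in _PROHIBITED):
            return Rc.PROHIBITED, None

    # 4) Bidi (RFC 3454 section 6): if any RandALCat (D.1) character is
    #    present there must be no LCat (D.2) character, and the first and
    #    last characters must both be RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            return Rc.PROHIBITED, None
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            return Rc.PROHIBITED, None
    return Rc.SUCCESS, out


def client_password(raw: bytes) -> bytes:
    """Bytes fed into Hi(): the prepared form, or the raw password whenever
    the server would also have used the raw password."""
    rc, prepared = pg_saslprep(raw)
    return prepared.encode("utf-8") if rc is Rc.SUCCESS else raw


def salted_password(raw: bytes, salt: bytes, iterations: int, prep: bool = True) -> bytes:
    """SCRAM-SHA-256 SaltedPassword = Hi(password, salt, i) = PBKDF2-HMAC-SHA-256.
    prep=False reproduces a client that skips SASLprep."""
    password = client_password(raw) if prep else raw
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)


def stored_key(raw: bytes, salt: bytes, iterations: int) -> bytes:
    """StoredKey = H(HMAC(SaltedPassword, "Client Key")), what the server verifies against."""
    client_key = hmac.new(salted_password(raw, salt, iterations), b"Client Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest()


if __name__ == "__main__":
    # Constructed inputs, one per branch of pg_saslprep().
    for label, pw in [
        ("ROMAN NUMERAL NINE -> IX", "\u2168".encode()),
        ("soft hyphen dropped", "pass\u00adword".encode()),
        ("EN QUAD -> space", "a\u2000b".encode()),
        ("bidi violation, raw used", "\u0627\u0031".encode()),
        ("U+FFFD prohibited, raw used", "a\ufffdb".encode()),
        ("invalid UTF-8, raw used", b"\xff\xfe"),
    ]:
        print(f"{label:30} {pg_saslprep(pw)}")
    salt, iters = b"constructed-salt", 4096      # constructed, not a real verifier
    print("prepped client matches server:",
          stored_key("\u2168".encode(), salt, iters) == stored_key(b"IX", salt, iters))
    print("unprepped client matches server:",
          salted_password("\u2168".encode(), salt, iters, prep=False) == salted_password(b"IX", salt, iters))
```

The last two lines of the demo are the failure this issue is about: the server ran the password through SASLprep when the role was created, so a client that hashes the raw bytes of a password like `\u2168` derives a different SaltedPassword and the proof never verifies, while a client that preps first lands on the same key. Two caveats for the Crystal port: the `stringprep` tables here are the RFC 3454 ones (Unicode 3.2), whereas NFKC uses whatever Unicode version the runtime ships, so agreement with the server is only as good as the tables on both sides, which is the same table-matching question raised above about `src/unicode/data.cr`; and the fallback to the raw password on `INVALID_UTF8` and `PROHIBITED` is what keeps such passwords working at all, so the client must not reject them.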