WildFly Elytron / ELY-1203

Elytron AuthenticationConfiguration uses SASL mechanism from incorrect security Provider in some cases


      In our tests for the PLAIN SASL mechanism in the AS testsuite we realized a wrong SaslClient implementation is used. Instead of the Elytron one, the JDK-provided one is used (com.sun.security.sasl.PlainClient).

      The Elytron client builds the AuthenticationContext and runs the executed code in this way:

      AuthenticationConfiguration authnCfg = AuthenticationConfiguration.EMPTY.allowSaslMechanisms(MECHANISM_PLAIN)
              .useName(USERNAME).usePassword("wrongPassword")
              .useDefaultProviders();
      AuthenticationContext.empty().with(MatchRule.ALL, authnCfg).run(...)
      

      It seems to be related to what's included on the classpath. When we use the same code in elytron-client-demo the correct mechanism is used.

            darran.lofthouse@redhat.com Darran Lofthouse
            josef.cacek@gmail.com Josef Cacek (Inactive)
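
A diagnostic for the symptom reported above, added here as an example and not taken from the issue or from Elytron: it uses only JDK APIs to list which installed security providers register a PLAIN `SaslClientFactory` and which client class the JDK's own `Sasl.createSaslClient` lookup returns. The class name `SaslPlainProviderCheck`, the credentials, protocol and server name are constructed placeholders, and it is an assumption that the JVM-wide provider list inspected here is the one the failing configuration consults.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

public class SaslPlainProviderCheck {
    static final String MECHANISM = "PLAIN";

    public static void main(String[] args) throws Exception {
        // 1. Every installed provider that registers a PLAIN client factory,
        //    in preference order (position 1 is consulted first).
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider.Service svc = providers[i].getService("SaslClientFactory", MECHANISM);
            if (svc != null) {
                System.out.printf("%2d %-24s %s%n", i + 1, providers[i].getName(), svc.getClassName());
            }
        }

        // 2. The implementation the JDK lookup actually returns. The JDK PLAIN
        //    client asks for credentials at creation time, so supply constructed
        //    placeholder values through the handler.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("demo-user");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("demo-password".toCharArray());
                }
            }
        };
        SaslClient client = Sasl.createSaslClient(new String[] {MECHANISM}, null,
                "demo", "localhost", Collections.<String, Object>emptyMap(), handler);
        System.out.println("selected: "
                + (client == null ? "none" : client.getClass().getName()));
        if (client != null && client.getClass().getName().startsWith("com.sun.security.sasl.")) {
            System.out.println("WARNING: JDK-provided SASL client selected");
        }
    }
}
```

Running it once with the test suite's classpath and once with the demo project's classpath shows whether the provider list or its ordering differs between the two.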