We use ejabberd_http_auth and SASL Plain.
We have multiple passwords (which are in fact oauth tokens) per user.

When the auth cache is enabled if a user authenticates with a password then every other connected clients gets disconnected.

auth_use_cache: false fixes the issue

I can imagine why this happens and I'm not entirely sure if this should be considered a bug. If not, let me know and I can send a PR to the documentation.

I think that, if your custom auth script accepts different passwords for the same username, then you can't use ejabberd's caching. I'm curious to read your changes in the documentation.