Decoding the PLAIN exchange, Converse is sending both an authcid (authentication identity) and an authzid (authorization identity) for the same identity (although obviously the authcid is without the domain and the authzid is with). It MUST NOT do this:

If the initiating entity does not wish to act on
behalf of another entity, it MUST NOT provide an authorization
identity.

(RFC6120 6.3.8)