Right now the mechanism plugins set the username portion of JIDs, but some auth plugins need to override the user specified username based on credentials (eg, exchanging an OAuth token for a JID).
The SASL API does not provide enough flexibility to auth plugins here.
The workaround until now has been rolling your own SASL object in the plugin, but this is a lot of boilerplate. An example is mod_auth_phpbb3, which does automatic username escaping: http://hg.prosody.im/prosody-modules/file/e8eebf281405/mod_auth_phpbb3/mod_auth_phpbb3.lua#l230
I don't believe this will make it to 0.10, bumping milestone.