I am trying 2.5.0 with SASL turned on and my consumer and producer clients receive:
I believe this is due to https://github.com/apache/kafka/commit/0a2569e2b9907a1217dd50ccbc320f8ad0b42fd0 which added flexible version support and bumped the protocol version.
It appears that the SaslClientAuthenticator uses the max version for SASL_HANDSHAKE received in the broker's API_VERSIONS response, and then uses that version even though it may not support it. See https://github.com/apache/kafka/blob/eb09efa9ac79efa484307bdcf03ac8eb8a3a94e2/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.java#L290.
This may make it hard to ever evolve this schema. In the short term I suggest we roll back the version bump and flexible schema until we figure out a path forward.
It appears that this may not have been a problem in the past because the schema versions were the same and maybe we didn't validate the version number https://github.com/apache/kafka/commit/0cf7708007b01faac5012d939f3c50db274f858d#diff-7f65552a2e23aa7028500f8db06cbb30R47
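The version-selection problem described in this report, as an added example that is not part of the original report and is not Kafka code: it contrasts taking the broker's advertised maximum as-is with picking the highest version both sides support. The class, the method names and the version ranges are hypothetical and constructed for illustration.

```java
// Added illustration; class, method names and version numbers are hypothetical, not Kafka code.
public class SaslHandshakeVersionNegotiation {

    /** Inclusive version range for one API key, as supported or advertised by a peer. */
    record VersionRange(short min, short max) {}

    // Behaviour described in the report: use the broker's maximum without
    // checking it against what the client itself can serialize.
    static short brokerMaxOnly(VersionRange broker) {
        return broker.max();
    }

    // Negotiated choice: highest version inside both ranges, or fail closed.
    static short highestCommon(VersionRange client, VersionRange broker) {
        short candidate = (short) Math.min(client.max(), broker.max());
        short floor = (short) Math.max(client.min(), broker.min());
        if (candidate < floor) {
            throw new IllegalStateException("No common SASL_HANDSHAKE version: client "
                    + client + ", broker " + broker);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed ranges: an older client talking to a newer broker.
        VersionRange client = new VersionRange((short) 0, (short) 1);
        VersionRange broker = new VersionRange((short) 0, (short) 2);

        short naive = brokerMaxOnly(broker);
        boolean clientSupportsNaive = naive >= client.min() && naive <= client.max();
        System.out.println("broker max only: v" + naive
                + " (client supports it: " + clientSupportsNaive + ")");
        System.out.println("highest common:  v" + highCommonLabel(client, broker));

        // Disjoint ranges must abort authentication rather than guess a version.
        try {
            highestCommon(client, new VersionRange((short) 3, (short) 4));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    // Small helper so the printed line shows the negotiated version number.
    static short highCommonLabel(VersionRange client, VersionRange broker) {
        return highestCommon(client, broker);
    }
}
```

With the constructed ranges, the first strategy selects a version outside the client's range, while the second settles on the client's own maximum and refuses to proceed when the ranges do not overlap.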