Seems to be as a result of
QPID-3393 (i.e. regression since 0.12) which was a fix for CRAM-MD5. From a simplistic point of view it seems like the CRAM-MD5 mechanism requires an empty response string to be treated as null, whereas for the EXTERNAL mechanism an empty response should be treated as a zero length string. It may be though that there is more to this than that.