In theory, all of the HTTP clients for Java should work in an authentication plugin. I know of Apache HTTPClient and Netty that they work perfectly for such tasks. I've created an example plugin on Github to show a proof of concept with Apache HTTPClient. Although the API is a bit clumsy, HTTPClient is rock solid (and threadsafe!).
As you already stated, proper caching is very important when you want to scale with the mechanism. Blocking is not a problem in the AuthenticationCallback, because HiveMQ needs to wait for the answer of the server which provides the restful API. I personally would use a small timeout, though.
I hope this helps for getting you started with the REST authentication. For more in-depth discussions about that topic, there is also a HiveMQ Google Group.