AuthenticationProviderManager::isAuthenticated does not work in authentication request
If the client does not have a session and the client authenticates, then a new session is created. The method isAuthenticated checks if the current session canBeResumed(), but that method again checks for the session in $_COOKIE. Since the session was just created, the isAuthenticated method never works in the authentication request. It only starts working in all subsequent requests, since the new session is then available in $_COOKIE.