At the moment if a successful ServerAuthModule associated with the underlying session we restore it on future requests and skip the Jakarta Authentication call.

Instead we should still be running the SAMs to give them an opportunity to check they want to use the identity restored.