Event Set Authentication.IsAuthenticated=true did the trick.
Seems that initial authentication is 'persisted' in this way for following request.
Wonder how long this caching lasts.
the "caching" of authentication data in this case is valid for the connection. The CONNECT is authenticated and all the GETs/POSTs that are coming after the initial CONNECT are authenticated until the last request is processed and the client/server closes the connection.