What do you mean by “authentication to do it’s job before authorization is even considered”? In the case of someone that’s not logged in, authentication has arguably done it’s job; it’s confirmed that there is nobody logged in. Allowing people who aren’t logged in access to some resources is a common requirement.
I have code like this in a number of policies where there is never any unauthenticated access allowed:
public function before($identity, $resource, $action) {
if (!$identity) {
throw new ForbiddenException();
}
}