You're right, in the sense that all of the plugins in the $auths array are tried in order to authenticate the user. But what's in the $auths array when you get to that point?
Here's the code above the section you quoted:
    $authsenabled = get_enabled_auth_plugins();

    if ($user = get_complete_user_data('username', $username)) {
        $auth = empty($user->auth) ? 'manual' : $user->auth; // use manual if auth not set
        if ($auth=='nologin' or !is_enabled_auth($auth)) {
            add_to_log(0, 'login', 'error', 'index.php', $username);
            error_log('[client '.$_SERVER['REMOTE_ADDR']."] $CFG->wwwroot Disabled Login: $username ".$_SERVER['HTTP_USER_AGENT']);
            return false;
        }
        if (!empty($user->deleted)) {
            add_to_log(0, 'login', 'error', 'index.php', $username);
            error_log('[client '.$_SERVER['REMOTE_ADDR']."] $CFG->wwwroot Deleted Login: $username ".$_SERVER['HTTP_USER_AGENT']);
            return false;
        }
        $auths = array($auth);
    } else {
        $auths = $authsenabled;
        $user = new object();
        $user->id = 0; // User does not exist
    }
The main thing to note here is that $auths does not always contain the entire list of enabled plugins. It does only if the username can't be found in mdl_user.
If Moodle already knows about the user, then $auths will contain exactly one element. That will either be the plugin named in the 'auth' field of the user record, or else 'manual' if for some reason there was no authentication method associated with that user.
So, the code makes it look like Moodle is trying multiple plugins, but in the case of a known user, it's looping over a list of one element, so that's the only one that's tried.