I was thinking about it and I think we could do it by having hasRole tied to security implementation that is being applied. How about we will always have hasRole enabled when one of the security mechanisms will be passed. This will help us to abstract hasRole from keycloak and allow users to build their own auth mechanism but still benefit from hasRole implementation.