In order to check roles for authenticated users we need to always use the IdentityManager(PicketLink IDM).

I think it is a lot easier for users to have a simple hasRole(String roleName) method on the Identity interface to check for that.

Also, this is a very common and helpful method for most use cases, including those that need to check for users roles from a JSF page using EL, for example.

Not sure if for this last case, we should recommend to access the IdentityManager directly from those pages or even force users to create a bean to encapsulate the logic.