Description of problem: User object doesn't have roles list. It would be useful to have a roles list in the user object, in the same way as Role object have users list. It should also be possible to update a user by modifying the roles list.
@Path /users/{uuid}/roles The User object has a Role set. We don't express it in the JSON because it will introduce an infinite recursion. As for updating a user by modifying the roles list, it could create a race condition and would not be healthy for the system.
POST roles/{role_id}/users/{username} DELETE roles/{role_id}/users/{username} Are used to update the relationships between user and role
1. If a user object will contain the role-ids not role objects it will not recourse. 2. I think updating role by role is acceptable as a work around. However it's not a transactive solution and may produce unexpected results in case of failure.
Most users are doing their own authn/authz. Closing until there is a project need.