The piece I was missing was this:

private val Context.userRoles: Set<ApiRole>
    get() = this.basicAuthCredentials()?.let { (username, password) ->
        userRoleMap[Pair(username, password)] ?: setOf()
    } ?: setOf()

This is helpful do you know if there are plans to build out Javalin extension for things like OAuth, SSO etc. so that consumers don’t need to implement this functionality?

no plans

Thanks for the info

you're very welcome