I was using the core feature but then I found it might be better to cut login authorisation and role/permission management into two. So that now we (our middleware) use core feature for enduser login with user id provided by the userinfo, then we use such user id to verify its role and permissions with authorisation extension.