While io.undertow.servlet.core.DeploymentManagerImpl passes the deployment IdentityManager to the well known auth mechanisms, BASIC, FORM, ... it is not part of the io.undertow.security.api.AuthenticationMechanismFactory interface contract.

This leaves accessing the IdentityManager from the io.undertow.security.api.SecurityContext#getIdentityManager() method which is deprecated.

Since it looks like Java 8 is required, this could easily be updated via a new default method in AuthenticationMechanismFactory. I'll create a pull request for an example solution for review.