Use the client OIDC access token of the logged-in operator.
This implies that only those API endpoints not accessible from the proband part of the frontend app must be authenticated on the backend.
Steps:
frontend sends the OIDC access token in the HTTP Authorization header in the format Authorization: Bearer access_token
backend receives the access_token and calls the OIDC UserInfo/Introspection endpoint (check which one to use!)
if the access_token is valid, verify the obtained username against our database - check that the user is a valid operator
if the verification is successful, proceed and perform this frontend request
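The four steps above as one backend-side check, written as an added example (it is not code from the page or the project). It assumes an RFC 7662 introspection endpoint that answers with an object containing `active` and `username`, and an operator table keyed by username; the HTTP call to the endpoint is injected as a function so the example runs offline against a constructed fake endpoint. The status codes follow the usual split: 401 when the token itself is missing or not valid, 403 when the token is valid but the user is not an operator.

```python
"""Backend verification of an operator's OIDC bearer token (added example).

Assumptions not stated on the page: the token is checked through an
RFC 7662 introspection endpoint whose response carries "active" and
"username"; operators are looked up by username in our own database.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for the operator table in our database.
OPERATORS = {"alice", "bob"}

# Constructed fake introspection endpoint: token -> RFC 7662-style response.
# "tok-carol" is a valid token for a user who is a proband, not an operator.
FAKE_INTROSPECTION = {
    "tok-alice": {"active": True, "username": "alice"},
    "tok-carol": {"active": True, "username": "carol"},
    "tok-expired": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Stands in for a POST to the OIDC introspection endpoint (hypothetical)."""
    return FAKE_INTROSPECTION.get(token, {"active": False})


@dataclass
class AuthResult:
    ok: bool
    username: Optional[str]
    status: int      # HTTP status the backend should answer with
    reason: str


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'.

    Returns None when the header is absent, uses another scheme, or has no
    token. The scheme name is matched case-insensitively (RFC 6750).
    """
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authenticate_operator(
    authorization: Optional[str],
    introspect: Callable[[str], dict] = fake_introspect,
    operators=OPERATORS,
) -> AuthResult:
    """Steps 1-3 of the note: bearer token -> introspection -> operator lookup."""
    token = parse_bearer(authorization)
    if token is None:
        return AuthResult(False, None, 401, "missing or malformed Authorization header")

    info = introspect(token)
    if not info.get("active"):
        # Expired, revoked, or unknown token: the IdP says it is not valid.
        return AuthResult(False, None, 401, "token not active")

    username = info.get("username")
    if not username:
        return AuthResult(False, None, 401, "introspection response carries no username")

    if username not in operators:
        # Valid token, but the user is not an operator in our database.
        return AuthResult(False, username, 403, "user is not an operator")

    return AuthResult(True, username, 200, "ok")


def handle_operator_request(authorization: Optional[str]) -> tuple:
    """Step 4: perform the request only after a successful verification."""
    result = authenticate_operator(authorization)
    if not result.ok:
        return result.status, {"error": result.reason}
    return 200, {"operator": result.username, "data": "operator-only payload"}


if __name__ == "__main__":
    for header in ("Bearer tok-alice", "Bearer tok-carol", "Bearer tok-expired", None):
        print(header, "->", handle_operator_request(header))
```

In production, `introspect` would be the real HTTPS call to the IdP, authenticated with the backend's own client credentials; keeping it injectable is what lets the operator check be unit-tested without network access.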