bcgov/issuer-kit

Protect API using IdP token

Closed this issue · 0 comments

esune commented

The API methods used by issuer-admin should require a bearer token in the headers of each request and use it to:

  • validate with the IdP whether it is valid or not
  • restrict API access based on the token validity
  • extract the current user's username from the token, rather than requiring it in the payload
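
The three requirements above, sketched as a framework-agnostic guard. This is an added example, not part of the issue or the project's code. The names `bearerToken`, `guard` and `fakeIdp` are hypothetical, and the IdP check is assumed to return an RFC 7662 style introspection response (`active`, `username`).

```javascript
// Added example. `introspect` is an assumed async function that asks the IdP
// about a token and resolves to { active: boolean, username?: string }.

// Extract the token from an "Authorization: Bearer <token>" header.
function bearerToken(headers) {
  const value = headers.authorization || headers.Authorization || "";
  const match = /^Bearer ([A-Za-z0-9\-._~+/]+=*)$/i.exec(value);
  return match ? match[1] : null;
}

// Returns { status, username, body } on success, { status, error } otherwise.
// Handlers must use `username` from here, never one sent in the payload.
async function guard(request, introspect) {
  const token = bearerToken(request.headers || {});
  if (!token) return { status: 401, error: "missing bearer token" };

  let result;
  try {
    result = await introspect(token);
  } catch (err) {
    // Fail closed: an unreachable IdP must not grant access.
    return { status: 503, error: "identity provider unavailable" };
  }
  if (!result || result.active !== true || !result.username) {
    return { status: 401, error: "invalid or expired token" };
  }

  // Drop any client-supplied username so it cannot override the token's.
  const { username: _ignored, ...body } = request.body || {};
  return { status: 200, username: result.username, body };
}

// Constructed stand-in for the IdP so the example runs offline.
const fakeIdp = async (token) =>
  token === "good-token" ? { active: true, username: "alice" } : { active: false };

// Constructed requests: one valid token with a conflicting payload username,
// one token the IdP reports as inactive.
async function demo() {
  const ok = await guard(
    { headers: { authorization: "Bearer good-token" },
      body: { username: "bob", credential: "x" } }, fakeIdp);
  const bad = await guard(
    { headers: { authorization: "Bearer stale" }, body: {} }, fakeIdp);
  return { ok, bad };
}
```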