I have a scenario where users log into Webfocus and get authenticated via an IDP. One of the Webfocus pages calls a REST API via JavaScript, so the request is made directly from the user's browser. The REST API is a Spring Boot app that is running on the same WebSphere app server as Webfocus.
What are my options for verifying that the request coming into the REST API is from the user that just logged in to the Webfocus app?
It does not look like an IDP access token is getting passed to the REST API. But I do see a WF-JSESSIONID cookie. Can I somehow use that to verify an authenticated session with Webfocus?