Token Introspect configuration
Token Introspect validates access tokens and retrieves associated identity data from your Identity Knowledge Graph (IKG).
This Terraform configuration creates a Token Introspect setup that:
1. Accepts an access token containing an email claim.
2. Matches the email claim to a Person node in the IKG.
3. Returns the Person node data if a match is found.
Use case
Scenario: Your application receives access tokens from an identity provider and needs to enrich them with IKG data.
When a user authenticates, the Token Introspect configuration matches the token's email claim to a Person node, allowing your application to access identity attributes and relationships stored in the graph.
Requirements
- ServiceAccount credentials created in the IndyKite Hub for your organization.
- A Person node with an email property must exist in the IKG for matching to succeed.
Steps
1. Create the Token Introspect configuration using the Terraform file below.
2. Apply the Terraform configuration to your IndyKite project.
3. Call the Token Introspect endpoint with an access token containing an email claim.
4. Receive the matched Person node data in the response.
Create a Token Introspect configuration for a Person node with an email claim.
terraform {
  required_providers {
    indykite = {
      source  = "indykite/indykite"
      version = ">= 1.26.0" # or the latest version
    }
  }
}

# The indykite provider integrates the IndyKite platform with Terraform scripting.
# The provider currently takes no parameters; everything is read from the
# service account credential file.
provider "indykite" {}

resource "indykite_token_introspect" "token_config" {
  name         = "terraform-token-introspect"
  display_name = "Terraform token introspect"
  description  = "Token introspect for DigitalTwin access token"
  location     = "ProjectGID" # replace with the GID of your IndyKite project

  # Only tokens whose issuer and audience match these values are accepted.
  jwt_matcher {
    issuer   = "https://example.com"
    audience = "client-id"
  }

  # Validate the token locally instead of calling the issuer for each request.
  offline_validation {}

  # Type of the IKG node the token is matched against (the Person node described above).
  ikg_node_type = "Person"

  # Token claim name (left) -> node property name (right) used for matching.
  claims_mapping = {
    "email" = "email"
  }

  # Create the node from the mapped claims when no existing node matches.
  perform_upsert = true
}
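The following script is an added example, not IndyKite code and not part of this page, that models what the configuration above does so the pieces can be traced end to end: the jwt_matcher check on issuer and audience, offline validation of the token signature, the claims_mapping lookup against a node of ikg_node_type, and the perform_upsert fallback when nothing matches. It assumes a constructed HS256 shared secret standing in for the issuer's signing key and an in-memory list of nodes standing in for the IKG; the helper names (make_token, offline_validate, introspect) are inventions of this example. It also goes slightly beyond the page by accepting an "aud" claim given as a list, which the JWT specification allows.

```python
"""Illustrative model of the Token Introspect matching flow (added example, not IndyKite code)."""
import base64
import hashlib
import hmac
import json

# Mirror of the Terraform resource settings (constructed to match the example above).
CONFIG = {
    "jwt_matcher": {"issuer": "https://example.com", "audience": "client-id"},
    "ikg_node_type": "Person",
    "claims_mapping": {"email": "email"},  # token claim -> node property
    "perform_upsert": True,
}

# Constructed stand-in for the issuer's signing key; a real issuer would publish public keys.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a compact HS256 JWT over the given claims (test-fixture helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def offline_validate(token: str) -> dict:
    """Check signature, algorithm, issuer and audience locally, as offline_validation implies."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token to choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    matcher = CONFIG["jwt_matcher"]
    if claims.get("iss") != matcher["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if matcher["audience"] not in audiences:
        raise ValueError("audience mismatch")
    return claims


def introspect(token: str, graph: list) -> dict:
    """Validate the token, then match (or upsert) a node of ikg_node_type via claims_mapping."""
    claims = offline_validate(token)
    match_props = {
        prop: claims[claim]
        for claim, prop in CONFIG["claims_mapping"].items()
        if claim in claims
    }
    if not match_props:
        raise ValueError("token carries none of the mapped claims")
    for node in graph:
        if node["type"] == CONFIG["ikg_node_type"] and all(
            node["properties"].get(k) == v for k, v in match_props.items()
        ):
            return {"active": True, "node": node, "created": False}
    if CONFIG["perform_upsert"]:
        node = {"type": CONFIG["ikg_node_type"], "properties": dict(match_props)}
        graph.append(node)
        return {"active": True, "node": node, "created": True}
    return {"active": False, "node": None, "created": False}


if __name__ == "__main__":
    # Constructed sample graph: one Person node with an email property.
    ikg = [{"type": "Person", "properties": {"email": "alice@example.com", "name": "Alice"}}]
    token = make_token({"iss": "https://example.com", "aud": "client-id", "email": "alice@example.com"})
    print(introspect(token, ikg))
```

The order of checks mirrors the configuration: a token that fails the jwt_matcher or signature check is rejected before any graph lookup happens, so the IKG is only consulted for tokens the issuer actually minted for this audience. The alg pin in offline_validate is the check worth keeping when adapting this to a real verifier library.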