Token Introspect: user access introspection.
Create or update an Auth0 token for an existing Person node, trigger a Token Introspect and link the token to the Person node.
Use case
When a user requests access to their Profile resource, an authorization check should happen, which must check the user's current authentication level.
For this, we need:
- a Token Introspect configuration node
- an access token for the Person node
- a node, created or updated, that has a _SAME_AS relationship with the Person node and holds the token information corresponding to the claims in the Token Introspect configuration.

Requirements
- ServiceAccount credentials created in the IndyKite Hub for your organization.
- AppAgent credentials created in the IndyKite Hub, using the REST endpoints or using Terraform for your Project / Application.
- Auth0 user token for the user who requires access.
Steps
1. Using the AppAgent credential as API Key (name: X-IK-ClientKey), ingest data in your IKG (IndyKite Knowledge Graph) using the script provided.
2. Get an access token for a Person node.
3. Using the ServiceAccount credential as an environment variable, create a Token Introspect configuration.
4. Using the AppAgent credential as Bearer token, trigger a Token Introspect with the access token using the KBAC API.
5. Try with your own data.
Step 1
Ingest the node needed for this use case.
{
  "nodes": [
    {
      "external_id": "alice",
      "is_identity": true,
      "type": "Person",
      "properties": [
        {
          "type": "email",
          "value": "alice@email.com"
        },
        {
          "type": "given_name",
          "value": "Alice"
        },
        {
          "type": "last_name",
          "value": "Smith"
        }
      ]
    }
  ]
}
Step 2
Get an access token for the Person node.
In this example, we are using an Auth0 token with the following payload:
{
  "profiles": [],
  "email": "alice@email.com",
  "iss": "issuer_url",
  "sub": "sub_value",
  "aud": [
    "client_id",
    "https://issuer/userinfo"
  ],
  "iat": 1749319876,
  "exp": 1749406276,
  "scope": "openid profile email",
  "azp": "client_id"
}
Step 3
Create a Token Introspect configuration either in the hub or with Terraform.
We usually create a Token Introspect configuration per issuer / client_id.
If sub_claim is not provided, the token subject (sub) will be the external_id value of the Token node.
terraform {
  required_providers {
    indykite = {
      source  = "indykite/indykite"
      version = "~> 1.26" // or latest version
    }
  }
}
# The indykite provider integrates the IndyKite platform with Terraform scripting.
# The provider currently takes no parameters; everything is set in the service account credential file.
provider "indykite" {}
resource "indykite_token_introspect" "token_config" {
  name         = "terraform-token-introspect"
  display_name = "Terraform token introspect"
  description  = "Token introspect for DigitalTwin access token"
  location     = "ProjectGID"
  jwt_matcher {
    issuer   = "https://example.com"
    audience = "client-id"
  }
  offline_validation {}
  ikg_node_type = "Token"
  claims_mapping = {
    "email" = "email"
  }
  perform_upsert = true
}
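A pre-flight check comparing the Step 2 token with the Step 3 configuration, added here as an example (it is not IndyKite code, and the function names are hypothetical). It assumes the jwt_matcher requires an exact iss match and that audience is one of the aud values, and that claims_mapping keys are IKG property names while values are token claim names. The payload is decoded without signature verification, so the result is diagnostic only.

```python
import base64, json, time

def decode_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def preflight(payload, issuer, audience, claims_mapping, sub_claim=None, now=None):
    """Return (problems, external_id) for a token against a Token Introspect config."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:  # assumed semantics: exact string match
        problems.append(f"iss {payload.get('iss')!r} != jwt_matcher issuer {issuer!r}")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if audience not in aud:
        problems.append(f"jwt_matcher audience {audience!r} not in aud {aud!r}")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"token expired or exp missing (exp={exp!r})")
    # Assumption: mapping key = IKG property name, value = token claim name.
    for ikg_property, claim in claims_mapping.items():
        if claim not in payload:
            problems.append(f"claim {claim!r} for property {ikg_property!r} is absent")
    # Per the page: without sub_claim, sub becomes the Token node's external_id.
    external_id = payload.get(sub_claim or "sub")
    if external_id is None:
        problems.append(f"claim {(sub_claim or 'sub')!r} for external_id is absent")
    return problems, external_id

def make_sample_token(payload):
    """Constructed, unsigned sample token (the signature segment is a dummy)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])

# Constructed sample: the placeholder payload from Step 2 of the page.
SAMPLE_PAYLOAD = {"email": "alice@email.com", "iss": "issuer_url", "sub": "sub_value",
                  "aud": ["client_id", "https://issuer/userinfo"],
                  "iat": 1749319876, "exp": 1749406276, "azp": "client_id"}

if __name__ == "__main__":
    claims = decode_payload(make_sample_token(SAMPLE_PAYLOAD))
    problems, ext_id = preflight(claims, "https://example.com", "client-id",
                                 {"email": "email"}, now=1749320000)
    print("external_id:", ext_id)
    print("\n".join("MISMATCH: " + p for p in problems))
```

Run as written, it reports that the placeholder issuer and audience in the Step 3 configuration do not line up with the placeholder token from Step 2; replace both with your real values before Step 4.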
Step 4
Trigger a Token Introspect with the access token using the KBAC API.
Here we use the WhatAuthorized endpoint.
The Token Introspect will upsert a token node in the IKG if perform_upsert is true in the Token Introspect configuration.
{
  "subject": {
    "access_token": "{{accessToken}}"
  },
  "resourceTypes": [
    {
      "type": "Person",
      "actions": [
        "EXISTS"
      ]
    }
  ]
}
Response to the what_authorized request.
{
  "decisionTime": "2025-06-07T18:46:25.236068434Z",
  "decisions": {
    "Person": {
      "actions": {
        "EXISTS": {
          "resources": []
        }
      }
    }
  }
}
If the Token node is not linked to the Alice Person node, you can perform an EntityMatching.