PDC JWT Token

Understanding the WHO & WHAT ..

JWT Token

In this hands-on workshop, you'll learn how to implement enterprise-grade identity federation using Keycloak and Pentaho Data Catalog (PDC). We'll walk through establishing a clear separation of concerns where Keycloak manages WHO people are (identity + organizational structure) and PDC manages WHAT data they can access (Communities + data governance). This WHO/WHAT separation is the proven enterprise approach for scaling data governance across thousands of users.

By the end of this workshop, you will be able to:

Configure enterprise identity federation between Keycloak and PDC
Understand the role of JWT tokens in identity management
Implement secure authentication workflows using JWT tokens
Decode and analyze JWT token contents for troubleshooting
Map organizational hierarchies to data access permissions
Create scalable data governance frameworks that separate identity from authorization
Bridge organizational structures with data catalog security models

This workshop will demonstrate how JWT tokens serve as the essential bridge between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control at enterprise scale.

We need to confirm that PDC can authenticate users through Keycloak and receive role information via JWT tokens.

Log into Data Catalog:

https://pdc.pentaho.labpdc.pentaho.lab

Username: [email protected]

Password: Welcome123!

Observe the redirect to: https://pdc.pentaho.lab/keycloak/realms/pdc ...

PDC is configured to delegate authentication to Keycloak using OpenID Connect/OAuth 2.0 protocols. PDC trusts JWT tokens issued by Keycloak.

Verify successful return to PDC with user context.

JWT Token

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity-protected with a Message Authentication Code (MAC) and/or encrypted.

In a terminal enter the following command:

curl -k -L -X POST 'https://pdc.pentaho.lab/keycloak/realms/pdc/protocol/openid-connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=pdc-client' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode '[email protected]' \
  --data-urlencode 'password=Welcome123!' | jq -r '.access_token'

This will return and output the JWT token as .access_token:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJoTTRKdGZzc0tnWUdXOUJPMEVFeGNISWdDZ0FsWUFnOENQS1JvcWYzbUVvIn0.eyJleHAiOjE3NTM2MjY0ODgsImlhdCI6MTc1MzYxOTI4OCwianRpIjoiNWFjYTdjYWQtMGQzMS00YzlkLWEzYTEtODYwMjUwYWYwNTI1IiwiaXNzIjoiaHR0cHM6Ly9wZGMucGVudGFoby5sYWIva2V5Y2xvYWsvcmVhbG1zL3BkYyIsImF1ZCI6WyJwZGMtY2xpZW50IiwicmVhbG0tbWFuYWdlbWVudCIsImFjY291bnQiXSwic3ViIjoiYzhmMDhjZDEtNWI3OS00MWJmLTgwNTAtNzJkN2I4YzY3YzMxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoicGRjLWNsaWVudCIsInNpZCI6IjNkNDMxOTZhLWYxM2QtNDU0OS1hNGM4LWNmNGRlNzZiN2Q4MiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiRGF0YV9TdGV3YXJkIiwiRGF0YV9TdG9yYWdlX0FkbWluaXN0cmF0b3IiLCJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtcGRjIiwiQnVzaW5lc3NfU3Rld2FyZCIsInVtYV9hdXRob3JpemF0aW9uIiwiQWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctdXNlcnMiLCJxdWVyeS1ncm91cHMiLCJxdWVyeS11c2VycyJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwicmVhbG1fcm9sZXMiOlsiRGF0YV9TdGV3YXJkIiwiRGF0YV9TdG9yYWdlX0FkbWluaXN0cmF0b3IiLCJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtcGRjIiwiQnVzaW5lc3NfU3Rld2FyZCIsInVtYV9hdXRob3JpemF0aW9uIiwiQWRtaW4iXSwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJBZG1pbiBBZG1pbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6IkFkbWluIiwiZmFtaWx5X25hbWUiOiJBZG1pbiIsImVtYWlsIjoiYWRtaW5AaHYuY29tIiwidGVuYW50LW5hbWUiOiJwZGMifQ.X0MsO_dpzhT8TwJIUon0_5TfXlWtZ5zFB528VAlAc3sKYzLzoUCMDDi1nC26NeDtV65BjerGfHCWL1q9SohLl2s1KmpiZllcX8YKdAyYkObUw-n4LTyPg_8k53HAs4cc-2PWruuydt_bnEvv3DtI1rGHLENhhfER_UnugnXeSzHyesxabYnAmvBbxuf04JPvDmQOjVzfBD2j_RudMiYnVhQA4QxXIUw41l5mtkgnNPtd06bD5Wl7thQvdw1KOvDcGoriHGvoGrennAYlHAS23LSLphq0C1v85hRuIzljlDbtS3m3wj7Fij3TOUkPFa71wecbo2CnuYNyUD_yQwo12A","expires_in":7200,"refresh_expires_in":7200,"refresh_token":"eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI1ZDkxZDM5ZS05YWM1LTQ3NGUtYWVhMC1lNDk5NDQ1MGFhZmMifQ.eyJleHAiOjE3NTM2MjY0ODgsImlhdCI6MTc1MzYxOTI4OCwianRpIjoiNmU4ZTc5ZGItM2JlYS00NzI4LWEwZDYtODdkMDg2MDVjODc2IiwiaXNzIjoiaHR0cHM6Ly9wZGMucGVudGFoby5sYWIva2V5Y2xvYWsvcmVhbG1zL3BkYyIsImF1ZCI6Imh0dHBzOi8vcGRjLnBlbnRhaG8ubGFiL2tleWNsb2FrL3JlYWxtcy9wZGMiLCJzdWIiOiJjOGYwOGNkMS01Yjc5LTQxYmYtODA1MC03MmQ3YjhjNjdjMzEiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoicGRjLWNsaWVudCIsInNpZCI6IjNkNDMxOTZhLWYxM2QtNDU0OS1hNGM4LWNmNGRlNzZiN2Q4MiIsInNjb3BlIjoicHJvZmlsZSByb2xlcyBhY3IgZW1haWwgd2ViLW9yaWdpbnMifQ.vweacCExoFy0h3pepmD-FGhtoGBRmU1zmtWaS0aM-BTiplsamKylxqhXkOK4oiagxDz_0lNpmp5QbkvllA90Cg

Copy the access_token value in the token_response.json to: https://jwt.io to decode it.

The scope parameter directly controls what information Keycloak includes in the JWT token.

The JWT token essentially is the bridge between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control.

PreviousAW Organization NextAW Groups

Last updated 5 months ago

Was this helpful?

Good afternoon

hashtagJWT Token

hashtagExamine the PDC JWT Login token

hashtagJWT Token

JWT Token

Examine the PDC JWT Login token

JWT Token