# PDC JWT Token

{% hint style="success" %}

#### JWT Token

In this hands-on workshop, you'll learn how to implement enterprise-grade identity federation using Keycloak and Pentaho Data Catalog (PDC). We'll walk through establishing a clear separation of concerns where Keycloak manages WHO people are (identity + organizational structure) and PDC manages WHAT data they can access (Communities + data governance). This WHO/WHAT separation is the proven enterprise approach for scaling data governance across thousands of users.

By the end of this workshop, you will be able to:

* Configure enterprise identity federation between Keycloak and PDC
* Understand the role of JWT tokens in identity management
* Implement secure authentication workflows using JWT tokens
* Decode and analyze JWT token contents for troubleshooting
* Map organizational hierarchies to data access permissions
* Create scalable data governance frameworks that separate identity from authorization
* Bridge organizational structures with data catalog security models

This workshop will demonstrate how JWT tokens serve as the essential bridge between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control at enterprise scale.
{% endhint %}

<figure><img src="/files/ybSw1RKmBwHggGkR3UNL" alt=""><figcaption><p>JWT Token</p></figcaption></figure>

***

{% hint style="info" %}

### Examine the PDC JWT Login token

We need to confirm that PDC can authenticate users through Keycloak and receive role information via JWT tokens.
{% endhint %}

1. Log into Data Catalog:

{% embed url="https://pdc.pentaho.lab" %}

Username: <admin@hv.com>

Password: Welcome123!

{% hint style="info" %}
Observe the redirect to: <https://pdc.pentaho.lab/keycloak/realms/pdc> ...

PDC is configured to delegate authentication to Keycloak using OpenID Connect/OAuth 2.0 protocols. PDC trusts JWT tokens issued by Keycloak.
{% endhint %}

2. Verify successful return to PDC with user context.

***

{% hint style="info" %}

### JWT Token

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity-protected with a Message Authentication Code (MAC) and/or encrypted.
{% endhint %}

1. In a terminal enter the following command:

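```bash
# Request tokens from the Keycloak realm using the password grant.
# -k disables TLS certificate verification, -L follows redirects;
# jq -r prints only the access_token field of the JSON response.
curl -k -L -X POST 'https://pdc.pentaho.lab/keycloak/realms/pdc/protocol/openid-connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=pdc-client' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=admin@hv.com' \
  --data-urlencode 'password=Welcome123!' | jq -r '.access_token'
```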

{% hint style="info" %}
This will return and output the JWT token as `.access_token`.

{% endhint %}

<figure><img src="/files/WjVR0UC9F8uiVDDekZ1j" alt=""><figcaption></figcaption></figure>

2. Copy the `access_token` value in the `token_response.json` to <https://jwt.io> to decode it.

<figure><img src="/files/pNvtpDuTA6hkOohBC21M" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
The `scope` parameter directly controls what information Keycloak includes in the JWT token.

The JWT token is essentially the **bridge** between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control.
{% endhint %}
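The decode in step 2 can also be done locally, which keeps the token out of a third-party site. The following is an added example, not part of the original workshop or Pentaho's code: it reads the header and payload without verifying the signature and checks `iss`, `aud`/`azp` and `exp`. The sample token, its role names and all function names are constructed for illustration.

```python
import base64
import json
import time

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Return (header, payload). Inspection only: the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:  # e.g. the whole JSON response was pasted, not just the token
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    try:
        header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all derive from it
        raise ValueError(f"segment is not base64url-encoded JSON: {exc}") from None
    return header, payload

def check_claims(payload, issuer, client_id, now=None):
    """List the reasons this client should not accept the token's claims."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append(f"iss is {payload.get('iss')!r}, expected {issuer!r}")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if client_id not in aud and payload.get("azp") != client_id:
        problems.append(f"{client_id!r} is in neither aud nor azp")
    if payload.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def realm_roles(payload):
    """Roles that Keycloak places under realm_access.roles in an access token."""
    return sorted(payload.get("realm_access", {}).get("roles", []))

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (illustrative claims and role names, dummy signature).
SAMPLE_CLAIMS = {"iss": "https://pdc.pentaho.lab/keycloak/realms/pdc", "exp": 2000000000,
                 "aud": ["pdc-client", "account"], "azp": "pdc-client", "scope": "profile email",
                 "realm_access": {"roles": ["Example_Steward", "Example_Admin"]}}
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    header, payload = decode_jwt(SAMPLE_TOKEN)
    print(header["alg"], realm_roles(payload), check_claims(payload, SAMPLE_CLAIMS["iss"], "pdc-client"))
```

To inspect a real token, pass the string printed by the `curl` command to `decode_jwt` in place of `SAMPLE_TOKEN`.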

***

