PDC JWT Token
Understanding the WHO & WHAT
JWT Token
We're going to implement enterprise-grade identity federation where Keycloak manages WHO people are (identity + organizational structure) and PDC manages WHAT data they can access (Communities + data governance).
This separation of WHO & WHAT is how enterprises scale data governance across thousands of users.

Examine the PDC JWT Login token
We need to confirm that PDC can authenticate users through Keycloak and receive role information via JWT tokens.
Log into Data Catalog:
Username: [email protected]
Password: Welcome123!
Verify successful return to PDC with user context.
JWT Token
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity-protected with a Message Authentication Code (MAC) and/or encrypted.
In a terminal enter the following command:
curl -k -L -X POST 'https://pdc.pentaho.lab/keycloak/realms/pdc/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=pdc-client' \
--data-urlencode 'grant_type=password' \
--data-urlencode '[email protected]' \
--data-urlencode 'password=Welcome123!' | jq -r '.access_token'

Copy the access_token value in the token_response.json to https://jwt.io to decode it.
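The same claims can be read without leaving the terminal by decoding the token locally. This is an added example, not part of the original lab: the function names, the sample token and the Data_Steward role are constructed for illustration, and decoding does not verify the signature.

```shell
#!/bin/sh
# Added example: read a JWT's header and claims locally (decode only, no signature check).

# Decode one base64url segment: JWTs use '-' and '_' and drop the '=' padding.
b64url_decode() (
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) echo "invalid base64url length" >&2; exit 1 ;;
  esac
  printf '%s' "$s" | base64 -d
)

# Print the header or payload JSON of a compact JWS (header.payload.signature).
jwt_part() (
  token=$1; part=$2
  header=${token%%.*}
  rest=${token#*.}
  payload=${rest%%.*}
  sig=${rest#*.}
  # Require exactly two dots; a five-part JWE is encrypted and cannot be read this way.
  if [ "$rest" = "$token" ] || [ "$sig" = "$rest" ] || [ "${sig#*.}" != "$sig" ]; then
    echo "not a three-part JWS" >&2; exit 1
  fi
  case $part in
    header)  b64url_decode "$header" ;;
    payload) b64url_decode "$payload" ;;
    *) echo "usage: jwt_part <token> header|payload" >&2; exit 2 ;;
  esac
)

# Constructed sample, not a real PDC token: built inline so the script runs offline.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_CLAIMS='{"azp":"pdc-client","scope":"openid profile email","realm_access":{"roles":["Data_Steward"]}}'
SAMPLE_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_CLAIMS").constructed-signature"

jwt_part "$SAMPLE_JWT" header;  echo
jwt_part "$SAMPLE_JWT" payload; echo
# With a live token: TOKEN=$(curl ... | jq -r '.access_token'); jwt_part "$TOKEN" payload | jq .
```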

The scope parameter directly controls what information Keycloak includes in the JWT token.
The JWT token essentially becomes the bridge between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control.