PDC JWT Token
Understanding the WHO & WHAT
JWT Token
In this hands-on workshop, you'll learn how to implement enterprise-grade identity federation using Keycloak and Pentaho Data Catalog (PDC). We'll walk through establishing a clear separation of concerns where Keycloak manages WHO people are (identity + organizational structure) and PDC manages WHAT data they can access (Communities + data governance). This WHO/WHAT separation is the proven enterprise approach for scaling data governance across thousands of users.
By the end of this workshop, you will be able to:
Configure enterprise identity federation between Keycloak and PDC
Understand the role of JWT tokens in identity management
Implement secure authentication workflows using JWT tokens
Decode and analyze JWT token contents for troubleshooting
Map organizational hierarchies to data access permissions
Create scalable data governance frameworks that separate identity from authorization
Bridge organizational structures with data catalog security models
This workshop will demonstrate how JWT tokens serve as the essential bridge between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control at enterprise scale.

Examine the PDC JWT Login token
We need to confirm that PDC can authenticate users through Keycloak and receive role information via JWT tokens.
Log into Data Catalog:
Username: [email protected]
Password: Welcome123!
Verify successful return to PDC with user context.
JWT Token
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity-protected with a Message Authentication Code (MAC) and/or encrypted.
In a terminal, enter the following command (the -k flag tells curl to skip TLS certificate verification):
curl -k -L -X POST 'https://pdc.pentaho.lab/keycloak/realms/pdc/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=pdc-client' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=[email protected]' \
--data-urlencode 'password=Welcome123!' | jq -r '.access_token'

Copy the access_token value in the token_response.json to https://jwt.io to decode it.

The scope parameter directly controls what information Keycloak includes in the JWT token.
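The same claims can be inspected locally, so a live access token never has to leave the workstation. The following is an added example, not part of the original workshop: it assumes the standard Keycloak claims `scope`, `realm_access.roles`, `azp` and `preferred_username`, and the sample token, user and role name are constructed. It decodes only and does not verify the signature.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token, now=None):
    """Decode header and payload WITHOUT verifying the signature (troubleshooting only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWS compact token: header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "client": claims.get("azp"),
        "user": claims.get("preferred_username"),
        "scopes": claims.get("scope", "").split(),
        "realm_roles": claims.get("realm_access", {}).get("roles", []),
        "expired": "exp" in claims and claims["exp"] <= now,
        "unsigned": str(header.get("alg", "none")).lower() == "none" or not parts[2],
    }


def _b64url(obj):
    """Helper used only to build the constructed sample token below."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not issued by Keycloak; the signature is a dummy string).
SAMPLE_CLAIMS = {
    "iss": "https://pdc.pentaho.lab/keycloak/realms/pdc",
    "azp": "pdc-client",
    "preferred_username": "sample.user",
    "scope": "openid profile email",
    "realm_access": {"roles": ["constructed-role"]},
    "exp": 1700000300,
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE_TOKEN), indent=2))
```

To inspect a real token, pass the string printed by the curl command to `inspect_jwt()`; compare `scopes` and `realm_roles` against what the user is expected to have in PDC.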
The JWT token is essentially the bridge between Adventure Works' organizational hierarchy and PDC's data governance model, enabling seamless, automated, and secure data access control.