Orchestration SDKs

Managing sessions and tokens on Android

PingOne Advanced Identity Cloud PingAM Android


After a user successfully authenticates, you can manage their session and associated tokens.

This section covers how to obtain a user object and session token, sign the user out, and manage OpenID Connect (OIDC) tokens, including retrieving, refreshing, and revoking them.

Getting a user object and session token

After successfully navigating a journey, you can use the journey.user() method to get an object that represents the authenticated user.

With the user object, you can call user.session() to obtain details about the session token.

Getting the user and session token on Android
val node = journey.start() // Initiate the authentication flow

when (node) {
    is ContinueNode -> {/* ... */}
    is FailureNode -> {/* ... */}
    is ErrorNode -> {/* ... */}

    is SuccessNode -> {
        // Get the user object (may be null)
        val user: User? = journey.user()
        // Retrieve the session token, if available
        val ssoToken: SSOToken? = user?.session()
    }
}

The SSOToken object contains the following properties:

value

The session token string itself.

For example, nlw0pDx5TBk3Rvq7T5tjJYI.*AAJTSQACMDIAAE1TkyMWVhTLABwyajjliTTAydzg9AARWZW9lZU5yd1FeXBlAANDVFMAAlMxIwMQ..*

successUrl

The URL a user could be redirected to after authentication, such as their profile page.

For example, /enduser/?realm=/alpha

realm

The realm of the authenticated user.

For example, /alpha
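
Because successUrl is a server-supplied value that the app may navigate to, the following shows one way to check it before following it. This is an added example, not code from the SDK or from this page; the helper name safeSuccessTarget and the rule that only same-origin relative paths are accepted are assumptions.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical helper, not part of the SDK. Returns the path (and query) that is
// safe to navigate to, or null when successUrl is not a plain same-origin path.
fun safeSuccessTarget(successUrl: String?): String? {
    if (successUrl.isNullOrBlank()) return null
    // Backslashes and control characters are normalised differently by different URL parsers.
    if (successUrl.any { it == '\\' || it.isISOControl() }) return null
    // Require an absolute path; "//host/path" is scheme-relative and would leave the origin.
    if (!successUrl.startsWith("/") || successUrl.startsWith("//")) return null

    val uri = try {
        URI(successUrl)
    } catch (e: URISyntaxException) {
        return null
    }
    // A same-origin relative reference carries no scheme and no authority.
    if (uri.isAbsolute || uri.rawAuthority != null) return null

    // Collapse "." and ".." segments, then reject paths that still climb above the root.
    val path = uri.normalize().rawPath ?: return null
    if (path == "/.." || path.startsWith("/../")) return null

    val query = uri.rawQuery
    return if (query != null) "$path?$query" else path
}

fun main() {
    // Constructed sample values; the first is the successUrl example shown on this page.
    val samples = listOf(
        "/enduser/?realm=/alpha",
        "//other.example/enduser/",
        "https://other.example/",
        "/\\other.example",
        "/enduser/../../admin",
        ""
    )
    for (s in samples) {
        val shown = s.ifEmpty { "<empty>" }
        println("$shown -> ${safeSuccessTarget(s) ?: "rejected"}")
    }
}
```

Pass ssoToken.successUrl to the helper and navigate only when it returns a non-null value, resolving that path against the server origin the app is already configured with.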

Signing users out

To sign a user out of the server, call the logout() method on the user object:

Signing users out on Android
user?.logout()

This clears the user’s session, both locally and on the server, and revokes any associated OIDC tokens.

Managing OIDC tokens

If you integrated the OIDC module with the Journey, you can interact with the issued OpenID Connect tokens, such as obtaining data from the user info endpoint, or revoking the access token.

Retrieving an access token

Use the user.token() method to obtain an OIDC access token on behalf of the user.

Obtaining user info

Use the user.userInfo() method to call the OIDC /oauth2/userinfo endpoint with the access token to retrieve details of the relevant user account.

The response contains values such as first and last name, and other details:

{
  "name": "Babs Jensen",
  "family_name": "Jensen",
  "given_name": "Babs",
  "sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
  "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da"
}

Refreshing an access token

The OIDC module automatically refreshes access tokens if required, but you can also manually refresh them by using the user.refresh() method.

Revoking an access token

Use the user.revoke() method to invalidate an access token and delete it from local storage.

You can also use the user.logout() method to revoke OIDC tokens, as well as the user’s session tokens.

Example

The following code shows how to get a user object followed by their SSO token.

The code then calls each of the methods provided by the user object, such as obtaining and refreshing access tokens, getting user info, and revoking the tokens.

The code then shows how to sign the user out of the server, which terminates the session on the server, revokes associated tokens, and clears any related tokens from client storage:

Managing OpenID Connect tokens with the OIDC module integrated
val node = journey.start() // Initiate the authentication flow

when (node) {
    is ContinueNode -> {/* ... */}
    is FailureNode -> {/* ... */}
    is ErrorNode -> {/* ... */}
    is SuccessNode -> {
        // Checking the user object
        val user: User? = journey.user()
        // Retrieve the session token, if available
        val ssoToken: SSOToken? = user?.session()

        user?.let {
            // Retrieve the current access token; null if the call did not succeed
            val accessToken = (it.token() as? Result.Success)?.value

            // Fetch user information using the access token; null if the call did not succeed
            val userInfo = (it.userinfo() as? Result.Success)?.value

            // Use a refresh token to renew the access token, if available
            it.refresh()

            // Revoke the current access and refresh tokens
            it.revoke()

            // Initiate the logout process
            // Also clears local session data
            it.logout()
        }
    }
}