Orchestration SDKs

Managing sessions and tokens on iOS

PingOne Advanced Identity Cloud PingAM iOS

After a user successfully authenticates, you can manage their session and associated tokens.

This section covers how to obtain a user object and session token, sign the user out, and manage OpenID Connect (OIDC) tokens, including retrieving, refreshing, and revoking them.

Getting a user object and session token

After successfully navigating a journey and reaching a successNode, you can use successNode.session to obtain the users' session token, and successNode.input to obtain the raw JSON response.

You can also use the journey.journeyUser() method to get an object that represents the authenticated user.

Getting the user and session token on iOS
let node = await journey.start()  // Initiate the authentication flow

// Determine the type of the current Node
switch node {
case let continueNode as ContinueNode:
    // ...
case let errorNode as ErrorNode:
    // ...
case let failureNode as FailureNode:
    // ...
case let successNode as SuccessNode:
    // Authentication successful, retrieve the session
    let session = successNode.session
    // Get a user object
    let journeyUser = await journey.journeyUser()
}

The session object contains the following properties:

value

The session token string itself.

For example, nlw0pDx5TBk3Rvq7T5tjJYI.*AAJTSQACMDIAAE1TkyMWVhTLABwyajjliTTAydzg9AARWZW9lZU5yd1FeXBlAANDVFMAAlMxIwMQ..*

successUrl

The URL a user could be redirected to after authentication, such as their profile page.

For example, /enduser/?realm=/alpha

realm

The realm of the authenticated user.

For example, /alpha

Signing users out

To sign a user out of the server, call the logout() method on the journeyUser object:

Signing users out on iOS
journeyUser.logout()

This clears the user’s session, both locally and on the server, and revokes any associated OAuth 2.0 tokens.

Managing OIDC tokens

If you integrated the OIDC module with the Journey, you can interact with the issued OpenID Connect tokens, such as obtaining data from the user info endpoint, or revoking the access token.

Retrieving an access token

Use the journeyUser.token() method to obtain an OIDC access token on behalf of the user.

Obtaining user info

Use the journeyUser.userInfo() method to call the OIDC /oauth2/userinfo endpoint with the access token to retrieve details of the relevant user account.

The response contains values such as first and last name, and other details:

{
  "name": "Babs Jensen",
  "family_name": "Jensen",
  "given_name": "Babs",
  "sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
  "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da"
}
Refreshing an access token

The OIDC module automatically refreshes access tokens if required, but you can also manually refresh them by using the journeyUser.refresh() method.

Revoking an access token

Use the journeyUser.revoke() method to invalidate OAuth 2.0 access and refresh tokens on the server, and remove them from local storage.

This does not affect any session tokens, which remain intact.

You can also use the journeyUser.logout() method to revoke OIDC tokens, as well as the user’s session tokens.

Example

The following code shows how to get a user object followed by their SSO token.

The code then calls each of the methods provided by the journeyUser object, such as obtaining and refreshing access tokens, getting user info, and revoking the tokens.

The code then shows how to sign the user out of the server, which terminates the session on the server, revokes associated tokens, and clears any related tokens from client storage:

Managing OpenID Connect tokens with the OIDC module integrated
let node = await journey.start()  // Initiate the authentication flow

// Determine the type of the current Node
switch node {
case let continueNode as ContinueNode:
    // ...
case let errorNode as ErrorNode:
    // ...
case let failureNode as FailureNode:
    // ...
case let successNode as SuccessNode:
    // Get session object
    let session = successNode.session

    // Get journeyUser object
    let journeyUser = await journey.journeyUser()

    // Get OIDC token object
    let token: Result<Token, OidcError>?
    token = journeyUser.token()

    switch token {
    case .success(let token):
        await MainActor.run {
            self.token = String(describing: token)
            let accessToken = token.accessToken
        }
        LogManager.standard.i("AccessToken: \(self.token.accessToken)")
    case .failure(let error):
        await MainActor.run {
            self.token = "Error: \(error.localizedDescription)"
        }
        LogManager.standard.e("", error: error)
    case .none:
        break
    }

    // Fetch user information using the access token (if valid)
    journeyUser.userinfo()

    // Use a refresh token to renew the access token, if available
    journeyUser.refresh()

    // Revoke current OAuth 2.0 access and refresh tokens
    //  - Revokes OAuth 2.0 access and refresh tokens on the server
    //  - Deletes locally-stored OAuth 2.0 tokens
    //  - Does not affect session tokens
    journeyUser.revoke()

    // Initiate the logout process
    //  - Revokes OAuth 2.0 access and refresh tokens on the server
    //  - Deletes locally-stored OAuth 2.0 tokens
    //  - Terminates sessions on the server
    //  - Deletes locally-stored session tokens
    journeyUser.logout()
}