--- title: Managing sessions and tokens on iOS description: PingOne Advanced Identity Cloud PingAM iOS component: orchsdks page_id: orchsdks:journey:usage/ios/06-handling-sessions canonical_url: https://developer.pingidentity.com/orchsdks/journey/usage/ios/06-handling-sessions.html revdate: Tue, 2 Dec 2025 16:32:08 +0000 section_ids: getting_a_user_object_and_session_token: Getting a user object and session token signing_users_out: Signing users out managing_oidc_tokens: Managing OIDC tokens example: Example --- # Managing sessions and tokens on iOS [icon: circle-check, set=far]PingOne Advanced Identity Cloud [icon: circle-check, set=far]PingAM [icon: apple, set=fab]iOS * [Prepare](01-configuring-the-server.html) * [Install](02-installing-the-journey-module.html) * [Configure](03-configuring-the-journey-module.html) * [Start](04-starting-an-authentication-journey.html) * [Navigate](05-navigating-an-authentication-journey.html) * **Manage** After a user successfully authenticates, you can manage their session and associated tokens. This section covers how to obtain a user object and session token, sign the user out, and manage OpenID Connect (OIDC) tokens, including retrieving, refreshing, and revoking them. ## Getting a user object and session token After successfully navigating a journey and reaching a `successNode`, you can use `successNode.session` to obtain the users' session token, and `successNode.input` to obtain the raw JSON response. You can also use the `journey.journeyUser()` method to get an object that represents the authenticated user. Getting the user and session token on iOS ```swift let node = await journey.start() // Initiate the authentication flow // Determine the type of the current Node switch node { case let continueNode as ContinueNode: // ... case let errorNode as ErrorNode: // ... case let failureNode as FailureNode: // ... case let successNode as SuccessNode: // Authentication successful, retrieve the session let session = successNode.session // Get a user object let journeyUser = await journey.journeyUser() } ``` The `session` object contains the following properties: * `value` The session token string itself. For example, `nlw0pDx5TBk3Rvq7T5tjJYI.*AAJTSQACMDIAAE1TkyMWVhTLABwyajjliTTAydzg9AARWZW9lZU5yd1FeXBlAANDVFMAAlMxIwMQ..*` * `successUrl` The URL a user could be redirected to after authentication, such as their profile page. For example, `/enduser/?realm=/alpha` * `realm` The realm of the authenticated user. For example, `/alpha` ## Signing users out To sign a user out of the server, call the `logout()` method on the `journeyUser` object: Signing users out on iOS ```swift journeyUser.logout() ``` This clears the user's session, both locally and on the server, and revokes any associated OAuth 2.0 tokens. ## Managing OIDC tokens If you integrated the **OIDC** module with the **Journey**, you can interact with the issued OpenID Connect tokens, such as obtaining data from the user info endpoint, or revoking the access token. * Retrieving an access token Use the `journeyUser.token()` method to obtain an OIDC access token on behalf of the user. * Obtaining user info Use the `journeyUser.userInfo()` method to call the OIDC `/oauth2/userinfo` endpoint with the access token to retrieve details of the relevant user account. The response contains values such as first and last name, and other details: ```json { "name": "Babs Jensen", "family_name": "Jensen", "given_name": "Babs", "sub": "a0325ea4-9d9b-4056-931b-ab64704cc3da", "subname": "a0325ea4-9d9b-4056-931b-ab64704cc3da" } ``` * Refreshing an access token The **OIDC** module automatically refreshes access tokens if required, but you can also manually refresh them by using the `journeyUser.refresh()` method. * Revoking an access token Use the `journeyUser.revoke()` method to invalidate OAuth 2.0 access and refresh tokens on the server, and remove them from local storage. This does not affect any session tokens, which remain intact. | | | | - | --------------------------------------------------------------------------------------------------------------- | | | You can also use the `journeyUser.logout()` method to revoke OIDC tokens, as well as the user's session tokens. | ## Example The following code shows how to get a user object followed by their SSO token. The code then calls each of the methods provided by the `journeyUser` object, such as obtaining and refreshing access tokens, getting user info, and revoking the tokens. The code then shows how to sign the user out of the server, which terminates the session on the server, revokes associated tokens, and clears any related tokens from client storage: Managing OpenID Connect tokens with the OIDC module integrated ```swift let node = await journey.start() // Initiate the authentication flow // Determine the type of the current Node switch node { case let continueNode as ContinueNode: // ... case let errorNode as ErrorNode: // ... case let failureNode as FailureNode: // ... case let successNode as SuccessNode: // Get session object let session = successNode.session // Get journeyUser object let journeyUser = await journey.journeyUser() // Get OIDC token object let token: Result? token = journeyUser.token() switch token { case .success(let token): await MainActor.run { self.token = String(describing: token) let accessToken = token.accessToken } LogManager.standard.i("AccessToken: \(self.token.accessToken)") case .failure(let error): await MainActor.run { self.token = "Error: \(error.localizedDescription)" } LogManager.standard.e("", error: error) case .none: break } // Fetch user information using the access token (if valid) journeyUser.userinfo() // Use a refresh token to renew the access token, if available journeyUser.refresh() // Revoke current OAuth 2.0 access and refresh tokens // - Revokes OAuth 2.0 access and refresh tokens on the server // - Deletes locally-stored OAuth 2.0 tokens // - Does not affect session tokens journeyUser.revoke() // Initiate the logout process // - Revokes OAuth 2.0 access and refresh tokens on the server // - Deletes locally-stored OAuth 2.0 tokens // - Terminates sessions on the server // - Deletes locally-stored session tokens journeyUser.logout() } ```