
Sessions stores session information on a per authentication module basis.

For each authentication module you can configure the session details individually. For some modules, such as password, you might want to remember the user's session, while for other modules, such as Facebook, you might choose not to remember session information.

Upon logout, all session information is destroyed.


Sessions are stored per authentication module.

Go to Authentication and select one of the authentication modules. Consider "remember my device" or "remember my login".


Related to sessions are access tokens. When using OAuth 2.0 or OpenID Connect an access token is issued with a certain lifetime.

While all access tokens issued by are JSON Web Tokens (JWT), they can nevertheless be revoked. When a client calls the OAuth 2.0 introspection endpoint, the state of the token is returned.

Whether a resource server accepts this status depends on its implementation. If your setup allows tokens to be revoked, resource servers should use introspection to ensure a token is valid.
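As an added illustration (not code from the product or its documentation), the example below shows why a resource server that only verifies the JWT keeps accepting a revoked token until it expires, while one that also consults introspection rejects it. The in-process `introspect` function stands in for the authenticated HTTP call to the introspection endpoint; the HS256 key and the names `issue`, `revoke`, `local_check` and `resource_server_accepts` are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed; HS256 chosen only to stay stdlib-only
_revoked = set()                # stands in for revocation state held by the authorization server

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(sub, jti, ttl=300):
    """Hypothetical issuer: mint a signed JWT with an expiry and a token id."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": int(time.time()) + ttl}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def revoke(jti):
    _revoked.add(jti)

def local_check(token):
    """Signature and expiry only. Returns the claims, or None if invalid."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sig, _sign(head + "." + body)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

def introspect(token):
    """Stand-in for the introspection endpoint (RFC 7662 response shape)."""
    claims = local_check(token)
    if claims is None or claims.get("jti") in _revoked:
        return {"active": False}   # inactive tokens disclose nothing else
    return {"active": True, "sub": claims.get("sub"), "exp": claims["exp"]}

def resource_server_accepts(token, use_introspection=True):
    """Accept only if the JWT verifies and, when enabled, the server says it is active."""
    if local_check(token) is None:
        return False
    return introspect(token).get("active") is True if use_introspection else True
```

The gap between the two modes is the remaining lifetime of the token, so a resource server that skips introspection should only be paired with short token lifetimes.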


At the end of successfully passing the presented list of authentication modules, a Subject entity is created in This one is unique for every login action. A Subject is related to a User stored in or to a federated identity.

Federated Identity

In it is possible to log in users who are not registered. This can be done by configuring several authentication modules, such as the OpenID Connect module. If one logs in via this module, there is no need to be registered in After someone logs in, a Session, a Token and a Subject entity are created. In contrast to regular users, this subject is now not related to a user object.

This functionality can be leveraged to configure your tenant as an identity broker.