AuthenticationSession

Represents an active authentication session after successful user login, managing security tokens, session state, and device context. Supports OAuth 2.0, OpenID Connect, and SAML protocols with token refresh, expiration policies, and session revocation. Enables session management across web, mobile, and API clients with security monitoring and audit capabilities.

26 properties
Schema

Properties

| Property | Type | Mode | Description | Required |
| --- | --- | --- | --- | --- |
| user | User | stored | Reference to the User who owns this authentication session | Required |
| sessionId | string | stored | Unique identifier for this session (used in cookies or session stores). Example: "sess_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" | Required |
| status | string | stored | Current status of this session. Values: active, expired, revoked, terminated. Example: "active" | Required |
| accessToken | string | stored | JWT or opaque access token for API authorization | Required |
| refreshToken | string | stored | Long-lived token used to obtain new access tokens | Optional |
| idToken | string | stored | OpenID Connect ID token containing user identity claims (JWT format) | Optional |
| tokenType | string | stored | Type of token issued (typically 'Bearer' for OAuth 2.0). Example: "Bearer" | Optional |
| scopes | string[] | stored | OAuth scopes granted in this session (defines access permissions). Example: ["openid","profile","email","api:read","api:write"] | Optional |
| initiatedAt | datetime | stored | Date/time when this session was initiated (login time). Example: "2024-11-22T08:15:00Z" | Required |
| expiresAt | datetime | stored | Date/time when this session expires and must be renewed or re-authenticated. Example: "2024-11-22T16:15:00Z" | Required |
| lastActivityAt | datetime | stored | Date/time of the most recent activity in this session (for idle timeout). Example: "2024-11-22T14:30:00Z" | Required |
| refreshTokenExpiresAt | datetime | stored | Date/time when the refresh token expires (longer than access token). Example: "2024-11-29T08:15:00Z" | Optional |
| deviceInfo | json | stored | Information about the device used for this session including userAgent, deviceType, osName, osVersion, browserName, browserVersion | Required |
| ipAddress | string | stored | IP address from which this session was initiated. Example: "203.0.113.45" | Optional |
| location | json | stored | Geographic location derived from IP address including country, region, city (for security monitoring) | Optional |
| authenticationMethod | AuthenticationMethod | stored | Reference to the AuthenticationMethod used to establish this session | Optional |
| identityProvider | IdentityProvider | stored | Reference to IdentityProvider if this session was established via federated authentication | Optional |
| isMfaVerified | boolean | stored | Whether multi-factor authentication was completed for this session. Example: true | Required |
| mfaVerifiedAt | datetime | stored | Date/time when MFA was verified in this session. Example: "2024-11-22T08:15:30Z" | Optional |
| deviceTrustLevel | string | stored | Trust level of the device used for this session. Values: trusted, recognized, unknown, suspicious. Example: "trusted" | Optional |
| revokedAt | datetime | stored | Date/time when this session was manually revoked (logout or security event). Example: "2024-11-22T15:00:00Z" | Optional |
| revokeReason | string | stored | Reason for session revocation (user-logout, admin-revoke, security-incident, password-change). Values: user-logout, admin-revoke, security-incident, password-change, idle-timeout, token-expired. Example: "user-logout" | Optional |
| metadata | json | stored | Additional session metadata including protocol-specific data, security flags, or custom attributes | Optional |
| isExpired | boolean | calculated | Whether this session has expired based on expiresAt timestamp | Optional |
| durationMinutes | number | calculated | Session duration in minutes from creation to current time or expiration | Optional |
| idleMinutes | number | calculated | Minutes since last activity in this session | Optional |
Optional

Examples

Example 1

{
  "@type": "AuthenticationSession",
  "user": {
    "@type": "User",
    "username": "john.doe"
  },
  "sessionId": "sess_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "status": "active",
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "rt_9x8y7z6w5v4u3t2s1r0q9p8o7n6m5l4k3j2i1h",
  "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0...",
  "tokenType": "Bearer",
  "scopes": [
    "openid",
    "profile",
    "email",
    "api:read",
    "api:write"
  ],
  "initiatedAt": "2024-11-22T08:15:00Z",
  "expiresAt": "2024-11-22T16:15:00Z",
  "lastActivityAt": "2024-11-22T14:30:00Z",
  "refreshTokenExpiresAt": "2024-11-29T08:15:00Z",
  "deviceInfo": {
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "deviceType": "desktop",
    "osName": "Windows",
    "osVersion": "10",
    "browserName": "Chrome",
    "browserVersion": "119.0.0.0"
  },
  "ipAddress": "203.0.113.45",
  "location": {
    "country": "United States",
    "region": "California",
    "city": "San Francisco"
  },
  "authenticationMethod": {
    "@type": "AuthenticationMethod",
    "name": "password-mfa"
  },
  "isMfaVerified": true,
  "mfaVerifiedAt": "2024-11-22T08:15:30Z",
  "deviceTrustLevel": "trusted"
}

Example 2

{
  "@type": "AuthenticationSession",
  "user": {
    "@type": "User",
    "username": "jane.smith"
  },
  "sessionId": "sess_b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7",
  "status": "active",
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "rt_8w7x6y5z4a3b2c1d0e9f8g7h6i5j4k3l2m",
  "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTk4NzYifQ...",
  "tokenType": "Bearer",
  "scopes": [
    "openid",
    "profile",
    "email"
  ],
  "initiatedAt": "2024-11-21T16:45:00Z",
  "expiresAt": "2024-11-22T00:45:00Z",
  "lastActivityAt": "2024-11-21T23:20:00Z",
  "refreshTokenExpiresAt": "2024-11-28T16:45:00Z",
  "deviceInfo": {
    "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
    "deviceType": "mobile",
    "osName": "iOS",
    "osVersion": "17.0",
    "browserName": "Safari",
    "browserVersion": "17.0"
  },
  "ipAddress": "198.51.100.78",
  "location": {
    "country": "France",
    "region": "Île-de-France",
    "city": "Paris"
  },
  "identityProvider": {
    "@type": "IdentityProvider",
    "name": "Enterprise OIDC Provider",
    "protocol": "oidc"
  },
  "isMfaVerified": false,
  "deviceTrustLevel": "recognized"
}

Example 3

{
  "@type": "AuthenticationSession",
  "user": {
    "@type": "User",
    "username": "bob.wilson"
  },
  "sessionId": "sess_c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8",
  "status": "revoked",
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "tokenType": "Bearer",
  "scopes": [
    "openid",
    "profile",
    "email",
    "api:read"
  ],
  "initiatedAt": "2024-11-22T07:30:00Z",
  "expiresAt": "2024-11-22T15:30:00Z",
  "lastActivityAt": "2024-11-22T12:15:00Z",
  "deviceInfo": {
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
    "deviceType": "desktop",
    "osName": "macOS",
    "osVersion": "10.15.7",
    "browserName": "Safari",
    "browserVersion": "16.6"
  },
  "ipAddress": "192.0.2.123",
  "location": {
    "country": "United States",
    "region": "New York",
    "city": "New York"
  },
  "identityProvider": {
    "@type": "IdentityProvider",
    "name": "Corporate SAML IdP",
    "protocol": "saml2"
  },
  "isMfaVerified": true,
  "mfaVerifiedAt": "2024-11-22T07:30:45Z",
  "deviceTrustLevel": "trusted",
  "revokedAt": "2024-11-22T13:00:00Z",
  "revokeReason": "user-logout",
  "metadata": {
    "saml_session_index": "s2a1b2c3d4e5f6g7h8i9j0"
  }
}

Example 4

{
  "@type": "AuthenticationSession",
  "user": {
    "@type": "User",
    "username": "alice.brown"
  },
  "sessionId": "sess_d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9",
  "status": "expired",
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "tokenType": "Bearer",
  "scopes": [
    "api:read"
  ],
  "initiatedAt": "2024-11-15T10:00:00Z",
  "expiresAt": "2024-11-15T18:00:00Z",
  "lastActivityAt": "2024-11-15T17:45:00Z",
  "deviceInfo": {
    "userAgent": "MyApp/1.2.3 (Android 13; Pixel 7)",
    "deviceType": "mobile",
    "osName": "Android",
    "osVersion": "13",
    "appName": "MyApp",
    "appVersion": "1.2.3"
  },
  "ipAddress": "198.18.0.45",
  "location": {
    "country": "Japan",
    "region": "Tokyo",
    "city": "Tokyo"
  },
  "authenticationMethod": {
    "@type": "AuthenticationMethod",
    "name": "password-basic"
  },
  "isMfaVerified": false,
  "deviceTrustLevel": "unknown"
}

Example 5

{
  "@type": "AuthenticationSession",
  "user": {
    "@type": "User",
    "username": "api.service.1"
  },
  "sessionId": "sess_e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0",
  "status": "active",
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "tokenType": "Bearer",
  "scopes": [
    "api:read",
    "api:write",
    "admin:read"
  ],
  "initiatedAt": "2024-11-01T00:00:00Z",
  "expiresAt": "2025-11-01T00:00:00Z",
  "lastActivityAt": "2024-11-22T15:45:00Z",
  "deviceInfo": {
    "userAgent": "ServiceClient/2.0.0",
    "deviceType": "server",
    "runtime": "Node.js",
    "runtimeVersion": "20.10.0"
  },
  "ipAddress": "10.0.1.50",
  "authenticationMethod": {
    "@type": "AuthenticationMethod",
    "name": "certificate"
  },
  "isMfaVerified": false,
  "deviceTrustLevel": "trusted",
  "metadata": {
    "clientType": "service-account",
    "apiKeyId": "key_abc123"
  }
}
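
The calculated properties (isExpired, durationMinutes, idleMinutes) and the stored status can disagree, so a consumer should re-derive them at request time rather than trust `status` alone. The sketch below is an added example, not code from this schema's authors; the function names, the 30-minute idle limit, the evaluation time and the "whichever is earlier" reading of durationMinutes are assumptions.

```python
from datetime import datetime

def parse_ts(value):
    # The schema's datetimes are ISO 8601 in UTC, e.g. "2024-11-22T08:15:00Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def minutes(start, end):
    return int((end - start).total_seconds() // 60)

def calculated(session, now):
    """Derive the three calculated properties from the stored timestamps."""
    initiated, expires = parse_ts(session["initiatedAt"]), parse_ts(session["expiresAt"])
    return {
        "isExpired": now >= expires,
        # Assumed reading of "to current time or expiration": whichever is earlier.
        "durationMinutes": minutes(initiated, min(now, expires)),
        "idleMinutes": minutes(parse_ts(session["lastActivityAt"]), now),
    }

def evaluate(session, now, idle_limit_minutes=30):
    """Return (usable, findings); idle_limit_minutes is an assumed policy value."""
    calc, findings = calculated(session, now), []
    if session["status"] != "active":
        findings.append("status is " + session["status"])
    if calc["isExpired"]:
        findings.append("expiresAt has passed")
    if calc["idleMinutes"] > idle_limit_minutes:
        findings.append("idle timeout exceeded")
    # Cross-field consistency between related stored properties.
    if session["status"] == "active" and "revokedAt" in session:
        findings.append("revokedAt set on an active session")
    if "mfaVerifiedAt" in session and not session["isMfaVerified"]:
        findings.append("mfaVerifiedAt set but isMfaVerified is false")
    return (not findings, findings)

# Timestamps and flags copied from the page's Example 1 and Example 4 (tokens omitted).
EXAMPLE_1 = {"status": "active", "initiatedAt": "2024-11-22T08:15:00Z",
             "expiresAt": "2024-11-22T16:15:00Z", "lastActivityAt": "2024-11-22T14:30:00Z",
             "isMfaVerified": True, "mfaVerifiedAt": "2024-11-22T08:15:30Z"}
EXAMPLE_4 = {"status": "expired", "initiatedAt": "2024-11-15T10:00:00Z",
             "expiresAt": "2024-11-15T18:00:00Z", "lastActivityAt": "2024-11-15T17:45:00Z",
             "isMfaVerified": False}

if __name__ == "__main__":
    now = parse_ts("2024-11-22T14:45:00Z")  # constructed evaluation time
    for record in (EXAMPLE_1, EXAMPLE_4):
        print(calculated(record, now), evaluate(record, now))
```

Evaluated 25 minutes later, Example 1 still has status "active" but fails the idle check, which is the case a stored status field cannot catch on its own.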