diff --git a/oauth3.core.js b/oauth3.core.js
index 526be8e..93f3b9a 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -480,13 +480,15 @@
           // info about the newly-discovered token
           oldSession.token = OAUTH3.jwt.decode(oldSession.access_token).payload;
 
-          oldSession.token.sub = oldSession.token.sub || oldSession.token.acx.id;
+          oldSession.token.sub = oldSession.token.sub || (oldSession.token.acx||{}).id
+            || ((oldSession.token.axs||[])[0]||{}).id;
           oldSession.token.client_uri = clientUri;
           oldSession.token.provider_uri = providerUri;
 
           if (oldSession.refresh_token) {
             oldSession.refresh = OAUTH3.jwt.decode(oldSession.refresh_token).payload;
-            oldSession.refresh.sub = oldSession.refresh.sub || oldSession.refresh.acx.id;
+            oldSession.refresh.sub = oldSession.refresh.sub || (oldSession.refresh.acx||{}).id
+              || ((oldSession.refresh.axs||[])[0]||{}).id;
             oldSession.refresh.provider_uri = providerUri;
           }