diff --git a/oauth3.core.js b/oauth3.core.js
index cfad6ac..ea00f3d 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -485,14 +485,18 @@
           oldSession.token = OAUTH3.jwt.decode(oldSession.access_token).payload;
 
           oldSession.token.sub = oldSession.token.sub || (oldSession.token.acx||{}).id
-            || ((oldSession.token.axs||[])[0]||{}).id;
+            || ((oldSession.token.axs||[])[0]||{}).appScopedId
+            || ((oldSession.token.axs||[])[0]||{}).id
+            ;
           oldSession.token.client_uri = clientUri;
           oldSession.token.provider_uri = providerUri;
 
           if (oldSession.refresh_token) {
             oldSession.refresh = OAUTH3.jwt.decode(oldSession.refresh_token).payload;
             oldSession.refresh.sub = oldSession.refresh.sub || (oldSession.refresh.acx||{}).id
-              || ((oldSession.refresh.axs||[])[0]||{}).id;
+              || ((oldSession.refresh.axs||[])[0]||{}).appScopedId
+              || ((oldSession.refresh.axs||[])[0]||{}).id
+              ;
             oldSession.refresh.provider_uri = providerUri;
           }
 
@@ -1144,7 +1148,6 @@
 
         return OAUTH3.implicitGrant(me._providerDirectives, opts).then(function (session) {
           me._session = true;
-          me.__session = session;
           return session;
         });
       }
@@ -1168,7 +1171,6 @@
         return OAUTH3.request(preq, opts);
       }
     , logout: function (opts) {
-        this.__session = false;
         this._session = false;
         opts = opts || {};
         opts.client_uri = this._clientUri;
@@ -1180,7 +1182,7 @@
     , api: function (api, opts) {
         opts = opts || {};
         opts.api = api;
-        opts.session = this.__session || OAUTH3.hooks.session._getCached(this._providerUri);
+        opts.session = OAUTH3.hooks.session._getCached(this._providerUri);
 
         return OAUTH3.api(this._providerUri, opts);
       }