The User Identity object is kept in memory and is scoped to the current session.
In other words, the credentials are not persisted; one would need to dump the server memory and dig through it or connect with a debugger. It's considered secure. The production server is also supposed to run in a secure environment with limited access to the process, etc... of course.
The credentials stored in this object can be used by the adapter to authenticate with a back-end on behalf of the user.
- In a HTTP adapter, the authentication schemes Basic, Digest and NTLM use that technique
- In non-HTTP adapter and in custom authentication schemes, the developer can use those credentials as necessary.