From 5b77eeb0d694677cc1853799888533f07cf9ea7f Mon Sep 17 00:00:00 2001
From: Raphael Lullis <raphael@mushroomlabs.com>
Date: Mon, 27 Jan 2025 21:52:32 +0100
Subject: [PATCH] OIDC Session management
 (https://openid.net/specs/openid-connect-session-1_0.html)

To enable it, user must add OIDC_SESSION_MANAGEMENT_ENABLED and provide
OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY on OAUTH2_PROVIDER settings,
and add the proper middleware.

This PR contains:

 - change in AuthorizationView to return 'session_state' parameter in
   authentication response
 - a SessionIFrameView as part of the OIDC views, which renders the content
   of the iframe used by RPs to keep track of session state changes.
 - middleware that sets the cookie
 - Documentation
 - Test for the changed authentication view
---
 AUTHORS                                       |  1 +
 CHANGELOG.md                                  |  1 +
 docs/oidc.rst                                 | 33 ++++++++++
 docs/settings.rst                             | 18 ++++++
 oauth2_provider/checks.py                     | 13 ++++
 oauth2_provider/middleware.py                 | 20 ++++++
 oauth2_provider/settings.py                   |  4 ++
 .../templates/oauth2_provider/base.html       |  2 +
 .../oauth2_provider/check_session_iframe.html | 63 +++++++++++++++++++
 oauth2_provider/urls.py                       |  1 +
 oauth2_provider/utils.py                      | 11 ++++
 oauth2_provider/views/__init__.py             |  8 ++-
 oauth2_provider/views/base.py                 | 36 +++++++++--
 oauth2_provider/views/oidc.py                 | 39 +++++++++---
 tests/presets.py                              |  4 ++
 tests/test_oidc_views.py                      | 50 ++++++++++++++-
 tests/test_session_management.py              | 46 ++++++++++++++
 17 files changed, 335 insertions(+), 15 deletions(-)
 create mode 100644 oauth2_provider/templates/oauth2_provider/check_session_iframe.html
 create mode 100644 tests/test_session_management.py

diff --git a/AUTHORS b/AUTHORS
index e2da60020..6b9632b18 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -99,6 +99,7 @@ Peter Karman
 Peter McDonald
 Petr Dlouhý
 pySilver
+Raphael Lullis
 Rodney Richardson
 Rustem Saiargaliev
 Rustem Saiargaliev
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c4770459..cae4b0deb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
 ### Added
 * #1506 Support for Wildcard Origin and Redirect URIs
+* Support for OIDC Session Management (https://openid.net/specs/openid-connect-session-1_0.html)
 <!--
 ### Changed
 ### Deprecated
diff --git a/docs/oidc.rst b/docs/oidc.rst
index 1669a00d4..cf92ff5ca 100644
--- a/docs/oidc.rst
+++ b/docs/oidc.rst
@@ -381,6 +381,39 @@ token, so you will probably want to reuse that::
             claims["color_scheme"] = get_color_scheme(request.user)
             return claims
 
+
+Session Management
+==================
+
+The `OpenID Connect Session Management 1.0
+<https://openid.net/specs/openid-connect-session-1_0.html>`_
+specification defines how to monitor the End-User's login status at
+the OpenID Provider on an ongoing basis so that the Relying Party can
+log out an End-User who has logged out of the OpenID Provider.
+
+To enable it, you will need to add
+``oauth2_provider.middleware.OIDCSessionManagementMiddleware`` to MIDDLEWARES and set
+``OIDC_SESSION_MANAGEMENT_ENABLED`` to ``True`` on
+``OAUTH2_PROVIDER``. You will also need to provide a string on
+``OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY``. This setting is
+needed to ensure that the browser state for all unauthenticated users
+is fixed and the same even if you are running multiple server
+processes :::
+
+    import os
+
+    MIDDLEWARES = [
+        # Other middleware...
+        oauth2_provider.middleware.OIDCSessionManagementMiddleware,
+    ]
+
+    OAUTH2_PROVIDER = {
+        # ... other settings
+        "OIDC_SESSION_MANAGEMENT_ENABLED": True,
+        "OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY": os.environ.get("OIDC_DEFAULT_SESSION_KEY"),
+    }
+
+
 Customizing the login flow
 ==========================
 
diff --git a/docs/settings.rst b/docs/settings.rst
index 985ca5d2c..646f0ba38 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -315,6 +315,12 @@ Default: ``False``
 
 Whether or not :doc:`oidc` support is enabled.
 
+OIDC_SESSION_MANAGEMENT_ENABLED
+~~~~~~~~~~~~
+Default: ``False``
+
+Whether or not :doc:`oidc` support is enabled.
+
 OIDC_RSA_PRIVATE_KEY
 ~~~~~~~~~~~~~~~~~~~~
 Default: ``""``
@@ -353,6 +359,18 @@ this you must also provide the service at that endpoint.
 If unset, the default location is used, eg if ``django-oauth-toolkit`` is
 mounted at ``/o/``, it will be ``<server-address>/o/userinfo/``.
 
+OIDC_SESSION_IFRAME_ENDPOINT
+~~~~~~~~~~~~~~~~~~~~~~
+Default: ``""``
+
+The url of the session frame endpoint. Used to advertise the location of the
+endpoint in the OIDC discovery metadata. Changing this does not change the URL
+that ``django-oauth-toolkit`` adds for the userinfo endpoint, so if you change
+this you must also provide the service at that endpoint.
+
+If unset, the default location is used, eg if ``django-oauth-toolkit`` is
+mounted at ``/o/``, it will be ``<server-address>/o/session-iframe/``.
+
 OIDC_RP_INITIATED_LOGOUT_ENABLED
 ~~~~~~~~~~~~~~~~~~~~~~~~
 Default: ``False``
diff --git a/oauth2_provider/checks.py b/oauth2_provider/checks.py
index 848ba1af7..d6a124fd5 100644
--- a/oauth2_provider/checks.py
+++ b/oauth2_provider/checks.py
@@ -26,3 +26,16 @@ def validate_token_configuration(app_configs, **kwargs):
         return [checks.Error("The token models are expected to be stored in the same database.")]
 
     return []
+
+
+@checks.register()
+def validate_session_management_configuration(app_configs, **kwargs):
+    oidc_session_enabled = oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED
+    has_default_key = oauth2_settings.OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY is not None
+    if oidc_session_enabled and not has_default_key:
+        return [
+            checks.Error(
+                "OIDC Session management is enabled, OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY is required."
+            )
+        ]
+    return []
diff --git a/oauth2_provider/middleware.py b/oauth2_provider/middleware.py
index 65c9cf03c..de6fe7482 100644
--- a/oauth2_provider/middleware.py
+++ b/oauth2_provider/middleware.py
@@ -5,6 +5,7 @@
 from django.utils.cache import patch_vary_headers
 
 from oauth2_provider.models import get_access_token_model
+from oauth2_provider.settings import oauth2_settings
 
 
 log = logging.getLogger(__name__)
@@ -63,3 +64,22 @@ def __call__(self, request):
                 log.exception(e)
         response = self.get_response(request)
         return response
+
+
+class OIDCSessionManagementMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        if not oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED:
+            return response
+
+        cookie_name = oauth2_settings.OIDC_SESSION_MANAGEMENT_COOKIE_NAME
+        if request.user.is_authenticated:
+            session_key_bytes = request.session.session_key.encode("utf-8")
+            hashed_key = hashlib.sha256(session_key_bytes).hexdigest()
+            response.set_cookie(cookie_name, hashed_key)
+        else:
+            response.delete_cookie(cookie_name)
+        return response
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
index 9771aa4e7..8c5796a5c 100644
--- a/oauth2_provider/settings.py
+++ b/oauth2_provider/settings.py
@@ -73,7 +73,11 @@
     "ALLOWED_SCHEMES": ["https"],
     "ALLOW_URI_WILDCARDS": False,
     "OIDC_ENABLED": False,
+    "OIDC_SESSION_MANAGEMENT_ENABLED": False,
+    "OIDC_SESSION_MANAGEMENT_COOKIE_NAME": "oidc_ua_agent_state",
+    "OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY": None,
     "OIDC_ISS_ENDPOINT": "",
+    "OIDC_SESSION_IFRAME_ENDPOINT": "",
     "OIDC_USERINFO_ENDPOINT": "",
     "OIDC_RSA_PRIVATE_KEY": "",
     "OIDC_RSA_PRIVATE_KEYS_INACTIVE": [],
diff --git a/oauth2_provider/templates/oauth2_provider/base.html b/oauth2_provider/templates/oauth2_provider/base.html
index 048c41f46..a3f3ad3e8 100644
--- a/oauth2_provider/templates/oauth2_provider/base.html
+++ b/oauth2_provider/templates/oauth2_provider/base.html
@@ -35,6 +35,8 @@
         }
 
     </style>
+    {% block js %}
+    {% endblock js %}
 </head>
 
 <body>
diff --git a/oauth2_provider/templates/oauth2_provider/check_session_iframe.html b/oauth2_provider/templates/oauth2_provider/check_session_iframe.html
new file mode 100644
index 000000000..37e7706a6
--- /dev/null
+++ b/oauth2_provider/templates/oauth2_provider/check_session_iframe.html
@@ -0,0 +1,63 @@
+{% extends "oauth2_provider/base.html" %}
+
+{% block title %}Check Session IFrame{% endblock %}
+
+{% block js %}
+<script language="JavaScript" type="text/javascript">
+ async function sha256(message) {
+   // Encode the message as UTF-8
+   const msgBuffer = new TextEncoder().encode(message)
+
+   // Generate the hash
+   const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer)
+   const hashArray = Array.from(new Uint8Array(hashBuffer))
+   return hashArray.map(b => b.toString(16).padStart(2, '0')).join('')
+ }
+
+ window.addEventListener("message", receiveMessage)
+
+ async function receiveMessage(e) {
+   // e.data has client_id and session_state
+   if (!e.data || typeof e.data != 'string' || e.data == 'error') {
+     return
+   }
+
+   try {
+     const [clientId, sessionStateImage] = e.data.split(' ')
+     const [sessionState, salt] = sessionStateImage.split('.')
+
+     let userAgentState
+     try {
+       userAgentState = getUserAgentState()
+     }
+     catch (err) {
+       userAgentState = ''
+     }
+     const knownImage = await sha256(`${clientId} ${e.origin} ${userAgentState} ${salt}`)
+
+     const status = sessionState == knownImage ? 'unchanged' : 'changed'
+     e.source.postMessage(status, e.origin)
+   } catch(err) {
+     e.source.postMessage(`error: ${err}`, e.origin)
+   }
+ }
+
+
+ function getUserAgentState() {
+   const cookieName = "{{ cookie_name }}"
+   if (document.cookie && document.cookie !== '') {
+     const cookies = document.cookie.split(';')
+     for (var i = 0; i < cookies.length; i++) {
+       const cookie = cookies[i].trim()
+       // Does this cookie string begin with the name we want?
+       if (cookie.substring(0, cookieName.length + 1) === (cookieName + '=')) {
+         return decodeURIComponent(cookie.substring(cookieName.length + 1))
+       }
+     }
+   }
+   throw new Error('OIDC Session Cookie not set')
+ }
+</script>
+{% endblock %}
+
+{% block content %}OIDC Session Management OP Iframe{% endblock content %}
diff --git a/oauth2_provider/urls.py b/oauth2_provider/urls.py
index 155822f45..237bee4c1 100644
--- a/oauth2_provider/urls.py
+++ b/oauth2_provider/urls.py
@@ -42,6 +42,7 @@
     ),
     path(".well-known/jwks.json", views.JwksInfoView.as_view(), name="jwks-info"),
     path("userinfo/", views.UserInfoView.as_view(), name="user-info"),
+    path("session-iframe/", views.SessionIFrameView.as_view(), name="session-iframe"),
     path("logout/", views.RPInitiatedLogoutView.as_view(), name="rp-initiated-logout"),
 ]
 
diff --git a/oauth2_provider/utils.py b/oauth2_provider/utils.py
index 3f48723c5..bf014f28e 100644
--- a/oauth2_provider/utils.py
+++ b/oauth2_provider/utils.py
@@ -1,8 +1,11 @@
 import functools
+import hashlib
 
 from django.conf import settings
 from jwcrypto import jwk
 
+from .settings import oauth2_settings
+
 
 @functools.lru_cache()
 def jwk_from_pem(pem_string):
@@ -32,3 +35,11 @@ def get_timezone(time_zone):
 
             return pytz.timezone(time_zone)
         return zoneinfo.ZoneInfo(time_zone)
+
+
+def session_management_state_key(request):
+    """
+    Determine value to use as session state.
+    """
+    key = request.session.session_key or str(oauth2_settings.OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY)
+    return hashlib.sha256(key.encode("utf-8")).hexdigest()
diff --git a/oauth2_provider/views/__init__.py b/oauth2_provider/views/__init__.py
index 9e32e17d8..e42b723ce 100644
--- a/oauth2_provider/views/__init__.py
+++ b/oauth2_provider/views/__init__.py
@@ -15,5 +15,11 @@
     ScopedProtectedResourceView,
 )
 from .introspect import IntrospectTokenView
-from .oidc import ConnectDiscoveryInfoView, JwksInfoView, RPInitiatedLogoutView, UserInfoView
+from .oidc import (
+    ConnectDiscoveryInfoView,
+    JwksInfoView,
+    RPInitiatedLogoutView,
+    SessionIFrameView,
+    UserInfoView,
+)
 from .token import AuthorizedTokenDeleteView, AuthorizedTokensListView
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index c5c904b14..1d1e8492c 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -1,6 +1,7 @@
 import hashlib
 import json
 import logging
+import secrets
 from urllib.parse import parse_qsl, urlencode, urlparse
 
 from django.contrib.auth.mixins import LoginRequiredMixin
@@ -21,6 +22,7 @@
 from ..scopes import get_scopes_backend
 from ..settings import oauth2_settings
 from ..signals import app_authorized
+from ..utils import session_management_state_key
 from .mixins import OAuthLibMixin
 
 
@@ -140,6 +142,35 @@ def form_valid(self, form):
         except OAuthToolkitError as error:
             return self.error_response(error, application)
 
+        if oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED:
+            # https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
+
+            # When the OP supports session management, it MUST also
+            # return the Session State as an additional session_state
+            # parameter in the Authentication Response, the value is
+            # based on a salted cryptographic hash of Client ID,
+            # origin URL, and OP User Agent state.
+            parsed = urlparse(uri)
+            client_origin = f"{parsed.scheme}://{parsed.netloc}"
+
+            # Create random salt.
+            salt = secrets.token_urlsafe(16)
+            encoded = " ".join(
+                [
+                    credentials["client_id"],
+                    client_origin,
+                    session_management_state_key(self.request),
+                    salt,
+                ]
+            ).encode("utf-8")
+            hashed = hashlib.sha256(encoded)
+            session_state = f"{hashed.hexdigest()}.{salt}"
+
+            # Add the session_state parameter to the query string
+            qs = dict(parse_qsl(parsed.query))
+            qs["session_state"] = session_state
+            uri = parsed._replace(query=urlencode(qs)).geturl()
+
         self.success_url = uri
         log.debug("Success url for the request: {0}".format(self.success_url))
         return self.redirect(self.success_url, application)
@@ -214,10 +245,7 @@ def get(self, request, *args, **kwargs):
                 for token in tokens:
                     if token.allow_scopes(scopes):
                         uri, headers, body, status = self.create_authorization_response(
-                            request=self.request,
-                            scopes=" ".join(scopes),
-                            credentials=credentials,
-                            allow=True,
+                            request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True
                         )
                         return self.redirect(uri, application)
 
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
index a252f1be4..bb4beed7c 100644
--- a/oauth2_provider/views/oidc.py
+++ b/oauth2_provider/views/oidc.py
@@ -6,8 +6,9 @@
 from django.http import HttpResponse, JsonResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
+from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.csrf import csrf_exempt
-from django.views.generic import FormView, View
+from django.views.generic import FormView, TemplateView, View
 from jwcrypto import jwt
 from jwcrypto.common import JWException
 from jwcrypto.jws import InvalidJWSObject
@@ -57,6 +58,10 @@ def get(self, request, *args, **kwargs):
             userinfo_endpoint = oauth2_settings.OIDC_USERINFO_ENDPOINT or request.build_absolute_uri(
                 reverse("oauth2_provider:user-info")
             )
+            session_iframe_endpoint = (
+                oauth2_settings.OIDC_SESSION_IFRAME_ENDPOINT
+                or request.build_absolute_uri(reverse("oauth2_provider:session-iframe"))
+            )
             jwks_uri = request.build_absolute_uri(reverse("oauth2_provider:jwks-info"))
             if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
                 end_session_endpoint = request.build_absolute_uri(
@@ -70,6 +75,9 @@ def get(self, request, *args, **kwargs):
             userinfo_endpoint = oauth2_settings.OIDC_USERINFO_ENDPOINT or "{}{}".format(
                 host, reverse("oauth2_provider:user-info")
             )
+            session_iframe_endpoint = oauth2_settings.OIDC_SESSION_IFRAME_ENDPOINT or "{}{}".format(
+                host, reverse("oauth2_provider:session-iframe")
+            )
             jwks_uri = "{}{}".format(host, reverse("oauth2_provider:jwks-info"))
             if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
                 end_session_endpoint = "{}{}".format(host, reverse("oauth2_provider:rp-initiated-logout"))
@@ -103,6 +111,10 @@ def get(self, request, *args, **kwargs):
         }
         if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
             data["end_session_endpoint"] = end_session_endpoint
+
+        if oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED:
+            data["check_session_iframe"] = session_iframe_endpoint
+
         response = JsonResponse(data)
         response["Access-Control-Allow-Origin"] = "*"
         return response
@@ -136,6 +148,23 @@ def get(self, request, *args, **kwargs):
         return response
 
 
+@method_decorator(csrf_exempt, name="dispatch")
+@method_decorator(login_not_required, name="dispatch")
+@method_decorator(xframe_options_exempt, name="dispatch")
+class SessionIFrameView(OIDCOnlyMixin, OAuthLibMixin, TemplateView):
+    """
+    Render OP Session IFrame:
+    https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.3.2
+    """
+
+    template_name = "oauth2_provider/check_session_iframe.html"
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context.update({"cookie_name": oauth2_settings.OIDC_SESSION_MANAGEMENT_COOKIE_NAME})
+        return context
+
+
 @method_decorator(csrf_exempt, name="dispatch")
 @method_decorator(login_not_required, name="dispatch")
 class UserInfoView(OIDCOnlyMixin, OAuthLibMixin, View):
@@ -221,10 +250,7 @@ class RPInitiatedLogoutView(OIDCLogoutOnlyMixin, FormView):
     form_class = ConfirmLogoutForm
     # Only delete tokens for Application whose client type and authorization
     # grant type are in the respective lists.
-    token_deletion_client_types = [
-        Application.CLIENT_PUBLIC,
-        Application.CLIENT_CONFIDENTIAL,
-    ]
+    token_deletion_client_types = [Application.CLIENT_PUBLIC, Application.CLIENT_CONFIDENTIAL]
     token_deletion_grant_types = [
         Application.GRANT_AUTHORIZATION_CODE,
         Application.GRANT_IMPLICIT,
@@ -465,8 +491,7 @@ def do_logout(self, application=None, post_logout_redirect_uri=None, state=None,
                 return OAuth2ResponseRedirect(post_logout_redirect_uri, application.get_allowed_schemes())
         else:
             return OAuth2ResponseRedirect(
-                self.request.build_absolute_uri("/"),
-                oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES,
+                self.request.build_absolute_uri("/"), oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES
             )
 
     def error_response(self, error):
diff --git a/tests/presets.py b/tests/presets.py
index 4538c64eb..6a1a2974e 100644
--- a/tests/presets.py
+++ b/tests/presets.py
@@ -37,6 +37,10 @@
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS["OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS"] = False
+OIDC_SETTINGS_SESSION_MANAGEMENT = deepcopy(OIDC_SETTINGS_RW)
+OIDC_SETTINGS_SESSION_MANAGEMENT["OIDC_SESSION_MANAGEMENT_ENABLED"] = True
+OIDC_SETTINGS_SESSION_MANAGEMENT["OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY"] = "oidc-session-test-key"
+
 REST_FRAMEWORK_SCOPES = {
     "SCOPES": {
         "read": "Read scope",
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
index 65197cbd1..e1237542a 100644
--- a/tests/test_oidc_views.py
+++ b/tests/test_oidc_views.py
@@ -1,5 +1,5 @@
 import pytest
-from django.contrib.auth import get_user
+from django.contrib.auth import get_user, get_user_model
 from django.contrib.auth.models import AnonymousUser
 from django.test import RequestFactory
 from django.urls import reverse
@@ -12,7 +12,12 @@
     InvalidOIDCClientError,
     InvalidOIDCRedirectURIError,
 )
-from oauth2_provider.models import get_access_token_model, get_id_token_model, get_refresh_token_model
+from oauth2_provider.models import (
+    get_access_token_model,
+    get_application_model,
+    get_id_token_model,
+    get_refresh_token_model,
+)
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.settings import oauth2_settings
 from oauth2_provider.views.oidc import RPInitiatedLogoutView, _load_id_token, _validate_claims
@@ -132,7 +137,10 @@ def test_get_connect_discovery_info_without_issuer_url(self):
             ],
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
-            "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "token_endpoint_auth_methods_supported": [
+                "client_secret_post",
+                "client_secret_basic",
+            ],
             "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
@@ -206,6 +214,42 @@ def test_get_jwks_info_multiple_rsa_keys(self):
         assert response.json() == expected_response
 
 
+@pytest.mark.usefixtures("oauth2_settings")
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_SESSION_MANAGEMENT)
+class TestAuthorizationView(TestCase):
+    def test_session_state_is_present_in_url(self):
+        User = get_user_model()
+        Application = get_application_model()
+
+        User.objects.create_user("test_user", "test@example.com", "123456")
+        dev_user = User.objects.create_user("dev_user", "dev@example.com", "123456")
+
+        application = Application.objects.create(
+            name="Test Application",
+            redirect_uris=(
+                "http://localhost http://example.com http://example.org custom-scheme://example.com"
+            ),
+            user=dev_user,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_secret="1234567890qwertyuiop",
+        )
+        self.client.login(username="test_user", password="123456")
+        response = self.client.post(
+            reverse("oauth2_provider:authorize"),
+            {
+                "client_id": application.client_id,
+                "response_type": "code",
+                "state": "random_state_string",
+                "scope": "read write",
+                "redirect_uri": "http://example.org",
+                "allow": True,
+            },
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertTrue("session_state" in response["Location"])
+
+
 def mock_request():
     """
     Dummy request with an AnonymousUser attached.
diff --git a/tests/test_session_management.py b/tests/test_session_management.py
new file mode 100644
index 000000000..df33f82bf
--- /dev/null
+++ b/tests/test_session_management.py
@@ -0,0 +1,46 @@
+from copy import deepcopy
+from http.cookies import SimpleCookie
+
+import pytest
+from django.contrib.auth import get_user_model
+from django.test.utils import modify_settings
+
+from . import presets
+from .common_testing import OAuth2ProviderTestCase as TestCase
+
+
+PRESET_OIDC_MIDDLEWARE = deepcopy(presets.OIDC_SETTINGS_SESSION_MANAGEMENT)
+PRESET_OIDC_MIDDLEWARE["OIDC_SESSION_MANAGEMENT_COOKIE_NAME"] = "oidc-session-test"
+
+User = get_user_model()
+
+
+@pytest.mark.usefixtures("oauth2_settings")
+@pytest.mark.oauth2_settings(PRESET_OIDC_MIDDLEWARE)
+@modify_settings(MIDDLEWARE={"append": "oauth2_provider.middleware.OIDCSessionManagementMiddleware"})
+class TestOIDCSessionManagementMiddleware(TestCase):
+    def setUp(self):
+        User.objects.create_user("test_user", "test@example.com", "123456")
+
+    def test_session_cookie_is_set_for_logged_users(self):
+        self.client.login(username="test_user", password="123456")
+        response = self.client.get("/a-resource")
+        self.assertTrue(isinstance(response.cookies, SimpleCookie))
+        self.assertTrue("oidc-session-test" in response.cookies.keys())
+        self.assertNotEqual(response.cookies["oidc-session-test"].value, "")
+
+    def test_session_cookie_is_cleared_for_anonymous_users(self):
+        response = self.client.get("/a-resource")
+        self.assertTrue(isinstance(response.cookies, SimpleCookie))
+        self.assertTrue("oidc-session-test" in response.cookies.keys())
+        self.assertEqual(response.cookies["oidc-session-test"].value, "")
+
+    def test_session_cookie_is_not_set_after_logging_out(self):
+        self.client.login(username="test_user", password="123456")
+        self.client.get("/a-resource")
+        self.client.logout()
+
+        response = self.client.get("/another-resource")
+        self.assertTrue(isinstance(response.cookies, SimpleCookie))
+        self.assertTrue("oidc-session-test" in response.cookies.keys())
+        self.assertEqual(response.cookies["oidc-session-test"].value, "")