Do not use cookie for browser_state. It may not yet be there

oidc_provider/lib/endpoints/authorize.py

@@ -30,8 +30,7 @@ from oidc_provider.models import (
     UserConsent,
 )
 from oidc_provider import settings
-from oidc_provider.lib.utils.common import cleanup_url_from_query_string
-
+from oidc_provider.lib.utils.common import cleanup_url_from_query_string, get_browser_state_or_default
 
 logger = logging.getLogger(__name__)
 
@@ -197,7 +196,7 @@ class AuthorizeEndpoint(object):
                 session_state = '{client_id} {origin} {browser_state} {salt}'.format(
                     client_id=self.client.client_id,
                     origin=client_origin,
-                    browser_state=self.request.COOKIES['op_browser_state'],
+                    browser_state=get_browser_state_or_default(self.request),
                     salt=salt)
                 session_state = sha256(session_state.encode('utf-8')).hexdigest()
                 session_state += '.' + salt

oidc_provider/tests/test_authorize_endpoint.py

@@ -7,7 +7,7 @@ try:
 except ImportError:
     from urlparse import parse_qs, urlsplit
 import uuid
-from mock import patch
+from mock import patch, mock
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.management import call_command
@@ -537,3 +537,14 @@ class TestCreateResponseURI(TestCase):
             authorization_endpoint.create_response_uri()
 
         log_exception.assert_called_once_with('[Authorize] Error when trying to create response uri: %s', exception)
+
+    @override_settings(OIDC_SESSION_MANAGEMENT_ENABLE=True)
+    def test_create_response_uri_generates_session_state_if_session_management_enabled(self):
+        # RequestFactory doesn't support sessions, so we mock it
+        self.request.session = mock.Mock(session_key=None)
+
+        authorization_endpoint = AuthorizeEndpoint(self.request)
+        authorization_endpoint.validate_params()
+
+        uri = authorization_endpoint.create_response_uri()
+        self.assertIn('session_state=', uri)