From 3383a0b786cc5b7624076a72c9a7b1c57180fff1 Mon Sep 17 00:00:00 2001
From: Raphael Lullis <raphael@mushroomlabs.com>
Date: Mon, 27 Jan 2025 21:52:32 +0100
Subject: [PATCH] OIDC Session management
 (https://openid.net/specs/openid-connect-session-1_0.html)

To enable it, user must add OIDC_SESSION_MANAGEMENT_ENABLED and provide
OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY on OAUTH2_PROVIDER settings,
and add the proper middleware.

This PR contains:

 - change in AuthorizationView to return 'session_state' parameter in
   authentication response
 - a SessionIFrameView as part of the OIDC views, which renders the content
   of the iframe used by RPs to keep track of session state changes.
 - middleware that sets the cookie
 - Documentation
 - Test for the changed authentication view

To help with testing, there are also some improvements to the test RP.

 - Uses environment variables to allow connecting with other servers beyond localhost:8000
 - Monitors authentication session state using the OIDC provider's check_session_iframe endpoint
 - Periodically checks session status every 5 seconds via postMessage communication with hidden iframe
 - Handles discovery document fetching and validates provider support for session management
 - Update docker setup to use Node 22 and provides an optional docker-compose with cloudflared integration.
 - Vite server configuration to allow configurable hosts for development
---
 AUTHORS                                       |   1 +
 CHANGELOG.md                                  |   3 +-
 docs/oidc.rst                                 |  33 +
 docs/settings.rst                             |  18 +
 oauth2_provider/checks.py                     |  13 +
 oauth2_provider/middleware.py                 |  20 +
 oauth2_provider/settings.py                   |   4 +
 .../templates/oauth2_provider/base.html       |   2 +
 .../oauth2_provider/check_session_iframe.html |  63 ++
 oauth2_provider/urls.py                       |   1 +
 oauth2_provider/utils.py                      |  12 +
 oauth2_provider/views/__init__.py             |   8 +-
 oauth2_provider/views/base.py                 |  36 +-
 oauth2_provider/views/oidc.py                 |  39 +-
 tests/app/idp/idp/urls.py                     |   3 +-
 tests/app/rp/.env.example                     |  27 +
 tests/app/rp/Dockerfile                       |  13 +-
 tests/app/rp/docker-compose.yml               |  35 ++
 .../src/lib/components/SessionMonitor.svelte  | 580 ++++++++++++++++++
 tests/app/rp/src/routes/+layout.svelte        |  36 +-
 tests/app/rp/src/routes/+page.svelte          | 114 ++--
 tests/app/rp/src/routes/device/+page.svelte   |   9 +-
 tests/app/rp/src/routes/session/+page.svelte  |   9 +
 tests/app/rp/vite.config.ts                   |   5 +-
 tests/presets.py                              |   4 +
 tests/test_django_checks.py                   |  15 +
 tests/test_oauth2_validators.py               |   2 +-
 tests/test_oidc_views.py                      |  75 ++-
 tests/test_session_management.py              |  51 ++
 29 files changed, 1131 insertions(+), 100 deletions(-)
 create mode 100644 oauth2_provider/templates/oauth2_provider/check_session_iframe.html
 create mode 100644 tests/app/rp/.env.example
 create mode 100644 tests/app/rp/docker-compose.yml
 create mode 100644 tests/app/rp/src/lib/components/SessionMonitor.svelte
 create mode 100644 tests/app/rp/src/routes/session/+page.svelte
 create mode 100644 tests/test_session_management.py

diff --git a/AUTHORS b/AUTHORS
index 4ebe787cd..cd249c8b0 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -103,6 +103,7 @@ Peter McDonald
 Petr Dlouhý
 pySilver
 @realsuayip
+Raphael Lullis
 Rodney Richardson
 Rustem Saiargaliev
 Rustem Saiargaliev
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a29772c13..c2f5ef7af 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 * Support for Django 5.2
 * Support for Python 3.14 (Django >= 5.2.8)
-* #1539 Add device authorization grant support
-
+* Support for OIDC Session Management (https://openid.net/specs/openid-connect-session-1_0.html)
 
 <!--
 ### Changed
diff --git a/docs/oidc.rst b/docs/oidc.rst
index 1669a00d4..cf92ff5ca 100644
--- a/docs/oidc.rst
+++ b/docs/oidc.rst
@@ -381,6 +381,39 @@ token, so you will probably want to reuse that::
             claims["color_scheme"] = get_color_scheme(request.user)
             return claims
 
+
+Session Management
+==================
+
+The `OpenID Connect Session Management 1.0
+<https://openid.net/specs/openid-connect-session-1_0.html>`_
+specification defines how to monitor the End-User's login status at
+the OpenID Provider on an ongoing basis so that the Relying Party can
+log out an End-User who has logged out of the OpenID Provider.
+
+To enable it, you will need to add
+``oauth2_provider.middleware.OIDCSessionManagementMiddleware`` to MIDDLEWARES and set
+``OIDC_SESSION_MANAGEMENT_ENABLED`` to ``True`` on
+``OAUTH2_PROVIDER``. You will also need to provide a string on
+``OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY``. This setting is
+needed to ensure that the browser state for all unauthenticated users
+is fixed and the same even if you are running multiple server
+processes :::
+
+    import os
+
+    MIDDLEWARES = [
+        # Other middleware...
+        oauth2_provider.middleware.OIDCSessionManagementMiddleware,
+    ]
+
+    OAUTH2_PROVIDER = {
+        # ... other settings
+        "OIDC_SESSION_MANAGEMENT_ENABLED": True,
+        "OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY": os.environ.get("OIDC_DEFAULT_SESSION_KEY"),
+    }
+
+
 Customizing the login flow
 ==========================
 
diff --git a/docs/settings.rst b/docs/settings.rst
index 9c71bb2a8..21b7fc0f9 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -315,6 +315,12 @@ Default: ``False``
 
 Whether or not :doc:`oidc` support is enabled.
 
+OIDC_SESSION_MANAGEMENT_ENABLED
+~~~~~~~~~~~~
+Default: ``False``
+
+Whether or not :doc:`oidc` support is enabled.
+
 OIDC_RSA_PRIVATE_KEY
 ~~~~~~~~~~~~~~~~~~~~
 Default: ``""``
@@ -353,6 +359,18 @@ this you must also provide the service at that endpoint.
 If unset, the default location is used, eg if ``django-oauth-toolkit`` is
 mounted at ``/o/``, it will be ``<server-address>/o/userinfo/``.
 
+OIDC_SESSION_IFRAME_ENDPOINT
+~~~~~~~~~~~~~~~~~~~~~~
+Default: ``""``
+
+The url of the session frame endpoint. Used to advertise the location of the
+endpoint in the OIDC discovery metadata. Changing this does not change the URL
+that ``django-oauth-toolkit`` adds for the userinfo endpoint, so if you change
+this you must also provide the service at that endpoint.
+
+If unset, the default location is used, eg if ``django-oauth-toolkit`` is
+mounted at ``/o/``, it will be ``<server-address>/o/session-iframe/``.
+
 OIDC_RP_INITIATED_LOGOUT_ENABLED
 ~~~~~~~~~~~~~~~~~~~~~~~~
 Default: ``False``
diff --git a/oauth2_provider/checks.py b/oauth2_provider/checks.py
index 848ba1af7..d6a124fd5 100644
--- a/oauth2_provider/checks.py
+++ b/oauth2_provider/checks.py
@@ -26,3 +26,16 @@ def validate_token_configuration(app_configs, **kwargs):
         return [checks.Error("The token models are expected to be stored in the same database.")]
 
     return []
+
+
+@checks.register()
+def validate_session_management_configuration(app_configs, **kwargs):
+    oidc_session_enabled = oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED
+    has_default_key = oauth2_settings.OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY is not None
+    if oidc_session_enabled and not has_default_key:
+        return [
+            checks.Error(
+                "OIDC Session management is enabled, OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY is required."
+            )
+        ]
+    return []
diff --git a/oauth2_provider/middleware.py b/oauth2_provider/middleware.py
index 5a8a86d87..7bd7bd6a4 100644
--- a/oauth2_provider/middleware.py
+++ b/oauth2_provider/middleware.py
@@ -5,6 +5,7 @@
 from django.utils.cache import patch_vary_headers
 
 from oauth2_provider.models import get_access_token_model
+from oauth2_provider.settings import oauth2_settings
 
 
 log = logging.getLogger(__name__)
@@ -64,3 +65,22 @@ def __call__(self, request):
                 log.exception(e)
         response = self.get_response(request)
         return response
+
+
+class OIDCSessionManagementMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        if not oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED:
+            return response
+
+        cookie_name = oauth2_settings.OIDC_SESSION_MANAGEMENT_COOKIE_NAME
+        if request.user.is_authenticated:
+            session_key_bytes = request.session.session_key.encode("utf-8")
+            hashed_key = hashlib.sha256(session_key_bytes).hexdigest()
+            response.set_cookie(cookie_name, hashed_key)
+        else:
+            response.delete_cookie(cookie_name)
+        return response
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
index 216f36ba8..a562c581a 100644
--- a/oauth2_provider/settings.py
+++ b/oauth2_provider/settings.py
@@ -82,7 +82,11 @@
     "ALLOWED_SCHEMES": ["https"],
     "ALLOW_URI_WILDCARDS": False,
     "OIDC_ENABLED": False,
+    "OIDC_SESSION_MANAGEMENT_ENABLED": False,
+    "OIDC_SESSION_MANAGEMENT_COOKIE_NAME": "oidc_ua_agent_state",
+    "OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY": None,
     "OIDC_ISS_ENDPOINT": "",
+    "OIDC_SESSION_IFRAME_ENDPOINT": "",
     "OIDC_USERINFO_ENDPOINT": "",
     "OIDC_RSA_PRIVATE_KEY": "",
     "OIDC_RSA_PRIVATE_KEYS_INACTIVE": [],
diff --git a/oauth2_provider/templates/oauth2_provider/base.html b/oauth2_provider/templates/oauth2_provider/base.html
index 048c41f46..a3f3ad3e8 100644
--- a/oauth2_provider/templates/oauth2_provider/base.html
+++ b/oauth2_provider/templates/oauth2_provider/base.html
@@ -35,6 +35,8 @@
         }
 
     </style>
+    {% block js %}
+    {% endblock js %}
 </head>
 
 <body>
diff --git a/oauth2_provider/templates/oauth2_provider/check_session_iframe.html b/oauth2_provider/templates/oauth2_provider/check_session_iframe.html
new file mode 100644
index 000000000..37e7706a6
--- /dev/null
+++ b/oauth2_provider/templates/oauth2_provider/check_session_iframe.html
@@ -0,0 +1,63 @@
+{% extends "oauth2_provider/base.html" %}
+
+{% block title %}Check Session IFrame{% endblock %}
+
+{% block js %}
+<script language="JavaScript" type="text/javascript">
+ async function sha256(message) {
+   // Encode the message as UTF-8
+   const msgBuffer = new TextEncoder().encode(message)
+
+   // Generate the hash
+   const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer)
+   const hashArray = Array.from(new Uint8Array(hashBuffer))
+   return hashArray.map(b => b.toString(16).padStart(2, '0')).join('')
+ }
+
+ window.addEventListener("message", receiveMessage)
+
+ async function receiveMessage(e) {
+   // e.data has client_id and session_state
+   if (!e.data || typeof e.data != 'string' || e.data == 'error') {
+     return
+   }
+
+   try {
+     const [clientId, sessionStateImage] = e.data.split(' ')
+     const [sessionState, salt] = sessionStateImage.split('.')
+
+     let userAgentState
+     try {
+       userAgentState = getUserAgentState()
+     }
+     catch (err) {
+       userAgentState = ''
+     }
+     const knownImage = await sha256(`${clientId} ${e.origin} ${userAgentState} ${salt}`)
+
+     const status = sessionState == knownImage ? 'unchanged' : 'changed'
+     e.source.postMessage(status, e.origin)
+   } catch(err) {
+     e.source.postMessage(`error: ${err}`, e.origin)
+   }
+ }
+
+
+ function getUserAgentState() {
+   const cookieName = "{{ cookie_name }}"
+   if (document.cookie && document.cookie !== '') {
+     const cookies = document.cookie.split(';')
+     for (var i = 0; i < cookies.length; i++) {
+       const cookie = cookies[i].trim()
+       // Does this cookie string begin with the name we want?
+       if (cookie.substring(0, cookieName.length + 1) === (cookieName + '=')) {
+         return decodeURIComponent(cookie.substring(cookieName.length + 1))
+       }
+     }
+   }
+   throw new Error('OIDC Session Cookie not set')
+ }
+</script>
+{% endblock %}
+
+{% block content %}OIDC Session Management OP Iframe{% endblock content %}
diff --git a/oauth2_provider/urls.py b/oauth2_provider/urls.py
index ea974e045..c4d4542e0 100644
--- a/oauth2_provider/urls.py
+++ b/oauth2_provider/urls.py
@@ -54,6 +54,7 @@
     ),
     path(".well-known/jwks.json", views.JwksInfoView.as_view(), name="jwks-info"),
     path("userinfo/", views.UserInfoView.as_view(), name="user-info"),
+    path("session-iframe/", views.SessionIFrameView.as_view(), name="session-iframe"),
     path("logout/", views.RPInitiatedLogoutView.as_view(), name="rp-initiated-logout"),
 ]
 
diff --git a/oauth2_provider/utils.py b/oauth2_provider/utils.py
index a009d8a0e..5a164d8c4 100644
--- a/oauth2_provider/utils.py
+++ b/oauth2_provider/utils.py
@@ -1,4 +1,5 @@
 import functools
+import hashlib
 import random
 
 from django.conf import settings
@@ -100,3 +101,14 @@ def set_oauthlib_user_to_device_request_user(request: Request) -> None:
 
     device: DeviceGrant = get_device_grant_model().objects.get(device_code=request._params["device_code"])
     request.user = device.user
+
+
+def session_management_state_key(request):
+    """
+    Determine value to use as session state.
+    """
+
+    from oauth2_provider.settings import oauth2_settings
+
+    key = request.session.session_key or str(oauth2_settings.OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY)
+    return hashlib.sha256(key.encode("utf-8")).hexdigest()
diff --git a/oauth2_provider/views/__init__.py b/oauth2_provider/views/__init__.py
index 24022f55e..48922764c 100644
--- a/oauth2_provider/views/__init__.py
+++ b/oauth2_provider/views/__init__.py
@@ -15,6 +15,12 @@
     ScopedProtectedResourceView,
 )
 from .introspect import IntrospectTokenView
-from .oidc import ConnectDiscoveryInfoView, JwksInfoView, RPInitiatedLogoutView, UserInfoView
+from .oidc import (
+    ConnectDiscoveryInfoView,
+    JwksInfoView,
+    RPInitiatedLogoutView,
+    SessionIFrameView,
+    UserInfoView,
+)
 from .token import AuthorizedTokenDeleteView, AuthorizedTokensListView
 from .device import DeviceAuthorizationView, DeviceUserCodeView, DeviceConfirmView, DeviceGrantStatusView
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
index 43c8e3213..adb74ee61 100644
--- a/oauth2_provider/views/base.py
+++ b/oauth2_provider/views/base.py
@@ -1,6 +1,7 @@
 import hashlib
 import json
 import logging
+import secrets
 from urllib.parse import parse_qsl, urlencode, urlparse
 
 from django import http
@@ -25,6 +26,7 @@
 from ..scopes import get_scopes_backend
 from ..settings import oauth2_settings
 from ..signals import app_authorized
+from ..utils import session_management_state_key
 from .mixins import OAuthLibMixin
 
 
@@ -144,6 +146,35 @@ def form_valid(self, form):
         except OAuthToolkitError as error:
             return self.error_response(error, application)
 
+        if oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED:
+            # https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
+
+            # When the OP supports session management, it MUST also
+            # return the Session State as an additional session_state
+            # parameter in the Authentication Response, the value is
+            # based on a salted cryptographic hash of Client ID,
+            # origin URL, and OP User Agent state.
+            parsed = urlparse(uri)
+            client_origin = f"{parsed.scheme}://{parsed.netloc}"
+
+            # Create random salt.
+            salt = secrets.token_urlsafe(16)
+            encoded = " ".join(
+                [
+                    credentials["client_id"],
+                    client_origin,
+                    session_management_state_key(self.request),
+                    salt,
+                ]
+            ).encode("utf-8")
+            hashed = hashlib.sha256(encoded)
+            session_state = f"{hashed.hexdigest()}.{salt}"
+
+            # Add the session_state parameter to the query string
+            qs = dict(parse_qsl(parsed.query))
+            qs["session_state"] = session_state
+            uri = parsed._replace(query=urlencode(qs)).geturl()
+
         self.success_url = uri
         log.debug("Success url for the request: {0}".format(self.success_url))
         return self.redirect(self.success_url, application)
@@ -218,10 +249,7 @@ def get(self, request, *args, **kwargs):
                 for token in tokens:
                     if token.allow_scopes(scopes):
                         uri, headers, body, status = self.create_authorization_response(
-                            request=self.request,
-                            scopes=" ".join(scopes),
-                            credentials=credentials,
-                            allow=True,
+                            request=self.request, scopes=" ".join(scopes), credentials=credentials, allow=True
                         )
                         return self.redirect(uri, application)
 
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
index a252f1be4..bb4beed7c 100644
--- a/oauth2_provider/views/oidc.py
+++ b/oauth2_provider/views/oidc.py
@@ -6,8 +6,9 @@
 from django.http import HttpResponse, JsonResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
+from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.csrf import csrf_exempt
-from django.views.generic import FormView, View
+from django.views.generic import FormView, TemplateView, View
 from jwcrypto import jwt
 from jwcrypto.common import JWException
 from jwcrypto.jws import InvalidJWSObject
@@ -57,6 +58,10 @@ def get(self, request, *args, **kwargs):
             userinfo_endpoint = oauth2_settings.OIDC_USERINFO_ENDPOINT or request.build_absolute_uri(
                 reverse("oauth2_provider:user-info")
             )
+            session_iframe_endpoint = (
+                oauth2_settings.OIDC_SESSION_IFRAME_ENDPOINT
+                or request.build_absolute_uri(reverse("oauth2_provider:session-iframe"))
+            )
             jwks_uri = request.build_absolute_uri(reverse("oauth2_provider:jwks-info"))
             if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
                 end_session_endpoint = request.build_absolute_uri(
@@ -70,6 +75,9 @@ def get(self, request, *args, **kwargs):
             userinfo_endpoint = oauth2_settings.OIDC_USERINFO_ENDPOINT or "{}{}".format(
                 host, reverse("oauth2_provider:user-info")
             )
+            session_iframe_endpoint = oauth2_settings.OIDC_SESSION_IFRAME_ENDPOINT or "{}{}".format(
+                host, reverse("oauth2_provider:session-iframe")
+            )
             jwks_uri = "{}{}".format(host, reverse("oauth2_provider:jwks-info"))
             if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
                 end_session_endpoint = "{}{}".format(host, reverse("oauth2_provider:rp-initiated-logout"))
@@ -103,6 +111,10 @@ def get(self, request, *args, **kwargs):
         }
         if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
             data["end_session_endpoint"] = end_session_endpoint
+
+        if oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED:
+            data["check_session_iframe"] = session_iframe_endpoint
+
         response = JsonResponse(data)
         response["Access-Control-Allow-Origin"] = "*"
         return response
@@ -136,6 +148,23 @@ def get(self, request, *args, **kwargs):
         return response
 
 
+@method_decorator(csrf_exempt, name="dispatch")
+@method_decorator(login_not_required, name="dispatch")
+@method_decorator(xframe_options_exempt, name="dispatch")
+class SessionIFrameView(OIDCOnlyMixin, OAuthLibMixin, TemplateView):
+    """
+    Render OP Session IFrame:
+    https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.3.2
+    """
+
+    template_name = "oauth2_provider/check_session_iframe.html"
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context.update({"cookie_name": oauth2_settings.OIDC_SESSION_MANAGEMENT_COOKIE_NAME})
+        return context
+
+
 @method_decorator(csrf_exempt, name="dispatch")
 @method_decorator(login_not_required, name="dispatch")
 class UserInfoView(OIDCOnlyMixin, OAuthLibMixin, View):
@@ -221,10 +250,7 @@ class RPInitiatedLogoutView(OIDCLogoutOnlyMixin, FormView):
     form_class = ConfirmLogoutForm
     # Only delete tokens for Application whose client type and authorization
     # grant type are in the respective lists.
-    token_deletion_client_types = [
-        Application.CLIENT_PUBLIC,
-        Application.CLIENT_CONFIDENTIAL,
-    ]
+    token_deletion_client_types = [Application.CLIENT_PUBLIC, Application.CLIENT_CONFIDENTIAL]
     token_deletion_grant_types = [
         Application.GRANT_AUTHORIZATION_CODE,
         Application.GRANT_IMPLICIT,
@@ -465,8 +491,7 @@ def do_logout(self, application=None, post_logout_redirect_uri=None, state=None,
                 return OAuth2ResponseRedirect(post_logout_redirect_uri, application.get_allowed_schemes())
         else:
             return OAuth2ResponseRedirect(
-                self.request.build_absolute_uri("/"),
-                oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES,
+                self.request.build_absolute_uri("/"), oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES
             )
 
     def error_response(self, error):
diff --git a/tests/app/idp/idp/urls.py b/tests/app/idp/idp/urls.py
index 8be65c35b..ccd10bc25 100644
--- a/tests/app/idp/idp/urls.py
+++ b/tests/app/idp/idp/urls.py
@@ -21,7 +21,8 @@
 
 
 urlpatterns = [
-    path('', TemplateView.as_view(template_name='home/index.html'), name='home'), # Maps the root URL to your home_view
+    # Maps the root URL to your home_view
+    path("", TemplateView.as_view(template_name="home/index.html"), name="home"),
     path("admin/", admin.site.urls),
     path("o/", include("oauth2_provider.urls", namespace="oauth2_provider")),
     path("accounts/", include("django.contrib.auth.urls")),
diff --git a/tests/app/rp/.env.example b/tests/app/rp/.env.example
new file mode 100644
index 000000000..bda77a68b
--- /dev/null
+++ b/tests/app/rp/.env.example
@@ -0,0 +1,27 @@
+# Set this if you want to run this on a public URL
+# PUBLIC_HOST=localhost
+
+# OAuth Configuration
+# OIDC Issuer URL (Identity Provider endpoint)
+PUBLIC_OIDC_ISSUER=http://localhost:8000/o
+
+# OAuth Client ID
+PUBLIC_OAUTH_CLIENT_ID=2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm
+
+# Redirect URI after authentication
+PUBLIC_OIDC_REDIRECT_URI=http://localhost:5173
+
+# Post logout redirect URI
+PUBLIC_OIDC_POST_LOGOUT_REDIRECT_URI=http://localhost:5173
+
+# Identity Provider base URL (for device authorization flow)
+PUBLIC_IDP_URL=http://127.0.0.1:8000
+
+# Device authorization client ID (can be different from OIDC client ID)
+PUBLIC_DEVICE_CLIENT_ID=Qg8AaxKLs1c2W3PR70Sv5QxuSEREicKUlf83iGX3
+
+# OIDC Discovery endpoint path (relative to IDP URL)
+PUBLIC_OIDC_DISCOVERY_PATH=/o/.well-known/openid-configuration
+
+# Session monitoring client ID (can be same as OIDC client ID)
+PUBLIC_SESSION_CLIENT_ID=2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm
\ No newline at end of file
diff --git a/tests/app/rp/Dockerfile b/tests/app/rp/Dockerfile
index a719a1eb4..04ad2d5d3 100644
--- a/tests/app/rp/Dockerfile
+++ b/tests/app/rp/Dockerfile
@@ -1,16 +1,23 @@
-FROM node:18-alpine AS builder
+FROM node:22-alpine AS base
 WORKDIR /app
 COPY package*.json .
+
+
+FROM base AS builder
 RUN npm ci
 COPY . .
 RUN npm run build
 RUN npm prune --production
 
-FROM node:18-alpine
+FROM node:22-alpine
 WORKDIR /app
 COPY --from=builder /app/build build/
 COPY --from=builder /app/node_modules node_modules/
 COPY package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
-CMD [ "node", "build" ]
\ No newline at end of file
+CMD [ "node", "build" ]
+
+FROM base AS dev
+RUN npm install -g pnpm
+RUN pnpm install
diff --git a/tests/app/rp/docker-compose.yml b/tests/app/rp/docker-compose.yml
new file mode 100644
index 000000000..96318f8ce
--- /dev/null
+++ b/tests/app/rp/docker-compose.yml
@@ -0,0 +1,35 @@
+services:
+  cloudflared:
+    image: cloudflare/cloudflared
+    user: root:root
+    command: tunnel run ${APP_CLOUDFLARE_TUNNEL_ID}
+    networks:
+      - default
+      - internal
+
+    environment:
+      TUNNEL_TOKEN: ${APP_CLOUDFLARE_TUNNEL_TOKEN}
+
+  frontend:
+    user: '${UID:-1000}:${GID:-1000}'
+    build:
+      context: ./
+      target: dev
+    restart: unless-stopped
+    networks:
+      - internal
+    command: pnpm run dev --host
+    healthcheck:
+      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:5173']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+    volumes:
+      - './:/app'
+
+    env_file:
+      - .env
+
+networks:
+  internal:
diff --git a/tests/app/rp/src/lib/components/SessionMonitor.svelte b/tests/app/rp/src/lib/components/SessionMonitor.svelte
new file mode 100644
index 000000000..aae33b911
--- /dev/null
+++ b/tests/app/rp/src/lib/components/SessionMonitor.svelte
@@ -0,0 +1,580 @@
+<script>
+	import { browser } from '$app/environment';
+	import { onMount, onDestroy, getContext } from 'svelte';
+	import { isAuthenticated, OIDC_CONTEXT_CLIENT_PROMISE } from '@dopry/svelte-oidc';
+	import { env } from '$env/dynamic/public';
+
+	// Configuration - must match the layout's OidcContext
+	const IDP_URL = env.PUBLIC_IDP_URL || 'http://localhost:8000';
+	const CLIENT_ID = env.PUBLIC_OAUTH_CLIENT_ID || '2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm';
+	const OIDC_DISCOVERY_PATH =
+		env.PUBLIC_OIDC_DISCOVERY_PATH || '/o/.well-known/openid-configuration';
+
+	// State variables
+	let checkSessionIframeUrl = null;
+	let sessionState = null;
+	let sessionSupported = false;
+	let sessionStatus = 'unknown'; // 'unknown', 'unchanged', 'changed'
+	let monitoringActive = false;
+	let lastCheckTime = null;
+	let sessionChanged = false;
+	let sessionChangeTime = null;
+	let opIframe = null;
+	let checkInterval = null;
+	let discoveryError = null;
+	let sessionStateAvailable = false;
+
+	// Get UserManager from context (called during component initialization)
+	const userManagerPromise = getContext(OIDC_CONTEXT_CLIENT_PROMISE);
+
+	/**
+	 * Extract session_state from User object
+	 */
+	async function updateSessionState() {
+		if (!browser || !$isAuthenticated) {
+			sessionState = null;
+			sessionStateAvailable = false;
+			return;
+		}
+
+		try {
+			const userManager = await userManagerPromise;
+			const user = await userManager.getUser();
+
+			if (user && user.session_state) {
+				sessionState = user.session_state;
+				sessionStateAvailable = true;
+			} else {
+				sessionState = null;
+				sessionStateAvailable = false;
+				console.debug('session_state NOT found in user object');
+			}
+		} catch (error) {
+			console.error('Error getting session_state from User object:', error);
+			sessionState = null;
+			sessionStateAvailable = false;
+		}
+	}
+
+	// Reactive statement to update session state when authentication changes
+	$: if (browser && $isAuthenticated) {
+		// Fetch discovery and update session state when user becomes authenticated
+		Promise.all([fetchDiscoveryDocument(), updateSessionState()]).then(() => {
+			// Check if we should start monitoring
+			if (sessionSupported && sessionStateAvailable && !monitoringActive) {
+				setTimeout(() => {
+					startMonitoring();
+				}, 1000);
+			}
+		});
+	} else if (browser && !$isAuthenticated) {
+		sessionState = null;
+		sessionStateAvailable = false;
+	}
+
+	/**
+	 * Fetch OIDC discovery document
+	 */
+	async function fetchDiscoveryDocument() {
+		try {
+			discoveryError = null;
+			const response = await fetch(`${IDP_URL}${OIDC_DISCOVERY_PATH}`);
+
+			if (!response.ok) {
+				throw new Error(`Failed to fetch discovery document: ${response.status}`);
+			}
+
+			const metadata = await response.json();
+
+			if (metadata.check_session_iframe) {
+				checkSessionIframeUrl = metadata.check_session_iframe;
+				sessionSupported = true;
+			} else {
+				sessionSupported = false;
+			}
+		} catch (error) {
+			console.error('Error fetching discovery document:', error);
+			discoveryError = error.message;
+			sessionSupported = false;
+		}
+	}
+
+	/**
+	 * Format time for display
+	 */
+	function formatTime() {
+		return new Date().toLocaleTimeString();
+	}
+
+	/**
+	 * Get origin from URL
+	 */
+	function getOriginFromUrl(url) {
+		try {
+			const parsedUrl = new URL(url);
+			return parsedUrl.origin;
+		} catch (e) {
+			console.error('Invalid URL:', url);
+			return '';
+		}
+	}
+
+	/**
+	 * Check session status
+	 */
+	function checkSession() {
+		if (!opIframe || !opIframe.contentWindow || !sessionState) {
+			console.debug('Skipping session check - iframe not ready or no session state');
+			return;
+		}
+
+		// Construct message with client_id and session_state
+		const message = `${CLIENT_ID} ${sessionState}`;
+
+		// Send message to OP iframe
+		try {
+			const targetOrigin = getOriginFromUrl(checkSessionIframeUrl);
+			opIframe.contentWindow.postMessage(message, targetOrigin);
+			lastCheckTime = formatTime();
+		} catch (error) {
+			console.error('Error posting message to OP iframe:', error);
+		}
+	}
+
+	/**
+	 * Handle messages from the session iframe
+	 */
+	function handleSessionMessage(event) {
+		// Verify the message is from the expected origin
+		const expectedOrigin = getOriginFromUrl(checkSessionIframeUrl);
+
+		if (expectedOrigin !== event.origin) {
+			return;
+		}
+
+		console.log('Session status:', event.data);
+
+		if (event.data === 'unchanged') {
+			sessionStatus = 'unchanged';
+		} else if (event.data === 'changed') {
+			sessionStatus = 'changed';
+			if (!sessionChanged) {
+				sessionChanged = true;
+				sessionChangeTime = formatTime();
+			}
+		} else {
+			sessionStatus = 'unknown';
+		}
+	}
+
+	/**
+	 * Start monitoring session
+	 */
+	function startMonitoring() {
+		if (!sessionSupported || !sessionStateAvailable) {
+			return;
+		}
+
+		// Add message listener
+		window.addEventListener('message', handleSessionMessage);
+
+		// Set up periodic check (every 5 seconds)
+		checkInterval = setInterval(() => {
+			checkSession();
+		}, 5000);
+
+		monitoringActive = true;
+
+		// Initial check after iframe loads
+		if (opIframe) {
+			opIframe.onload = () => {
+				setTimeout(checkSession, 500);
+			};
+		}
+	}
+
+	/**
+	 * Stop monitoring session
+	 */
+	function stopMonitoring() {
+		window.removeEventListener('message', handleSessionMessage);
+		if (checkInterval) {
+			clearInterval(checkInterval);
+			checkInterval = null;
+		}
+		monitoringActive = false;
+	}
+
+	/**
+	 * Reset session change state
+	 */
+	function resetSessionChange() {
+		sessionChanged = false;
+		sessionChangeTime = null;
+		sessionStatus = 'unchanged';
+	}
+
+	// Lifecycle hooks
+	onMount(async () => {
+		if (browser && $isAuthenticated) {
+			await updateSessionState();
+			await fetchDiscoveryDocument();
+			if (sessionSupported && sessionStateAvailable) {
+				// Wait a bit for the iframe to be ready
+				setTimeout(() => {
+					startMonitoring();
+				}, 1000);
+			}
+		}
+	});
+
+	onDestroy(() => {
+		if (browser) {
+			stopMonitoring();
+		}
+	});
+
+	// Stop monitoring when user logs out
+	$: if (browser && !$isAuthenticated && monitoringActive) {
+		stopMonitoring();
+	}
+</script>
+
+<div class="card">
+	<h2>OIDC Session Management</h2>
+	<p>
+		This page tests the OpenID Connect Session Management 1.0 specification. It monitors the
+		authentication session state with the OIDC provider and detects when the session changes
+		(e.g., when you log out from the provider in another tab).
+	</p>
+</div>
+
+{#if !$isAuthenticated}
+	<div class="card">
+		<h3>Not Authenticated</h3>
+		<p>You must be logged in to test session management.</p>
+		<p>Please use the "OIDC Authorization Code Flow" tab to log in first.</p>
+	</div>
+{:else if discoveryError}
+	<div class="card error">
+		<h3>Discovery Error</h3>
+		<p>Failed to fetch OIDC discovery document: {discoveryError}</p>
+	</div>
+{:else if !sessionSupported}
+	<div class="card error">
+		<h3>Session Management Not Supported</h3>
+		<p>
+			The OIDC provider does not support session management. The discovery document does not
+			include a <code>check_session_iframe</code> endpoint.
+		</p>
+		<p>
+			To use this feature, the provider must expose a <code>check_session_iframe</code> in its
+			discovery document at <code>{IDP_URL}{OIDC_DISCOVERY_PATH}</code>.
+		</p>
+	</div>
+{:else if !sessionStateAvailable}
+	<div class="card error">
+		<h3>Session State Not Available</h3>
+		<p>
+			The authentication response does not contain a <code>session_state</code> parameter. The server
+			may not be configured to support session management.
+		</p>
+		<p>
+			The OIDC provider must include the <code>session_state</code> parameter in the authentication
+			response for session monitoring to work.
+		</p>
+	</div>
+{:else}
+	<!-- Session monitoring is active -->
+	<div class="card success">
+		<h3>Session Monitoring Active</h3>
+
+		<div class="status-container">
+			<div class="status-indicator status-{sessionStatus}">
+				<div class="status-dot"></div>
+				<div class="status-text">
+					{#if sessionStatus === 'unchanged'}
+						Session Active
+					{:else if sessionStatus === 'changed'}
+						Session Changed
+					{:else}
+						Session Status Unknown
+					{/if}
+				</div>
+			</div>
+		</div>
+
+		{#if sessionChanged}
+			<div class="warning-box">
+				<h4>⚠ Session State Change Detected</h4>
+				<p>
+					Your session state with the OIDC provider has changed at {sessionChangeTime}.
+					This might mean that you have logged out from the provider in another tab or
+					browser.
+				</p>
+				<div class="action-buttons">
+					<button on:click={resetSessionChange} class="btn-secondary">
+						Acknowledge & Continue Monitoring
+					</button>
+				</div>
+			</div>
+		{/if}
+
+		<div class="info-box">
+			<h4>Session Information</h4>
+			<table>
+				<tbody>
+					<tr>
+						<td><strong>Session State</strong></td>
+						<td><code>{sessionState || 'Not available'}</code></td>
+					</tr>
+					<tr>
+						<td><strong>Client ID</strong></td>
+						<td><code>{CLIENT_ID}</code></td>
+					</tr>
+					<tr>
+						<td><strong>Monitoring Status</strong></td>
+						<td>{monitoringActive ? 'Active' : 'Inactive'}</td>
+					</tr>
+					<tr>
+						<td><strong>Last Check</strong></td>
+						<td>{lastCheckTime || 'Never'}</td>
+					</tr>
+					<tr>
+						<td><strong>Check Session Iframe</strong></td>
+						<td><code>{checkSessionIframeUrl || 'Not available'}</code></td>
+					</tr>
+				</tbody>
+			</table>
+		</div>
+
+		<!-- Hidden iframe for session monitoring -->
+		{#if checkSessionIframeUrl}
+			<iframe
+				bind:this={opIframe}
+				src={checkSessionIframeUrl}
+				style="display: none;"
+				title="OIDC Session Check Iframe"
+			></iframe>
+		{/if}
+	</div>
+{/if}
+
+<div class="card info">
+	<h3>How OIDC Session Management Works</h3>
+	<ol>
+		<li>
+			<strong>Check Discovery:</strong> The application fetches the OIDC provider's discovery
+			document to find the <code>check_session_iframe</code> endpoint.
+		</li>
+		<li>
+			<strong>Load Iframe:</strong> A hidden iframe is created pointing to the provider's check_session_iframe
+			endpoint.
+		</li>
+		<li>
+			<strong>Periodic Checks:</strong> Every 5 seconds, the application sends a message to the
+			iframe containing the client ID and session state.
+		</li>
+		<li>
+			<strong>Status Response:</strong> The iframe responds with one of three values:
+			<ul>
+				<li><code>"unchanged"</code> - Session is still active</li>
+				<li><code>"changed"</code> - Session has changed (user logged out elsewhere)</li>
+				<li><code>"error"</code> - An error occurred</li>
+			</ul>
+		</li>
+		<li>
+			<strong>UI Update:</strong> The application updates the UI based on the session status, alerting
+			the user if their session has changed.
+		</li>
+	</ol>
+	<p>
+		This implements the <a
+			href="https://openid.net/specs/openid-connect-session-1_0.html"
+			target="_blank"
+			rel="noopener noreferrer">OpenID Connect Session Management 1.0</a
+		> specification.
+	</p>
+</div>
+
+<style>
+	h2,
+	h3,
+	h4 {
+		color: #555;
+		margin-top: 0;
+	}
+
+	.card {
+		background: white;
+		border-radius: 8px;
+		padding: 1.5rem;
+		margin-bottom: 1.5rem;
+		box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
+	}
+
+	.card.success {
+		border-left: 4px solid #4caf50;
+	}
+
+	.card.error {
+		border-left: 4px solid #f44336;
+	}
+
+	.card.info {
+		background: #f5f5f5;
+	}
+
+	.status-container {
+		display: flex;
+		justify-content: center;
+		margin: 1.5rem 0;
+	}
+
+	.status-indicator {
+		display: flex;
+		align-items: center;
+		padding: 0.75rem 1.5rem;
+		border-radius: 2rem;
+		background: #f5f5f5;
+		gap: 0.5rem;
+	}
+
+	.status-dot {
+		width: 12px;
+		height: 12px;
+		border-radius: 50%;
+		background: #ccc;
+	}
+
+	.status-indicator.status-unchanged {
+		background-color: rgba(76, 175, 80, 0.1);
+	}
+
+	.status-indicator.status-unchanged .status-dot {
+		background-color: #4caf50;
+	}
+
+	.status-indicator.status-changed {
+		background-color: rgba(244, 67, 54, 0.1);
+	}
+
+	.status-indicator.status-changed .status-dot {
+		background-color: #f44336;
+	}
+
+	.status-text {
+		font-weight: 500;
+		font-size: 1rem;
+	}
+
+	.warning-box {
+		background: rgba(255, 152, 0, 0.1);
+		border: 1px solid #ff9800;
+		border-radius: 4px;
+		padding: 1rem;
+		margin: 1rem 0;
+	}
+
+	.warning-box h4 {
+		margin-top: 0;
+		color: #f57c00;
+	}
+
+	.action-buttons {
+		margin-top: 1rem;
+		display: flex;
+		gap: 0.5rem;
+		flex-wrap: wrap;
+	}
+
+	.info-box {
+		background: #f9f9f9;
+		border: 1px solid #ddd;
+		border-radius: 4px;
+		padding: 1rem;
+		margin: 1rem 0;
+	}
+
+	.info-box h4 {
+		margin-top: 0;
+	}
+
+	table {
+		width: 100%;
+		border-collapse: collapse;
+		margin-top: 1rem;
+	}
+
+	table td {
+		padding: 0.5rem;
+		border-bottom: 1px solid #eee;
+	}
+
+	table tr:last-child td {
+		border-bottom: none;
+	}
+
+	table td:first-child {
+		width: 200px;
+	}
+
+	code {
+		background: #f5f5f5;
+		padding: 0.2rem 0.4rem;
+		border-radius: 3px;
+		font-family: 'Courier New', monospace;
+		font-size: 0.9em;
+	}
+
+	button {
+		padding: 0.75rem 1.5rem;
+		border: none;
+		border-radius: 4px;
+		font-size: 1rem;
+		cursor: pointer;
+		margin-right: 0.5rem;
+		margin-top: 0.5rem;
+	}
+
+	.btn-primary {
+		background: #2196f3;
+		color: white;
+	}
+
+	.btn-primary:hover {
+		background: #1976d2;
+	}
+
+	.btn-secondary {
+		background: #757575;
+		color: white;
+	}
+
+	.btn-secondary:hover {
+		background: #616161;
+	}
+
+	ol {
+		line-height: 1.8;
+		padding-left: 1.5rem;
+	}
+
+	ol li {
+		margin-bottom: 0.5rem;
+	}
+
+	ul {
+		line-height: 1.6;
+		margin-top: 0.5rem;
+	}
+
+	a {
+		color: #2196f3;
+		text-decoration: none;
+	}
+
+	a:hover {
+		text-decoration: underline;
+	}
+</style>
diff --git a/tests/app/rp/src/routes/+layout.svelte b/tests/app/rp/src/routes/+layout.svelte
index b631c5162..c0f7ff914 100644
--- a/tests/app/rp/src/routes/+layout.svelte
+++ b/tests/app/rp/src/routes/+layout.svelte
@@ -1,6 +1,12 @@
 <script>
+	import { browser } from '$app/environment';
 	import { onMount } from 'svelte';
 	import { page } from '$app/stores';
+	import { OidcContext } from '@dopry/svelte-oidc';
+	import { env } from '$env/dynamic/public';
+
+	// OIDC Configuration
+	const metadata = {};
 
 	// Materialize tabs initialization
 	onMount(() => {
@@ -60,13 +66,37 @@
 					>Device Authorization Flow</a
 				>
 			</li>
+			<li class="tab">
+				<a href="/session" class:active={$page.url.pathname === '/session'}
+					>Session Management</a
+				>
+			</li>
 		</ul>
 	</div>
 </nav>
 
-<div class="container">
-	<slot />
-</div>
+{#if browser}
+	<OidcContext
+		issuer={env.PUBLIC_OIDC_ISSUER}
+		client_id={env.PUBLIC_OAUTH_CLIENT_ID}
+		redirect_uri={env.PUBLIC_OIDC_REDIRECT_URI}
+		post_logout_redirect_uri={env.PUBLIC_OIDC_POST_LOGOUT_REDIRECT_URI}
+		{metadata}
+		scope="openid"
+		extraOptions={{
+			mergeClaims: true,
+			monitorSession: true
+		}}
+	>
+		<div class="container">
+			<slot />
+		</div>
+	</OidcContext>
+{:else}
+	<div class="container">
+		<slot />
+	</div>
+{/if}
 
 <style>
 	.tabs .tab a {
diff --git a/tests/app/rp/src/routes/+page.svelte b/tests/app/rp/src/routes/+page.svelte
index 9641425b7..9697c7755 100644
--- a/tests/app/rp/src/routes/+page.svelte
+++ b/tests/app/rp/src/routes/+page.svelte
@@ -1,10 +1,8 @@
 <script>
-	import { browser } from '$app/environment';
 	import {
 		EventLog,
 		LoginButton,
 		LogoutButton,
-		OidcContext,
 		RefreshTokenButton,
 		accessToken,
 		authError,
@@ -13,72 +11,50 @@
 		isLoading,
 		userInfo
 	} from '@dopry/svelte-oidc';
-
-	const metadata = {};
 </script>
 
-{#if browser}
-	<OidcContext
-		issuer="http://localhost:8000/o"
-		client_id="2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm"
-		redirect_uri="http://localhost:5173"
-		post_logout_redirect_uri="http://localhost:5173"
-		{metadata}
-		scope="openid"
-		extraOptions={{
-			mergeClaims: true
-		}}
-	>
-		<div class="row">
-			<div class="col s12">
-				<LoginButton>Login</LoginButton>
-				<LogoutButton>Logout</LogoutButton>
-				<RefreshTokenButton>refreshToken</RefreshTokenButton>
-			</div>
-		</div>
-		<div class="row">
-			<div class="col s12">
-				<table>
-					<thead>
-						<tr><th>isLoading</th><th>isAuthenticated</th><th>authError</th></tr>
-					</thead>
-					<tbody>
-						<tr>
-							<td>{$isLoading}</td>
-							<td>{$isAuthenticated}</td>
-							<td>{$authError || 'None'}</td>
-						</tr>
-					</tbody>
-				</table>
-			</div>
-		</div>
-		<div class="row">
-			<div class="col s12">
-				<table>
-					<thead>
-						<tr><th style="width: 20%;">store</th><th style="width: 80%;">value</th></tr
-						>
-					</thead>
-					<tbody>
-						<tr
-							><td>userInfo</td><td
-								><pre>{JSON.stringify($userInfo, null, 2) || ''}</pre></td
-							></tr
-						>
-						<tr
-							><td>accessToken</td><td style="word-break: break-all;"
-								>{$accessToken}</td
-							></tr
-						>
-						<tr><td>idToken</td><td style="word-break: break-all;">{$idToken}</td></tr>
-					</tbody>
-				</table>
-			</div>
-		</div>
-		<div class="row">
-			<div class="col s12">
-				<EventLog />
-			</div>
-		</div>
-	</OidcContext>
-{/if}
+<div class="row">
+	<div class="col s12">
+		<LoginButton>Login</LoginButton>
+		<LogoutButton>Logout</LogoutButton>
+		<RefreshTokenButton>refreshToken</RefreshTokenButton>
+	</div>
+</div>
+<div class="row">
+	<div class="col s12">
+		<table>
+			<thead>
+				<tr><th>isLoading</th><th>isAuthenticated</th><th>authError</th></tr>
+			</thead>
+			<tbody>
+				<tr>
+					<td>{$isLoading}</td>
+					<td>{$isAuthenticated}</td>
+					<td>{$authError || 'None'}</td>
+				</tr>
+			</tbody>
+		</table>
+	</div>
+</div>
+<div class="row">
+	<div class="col s12">
+		<table>
+			<thead>
+				<tr><th style="width: 20%;">store</th><th style="width: 80%;">value</th></tr>
+			</thead>
+			<tbody>
+				<tr
+					><td>userInfo</td><td><pre>{JSON.stringify($userInfo, null, 2) || ''}</pre></td
+					></tr
+				>
+				<tr><td>accessToken</td><td style="word-break: break-all;">{$accessToken}</td></tr>
+				<tr><td>idToken</td><td style="word-break: break-all;">{$idToken}</td></tr>
+			</tbody>
+		</table>
+	</div>
+</div>
+<div class="row">
+	<div class="col s12">
+		<EventLog />
+	</div>
+</div>
diff --git a/tests/app/rp/src/routes/device/+page.svelte b/tests/app/rp/src/routes/device/+page.svelte
index cfa9555e7..70b7c2563 100644
--- a/tests/app/rp/src/routes/device/+page.svelte
+++ b/tests/app/rp/src/routes/device/+page.svelte
@@ -1,10 +1,11 @@
 <script>
 	import { browser } from '$app/environment';
 	import { onDestroy } from 'svelte';
+	import { env } from '$env/dynamic/public';
 
 	// Configuration
-	const IDP_URL = 'http://127.0.0.1:8000';
-	const CLIENT_ID = 'Qg8AaxKLs1c2W3PR70Sv5QxuSEREicKUlf83iGX3';
+	const IDP_URL = env.PUBLIC_IDP_URL;
+	const CLIENT_ID = env.PUBLIC_DEVICE_CLIENT_ID;
 	const POLLING_INTERVAL = 5000; // 5 seconds
 
 	// State variables
@@ -313,8 +314,8 @@
 			and verification URI.
 		</li>
 		<li>
-			<strong>User authorizes:</strong> The user visits the verification URI on another device
-			(like a phone or computer), enters the user code, and approves the authorization.
+			<strong>User authorizes:</strong> The user visits the verification URI on another device (like
+			a phone or computer), enters the user code, and approves the authorization.
 		</li>
 		<li>
 			<strong>Device polls for token:</strong> Meanwhile, the device polls the token endpoint using
diff --git a/tests/app/rp/src/routes/session/+page.svelte b/tests/app/rp/src/routes/session/+page.svelte
new file mode 100644
index 000000000..460469918
--- /dev/null
+++ b/tests/app/rp/src/routes/session/+page.svelte
@@ -0,0 +1,9 @@
+<script>
+	import SessionMonitor from '$lib/components/SessionMonitor.svelte';
+</script>
+
+<svelte:head>
+	<title>OIDC Session Management Test</title>
+</svelte:head>
+
+<SessionMonitor />
diff --git a/tests/app/rp/vite.config.ts b/tests/app/rp/vite.config.ts
index bbf8c7da4..ee1ffe133 100644
--- a/tests/app/rp/vite.config.ts
+++ b/tests/app/rp/vite.config.ts
@@ -2,5 +2,8 @@ import { sveltekit } from '@sveltejs/kit/vite';
 import { defineConfig } from 'vite';
 
 export default defineConfig({
-	plugins: [sveltekit()]
+	plugins: [sveltekit()],
+	server: {
+		allowedHosts: [process.env.PUBLIC_HOST ?? 'localhost']
+	}
 });
diff --git a/tests/presets.py b/tests/presets.py
index 4538c64eb..6a1a2974e 100644
--- a/tests/presets.py
+++ b/tests/presets.py
@@ -37,6 +37,10 @@
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS["OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS"] = False
+OIDC_SETTINGS_SESSION_MANAGEMENT = deepcopy(OIDC_SETTINGS_RW)
+OIDC_SETTINGS_SESSION_MANAGEMENT["OIDC_SESSION_MANAGEMENT_ENABLED"] = True
+OIDC_SETTINGS_SESSION_MANAGEMENT["OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY"] = "oidc-session-test-key"
+
 REST_FRAMEWORK_SCOPES = {
     "SCOPES": {
         "read": "Read scope",
diff --git a/tests/test_django_checks.py b/tests/test_django_checks.py
index 77025b115..baa1d1f17 100644
--- a/tests/test_django_checks.py
+++ b/tests/test_django_checks.py
@@ -1,8 +1,15 @@
+from copy import deepcopy
+
 from django.core.management import call_command
 from django.core.management.base import SystemCheckError
 from django.test import override_settings
 
 from .common_testing import OAuth2ProviderTestCase as TestCase
+from .presets import OIDC_SETTINGS_SESSION_MANAGEMENT
+
+
+MISSING_DEFAULT_SESSION_KEY = deepcopy(OIDC_SETTINGS_SESSION_MANAGEMENT)
+MISSING_DEFAULT_SESSION_KEY["OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY"] = None
 
 
 class DjangoChecksTestCase(TestCase):
@@ -18,3 +25,11 @@ def test_checks_fail_when_router_crosses_databases(self):
         message = "The token models are expected to be stored in the same database."
         with self.assertRaisesMessage(SystemCheckError, message):
             call_command("check")
+
+    @override_settings(OAUTH2_PROVIDER=MISSING_DEFAULT_SESSION_KEY)
+    def test_checks_fail_when_default_session_key_is_missing(self):
+        message = (
+            "OIDC Session management is enabled, OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY is required."
+        )
+        with self.assertRaisesMessage(SystemCheckError, message):
+            call_command("check")
diff --git a/tests/test_oauth2_validators.py b/tests/test_oauth2_validators.py
index 3fb292060..c412cd2a5 100644
--- a/tests/test_oauth2_validators.py
+++ b/tests/test_oauth2_validators.py
@@ -228,7 +228,7 @@ def test_load_application_uses_cached_when_request_has_valid_client_matching_cli
         self.assertIs(self.request.client, self.application)
 
     def test_load_application_succeeds_when_request_has_invalid_client_valid_client_id(self):
-        self.request.client = 'invalid_client'
+        self.request.client = "invalid_client"
         application = self.validator._load_application("client_id", self.request)
         self.assertEqual(application, self.application)
         self.assertEqual(self.request.client, self.application)
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
index 65197cbd1..f5ddcd62f 100644
--- a/tests/test_oidc_views.py
+++ b/tests/test_oidc_views.py
@@ -1,5 +1,5 @@
 import pytest
-from django.contrib.auth import get_user
+from django.contrib.auth import get_user, get_user_model
 from django.contrib.auth.models import AnonymousUser
 from django.test import RequestFactory
 from django.urls import reverse
@@ -12,10 +12,20 @@
     InvalidOIDCClientError,
     InvalidOIDCRedirectURIError,
 )
-from oauth2_provider.models import get_access_token_model, get_id_token_model, get_refresh_token_model
+from oauth2_provider.models import (
+    get_access_token_model,
+    get_application_model,
+    get_id_token_model,
+    get_refresh_token_model,
+)
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.settings import oauth2_settings
-from oauth2_provider.views.oidc import RPInitiatedLogoutView, _load_id_token, _validate_claims
+from oauth2_provider.views.oidc import (
+    RPInitiatedLogoutView,
+    SessionIFrameView,
+    _load_id_token,
+    _validate_claims,
+)
 
 from . import presets
 from .common_testing import OAuth2ProviderTestCase as TestCase
@@ -111,6 +121,13 @@ def test_get_connect_discovery_info_with_rp_logout(self):
         self.oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED = True
         self.expect_json_response_with_rp_logout(self.oauth2_settings.OIDC_ISS_ENDPOINT)
 
+    def test_get_session_manangement_iframe_endpoint(self):
+        self.oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED = True
+        response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info"))
+        self.assertEqual(response.status_code, 200)
+        response_data = response.json()
+        self.assertIn("check_session_iframe", response_data.keys())
+
     def test_get_connect_discovery_info_without_issuer_url(self):
         self.oauth2_settings.OIDC_ISS_ENDPOINT = None
         self.oauth2_settings.OIDC_USERINFO_ENDPOINT = None
@@ -132,7 +149,10 @@ def test_get_connect_discovery_info_without_issuer_url(self):
             ],
             "subject_types_supported": ["public"],
             "id_token_signing_alg_values_supported": ["RS256", "HS256"],
-            "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
+            "token_endpoint_auth_methods_supported": [
+                "client_secret_post",
+                "client_secret_basic",
+            ],
             "code_challenge_methods_supported": ["plain", "S256"],
             "claims_supported": ["sub"],
         }
@@ -206,6 +226,53 @@ def test_get_jwks_info_multiple_rsa_keys(self):
         assert response.json() == expected_response
 
 
+@pytest.mark.usefixtures("oauth2_settings")
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_SESSION_MANAGEMENT)
+class TestSessionManagement(TestCase):
+    def setUp(self):
+        User = get_user_model()
+        Application = get_application_model()
+
+        self.user = User.objects.create_user("test_user", "test@example.com", "123456")
+        self.developer = User.objects.create_user("dev_user", "dev@example.com", "123456")
+
+        self.application = Application.objects.create(
+            name="Test Application",
+            redirect_uris=(
+                "http://localhost http://example.com http://example.org custom-scheme://example.com"
+            ),
+            user=self.developer,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_secret="1234567890qwertyuiop",
+        )
+
+    def test_session_state_is_present_in_authorization(self):
+        self.client.login(username="test_user", password="123456")
+        response = self.client.post(
+            reverse("oauth2_provider:authorize"),
+            {
+                "client_id": self.application.client_id,
+                "response_type": "code",
+                "state": "random_state_string",
+                "scope": "read write",
+                "redirect_uri": "http://example.org",
+                "allow": True,
+            },
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertIn("session_state", response["Location"])
+
+    def test_cookie_name_is_included_in_iframe_endpoint(self):
+        request = RequestFactory().get(reverse("oauth2_provider:session-iframe"))
+        request.user = self.user
+        view = SessionIFrameView()
+        view.setup(request)
+        context = view.get_context_data()
+        self.assertIn("cookie_name", context)
+        self.assertEqual(context["cookie_name"], "oidc_ua_agent_state")
+
+
 def mock_request():
     """
     Dummy request with an AnonymousUser attached.
diff --git a/tests/test_session_management.py b/tests/test_session_management.py
new file mode 100644
index 000000000..5b956047a
--- /dev/null
+++ b/tests/test_session_management.py
@@ -0,0 +1,51 @@
+from copy import deepcopy
+from http.cookies import SimpleCookie
+
+import pytest
+from django.contrib.auth import get_user_model
+from django.test.utils import modify_settings
+
+from . import presets
+from .common_testing import OAuth2ProviderTestCase as TestCase
+
+
+PRESET_OIDC_MIDDLEWARE = deepcopy(presets.OIDC_SETTINGS_SESSION_MANAGEMENT)
+PRESET_OIDC_MIDDLEWARE["OIDC_SESSION_MANAGEMENT_COOKIE_NAME"] = "oidc-session-test"
+
+User = get_user_model()
+
+
+@pytest.mark.usefixtures("oauth2_settings")
+@pytest.mark.oauth2_settings(PRESET_OIDC_MIDDLEWARE)
+@modify_settings(MIDDLEWARE={"append": "oauth2_provider.middleware.OIDCSessionManagementMiddleware"})
+class TestOIDCSessionManagementMiddleware(TestCase):
+    def setUp(self):
+        User.objects.create_user("test_user", "test@example.com", "123456")
+
+    def test_response_is_intact_if_session_management_is_disabled(self):
+        self.oauth2_settings.OIDC_SESSION_MANAGEMENT_ENABLED = False
+        response = self.client.get("/a-resource")
+        self.assertFalse("oidc-session-test" in response.cookies.keys())
+
+    def test_session_cookie_is_set_for_logged_users(self):
+        self.client.login(username="test_user", password="123456")
+        response = self.client.get("/a-resource")
+        self.assertTrue(isinstance(response.cookies, SimpleCookie))
+        self.assertTrue("oidc-session-test" in response.cookies.keys())
+        self.assertNotEqual(response.cookies["oidc-session-test"].value, "")
+
+    def test_session_cookie_is_cleared_for_anonymous_users(self):
+        response = self.client.get("/a-resource")
+        self.assertTrue(isinstance(response.cookies, SimpleCookie))
+        self.assertTrue("oidc-session-test" in response.cookies.keys())
+        self.assertEqual(response.cookies["oidc-session-test"].value, "")
+
+    def test_session_cookie_is_not_set_after_logging_out(self):
+        self.client.login(username="test_user", password="123456")
+        self.client.get("/a-resource")
+        self.client.logout()
+
+        response = self.client.get("/another-resource")
+        self.assertTrue(isinstance(response.cookies, SimpleCookie))
+        self.assertTrue("oidc-session-test" in response.cookies.keys())
+        self.assertEqual(response.cookies["oidc-session-test"].value, "")