Use session_state to backup consumer state if available

src/oic/oic/consumer.py

@@ -461,7 +461,12 @@ def parse_authz(
             self.verify_id_token(idt, self.authz_req.get(_state or atr["state"]))
         return aresp, atr, idt
 
-    def complete(self, state, authn_method: str = "client_secret_basic"):
+    def complete(
+        self,
+        state,
+        session_state: Optional[str] = None,
+        authn_method: str = "client_secret_basic",
+    ):
         """
         Do the access token request, the last step in a code flow.
 
@@ -496,7 +501,12 @@ def complete(self, state, authn_method: str = "client_secret_basic"):
         if resp.type() == "ErrorResponse":
             raise TokenError(resp.error, resp)
 
-        self._backup(state)
+        if session_state:
+            # Use session_state from Authorization server, as per §2
+            # from https://openid.net/specs/openid-connect-session-1_0.html
+            self._backup(session_state)
+        else:
+            self._backup(state)
 
         return resp