diff --git a/ckanext/ozwillo_pyoidc/oidc.py b/ckanext/ozwillo_pyoidc/oidc.py
index 0a9dce7..bb6218f 100755
--- a/ckanext/ozwillo_pyoidc/oidc.py
+++ b/ckanext/ozwillo_pyoidc/oidc.py
@@ -26,14 +26,14 @@ class Client(oic.Client):
 if behaviour:
 self.behaviour = behaviour
- def create_authn_request(self, session, acr_value=None):
- session["state"] = rndstr()
- session["nonce"] = rndstr()
+ def create_authn_request(self, acr_value=None):
+ self.state = rndstr()
+ nonce = rndstr()
 request_args = {
 "response_type": self.behaviour["response_type"],
 "scope": self.behaviour["scope"],
- "state": session["state"],
- "nonce": session["nonce"],
+ "state": self.state,
+ "nonce": nonce,
 "redirect_uri": self.registration_response["redirect_uris"][0]
 }
@@ -64,6 +64,9 @@ class Client(oic.Client):
 authresp = self.parse_response(AuthorizationResponse, response, sformat="dict", keyjar=self.keyjar)
+ if self.state != authresp['state']:
+ raise OIDCError("Invalid state %s." % authresp["state"])
+
 if isinstance(authresp, ErrorResponse):
 return OIDCError("Access denied")
diff --git a/ckanext/ozwillo_pyoidc/plugin.py b/ckanext/ozwillo_pyoidc/plugin.py
index d479a9f..f9b313c 100755
--- a/ckanext/ozwillo_pyoidc/plugin.py
+++ b/ckanext/ozwillo_pyoidc/plugin.py
@@ -84,7 +84,7 @@ class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
 if 'organization_id' in session:
 g = model.Group.get(session['organization_id'])
 client = Clients.get(g)
- url, ht_args = client.create_authn_request(session, conf.ACR_VALUES)
+ url, ht_args = client.create_authn_request(conf.ACR_VALUES)
 if ht_args:
 toolkit.request.headers.update(ht_args)
 redirect_to(url)
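Review bot: `self.state = rndstr()` in create_authn_request moves the CSRF state from the caller's per-user `session` onto the Client instance, and the plugin.py hunk obtains that instance via `Clients.get(g)`, which looks like a per-organization cache shared across requests; if so, two users of the same organization logging in concurrently overwrite each other's state, and the comparison added in the second oidc.py hunk validates against whichever request wrote last rather than the browser that started the flow. The `nonce` is likewise now a local that is discarded after the request is built, so the ID token's nonce claim can no longer be checked once the provider redirects back. Keeping both values in the caller-supplied session (`session["state"] = rndstr()`, `session["nonce"] = rndstr()`) and comparing against them in the callback preserves the per-browser binding, and the plugin.py call site still has `session` in scope. create_authn_request's body continues past the end of the hunk.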
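Review bot: `authresp['state']` raises KeyError rather than OIDCError when the provider's response carries no `state` parameter, and the new check runs before the `isinstance(authresp, ErrorResponse)` branch that the existing code reserves for malformed or error responses. `if self.state != authresp.get('state'):` keeps every mismatch on the OIDCError path; comparing with `hmac.compare_digest` would additionally avoid a timing difference between the two strings, though that is a minor point for a one-shot state value. Note also that the new check raises while the adjacent ErrorResponse branch returns an OIDCError, so callers now get two different failure signals from the same method; the enclosing method starts and ends outside the hunk.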