irmago v0.10.0 introduced chained (a.k.a. next-session) sessions: a session request can declare a `nextSession` block pointing at a follow-up requestor URL, and the server links the two sessions together so the second one runs immediately after the first succeeds. See irma.app/docs/chained-sessions.
This is a server-side requestor feature, fully wire-compatible — irmars works today with chained-session requests if a caller hand-constructs the JSON, but the typed builders don't expose it.
Proposed surface
Add an optional `next_session: Option` field to `ExtendedIrmaRequest` (the JWT-wrappable variant), with at least:
- `url: String` — the next requestor URL.
- `authmethod`, `key` — optional auth fields if signing the next-session request differently.
Caveat
The exact JSON field name (`nextSession` vs `next_session` etc.) should be confirmed against the irmago `RequestorRequest` Go struct before implementing — the CHANGELOG entry alone doesn't pin it down.
Security note
irmago v0.19.0 ships GHSA-pv8v-c99h-c5q4, which tightens permission handling for next-session requests. If we add this feature, the README should note the minimum server version (v0.19.0) recommended for production use.
References
irmago v0.10.0 introduced chained (a.k.a. next-session) sessions: a session request can declare a `nextSession` block pointing at a follow-up requestor URL, and the server links the two sessions together so the second one runs immediately after the first succeeds. See irma.app/docs/chained-sessions.
This is a server-side requestor feature, fully wire-compatible — irmars works today with chained-session requests if a caller hand-constructs the JSON, but the typed builders don't expose it.
Proposed surface
Add an optional `next_session: Option` field to `ExtendedIrmaRequest` (the JWT-wrappable variant), with at least:
Caveat
The exact JSON field name (`nextSession` vs `next_session` etc.) should be confirmed against the irmago `RequestorRequest` Go struct before implementing — the CHANGELOG entry alone doesn't pin it down.
Security note
irmago v0.19.0 ships GHSA-pv8v-c99h-c5q4, which tightens permission handling for next-session requests. If we add this feature, the README should note the minimum server version (v0.19.0) recommended for production use.
References