Skip to content

Support chained sessions (nextSession request field) #9

Description

@rubenhensen

irmago v0.10.0 introduced chained (a.k.a. next-session) sessions: a session request can declare a `nextSession` block pointing at a follow-up requestor URL, and the server links the two sessions together so the second one runs immediately after the first succeeds. See irma.app/docs/chained-sessions.

This is a server-side requestor feature, fully wire-compatible — irmars works today with chained-session requests if a caller hand-constructs the JSON, but the typed builders don't expose it.

Proposed surface

Add an optional `next_session: Option` field to `ExtendedIrmaRequest` (the JWT-wrappable variant), with at least:

  • `url: String` — the next requestor URL.
  • `authmethod`, `key` — optional auth fields if signing the next-session request differently.

Caveat

The exact JSON field name (`nextSession` vs `next_session` etc.) should be confirmed against the irmago `RequestorRequest` Go struct before implementing — the CHANGELOG entry alone doesn't pin it down.

Security note

irmago v0.19.0 ships GHSA-pv8v-c99h-c5q4, which tightens permission handling for next-session requests. If we add this feature, the README should note the minimum server version (v0.19.0) recommended for production use.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions