CAIP-312: JSON-RPC Method for Retrieving Session Authorizations


Metadata
Status: DraftStandardCreated: 2024-07-13
Authors
Alex Donesky
Requires

Simple Summary


CAIP-312 introduces the wallet_getSession method for retrieving authorizations from an active CAIP-25 initiated session.

Abstract


This proposal aims to extend the CAIP-25 standard by defining a new JSON-RPC method for retrieving authorizations within a session. This method allows callers to dynamically retrieve authorizations and properties.

Motivation


The motivation behind this proposal is to enhance the flexibility of CAIP-25 by enabling the retrieval of session authorizations at any time. The proposed method provides an intuitive way to retrieve authorizations for an active session, allowing callers to access session data without having to persist and track it over the full life of the method.

Specification


Definition

The wallet_getSession method returns an active session. If a sessionId is provided, it returns the authorizations for that specific session; If no sessionId parameter is provided - and there is a single active session with no sessionId assigned - it returns the session authorizations and properties for that session; otherwise, an appropriate error message;

Parameters:

  • sessionId (string, optional): The session identifier.

Request

The caller would interface with a wallet via the same provider by which it called wallet_createSession to retrieve a session by calling the following JSON-RPC request:


Response

An example of a successful response follows:


Failure States

The response MUST NOT be a JSON-RPC success result in any of the following failure states.

Generic Failure Code

Unless the dapp is known to the wallet and trusted, the generic/undefined error response:


is RECOMMENDED for any of the following cases:

  • a sessionId is passed but not recognized,
  • no sessionId is passed and only active session(s) have sessionIds, or
  • there are no active sessions

Security Considerations


The introduction of this lifecycle method must ensure that only authorized parties can retrieve the authorizations of a session. Proper authentication and authorization mechanisms must be in place to prevent unauthorized access or modifications.

To achieve this, it is recommended to establish a connection over domain-bound or other 1:1 transports. Where applicable, additional binding to a sessionId is recommended to ensure secure session management. This approach helps to create a secure communication channel that can effectively authenticate and authorize session-related requests, minimizing the risk of unauthorized access or session hijacking.

Links


  • CAIP-25 - JSON-RPC Handshake Protocol Specification. i.e wallet_createSession
  • CAIP-217- Authorization Scopes, i.e. syntax for scopeObjects

Copyright


Copyright and related rights waived via CC0.