-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: fixing exclude _sd_alg when no disclosure #120
feat: fixing exclude _sd_alg when no disclosure #120
Conversation
Signed-off-by: Lukas <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## next #120 +/- ##
=======================================
Coverage 95.54% 95.54%
=======================================
Files 21 21
Lines 1705 1705
Branches 246 247 +1
=======================================
Hits 1629 1629
Misses 72 72
Partials 4 4 ☔ View full report in Codecov by Sentry. |
I reached out to the authors since the paragraph is confusing. "If the _sd_alg claim is not present at the top level, a default value of sha-256 MUST be used." I understand that the _sd_alg needs only be included in case I want to use a other algorithm than _sd_alg |
FYI: @berendsliedrecht 's implementation doesn't have hmm... I thought that is for backward compatibility. I think excluding |
Your change is not violating the spec. And the small amount of chars in the JWT will have no negative effect. So from my point we can merge this and move on :) |
I did not include it, because when I started to implement on a lower draft version it basically stated that when no selectively disclosable items are included, it should be treated as a normal JWT. However, I think the point more is for verification as @cre8 mentioned, if it is not included assume sha2-256, but it does not always have to be set by default to sha2-256. If that makes sense. |
…n#120) Signed-off-by: Lukas <[email protected]> Signed-off-by: Mirko Mollik <[email protected]>
Signed-off-by: Lukas <[email protected]> Signed-off-by: Mirko Mollik <[email protected]>
I always set
_sd_alg
in payload even if there is no disclosure. But I think it's better not to include when there is nothing.I guess it's more complaint.