feat: fixing exclude _sd_alg when no disclosure

[lukasjhan]

I always set _sd_alg in payload even if there is no disclosure. But I think it's better not to include when there is nothing.
I guess it's more complaint.

When used, this claim MUST appear at the top level of the SD-JWT payload.

The payload MAY contain the _sd_alg key described in Section 5.1.1.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.54%. Comparing base (d503996) to head (43f4b0f).

Additional details and impacted files

@@           Coverage Diff           @@
##             next     #120   +/-   ##
=======================================
  Coverage   95.54%   95.54%           
=======================================
  Files          21       21           
  Lines        1705     1705           
  Branches      246      247    +1     
=======================================
  Hits         1629     1629           
  Misses         72       72           
  Partials        4        4           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cre8]

I reached out to the authors since the paragraph is confusing.

"If the _sd_alg claim is not present at the top level, a default value of sha-256 MUST be used."

I understand that the _sd_alg needs only be included in case I want to use a other algorithm than _sd_alg

[lukasjhan]

I reached out to the authors since the paragraph is confusing.

"If the _sd_alg claim is not present at the top level, a default value of sha-256 MUST be used."

I understand that the _sd_alg needs only be included in case I want to use a other algorithm than _sd_alg

FYI: @berendsliedrecht 's implementation doesn't have _sd_alg when there is no disclosure.

hmm... I thought that is for backward compatibility. I think excluding _sd_alg when using sha-256, It can be good. It's more compact

[cre8]

I reached out to the authors since the paragraph is confusing.
"If the _sd_alg claim is not present at the top level, a default value of sha-256 MUST be used."
I understand that the _sd_alg needs only be included in case I want to use a other algorithm than _sd_alg

FYI: @berendsliedrecht 's implementation doesn't have _sd_alg when there is no disclosure.

hmm... I thought that is for backward compatibility. I think excluding _sd_alg when using sha-256, It can be good. It's more compact

Your change is not violating the spec. And the small amount of chars in the JWT will have no negative effect. So from my point we can merge this and move on :)

[berendsliedrecht]

I did not include it, because when I started to implement on a lower draft version it basically stated that when no selectively disclosable items are included, it should be treated as a normal JWT. However, I think the point more is for verification as @cre8 mentioned, if it is not included assume sha2-256, but it does not always have to be set by default to sha2-256. If that makes sense.