kanidm: enable legacy crypto (RS256) for openbao client

2026-02-09 19:38:08 +01:00
parent c091852d9e
commit 4b1b91aeb0
1 changed files with 2 additions and 0 deletions
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -49,6 +49,8 @@
        originLanding = "https://vault.home.2rjus.net:8200/";
        basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
        preferShortUsername = true;
+        # Enable RS256 signing algorithm (required by OpenBao)
+        enableLegacyCrypto = true;
        # Allow groups scope for role binding
        scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
        scopeMaps.users = [ "openid" "profile" "email" "groups" ];