diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index 394bb63..e34b153 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -49,6 +49,8 @@
 originLanding = "https://vault.home.2rjus.net:8200/";
 basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
 preferShortUsername = true;
+ # Enable RS256 signing algorithm (required by OpenBao)
+ enableLegacyCrypto = true;
 # Allow groups scope for role binding
 scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
 scopeMaps.users = [ "openid" "profile" "email" "groups" ];
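Review bot: `enableLegacyCrypto = true` moves this OAuth2 client off Kanidm's default ES256 token signing and onto RS256, and the added comment calls that an OpenBao requirement without recording where the constraint comes from. OpenBao's JWT/OIDC auth method has a `jwt_supported_algs` setting which, as far as I know, defaults to RS256 for OIDC; if ES256 can be listed there, the relying party could accept Kanidm's default and this flag would not be needed, so that is worth checking before keeping the weaker algorithm. If the flag stays, I would have the comment state the reason and the exit condition, for example `# RS256 only because OpenBao's OIDC auth is at its default jwt_supported_algs; drop once ES256 is accepted there`. The enclosing client attribute set starts and ends outside the hunk, so the scope of the setting is inferred from the `openbao-oauth2` secret path only.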