From 4b1b91aeb0d29a8a9f2adb5cae50fd578d34750d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Mon, 9 Feb 2026 19:38:08 +0100
Subject: [PATCH] kanidm: enable legacy crypto (RS256) for openbao client
---
 services/kanidm/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index 394bb63..e34b153 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -49,6 +49,8 @@
 originLanding = "https://vault.home.2rjus.net:8200/";
 basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
 preferShortUsername = true;
+ # Enable RS256 signing algorithm (required by OpenBao)
+ enableLegacyCrypto = true;
 # Allow groups scope for role binding
 scopeMaps.admins = [ "openid" "profile" "email" "groups" ];
 scopeMaps.users = [ "openid" "profile" "email" "groups" ];
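Review bot: The comment above the added `enableLegacyCrypto = true;` says OpenBao requires RS256, but it does not record that this moves the client off Kanidm's default ES256 token signing, or when the flag can be dropped. OpenBao's JWT/OIDC auth configuration is not visible in this patch; if it inherits Vault's `jwt_supported_algs` setting, which defaults to RS256 only, listing ES256 there may make this flag unnecessary, so that is worth confirming before treating the downgrade as permanent. I would expand the comment to something like `# RS256 instead of Kanidm's default ES256, for this client only; drop once OpenBao's jwt_supported_algs accepts ES256`. The enclosing client attribute set starts and ends outside the hunk, so the per-client scope is inferred from the neighbouring keys.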