Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?

I have the following setup with a keycloak authentication server and an application:

  1. user logs in on application client side, send un/pw to server
  2. application server sends un/pw to keycloak server for a token
  3. keycloak server sends a token back to application server
  4. application server outputs web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are corectly signed with RS256, but as soon as I try to get one on the server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100 (EDIT: even if I set the RS256 key priority to a higher value, HS256 is used)
    • default signing algorithm for the realm is set to RS256
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I’m aware copies entries from valid red. uris)

Google seems to return no results related to my problem.