The "encodeToken" method from "services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java" specifically uses hmac256 for its encoding, and I get that this is done for speed, but I would argue that this should be a choice in the configuration.
So my use case sort of breaks outside the walls of Keycloak but I think
this would be a great point to extend. I would like to make use of this JWT
on the NGINX network layer to cryptographically verify against the RSA
public key found at
"/auth/realms/<realm-name>/.well-known/openid-configuration".
This would be sort of a broad level scope authentication used for things
like CDN assets.
I get this looks kind of nasty as far as security concerns but how else
could I include a cookie for a specific client purpose and at a specific
subdomain without first adding in a minimal client frontend with the
Keycloak js iframe check that then adds a cookie for that domain and then
redirects them back to the URL? It seems kind of dumb this couldn't be done
on a realm wide level.
Thoughts?
- Christian