Currently, Keycloak always use RS256 both for access tokens and id tokens. We're working on introducing support for more algorithms and the ability to change the default for a realm and also for a client. Now the question is should have we two options one for access token and another for ID token. Or just one for both?