According to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding, verifying the JWT claims for an AWS ALB is a simple matter of calling https://public-keys.auth.elb.$region.amazonaws.com/$key-id, but for some reason that always gives a 403 Access Denied error. The region is set to be the same as the ALB's, and the $key-id is taken from the JWT header (kid). Calling from within the AWS network or from a local computer made no difference.

The ALB is configured to authenticate using Okta OIDC and then forward to internal EC2/EKS boxes. The JWT payload is correct. What could cause the 403?
It seems AWS does not support JWT verification in the eu-north-1 region. Works fine elsewhere.
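For anyone landing here with the same flow: below is an added example (my own sketch, not code from the question, the answer or AWS) of the verification steps the question describes, written so the network call is injectable and the 403 case is surfaced as a distinct error instead of a generic decode failure. It decodes the token parts with a padding-tolerant base64url decoder (ALB-issued tokens may carry `=` padding that strict JWT libraries reject), takes `kid` from the header, builds the `public-keys.auth.elb.<region>.amazonaws.com/<kid>` URL, fetches the PEM and checks the ES256 signature. The signature step uses the third-party `cryptography` package, which is an assumption about your environment; everything else is standard library. The sample token, ARN and key id are constructed placeholders.

```python
"""Added example: verifying an ALB x-amzn-oidc-data token step by step.
Not from the original post. The token below is constructed for illustration."""
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

PUBLIC_KEY_URL = "https://public-keys.auth.elb.{region}.amazonaws.com/{kid}"


class PublicKeyUnavailable(Exception):
    """Raised when the ALB public-key endpoint does not hand back a usable PEM."""


def b64url_decode(segment: str) -> bytes:
    # Accept both padded and unpadded base64url: strip any '=' and re-pad to a multiple of 4.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: str) -> Tuple[Dict, Dict, bytes, bytes]:
    """Return (header, payload, raw signature, signing input 'header.payload')."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    return header, payload, b64url_decode(s), f"{h}.{p}".encode("ascii")


def key_url_from_header(header: Dict, region: str) -> str:
    """Build the public-key URL from the header's kid; ALB signs with ES256 only."""
    if header.get("alg") != "ES256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; ALB tokens are ES256")
    kid = header.get("kid")
    # Refuse kids that could alter the URL path (the kid is attacker-influenced input).
    if not kid or any(c in kid for c in "/?#"):
        raise ValueError("header lacks a usable kid")
    return PUBLIC_KEY_URL.format(region=region, kid=kid)


def http_fetch(url: str) -> Tuple[int, bytes]:
    """Real network fetcher; returns (status, body) and never raises on HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_public_key(url: str, fetch: Callable[[str], Tuple[int, bytes]] = http_fetch) -> str:
    """Fetch the PEM for a kid; a 403 is reported on its own so it is not mistaken for a bad token."""
    status, body = fetch(url)
    if status == 403:
        raise PublicKeyUnavailable(f"{url} returned 403 Access Denied (the answer above reports this for eu-north-1)")
    if status != 200:
        raise PublicKeyUnavailable(f"{url} returned HTTP {status}")
    pem = body.decode("ascii").strip()
    if not pem.startswith("-----BEGIN PUBLIC KEY-----"):
        raise PublicKeyUnavailable("response body is not a PEM public key")
    return pem


def verify_es256(signing_input: bytes, signature: bytes, pem: str) -> bool:
    """Check the raw r||s ES256 signature. Assumes the 'cryptography' package is installed."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature
    if len(signature) != 64:
        return False
    r, s = int.from_bytes(signature[:32], "big"), int.from_bytes(signature[32:], "big")
    key = serialization.load_pem_public_key(pem.encode("ascii"))
    try:
        key.verify(encode_dss_signature(r, s), signing_input, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def verify_alb_token(token: str, region: str, expected_signer: str,
                     fetch: Callable[[str], Tuple[int, bytes]] = http_fetch) -> Dict:
    """Full flow: parse, pin the signer ARN, fetch the key, verify signature and expiry."""
    header, payload, signature, signing_input = split_token(token)
    if header.get("signer") != expected_signer:  # only accept tokens from our own ALB
        raise ValueError("token signer does not match the expected load balancer ARN")
    pem = fetch_public_key(key_url_from_header(header, region), fetch)
    if not verify_es256(signing_input, signature, pem):
        raise ValueError("bad signature")
    if int(payload.get("exp", 0)) < time.time():
        raise ValueError("token expired")
    return payload


# Constructed sample token (placeholder kid/ARN, fake 64-byte signature), padded base64url on purpose.
_HDR = {"alg": "ES256", "kid": "00000000-0000-0000-0000-000000000000",
        "signer": "arn:aws:elasticloadbalancing:eu-west-1:000000000000:loadbalancer/app/placeholder/0000000000000000"}
_PAY = {"sub": "user@example.com", "exp": 4102444800}
CONSTRUCTED_TOKEN = ".".join(base64.urlsafe_b64encode(x).decode("ascii") for x in (
    json.dumps(_HDR).encode(), json.dumps(_PAY).encode(), b"\x00" * 64))

if __name__ == "__main__":
    hdr, _, _, _ = split_token(CONSTRUCTED_TOKEN)
    print(key_url_from_header(hdr, "eu-west-1"))
```

In production pass `fetch=http_fetch` (the default) and cache the PEM per kid; the fetcher is injectable so the 403 path can be exercised without hitting AWS, which is also how you would confirm that the endpoint, not your token handling, is what fails in a given region.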