Is it possible to use ASP.NET Core + IdentityServer4 JWT in AWS PrivateLink?

Question

I've been running my web API under AWS Windows VM with IIS using Asp.Net Core and IdentityServer4. The Identity Server is running on the same application of my secured controller. This is running perfectly with no issue using my external domain of 'http://{my-external-domain}'.

My StartUp.cs relevant portion looks like the following:

            .AddJwtBearer(options =>
        {
            options.Authority = xyzConfig.Authority; //http://{my-external-domain}
            options.Audience = "xyz";
            options.RequireHttpsMetadata = false;

I'm using http://{my-external-domain}/connect/token and then I can request the authorized content successfully.

However, when setting this flow using the AWS PrivateLink some combinations aren't working including the desired one of http://{my-internal-domain} as the issuer/authority and the secured controller.

Using the StartUp settings above I get a 500 error saying the following:

IOException: IDX20804: Unable to retrieve document from: 'http://{my-internal-domain}/.well-known/openid-configuration'.

However, from the same machine it's possible to retrieve this information:

{
"issuer": "http://{my-internal-domain}",
"jwks_uri": "http://{my-internal-domain}/.well-known/openid-configuration/jwks",
"authorization_endpoint": "http://{my-internal-domain}/connect/authorize",
"token_endpoint": "http://{my-internal-domain}/connect/token",
"userinfo_endpoint": "http://{my-internal-domain}/connect/userinfo",
"end_session_endpoint": "http://{my-internal-domain}/connect/endsession",
"check_session_iframe": "http://{my-internal-domain}/connect/checksession",
"revocation_endpoint": "http://{my-internal-domain}/connect/revocation",
"introspection_endpoint": "http://{my-internal-domain}/connect/introspect",
"device_authorization_endpoint": "http://{my-internal-domain}/connect/deviceauthorization",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": [
    "openid",
    "email",
    "profile",
    "xyz",
    "offline_access"
],
"claims_supported": [
    "sub",
    "email",
    "email_verified",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "updated_at"
],
"grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
],
"response_modes_supported": [
    "form_post",
    "query",
    "fragment"
],
"token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
],
"subject_types_supported": [
    "public"
],
"id_token_signing_alg_values_supported": [
    "RS256"
],
"code_challenge_methods_supported": [
    "plain",
    "S256"
],
"request_parameter_supported": true

}

When I changed the StartUp.cs settings to the following:

var key = System.Text.Encoding.ASCII.GetBytes(xyzConfig.Secret); 
        
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            //options.Authority = xyzConfig.Authority;
            options.Audience = "xyz";
            options.RequireHttpsMetadata = false;
           
            options.SaveToken = true;
            options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(key),
                ValidateIssuer = false,
                ValidateAudience = false
            };
        });

Now I get 401 with the following message in the response header:

Bearer error="invalid_token", error_description="The signature key was not found"

This was pretty interesting as the token used here seems valid when parsed in jsonwebtoken.io:

{
"nbf": 1602077163,
"exp": 1602080774,
"iss": "http://{my-internal-domain}",
"aud": [
 "http://{my-internal-domain}/resources",
 "xyz"
],
"client_id": "789456",
"sub": "23de9244-86ba-4553-845f-1cbe6bac0536",
"auth_time": 1602077162,
"idp": "local",
"given_name": "gname",
"email": "[email protected]",
"scope": [
 "openid",
 "xyz"
],
"amr": [
 "pwd"
],
"jti": "921552fd-da9b-49b0-98a6-c7c0dcb2d865",
"iat": 1602077174

}

That also comes with the Signing Key Verified so now I don't know which way should we go now and if anyways we can run the JWT authentication using AWS PrivateLink that uses their Network Load Balancer (NLB)

If any other info is required I'll be happy to provide here. Any help is appreciated here, thanks!