I am trying to build an LTI app.
On the dev environment the OIDC authorization is working correctly, while on my local setup it is failing with 403 Forbidden.
It is not returning any additional information that would let me debug further.
I am able to do the postMessage and get the response, as described in https://www.imsglobal.org/spec/lti-cs-oidc/v0p1
curl
curl --location 'https://lti-service.svc.schoology.com/lti-service/authorize-redirect?iss=https%3A%2F%2Fschoology.schoology.com&lti_storage_target=lti-message-frame&target_link_uri=http%3A%2F%2Flocalhost%3A3002&client_id=6766438901&login_hint=6766438901-4800246504&lti_message_hint=2946ee66-1dd5-4de0-945a-68fe62f0eddb&state=86944d35-de6e-4fda-81a4-b54e9e9c915c&nonce=73ca9942-bcd6-42a9-bbd8-d696c0b2181d&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A3002%2F_api%2Flti%2Flti%2Fschoology%2Fcallback&response_mode=form_post&response_type=id_token&scope=openid' \
--header 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
--header 'accept-language: en-US,en;q=0.9' \
--header 'cache-control: no-cache' \
--header 'cookie: <some cookies>' \
--header 'dnt: 1' \
--header 'pragma: no-cache' \
--header 'priority: u=0, i' \
--header 'referer: http://localhost:3002/' \
--header 'sec-ch-ua: "Chromium";v="127", "Not)A;Brand";v="99"' \
--header 'sec-ch-ua-mobile: ?0' \
--header 'sec-ch-ua-platform: "macOS"' \
--header 'sec-fetch-dest: iframe' \
--header 'sec-fetch-mode: navigate' \
--header 'sec-fetch-site: cross-site' \
--header 'upgrade-insecure-requests: 1' \
--header 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36' \
--header 'x-kong-target-group: dev-ab'
I am having the same problem. Did you ever find a solution?
Thanks!