diff --git a/ChangeLog b/ChangeLog
index 58c7abd..71f7b9a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,5 @@
 02/10/2025
-- add skeleton for updated AWS ALB JWK retrieval which supports key rotation
+- add updated AWS ALB JWKs retrieval supporting new "signer"/"region" logic and key rotation
 see: https://github.com/OpenIDC/mod_oauth2/issues/73
 01/02/2024
diff --git a/src/jose.c b/src/jose.c
index dce08d3..acaf016 100644
--- a/src/jose.c
+++ b/src/jose.c
@@ -740,6 +740,7 @@ _oauth2_jose_jwks_provider_init(oauth2_log_t *log,
 provider->resolve = oauth2_jose_jwks_eckey_url_resolve;
 break;
 case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
+ provider->jwks_uri = oauth2_uri_ctx_init(log);
 provider->resolve = oauth2_jose_jwks_aws_alb_resolve;
 provider->alb_arn = NULL;
 provider->alb_base_url = NULL;
@@ -773,6 +774,7 @@ _oauth2_jose_jwks_provider_clone(oauth2_log_t *log,
 dst->jwks_uri = oauth2_uri_ctx_clone(log, src->jwks_uri);
 break;
 case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
+ dst->jwks_uri = oauth2_uri_ctx_clone(log, src->jwks_uri);
 dst->alb_arn = oauth2_strdup(src->alb_arn);
 dst->alb_base_url = oauth2_strdup(src->alb_base_url);
 break;
@@ -802,6 +804,8 @@ _oauth2_jose_jwks_provider_free(oauth2_log_t *log,
 oauth2_uri_ctx_free(log, provider->jwks_uri);
 break;
 case OAUTH2_JOSE_JWKS_PROVIDER_AWS_ALB:
+ if (provider->jwks_uri)
+ oauth2_uri_ctx_free(log, provider->jwks_uri);
 if (provider->alb_arn)
 oauth2_mem_free(provider->alb_arn);
 if (provider->alb_base_url)
@@ -1890,6 +1894,9 @@ _OAUTH_CFG_CTX_CALLBACK(oauth2_jose_verify_options_jwk_set_aws_alb)
 ptr->jwks_provider->alb_base_url = oauth2_strdup(alb_base_url);
 }
+ rv = oauth2_jose_options_uri_ctx(
+ log, value, params, ptr->jwks_provider->jwks_uri, "aws_alb");
+
 end:
 oauth2_debug(log, "leave: %s", rv);
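Review bot: The call added before `end:` in the `oauth2_jose_verify_options_jwk_set_aws_alb` hunk hands `ptr->jwks_provider->jwks_uri` to oauth2_jose_options_uri_ctx unchecked, while the `_oauth2_jose_jwks_provider_free` hunk in the same diff guards that very pointer for NULL; if `oauth2_uri_ctx_init` can return NULL on allocation failure (its result is not checked in the `_oauth2_jose_jwks_provider_init` hunk either), the config callback dereferences a NULL context. The hunks should agree on one contract: either check the result in the init hunk and fail provider creation there, or guard here with `if (ptr->jwks_provider->jwks_uri == NULL) goto end;` after setting `rv` to the callback's usual error text. The callback body starts outside the hunk, so I cannot see how `rv` is initialized; if an earlier branch already stores an error string without jumping to `end:`, the unconditional assignment here would mask it. The clone hunk has the same blind spot: `oauth2_uri_ctx_clone` is called on `src->jwks_uri` without knowing whether it tolerates a NULL source.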
@@ -2313,15 +2320,13 @@ oauth2_jose_jwks_aws_alb_resolve(oauth2_log_t *log,
 }
 oauth2_debug(log, "constructed ALB JWKs URL: %s", url);
- provider->jwks_uri = oauth2_uri_ctx_init(log);
- oauth2_jose_options_uri_ctx(log, url, NULL, provider->jwks_uri, NULL);
+ provider->jwks_uri->endpoint->url = url;
 oauth2_jose_jwk_list_t *result = _oauth2_jose_jwks_resolve_from_uri(
 log, provider, refresh, _oauth2_jose_jwks_eckey_url_resolve_response_callback);
- oauth2_uri_ctx_free(log, provider->jwks_uri);
- provider->jwks_uri = NULL;
+ provider->jwks_uri->endpoint->url = NULL;
 oauth2_mem_free(url);
 return result;
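Review bot: `provider->jwks_uri->endpoint->url` is overwritten with the freshly built `url` and then reset to NULL after the fetch, so whatever the field held before the call is leaked by the first assignment and lost by the second; since the config callback hunk earlier in this diff now runs oauth2_jose_options_uri_ctx on this same context, it is likely (I cannot see that helper) that the field was populated from the configured value. Save and restore it instead of clearing it: `char *saved = provider->jwks_uri->endpoint->url;` before the assignment and `provider->jwks_uri->endpoint->url = saved;` in place of the `= NULL` line. Swapping the URL in and out of a provider object also means two concurrent resolves on the same provider race on one pointer, and the loser can free `url` while the other request still reads it; if the provider can be reached from more than one thread, the request should be built from a per-call copy of the context rather than by mutating the shared one. `oauth2_jose_jwks_aws_alb_resolve` begins outside the hunk; `endpoint` is also dereferenced here without a check, so it should be established that `oauth2_uri_ctx_init` always allocates it.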