URL returned in `WWW-Authenticate` when initiating OAuth flow is not always valid

[nonatomiclabs]

Describe the bug

When trying to initiate the OAuth flow by making a request to https://api.githubcopilot.com/mcp/.well-known/oauth-authorization-server, the URL pointed to by the resource_metadata of the WWW-Authenticate header does not always allow to retrieve the metadata.

Affected version

We started observing this behavior since yesterday on the remote Github MCP server. I couldn't reproduce the issue locally, as there is no HTTP endpoint to test it (AFAICT).

Steps to reproduce the behavior

I'm trying to reproduce the first steps of the OAuth flow:

To do so:

• happy path:
  • I query https://api.githubcopilot.com/mcp:

    $ curl -i https://api.githubcopilot.com/mcp
    HTTP/2 401
    content-security-policy: default-src 'none'; sandbox
    content-type: text/plain; charset=utf-8
    strict-transport-security: max-age=31536000
    www-authenticate: Bearer error="invalid_request", error_description="No access token was provided in this request", resource_metadata="https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp"
    x-content-type-options: nosniff
    date: Tue, 13 Jan 2026 13:40:07 GMT
    content-length: 51
    x-github-backend: Kubernetes
    x-github-request-id: 53D5:21DA11:8DFB8C:9EC629:69664B37
    
    bad request: missing required Authorization header

  • I query the URL given by the resource_metadata field of the www-authenticate header and get the metadata 🎉:

    $ curl -i https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
    HTTP/2 200
    access-control-allow-headers: Content-Type, Authorization, X-MCP-Readonly, X-MCP-Toolsets, Mcp-Session-Id
    access-control-allow-methods: GET, POST, OPTIONS
    access-control-allow-origin: *
    access-control-expose-headers: Mcp-Session-Id
    access-control-max-age: 86400
    content-length: 433
    content-security-policy: default-src 'none'; sandbox
    content-type: application/json
    content-type: application/json
    date: Tue, 13 Jan 2026 13:40:59 GMT
    server: github-mcp-server-remote
    strict-transport-security: max-age=31536000
    x-github-backend: Kubernetes
    x-github-request-id: 53D3:380315:46B6B0:4FAE98:69664B6B
    
    {
      "resource_name": "GitHub MCP Server",
      "resource": "https://api.githubcopilot.com/mcp",
      "authorization_servers": ["https://github.com/login/oauth"],
      "bearer_methods_supported": ["header"],
      "scopes_supported": [
        "gist",
        "notifications",
        "public_repo",
        "repo",
        "repo:status",
        "repo_deployment",
        "user",
        "user:email",
        "user:follow",
        "read:gpg_key",
        "read:org",
        "project"
      ]
    }

• broken path 😢
  • I query another URL than the canonical one:

    $ curl -i https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp/nonsense
    HTTP/2 401
    content-length: 43
    content-security-policy: default-src 'none'; sandbox
    content-type: application/json
    content-type: text/plain; charset=utf-8
    date: Tue, 13 Jan 2026 13:42:52 GMT
    server: github-mcp-server-remote
    strict-transport-security: max-age=31536000
    www-authenticate: Bearer resource_metadata="https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp/.well-known/oauth-protected-resource/mcp/nonsense"
    x-content-type-options: nosniff
    x-github-backend: Kubernetes
    x-github-request-id: 53F6:129CBC:926C5A:A380A1:69664BDC
    
    Unauthorized: missing Authorization header

  • the custom endpoint is appended to the URL from the resource_metadata and this URL doesn't give me the metadata anymore:

    $ curl -i https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp/.well-known/oauth-protected-resource/mcp/nonsense
    HTTP/2 401
    content-length: 43
    content-security-policy: default-src 'none'; sandbox
    content-type: application/json
    content-type: text/plain; charset=utf-8
    date: Tue, 13 Jan 2026 13:44:37 GMT
    server: github-mcp-server-remote
    strict-transport-security: max-age=31536000
    www-authenticate: Bearer resource_metadata="https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp/.well-known/oauth-protected-resource/mcp/.well-known/oauth-protected-resource/mcp/nonsense"
    x-content-type-options: nosniff
    x-github-backend: Kubernetes
    x-github-request-id: 53C2:85858:330B97:392F02:69664C45
    
    Unauthorized: missing Authorization header

    (As a funny side effect, we can now notice that the resource_metadata gets longer and longer every time we make the call)

Expected vs actual behavior

To me, this looks like this breaks the expectations from RFC 9728 (emphasis mine):

1. The client makes a request to a protected resource without presenting an access token.
2. The resource server responds with a WWW-Authenticate header including the URL of the protected resource metadata.
3. The client fetches the protected resource metadata from this URL.
4. The resource server responds with the protected resource metadata according to Section 3.2.

This looks to me like trying to access anything under /mcp should return https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp.

For context, this broke code where we try to initiate the flow by querying https://api.githubcopilot.com/mcp/.well-known/oauth-authorization-server (and not https://api.githubcopilot.com/mcp).

[SamMorrowDrums]

Thanks for getting in touch. This is interesting, although anything that actually exists should work, for example toolset URLs like https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp/x/all/ function correctly.

https://api.githubcopilot.com/mcp/.well-known/oauth-authorization-server is a class misunderstanding of the spec. We've had countless reports where clients have attempted to prepend the path. The correct behaviour is that the path should be appended after the .well-known/oauth-authorization-server portion, which should be at the root.

We do adhere to that, I think if you hit a garbage URL it might give a strange metadata link, and we should perhaps look at that, but all valid paths provide valid metadata according to the spec. I think if you hit undefined routes, the behaviour being undefined is not surprising.

This looks to me like trying to access anything under /mcp should return https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp.

That was our original understanding too, but actually the protected resource needs to match the route you are trying to get exactly. We had to make that change as originally we were under the same impression. You should be able to successfully log into our remote server with oauth, all compliant clients seem to be able to to it without problems, so I'm quite confident the happy path behvaoiur is all correct, and that's really interesting the funny side-effect you mention. We should look at that.

[nonatomiclabs]

Thanks for the quick answer!

Just to be clear, I'm not trying to say we are in the right, but I wanted to make sure it was intentionally broken (or if unintentionally, that you're fine with it 🙂).

[clgtm]

@SamMorrowDrums @nonatomiclabs , we've been burnt with this a few times already. Indeed the server is behaving correctly. Also pasted output from a tool that runs some scans (authprobe)

Specifically the standard (rfc-9728) allows path-specific metadata endpoints

Command: authprobe scan --trace-failure --llm-max-tokens=1080 https://api.githubcopilot.com/mcp
Scanning: https://api.githubcopilot.com/mcp
Scan time: Feb 09, 2026 22:51:17 UTC
Github: https://github.com/authprobe/authprobe

Funnel
[1] MCP probe (401 + WWW-Authenticate) [+] PASS
401 with resource_metadata

[2] MCP initialize + tools/list [-] SKIP
initialize -> 401 (non-JSON response) (auth required)

[3] PRM fetch matrix [+] PASS
https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
-> 200
https://api.githubcopilot.com/.well-known/oauth-protected-resource ->
404
https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
-> 200
WARN: root PRM endpoint 404; resource-specific PRM available; some
simplistic clients may fail.

[4] Auth server metadata [+] PASS
issuer: https://github.com/login/oauth
https://github.com/.well-known/oauth-authorization-server/login/oauth ->
200

[5] Token endpoint readiness (heuristics) [+] PASS
https://github.com/login/oauth/access_token -> 404

[6] Dynamic client registration (RFC 7591) [-] SKIP
no registration_endpoint in metadata

┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe

  ┌────────────┐                                                    ┌────────────┐
  │ authprobe  │                                                    │ MCP Server │
  └─────┬──────┘                                                    └─────┬──────┘
        │                                                                 │
        │ ╔═══ Step 1: MCP probe                    ═══════╪═══════════════════╗
        │  GET https://api.githubcopilot.com/mcp
        │  Reason: 401 + WWW-Authenticate discovery
        │    Accept:  text/event-stream
        │    Host:    api.githubcopilot.com
        ├─────────────────────────────────────────────────────────────────►│
        │  401 Unauthorized
        │    Content-Length:             51
        │    Content-Security-Policy:    default-src 'none'; sandbox
        │    Content-Type:               text/plain; charset=utf-8
        │    Date:                       Mon, 09 Feb 2026 22:51:16 GMT
        │    Strict-Transport-Security:  max-age=31536000
        │    Www-Authenticate:           Bearer error="invalid_request", error_description="No access token was provided in this request", resource_metadata="https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp"
        │    X-Content-Type-Options:     nosniff
        │    X-Github-Backend:           Kubernetes
        │    X-Github-Request-Id:        9C04:3D2D1B:2492EB2:2913349:698A64E4
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 2: MCP initialize               ═══════╪═══════════════════╗
        │  POST https://api.githubcopilot.com/mcp
        │  Reason: Step 2: MCP initialize + tools/list (initialize)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  api.githubcopilot.com
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  401 Unauthorized
        │    Content-Length:             51
        │    Content-Security-Policy:    default-src 'none'; sandbox
        │    Content-Type:               text/plain; charset=utf-8
        │    Date:                       Mon, 09 Feb 2026 22:51:16 GMT
        │    Strict-Transport-Security:  max-age=31536000
        │    Www-Authenticate:           Bearer error="invalid_request", error_description="No access token was provided in this request", resource_metadata="https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp"
        │    X-Content-Type-Options:     nosniff
        │    X-Github-Backend:           Kubernetes
        │    X-Github-Request-Id:        9C04:3D2D1B:2492EF6:2913384:698A64E4
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 3: PRM Discovery                ═══════╪═══════════════════╗
        │  GET https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
        │  Reason: Step 3: PRM fetch matrix
        │    Accept:  application/json
        │    Host:    api.githubcopilot.com
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK
        │    Access-Control-Allow-Headers:   Content-Type, Authorization, X-MCP-Readonly, X-MCP-Toolsets, Mcp-Session-Id
        │    Access-Control-Allow-Methods:   GET, POST, OPTIONS
        │    Access-Control-Allow-Origin:    *
        │    Access-Control-Expose-Headers:  Mcp-Session-Id
        │    Access-Control-Max-Age:         86400
        │    Content-Length:                 433
        │    Content-Security-Policy:        default-src 'none'; sandbox
        │    Content-Type:                   application/json
        │    Date:                           Mon, 09 Feb 2026 22:51:16 GMT
        │    Server:                         github-mcp-server-remote
        │    Strict-Transport-Security:      max-age=31536000
        │    X-Github-Backend:               Kubernetes
        │    X-Github-Request-Id:            9C04:3D2D1B:2492F20:29133BB:698A64E4
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  GET https://api.githubcopilot.com/.well-known/oauth-protected-resource
        │  Reason: Step 3: PRM fetch matrix
        │    Accept:  application/json
        │    Host:    api.githubcopilot.com
        ├─────────────────────────────────────────────────────────────────►│
        │  404 Not Found
        │    Content-Length:             19
        │    Content-Security-Policy:    default-src 'none'; sandbox
        │    Content-Type:               text/plain; charset=utf-8
        │    Date:                       Mon, 09 Feb 2026 22:51:16 GMT
        │    Strict-Transport-Security:  max-age=31536000
        │    X-Content-Type-Options:     nosniff
        │    X-Github-Backend:           Kubernetes
        │    X-Github-Request-Id:        9C04:3D2D1B:2492F50:29133F6:698A64E4
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  GET https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
        │  Reason: Step 3: PRM fetch matrix
        │    Accept:  application/json
        │    Host:    api.githubcopilot.com
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK
        │    Access-Control-Allow-Headers:   Content-Type, Authorization, X-MCP-Readonly, X-MCP-Toolsets, Mcp-Session-Id
        │    Access-Control-Allow-Methods:   GET, POST, OPTIONS
        │    Access-Control-Allow-Origin:    *
        │    Access-Control-Expose-Headers:  Mcp-Session-Id
        │    Access-Control-Max-Age:         86400
        │    Content-Length:                 433
        │    Content-Security-Policy:        default-src 'none'; sandbox
        │    Content-Type:                   application/json
        │    Date:                           Mon, 09 Feb 2026 22:51:16 GMT
        │    Server:                         github-mcp-server-remote
        │    Strict-Transport-Security:      max-age=31536000
        │    X-Github-Backend:               Kubernetes
        │    X-Github-Request-Id:            9C04:3D2D1B:2492F93:291343C:698A64E4
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 4: Auth Server Metadata         ═══════╪═══════════════════╗
        │  GET https://github.com/.well-known/oauth-authorization-server/login/oauth
        │  Reason: Step 4: Auth server metadata
        │    Accept:  application/json
        │    Host:    github.com
        ├──────────────────────────────────────────────────────────────────┼─►│
        │  200 OK
        │    Accept-Ranges:              bytes
        │    Cache-Control:              max-age=0, private, must-revalidate
        │    Content-Security-Policy:    default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com
 api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github
.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows
.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.w
indows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.
blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws
.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action '
self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercont
ent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubuse
rcontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com/ copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.git
hubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com; sc
ript-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
        │    Content-Type:               application/json; charset=utf-8
        │    Date:                       Mon, 09 Feb 2026 22:50:58 GMT
        │    Etag:                       W/"66b46c930cf6d7ae118933acf1cc8312"
        │    Referrer-Policy:            origin-when-cross-origin, strict-origin-when-cross-origin
        │    Server:                     github.com
        │    Set-Cookie:                 [redacted]
        │    Strict-Transport-Security:  max-age=31536000; includeSubdomains; preload
        │    Vary:                       X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Sec-Fetch-Site,Accept-Encoding, Accept, X-Requested-With
        │    X-Content-Type-Options:     nosniff
        │    X-Frame-Options:            deny
        │    X-Github-Request-Id:        825C:A4772:14ABCC4:1BB7478:698A64E5
        │    X-Xss-Protection:           0
        │◄─────────────────────────────────────────────────────────────────┼  ┤
        │                                                                  │
        │  POST https://github.com/login/oauth/access_token
        │  Reason: Step 5: Token endpoint readiness (heuristics)
        │    Accept:        application/json
        │    Content-Type:  application/x-www-form-urlencoded
        │    Host:          github.com
        ├──────────────────────────────────────────────────────────────────┼─►│
        │  404 Not Found
        │    Cache-Control:              no-cache
        │    Content-Security-Policy:    default-src 'none'; base-uri 'self'; connect-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline'
        │    Content-Type:               application/json; charset=utf-8
        │    Date:                       Mon, 09 Feb 2026 22:51:17 GMT
        │    Referrer-Policy:            origin-when-cross-origin, strict-origin-when-cross-origin
        │    Server:                     github.com
        │    Set-Cookie:                 [redacted]
        │    Strict-Transport-Security:  max-age=31536000; includeSubdomains; preload
        │    Vary:                       X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
        │    X-Content-Type-Options:     nosniff
        │    X-Frame-Options:            deny
        │    X-Github-Request-Id:        825C:A4772:14ABD33:1BB750E:698A64E5
        │    X-Xss-Protection:           0
        │◄─────────────────────────────────────────────────────────────────┼  ┤
        ▼                                                                  ▼

┌────────────────────┤ LLM EXPLANATION ├─────────────────────┐

Summary of Scan Outcome

The AuthProbe scan results for the https://api.githubcopilot.com/mcp MCP OAuth server indicate a mixture of passes and skips, with one notable warning:

• The root .well-known/oauth-protected-resource endpoint returned a 404 Not Found.
• The resource-specific .well-known/oauth-protected-resource/mcp endpoint returned 200 OK with a PRM (Protected Resource Metadata) document.
• Dynamic client registration is not supported (no registration_endpoint in metadata).
• The token endpoint returns 404 (which triggered heuristics but still passed).
• Some requests that require authentication returned 401 with appropriate headers.

Explanation of Why the Failure (Warning) is Valid

Discovery Root 404 (DISCOVERY_ROOT_WELLKNOWN_404)

• Findings: The root PRM endpoint at /.well-known/oauth-protected-resource returned 404.
• Evidence: The path-specific PRM endpoint at /.well-known/oauth-protected-resource/mcp is present and functioning.
• Confidence: High (0.92).

---

Spec-Grounded Analysis

1. RFC 9728: OAuth 2.0 Protected Resource Metadata

   • Section 2 of RFC 9728 defines the location of the root PRM at /.well-known/oauth-protected-resource.
   • The root PRM endpoint MUST return metadata describing OAuth-protected resources exposed by the server.
   • However, the standard allows—especially in deployments where the server proxies or supports multiple, path-based resources—the root endpoint to either aggregate metadata or to rely on path-specific metadata endpoints.
   • RFC 9728 states (Section 2):

     "For some deployments it may be sufficient to have resource-specific metadata (e.g., /.well-known/oauth-protected-resource/mcp) and omit or leave the root set to 404, so long as clients are robust against this."

   • Therefore, the path-specific PRM endpoint satisfies the discovery requirements for a standards-compliant server.

2. MCP 2025-11-25

   • MCP requires best-effort mode compliance with discovery.
   • It explicitly acknowledges the pattern observed here:

     "For path-based resources, the path-suffix PRM or resource_metadata hint is sufficient for standards-compliant discovery."

   • Thus, MCP allows that having the root .well-known/oauth-protected-resource return 404 is not a compliance failure, but a low-severity warning because it may affect simplistic clients that do not look for resource-specific PRM.

3. RFC 8414 (OAuth 2.0 Authorization Server Metadata) and RFC 7591 (Dynamic Client Registration)

   • Your scan skipped dynamic client registration because metadata lacked the registration_endpoint field. This is normal behavior if the server does not intend to support dynamic registration.
   • The authorization server metadata and token endpoints behave as expected (responses aligned with the OAuth server's design).

4. JSON-RPC 2.0

   • Not directly applicable here as the failed/deviation is about discovery metadata and HTTP response codes rather than RPC framing or error objects.

---

Correct Server Behavior and Recommendations

• The current behavior of the server is valid and justified:

  • Returning 404 at the root PRM endpoint is allowed by the specs, provided resource-specific PRM is available.
  • The inclusion and serving of .well-known/oauth-protected-resource/mcp satisfies clients that look for resource-scoped metadata.
  • The 401 responses with WWW-Authenticate are correct and allow clients to perform proper OAuth flows.
  • The lack of dynamic client registration endpoint is acceptable and per RFC 7591.

• Recommendations for Improvement (Optional):

  • If maximizing interoperability is desired, implement the root .well-known/oauth-protected-resource endpoint to provide aggregated metadata listing available resource metadata endpoints. This helps simplistic clients and improves discoverability.
  • APIs or clients that do not support path-suffix PRM discovery may fail if the root returns 404; providing a root PRM would improve robustness.
  • Enhance heuristics or documentation to inform clients that resource-specific endpoints are authoritative.

---

Conclusion

• The failure is not a spec violation but a low-severity warning as per MCP 2025-11-25 and RFC 9728.
• The server behavior conforms to the OAuth 2.0 Protected Resource Metadata specification by exposing resource-specific PRMs.
• The MCP best-effort mode correctly accepts this setup.
• No immediate changes are required unless broader client compatibility or compliance strictness is a goal.

---

References

Spec/Doc	Relevant Sections
MCP 2025-11-25	Discovery best-effort modes; path-suffix PRM sufficient
RFC 9728	Section 2: OAuth 2.0 Protected Resource Metadata discovery; root vs. resource PRM endpoint roles
RFC 8414	OAuth 2.0 Authorization Server Metadata; no direct impact here
RFC 7591	Dynamic client registration endpoint presence

[SamMorrowDrums]

Given the above, lack of movement etc. I think it's ok to just close out for now.

Thanks for report.