Hi,
I have found that .well-known and jwks_uri endpoints are left unsecured,
meaning that unauthenticated clients can discover auth server configuration
and signing keys.
Surely we should require a minimum of basic authentication using client id
and secret?
Thanks,
Simon.