Hi, I have found that the .well-known and jwks_uri endpoints are left unsecured, meaning that unauthenticated clients can discover auth server configuration and signing keys. Surely we should require a minimum of basic authentication using client id and secret? Thanks, Simon.
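
A check related to the signing-key concern above, as an added example that is not part of the original post or of the project's code: it scans a JWK Set, as served from a `jwks_uri`, for private or symmetric key members, using the member names defined in RFC 7518 and RFC 8037. The function name and the sample JWKS (including its key values and `kid`s) are constructed for illustration.

```python
import json

# Members that carry secret key material, per key type
# (RFC 7518 section 6 for RSA/EC/oct, RFC 8037 section 2 for OKP).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key is secret in its entirety
}

def find_private_material(jwks_text):
    """Return (kid, finding) pairs for every secret member in a JWK Set."""
    doc = json.loads(jwks_text)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError("not a JWK Set: missing 'keys' array")
    findings = []
    for index, jwk in enumerate(keys):
        if not isinstance(jwk, dict):
            raise ValueError(f"entry {index} is not a JSON object")
        kid = jwk.get("kid", f"#{index}")  # fall back to position if no kid
        kty = jwk.get("kty")
        if kty not in PRIVATE_MEMBERS:
            # Unknown key type: cannot tell which members are secret.
            findings.append((kid, "unrecognised kty, review manually"))
            continue
        for member in sorted(PRIVATE_MEMBERS[kty] & jwk.keys()):
            findings.append((kid, member))
    return findings

# Constructed sample: one public RSA key, one EC key that wrongly includes
# its private scalar, and one symmetric key. All values are placeholders.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-public", "use": "sig",
     "n": "constructed-modulus", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-leaked", "crv": "P-256",
     "x": "constructed-x", "y": "constructed-y", "d": "constructed-d"},
    {"kty": "oct", "kid": "hmac-1", "k": "constructed-secret"},
]})

if __name__ == "__main__":
    for kid, finding in find_private_material(SAMPLE_JWKS):
        print(f"{kid}: {finding}")
```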