From 72f5235d33c2ded08e9d2b94c0ecb99bdee02a51 Mon Sep 17 00:00:00 2001
From: Mick Staugaard <mick@staugaard.com>
Date: Mon, 15 Dec 2025 20:31:11 +1300
Subject: [PATCH] Try OAuth Authorization Server Metadata first

---
 client/transport/oauth.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/client/transport/oauth.go b/client/transport/oauth.go
index 0fce1d80f..d7ae16bd0 100644
--- a/client/transport/oauth.go
+++ b/client/transport/oauth.go
@@ -414,14 +414,15 @@ func (h *OAuthHandler) getServerMetadata(ctx context.Context) (*AuthServerMetada
 		// Use the first authorization server
 		authServerURL := protectedResource.AuthorizationServers[0]
 
-		// Try OpenID Connect discovery first
-		h.fetchMetadataFromURL(ctx, authServerURL+"/.well-known/openid-configuration")
+
+		// Try OAuth Authorization Server Metadata first
+		h.fetchMetadataFromURL(ctx, authServerURL+"/.well-known/oauth-authorization-server")
 		if h.serverMetadata != nil {
 			return
 		}
 
-		// If OpenID Connect discovery fails, try OAuth Authorization Server Metadata
-		h.fetchMetadataFromURL(ctx, authServerURL+"/.well-known/oauth-authorization-server")
+		// If OAuth Authorization Server Metadata discovery fails, try OpenID Connect discovery
+		h.fetchMetadataFromURL(ctx, authServerURL+"/.well-known/openid-configuration")
 		if h.serverMetadata != nil {
 			return
 		}