I'm aware of many production deployments of authorization server metadata that,
for the issuer https://example.com/tenants/tenant123, use the OpenID Connect
.well-known path formulation
https://example.com/tenants/tenant123/.well-known/openid-configuration and none
that use
https://example.com/

Mike, Phil, Aaron,

The following is my shepherd review for OAuth 2.0 Protected Resource
Metadata
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-05.html

*Comments/Questions*

5.4. Compatibility with other authentication methods
Would this not open the door for potential downg