Zegnat: aaronpk: yes, the MUST is to verify that. And there are basically 2 ways: 1/ the client already knows it has the same authorization_endpoint because the canonical profile URL was visited during initial discovery, or 2/ the client redoes discovery on the canonical profile URL