RFC 9728 Support: Injecting resource_metadata into WWW-Authenticate header

[MonsieurRz]

Context
We are using mod_oauth2 as a Resource Server and we need to implement RFC 9728 (OAuth 2.0 Protected Resource Metadata).
According to the spec, we need to return a resource_metadata parameter in the WWW-Authenticate header upon a 401 response, allowing the client to discover the Authorization Server.
Desired Output

WWW-Authenticate: Bearer realm="MyAPI", resource_metadata="https://auth.example.com/.well-known/oauth-authorization-server", error="invalid_token"...

The Problem
We are unable to achieve this using standard Apache configuration directives due to what appears to be module execution ordering and input sanitization.
What we tried:

• Header edit / Header merge (mod_headers):
  We tried using Header always edit to append the parameter.
  • Result: It seems mod_oauth2 writes the WWW-Authenticate header to r->err_headers_out after mod_headers has run. The edit is ignored, or mod_oauth2 overwrites the line completely.
  • Result with merge: It creates a second, duplicate WWW-Authenticate header instead of appending to the Bearer challenge line.
• AuthName Injection:
  We tried injecting the parameter via the AuthName directive, hoping the module would concatenate it into the realm string.
  • Config: AuthName 'MyAPI", resource_metadata="https://..."'
  • Result: The module sanitizes/escapes the double quotes. We receive: realm="MyAPI", resource_metadata="https://...". This breaks the header syntax for the client.

Question
Is there a recommended way to append custom parameters (like resource_metadata) to the WWW-Authenticate header generated by mod_oauth2?
If not, would you be open to a Feature Request (or PR) adding a directive like OAuth2ResourceMetadata to support RFC 9728?

[zandbelt]

I agree, being able to configure the WWW-Authenticate header is a useful feature