diff --git a/server/channels/web/oauth.go b/server/channels/web/oauth.go
index 5ba95ed890b..fedc3c7a4eb 100644
--- a/server/channels/web/oauth.go
+++ b/server/channels/web/oauth.go
@@ -29,7 +29,8 @@ const (
 
 func (w *Web) InitOAuth() {
 	// OAuth 2.0 Authorization Server Metadata endpoint (RFC 8414)
-	w.MainRouter.Handle(model.OAuthMetadataEndpoint, w.APIHandlerTrustRequester(getAuthorizationServerMetadata)).Methods(http.MethodGet)
+	// Match the exact path and any path with additional segments after it
+	w.MainRouter.PathPrefix(model.OAuthMetadataEndpoint).Handler(w.APIHandlerTrustRequester(getAuthorizationServerMetadata)).Methods(http.MethodGet)
 
 	// API version independent OAuth 2.0 as a service provider endpoints
 	w.MainRouter.Handle(model.OAuthAuthorizeEndpoint, w.APIHandlerTrustRequester(authorizeOAuthPage)).Methods(http.MethodGet)
diff --git a/server/public/model/oauth_metadata.go b/server/public/model/oauth_metadata.go
index 954c65f4b1e..7fc7e451631 100644
--- a/server/public/model/oauth_metadata.go
+++ b/server/public/model/oauth_metadata.go
@@ -58,7 +58,8 @@ func GetDefaultMetadata(siteURL string) (*AuthorizationServerMetadata, error) {
 			GrantTypeRefreshToken,
 		},
 		TokenEndpointAuthMethodsSupported: []string{
-			ClientAuthMethodClientSecretPost,
+			ClientAuthMethodNone, // Public clients (PKCE)
+			ClientAuthMethodClientSecretPost, // Confidential clients
 		},
 		ScopesSupported: []string{
 			ScopeUser,
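Review bot: The new `PathPrefix(model.OAuthMetadataEndpoint)` route does plain string-prefix matching, so it also captures paths that merely start with the endpoint string without a `/` boundary (e.g. `<endpoint>-anything`), which is broader than the added comment "any path with additional segments after it" describes. If the goal is the RFC 8414 layout for issuers with a path component (`/.well-known/oauth-authorization-server/<issuer-path>`), registering the exact path and the slash-terminated prefix is tighter: keep `w.MainRouter.Handle(model.OAuthMetadataEndpoint, w.APIHandlerTrustRequester(getAuthorizationServerMetadata)).Methods(http.MethodGet)` and add `w.MainRouter.PathPrefix(model.OAuthMetadataEndpoint+"/").Handler(w.APIHandlerTrustRequester(getAuthorizationServerMetadata)).Methods(http.MethodGet)`. The handler `getAuthorizationServerMetadata` is not visible here; if it does not compare the trailing segments against the configured site URL path, the same metadata (and issuer value) is served for arbitrary suffixes, which is worth confirming. `InitOAuth` continues past the end of the hunk.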
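Review bot: Advertising `ClientAuthMethodNone` in `token_endpoint_auth_methods_supported` tells clients the token endpoint accepts unauthenticated (public) clients, so the token endpoint must require a valid PKCE `code_verifier` for such requests and the metadata should also advertise `code_challenge_methods_supported` with `S256`; neither is visible in this hunk, so confirm both are in place elsewhere rather than inferred from the `// Public clients (PKCE)` comment. If the struct has a `CodeChallengeMethodsSupported` field, populating it here, e.g. `CodeChallengeMethodsSupported: []string{"S256"},`, keeps the advertised capability consistent with what the comment promises. `GetDefaultMetadata` starts and ends outside the hunk.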