Using incorrect oauth-authorization-server endpoint

[neilgrayton]

Describe the bug
When I configure the default challenge schema to be "McpAuthenticationDefaults.AuthenticationScheme" instead of using the authorisation server endpoint detailed in the oauth-protected-resource metadata returned from the MCP server, the oauth-authorisation-server is always attempted from the MCP server URL

I've also noticed that when not using the .AddMCP to the .AddAuthorisation configuration, an empty WWW-Authenticate header is added, even if I add my own in the event handlers

Expected behavior
As per the protocol this should use the server defined in the protected resource response

Logs
If applicable, add logs to help explain your problem.

Additional context
Add any other context about the problem here.

[pjirsa]

The ProtectedMCPClient and ProtectedMCPServer samples seem to work together. But I get the same problem as described above when attempting to add the ProtectedMCPServer example to my MCP Tools list in VSCode.