diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 058e1363..4110cdeb 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -198,10 +198,10 @@ public class OidcTokenExchanger {
 if (providerMetadata == null || !issuerUri.equals(cachedIssuerUri)) {
 synchronized (this) {
 if (providerMetadata == null || !issuerUri.equals(cachedIssuerUri)) {
- // Fetch the discovery document from the URI as-is — do not append
- // .well-known/openid-configuration automatically, the user provides
- // the complete URL.
- URL discoveryUrl = new URI(issuerUri).toURL();
+ String discoveryPath = issuerUri.endsWith("/")
+ ? issuerUri + ".well-known/openid-configuration"
+ : issuerUri + "/.well-known/openid-configuration";
+ URL discoveryUrl = new URI(discoveryPath).toURL();
 try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
 JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE)
 .parse(in);
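Review bot: The well-known suffix is appended to `issuerUri` unconditionally, so a value saved under the old contract (the removed comment says the user provides the complete discovery URL) now resolves to `…/.well-known/openid-configuration/.well-known/openid-configuration` and discovery fails for existing configurations. Consider leaving the value untouched when it already ends with the well-known path, for example by starting the ternary with `issuerUri.endsWith("/.well-known/openid-configuration") ? issuerUri :`, or migrate the stored values. Because `issuerUri` is now treated as the issuer identifier, the `issuer` field of the parsed document should be compared with it before the metadata is cached, as OpenID Connect Discovery requires. That matters more when `isOidcTlsSkipVerify()` is enabled, since the document is then fetched over an unauthenticated channel. The parsing code and the enclosing method continue outside this hunk, so the issuer check may already exist there.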