WWW-Authenticate challenge incorrectly contains multiple `resource_metadata` params

[vorporeal]

Environment

Trying to connect to the hosted server (https://mcp.sentry.io.mcp) using a client built on the rmcp Rust crate/client library.

Steps to Reproduce

1. curl -I https://mcp.sentry.dev/mcp -H "mcp-protocol-version: 2024-11-05"

Expected Result

This should return a WWW-Authenticate header with a single resource_metadata parameter in the challenge, pointing at a valid protected resource endpoint.

Actual Result

The WWW-Authenticate header contains two resource_metadata parameters:

HTTP/2 401 
date: Fri, 08 May 2026 15:27:32 GMT
content-type: application/json
www-authenticate: Bearer realm="OAuth", resource_metadata="https://mcp.sentry.dev/.well-known/oauth-protected-resource", error="invalid_token", error_description="Missing or invalid access token", resource_metadata="https://mcp.sentry.dev/.well-known/oauth-protected-resource/mcp"
...

Making a request to the first URL returns a 404, but making a request to the second URL (with the trailing /mcp) returns a 200 with the appropriate resource metadata.

RFC 9110 says the following:

Authentication parameters are name/value pairs, where the name token is matched case-insensitively and each parameter name MUST only occur once per challenge.

While many parsers will use last-value-wins semantics for handling this case, such behavior is not defined in the spec, and so servers should not expect a client to behave this way. rmcp uses the first parameter value and therefore is unable to complete the authentication flow.