diff --git a/test/DiscoveryTest.hs b/test/DiscoveryTest.hs
index db313ad..bf1cb99 100644
--- a/test/DiscoveryTest.hs
+++ b/test/DiscoveryTest.hs
@@ -22,10 +22,12 @@ module DiscoveryTest
   ) where
 
 --------------------------------------------------------------------------------
+import Data.List.NonEmpty (fromList)
 import HttpHelper
 import qualified Network.HTTP.Client.Internal as HTTP
 import Network.URI (parseURI)
 import qualified Network.URI.Static as Network
+import OpenID.Connect.Authentication
 import OpenID.Connect.Client.Provider
 import OpenID.Connect.Scope
 import Test.Tasty (TestTree, testGroup)
@@ -35,6 +37,7 @@ import Test.Tasty.HUnit
 test :: TestTree
 test = testGroup "Discovery"
   [ testCase "discovery" testDiscoveryParsing
+  , testCase "discovery auth method extensions" testDiscoveryAuthExtParsing
   ]
 
 --------------------------------------------------------------------------------
@@ -60,3 +63,24 @@ testDiscoveryParsing = do
       fmap (`hasScope` "email") scopesSupported   @?= Just True
       fmap (`hasScope` "profile") scopesSupported @?= Just True
       fmap show cache                             @?= Just "2020-02-20 20:40:21 UTC"
+
+testDiscoveryAuthExtParsing :: Assertion
+testDiscoveryAuthExtParsing = do
+  let fake = defaultFakeHTTPS "test/data/discovery-extensions.json"
+      https = mkHTTPS fake
+  url <- maybe (fail "WTF?") pure (parseURI "https://oidc.example")
+  (res, _) <- runHTTPS (discovery https url)
+
+  case res of
+    Left e -> fail (show e)
+    Right (Discovery{..}, _) -> do
+      tokenEndpointAuthMethodsSupported
+        @?=
+          Just
+            (fromList
+              [ PrivateKeyJwt
+              , ClientSecretBasic
+              , ClientSecretPost
+              , UnsupportedAuthentication "tls_client_auth"
+              , ClientSecretJwt
+              ])
diff --git a/test/data/discovery-extensions.json b/test/data/discovery-extensions.json
new file mode 100644
index 0000000..da08fb4
--- /dev/null
+++ b/test/data/discovery-extensions.json
@@ -0,0 +1,174 @@
+{
+  "issuer": "https://oidc.example",
+  "authorization_endpoint": "https://oidc.example/openid-connect/auth",
+  "token_endpoint": "https://oidc.example/openid-connect/token",
+  "introspection_endpoint": "https://oidc.example/openid-connect/token/introspect",
+  "userinfo_endpoint": "https://oidc.example/openid-connect/userinfo",
+  "end_session_endpoint": "https://oidc.example/openid-connect/logout",
+  "jwks_uri": "https://oidc.example/openid-connect/certs",
+  "check_session_iframe": "https://oidc.example/openid-connect/login-status-iframe.html",
+  "grant_types_supported": [
+    "authorization_code",
+    "implicit",
+    "refresh_token",
+    "password",
+    "client_credentials"
+  ],
+  "response_types_supported": [
+    "code",
+    "none",
+    "id_token",
+    "token",
+    "id_token token",
+    "code id_token",
+    "code token",
+    "code id_token token"
+  ],
+  "subject_types_supported": [
+    "public",
+    "pairwise"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "PS384",
+    "ES384",
+    "RS384",
+    "HS256",
+    "HS512",
+    "ES256",
+    "RS256",
+    "HS384",
+    "ES512",
+    "PS256",
+    "PS512",
+    "RS512"
+  ],
+  "id_token_encryption_alg_values_supported": [
+    "RSA-OAEP",
+    "RSA-OAEP-256",
+    "RSA1_5"
+  ],
+  "id_token_encryption_enc_values_supported": [
+    "A256GCM",
+    "A192GCM",
+    "A128GCM",
+    "A128CBC-HS256",
+    "A192CBC-HS384",
+    "A256CBC-HS512"
+  ],
+  "userinfo_signing_alg_values_supported": [
+    "PS384",
+    "ES384",
+    "RS384",
+    "HS256",
+    "HS512",
+    "ES256",
+    "RS256",
+    "HS384",
+    "ES512",
+    "PS256",
+    "PS512",
+    "RS512",
+    "none"
+  ],
+  "request_object_signing_alg_values_supported": [
+    "PS384",
+    "ES384",
+    "RS384",
+    "HS256",
+    "HS512",
+    "ES256",
+    "RS256",
+    "HS384",
+    "ES512",
+    "PS256",
+    "PS512",
+    "RS512",
+    "none"
+  ],
+  "response_modes_supported": [
+    "query",
+    "fragment",
+    "form_post"
+  ],
+  "registration_endpoint": "https://oidc.example/clients-registrations/openid-connect",
+  "token_endpoint_auth_methods_supported": [
+    "private_key_jwt",
+    "client_secret_basic",
+    "client_secret_post",
+    "tls_client_auth",
+    "client_secret_jwt"
+  ],
+  "token_endpoint_auth_signing_alg_values_supported": [
+    "PS384",
+    "ES384",
+    "RS384",
+    "HS256",
+    "HS512",
+    "ES256",
+    "RS256",
+    "HS384",
+    "ES512",
+    "PS256",
+    "PS512",
+    "RS512"
+  ],
+  "claims_supported": [
+    "aud",
+    "sub",
+    "iss",
+    "auth_time",
+    "name",
+    "given_name",
+    "family_name",
+    "preferred_username",
+    "email",
+    "acr"
+  ],
+  "claim_types_supported": [
+    "normal"
+  ],
+  "claims_parameter_supported": true,
+  "scopes_supported": [
+    "openid",
+    "offline_access",
+    "profile",
+    "email",
+    "address",
+    "phone",
+    "roles",
+    "web-origins",
+    "microprofile-jwt"
+  ],
+  "request_parameter_supported": true,
+  "request_uri_parameter_supported": true,
+  "require_request_uri_registration": true,
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ],
+  "tls_client_certificate_bound_access_tokens": true,
+  "revocation_endpoint": "https://oidc.example/openid-connect/revoke",
+  "revocation_endpoint_auth_methods_supported": [
+    "private_key_jwt",
+    "client_secret_basic",
+    "client_secret_post",
+    "tls_client_auth",
+    "client_secret_jwt"
+  ],
+  "revocation_endpoint_auth_signing_alg_values_supported": [
+    "PS384",
+    "ES384",
+    "RS384",
+    "HS256",
+    "HS512",
+    "ES256",
+    "RS256",
+    "HS384",
+    "ES512",
+    "PS256",
+    "PS512",
+    "RS512"
+  ],
+  "backchannel_logout_supported": true,
+  "backchannel_logout_session_supported": true
+}