The default configuration of Spring Security 6.1.2 adds the WWW-Authenticate header twice when an unauthenticated request comes in to an unauthorized endpoint.

This happens because the ExceptionTranslationFilter is invoked once for the REQUEST dispatch and then again for ERROR dispatch when handling the authorization error for the error page.

Comment From: marcusdacoregio

It is important to mention that RFC 7235 says (emphasized by me):

User agents are advised to take special care in parsing the field value, as it might contain more than one challenge, and each challenge can contain a comma-separated list of authentication parameters. Furthermore, the header field itself can occur multiple times.

I don't know whether, when an application has multiple authentication schemes, we support responding with multiple WWW-Authenticate headers, but it is important to keep that in mind.
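An added example, not code from this issue or from Spring Security: a client-side or test-side check that parses every WWW-Authenticate field line the way the RFC 7235 passage quoted above requires, then reports challenges that are exact repeats, which is the symptom described in the issue. The function names and the sample header values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})')
CHALLENGE = re.compile(rf"({TOKEN})(?:\s+(.+))?")

def split_commas(value):
    """Split a field value on commas that are outside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(field_lines):
    """Return [(scheme, token68 or None, params)] over every field line."""
    out = []
    for line in field_lines:
        for item in split_commas(line):
            p = PARAM.fullmatch(item)
            if p and out and out[-1][1] is None:
                # A bare name=value item belongs to the challenge before it.
                out[-1][2][p.group(1).lower()] = unquote(p.group(2))
                continue
            c = CHALLENGE.fullmatch(item)
            if not c:
                raise ValueError(f"malformed challenge: {item!r}")
            scheme, rest = c.groups()
            p = PARAM.fullmatch(rest) if rest else None
            if p:
                out.append((scheme, None, {p.group(1).lower(): unquote(p.group(2))}))
            else:
                out.append((scheme, rest, {}))  # rest is a token68 or absent
    return out

def repeated_challenges(field_lines):
    """Challenges seen more than once; the scheme is compared case-insensitively."""
    seen, repeats = set(), []
    for scheme, token68, params in parse_challenges(field_lines):
        key = (scheme.lower(), token68, tuple(sorted(params.items())))
        if key in seen:
            repeats.append(key)
        seen.add(key)
    return repeats
```

Pass the list of raw WWW-Authenticate field lines from a 401 response; a non-empty result from `repeated_challenges` means the same challenge was emitted more than once, while several distinct schemes yield an empty list.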