/.well-known/oauth-protected-resource
chaos.catastrophic.io
GET /.well-known/oauth-protected-resource
RFC 9728 Protected Resource Metadata for the OAuth client-server chaos quartet. Default mode joins the conflicting-discovery group with an issuer that disagrees with the OIDC and AS documents; other modes exercise resource-server-specific flaws (unreachable AS, unregistered bearer methods, mismatched resource identifier).
mismatched-issuer
unreachable-as
invalid-bearer-methods
mismatched-resource-id

not.catastrophic.io
GET /.well-known/oauth-protected-resource
RFC 9728 Protected Resource Metadata; resource matches the served URL, authorization_servers resolves on this host, bearer methods are IANA-registered
Build against not.catastrophic.io/.well-known/oauth-protected-resource, then
flip the hostname to chaos.catastrophic.io to exercise the chaos.
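
A client-side check for the four flaws listed above, as an added example (not code from this site). It assumes the resource identifier carries no trailing slash, that each mode maps to the finding of the same name, and that the caller has already fetched the authorization server documents; the sample documents are constructed, not captured from either host.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"
# Values RFC 9728 defines for bearer_methods_supported.
BEARER_METHODS = {"header", "body", "query"}

def expected_resource(metadata_url):
    """Recover the resource identifier from the URL the metadata was served at."""
    u = urlsplit(metadata_url)
    suffix = u.path[len(WELL_KNOWN):]
    if not u.path.startswith(WELL_KNOWN) or (suffix and not suffix.startswith("/")):
        raise ValueError("not a protected-resource metadata URL")
    return f"{u.scheme}://{u.netloc}{suffix}"

def validate(metadata_url, prm, as_docs):
    """Return findings for one metadata document.

    as_docs maps each issuer to its fetched AS metadata; a missing or None
    entry means the fetch failed (hypothetical calling convention).
    """
    findings = []
    # RFC 9728 requires an exact match, so no URL normalization is applied.
    if prm.get("resource") != expected_resource(metadata_url):
        findings.append("mismatched-resource-id")
    if set(prm.get("bearer_methods_supported", [])) - BEARER_METHODS:
        findings.append("invalid-bearer-methods")
    for issuer in prm.get("authorization_servers", []):
        doc = as_docs.get(issuer)
        if doc is None:
            findings.append("unreachable-as")
        elif doc.get("issuer") != issuer:
            # The AS document must name the same issuer the resource advertised.
            findings.append("mismatched-issuer")
    return findings

# Constructed sample of a well-formed document and its AS metadata.
BASE = "https://not.catastrophic.io"
GOOD = {
    "resource": BASE,
    "authorization_servers": [BASE],
    "bearer_methods_supported": ["header"],
}
GOOD_AS = {BASE: {"issuer": BASE}}

if __name__ == "__main__":
    print(validate(BASE + WELL_KNOWN, GOOD, GOOD_AS))
```

A client that returns an empty list here and a non-empty one for every chaos mode rejects each flawed document before it sends a token anywhere.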