Once you have followed this  guideline, you can now try to provoke errors to learn how the system behaves, e.g.

• try to connect to IdentityServer when it is not running (unavailable)
• try to use an invalid client id or secret to request the token
• try to ask for an invalid scope during the token request
• try to call the API when it is not running (unavailable)
• don’t send the token to the API
• configure the API to require a different scope than the one in the token