diff --git a/CHANGELOG.md b/CHANGELOG.md
index 22165ea..ca3ae1f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
+- Dev: test fixtures use RFC 2606 reserved domains only —
+  `provider.example.org` for IdP-side URLs (metadata, authorization) and
+  `app.example.org` for application-side URLs (redirect/callback, CLI
+  login), replacing real registrable domains (`app.com`, `provider.com`,
+  `other.com`, `test.com`). No effect on the published package.
 - Dev: strengthened Security tests based on mutation testing findings —
   the redirect-route parameters are asserted to reach the router when
   building a provider redirect URI, `validateClaims` is asserted to look
diff --git a/tests/Controller/LoginControllerTest.php b/tests/Controller/LoginControllerTest.php
index 86e2db4..5303680 100644
--- a/tests/Controller/LoginControllerTest.php
+++ b/tests/Controller/LoginControllerTest.php
@@ -33,7 +33,7 @@ public function testLogin(): void
             ->expects($this->exactly(1))
             ->method('getAuthorizationUrl')
             ->with(['state' => 'abcd', 'nonce' => '1234', 'response_type' => 'code', 'scope' => 'openid email profile'])
-            ->willReturn('https://test.com');
+            ->willReturn('https://provider.example.org/authorize');
         $controller = $this->createController($mockProvider);
@@ -58,7 +58,7 @@ public function testLogin(): void
         });
         $response = $controller->login($request, $mockSession, 'test');
-        $this->assertSame('https://test.com', $response->getTargetUrl());
+        $this->assertSame('https://provider.example.org/authorize', $response->getTargetUrl());
     }
     public function testUnknownProviderKeyMapsTo404(): void
diff --git a/tests/DependencyInjection/ConfigurationTest.php b/tests/DependencyInjection/ConfigurationTest.php
index 170f116..079a55d 100644
--- a/tests/DependencyInjection/ConfigurationTest.php
+++ b/tests/DependencyInjection/ConfigurationTest.php
@@ -66,7 +66,7 @@ public function testFullConfig(): void
         $input['user_provider'] = 'my_user_provider';
         $input['openid_providers']['provider1']['options']['leeway'] = 30;
         $input['openid_providers']['provider1']['options']['cache_duration'] = 3600;
-        $input['openid_providers']['provider1']['options']['redirect_uri'] = 'https://app.com/callback';
+        $input['openid_providers']['provider1']['options']['redirect_uri'] = 'https://app.example.org/callback';
         $input['openid_providers']['provider1']['options']['allow_http'] = true;
         $config = $this->processor->processConfiguration(
@@ -79,7 +79,7 @@ public function testFullConfig(): void
         $provider = $config['openid_providers']['provider1']['options'];
         $this->assertSame(30, $provider['leeway']);
         $this->assertSame(3600, $provider['cache_duration']);
-        $this->assertSame('https://app.com/callback', $provider['redirect_uri']);
+        $this->assertSame('https://app.example.org/callback', $provider['redirect_uri']);
         $this->assertTrue($provider['allow_http']);
     }
@@ -100,7 +100,7 @@ public function testRedirectRouteConfig(): void
     public function testBothRedirectUriAndRouteThrows(): void
     {
         $input = $this->getMinimalConfig();
-        $input['openid_providers']['provider1']['options']['redirect_uri'] = 'https://app.com/callback';
+        $input['openid_providers']['provider1']['options']['redirect_uri'] = 'https://app.example.org/callback';
         $input['openid_providers']['provider1']['options']['redirect_route'] = 'my_route';
         $this->expectException(InvalidConfigurationException::class);
@@ -186,7 +186,7 @@ public function testMultipleProviders(): void
         $input = $this->getMinimalConfig();
         $input['openid_providers']['provider2'] = [
             'options' => [
-                'metadata_url' => 'https://other.com/.well-known/openid-configuration',
+                'metadata_url' => 'https://other-provider.example.org/.well-known/openid-configuration',
                 'client_id' => 'other_id',
                 'client_secret' => 'other_secret',
             ],
diff --git a/tests/Security/OpenIdConfigurationProviderManagerTest.php b/tests/Security/OpenIdConfigurationProviderManagerTest.php
index 8610db8..1da56bb 100644
--- a/tests/Security/OpenIdConfigurationProviderManagerTest.php
+++ b/tests/Security/OpenIdConfigurationProviderManagerTest.php
@@ -84,7 +84,7 @@ public function testGetProviderWithRedirectRoute(): void
         $mockRouter->expects($this->once())
             ->method('generate')
             ->with('my_route', ['param' => 'value'], UrlGeneratorInterface::ABSOLUTE_URL)
-            ->willReturn('https://app.com/callback');
+            ->willReturn('https://app.example.org/callback');
         $this->stubRouter = $mockRouter;
         $manager = $this->createManager([
@@ -102,7 +102,7 @@ public function testGetProviderWithRedirectRouteNoParameters(): void
     {
         $this->stubRouter
             ->method('generate')
-            ->willReturn('https://app.com/callback');
+            ->willReturn('https://app.example.org/callback');
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
@@ -118,7 +118,7 @@ public function testGetProviderWithLeeway(): void
     {
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
-                'redirect_uri' => 'https://app.com/callback',
+                'redirect_uri' => 'https://app.example.org/callback',
                 'leeway' => 30,
             ],
         ]);
@@ -131,7 +131,7 @@ public function testGetProviderWithCacheDuration(): void
     {
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
-                'redirect_uri' => 'https://app.com/callback',
+                'redirect_uri' => 'https://app.example.org/callback',
                 'cache_duration' => 3600,
             ],
         ]);
@@ -144,7 +144,7 @@ public function testGetProviderWithAllowHttp(): void
     {
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
-                'redirect_uri' => 'https://app.com/callback',
+                'redirect_uri' => 'https://app.example.org/callback',
                 'allow_http' => true,
             ],
         ]);
@@ -172,7 +172,7 @@ public function testGetProviderForwardsHttpClientOptions(): void
     {
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
-                'redirect_uri' => 'https://app.com/callback',
+                'redirect_uri' => 'https://app.example.org/callback',
                 'http_client_options' => [
                     'timeout' => 1.5,
                     'proxy' => 'http://proxy:8080',
@@ -195,7 +195,7 @@ public function testGetProviderWithoutHttpClientOptionsLeavesGuzzleDefaults(): v
     {
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
-                'redirect_uri' => 'https://app.com/callback',
+                'redirect_uri' => 'https://app.example.org/callback',
             ],
         ]);
@@ -211,7 +211,7 @@ public function testGetProviderCachesInstance(): void
     {
         $manager = $this->createManager([
             'test' => $this->getBaseProviderConfig() + [
-                'redirect_uri' => 'https://app.com/callback',
+                'redirect_uri' => 'https://app.example.org/callback',
             ],
         ]);
diff --git a/tests/Security/OpenIdLoginAuthenticatorTest.php b/tests/Security/OpenIdLoginAuthenticatorTest.php
index 2145468..e2704cf 100644
--- a/tests/Security/OpenIdLoginAuthenticatorTest.php
+++ b/tests/Security/OpenIdLoginAuthenticatorTest.php
@@ -110,7 +110,7 @@ public function testValidateClaimsSuccess(): void
         $stubProvider = $this->createStub(OpenIdConfigurationProvider::class);
         $claims = new \stdClass();
-        $claims->email = 'test@test.com';
+        $claims->email = 'test@example.org';
         $claims->name = 'Test Tester';
         $stubProvider->method('validateIdToken')->willReturn($claims);
@@ -128,7 +128,7 @@ public function testValidateClaimsSuccess(): void
         $passport = $authenticator->authenticate($request);
-        $this->assertSame('test@test.com', $passport->getUser()->getUserIdentifier());
+        $this->assertSame('test@example.org', $passport->getUser()->getUserIdentifier());
         // The claims contract: the IdP claims plus the provider key that
         // authenticated the user.
diff --git a/tests/config/itkdev_openid_connect.yml b/tests/config/itkdev_openid_connect.yml
index 91c0f37..59d5054 100644
--- a/tests/config/itkdev_openid_connect.yml
+++ b/tests/config/itkdev_openid_connect.yml
@@ -7,14 +7,14 @@ itkdev_openid_connect:
   openid_providers:
     test_provider_1:
       options:
-        metadata_url: "https://provider.com/openid-configuration"
+        metadata_url: "https://provider.example.org/openid-configuration"
         client_id: "test_id"
         client_secret: "test_secret"
-        redirect_uri: "https://app.com/callback_uri"
+        redirect_uri: "https://app.example.org/callback_uri"
     test_provider_2:
       options:
-        metadata_url: "https://provider.com/openid-configuration"
+        metadata_url: "https://provider.example.org/openid-configuration"
         client_id: "test_id"
         leeway: 5
         client_secret: "test_secret"
-        redirect_uri: "https://app.com/callback_uri"
+        redirect_uri: "https://app.example.org/callback_uri"
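Review bot: The new `metadata_url` values for both providers point at `provider.example.org`, and unlike the `.invalid` and `.test` TLDs from the same RFC 2606, `example.org` is a real IANA-operated domain that resolves and answers HTTP, so a test that loads this config and ends up building a real provider would fetch the discovery document from a third party rather than failing fast — I cannot tell from this hunk whether the HTTP client is stubbed for this fixture. Where a URL must never be contacted, `https://provider.invalid/openid-configuration` is the safer choice, with `example.org` kept only where a registrable-looking host is needed (the `redirect_uri` values are fine as they are only compared, not fetched). Whichever is chosen, a one-line comment above the block would stop the next refactor from re-introducing a live host: `# RFC 2606 hosts only: .invalid never resolves; metadata_url must not be fetched in tests`.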