What would you like to be improved?
When a JWT has expired, the server currently returns a generic error message ("JWT parse error" or "JWKS JWT validation error") rather than a message that says the token is expired. A client therefore cannot distinguish an expired token from a malformed token or an invalid signature.
The issue affects two validators:
StaticSignKeyValidator — ExpiredJwtException is caught in the same multi-catch as MalformedJwtException, UnsupportedJwtException, SignatureException, etc., and returns the generic "JWT parse error".
JwksTokenValidator — All exceptions are caught generically and return "JWKS JWT validation error", regardless of whether the token was expired or had a different fault.
Clients receive a 401 Unauthorized with no way to tell whether they should refresh or re-authenticate, or whether they need to debug a misconfigured token.
How should we improve?
In StaticSignKeyValidator, split ExpiredJwtException into its own catch block and return "Authentication token is expired".
In JwksTokenValidator, add a catch (BadJWTException e) block that inspects the message for expiry and returns "Authentication token is expired".
This gives clients an actionable error and improves observability.
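The two catch-block changes proposed above, written out as an added example (not the project's code, and not the real StaticSignKeyValidator or JwksTokenValidator). It assumes jjwt 0.11.x (io.jsonwebtoken) for the static-key path and nimbus-jose-jwt for the JWKS path; the class name ExpiryAwareValidation, the method names and the constructed sample tokens are all hypothetical. Both libraries verify the signature before they evaluate exp, so the expiry message is only ever returned for a token that was genuinely signed with our key; the tampered token in main shows that an expired token with a bad signature still gets the generic message, which is the behaviour you want (a forged token must never be answered with "go refresh").

```java
// Added example, not the project's own code. Assumes jjwt 0.11.x and nimbus-jose-jwt
// on the classpath; class, method and key names here are hypothetical.
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.security.Key;
import java.text.ParseException;
import java.util.Date;
import javax.crypto.SecretKey;

public class ExpiryAwareValidation {

    public static final String EXPIRED_MSG = "Authentication token is expired";

    /** Static-key path: ExpiredJwtException gets its own catch block, ahead of the multi-catch. */
    public static String validateWithStaticKey(String token, Key key) {
        try {
            Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token);
            return "ok";
        } catch (ExpiredJwtException e) {
            // jjwt's parser checks the signature before "exp", so this branch is only reached
            // for a token that was signed with `key` and is simply past its expiry.
            return EXPIRED_MSG;
        } catch (MalformedJwtException | UnsupportedJwtException | SignatureException
                 | IllegalArgumentException e) {
            return "JWT parse error";
        }
    }

    /** JWKS path: Nimbus reports a past "exp" as BadJWTException("Expired JWT"). */
    public static String validateWithJwks(String token, JWKSet jwks) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<SecurityContext>(
            JWSAlgorithm.HS256, new ImmutableJWKSet<SecurityContext>(jwks)));
        try {
            processor.process(token, null);
            return "ok";
        } catch (BadJWTException e) {
            // BadJWTException is a subclass of BadJOSEException, so it must be caught first.
            // Nimbus has no dedicated "expired" exception type; the message is all we get.
            String msg = e.getMessage();
            if (msg != null && msg.toLowerCase().contains("expired")) {
                return EXPIRED_MSG;
            }
            return "JWKS JWT validation error";
        } catch (BadJOSEException | ParseException | JOSEException e) {
            // Bad signature (BadJWSException), unknown kid, unparsable token, ...
            return "JWKS JWT validation error";
        }
    }

    public static void main(String[] args) {
        SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);

        // Constructed sample: a well-formed, correctly signed token that expired ten minutes
        // ago, i.e. well outside Nimbus's default 60 s clock-skew allowance.
        Date tenMinutesAgo = new Date(System.currentTimeMillis() - 10 * 60 * 1000L);
        String expired = Jwts.builder()
            .setHeaderParam("kid", "k1")   // lets the JWKS selector find the matching key
            .setSubject("alice")
            .setExpiration(tenMinutesAgo)
            .signWith(key)
            .compact();

        // Constructed sample: the same expired token with its signature segment corrupted.
        String tampered = expired.substring(0, expired.length() - 4) + "AAAA";

        // The static key published as a one-entry JWKS under the same kid.
        JWKSet jwks = new JWKSet(new OctetSequenceKey.Builder(key.getEncoded())
            .keyID("k1").algorithm(JWSAlgorithm.HS256).build());

        System.out.println("static/expired : " + validateWithStaticKey(expired, key));
        System.out.println("static/tampered: " + validateWithStaticKey(tampered, key));
        System.out.println("jwks/expired   : " + validateWithJwks(expired, jwks));
        System.out.println("jwks/tampered  : " + validateWithJwks(tampered, jwks));
    }
}
```

Both "expired" calls should come back with the expiry message and both "tampered" calls with the generic one, because in each library a signature failure is raised before the exp claim is ever examined. When the endpoint is an OAuth 2.0 resource server, the same distinction belongs in the response header as well: RFC 6750 has the server answer with `WWW-Authenticate: Bearer error="invalid_token", error_description="The access token expired"`, which is what standard client libraries key their refresh logic on.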