PAC4J JwtAuthenticator logging behavior when JWT is expired

Question

I am currently using PAC4j v5.4.3 for my Java application, and I am using the default JwtAuthenticator with DirectBasicAuthClient for authenticating API requests. The JWT is set to be expired after 30 mins. When the JWT is expired, we observed quite a few of occurrences of error log like below (until the client application re-login):

2023-02-06T08:02:24.557 ERROR [qtp1368888679-667] org.pac4j.jwt.credentials.authenticator.JwtAuthenticator - The JWT is expired: no profile is built

The error log here caused confusion and false alarm in our logging monitoring system and we do not really want to treat it like a real "error" when the JWT expires.

I thought of creating a simple customized JwtAuthenticator and override the protected method "createJwtProfile()", which I plan to log the corresponding error in either warning/info level.

However, before I proceed with my proposed solution above, I would like to seek for more views and see if there is any other better solution.

Answer 1

Yes, you're right, I think the ERROR level is too much here, WARN is enough.

Patched for the master: https://github.com/pac4j/pac4j/commit/c3ef714701086053e7be95cf93f51f995d9df643 and the 5.x branch: https://github.com/pac4j/pac4j/commit/cd4a091d9a68d194cc1499e74021e1d17a1bd9ad

You can patch the class for now before upgrading to pac4j v5.7.1 when it is released.