In nearly all cases, NimbusJwtDecoder and NimbusReactiveJwtDecoder throw an OAuth2IntrospectionException when something goes wrong.

However, this makes it tricky to differentiate between invalid tokens and invalid application state.

One way to improve this would be to introduce a new exception that extends OAuth2IntrospectionException. Like BadCredentialsException, BadOpaqueTokenException could be a good name.

Then, if the exception is BadOpaqueTokenException, the application can know that it's an invalid token instead of invalid application state.
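How a caller could use the proposed subclass to tell the two cases apart, as an added example that is not Spring Security's code or part of the original post. The nested exception classes are stand-ins so the file compiles alone, and `introspect`, `statusFor` and the sample token strings are hypothetical.

```java
public class IntrospectionErrorDemo {

    // Stand-in for Spring Security's OAuth2IntrospectionException (assumption:
    // redefined here only so the example compiles without the framework).
    static class OAuth2IntrospectionException extends RuntimeException {
        OAuth2IntrospectionException(String message) { super(message); }
    }

    // The subclass proposed above: thrown only when the token itself is rejected.
    static class BadOpaqueTokenException extends OAuth2IntrospectionException {
        BadOpaqueTokenException(String message) { super(message); }
    }

    // Hypothetical introspector with constructed behaviour: one value simulates
    // an unreachable introspection endpoint, anything but "good" is inactive.
    static String introspect(String token) {
        if ("endpoint-down".equals(token)) {
            throw new OAuth2IntrospectionException("introspection endpoint unreachable");
        }
        if (!"good".equals(token)) {
            throw new BadOpaqueTokenException("provided token is not active");
        }
        return "alice";
    }

    // Maps the outcome to an HTTP status. The subclass is caught first, so a bad
    // token yields 401 while every other introspection failure stays a 500.
    static int statusFor(String token) {
        try {
            introspect(token);
            return 200;
        } catch (BadOpaqueTokenException e) {
            return 401; // caller presented an invalid token: challenge again
        } catch (OAuth2IntrospectionException e) {
            return 500; // application or infrastructure fault: log and alert
        }
    }

    public static void main(String[] args) {
        // Constructed sample tokens covering the three outcomes.
        for (String token : new String[] {"good", "expired", "endpoint-down"}) {
            System.out.println(token + " -> " + statusFor(token));
        }
    }
}
```

Because the new type extends the existing one, code that already catches OAuth2IntrospectionException keeps working unchanged.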