Summary
I think the JwtTimestampValidator uses the wrong error type when a token expires: https://github.com/spring-projects/spring-security/blob/339a05312ed06561f3567ca4931d089a6a8891fa/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java#L93
As listed in https://datatracker.ietf.org/doc/html/rfc6750#section-3.1, it should use the INVALID_TOKEN error.
Actual Behavior
JwtTimestampValidator uses the INVALID_REQUEST error when a token expires.
Expected Behavior
JwtTimestampValidator should use the INVALID_TOKEN error when a token expires.
Version
5.5.2
Sample
https://github.com/spring-projects/spring-security/blob/339a05312ed06561f3567ca4931d089a6a8891fa/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java#L93
Comment From: jzheaux
Thanks for the report, @jason076. This has now been fixed in main and backported to 5.5.x.
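Added example, not part of the original thread and not Spring Security's own code: a custom `OAuth2TokenValidator<Jwt>` that reports expired or not-yet-valid tokens with the `invalid_token` code from RFC 6750 section 3.1, for applications that cannot yet move to a fixed release. The class name `Rfc6750TimestampValidator`, the error descriptions and the clock-skew parameter are assumptions made for illustration.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

// Hypothetical class name; added example, not Spring Security's own validator.
public final class Rfc6750TimestampValidator implements OAuth2TokenValidator<Jwt> {

    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6750#section-3.1";

    private final Duration clockSkew; // assumed tolerance for clock drift between issuer and resource server
    private final Clock clock;

    public Rfc6750TimestampValidator(Duration clockSkew, Clock clock) {
        this.clockSkew = clockSkew;
        this.clock = clock;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Instant now = Instant.now(this.clock);
        Instant expiresAt = jwt.getExpiresAt();
        // Expired: "exp" plus the allowed skew is already in the past.
        if (expiresAt != null && now.minus(this.clockSkew).isAfter(expiresAt)) {
            return invalidToken("Jwt expired at " + expiresAt);
        }
        Instant notBefore = jwt.getNotBefore();
        // Not yet valid: "nbf" minus the allowed skew is still in the future.
        if (notBefore != null && now.plus(this.clockSkew).isBefore(notBefore)) {
            return invalidToken("Jwt used before " + notBefore);
        }
        return OAuth2TokenValidatorResult.success();
    }

    // RFC 6750 section 3.1: expired or otherwise invalid tokens map to invalid_token,
    // which the resource server should answer with HTTP 401.
    private static OAuth2TokenValidatorResult invalidToken(String description) {
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, description, ERROR_URI);
        return OAuth2TokenValidatorResult.failure(error);
    }
}
```

It can be set on the decoder with `NimbusJwtDecoder.setJwtValidator(...)` in place of the default timestamp validator, alongside any issuer or audience validators already in use.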