When credentials fail authentication, Spring Security conventionally throws BadCredentialsException.

OneTimeTokenAuthenticationProvider should catch UsernameNotFoundException, wrap it, and rethrow as BadCredentialsException.

Comment From: jzheaux

Closed in favor of https://github.com/spring-projects/spring-security/pull/16506