Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java	(revision 1889945)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java	(date 1621240196670)
@@ -25,6 +25,7 @@
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
 import org.apache.jackrabbit.oak.spi.security.authentication.LoginModuleMonitor;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants;
+import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenCredentialsExpiredException;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
 import org.jetbrains.annotations.NotNull;
@@ -102,7 +103,7 @@
     }
 
     //------------------------------------------------------------< private >---
-    private boolean validateCredentials(@NotNull TokenCredentials tokenCredentials) {
+    private boolean validateCredentials(@NotNull TokenCredentials tokenCredentials) throws TokenCredentialsExpiredException {
         // credentials without userID -> check if attributes provide
         // sufficient information for successful authentication.
         String token = tokenCredentials.getToken();
@@ -116,9 +117,13 @@
         long loginTime = new Date().getTime();
         if (tokenInfo.isExpired(loginTime)) {
             // token is expired
-            log.debug("Token is expired");
+            String msg = "Token is expired";
+            log.debug(msg);
             tokenInfo.remove();
-            return false;
+            
+            TokenCredentialsExpiredException tce = new TokenCredentialsExpiredException(msg);
+            monitor.loginFailed(tce, tokenCredentials);
+            throw tce;
         }
 
         if (tokenInfo.matches(tokenCredentials)) {
Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthenticationTest.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthenticationTest.java	(revision 1889945)
+++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthenticationTest.java	(date 1621242428150)
@@ -29,6 +29,7 @@
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.authentication.LoginModuleMonitor;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants;
+import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenCredentialsExpiredException;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
 import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
 import org.junit.After;
@@ -156,7 +157,8 @@
             fail("LoginException expected");
         } catch (LoginException e) {
             // success
-            verify(monitor).loginFailed(any(LoginException.class), any(Credentials.class));
+            assertTrue(e instanceof TokenCredentialsExpiredException);
+            verify(monitor).loginFailed(any(TokenCredentialsExpiredException.class), any(Credentials.class));
         }
 
         // expired token must have been removed
@@ -260,7 +262,8 @@
             fail("LoginException expected");
         } catch (LoginException e) {
             // success
-            verify(monitor).loginFailed(e, tc);
+            assertTrue(e instanceof TokenCredentialsExpiredException);
+            verify(monitor).loginFailed((TokenCredentialsExpiredException) e, tc);
         }
 
         verify(ti, Mockito.never()).matches(any());
Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java	(revision 1889945)
+++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/package-info.java	(date 1621239349224)
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-@Version("1.7.0")
+@Version("1.8.0")
 package org.apache.jackrabbit.oak.spi.security.authentication.token;
 
 import org.osgi.annotation.versioning.Version;
Index: oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenCredentialsExpiredException.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenCredentialsExpiredException.java	(date 1621240640165)
+++ oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenCredentialsExpiredException.java	(date 1621240640165)
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication.token;
+
+import javax.security.auth.login.CredentialException;
+
+/**
+ * Subclass of {@link CredentialException} indicating that the token credentials used for repository login have expired.
+ * 
+ * @since Oak 1.40
+ */
+public class TokenCredentialsExpiredException extends CredentialException {
+
+    /**
+     * Constructs a {@code TokenCredentialsExpiredException} with the specified detail message describing this particular exception.
+     *
+     * @param msg the detail message.
+     */
+    public TokenCredentialsExpiredException(String msg) {
+        super(msg);
+    }
+}
\ No newline at end of file