In org.wildfly.security.http.oidc.TokenValidator#parseAndVerifyToken, it's possible for an InvalidJwtException to occur if there's a problem with parsing the ID token. However, the exception currently gets swallowed and so the underlying issue doesn't appear in the server log. It would be good to add trace logging to reveal more information about this exception.