Hello,
We're facing a problem with operations performed through a gateway (using
keycloak spring-security-adapter 3.4.0.Final). They result in
"org.keycloak.exceptions.TokenNotActiveException: Token is not active" if
attempted with an expired token. Unlike the "token is almost expired" error, which
correctly returns 401, this one throws a NullPointerException and as a result
produces a 500 status code, not 401:
    Caused by: java.lang.NullPointerException: null
        at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
This is observed even when accessing keycloak's own endpoints (/users).
I've seen an issue on JIRA
https://issues.jboss.org/browse/KEYCLOAK-5195
which looks like it describes exactly our problem, but it's supposed to be
fixed in 3.4.0.Final.
Here's the relevant part of our HTTP security config (the requestMatcher filters
out some requests bound for the IdP itself) from the gateway:
    @Override
    @Bean
    @Primary
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(),
                new NeedValidateJwtTokenRequestMatcher(gatewayRoute));
    }

    @Bean
    public HttpSecurityConfigurer getHttpSecurityConfigurer() {
        return httpSecurity -> {
            httpSecurity.authorizeRequests()
                    .anyRequest().permitAll();
            httpSecurity.addFilterBefore(traceMethodFilter, CorsFilter.class);
            httpSecurity.addFilterBefore(corsFilter, KeycloakAuthenticationProcessingFilter.class);
        };
    }
Is it something with how we use the adapter in the gateway, or is the fix from
KEYCLOAK-5195 missing from 3.4.0.Final (or maybe it is not even relevant
in this case)?
Best regards,
Dmitry
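One way to keep an expired token from reaching the adapter code path that throws the NullPointerException above, and to answer it with 401 instead of 500, as an added example that is not from the original post or from the Keycloak project: a Spring filter placed before KeycloakAuthenticationProcessingFilter that reads the unverified exp claim and only ever denies (it never grants anything; a token that passes still goes through the adapter's full verification). The class name ExpiredTokenRejectingFilter and the use of Jackson for the payload are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not part of the Keycloak adapter): rejects already-expired
// bearer tokens with 401 before the adapter sees them. It can only deny, so the
// unverified claim read here never extends what the adapter would accept.
public class ExpiredTokenRejectingFilter extends OncePerRequestFilter {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            Long exp = readExp(header.substring("Bearer ".length()));
            // Fail closed: an unreadable exp claim is treated like an expired one.
            if (exp == null || Instant.now().getEpochSecond() >= exp) {
                response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Token is not active");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    // Returns the exp claim of a compact JWS payload, or null if it cannot be read.
    // The signature is NOT checked here; that remains the adapter's job.
    static Long readExp(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return null;
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
            JsonNode exp = MAPPER.readTree(new String(payload, StandardCharsets.UTF_8)).path("exp");
            return exp.canConvertToLong() ? exp.asLong() : null;
        } catch (IllegalArgumentException | IOException e) {
            return null;
        }
    }
}
```

It would be registered in the config shown above with httpSecurity.addFilterBefore(new ExpiredTokenRejectingFilter(), KeycloakAuthenticationProcessingFilter.class); this is a workaround for the 500, not a substitute for the adapter fix.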