diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
index f5cf23b4638..c9b4a91d5be 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
@@ -15,6 +15,8 @@
 */
 package org.springframework.security.oauth2.jwt;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@@ -30,6 +32,7 @@
 * @since 5.3
 */
 public final class JwtClaimValidator implements OAuth2TokenValidator {
+ private final Log logger = LogFactory.getLog(getClass());
 private final String claim;
 private final Predicate test;
@@ -61,6 +64,7 @@ public OAuth2TokenValidatorResult validate(Jwt token) {
 if (test.test(claimValue)) {
 return OAuth2TokenValidatorResult.success();
 } else {
+ logger.debug(error.getDescription());
 return OAuth2TokenValidatorResult.failure(error);
 }
 }
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
index 1c8356851b9..f5c1e08155f 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
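Review bot: The new `logger.debug(error.getDescription())` in the failure branch records only the description, and `error` is declared outside this hunk, so what the log line conveys depends on how that message was built: a fixed string tells an operator that some claim validator rejected the token but not which one, while a message that interpolates `claimValue` would copy token contents into the log. Keep the description value-free and make the validator identifiable in the log instead, e.g. `if (logger.isDebugEnabled()) { logger.debug("Jwt claim " + claim + " failed validation: " + error.getDescription()); }`. validate(Jwt) starts before this hunk.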
@@ -15,17 +15,20 @@
 */
 package org.springframework.security.oauth2.jwt;
-import java.time.Clock;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.util.Assert;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.time.temporal.ChronoUnit;
+
 /**
 * An implementation of {@link OAuth2TokenValidator} for verifying claims in a Jwt-based access token
 *
@@ -41,6 +44,8 @@
 * @see JSON Web Token (JWT)
 */
 public final class JwtTimestampValidator implements OAuth2TokenValidator {
+ private final Log logger = LogFactory.getLog(getClass());
+
 private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
 private final Duration clockSkew;
@@ -56,7 +61,6 @@ public JwtTimestampValidator() {
 public JwtTimestampValidator(Duration clockSkew) {
 Assert.notNull(clockSkew, "clockSkew cannot be null");
-
 this.clockSkew = clockSkew;
 }
@@ -71,11 +75,8 @@ public OAuth2TokenValidatorResult validate(Jwt jwt) {
 if (expiry != null) {
 if (Instant.now(this.clock).minus(clockSkew).isAfter(expiry)) {
- OAuth2Error error = new OAuth2Error(
- OAuth2ErrorCodes.INVALID_REQUEST,
- String.format("Jwt expired at %s", jwt.getExpiresAt()),
- "https://tools.ietf.org/html/rfc6750#section-3.1");
- return OAuth2TokenValidatorResult.failure(error);
+ OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
+ return OAuth2TokenValidatorResult.failure(oAuth2Error);
 }
 }
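Review bot: `import java.time.format.DateTimeFormatter;` is added but nothing in the visible hunks of JwtTimestampValidator uses it, so unless the unseen part of the file references it the import is dead and should be dropped. The `java.time` imports are also moved from before the `org.springframework` group to after it, which reverses the ordering the file had; keeping them in the first group leaves the import block as it was and makes the diff smaller.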
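Review bot: The new `logger` field is declared ahead of the class's `static final` constant `DEFAULT_MAX_CLOCK_SKEW`; the usual ordering puts static members first, so moving the field below the constant keeps the declaration block readable. Because `JwtTimestampValidator` is `final`, `getClass()` can only ever resolve to this class, so the field could equally be `private static final Log logger = LogFactory.getLog(JwtTimestampValidator.class);` if the project's logger convention allows it; the identical field added to JwtClaimValidator in this commit has the same property.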
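Review bot: The helper `createOAuth2Error(...)` that the expiry branch now calls also writes the reason to the debug log (its body is in the following hunk), so a method named as a plain factory carries a logging side effect that is invisible at this call site; a name such as `logAndCreateError` or a one-line Javadoc `/** Logs {@code reason} at debug level and wraps it in an INVALID_REQUEST error. */` would make that explicit. The logged text is the same string returned to the client, which names the token's expiry instant but not the clock value and `clockSkew` that produced the rejection; when an operator is chasing clock-drift failures those are the values that matter, and they belong in the log line rather than in the client-facing description. validate(Jwt) begins before this hunk and continues past it.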
@@ -83,17 +84,22 @@ public OAuth2TokenValidatorResult validate(Jwt jwt) {
 if (notBefore != null) {
 if (Instant.now(this.clock).plus(clockSkew).isBefore(notBefore)) {
- OAuth2Error error = new OAuth2Error(
- OAuth2ErrorCodes.INVALID_REQUEST,
- String.format("Jwt used before %s", jwt.getNotBefore()),
- "https://tools.ietf.org/html/rfc6750#section-3.1");
- return OAuth2TokenValidatorResult.failure(error);
+ OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt used before %s", jwt.getNotBefore()));
+ return OAuth2TokenValidatorResult.failure(oAuth2Error);
 }
 }
 return OAuth2TokenValidatorResult.success();
 }
+ private OAuth2Error createOAuth2Error(String reason) {
+ logger.debug(reason);
+ return new OAuth2Error(
+ OAuth2ErrorCodes.INVALID_REQUEST,
+ reason,
+ "https://tools.ietf.org/html/rfc6750#section-3.1");
+ }
+
 /**
 * '
 * Use this {@link Clock} with {@link Instant#now()} for assessing