diff --git a/dashboard/app.py b/dashboard/app.py
index 1bca22c9..f211e958 100644
--- a/dashboard/app.py
+++ b/dashboard/app.py
@@ -133,7 +133,6 @@ def forbidden():
     jws = request.args.get("error").encode()
     token_verifier = oidc_auth.tokenVerification(jws=jws, public_key=app.config["FORBIDDEN_PAGE_PUBLIC_KEY"])
-    """TODO: add code here to catch when the token is invalid"""
     token_verifier.verify
     return render_template("forbidden.html", token_verifier=token_verifier)
diff --git a/dashboard/oidc_auth.py b/dashboard/oidc_auth.py
index e8abf4bd..8ae74cd9 100644
--- a/dashboard/oidc_auth.py
+++ b/dashboard/oidc_auth.py
@@ -1,7 +1,9 @@
 import json
 import logging
+import traceback
 from josepy.jwk import JWK
 from josepy.jws import JWS
+from josepy.error import JWSErrors
 """Class that governs all authentication with open id connect."""
 from flask_pyoidc import OIDCAuthentication
@@ -95,6 +97,17 @@ def _verified(self):
             self.jws_data["connection_name"] = self._get_connection_name(self.jws_data["connection"])
             return True
         except UnicodeDecodeError:
+            logger.warning("UnicodeDecodeError: The jws {jws}".format(jws=self.jws))
+            return False
+        except JWSErrors.DeserializationError:
+            logger.warning("DeserializationError jws {jws}".format(jws=self.jws))
+            return False
+        except Exception: # pylint: disable=broad-exception-caught
+            # This is a broad except to catch every error. It's not great but since we're
+            # in _validate, our job is to pass/fail everything, and letting code raise out
+            # of here blows up the website in front of customers. Let's do something better
+            # as a last-choice, maybe we need more exceptions caught above
+            logger.warning("Unknown error occurred "+traceback.format_exc())
             return False
     def error_message(self):
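Review bot: Removing the TODO does not resolve it: the surviving `token_verifier.verify` line is a bare attribute reference whose value is discarded, so nothing in `forbidden()` branches on whether the token from the untrusted `error` query parameter verified (if `verify` is a method, as the `_verified(self)` method in oidc_auth.py suggests, it is not even invoked). The page should gate on the outcome, e.g. `if not token_verifier.verify():` followed by `abort(400)` (or a safe rendering that does not expose the unverified token's claims), and the template should only read claims after that check. Separately, `request.args.get("error")` is `None` when the parameter is absent, so `.encode()` raises before verification runs; a `request.args.get("error", "")` default or an explicit early `abort(400)` avoids a 500. The `forbidden()` route starts outside the hunk.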
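Review bot: The new `from josepy.error import JWSErrors` line needs checking: josepy's exception classes live in the `josepy.errors` module (plural) and `DeserializationError` is defined there directly, and I cannot find a `JWSErrors` namespace in that package. If the name does not resolve, the failure is a `ModuleNotFoundError`/`ImportError` at module import, which takes down the whole `oidc_auth` module rather than just the exception branch in `_verified`. Please confirm against the pinned josepy version, and if it is `josepy.errors`, the handler in the later hunk would become `except DeserializationError:` with `from josepy.errors import DeserializationError` here.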
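Review bot: Both new `logger.warning(...)` lines in `_verified` interpolate the full raw `self.jws`, which on the forbidden page is taken verbatim from the `error` query parameter, so attacker-controlled bytes of arbitrary length land in the logs at warning level; log the size or a bounded prefix instead, e.g. `logger.warning("UnicodeDecodeError decoding JWS (%d bytes)", len(self.jws))`, and use lazy `%`-args rather than `.format` so the formatting cost is only paid when the record is emitted. In the broad handler, `logger.exception("Unknown error verifying JWS")` attaches the traceback without the string concatenation of `traceback.format_exc()`, which also drops the need for the new `traceback` import. The comment refers to `_validate` but the hunk header shows the method is `_verified`; aligning the name helps the next reader. `_verified` starts before the hunk, and `error_message` continues past it.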