diff --git a/pkg/serviceaccount/jwt.go b/pkg/serviceaccount/jwt.go
index ecfb0655c2b..84792a88a5e 100644
--- a/pkg/serviceaccount/jwt.go
+++ b/pkg/serviceaccount/jwt.go
@@ -135,8 +135,6 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
 		return key, nil
 	})
 
-	claims, _ := parsedToken.Claims.(jwt.MapClaims)
-
 	if err != nil {
 		switch err := err.(type) {
 		case *jwt.ValidationError:
@@ -160,6 +158,8 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
 
 	// If we get here, we have a token with a recognized signature
 
+	claims, _ := parsedToken.Claims.(jwt.MapClaims)
+
 	// Make sure we issued the token
 	iss, _ := claims[IssuerClaim].(string)
 	if iss != Issuer {
diff --git a/pkg/serviceaccount/jwt_test.go b/pkg/serviceaccount/jwt_test.go
index 96989697654..1ade162009d 100644
--- a/pkg/serviceaccount/jwt_test.go
+++ b/pkg/serviceaccount/jwt_test.go
@@ -225,6 +225,12 @@ func TestTokenGenerateAndValidate(t *testing.T) {
 		getter := serviceaccountcontroller.NewGetterFromClient(tc.Client)
 		authenticator := serviceaccount.JWTTokenAuthenticator(tc.Keys, tc.Client != nil, getter)
 
+		// An invalid, non-JWT token should always fail
+		if _, ok, err := authenticator.AuthenticateToken("invalid token"); err != nil || ok {
+			t.Errorf("%s: Expected err=nil, ok=false for non-JWT token", k)
+			continue
+		}
+
 		user, ok, err := authenticator.AuthenticateToken(token)
 		if (err != nil) != tc.ExpectedErr {
 			t.Errorf("%s: Expected error=%v, got %v", k, tc.ExpectedErr, err)
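Review bot: The relocated type assertion on the added `claims, _ := parsedToken.Claims.(jwt.MapClaims)` line still discards the second result, so if `parsedToken.Claims` is ever not a `jwt.MapClaims` the nil `claims` map silently reads as empty and the token is rejected by the issuer comparison below with a misleading reason rather than an explicit one. Prefer `claims, ok := parsedToken.Claims.(jwt.MapClaims)` followed by `if !ok { return nil, false, nil }` (or a descriptive error, whichever matches how the surrounding branches report unusable tokens), so the failure mode is explicit and the later `claims[...]` lookups operate on a known type. Moving the assertion after the error check is what the commit does and is not re-raised here. AuthenticateToken's body begins and ends outside the hunk.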
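Review bot: The new `t.Errorf` in the non-JWT check reports only the expected values, so a failure gives no hint whether `err` was non-nil or `ok` was true; print the actual results, e.g. `t.Errorf("%s: Expected err=nil, ok=false for non-JWT token, got err=%v, ok=%v", k, err, ok)`. Since `ok` and `err` are declared in the `if` initializer they are in scope only inside the block, which is where the call already sits. The `continue` correctly skips the rest of the case without aborting the remaining table entries. TestTokenGenerateAndValidate's body continues outside the hunk.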