第一个例子

https：//中的模数和指数（ n 和 e ） login.microsoftonline.com/common/discovery/keys 以 base64url 编码，而不是 base64 ，所以解码它们的代码应该是

Modulus and Exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url and not in base64, so the code to decode them should be

byte[] modulusBytes = Base64.getUrlDecoder().decode(n);
BigInteger modulusInt = new BigInteger(1, modulusBytes);

不要使用旧的 com.sun.misc.BASE64Decoder

如果JWT已签名，则不应使用 JWTParser.plaintextJwt（）。根据文档

If the JWT is signed you should not use JWTParser.plaintextJwt(). According to documentation

plaintextJwt：紧凑的序列化无符号明文JWT字符串

plaintextJwt: a compact serialized unsigned plaintext JWT string

改为使用 parseClaimsJws 或 parsePlaintextJws 。第二种方法，仅当有效负载是字符串非JSON

Use instead parseClaimsJws or parsePlaintextJws. The second method only if the payload is a string non-JSON

第二个示例

第二个例子基本上是正确的。我假设 X509CertUtils.parse（certChain）类似于

The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to

 InputStream in = new ByteArrayInputStream(certChain);
 CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
 X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in);

证书的模数和指数与解码的模数和指数相同，因此公钥是等价的

Modulus and exponent of the certificate are the same that the decoded, so public key is equivalent

链接中有两个类似的证书，请同时检查两者。您应该能够验证签名。如果没有，则令牌未使用这些密钥签名

There are two similar certificates in the link, check both. You should be able to validate the signature. If not, then the token is not signed with those keys