
Failed to validate Azure AD token signature in Java

Updated: 2023-02-15 08:29:01

First example

Modulus and Exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url, not in base64, so the code to decode them should be

byte[] modulusBytes = Base64.getUrlDecoder().decode(n);
BigInteger modulusInt = new BigInteger(1, modulusBytes);

Do not use the old com.sun.misc.BASE64Decoder.

If the JWT is signed you should not use JWTParser.plaintextJwt(). According to the documentation:

plaintextJwt: a compact serialized unsigned plaintext JWT string

Use parseClaimsJws or parsePlaintextJws instead. Use the second method only if the payload is a non-JSON string.

Second example

The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to

 InputStream in = new ByteArrayInputStream(certChain);
 CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
 X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in);

The modulus and exponent of the certificate are the same as the decoded ones, so the public key is equivalent.

There are two similar certificates in the link; check both. You should be able to validate the signature. If not, then the token is not signed with those keys.
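The following is an added, self-contained example (not code from the answer above or from any library it mentions) that puts the two points of the answer together: decoding the JWK's n and e with the base64url decoder, rebuilding the RSAPublicKey, checking that it is the same key the certificate carries, and verifying an RS256 compact JWS with it. Because a live JWKS document and certificate are not available offline, the example generates a test RSA key pair, encodes its modulus and exponent the way a JWKS entry does, and uses the generated public key in place of `cert.getPublicKey()`; the token it verifies is constructed for the example. The class and method names (`JwksSignatureCheck`, `publicKeyFromJwk`, `verifyRs256`, `sameKey`, `toUnsigned`) are the example's own.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class JwksSignatureCheck {

    // Build an RSAPublicKey from the "n" and "e" members of a JWK.
    // Both members are base64url (RFC 7518, section 6.3.1), so the URL decoder is required;
    // Base64.getDecoder() rejects the '-' and '_' characters base64url uses.
    static RSAPublicKey publicKeyFromJwk(String n, String e) throws Exception {
        byte[] modulusBytes = Base64.getUrlDecoder().decode(n);
        byte[] exponentBytes = Base64.getUrlDecoder().decode(e);
        // signum 1: the JWK encodes an unsigned big-endian magnitude, never two's complement
        BigInteger modulus = new BigInteger(1, modulusBytes);
        BigInteger exponent = new BigInteger(1, exponentBytes);
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    // Verify a compact JWS (header.payload.signature) signed with RS256.
    static boolean verifyRs256(String jws, RSAPublicKey key) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        // The signing input is the ASCII of the first two base64url segments joined by '.'
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] signature = Base64.getUrlDecoder().decode(parts[2]);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signingInput);
        return verifier.verify(signature);
    }

    // The JWK-derived key and the certificate's key must agree on modulus and exponent.
    static boolean sameKey(RSAPublicKey fromJwk, RSAPublicKey fromCert) {
        return fromJwk.getModulus().equals(fromCert.getModulus())
                && fromJwk.getPublicExponent().equals(fromCert.getPublicExponent());
    }

    // BigInteger.toByteArray() may prepend a 0x00 sign byte; a JWK wants the bare magnitude.
    static byte[] toUnsigned(BigInteger v) {
        byte[] b = v.toByteArray();
        if (b.length > 1 && b[0] == 0) {
            byte[] t = new byte[b.length - 1];
            System.arraycopy(b, 1, t, 0, t.length);
            return t;
        }
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key material; in the real flow the IdP publishes this in its JWKS.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey certKey = (RSAPublicKey) kp.getPublic(); // stands in for cert.getPublicKey()

        // Encode n and e as a JWKS entry does: base64url, no padding, unsigned magnitude
        Base64.Encoder url = Base64.getUrlEncoder().withoutPadding();
        String n = url.encodeToString(toUnsigned(certKey.getModulus()));
        String e = url.encodeToString(toUnsigned(certKey.getPublicExponent()));

        // Sign a constructed token with the matching private key
        String header = url.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = url.encodeToString("{\"sub\":\"constructed\"}".getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String jws = header + "." + payload + "." + url.encodeToString(signer.sign());

        // Show why the plain base64 decoder is the wrong tool for JWK members
        try {
            Base64.getDecoder().decode(n);
            System.out.println("standard decoder accepted n (no '-' or '_' happened to occur)");
        } catch (IllegalArgumentException ex) {
            System.out.println("standard decoder rejected n: " + ex.getMessage());
        }

        RSAPublicKey fromJwk = publicKeyFromJwk(n, e);
        System.out.println("JWK key matches certificate key: " + sameKey(fromJwk, certKey));
        System.out.println("signature valid: " + verifyRs256(jws, fromJwk));
        String tampered = header + "." + payload + "x." + jws.split("\\.")[2];
        System.out.println("tampered token valid: " + verifyRs256(tampered, fromJwk));
    }
}
```

Run with `javac JwksSignatureCheck.java && java JwksSignatureCheck`. The last line shows that changing a single character of the payload makes the same signature fail; if a real token fails the same way against every key in the JWKS (the answer's "check both"), the token was not signed with those keys rather than decoded wrongly.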