Updated: 2023-02-15 08:29:01
First example
The modulus and exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url and not in base64, so the code to decode them should be
import java.math.BigInteger;
import java.util.Base64;
byte[] modulusBytes = Base64.getUrlDecoder().decode(n);   // n is the base64url "n" member of the JWK
BigInteger modulusInt = new BigInteger(1, modulusBytes);  // signum 1: unsigned big-endian bytes
Do not use the old com.sun.misc.BASE64Decoder.
If the JWT is signed, you should not use JWTParser.plaintextJwt(). According to the documentation:
plaintextJwt: a compact serialized unsigned plaintext JWT string
Use parseClaimsJws or parsePlaintextJws instead. Use the second method only if the payload is a non-JSON string.
Second example
The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to
import java.io.*;
import java.security.cert.*;
InputStream in = new ByteArrayInputStream(certChain);  // certChain: DER bytes of the x5c certificate
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);
The modulus and exponent of the certificate are the same as the decoded ones, so the public key is equivalent.
There are two similar certificates in the link; check both. You should be able to validate the signature. If not, then the token is not signed with those keys.
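As an added, self-contained example (not code from the original answer, and using only the JDK rather than jjwt or nimbus), the following program shows the two points the answer makes: build an RSAPublicKey from base64url-encoded n and e as served by the discovery/keys endpoint, compare it with another RSA public key by modulus and exponent (the check the answer applies to the x5c certificate; here a locally generated key stands in for the certificate's key, since the example carries no certificate), and verify an RS256 signature over a compact JWS, including a tampered token that must fail. The key pair, the token, and the class name JwkRs256Demo are constructed for this example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class JwkRs256Demo {

    // Build an RSAPublicKey from the JWK "n" and "e" members. The discovery/keys
    // endpoint serves them as base64url (RFC 7515 Appendix C), not standard base64.
    static RSAPublicKey publicKeyFromJwk(String n, String e) throws Exception {
        byte[] modulusBytes = Base64.getUrlDecoder().decode(n);
        byte[] exponentBytes = Base64.getUrlDecoder().decode(e);
        // signum 1: JWK byte strings are unsigned big-endian integers
        BigInteger modulus = new BigInteger(1, modulusBytes);
        BigInteger exponent = new BigInteger(1, exponentBytes);
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    // Two RSA public keys are the same key if modulus and exponent match,
    // whether they came from the JWK (n, e) or from the x5c certificate.
    static boolean sameRsaKey(RSAPublicKey a, RSAPublicKey b) {
        return a.getModulus().equals(b.getModulus())
                && a.getPublicExponent().equals(b.getPublicExponent());
    }

    // Verify an RS256 compact JWS (header.payload.signature) against a public key.
    static boolean verifyRs256(String jws, RSAPublicKey key) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) return false;
        // Crude alg check so a token claiming another algorithm is not accepted;
        // a real verifier parses the header JSON and matches kid as well.
        String headerJson = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        if (!headerJson.replace(" ", "").contains("\"alg\":\"RS256\"")) return false;
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] signature = Base64.getUrlDecoder().decode(parts[2]);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(signingInput);
        return verifier.verify(signature);
    }

    // Unsigned big-endian bytes of a BigInteger, base64url without padding, as a JWK
    // encodes n and e (BigInteger.toByteArray() may prepend a 0x00 sign byte; drop it).
    static String base64urlUInt(BigInteger value) {
        byte[] bytes = value.toByteArray();
        if (bytes.length > 1 && bytes[0] == 0) {
            byte[] trimmed = new byte[bytes.length - 1];
            System.arraycopy(bytes, 1, trimmed, 0, trimmed.length);
            bytes = trimmed;
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the issuer's signing key: a fresh key pair
        // instead of a key fetched from the discovery/keys endpoint.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey issuerKey = (RSAPublicKey) kp.getPublic();

        // "n" and "e" as they would appear in the JWK document.
        String n = base64urlUInt(issuerKey.getModulus());
        String e = base64urlUInt(issuerKey.getPublicExponent());

        // Constructed token: RS256 header and a minimal payload, signed with the private key.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString("{\"iss\":\"https://login.microsoftonline.com/common/v2.0\",\"sub\":\"demo\"}"
                .getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        String jws = header + "." + payload + "." + enc.encodeToString(signer.sign());

        RSAPublicKey keyFromJwk = publicKeyFromJwk(n, e);
        System.out.println("JWK key matches issuer key:   " + sameRsaKey(issuerKey, keyFromJwk));
        System.out.println("Signature valid with JWK key: " + verifyRs256(jws, keyFromJwk));

        // A token whose payload was altered after signing must fail verification.
        String tampered = header + "." + enc.encodeToString("{\"sub\":\"attacker\"}".getBytes(StandardCharsets.UTF_8))
                + "." + jws.split("\\.")[2];
        System.out.println("Tampered token verifies:      " + verifyRs256(tampered, keyFromJwk));

        // The standard (non-URL) decoder rejects '-' and '_', which a base64url modulus
        // almost always contains; this is the bug the answer points out.
        try {
            Base64.getDecoder().decode(n);
            System.out.println("Standard Base64 decoder accepted n (no '-' or '_' in this modulus)");
        } catch (IllegalArgumentException ex) {
            System.out.println("Standard Base64 decoder rejected n: " + ex.getMessage());
        }
    }
}
```

Compile and run with `javac JwkRs256Demo.java && java JwkRs256Demo`. For a real token, take n and e from the JWK whose kid matches the token header, and pass `(RSAPublicKey) cert.getPublicKey()` from the x5c certificate into sameRsaKey to confirm the two sources describe the same key.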