且构网


.Net Core API JWT token validation

Updated: 2023-02-15 08:28:13

I think you're looking for this:

https://zhiliaxu.github.io/how-do-aspnet-core-services-validate-jwt-signature-signed-by-aad.html

Here zhiliaxu explains in detail how and what is actually validated when using .AddJwtBearer(), and his conclusions are:

It is now clear that:

  • JWT signature is validated without providing any key or certification in our service’s source code.
  • JWT signing key is retrieved from the well-known URL https://login.microsoftonline.com/common/discovery/keys, based on JwtBearerOptions.Authority property.
  • The signing key is cached in the JwtBearerHandler singleton instance, and so our ASP.NET Core service only needs to retrieve it once throughout its lifecycle.

Also based on this article, we can take a look at the ValidateToken() documentation on MSDN: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet, where you can find the different exceptions the method throws:

  • SecurityTokenDecryptionFailedException: token was a JWE that was not able to be decrypted.
  • SecurityTokenEncryptionKeyNotFoundException: token 'kid' header claim is not null AND decryption fails.
  • SecurityTokenException: token 'enc' header claim is null or empty.
  • SecurityTokenExpiredException: token 'exp' claim is < DateTime.UtcNow.
  • SecurityTokenInvalidAudienceException: token 'aud' claim did not match either ValidAudience or one of ValidAudiences.
  • SecurityTokenInvalidLifetimeException: token 'nbf' claim is > 'exp' claim.
  • SecurityTokenInvalidSignatureException: token.signature is not properly formatted.
  • SecurityTokenNoExpirationException: TokenReplayCache is not null and expirationTime.HasValue is false. When a TokenReplayCache is set, tokens require an expiration time.
  • SecurityTokenNotYetValidException: token 'nbf' claim is > DateTime.UtcNow.
  • SecurityTokenReplayAddFailedException: token could not be added to the TokenReplayCache.
  • SecurityTokenReplayDetectedException: token is found in the cache.
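As an added illustration (not part of the answer above or of the linked article), here is a minimal ASP.NET Core API that wires up .AddJwtBearer() the way the article describes: the signing keys come from the Authority's discovery metadata, while issuer and audience are pinned explicitly, and the ValidateToken() exception types listed above are mapped to a log line so rejected tokens are visible to operators. The tenant id, audience and issuer values are placeholders; the code assumes the Web SDK's implicit usings.

```csharp
// Added example, not code from the original answer. Placeholders below are not real values.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
const string tenantId = "<TENANT-ID-PLACEHOLDER>";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority drives discovery: the handler fetches the OpenID metadata and the
        // signing keys from it, so no key or certificate is embedded in the service.
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        options.RequireHttpsMetadata = true; // never fetch keys over plain HTTP

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = $"https://login.microsoftonline.com/{tenantId}/v2.0",
            ValidateAudience = true,
            ValidAudience = "api://<APP-ID-URI-PLACEHOLDER>",
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(1), // library default is 5 minutes
            ValidateIssuerSigningKey = true,
        };

        options.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = ctx =>
            {
                // Map the exception types from the ValidateToken() docs to a short
                // reason code for logs/metrics; the token itself is never echoed.
                string reason = ctx.Exception switch
                {
                    SecurityTokenExpiredException => "expired",
                    SecurityTokenNotYetValidException => "not_yet_valid",
                    SecurityTokenInvalidAudienceException => "bad_audience",
                    SecurityTokenInvalidSignatureException => "bad_signature",
                    SecurityTokenReplayDetectedException => "replay",
                    _ => ctx.Exception.GetType().Name,
                };
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>().CreateLogger("JwtBearer");
                logger.LogWarning("JWT rejected from {Ip}: {Reason}",
                    ctx.HttpContext.Connection.RemoteIpAddress, reason);
                if (ctx.Exception is SecurityTokenExpiredException)
                    ctx.Response.Headers.Append("Token-Expired", "true");
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (HttpContext http) => http.User.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();
```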