Okta doc states ID token is signed by a public key.
ID token signature
This is the digital signature that Okta signs using the public key identified by the kid property in the Header section.
This is not secure since others may have the public key, modify the JWT and re-sign it. I hope this is a typo and Okta is in fact signing JWTs with a private key.
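An added example, not part of the original post and not Okta's code: a minimal RS256-style sign and verify showing why the token must be signed with the private exponent, while the key selected by kid only verifies. The toy key, the kid value "example-key-1" and the simplified JWKS dictionary are constructed for illustration.

```python
import base64, hashlib, json

# Constructed toy RSA key (two well-known Mersenne primes): for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the issuer
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input, k):
    # Pad the SHA-256 digest of "header.payload" to k bytes, as RS256 does.
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(header, claims, exponent, n=N):
    # Issuer side: `exponent` must be the private exponent D.
    k = (n.bit_length() + 7) // 8
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    m = int.from_bytes(encoded_message(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(pow(m, exponent, n).to_bytes(k, "big"))

def verify(token, jwks):
    # Relying-party side: only the public (n, e) selected by `kid` is needed.
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64u_dec(head_b64))
    if header.get("alg") != "RS256" or header.get("kid") not in jwks:
        return None
    n, e = jwks[header["kid"]]
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64u_dec(sig_b64), "big")
    expected = encoded_message((head_b64 + "." + claims_b64).encode(), k)
    if sig >= n or pow(sig, e, n).to_bytes(k, "big") != expected:
        return None
    return json.loads(b64u_dec(claims_b64))

HEADER = {"alg": "RS256", "kid": "example-key-1"}  # constructed kid
JWKS = {"example-key-1": (N, E)}                    # what the issuer publishes

if __name__ == "__main__":
    good = sign(HEADER, {"sub": "alice"}, D)
    resigned = sign(HEADER, {"sub": "admin"}, E)    # signer holding only the public key
    print(verify(good, JWKS), verify(resigned, JWKS))
```

The token signed with D verifies and returns its claims; the one produced with only the public exponent is rejected, as is any token whose payload was changed after signing.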