Okta doc states ID token is signed by a public key.
ID token signature
This is the digital signature that Okta signs using the public key identified by the kid property in the Header section.
This is not secure since others may have the public key, modify the JWT and re-sign it. I hope this is a typo and Okta is in fact signing JWTs with a private key.
The paragraph is explaining only the structure of the ID token and how the signature is generated. The signature is generated internally by Okta and linked to the public key / modulus and exponent by kid.