ID token signed by a public key?

Okta doc states ID token is signed by a public key.

ID token signature
This is the digital signature that Okta signs using the public key identified by the kid property in the Header section.

This is not secure since others may have the public key, modify the JWT and re-sign it. I hope this is a typo and Okta is in fact signing JWTs with a private key.

Hi @beyondbill

The paragraph is explaining only the structure of the ID token and how the signature is generated. The signature is generated internally by Okta and linked to the public key / modulus and exponent by kid.

@dragos So the signature is generated by Okta using a private key but kid is linked to the public key, right?

Hi @beyondbill

Yes, and the modulus (n) and exponent (e) available on /keys endpoint are used to calculate the public key to verify the signature locally.

@dragos Awesome! Thanks a lot! I still think the paragraph I quoted is quite misleading. Hope it can be revised to something more accurate.