The OpenID standard has a discovery URL which exposes how to get and revoke tokens, the JWKS URL, etc. The JWKS URL holds the key to encrypt and decrypt the token.
I tried to hide this URL, but then my OIDC middleware does not work, and this creates a login error in my front-end application.
I don't understand why OpenID works this way. Why can't we hide the JWKS? How is this implemented in actual cases? Is the JWKS URL purposely exposed for people to hack the token?
The JWKS URI does not exactly "hold the key to encrypt and decrypt the token". It presents the public key of the public/private key pair that the Provider uses to sign the token that it produces/sends and (possibly) to decrypt any messages that it consumes/receives.
Since this is a public key, there's no point in hiding or protecting the endpoint on which it is served. It does not represent private or sensitive information. Note that the corresponding private key is never shared or published.
FWIW: the other answer and comments seem to conflate encryption and signing...
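The point made in the answer above, as an added example that is not part of the original post or any provider's code: using only Node.js's built-in `crypto`, it shows that a JWKS document carries public RSA parameters only, and that those are enough to verify a signed token but not to produce one. The key id, claims and function names are constructed for illustration.

```javascript
// Added example: constructed key id and claims; Node.js built-in crypto only.
const crypto = require('crypto');
const b64url = (v) => Buffer.from(v).toString('base64url');

// Provider side: the private key stays here and is never published.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KID = 'demo-key-1'; // constructed key id

// What the jwks_uri serves: public RSA parameters (kty, n, e) plus metadata.
function buildJwks() {
  const jwk = publicKey.export({ format: 'jwk' });
  return { keys: [{ ...jwk, kid: KID, use: 'sig', alg: 'RS256' }] };
}

// The Provider signs "header.payload" with its private key (RS256).
function signToken(claims, key = privateKey) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: KID }));
  const payload = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`), key);
  return `${header}.${payload}.${sig.toString('base64url')}`;
}

// Relying party: checks the signature using only what the JWKS publishes.
// Returns the claims, or null if the token does not verify.
// (Validating iss, aud and exp is a separate step and is not shown here.)
function verifyToken(token, jwks) {
  try {
    const [header, payload, sig] = token.split('.');
    const { alg, kid } = JSON.parse(Buffer.from(header, 'base64url').toString());
    if (alg !== 'RS256') return null; // pin the algorithm, do not trust the header
    const jwk = jwks.keys.find((k) => k.kid === kid);
    if (!jwk) return null;
    const pub = crypto.createPublicKey({ key: jwk, format: 'jwk' });
    const ok = crypto.verify('sha256', Buffer.from(`${header}.${payload}`), pub,
      Buffer.from(sig, 'base64url'));
    return ok ? JSON.parse(Buffer.from(payload, 'base64url').toString()) : null;
  } catch {
    return null; // malformed token
  }
}

// A token signed with any key other than the Provider's private key,
// even with a matching kid, fails verification against the published JWKS.
function signWithUnrelatedKey(claims) {
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return signToken(claims, other.privateKey);
}
```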