OIDC: When is it a requirement to validate the iss?

The spec notes:

The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.

  • Does this mean that the issuer only needs to be validated if the auth was established via Discovery?
  • Is it a requirement to validate iss for client-specific connections (we’re a web app that pre-registers our providers and can securely store client_id/client_secret)?


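The exact-match check described by the spec sentence quoted in the question, as an added example that is not part of the original post. The issuer, client_id and client_secret values are constructed placeholders. The validator takes the expected Issuer Identifier as a parameter, so the same comparison applies whether that string came from Discovery or from a pre-registered provider configuration; the comparison is a plain string equality with no trailing-slash, scheme or case normalisation. The token is HS256-signed with the client_secret (which OIDC Core section 10.1 permits) only so the example runs offline with no real provider; a production validator would verify the provider's RS256/ES256 signature against its JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values; provider, client and secret are hypothetical.
ISSUER = "https://idp.example.com"          # pre-registered Issuer Identifier
CLIENT_ID = "web-app-123"
CLIENT_SECRET = b"example-client-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256 ID Token keyed with the client_secret (OIDC Core 10.1).
    Used here only to construct test input; a real OP signs with its own key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class IDTokenError(ValueError):
    """Raised for any validation failure; the RP must reject the token."""


def validate_id_token(token: str, expected_issuer: str, client_id: str,
                      secret: bytes = CLIENT_SECRET, now: Optional[int] = None,
                      expected_nonce: Optional[str] = None) -> dict:
    """Verify the signature, then the ID Token claims of OIDC Core 3.1.3.7.
    The iss check is byte-for-byte equality with expected_issuer, wherever
    that value was obtained (Discovery or static registration)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise IDTokenError("malformed JWT")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust alg=none
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise IDTokenError("bad signature")

    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:    # exact match, no normalisation
        raise IDTokenError(f"iss mismatch: got {claims.get('iss')!r}, expected {expected_issuer!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise IDTokenError("aud does not contain client_id")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("multiple audiences but azp is not this client")
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise IDTokenError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch")
    return claims


def issuer_variants_accepted(now: int = 1_700_000_000) -> dict:
    """Mint otherwise-valid tokens with several iss spellings and report which
    the validator accepts; only the exact registered string should pass."""
    variants = [
        ISSUER,                                  # exact match
        ISSUER + "/",                            # trailing slash
        "http://idp.example.com",                # scheme downgrade
        "https://IDP.example.com",               # case difference
        "https://idp.example.com.attacker.net",  # prefix look-alike
    ]
    results = {}
    for iss in variants:
        claims = {"iss": iss, "sub": "alice", "aud": CLIENT_ID,
                  "iat": now, "exp": now + 300, "nonce": "n-1"}
        try:
            validate_id_token(mint_id_token(claims), ISSUER, CLIENT_ID,
                              now=now, expected_nonce="n-1")
            results[iss] = True
        except IDTokenError:
            results[iss] = False
    return results


if __name__ == "__main__":
    for iss, ok in issuer_variants_accepted().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {iss}")
```

The point the variants make is that "validating iss" is cheap and mechanical once the expected value is known: the RP compares one string it already holds, and anything that is not identical, including a provider-side change of hostname or a look-alike issuer from a different OP signing with a key the RP also trusts, is rejected before any claim in the token is used.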