The spec notes:
The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
- Does this mean that the issuer only needs to be validated if the auth was established via Discovery?
- Is it requirement to validate
issfor client specific connections (we’re a web app that pre-registers our providers, can securely store