What are the risks of disabling issuer URL validation?
According to the OIDC specification:
The issuer value returned MUST be identical to the Issuer URL that was
used as the prefix to /.well-known/openid-configuration to retrieve
the configuration information. This MUST also be identical to …