diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 4ae03b96..cb501c82 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -2549,6 +2549,15 @@ pub struct IdentityProvider {
 	/// example: "/etc/tuwunel/.client_secret"
 	pub client_secret_file: Option<PathBuf>,
 
+	/// Issuer URL the provider publishes for you. We have pre-supplied default
+	/// values for some of the canonical public providers, making this field
+	/// optional based on the `brand` set above. Otherwise it is required to
+	/// find self-hosted providers. It must be identical to what is configured
+	/// and expected by the provider and must never change because we associate
+	/// identities to it. If the `/.well-known/openid-configuration` is not
+	/// found behind this URL see `base_path` below as a workaround.
+	pub issuer_url: Option<Url>,
+
 	/// The callback URL configured when registering the OAuth application with
 	/// the provider. Tuwunel's callback URL must be strictly formatted exactly
 	/// as instructed. The URL host must point directly at the matrix server and
@@ -2592,31 +2601,25 @@ pub struct IdentityProvider {
 	#[serde(default)]
 	pub scope: BTreeSet<String>,
 
-	/// List of userinfo claims which shape and restrict the way we compute a
-	/// Matrix UserId for new registrations. Reviewing Tuwunel's documentation
-	/// will be necessary for a complete description in detail. An empty array
-	/// imposes no restriction here, avoiding generated fallbacks as much as
-	/// possible. For simplicity we reserve a claim called "unique" which can be
-	/// listed alone to ensure *only* generated ID's are used for registrations.
+	/// Optional list of userinfo claims which shape and restrict the way we
+	/// compute a Matrix UserId for new registrations. Reviewing Tuwunel's
+	/// documentation will be necessary for a complete description in detail. An
+	/// empty array imposes no restriction here, avoiding generated fallbacks as
+	/// much as possible. For simplicity we reserve a claim called "unique"
+	/// which can be listed alone to ensure *only* generated ID's are used for
+	/// registrations.
 	///
 	/// default: []
 	#[serde(default)]
 	pub userid_claims: BTreeSet<String>,
 
-	/// Issuer URL the provider publishes for you. We have pre-supplied default
-	/// values for some of the canonical providers, making this field optional
-	/// based on the `brand` set above. Otherwise it is required for OIDC
-	/// discovery to acquire additional provider configuration, and it must be
-	/// correct to pass validations during various interactions.
-	pub issuer_url: Option<Url>,
-
-	/// Extra path components after the issuer_url leading to the location of
-	/// the `.well-known` directory used for discovery. This will be empty for
-	/// specification-compliant providers. We have supplied any known values
-	/// based on `brand` (e.g. `/login/oauth` for GitHub).
+	/// Optional extra path components after the issuer_url leading to the
+	/// location of the `.well-known` directory used for discovery. This will be
+	/// empty for specification-compliant providers. We have supplied any known
+	/// values based on `brand` (e.g. `/login/oauth` for GitHub).
 	pub base_path: Option<String>,
 
-	/// Overrides the `.well-known` location where the provider's OIDC
+	/// Overrides the `.well-known` location where the provider's openid
 	/// configuration is found. It is very unlikely you will need to set this;
 	/// available for developers or special purposes only.
 	pub discovery_url: Option<Url>,
diff --git a/src/service/oauth/sessions.rs b/src/service/oauth/sessions.rs
index 56e382a4..947b4879 100644
--- a/src/service/oauth/sessions.rs
+++ b/src/service/oauth/sessions.rs
@@ -170,7 +170,7 @@ pub async fn put(&self, sess_id: &str, session: &Session) {
 	}
 }
 
-/// Fetch database state for a session from its associated `sub`, in case
+/// Fetch database state for a session from its associated `(iss,sub)`, in case
 /// `sess_id` is not known.
 #[implement(Sessions)]
 #[tracing::instrument(level = "debug", skip(self), ret(level = "debug"))]
@@ -213,7 +213,7 @@ pub async fn get_sess_id_by_user(&self, user_id: &UserId) -> Result<String> {
 		.deserialized()
 }
 
-/// Resolve the `sess_id` from an associated provider subject id.
+/// Resolve the `sess_id` from an associated provider issuer and subject hash.
 #[implement(Sessions)]
 #[tracing::instrument(level = "debug", skip(self), ret(level = "debug"))]
 pub async fn get_sess_id_by_unique_id(&self, unique_id: &str) -> Result<String> {
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
index b76a050f..84572bc6 100644
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -2168,6 +2168,16 @@
 #
 #client_secret_file =
 
+# Issuer URL the provider publishes for you. We have pre-supplied default
+# values for some of the canonical public providers, making this field
+# optional based on the `brand` set above. Otherwise it is required to
+# find self-hosted providers. It must be identical to what is configured
+# and expected by the provider and must never change because we associate
+# identities to it. If the `/.well-known/openid-configuration` is not
+# found behind this URL see `base_path` below as a workaround.
+#
+#issuer_url =
+
 # The callback URL configured when registering the OAuth application with
 # the provider. Tuwunel's callback URL must be strictly formatted exactly
 # as instructed. The URL host must point directly at the matrix server and
@@ -2212,31 +2222,24 @@
 #
 #scope = []
 
-# List of userinfo claims which shape and restrict the way we compute a
-# Matrix UserId for new registrations. Reviewing Tuwunel's documentation
-# will be necessary for a complete description in detail. An empty array
-# imposes no restriction here, avoiding generated fallbacks as much as
-# possible. For simplicity we reserve a claim called "unique" which can be
-# listed alone to ensure *only* generated ID's are used for registrations.
+# Optional list of userinfo claims which shape and restrict the way we
+# compute a Matrix UserId for new registrations. Reviewing Tuwunel's
+# documentation will be necessary for a complete description in detail. An
+# empty array imposes no restriction here, avoiding generated fallbacks as
+# much as possible. For simplicity we reserve a claim called "unique"
+# which can be listed alone to ensure *only* generated ID's are used for
+# registrations.
 #
 #userid_claims = []
 
-# Issuer URL the provider publishes for you. We have pre-supplied default
-# values for some of the canonical providers, making this field optional
-# based on the `brand` set above. Otherwise it is required for OIDC
-# discovery to acquire additional provider configuration, and it must be
-# correct to pass validations during various interactions.
-#
-#issuer_url =
-
-# Extra path components after the issuer_url leading to the location of
-# the `.well-known` directory used for discovery. This will be empty for
-# specification-compliant providers. We have supplied any known values
-# based on `brand` (e.g. `/login/oauth` for GitHub).
+# Optional extra path components after the issuer_url leading to the
+# location of the `.well-known` directory used for discovery. This will be
+# empty for specification-compliant providers. We have supplied any known
+# values based on `brand` (e.g. `/login/oauth` for GitHub).
 #
 #base_path =
 
-# Overrides the `.well-known` location where the provider's OIDC
+# Overrides the `.well-known` location where the provider's openid
 # configuration is found. It is very unlikely you will need to set this;
 # available for developers or special purposes only.
 #