Clarify OAuth issuer checking behavior

api/src/main/java/io/strimzi/api/kafka/model/kafka/listener/KafkaListenerAuthenticationOAuth.java

@@ -124,7 +124,8 @@ public void setValidIssuerUri(String validIssuerUri) {
     }
 
     @Description("Enable or disable issuer checking. By default issuer is checked using the value configured by `validIssuerUri`. " +
-            "Default value is `true`.")
+            "If `validIssuerUri` is configured, issuer checking is performed even when this property is set to `false`. " +
+            "To disable issuer checking, set this property to `false` and leave `validIssuerUri` unset. Default value is `true`.")
     @JsonInclude(JsonInclude.Include.NON_DEFAULT)
     public boolean isCheckIssuer() {
         return checkIssuer;

documentation/modules/oauth/con-oauth-server-config.adoc

@@ -49,6 +49,9 @@ To enable OAuth 2.0 token-based authentication on a Kafka listener, configure th
 
 All OAuth 2.0 validation settings (such as JWKS or token introspection) are provided through the JAAS configuration string inside the listener configuration.
 
+If you disable issuer checking by setting `oauth.check.issuer="false"`, do not configure `oauth.valid.issuer.uri`.
+When `oauth.valid.issuer.uri` is configured, the issuer is checked against that value.
+
 === JWT validation example
 
 The following example shows a minimal listener configuration that validates JSON Web Tokens (JWTs) using a JWKS endpoint.
@@ -149,4 +152,4 @@ To configure HTTP Bearer authentication, set one of the following properties:
 * `oauth.server.bearer.token` to specify the bearer token in clear text.
 
 NOTE: In production environments, avoid storing credentials or bearer tokens in clear text. 
-Use a secure mechanism to provide these values to the broker.
+Use a secure mechanism to provide these values to the broker.