diff --git a/pkg/idp/third_party.go b/pkg/idp/third_party.go
index e8828d4868..cf53db1baa 100644
--- a/pkg/idp/third_party.go
+++ b/pkg/idp/third_party.go
@@ -55,14 +55,14 @@ type Configuration struct {
// AuthURL is the authorize url, typically something like: https://example.org/oauth2/auth
// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
// `provider` is set to `generic`.
- // validate that this field is required only when Provider field == "generic"
- AuthURL string `json:"auth_url" yaml:"auth_url" validate:"required_if=Provider generic"`
+ // validate that this field is required only when Provider field == "generic" and IssuerURL is empty
+ AuthURL string `json:"auth_url" yaml:"auth_url"`
// TokenURL is the token url, typically something like: https://example.org/oauth2/token
// Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
// `provider` is set to `generic`.
- // validate that this field is required only when Provider field == "generic"
- TokenURL string `json:"token_url" yaml:"token_url" validate:"required_if=Provider generic"`
+ // validate that this field is required only when Provider field == "generic" and IssuerURL is empty
+ TokenURL string `json:"token_url" yaml:"token_url"`
// Tenant is the Azure AD Tenant to use for authentication, and must be set when `provider` is set to `microsoft`.
// Can be either `common`, `organizations`, `consumers` for a multitenant application or a specific tenant like 
@@ -103,7 +103,7 @@ type Configuration struct {
// profile information) to hydrate the identity's data.
//
// It can be either a URL (file://, http(s)://, base64://) or an inline JSONNet code snippet.
- Mapper string `json:"mapper_url" yaml:"mapper_url" validate:"required"`
+ Mapper string `json:"mapper_url" yaml:"mapper_url"`
// RequestedClaims string encoded json object that specifies claims and optionally their properties which should be
// included in the id_token or returned from the UserInfo Endpoint.
diff --git a/pkg/idp/validation.go b/pkg/idp/validation.go
index 46a548c277..f1b2b616b5 100644
--- a/pkg/idp/validation.go
+++ b/pkg/idp/validation.go
@@ -23,9 +23,24 @@ type PayloadValidator struct {
logger logging.LoggerInterface
}
+func genericIssuerOAuth2URLsValidation(sl validator.StructLevel) {
+ configuration := sl.Current().Interface().(Configuration)
+
+ if configuration.Provider != "generic" {
+ return
+ }
+
+ // Kratos will try OIDC discovery, so if IssuerURL is not empty, AuthURL and TokenURL could be empty
+ // if IssuerURL is empty, then we need both AuthURL and TokenURL
+ if configuration.IssuerURL == "" && (configuration.AuthURL == "" || configuration.TokenURL == "") {
+ sl.ReportError(configuration.IssuerURL, "issuer_url", "IssuerURL", "issuer_urls", "")
+ }
+}
+
func (p *PayloadValidator) setupValidator() {
// validate Provider to be one of the supported ones
p.validator.RegisterAlias("supported_provider", fmt.Sprintf("oneof=%s", SUPPORTED_PROVIDERS))
+ p.validator.RegisterStructValidation(genericIssuerOAuth2URLsValidation, Configuration{})
}
func (p *PayloadValidator) NeedsValidation(r *http.Request) bool {
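Review bot: genericIssuerOAuth2URLsValidation reports every failure against `issuer_url`, so a generic provider that deliberately leaves `issuer_url` empty and only forgot `token_url` gets an error naming a field that is not the problem, and `issuer_urls` is not a registered rule, so the default message will likely only say that the `issuer_urls` tag failed without saying what was expected. Reporting on the field that is actually missing, under a tag that names the rule, keeps the error actionable; the rewrite below does that and keeps the early return for non-generic providers. Separately, this struct-level check is now the only gate for the generic provider's endpoints, and the same commit drops the `validate:"required"` tag on `Mapper` without anything in this function replacing it — unless a default mapper is applied elsewhere (not visible in this diff), an empty `mapper_url` now passes validation, which deserves either an explicit check here or a comment in `setupValidator` stating why it became optional.
```go
func genericIssuerOAuth2URLsValidation(sl validator.StructLevel) {
	configuration := sl.Current().Interface().(Configuration)

	// With an issuer URL Kratos can use OIDC discovery; without one the generic
	// provider needs both endpoints, so report the one that is actually missing.
	if configuration.Provider != "generic" || configuration.IssuerURL != "" {
		return
	}
	if configuration.AuthURL == "" {
		sl.ReportError(configuration.AuthURL, "auth_url", "AuthURL", "required_without_issuer_url", "")
	}
	if configuration.TokenURL == "" {
		sl.ReportError(configuration.TokenURL, "token_url", "TokenURL", "required_without_issuer_url", "")
	}
}
```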