See T110235 for motivation.
On a code level this should be a near-trivial change: whenever sending an OAuth request as a response to a user request (ie. an action performed on the dashboard), if the user request does not have such a header, set X-Forwarded-For: <user ip>, otherwise just append , <user ip> to it. (Once the tool starts to make scheduled actions or other kinds of OAuth requests which are not direct, immediate responses to user action, things get more hairy.)
Probably requires a legal review / modification of the WikiEdu privacy policy.