MediaWiki should set an issuer (iss) claim on the access token JWTs it emits: this is generally useful, conforms to the protocol, and is good practice. Unfortunately, the oauth2-server library we are using does not support it.
Plan:
- Open a proposal upstream to support an issuer claim: https://github.com/thephpleague/oauth2-server/issues/1137
- Implement the issuer claim in our fork of the oauth library: https://github.com/wikimedia/oauth2-server/pull/1
- Open a PR upstream with the same changes; the required changes look minimal: https://github.com/thephpleague/oauth2-server/pull/1138
- Vendor the new version of the forked library: https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/623430
- Use it in the OAuth extension to emit the issuer claim: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/623434
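As an added example (not code from this task, the OAuth extension or the oauth2-server library), here is the resource-server side check that an issuer claim makes possible: a token whose iss is missing or names a different authorization server is rejected before any other claim is trusted. The issuer URL, client id and shared secret are placeholders, and the token is HS256-signed with the standard library so the example runs offline; the library itself signs with RS256, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (not from the task). HS256 with a shared secret
# stands in for the library's RS256 signing so this runs on the stdlib.
SECRET = b"demo-shared-secret"
EXPECTED_ISS = "https://wiki.example.org/w/rest.php/oauth2"
EXPECTED_AUD = "demo-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Authorization-server side: sign a payload as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now: float = None, secret: bytes = SECRET) -> dict:
    """Resource-server side: pin alg, verify signature, then require iss, aud, exp."""
    header, payload, sig = token.split(".")  # ValueError if not three parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    # A token with no issuer cannot be attributed to any authorization server,
    # so it is rejected rather than assumed to be ours.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("missing or unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def is_valid(token: str, now: float = None) -> bool:
    try:
        return bool(validate_token(token, now))
    except ValueError:
        return False
```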