It's a source of problems and pain points...
Can we use the non forked version of league/oauth2-server in release branches, or have we got code inside the OAuth extension that depends on it?
https://doc.wikimedia.org/cover-extensions/OAuth/ is very low, so I wouldn't like to just use "do the tests pass" as the benchmark...
See also: