MediaWiki should be setting an issuer claim on the access token JWT it emits - this is generally useful, conforms the protocol and is generally good. Unfortunately, the `oauth2-server` library we are using does not support it.
Plan:
[x] Open a proposal upstream to support issuer claim https://github.com/thephpleague/oauth2-server/issues/1137
[x] Implement issuer claim in our fork of the oauth library. https://github.com/wikimedia/oauth2-server/pull/1
[x] Open a PR upstream with the same changes. It seems like the required changes are going to be minimal https://github.com/thephpleague/oauth2-server/pull/1138
[] Vendor new version of the forked library https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/623430
[] Use it in OAuth extension to emit issuer claim https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/623434