diff --git a/hosts/vm/mediakiwi/WSOAuth.patch b/hosts/vm/mediakiwi/WSOAuth.patch
new file mode 100644
index 0000000..5da4498
--- /dev/null
+++ b/hosts/vm/mediakiwi/WSOAuth.patch
@@ -0,0 +1,38 @@
+diff --git a/src/WSOAuth.php b/src/WSOAuth.php
+index 3a94c87..e077b9e 100644
+--- a/src/WSOAuth.php
++++ b/src/WSOAuth.php
+@@ -308,11 +308,12 @@ class WSOAuth extends PluggableAuth {
+ 		// Set $realname and $email to the values returned from the authentication provider, if they are available
+ 		$realname = $remoteUserInfo['realname'] ?? null;
+ 		$email = $remoteUserInfo['email'] ?? null;
++		$username = ucfirst( $remoteUserInfo['name'] );
+ 
+-		$remoteUsername = ucfirst( $remoteUserInfo['name'] );
+-		$localUserId = $this->getLocalAccountID( $remoteUsername );
++		$remoteUserId = $remoteUserInfo['remoteUserId'] ?? $username;
++		$localUserId = $this->getLocalAccountID( $remoteUserId );
+ 
+-		$this->session->set( self::WSOAUTH_REMOTE_USERNAME_SESSION_KEY, $remoteUsername );
++		$this->session->set( self::WSOAUTH_REMOTE_USERNAME_SESSION_KEY, $remoteUserId );
+ 		$this->session->save();
+ 
+ 		if ( $localUserId !== 0 ) {
+@@ -326,7 +327,7 @@ class WSOAuth extends PluggableAuth {
+ 			$currentUser = RequestContext::getMain()->getUser();
+ 			$currentUserId = $currentUser->getId();
+ 
+-			$this->createMapping( $currentUserId, $remoteUsername );
++			$this->createMapping( $currentUserId, $remoteUserId );
+ 
+ 			// Log the account in like normal
+ 			$username = $currentUser->getName();
+@@ -339,7 +340,7 @@ class WSOAuth extends PluggableAuth {
+ 				throw new ContinuationException( wfMessage( "wsoauth-remote-only-accounts-disabled" )->parse() );
+ 			}
+ 
+-			$desiredLocalUsername = $this->useRealNameAsUsername && $realname !== null ? $realname : $remoteUsername;
++			$desiredLocalUsername = $this->useRealNameAsUsername && $realname !== null ? $realname : $username;
+ 			$userId = User::newFromName( $desiredLocalUsername )->idForName();
+ 
+ 			if ( $userId > 0 && $this->migrateUsersByUsername ) {
diff --git a/hosts/vm/mediakiwi/mediawiki.nix b/hosts/vm/mediakiwi/mediawiki.nix
index 1c6b622..f908495 100644
--- a/hosts/vm/mediakiwi/mediawiki.nix
+++ b/hosts/vm/mediakiwi/mediawiki.nix
@@ -292,15 +292,17 @@ in
         # Pas de meilleure solution à ma connaissance pour suivre les releases.
         sha256 = "sha256-oi5rliHb4KnLbvQxO7MGuLp/FEucoGR/Z0NP1gmbgMc=";
       };
-      WSOAuth = pkgs.fetctFromGitlab {
-        domain = "gitlab.crans.org";
-        name = "WSOAuth";
-        owner = "pyjacpp";
-        repo = "wsoauth";
-        rev = "master";
-        # Le SHA doit être changé à chaque nouveau commit de traduction.
-        # Pas de meilleure solution à ma connaissance pour suivre les releases.
-        sha256 = "sha256-8jrRuHcJZc+YNnfyYkNLwF4PEIiHfd27YnTVAZcxgoc=";
+      WSOAuth = pkgs.applyPatches {
+        src = pkgs.fetchFromGitHub {
+          name = "WSOAuth";
+          owner = "wikimedia";
+          repo = "mediawiki-extensions-WSOAuth";
+          rev = "REL" + major + "_" + minor;
+          # Le SHA doit être changé à chaque nouveau commit de traduction.
+          # Pas de meilleure solution à ma connaissance pour suivre les releases.
+          sha256 = "sha256-G2C/KuSgfWWftpHHhOABwFcOEb1zB8qmHi9KgrC6Jrc=";
+        };
+        patches = [ "${./WSOAuth.patch}" ];
       };
       WSONoteKfetAuth = "${./WSONoteKfetAuth}";
     };