Hi all,
a minor security bug [1] has been fixed in the OAuth extension:
* a connected application could use the /identify endpoint to learn the
  username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the
  username of a user even if the user was locked or blocked from login (this
  could be problematic when OAuth is used for authentication, such as with
  the OAuthAuthentication [2] extension).
The fix has been backported to all supported versions (those for MediaWiki
1.23, 1.26 and 1.27).
Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1] https://phabricator.wikimedia.org/T148600
[2] https://www.mediawiki.org/wiki/Extension:OAuthAuthentication
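
The two conditions described in the announcement above, as an added PHP example that is not the OAuth extension's code: a hypothetical identify() handler that re-checks the application's and the user's status on every request before returning the username. All function, class and field names and the sample data are constructed for illustration.

```php
<?php
// Added illustration: a self-contained model, not the OAuth extension's code.
// Every name below (IdentifyDenied, identify, the array fields) is hypothetical.

final class IdentifyDenied extends RuntimeException {}

/**
 * Decide whether an /identify-style request may learn the username.
 *
 * @param array $grant     ['consumer' => string, 'user' => string], as resolved
 *                         from an access token that is still stored as valid
 * @param array $consumers consumer key => ['disabled' => bool]
 * @param array $users     username => ['locked' => bool, 'blocked' => bool]
 */
function identify(array $grant, array $consumers, array $users): array {
    // Check 1: the connected application must still be enabled right now.
    $consumer = $consumers[$grant['consumer']] ?? null;
    if ($consumer === null || $consumer['disabled']) {
        throw new IdentifyDenied('application unknown or disabled');
    }
    // Check 2: the user must still be allowed to log in right now.
    $user = $users[$grant['user']] ?? null;
    if ($user === null || $user['locked'] || $user['blocked']) {
        throw new IdentifyDenied('user locked or blocked from login');
    }
    return ['username' => $grant['user']];
}

// Constructed sample data: one enabled and one disabled application,
// one normal, one locked and one blocked user.
$consumers = [
    'app-ok'  => ['disabled' => false],
    'app-off' => ['disabled' => true],
];
$users = [
    'Alice' => ['locked' => false, 'blocked' => false],
    'Bob'   => ['locked' => true,  'blocked' => false],
    'Carol' => ['locked' => false, 'blocked' => true],
];
$cases = [['app-ok', 'Alice'], ['app-off', 'Alice'], ['app-ok', 'Bob'], ['app-ok', 'Carol']];

foreach ($cases as [$consumerKey, $username]) {
    try {
        $claims = identify(['consumer' => $consumerKey, 'user' => $username], $consumers, $users);
        echo "$consumerKey / $username: username={$claims['username']}\n";
    } catch (IdentifyDenied $e) {
        echo "$consumerKey / $username: denied ({$e->getMessage()})\n";
    }
}
```

Only the first case returns a username; the other three are refused even though the grant itself is still on record.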