Hi all,
a minor security bug [1] has been fixed in the OAuth extension:

* a connected application could use the /identify endpoint to learn the
  username of a user even if the application has been disabled.
* a connected application could use the /identify endpoint to learn the
  username of a user

The recent OAuth security fix [1] had a bug [2] which caused some
legitimate OAuth requests to be rejected. The affected versions have been
updated to work properly. Apologies for the disruption.

Gergő
https://www.mediawiki.org/wiki/User:Tgr_(WMF)
[1]