CentralAuth doesn't check if the user name it was given is usable, only if it's valid.
For MediaWiki with SessionManager, this isn't too bad of a problem: MediaWiki\Session\UserInfo::newFromName does throw an exception if given an unusable name, which makes the providers throw rather than failing more gracefully. This is why T130099 was giving a 503 error rather than failing in a more user-friendly manner.
For MediaWiki without SessionManager, though, it's a security issue: It apparently just allows the login, which is why Xqbot only recently started failing as described in T130099, instead of failing as soon as Xqt mistranslated "Redirect fixer" on translatewiki back in 2009.
Since we'll probably want to backport a fix to 1.26 and earlier, I'm going to file this as a security bug.
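
The valid/usable distinction above, as an added self-contained model (not MediaWiki or CentralAuth code, and not the fix from this task). It assumes a reserved-name list in which one entry is resolved through a localisable interface message, as MediaWiki's reserved user names can be; every function name, the `xx` language code and the sample translations are constructed for illustration.

```php
<?php
// Simplified model: all names here are hypothetical, not project APIs.

// Constructed sample data: one literal reserved name, one resolved via a message.
const RESERVED = ['MediaWiki default', 'msg:double-redirect-fixer'];
const MESSAGES = [
    'en' => ['double-redirect-fixer' => 'Redirect fixer'],
    'xx' => ['double-redirect-fixer' => 'Xqbot'], // constructed mistranslation
];

// "Valid": the string is syntactically acceptable as a user name.
function isValidName(string $name): bool {
    return $name !== '' && strlen($name) <= 255
        && !preg_match('/[#<>\[\]|{}\/@:]/', $name);
}

// "Usable": valid AND not reserved for system use on this wiki.
function isUsableName(string $name, string $lang): bool {
    if (!isValidName($name)) {
        return false;
    }
    foreach (RESERVED as $entry) {
        if (strncmp($entry, 'msg:', 4) === 0) {
            // Resolve the message in the wiki's language; null if untranslated.
            $entry = MESSAGES[$lang][substr($entry, 4)] ?? null;
        }
        if ($entry === $name) {
            return false;
        }
    }
    return true;
}

// Session check that rejects an unusable name with an ordinary failure result,
// rather than accepting the login or letting an exception reach the user.
function checkSessionUser(string $name, string $lang): array {
    if (!isUsableName($name, $lang)) {
        return ['ok' => false, 'reason' => 'unusable-username'];
    }
    return ['ok' => true, 'user' => $name];
}

foreach ([['Xqbot', 'en'], ['Xqbot', 'xx'], ['Bad|Name', 'en']] as [$n, $l]) {
    $r = checkSessionUser($n, $l);
    printf("%-9s on %s wiki: %s\n", $n, $l, $r['ok'] ? 'accepted' : $r['reason']);
}
```

The same account name passes on one wiki and is refused on another purely because of the message text, which is why a validity-only check at session time is not sufficient.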