We had the same issue with mediawiki.org oauth logins, thus blocked wiki users could still log in to phabricator. In fact they could even create new phab accounts while blocked on wiki.
Presumably the same problem exists for wikitech logins and we should probably address this, I'm just not sure WHERE it would be best to implement a block. Most likely in the ldap server or?
Related to Incident: 20170617-Phabricator-spam