This problem happens only when using the temporary password (password sent in PasswordReset mail).
E:OpenID as consumer: ChangePassword page is shown twice when attaching an OpenID to an existing account using the _temporary_ password.
The data filled in the first ChangePassword page is totally ignored (for example, the new password values are not checked for equality).
The second ChangePassword is treated correctly and action ends successfully when entering the temporary password and 2x the new password, as it should be.
Look for function attachUser() in SpecialOpenIDLogin.body.php .
Can someone spot what's wrong there?
You also need the patch of core SpecialChangePassword https://gerrit.wikimedia.org/r/#/c/96651/ , otherwise SpecialChangePassword does not know that you were using the Temporary password, and want that dialog (text: 'Temporary password' instead of text 'Old password' on the Change Password page).
I found (and fixed locally in my test installations) this bug.
Adding an additional check of the pre-login CSRF token (which is injected in SpecialOpenIDLogin/ChooseName) in SpecialChangePassword::execute().
So my patch changes that SpecialChangePassword (now) requires either the valid $wgUser( editToken) _or_ a valid preLogin-Token.
(Chris: you were correct! I could not find back the tip you've sent me, otherwise I would have added a pointer here.)
A formal patch will follow.