Keycloak · Keycloak · CVE-2025-49006
**Name of the Vulnerable Software and Affected Versions**
Wasp versions prior to 0.16.6
**Description**
The issue lies in Wasp's OAuth authentication implementation and affects Keycloak under a particular configuration. Wasp lowercases OAuth user IDs before storing or looking them up, which violates the OAuth and OpenID Connect specifications (the subject identifier is an opaque, case-sensitive string). As a result, two distinct provider identities that differ only in letter case resolve to the same Wasp account, which can lead to user impersonation, account collisions, and privilege escalation. Keycloak is affected when configured with case-sensitive user IDs; Google, GitHub, and Discord are not affected because they use numerical IDs.
**Recommendations**
For versions prior to 0.16.6, update to version 0.16.6 to resolve the issue.
For users of Keycloak, as a temporary workaround, consider not using a case-sensitive user ID in the realm configuration to minimize the risk of exploitation.
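The following is an added example, not Wasp's or Keycloak's own code, showing the bug class described above: a minimal find-or-create user lookup with the vulnerable (case-folding) normalisation beside the corrected one, plus a small audit a defender can run over a realm's exported user IDs to find identities that would collide once lowercased. The in-memory store and the sample subjects are constructed for the illustration.

```javascript
// Added illustration (not Wasp's or Keycloak's own code) of the CVE-2025-49006 bug
// class. The user store is a constructed in-memory stand-in for Wasp's database.

// Vulnerable normalisation described by the advisory: case-folds the ID.
function normalizeVulnerable(providerUserId) {
  return providerUserId.toLowerCase();
}

// Fixed normalisation: the provider user ID (OIDC "sub") is an opaque,
// case-sensitive string and must be stored and compared byte-for-byte.
function normalizeFixed(providerUserId) {
  return providerUserId;
}

// Minimal "find or create the local user for this provider identity" logic,
// parameterised by the normalisation applied to the provider user ID.
function makeUserStore(normalize) {
  const users = new Map(); // "provider:id" -> local user number
  let nextLocalId = 1;
  return {
    login(provider, providerUserId) {
      const key = `${provider}:${normalize(providerUserId)}`;
      if (!users.has(key)) users.set(key, nextLocalId++);
      return users.get(key);
    },
    accountCount() { return users.size; },
  };
}

// Two constructed Keycloak subjects that differ only in letter case.
const SAMPLE_SUBJECTS = ["Alice", "alice"];

// Logs both subjects in and reports whether they were merged into one account.
function simulateLogins(normalize) {
  const store = makeUserStore(normalize);
  const [first, second] = SAMPLE_SUBJECTS.map((s) => store.login("keycloak", s));
  return { accounts: store.accountCount(), merged: first === second };
}

// Defender's audit over provider-side user IDs (e.g. exported from the realm):
// returns the groups of IDs that become identical once case-folded.
function findCaseCollisions(providerUserIds) {
  const groups = new Map();
  for (const id of providerUserIds) {
    const folded = id.toLowerCase();
    if (!groups.has(folded)) groups.set(folded, []);
    groups.get(folded).push(id);
  }
  return [...groups.values()].filter((group) => group.length > 1);
}
```

With the vulnerable normalisation both subjects land on one local account; with the fixed one they stay separate, and any non-empty audit result marks identities that need attention before or after upgrading.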