Case insensitive OAuth ID vulnerability

High
infomiho published GHSA-qvjc-6xv7-6v5f Jun 9, 2025

Package

wasp (wasp)

Affected versions

< 0.16.5

Patched versions

0.16.6

Description

Impact

Wasp authentication has a vulnerability in its OAuth authentication implementation (affecting only Keycloak with a specific configuration). Wasp currently lowercases OAuth user IDs before storing them and before looking them up. This behavior violates the OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation.

In practice, out of the OAuth providers that Wasp auth supports:

  • Google uses a numerical ID (not affected)
  • GitHub uses a numerical ID (not affected)
  • Discord uses a numerical ID (not affected)
  • Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive (affected)

Users with IDs abc and ABC would be treated as the same person, even though the OAuth and OpenID Connect specifications regard them as distinct identifiers.
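As an added illustration (this is not code from the Wasp project), the following JavaScript models a provider-identity lookup with the lowercasing behaviour described above beside a case-preserving lookup, and includes a small audit helper that flags provider user IDs which would collide under case-insensitive matching. The store class, the function names and the sample IDs are constructed for this example.

```javascript
// Added example, not Wasp's code: contrasts a case-insensitive and a
// case-sensitive lookup of OAuth provider user IDs. The in-memory store,
// the normalisation functions and the sample IDs are constructed here.

// Minimal "provider identity" table keyed by `${providerName}:${providerUserId}`.
class IdentityStore {
  constructor(normalizeId) {
    this.normalizeId = normalizeId; // how an ID is canonicalised before use
    this.identities = new Map();    // key -> local user id
    this.nextUserId = 1;
  }

  key(providerName, providerUserId) {
    return `${providerName}:${this.normalizeId(providerUserId)}`;
  }

  // Sign-in flow: return the local user already linked to this provider
  // identity, or create a new local user the first time it is seen.
  findOrCreateUser(providerName, providerUserId) {
    const k = this.key(providerName, providerUserId);
    if (!this.identities.has(k)) {
      this.identities.set(k, this.nextUserId++);
    }
    return this.identities.get(k);
  }
}

// Behaviour described in the advisory (Wasp < 0.16.6): the provider user ID
// is lowercased, so IDs that differ only in case land on the same account.
const lowercasing = (id) => id.toLowerCase();

// Case-preserving behaviour: the ID is used exactly as the provider issued
// it (OpenID Connect defines the "sub" claim as a case-sensitive string).
const exact = (id) => id;

// Two sign-ins with IDs "abc" and "ABC" (constructed) against a fresh store.
function simulateSignIns(normalizeId) {
  const store = new IdentityStore(normalizeId);
  const first = store.findOrCreateUser("keycloak", "abc");
  const second = store.findOrCreateUser("keycloak", "ABC");
  return { first, second, collided: first === second };
}

// Defender-side audit (hypothetical helper): given rows of
// { providerName, providerUserId }, e.g. exported from a realm, return the
// groups of IDs that would be merged by a case-insensitive lookup.
function findCaseCollisions(rows) {
  const groups = new Map();
  for (const { providerName, providerUserId } of rows) {
    const k = `${providerName}:${providerUserId.toLowerCase()}`;
    if (!groups.has(k)) groups.set(k, new Set());
    groups.get(k).add(providerUserId);
  }
  return [...groups.values()]
    .filter((ids) => ids.size > 1)
    .map((ids) => [...ids].sort());
}

console.log(simulateSignIns(lowercasing)); // { first: 1, second: 1, collided: true }
console.log(simulateSignIns(exact));       // { first: 1, second: 2, collided: false }
```

Running `findCaseCollisions` over an export of the realm's user IDs tells an operator whether any accounts actually share a lowercased form, which is the condition under which the collision in the advisory can be reached.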

Patches

Users should update their Wasp version to 0.16.6, which contains a fix for the problematic behavior.

Workarounds

Users of Keycloak can work around the issue by not using case-sensitive user IDs in their realm configuration.

References

Here's a more detailed write up: https://wasp-lang.notion.site/PUB-Case-insensitive-OAuth-ID-vulnerability-20018a74854c8064a2bfebe4eaf5fceb

Severity

High

CVE ID

CVE-2025-49006

Weaknesses

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Credits