
CVE-2020-26877: ApiFest :: Documentation

ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. Specifically, it directly sends an authorization code to the redirect URI submitted with the authorization request, without checking whether the redirect URI is registered by the client who initiated the request. This allows an attacker to craft a request with a manipulated redirect URI (redirect_uri parameter), which is under the attacker’s control, and consequently obtain the leaked authorization code when the server redirects the client to the manipulated redirect URI with an authorization code. NOTE: this is similar to CVE-2019-3778.
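To make the flaw concrete, here is an added example (not ApiFest code, written in Python rather than the project's Java) contrasting the behaviour described above with a redirect_uri check that follows RFC 6749. The client registry, client ids and URIs are constructed sample data.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample registry: client_id -> registered redirect URIs (exact strings).
REGISTERED_CLIENTS = {
    "client-abc": ["https://app.example.com/callback", "https://app.example.com/alt"],
    "client-single": ["https://single.example.com/cb"],
}


def resolve_redirect_uri(client_id, requested_uri):
    """Return the redirect URI to use, or None if the request must be rejected.

    RFC 6749 section 3.1.2.3: compare the requested value against the registered
    ones using simple string comparison and never accept an unregistered URI.
    Omitting redirect_uri is allowed only when exactly one full URI is registered.
    """
    registered = REGISTERED_CLIENTS.get(client_id, [])
    if not registered:
        return None
    if requested_uri is None:
        return registered[0] if len(registered) == 1 else None
    if urlsplit(requested_uri).fragment:
        return None  # section 3.1.2: the endpoint URI MUST NOT contain a fragment
    return requested_uri if requested_uri in registered else None


def authorize_vulnerable(client_id, requested_uri, code):
    """Behaviour the advisory describes: the code goes wherever the request points."""
    return {"action": "redirect",
            "location": f"{requested_uri}?{urlencode({'code': code})}"}


def authorize_fixed(client_id, requested_uri, code):
    """Hardened flow: issue the code only to a URI registered for this client.

    On a mismatch the server must show an error to the resource owner and
    MUST NOT redirect (section 4.1.2.1); redirecting the error would still
    hand state or the code to the unregistered location.
    """
    target = resolve_redirect_uri(client_id, requested_uri)
    if target is None:
        return {"action": "error", "status": 400, "error": "invalid_request"}
    return {"action": "redirect", "location": f"{target}?{urlencode({'code': code})}"}
```

A complete fix also has the token endpoint reject a code exchange whose redirect_uri differs from the one used in the authorization request (RFC 6749 section 4.1.3).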


ApiFest is an open-source, Apache 2 licensed, pure Java solution for managing and securing your API. ApiFest is designed for easy customization, easy usage and easy integration.
The ApiFest architecture allows unlimited horizontal scalability. See more about the architecture here. ApiFest uses a pluggable datastore, so you can swap in the datastore of your choice.

Mission Statement

The idea behind ApiFest is to aid developers in their daily work related to API changes, API publishing and API security. ApiFest does not require a special IDE - developers can use their favorite one. Also, ApiFest does not require any product-specific knowledge - there is no steep learning curve to start using it; it is a simple Java program - you check out the code, compile it and start it.

Features

ApiFest features can be divided into two main groups - API security and API management.

API Security

  • OAuth 2.0 support
  • Dynamically configured OAuth 2.0 scopes
  • Configurable expiration period of OAuth 2.0 access tokens per OAuth20 scope and client application
  • Revocation of access tokens
  • Custom grant_type
  • Custom event handlers

API management

  • API model (XML format) can be generated from Javadoc
  • Native support for multiple API versions and backend hosts
  • Customizable error responses
  • Request transformations are implemented as simple Java classes
  • Online API model and transformation updates
  • Custom event handlers

ApiFest consists of two main parts - the ApiFest OAuth 2.0 Server and the ApiFest Mapping Server.

ApiFest OAuth 2.0 Server

The ApiFest OAuth 2.0 Server implements the server side of OAuth 2.0 as specified in http://tools.ietf.org/html/rfc6749. It enables the use of access tokens in the ApiFest Mapping Server.

Features

  • register new client app
  • generate access token using auth code
  • generate access token using username and password - grant_type=password
  • generate access token using client credentials - grant_type=client_credentials
  • generate access token using refresh token - grant_type=refresh_token
  • revoke access token
  • validate access token
  • pluggable storage (currently supports MongoDB, Redis, Cassandra and Hazelcast)
  • unlimited horizontal scalability

ApiFest Mapping Server

The ApiFest Mapping Server is for people who have APIs and want to expose them to the world in a safe and convenient way. The ApiFest Mapping Server is used to translate between the outside world and your internal systems. It helps you keep a consistent API facade.

Features

  • mappings are described in XML
  • can validate and authorize requests using the ApiFest OAuth 2.0 Server
  • out-of-the-box flexible mapping options - support for multiple versions, and different hosts to which API requests can be directed
  • easy to extend and customize
  • customizable error messages and responses
  • “online” change of all configurations
  • unlimited horizontal scalability
