/
FreePBX Open Source - Compromised tokens or credentials

FreePBX Open Source - Compromised tokens or credentials

The benefit of Oauth2 is it allows granular access to the API. Tokens are temporary and a compromised token typically expires to limit any extended abuse. A compromised application secret is a bit more serious and allows people the ability to create new tokens and act as the application.

Tokens

Via the UI browse to "Connectivity > API", Click on the "Access Tokens" tab and next to the compromised token click the trash can.  If there is a refresh token do the same in the "Refresh tokens" tab.

image2019-1-7_11-32-26.png

Application

Via the UI browse to "Connectivity > API", The default landing is the Applications tab. Click on the eye in the actions field of your app. You will get a popup with all the access information less the Client Secret. Click on "Regenerate Credentials".  You will be given a new client id and secret. Copy the secret down in a safe place, it is only shown on generation.

image2019-1-7_11-37-2.png