Dear CLI and OAuth specialist,
We have the following issue at the moment.
As a user, I log in with the CF CLI to a CF endpoint and do some stuff.
If I then log out, no call to the UAA or API endpoint is made to really invalidate the current token. Sure, I have to log in again to do work with the CLI.
You can test this behaviour if you enter this "export CF_TRACE=true" before you do a "cf logout".
With this situation we have a problem. If I use man-in-the-middle software and capture a request (for example, to create a service), this request works until the token has expired, even if the user logs out from the CLI.
So my problem with this behaviour is not that the request works with man in the middle; my problem is that it even works after the user did a logout.
Is this the proper way of handling a CLI logout, to just clear the CLI user data and not invalidate the token?
Side note: We don't use the standard screens from the UAA as we implemented our own login server, so we don't have this logout functionality.
Best regards
Dave
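The behaviour described in the post, as an added example that is not part of the original message and is not CF CLI or UAA code: a server that accepts a self-contained signed token on signature and expiry alone keeps accepting it after a local-only logout, while a server-side revocation check rejects it. The token format, the key, and the names `issue_token`, `verify`, `scenario` and `jti-0001` are constructed for this illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed signing key, for this example only

def _sign(body: str) -> str:
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user: str, jti: str, now: int, ttl: int = 600) -> str:
    """Issue a self-contained token: base64(claims) + '.' + HMAC signature."""
    claims = {"sub": user, "jti": jti, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def verify(token: str, now: int, revoked=None):
    """Return the claims if the API would accept the token, else None.
    revoked=None models a server that checks signature and expiry only."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if now >= claims.get("exp", 0):
        return None
    if revoked is not None and claims.get("jti") in revoked:
        return None
    return claims

def scenario(revoke_on_logout: bool) -> dict:
    """Present a previously captured token after logout and after expiry."""
    revoked = set() if revoke_on_logout else None
    client_token = issue_token("demo-user", "jti-0001", now=1000)  # login at t=1000
    captured = client_token          # copy seen on the wire before logout
    if revoke_on_logout:
        revoked.add("jti-0001")      # logout tells the server to revoke
    client_token = None              # logout clears the local copy either way
    return {
        "client_has_token": client_token is not None,
        "replay_after_logout": verify(captured, 1200, revoked) is not None,
        "replay_after_expiry": verify(captured, 1700, revoked) is not None,
    }

if __name__ == "__main__":
    print("local-only logout:", scenario(False))
    print("revoking logout:  ", scenario(True))
```
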