fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

FoD: Retire token on session logout? #422

Closed rsenden closed 10 months ago

rsenden commented 10 months ago

I don't recall seeing any information about retiring tokens in the FoD API documentation, but apparently there is an /oauth/retireToken endpoint as shown here for example: https://github.com/fod-dev/fod-uploader-java/blob/335b736c622e0aa000841eec2f1a3a701d94aae7/src/main/java/com/fortify/fod/fodapi/FodApi.java#L137

We should probably call this endpoint when fcli fod session logout is invoked.

rsenden commented 10 months ago

According to the FoD team, tokens will expire automatically after 6 hours and it's not necessary to explicitly invoke the /oauth/retireToken endpoint. As we want to avoid invoking undocumented endpoints, we'll leave it as-is for now. If FoD ever starts documenting this endpoint, and/or the FoD team recommends starting to use this endpoint, we can reconsider this decision and have the logout command invoke the documented/recommended endpoint for retiring/revoking the token.

For now, we should just add a comment in the source code of the FoD logout command, referencing this issue to explain why we're not retiring the token.