Fix krew yaml (#134 )

Refactor (#133 )
* Refactor: change debug messages to lowercase * Refactor: add debug messages * Refactor Makefile * Refactor: add keys and certificates of e2e tests
2026-02-19 19:09:50 +00:00 · 2019-08-18 16:57:47 +09:00 · 2019-08-18 15:14:07 +09:00 · 2019-08-17 21:40:14 +09:00 · 2019-08-14 14:52:58 +09:00 · 2019-08-11 16:09:53 +09:00
89 changed files with 6459 additions and 484 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,35 +2,36 @@ version: 2
 jobs:
  build:
    docker:
-      - image: circleci/golang:1.10
-    working_directory: /go/src/github.com/int128/kubelogin
+      - image: circleci/golang:1.12.3
    steps:
-      - checkout
-      - run: go get -v -t -d ./...
-      - run: go get github.com/golang/lint/golint
-      - run: golint
-      - run: go build -v
-
-  release:
-    docker:
-      - image: circleci/golang:1.10
-    working_directory: /go/src/github.com/int128/kubelogin
-    steps:
-      - checkout
-      - run: go get -v -t -d ./...
-      - run: go get github.com/mitchellh/gox
+      - run: |
+          mkdir -p ~/bin
+          echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
+      - run: |
+          curl -L -o ~/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.14.0/bin/linux/amd64/kubectl
+          chmod +x ~/bin/kubectl
+      - run: |
+          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
+          chmod +x ~/bin/ghcp
+      - run: |
+          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.16.0
+      - run: go get github.com/int128/goxzst
      - run: go get github.com/tcnksm/ghr
-      - run: gox --osarch 'darwin/amd64 linux/amd64 windows/amd64 windows/386' -output 'dist/{{.Dir}}_{{.OS}}_{{.Arch}}'
-      - run: ghr -u "$CIRCLE_PROJECT_USERNAME" -r "$CIRCLE_PROJECT_REPONAME" "$CIRCLE_TAG" dist
+      - checkout
+      - run: make check
+      - run: bash <(curl -s https://codecov.io/bash)
+      - run: make run
+      - run: |
+          if [ "$CIRCLE_TAG" ]; then
+            make release
+          fi

 workflows:
  version: 2
-  build:
+  all:
    jobs:
-      - build
-      - release:
+      - build:
+          context: open-source
          filters:
-            branches:
-              ignore: /.*/
            tags:
              only: /.*/
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,11 +0,0 @@
-root = true
-
-[*]
-end_of_line = lf
-insert_final_newline = true
-indent_style = space
-indent_size = 2
-
-[*.go]
-indent_style = tab
-indent_size = 4
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,9 @@
+/.idea
+
+/.kubeconfig*
+
+/dist
+/coverage.out
+
 /kubelogin
-/.kubeconfig
+/kubectl-oidc_login
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -0,0 +1,47 @@
+# Design of kubelogin
+
+This explains design of kubelogin.
+
+## Use cases
+
+Kubelogin is a command line tool and designed to run as both a standalone command and a kubectl plugin.
+
+It respects the following flags, commonly used in kubectl:
+
+```
+      --kubeconfig string              Path to the kubeconfig file
+      --context string                 The name of the kubeconfig context to use
+      --user string                    The name of the kubeconfig user to use. Prior to --context
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+  -v, --v int                          If set to 1 or greater, it shows debug log
+```
+
+As well as it respects the environment variable `KUBECONFIG`.
+
+
+### Login by the command
+
+TODO
+
+
+## Architecture
+
+Kubelogin consists of the following layers:
+
+- `usecases`: This provides the use-cases.
+- `adaptor`: This provides external access and converts objects between the use-cases and external system.
+
+
+### Use-cases
+
+This provides the use-cases mentioned in the previous section.
+
+This layer should not contain external access such as HTTP requests and system calls.
+
+
+### Adaptor
+
+This provides external access such as command line interface and HTTP requests.
+
+
--- a/44
+++ b/44
@@ -0,0 +1,44 @@
+TARGET := kubelogin
+TARGET_PLUGIN := kubectl-oidc_login
+CIRCLE_TAG ?= HEAD
+LDFLAGS := -X main.version=$(CIRCLE_TAG)
+
+all: $(TARGET)
+
+.PHONY: check
+check:
+	golangci-lint run
+	go test -v -race -cover -coverprofile=coverage.out ./...
+
+$(TARGET): $(wildcard *.go)
+	go build -o $@ -ldflags "$(LDFLAGS)"
+
+$(TARGET_PLUGIN): $(TARGET)
+	ln -sf $(TARGET) $@
+
+.PHONY: run
+run: $(TARGET_PLUGIN)
+	-PATH=.:$(PATH) kubectl oidc-login --help
+
+diagram: docs/authn.png
+
+%.png: %.seqdiag
+	seqdiag -a -f /Library/Fonts/Verdana.ttf $<
+
+dist:
+	VERSION=$(CIRCLE_TAG) goxzst -d dist/gh/ -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
+	mv dist/gh/kubelogin.rb dist/
+	mkdir -p dist/plugins
+	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml
+
+.PHONY: release
+release: dist
+	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
+	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
+	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml
+
+.PHONY: clean
+clean:
+	-rm $(TARGET)
+	-rm $(TARGET_PLUGIN)
+	-rm -r dist/
--- a/README.md
+++ b/README.md
@@ -1,153 +1,380 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin)
+# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)

-`kubelogin` is a command to get an OpenID Connect (OIDC) token for `kubectl` authentication.
+This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
+
+This is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
+When you run `kubectl`, kubelogin opens the browser and you can log in to the provider.
+Then kubelogin gets a token from the provider and kubectl calls the Kubernetes APIs with the token.


 ## Getting Started

-Download [the latest release](https://github.com/int128/kubelogin/releases) and save it as `/usr/local/bin/kubelogin`.
-
-You have to configure `kubectl` to authenticate with OIDC.
-See the later section for details.
+You can install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases) as follows:

 ```sh
-kubectl config set-credentials CLUSTER_NAME \
-  --auth-provider oidc \
-  --auth-provider-arg idp-issuer-url=https://keycloak.example.com/auth/realms/hello \
-  --auth-provider-arg client-id=kubernetes \
-  --auth-provider-arg client-secret=YOUR_CLIENT_SECRET
+# Homebrew
+brew tap int128/kubelogin
+brew install kubelogin
+
+# Krew
+kubectl krew install oidc-login
+
+# GitHub Releases
+curl -LO https://github.com/int128/kubelogin/releases/download/v1.14.1/kubelogin_linux_amd64.zip
+unzip kubelogin_linux_amd64.zip
+ln -s kubelogin kubectl-oidc_login
 ```

-Run `kubelogin`.
+You need to configure the OIDC provider, Kubernetes API server, kubeconfig and role binding.
+See the following documents for more:

-```
-% kubelogin
-2018/08/10 10:36:38 Reading .kubeconfig
-2018/08/10 10:36:38 Using current context: devops.hidetake.org
-2018/08/10 10:36:41 Open http://localhost:8000 for authorization
-2018/08/10 10:36:45 GET /
-2018/08/10 10:37:07 GET /?state=...&session_state=...&code=ey...
-2018/08/10 10:37:08 Updated .kubeconfig
-```
+- [Getting Started with Keycloak](docs/keycloak.md)
+- [Getting Started with dex and GitHub](docs/dex.md)
+- [Getting Started with Google Identity Platform](docs/google.md)

-Now your `~/.kube/config` looks like:
+You can run kubelogin as the following methods:
+
+- Credential plugin mode
+- Standalone mode
+
+
+### Credential plugin mode
+
+You can run kubelogin as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
+This provides transparent login without manually running `kubelogin` command.
+
+Configure the kubeconfig like:

 ```yaml
-# ~/.kube/config (snip)
 users:
- name: hello.k8s.local
+- name: keycloak
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://issuer.example.com
+      - --oidc-client-id=YOUR_CLIENT_ID
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Run kubectl.
+
+```sh
+kubectl get pods
+```
+
+Kubectl executes kubelogin before calling the Kubernetes APIs.
+Kubelogin automatically opens the browser and you can log in to the provider.
+
+<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
+
+After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
+
+```
+% kubectl get pods
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-18 10:28:51 +0900 JST
+NAME                          READY   STATUS    RESTARTS   AGE
+echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
+```
+
+Kubelogin writes the ID token and refresh token to the token cache file.
+
+If the cached ID token is valid, kubelogin just returns it.
+If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
+If the refresh token has expired, kubelogin will perform reauthentication.
+
+You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
+Kubelogin will perform authentication if the token cache file does not exist.
+
+
+### Standalone mode
+
+You can run kubelogin as a standalone command.
+In this method, you need to manually run the command before running kubectl.
+
+Configure the kubeconfig like:
+
+```yaml
+- name: keycloak
  user:
    auth-provider:
      config:
-        idp-issuer-url: https://keycloak.example.com/auth/realms/hello
-        client-id: kubernetes
-        client-secret: YOUR_SECRET
-        id-token: ey...       # kubelogin will update ID token here
-        refresh-token: ey...  # kubelogin will update refresh token here
+        client-id: YOUR_CLIENT_ID
+        client-secret: YOUR_CLIENT_SECRET
+        idp-issuer-url: https://issuer.example.com
      name: oidc
 ```

-Make sure you can access to the Kubernetes cluster:
+Run kubelogin:
+
+```sh
+kubelogin
+
+# or run as a kubectl plugin
+kubectl oidc-login
+```
+
+It automatically opens the browser and you can log in to the provider.
+
+<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
+
+After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.

 ```
-% kubectl version
-Client Version: version.Info{...}
-Server Version: version.Info{...}
+% kubelogin
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-18 10:28:51 +0900 JST
+Updated ~/.kubeconfig
 ```

+Now you can access the cluster.
+
+```
+% kubectl get pods
+NAME                          READY   STATUS    RESTARTS   AGE
+echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
+```
+
+Your kubeconfig looks like:
+
+```yaml
+users:
+- name: keycloak
+  user:
+    auth-provider:
+      config:
+        client-id: YOUR_CLIENT_ID
+        client-secret: YOUR_CLIENT_SECRET
+        idp-issuer-url: https://issuer.example.com
+        id-token: ey...       # kubelogin will add or update the ID token here
+        refresh-token: ey...  # kubelogin will add or update the refresh token here
+      name: oidc
+```
+
+If the ID token is valid, kubelogin does nothing.
+
+```
+% kubelogin
+You already have a valid token until 2019-05-18 10:28:51 +0900 JST
+```
+
+If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
+If the refresh token has expired, kubelogin will proceed the authentication.
+

 ## Configuration

-You can set the following environment variable:
-
- `KUBECONFIG` - Path to the config. Defaults to `~/.kube/config`.
+This document is for the development version.
+If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).


-## Prerequisite
+### Credential plugin mode

-You have to setup your OIDC identity provider and Kubernetes cluster.
+Kubelogin supports the following options:

-### 1. Setup OIDC Identity Provider
+```
+% kubelogin get-token -h
+Run as a kubectl credential plugin

-This tutorial assumes you have created an OIDC client with the following:
+Usage:
+  kubelogin get-token [flags]

- Issuer URL: `https://keycloak.example.com/auth/realms/hello`
- Client ID: `kubernetes`
- Client Secret: `YOUR_CLIENT_SECRET`
- Allowed redirect URLs: `http://localhost:8000/`
- Groups claim: `groups` (optional for group based access controll)
-
-### 2. Setup Kubernetes API Server
-
-Configure the Kubernetes API server allows your identity provider.
-
-If you are using [kops](https://github.com/kubernetes/kops), `kops edit cluster` and append the following settings:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcClientID: kubernetes
-    oidcGroupsClaim: groups
-    oidcIssuerURL: https://keycloak.example.com/auth/realms/hello
+Flags:
+      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
+      --skip-open-browser              If true, it does not open the browser on authentication
+      --username string                If set, perform the resource owner password credentials grant
+      --password string                If set, use the password instead of asking it
+      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
+      --oidc-client-id string          Client ID of the provider (mandatory)
+      --oidc-client-secret string      Client secret of the provider
+      --oidc-extra-scope strings       Scopes to request to the provider
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+  -v, --v int                          If set to 1 or greater, it shows debug log
+      --token-cache-dir string         Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
+  -h, --help                           help for get-token
 ```

-### 3. Setup kubectl
+#### Extra scopes

-Run the following command to configure `kubectl` to authenticate by your identity provider.
+You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
+
+```yaml
+      - --oidc-extra-scope=email
+      - --oidc-extra-scope=profile
+```
+
+#### CA Certificates
+
+You can use your self-signed certificates for the provider.
+
+```yaml
+      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
+```
+
+
+### Standalone mode
+
+Kubelogin supports the following options:
+
+```
+% kubelogin -h
+Login to the OpenID Connect provider and update the kubeconfig
+
+Usage:
+  kubelogin [flags]
+  kubelogin [command]
+
+Examples:
+  # Login to the provider using the authorization code flow.
+  kubelogin
+
+  # Login to the provider using the resource owner password credentials flow.
+  kubelogin --username USERNAME --password PASSWORD
+
+  # Run as a credential plugin.
+  kubelogin get-token --oidc-issuer-url=https://issuer.example.com
+
+Available Commands:
+  get-token   Run as a kubectl credential plugin
+  help        Help about any command
+  version     Print the version information
+
+Flags:
+      --kubeconfig string              Path to the kubeconfig file
+      --context string                 The name of the kubeconfig context to use
+      --user string                    The name of the kubeconfig user to use. Prior to --context
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+  -v, --v int                          If set to 1 or greater, it shows debug log
+      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
+      --skip-open-browser              If true, it does not open the browser on authentication
+      --username string                If set, perform the resource owner password credentials grant
+      --password string                If set, use the password instead of asking it
+  -h, --help                           help for kubelogin
+```
+
+#### Kubeconfig
+
+You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
+It defaults to `~/.kube/config`.

 ```sh
-kubectl config set-credentials CLUSTER_NAME \
-  --auth-provider oidc \
-  --auth-provider-arg idp-issuer-url=https://keycloak.example.com/auth/realms/hello \
-  --auth-provider-arg client-id=kubernetes \
-  --auth-provider-arg client-secret=YOUR_CLIENT_SECRET
+# by the option
+kubelogin --kubeconfig /path/to/kubeconfig
+
+# by the environment variable
+KUBECONFIG="/path/to/kubeconfig1:/path/to/kubeconfig2" kubelogin
 ```

-In actual team operation, you can share the following config to your team members for easy setup.
+If you set multiple files, kubelogin will find the file which has the current authentication (i.e. `user` and `auth-provider`) and write a token to it.

-```yaml
-#!/bin/sh
-CLUSTER_NAME="hello.k8s.local"
+Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
+See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.

-# Set the certificate
-mkdir -p "$HOME/.kube"
-cat > "$HOME/.kube/$CLUSTER_NAME.crt" <<EOF
-----BEGIN CERTIFICATE-----
-MII...
-----END CERTIFICATE-----
-EOF
+Key | Direction | Value
+----|-----------|------
+`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
+`client-id`                       | Read (Mandatory) | Client ID of the provider.
+`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
+`idp-certificate-authority`       | Read | CA certificate path of the provider.
+`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
+`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
+`id-token`                        | Write | ID token got from the provider.
+`refresh-token`                   | Write | Refresh token got from the provider.

-# Set the cluster
-kubectl config set-cluster "$CLUSTER_NAME" \
-  --server https://api-xxx.xxx.elb.amazonaws.com \
-  --certificate-authority "$HOME/.kube/$CLUSTER_NAME.crt"
+#### Extra scopes

-# Set the credentials
-kubectl config set-credentials "$CLUSTER_NAME" \
-  --auth-provider oidc \
-  --auth-provider-arg idp-issuer-url=https://keycloak.example.com/auth/realms/hello \
-  --auth-provider-arg client-id=kubernetes \
-  --auth-provider-arg client-secret=YOUR_SECRET
+You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.

-# Set the context
-kubectl config set-context "$CLUSTER_NAME" --cluster "$CLUSTER_NAME" --user "$CLUSTER_NAME"
+```sh
+kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
+```

-# Set the current context
-kubectl config use-context "$CLUSTER_NAME"
+Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
+
+```sh
+kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
+sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
+```
+
+#### CA Certificates
+
+You can use your self-signed certificates for the provider.
+
+```sh
+kubectl config set-credentials keycloak \
+  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
+```
+
+
+### HTTP Proxy
+
+You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
+See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
+
+
+### Authentication flows
+
+#### Authorization code flow
+
+Kubelogin performs the authorization code flow by default.
+
+It starts the local server at port 8000 or 18000 by default.
+You need to register the following redirect URIs to the provider:
+
+- `http://localhost:8000`
+- `http://localhost:18000` (used if port 8000 is already in use)
+
+You can change the ports by the option:
+
+```sh
+# run as a standalone command
+kubelogin --listen-port 12345 --listen-port 23456
+
+# run as a credential plugin
+kubelogin get-token --listen-port 12345 --listen-port 23456
+```
+
+
+#### Resource owner password credentials grant flow
+
+As well as you can use the resource owner password credentials grant flow.
+Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+Most OIDC providers do not support this flow.
+
+You can pass the username and password:
+
+```
+% kubelogin --username USER --password PASS
+```
+
+or use the password prompt:
+
+```
+% kubelogin --username USER
+Password:
 ```


 ## Contributions

 This is an open source software licensed under Apache License 2.0.
-Feel free to open issues and pull requests.
+Feel free to open issues and pull requests for improving code and documents.

-### Build
+### Development
+
+Go 1.12 or later is required.

 ```sh
-go get github.com/int128/kubelogin
+# Run lint and tests
+make check
+
+# Compile and run the command
+make
+./kubelogin
 ```
-
-### Release
-
-CircleCI publishes the build to GitHub. See [.circleci/config.yml](.circleci/config.yml).
--- a/authn/authn.go
+++ b/authn/authn.go
@@ -1,61 +0,0 @@
-package authn
-
-import (
-	"context"
-	"fmt"
-
-	oidc "github.com/coreos/go-oidc"
-	"github.com/int128/kubelogin/authz"
-	"golang.org/x/oauth2"
-)
-
-// TokenSet is a set of tokens and claims.
-type TokenSet struct {
-	IDToken      string
-	RefreshToken string
-	Claims       *Claims
-}
-
-// Claims represents properties in the ID token.
-type Claims struct {
-	Email string `json:"email"`
-}
-
-// GetTokenSet retrieves a token from the OIDC provider.
-func GetTokenSet(ctx context.Context, issuer string, clientID string, clientSecret string) (*TokenSet, error) {
-	provider, err := oidc.NewProvider(ctx, issuer)
-	if err != nil {
-		return nil, fmt.Errorf("Could not access OIDC issuer: %s", err)
-	}
-	flow := authz.BrowserAuthCodeFlow{
-		Port: 8000,
-		Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     clientID,
-			ClientSecret: clientSecret,
-			Scopes:       []string{oidc.ScopeOpenID, "email"},
-		},
-	}
-	token, err := flow.GetToken(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("Could not get a token: %s", err)
-	}
-	rawIDToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := provider.Verifier(&oidc.Config{ClientID: clientID})
-	idToken, err := verifier.Verify(ctx, rawIDToken)
-	if err != nil {
-		return nil, fmt.Errorf("Could not verify the id_token: %s", err)
-	}
-	var claims Claims
-	if err := idToken.Claims(&claims); err != nil {
-		return nil, fmt.Errorf("Could not extract claims from the token response: %s", err)
-	}
-	return &TokenSet{
-		IDToken:      rawIDToken,
-		RefreshToken: token.RefreshToken,
-		Claims:       &claims,
-	}, nil
-}
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -1,12 +0,0 @@
-package authz
-
-import (
-	"context"
-
-	"golang.org/x/oauth2"
-)
-
-// Flow represents an authorization method.
-type Flow interface {
-	GetToken(context.Context) (*oauth2.Token, error)
-}
--- a/authz/browser.go
+++ b/authz/browser.go
@@ -1,97 +0,0 @@
-package authz
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net/http"
-
-	"golang.org/x/oauth2"
-)
-
-// BrowserAuthCodeFlow is a flow to get a token by browser interaction.
-type BrowserAuthCodeFlow struct {
-	oauth2.Config
-	Port int // HTTP server port
-}
-
-// GetToken returns a token.
-func (f *BrowserAuthCodeFlow) GetToken(ctx context.Context) (*oauth2.Token, error) {
-	f.Config.RedirectURL = fmt.Sprintf("http://localhost:%d/", f.Port)
-	state, err := generateOAuthState()
-	if err != nil {
-		return nil, err
-	}
-	log.Printf("Open http://localhost:%d for authorization", f.Port)
-	code, err := f.getCode(ctx, &f.Config, state)
-	if err != nil {
-		return nil, err
-	}
-	token, err := f.Config.Exchange(ctx, code)
-	if err != nil {
-		return nil, fmt.Errorf("Could not exchange oauth code: %s", err)
-	}
-	return token, nil
-}
-
-func (f *BrowserAuthCodeFlow) getCode(ctx context.Context, config *oauth2.Config, state string) (string, error) {
-	codeCh := make(chan string)
-	errCh := make(chan error)
-	server := http.Server{
-		Addr: fmt.Sprintf(":%d", f.Port),
-		Handler: &handler{
-			AuthCodeURL: config.AuthCodeURL(state),
-			Callback: func(code string, actualState string, err error) {
-				switch {
-				case err != nil:
-					errCh <- err
-				case actualState != state:
-					errCh <- fmt.Errorf("OAuth state did not match, should be %s but %s", state, actualState)
-				default:
-					codeCh <- code
-				}
-			},
-		},
-	}
-	go func() {
-		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			errCh <- err
-		}
-	}()
-	select {
-	case err := <-errCh:
-		server.Shutdown(ctx)
-		return "", err
-	case code := <-codeCh:
-		server.Shutdown(ctx)
-		return code, nil
-	}
-}
-
-type handler struct {
-	AuthCodeURL string
-	Callback    func(code string, state string, err error)
-}
-
-func (s *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	log.Printf("%s %s", r.Method, r.RequestURI)
-	switch r.URL.Path {
-	case "/":
-		code := r.URL.Query().Get("code")
-		state := r.URL.Query().Get("state")
-		errorCode := r.URL.Query().Get("error")
-		errorDescription := r.URL.Query().Get("error_description")
-		switch {
-		case code != "":
-			s.Callback(code, state, nil)
-			fmt.Fprintf(w, "Back to command line.")
-		case errorCode != "":
-			s.Callback("", "", fmt.Errorf("OAuth Error: %s %s", errorCode, errorDescription))
-			fmt.Fprintf(w, "Back to command line.")
-		default:
-			http.Redirect(w, r, s.AuthCodeURL, 302)
-		}
-	default:
-		http.Error(w, "Not Found", 404)
-	}
-}
--- a/authz/cli.go
+++ b/authz/cli.go
@@ -1,35 +0,0 @@
-package authz
-
-import (
-	"context"
-	"fmt"
-	"log"
-
-	"golang.org/x/oauth2"
-)
-
-// CLIAuthCodeFlow is a flow to get a token by keyboard interaction.
-type CLIAuthCodeFlow struct {
-	oauth2.Config
-}
-
-// GetToken returns a token by browser interaction.
-func (f *CLIAuthCodeFlow) GetToken(ctx context.Context) (*oauth2.Token, error) {
-	f.Config.RedirectURL = "urn:ietf:wg:oauth:2.0:oob"
-	state, err := generateOAuthState()
-	if err != nil {
-		return nil, err
-	}
-	authCodeURL := f.Config.AuthCodeURL(state)
-	log.Printf("Open %s for authorization", authCodeURL)
-	fmt.Print("Enter code: ")
-	var code string
-	if _, err := fmt.Scanln(&code); err != nil {
-		return nil, err
-	}
-	token, err := f.Config.Exchange(ctx, code)
-	if err != nil {
-		return nil, fmt.Errorf("Could not exchange oauth code: %s", err)
-	}
-	return token, nil
-}
--- a/authz/state.go
+++ b/authz/state.go
@@ -1,15 +0,0 @@
-package authz
-
-import (
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-)
-
-func generateOAuthState() (string, error) {
-	var n uint64
-	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%x", n), nil
-}
--- a/docs/authn.png
+++ b/docs/authn.png
--- a/docs/authn.seqdiag
+++ b/docs/authn.seqdiag
@@ -0,0 +1,16 @@
+seqdiag {
+  User -> kubelogin [label = "execute"];
+  kubelogin -> Browser [label = "open"];
+  Browser -> Provider [label = "authentication request"];
+  Browser <-- Provider [label = "redirect"];
+  User -> Browser [label = "enter credentials"];
+  Browser -> Provider [label = "credentials"];
+  Browser <-- Provider [label = "authentication response"];
+  User <-- Browser [label = "success"];
+  kubelogin <-- Browser [label = "close"];
+  kubelogin -> Provider [label = "token request"];
+  kubelogin <-- Provider [label = "token response"];
+  kubelogin -> kubeconfig [label = "write token"];
+  kubelogin <-- kubeconfig;
+  User <-- kubelogin;
+}
--- a/docs/dex.md
+++ b/docs/dex.md
@@ -0,0 +1,141 @@
+# Getting Started with dex and GitHub
+
+## Prerequisite
+
+- You have a GitHub account.
+- You can configure the Kubernetes API server.
+- `kubectl` and `kubelogin` are installed.
+
+## 1. Setup GitHub OAuth
+
+Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an application with the following setting:
+
+- Application name: (any)
+- Homepage URL: `https://dex.example.com`
+- Authorization callback URL: `https://dex.example.com/callback`
+
+## 2. Setup dex
+
+Configure the dex with the following config:
+
+```yaml
+issuer: https://dex.example.com
+connectors:
+- type: github
+  id: github
+  name: GitHub
+  config:
+    clientID: YOUR_GITHUB_CLIENT_ID
+    clientSecret: YOUR_GITHUB_CLIENT_SECRET
+    redirectURI: https://dex.example.com/callback
+staticClients:
+- id: kubernetes
+  name: Kubernetes
+  redirectURIs:
+    - http://localhost:8000
+    - http://localhost:18000
+  secret: YOUR_DEX_CLIENT_SECRET
+```
+
+Now test authentication with the dex.
+
+```sh
+kubectl oidc-login get-token -v1 \
+  --oidc-issuer-url=https://dex.example.com \
+  --oidc-client-id=kubernetes \
+  --oidc-client-secret=YOUR_DEX_CLIENT_SECRET
+```
+
+You should get claims like:
+
+```
+17:21:32.052655 get_token.go:57: ID token has the claim: iss=https://dex.example.com
+17:21:32.052672 get_token.go:57: ID token has the claim: sub=YOUR_SUBJECT
+17:21:32.052683 get_token.go:57: ID token has the claim: aud=kubernetes
+```
+
+## 3. Setup Kubernetes API server
+
+Configure your Kubernetes API server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+
+```
+--oidc-issuer-url=https://dex.example.com
+--oidc-client-id=kubernetes
+```
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and add the following spec:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://dex.example.com
+    oidcClientID: kubernetes
+```
+
+## 4. Create a role binding
+
+Here assign the `cluster-admin` role to your subject.
+
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: User
+  name: YOUR_SUBJECT
+```
+
+You can create a custom role and assign it as well.
+
+## 5. Setup kubeconfig
+
+Configure the kubeconfig like:
+
+```yaml
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://api.example.com
+  name: example.k8s.local
+contexts:
+- context:
+    cluster: example.k8s.local
+    user: dex
+  name: dex@example.k8s.local
+current-context: dex@example.k8s.local
+kind: Config
+preferences: {}
+users:
+- name: dex
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://dex.example.com
+      - --oidc-client-id=kubernetes
+      - --oidc-client-secret=YOUR_DEX_CLIENT_SECRET
+```
+
+You can share the kubeconfig to your team members for on-boarding.
+
+## 6. Run kubectl
+
+Make sure you can access the Kubernetes cluster.
+
+```
+% kubectl get nodes
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-16 22:03:13 +0900 JST
+Updated ~/.kubeconfig
+NAME                                    STATUS    ROLES     AGE       VERSION
+ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
+ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
+```
--- a/docs/google.md
+++ b/docs/google.md
@@ -0,0 +1,116 @@
+# Getting Started with Google Identity Platform
+
+## Prerequisite
+
+- You have a Google account.
+- You have the Cluster Admin role of the Kubernetes cluster.
+- You can configure the Kubernetes API server.
+- `kubectl` and `kubelogin` are installed to your computer.
+
+## 1. Setup Google API
+
+Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:
+
+- Application Type: Other
+
+Now test authentication with Google Identity Platform.
+
+```sh
+kubectl oidc-login get-token -v1 \
+  --oidc-issuer-url=https://accounts.google.com \
+  --oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com \
+  --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+You should get claims like:
+
+```
+17:21:32.052655 get_token.go:57: ID token has the claim: iss=https://accounts.google.com
+17:21:32.052672 get_token.go:57: ID token has the claim: sub=YOUR_SUBJECT
+17:21:32.052683 get_token.go:57: ID token has the claim: aud=YOUR_CLIENT_ID.apps.googleusercontent.com
+```
+
+## 2. Setup Kubernetes API server
+
+Configure your Kubernetes API Server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+
+```
+--oidc-issuer-url=https://accounts.google.com
+--oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
+```
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://accounts.google.com
+    oidcClientID: YOUR_CLIENT_ID.apps.googleusercontent.com
+```
+
+## 3. Setup Kubernetes cluster
+
+Here assign the `cluster-admin` role to your subject.
+
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: oidc-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: User
+  name: YOUR_SUBJECT
+```
+
+You can create a custom role and assign it as well.
+
+## 4. Setup kubeconfig
+
+Configure the kubeconfig like:
+
+```yaml
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://api.example.com
+  name: example.k8s.local
+contexts:
+- context:
+    cluster: example.k8s.local
+    user: google
+  name: google@example.k8s.local
+current-context: google@example.k8s.local
+kind: Config
+preferences: {}
+users:
+- name: google
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubelogin
+      args:
+      - get-token
+      - --oidc-issuer-url=https://accounts.google.com
+      - --oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+You can share the kubeconfig to your team members for on-boarding.
+
+## 5. Run kubectl
+
+Make sure you can access the Kubernetes cluster.
+
+```
+% kubectl get nodes
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-16 22:03:13 +0900 JST
+Updated ~/.kubeconfig
+NAME                                    STATUS    ROLES     AGE       VERSION
+ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
+ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
+```
--- a/docs/keycloak-login.png
+++ b/docs/keycloak-login.png
--- a/docs/keycloak.md
+++ b/docs/keycloak.md
@@ -0,0 +1,134 @@
+# Getting Started with Keycloak
+
+## Prerequisite
+
+- You have an administrator role of the Keycloak realm.
+- You have an administrator role of the Kubernetes cluster.
+- You can configure the Kubernetes API server.
+- `kubectl` and `kubelogin` are installed.
+
+## 1. Setup Keycloak
+
+Open the Keycloak and create an OIDC client as follows:
+
+- Client ID: `kubernetes`
+- Valid Redirect URLs:
+    - `http://localhost:8000`
+    - `http://localhost:18000` (used if the port 8000 is already in use)
+- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
+
+You can associate client roles by adding the following mapper:
+
+- Name: `groups`
+- Mapper Type: `User Client Role`
+- Client ID: `kubernetes`
+- Client Role prefix: `kubernetes:`
+- Token Claim Name: `groups`
+- Add to ID token: on
+
+For example, if you have the `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
+
+Now test authentication with the Keycloak.
+
+```sh
+kubectl oidc-login get-token -v1 \
+  --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM \
+  --oidc-client-id=kubernetes \
+  --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+You should get claims like:
+
+```
+17:21:32.052655 get_token.go:57: ID token has the claim: iss=https://keycloak.example.com/auth/realms/YOUR_REALM
+17:21:32.052672 get_token.go:57: ID token has the claim: sub=YOUR_SUBJECT
+17:21:32.052683 get_token.go:57: ID token has the claim: aud=kubernetes
+17:21:32.052694 get_token.go:57: ID token has the claim: groups=[kubernetes:admin]
+```
+
+## 2. Setup Kubernetes API server
+
+Configure your Kubernetes API server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+
+```
+--oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
+--oidc-client-id=kubernetes
+--oidc-groups-claim=groups
+```
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and add the following spec:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
+    oidcClientID: kubernetes
+    oidcGroupsClaim: groups
+```
+
+## 3. Setup Kubernetes cluster
+
+Here assign the `cluster-admin` role to the `kubernetes:admin` group.
+
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: Group
+  name: kubernetes:admin
+```
+
+You can create a custom role and assign it as well.
+
+## 4. Setup kubeconfig
+
+Configure the kubeconfig like:
+
+```yaml
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://api.example.com
+  name: example.k8s.local
+contexts:
+- context:
+    cluster: example.k8s.local
+    user: keycloak
+  name: keycloak@example.k8s.local
+current-context: keycloak@example.k8s.local
+kind: Config
+preferences: {}
+users:
+- name: keycloak
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubelogin
+      args:
+      - get-token
+      - --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
+      - --oidc-client-id=kubernetes
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+You can share the kubeconfig to your team members for on-boarding.
+
+## 5. Run kubectl
+
+Make sure you can access the Kubernetes cluster.
+
+```
+% kubectl get nodes
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-16 22:03:13 +0900 JST
+Updated ~/.kubeconfig
+NAME                                    STATUS    ROLES     AGE       VERSION
+ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
+ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
+```
--- a/e2e_test/credetial_plugin_test.go
+++ b/e2e_test/credetial_plugin_test.go
@@ -0,0 +1,85 @@
+package e2e_test
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/e2e_test/idp"
+	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
+	"github.com/int128/kubelogin/e2e_test/localserver"
+	"github.com/int128/kubelogin/e2e_test/logger"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/mock_adaptors"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases"
+)
+
+// Run the integration tests of the credential plugin use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the output.
+//
+func TestCmd_Run_CredentialPlugin(t *testing.T) {
+	timeout := 1 * time.Second
+	cacheDir, err := ioutil.TempDir("", "kube")
+	if err != nil {
+		t.Fatalf("could not create a cache dir: %s", err)
+	}
+	defer func() {
+		if err := os.RemoveAll(cacheDir); err != nil {
+			t.Errorf("could not clean up the cache dir: %s", err)
+		}
+	}()
+
+	t.Run("Defaults", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
+		defer server.Shutdown(t, ctx)
+		var idToken string
+		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+
+		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
+		credentialPluginInteraction.EXPECT().
+			Write(gomock.Any()).
+			Do(func(out credentialplugin.Output) {
+				if out.Token != idToken {
+					t.Errorf("Token wants %s but %s", idToken, out.Token)
+				}
+				if out.Expiry != tokenExpiryFuture {
+					t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
+				}
+			})
+
+		req := startBrowserRequest(t, ctx, nil)
+		runGetTokenCmd(t, ctx, req, credentialPluginInteraction,
+			"--skip-open-browser",
+			"--listen-port", "0",
+			"--token-cache-dir", cacheDir,
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		)
+		req.wait()
+	})
+}
+
+func runGetTokenCmd(t *testing.T, ctx context.Context, s usecases.LoginShowLocalServerURL, interaction adaptors.CredentialPluginInteraction, args ...string) {
+	t.Helper()
+	cmd := di.NewCmdForHeadless(logger.New(t), s, interaction)
+	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "get-token", "--v=1"}, args...), "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
--- a/e2e_test/idp/handler.go
+++ b/e2e_test/idp/handler.go
@@ -0,0 +1,142 @@
+// Package idp provides a test double of the identity provider of OpenID Connect.
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"golang.org/x/xerrors"
+)
+
+func NewHandler(t *testing.T, service Service) *Handler {
+	return &Handler{t, service}
+}
+
+// Handler provides a HTTP handler for the identity provider of OpenID Connect.
+// You need to implement the Service interface.
+// Note that this skips some security checks and is only for testing.
+type Handler struct {
+	t       *testing.T
+	service Service
+}
+
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	wr := &responseWriterRecorder{w, 200}
+	err := h.serveHTTP(wr, r)
+	if err == nil {
+		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
+		return
+	}
+	if errResp := new(ErrorResponse); xerrors.As(err, &errResp) {
+		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
+		w.Header().Add("Content-Type", "application/json")
+		w.WriteHeader(400)
+		e := json.NewEncoder(w)
+		if err := e.Encode(errResp); err != nil {
+			h.t.Errorf("idp/handler: could not write the response: %s", err)
+		}
+		return
+	}
+	h.t.Logf("500 %s %s: %s", r.Method, r.RequestURI, err)
+	http.Error(w, err.Error(), 500)
+}
+
+type responseWriterRecorder struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (w *responseWriterRecorder) WriteHeader(statusCode int) {
+	w.ResponseWriter.WriteHeader(statusCode)
+	w.statusCode = statusCode
+}
+
+func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
+	m := r.Method
+	p := r.URL.Path
+	switch {
+	case m == "GET" && p == "/.well-known/openid-configuration":
+		discoveryResponse := h.service.Discovery()
+		w.Header().Add("Content-Type", "application/json")
+		e := json.NewEncoder(w)
+		if err := e.Encode(discoveryResponse); err != nil {
+			return xerrors.Errorf("could not render json: %w", err)
+		}
+	case m == "GET" && p == "/certs":
+		certificatesResponse := h.service.GetCertificates()
+		w.Header().Add("Content-Type", "application/json")
+		e := json.NewEncoder(w)
+		if err := e.Encode(certificatesResponse); err != nil {
+			return xerrors.Errorf("could not render json: %w", err)
+		}
+	case m == "GET" && p == "/auth":
+		// 3.1.2.1. Authentication Request
+		// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+		q := r.URL.Query()
+		redirectURI, scope, state, nonce := q.Get("redirect_uri"), q.Get("scope"), q.Get("state"), q.Get("nonce")
+		code, err := h.service.AuthenticateCode(scope, nonce)
+		if err != nil {
+			return xerrors.Errorf("authentication error: %w", err)
+		}
+		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
+		http.Redirect(w, r, to, 302)
+	case m == "POST" && p == "/token":
+		if err := r.ParseForm(); err != nil {
+			return xerrors.Errorf("could not parse the form: %w", err)
+		}
+		grantType := r.Form.Get("grant_type")
+		switch grantType {
+		case "authorization_code":
+			// 3.1.3.1. Token Request
+			// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+			code := r.Form.Get("code")
+			tokenResponse, err := h.service.Exchange(code)
+			if err != nil {
+				return xerrors.Errorf("token request error: %w", err)
+			}
+			w.Header().Add("Content-Type", "application/json")
+			e := json.NewEncoder(w)
+			if err := e.Encode(tokenResponse); err != nil {
+				return xerrors.Errorf("could not render json: %w", err)
+			}
+		case "password":
+			// 4.3. Resource Owner Password Credentials Grant
+			// https://tools.ietf.org/html/rfc6749#section-4.3
+			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
+			tokenResponse, err := h.service.AuthenticatePassword(username, password, scope)
+			if err != nil {
+				return xerrors.Errorf("authentication error: %w", err)
+			}
+			w.Header().Add("Content-Type", "application/json")
+			e := json.NewEncoder(w)
+			if err := e.Encode(tokenResponse); err != nil {
+				return xerrors.Errorf("could not render json: %w", err)
+			}
+		case "refresh_token":
+			// 12.1. Refresh Request
+			// https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
+			refreshToken := r.Form.Get("refresh_token")
+			tokenResponse, err := h.service.Refresh(refreshToken)
+			if err != nil {
+				return xerrors.Errorf("token refresh error: %w", err)
+			}
+			w.Header().Add("Content-Type", "application/json")
+			e := json.NewEncoder(w)
+			if err := e.Encode(tokenResponse); err != nil {
+				return xerrors.Errorf("could not render json: %w", err)
+			}
+		default:
+			// 5.2. Error Response
+			// https://tools.ietf.org/html/rfc6749#section-5.2
+			return &ErrorResponse{
+				Code:        "invalid_grant",
+				Description: fmt.Sprintf("unknown grant_type %s", grantType),
+			}
+		}
+	default:
+		http.NotFound(w, r)
+	}
+	return nil
+}
--- a/e2e_test/idp/mock_idp/mock_service.go
+++ b/e2e_test/idp/mock_idp/mock_service.go
@@ -0,0 +1,110 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/e2e_test/idp (interfaces: Service)
+
+// Package mock_idp is a generated GoMock package.
+package mock_idp
+
+import (
+	gomock "github.com/golang/mock/gomock"
+	idp "github.com/int128/kubelogin/e2e_test/idp"
+	reflect "reflect"
+)
+
+// MockService is a mock of Service interface
+type MockService struct {
+	ctrl     *gomock.Controller
+	recorder *MockServiceMockRecorder
+}
+
+// MockServiceMockRecorder is the mock recorder for MockService
+type MockServiceMockRecorder struct {
+	mock *MockService
+}
+
+// NewMockService creates a new mock instance
+func NewMockService(ctrl *gomock.Controller) *MockService {
+	mock := &MockService{ctrl: ctrl}
+	mock.recorder = &MockServiceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockService) EXPECT() *MockServiceMockRecorder {
+	return m.recorder
+}
+
+// AuthenticateCode mocks base method
+func (m *MockService) AuthenticateCode(arg0, arg1 string) (string, error) {
+	ret := m.ctrl.Call(m, "AuthenticateCode", arg0, arg1)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AuthenticateCode indicates an expected call of AuthenticateCode
+func (mr *MockServiceMockRecorder) AuthenticateCode(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateCode", reflect.TypeOf((*MockService)(nil).AuthenticateCode), arg0, arg1)
+}
+
+// AuthenticatePassword mocks base method
+func (m *MockService) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenResponse, error) {
+	ret := m.ctrl.Call(m, "AuthenticatePassword", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*idp.TokenResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AuthenticatePassword indicates an expected call of AuthenticatePassword
+func (mr *MockServiceMockRecorder) AuthenticatePassword(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticatePassword", reflect.TypeOf((*MockService)(nil).AuthenticatePassword), arg0, arg1, arg2)
+}
+
+// Discovery mocks base method
+func (m *MockService) Discovery() *idp.DiscoveryResponse {
+	ret := m.ctrl.Call(m, "Discovery")
+	ret0, _ := ret[0].(*idp.DiscoveryResponse)
+	return ret0
+}
+
+// Discovery indicates an expected call of Discovery
+func (mr *MockServiceMockRecorder) Discovery() *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Discovery", reflect.TypeOf((*MockService)(nil).Discovery))
+}
+
+// Exchange mocks base method
+func (m *MockService) Exchange(arg0 string) (*idp.TokenResponse, error) {
+	ret := m.ctrl.Call(m, "Exchange", arg0)
+	ret0, _ := ret[0].(*idp.TokenResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Exchange indicates an expected call of Exchange
+func (mr *MockServiceMockRecorder) Exchange(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exchange", reflect.TypeOf((*MockService)(nil).Exchange), arg0)
+}
+
+// GetCertificates mocks base method
+func (m *MockService) GetCertificates() *idp.CertificatesResponse {
+	ret := m.ctrl.Call(m, "GetCertificates")
+	ret0, _ := ret[0].(*idp.CertificatesResponse)
+	return ret0
+}
+
+// GetCertificates indicates an expected call of GetCertificates
+func (mr *MockServiceMockRecorder) GetCertificates() *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificates", reflect.TypeOf((*MockService)(nil).GetCertificates))
+}
+
+// Refresh mocks base method
+func (m *MockService) Refresh(arg0 string) (*idp.TokenResponse, error) {
+	ret := m.ctrl.Call(m, "Refresh", arg0)
+	ret0, _ := ret[0].(*idp.TokenResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Refresh indicates an expected call of Refresh
+func (mr *MockServiceMockRecorder) Refresh(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockService)(nil).Refresh), arg0)
+}
--- a/e2e_test/idp/service.go
+++ b/e2e_test/idp/service.go
@@ -0,0 +1,120 @@
+package idp
+
+//go:generate mockgen -destination mock_idp/mock_service.go github.com/int128/kubelogin/e2e_test/idp Service
+
+import (
+	"crypto/rsa"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+)
+
+// Service provides discovery and authentication methods.
+// If an implemented method returns an ErrorResponse,
+// the handler will respond 400 and corresponding json of the ErrorResponse.
+// Otherwise, the handler will respond 500 and fail the current test.
+type Service interface {
+	Discovery() *DiscoveryResponse
+	GetCertificates() *CertificatesResponse
+	AuthenticateCode(scope, nonce string) (code string, err error)
+	Exchange(code string) (*TokenResponse, error)
+	AuthenticatePassword(username, password, scope string) (*TokenResponse, error)
+	Refresh(refreshToken string) (*TokenResponse, error)
+}
+
+type DiscoveryResponse struct {
+	Issuer                            string   `json:"issuer"`
+	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
+	TokenEndpoint                     string   `json:"token_endpoint"`
+	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
+	RevocationEndpoint                string   `json:"revocation_endpoint"`
+	JwksURI                           string   `json:"jwks_uri"`
+	ResponseTypesSupported            []string `json:"response_types_supported"`
+	SubjectTypesSupported             []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
+	ScopesSupported                   []string `json:"scopes_supported"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	ClaimsSupported                   []string `json:"claims_supported"`
+	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
+}
+
+// NewDiscoveryResponse returns a DiscoveryResponse for the local server.
+// This is based on https://accounts.google.com/.well-known/openid-configuration.
+func NewDiscoveryResponse(issuer string) *DiscoveryResponse {
+	return &DiscoveryResponse{
+		Issuer:                            issuer,
+		AuthorizationEndpoint:             issuer + "/auth",
+		TokenEndpoint:                     issuer + "/token",
+		JwksURI:                           issuer + "/certs",
+		UserinfoEndpoint:                  issuer + "/userinfo",
+		RevocationEndpoint:                issuer + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     []string{"plain", "S256"},
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+type CertificatesResponse struct {
+	Keys []*CertificatesResponseKey `json:"keys"`
+}
+
+type CertificatesResponseKey struct {
+	Kty string `json:"kty"`
+	Alg string `json:"alg"`
+	Use string `json:"use"`
+	Kid string `json:"kid"`
+	N   string `json:"n"`
+	E   string `json:"e"`
+}
+
+// NewCertificatesResponse returns a CertificatesResponse using the key pair.
+// This is used for verifying a signature of ID token.
+func NewCertificatesResponse(idTokenKeyPair *rsa.PrivateKey) *CertificatesResponse {
+	return &CertificatesResponse{
+		Keys: []*CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+type TokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	IDToken      string `json:"id_token"`
+}
+
+// NewTokenResponse returns a TokenResponse.
+func NewTokenResponse(idToken, refreshToken string) *TokenResponse {
+	return &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		IDToken:      idToken,
+		RefreshToken: refreshToken,
+	}
+}
+
+// ErrorResponse represents an error response described in the following section:
+// 5.2 Error Response
+// https://tools.ietf.org/html/rfc6749#section-5.2
+type ErrorResponse struct {
+	Code        string `json:"error"`
+	Description string `json:"error_description"`
+}
+
+func (err *ErrorResponse) Error() string {
+	return fmt.Sprintf("%s(%s)", err.Code, err.Description)
+}
--- a/e2e_test/keys/keys.go
+++ b/e2e_test/keys/keys.go
@@ -0,0 +1,71 @@
+package keys
+
+import (
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"io/ioutil"
+
+	"golang.org/x/xerrors"
+)
+
+// TLSCACert is path to the CA certificate.
+// This should be generated by Makefile before test.
+const TLSCACert = "keys/testdata/ca.crt"
+
+// TLSCACertAsBase64 is a base64 encoded string of TLSCACert.
+var TLSCACertAsBase64 string
+
+// TLSCACertAsConfig is a TLS config including TLSCACert.
+var TLSCACertAsConfig = &tls.Config{RootCAs: x509.NewCertPool()}
+
+// TLSServerCert is path to the server certificate.
+// This should be generated by Makefile before test.
+const TLSServerCert = "keys/testdata/server.crt"
+
+// TLSServerKey is path to the server key.
+// This should be generated by Makefile before test.
+const TLSServerKey = "keys/testdata/server.key"
+
+// JWSKey is path to the key for signing ID tokens.
+const JWSKey = "keys/testdata/jws.key"
+
+// JWSKeyPair is the key pair loaded from JWSKey.
+var JWSKeyPair *rsa.PrivateKey
+
+func init() {
+	var err error
+	JWSKeyPair, err = readPrivateKey(JWSKey)
+	if err != nil {
+		panic(err)
+	}
+	b, err := ioutil.ReadFile(TLSCACert)
+	if err != nil {
+		panic(err)
+	}
+	TLSCACertAsBase64 = base64.StdEncoding.EncodeToString(b)
+	if !TLSCACertAsConfig.RootCAs.AppendCertsFromPEM(b) {
+		panic("could not append the CA cert")
+	}
+}
+
+func readPrivateKey(name string) (*rsa.PrivateKey, error) {
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		return nil, xerrors.Errorf("could not read JWSKey: %w", err)
+	}
+	block, rest := pem.Decode(b)
+	if block == nil {
+		return nil, xerrors.New("could not decode PEM")
+	}
+	if len(rest) > 0 {
+		return nil, xerrors.New("PEM should contain single key but multiple keys")
+	}
+	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, xerrors.Errorf("could not parse the key: %w", err)
+	}
+	return k, nil
+}
--- a/e2e_test/keys/testdata/.gitignore
+++ b/e2e_test/keys/testdata/.gitignore
@@ -0,0 +1 @@
+/CA
--- a/e2e_test/keys/testdata/Makefile
+++ b/e2e_test/keys/testdata/Makefile
@@ -0,0 +1,54 @@
+all: ca.key ca.crt server.key server.crt jws.key
+
+.PHONY: clean
+clean:
+	-rm -v ca.* server.* jws.*
+
+ca.key:
+	openssl genrsa -out $@ 1024
+
+.INTERMEDIATE: ca.csr
+ca.csr: openssl.cnf ca.key
+	openssl req -config openssl.cnf \
+		-new \
+		-key ca.key \
+		-subj "/CN=Hello CA" \
+		-out $@
+	openssl req -noout -text -in $@
+
+ca.crt: ca.csr ca.key
+	openssl x509 -req \
+		-signkey ca.key \
+		-in ca.csr \
+		-out $@
+	openssl x509 -text -in $@
+
+server.key:
+	openssl genrsa -out $@ 1024
+
+.INTERMEDIATE: server.csr
+server.csr: openssl.cnf server.key
+	openssl req -config openssl.cnf \
+		-new \
+		-key server.key \
+		-subj "/CN=localhost" \
+		-out $@
+	openssl req -noout -text -in $@
+
+server.crt: openssl.cnf server.csr ca.key ca.crt
+	rm -fr ./CA
+	mkdir -p ./CA
+	touch CA/index.txt
+	touch CA/index.txt.attr
+	echo 00 > CA/serial
+	openssl ca -config openssl.cnf \
+		-extensions v3_req \
+		-batch \
+		-cert ca.crt \
+		-keyfile ca.key \
+		-in server.csr \
+		-out $@
+	openssl x509 -text -in $@
+
+jws.key:
+	openssl genrsa -out $@ 1024
--- a/e2e_test/keys/testdata/ca.crt
+++ b/e2e_test/keys/testdata/ca.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnTCCAQYCCQCuPrhkr+BvGzANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAhI
+ZWxsbyBDQTAeFw0xOTA4MTgwNjAwMDZaFw0xOTA5MTcwNjAwMDZaMBMxETAPBgNV
+BAMMCEhlbGxvIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnSTDsRx4U
+JmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ4Pc51itOycWN1nclNVb489i9
+J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3Lu4mysxyOtYZNsdST8GBCP0m4
+2tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
+ACfgNePlOLnLz1zJrWN6RZ6q0a+SSK8HdgSiKSF66SBIRILFoQmapBLXRY9YyATt
+cdgg7pOd1WGCMqlOnhL56c8X5n+j/LGM5hc9PaEJA5vru7EBrnbxCkg0n8yp4Swc
+8KFV5IiZ5D8t03AHjrXLQg8/HRzTuFRJJ1nJmc+FbnjT
+-----END CERTIFICATE-----
--- a/e2e_test/keys/testdata/ca.key
+++ b/e2e_test/keys/testdata/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDnSTDsRx4UJmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ
+4Pc51itOycWN1nclNVb489i9J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3L
+u4mysxyOtYZNsdST8GBCP0m42tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQAB
+AoGAaYmTYm29QvKW4et9oPxDjpYG0bqlz7P0xFRR9kKtKTATAMHjWeu2xFR/JI+b
+rvJLIdZqHmWe5AmMb3NxZgfLonEB71ohaKQha1L8Vc7aoedRheJvqqaNr+ZxoCMO
+8xcjsaMYxLEVt0tg6XyKyEhi1/hOufFZ4BSng4oQbrpaNIkCQQD6hPEzzPZtMEEe
+eRdwTVUIStKFMQbRdwZ5Oc7pyDk2U+SFRJiqkBkqnmFekcf2UgbBQxem+GMhWNgE
+LItKy/wVAkEA7FiHxbzn2msaE3hZCWudtnXqmJNuPO0zJ5icXe2svwmwPfLA/rm9
+iazCuyzyK67J8IG9QgIjQFYXtQbMr2chGwJBAMm3dghBx0LQEf8Zfdf9TLSqmqyI
+d3b+IgZGl+cCQ58NGfp863ibIsiAUuK0+4/JKItBHLBjXF6jjPx/aYFGkqkCQH4w
+GnXCEYx1qJuCow87jR4xQQsrlC0lfC2E9t/TmWr6UkYRCWg3ZXJPcj0bl0Upcppd
+ut22ZHniPZAizEBOcMcCQQDnMEOxufxhMsx2NC8yON/noewLINqKcbkMsl6DjvJl
+wLbQmzJ0j+uIBgdpsj4rWnEr7GxoL2eWG44QDUBco79
+-----END RSA PRIVATE KEY-----
--- a/e2e_test/keys/testdata/jws.key
+++ b/e2e_test/keys/testdata/jws.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQCZukkN1GxMlNXkpOZxCnvCF874/rn1sNKzO98fOwmBRPG2+m/c
+yqBY7t2L2nihqz3+GZTiHmzSrBzMAGPVW1qGmk9KYg3m7akz9SiCxdoUkgM9MCCp
+X/s8IhgtXkyoKFPcGdwHblDl/3aJG02b6TAQD8vTNQAKoKw7L0FST+pvRwIDAQAB
+AoGBAJT1fXR5MbfDQL+dSe6fSex5RYTgzzDTdldW3I1Wl487Tz0OzvYTIe0LCIJL
+4DhHxnpCL5IsCSbav8ytVA+ZxczHpEW6UxbalXt5UfgFu0joTrdoGxDcVWgUCW3J
+Olbln0lOP55wViKh509gt45Za3VxJrNul3khVfVj7qGG9cKBAkEAxwtT8LxwqTYF
+nqoeZvPp15JAqlgdk38ttJa4KEqvpBTSxNIXkL9T5gJ+irKZAzxlz/U7bhn5mw6E
+3xFiljOXpQJBAMW3XRFOjgNBXNjbt81wREF5LdZl9EI8cRMSH6xljt2uwSqw4EG3
+76gFvccUd+WnfspFQZVypSSD4pWzsAqh13sCQQCA9BLW5Y7r4ab0a2y08JNwaT1h
+3yKSO5QF6pu25uQyHpeKkj5YNcyKONV40EqXsRqZB10QcN2omlh1GJNRkm1NAkEA
+qV3lr4mnRUqcinfM/4MINT3k8h/sGUFFa5y+3SMyOtwURMm3kRRLi5c/dmYmPug4
+SHUDNU48AQeo9awzRShWOQJBAJdw+cfRgi4fo3HY33uZdFa1T9G+qTA2ijhco6O3
+8tOc0yOFEtPNXM87MsHGIQP3ZCLfIY1gs2O3WCTFbPxR4rc=
+-----END RSA PRIVATE KEY-----
--- a/e2e_test/keys/testdata/openssl.cnf
+++ b/e2e_test/keys/testdata/openssl.cnf
@@ -0,0 +1,37 @@
+[ ca ]
+default_ca      = CA_default
+
+[ CA_default ]
+dir             = ./CA
+certs           = $dir
+crl_dir         = $dir
+database        = $dir/index.txt
+new_certs_dir   = $dir
+default_md      = sha256
+policy          = policy_match
+serial          = $dir/serial
+default_days    = 3650
+
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+distinguished_name	= req_distinguished_name
+req_extensions = v3_req
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = DNS:localhost
+
+[ v3_ca ]
+basicConstraints = CA:true
--- a/e2e_test/keys/testdata/server.crt
+++ b/e2e_test/keys/testdata/server.crt
@@ -0,0 +1,52 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Hello CA
+        Validity
+            Not Before: Aug 18 06:00:06 2019 GMT
+            Not After : Aug 15 06:00:06 2029 GMT
+        Subject: CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:d6:4e:eb:3a:cb:25:f9:7e:92:22:f2:63:99:da:
+                    08:05:8b:a3:e7:d3:fd:71:3e:bd:da:c5:d5:63:b7:
+                    d3:7b:f8:cd:1a:2e:5c:a2:4f:48:98:c2:b4:da:e8:
+                    1e:d3:d7:8f:d8:ee:a9:70:d0:9d:4f:f4:8d:95:e5:
+                    8e:9a:71:b6:80:aa:0b:cb:28:1d:f6:0d:7e:aa:78:
+                    bf:30:e6:58:d7:6b:92:8f:19:1c:7d:95:f8:d5:2f:
+                    8c:58:49:98:88:05:50:88:80:a9:77:c4:16:b4:c1:
+                    00:45:1e:d3:d0:ed:98:4d:f7:a3:5d:f1:82:cb:a5:
+                    4d:19:64:4d:43:db:13:d4:17
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         5a:5c:5e:8b:de:82:86:f4:98:40:0e:cf:c5:51:fe:89:46:49:
+         f0:26:d2:a5:06:e3:91:43:c1:f8:b2:ad:b7:a1:23:13:1a:80:
+         45:00:51:70:b6:06:63:c6:a8:c8:22:5d:1b:00:e0:4a:8c:2e:
+         ce:b4:da:b1:89:8a:d2:d0:e3:eb:0f:16:34:45:a1:bd:64:5c:
+         48:41:8c:0a:bf:66:be:1c:a8:35:47:ce:b0:dc:c8:4f:5e:c1:
+         ec:ef:21:fb:45:55:95:e3:99:40:46:0b:6c:8a:b3:d5:f0:bf:
+         39:a4:ba:c4:d7:58:88:58:08:07:98:59:6e:ca:9c:08:e4:c4:
+         4f:db
+-----BEGIN CERTIFICATE-----
+MIIBzTCCATagAwIBAgIBADANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhIZWxs
+byBDQTAeFw0xOTA4MTgwNjAwMDZaFw0yOTA4MTUwNjAwMDZaMBQxEjAQBgNVBAMM
+CWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1k7rOssl+X6S
+IvJjmdoIBYuj59P9cT692sXVY7fTe/jNGi5cok9ImMK02uge09eP2O6pcNCdT/SN
+leWOmnG2gKoLyygd9g1+qni/MOZY12uSjxkcfZX41S+MWEmYiAVQiICpd8QWtMEA
+RR7T0O2YTfejXfGCy6VNGWRNQ9sT1BcCAwEAAaMwMC4wCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBeAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4GB
+AFpcXovegob0mEAOz8VR/olGSfAm0qUG45FDwfiyrbehIxMagEUAUXC2BmPGqMgi
+XRsA4EqMLs602rGJitLQ4+sPFjRFob1kXEhBjAq/Zr4cqDVHzrDcyE9ewezvIftF
+VZXjmUBGC2yKs9XwvzmkusTXWIhYCAeYWW7KnAjkxE/b
+-----END CERTIFICATE-----
--- a/e2e_test/keys/testdata/server.key
+++ b/e2e_test/keys/testdata/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDWTus6yyX5fpIi8mOZ2ggFi6Pn0/1xPr3axdVjt9N7+M0aLlyi
+T0iYwrTa6B7T14/Y7qlw0J1P9I2V5Y6acbaAqgvLKB32DX6qeL8w5ljXa5KPGRx9
+lfjVL4xYSZiIBVCIgKl3xBa0wQBFHtPQ7ZhN96Nd8YLLpU0ZZE1D2xPUFwIDAQAB
+AoGBAJhNR7Dl1JwFzndViWE6aP7/6UEFEBWeADDs7aTLbFmrTJ+xmRWkgLRHk14L
+HnVwuYLywaoyJ8o9wy1nEbxC2e4zWZ94d351MQf3/komCXDBzEsktfAcNsAFnMmS
+HZuGXfhi0FYWoftpIGxUmEBmQRcq0ctycbLves6TY3y+oajpAkEA8UHmSr/zsM3E
+XQXPp2BCAvRrTH/njk4R0jwB29Bi89gt/XDD4uvfWbHw7TZxnZuCpWisnxpMPIwa
+1rjqIQmhEwJBAONncQUOxwYCIuvraIhV0QtkIUa+YpTvAxP8ZNXx+agtHmHG2TTf
+kGv2YddvjxXZItN/FZOzUGm9OptaeLRTpW0CQHO8CEzNnoqve0agtgf2LlSaiiqt
+pRhoLTZsYPvhEMcnapCNGvtt6bxul0REfOZ9poPRHhZJGE9naqydEnv80Y8CQQC3
+pxLfws95SsBpR/VkJepuCK/XMmrrXRxfR7coEgROjiG7VZyV1vgMOS9Ljg1A19wI
+cto6LtcCjpCGZsqU1/kBAkEAv2tXBts3vuIjguZNMz7KLWmu3zG2SQRaqdEZwL+R
+DQmD5tbI6gEtd5OmgmSiW8A4mpfgFYvG7Um2fwi7TTXtSA==
+-----END RSA PRIVATE KEY-----
--- a/e2e_test/kubeconfig/kubeconfig.go
+++ b/e2e_test/kubeconfig/kubeconfig.go
@@ -0,0 +1,80 @@
+package kubeconfig
+
+import (
+	"html/template"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"gopkg.in/yaml.v2"
+)
+
+// Values represents values in .kubeconfig template.
+type Values struct {
+	Issuer                      string
+	ExtraScopes                 string
+	IDPCertificateAuthority     string
+	IDPCertificateAuthorityData string
+	IDToken                     string
+	RefreshToken                string
+}
+
+// Create creates a kubeconfig file and returns path to it.
+func Create(t *testing.T, v *Values) string {
+	t.Helper()
+	f, err := ioutil.TempFile("", "kubeconfig")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	tpl, err := template.ParseFiles("kubeconfig/testdata/kubeconfig.yaml")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := tpl.Execute(f, v); err != nil {
+		t.Fatal(err)
+	}
+	return f.Name()
+}
+
+type AuthProviderConfig struct {
+	IDToken      string `yaml:"id-token"`
+	RefreshToken string `yaml:"refresh-token"`
+}
+
+// Verify returns true if the kubeconfig has valid values.
+func Verify(t *testing.T, kubeconfig string, want AuthProviderConfig) {
+	t.Helper()
+	f, err := os.Open(kubeconfig)
+	if err != nil {
+		t.Errorf("could not open kubeconfig: %s", err)
+		return
+	}
+	defer f.Close()
+
+	var y struct {
+		Users []struct {
+			User struct {
+				AuthProvider struct {
+					Config AuthProviderConfig `yaml:"config"`
+				} `yaml:"auth-provider"`
+			} `yaml:"user"`
+		} `yaml:"users"`
+	}
+	d := yaml.NewDecoder(f)
+	if err := d.Decode(&y); err != nil {
+		t.Errorf("could not decode YAML: %s", err)
+		return
+	}
+	if len(y.Users) != 1 {
+		t.Errorf("len(users) wants 1 but %d", len(y.Users))
+		return
+	}
+	currentConfig := y.Users[0].User.AuthProvider.Config
+	if currentConfig.IDToken != want.IDToken {
+		t.Errorf("id-token wants %s but %s", want.IDToken, currentConfig.IDToken)
+	}
+	if currentConfig.RefreshToken != want.RefreshToken {
+		t.Errorf("refresh-token wants %s but %s", want.RefreshToken, currentConfig.RefreshToken)
+	}
+}
--- a/e2e_test/kubeconfig/testdata/dummy.yaml
+++ b/e2e_test/kubeconfig/testdata/dummy.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+current-context: dummy
+kind: Config
+preferences: {}
--- a/e2e_test/kubeconfig/testdata/kubeconfig.yaml
+++ b/e2e_test/kubeconfig/testdata/kubeconfig.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Config
+clusters:
+  - cluster:
+      server: https://api.hello.k8s.example.com
+      name: hello.k8s.local
+contexts:
+- context:
+    cluster: hello.k8s.local
+    user: hello.k8s.local
+  name: hello.k8s.local
+current-context: hello.k8s.local
+preferences: {}
+users:
+- name: hello.k8s.local
+  user:
+    auth-provider:
+      config:
+        client-id: kubernetes
+        client-secret: a3c508c3-73c9-42e2-ab14-487a1bf67c33
+        idp-issuer-url: {{ .Issuer }}
+#{{ if .ExtraScopes }}
+        extra-scopes: {{ .ExtraScopes }}
+#{{ end }}
+#{{ if .IDPCertificateAuthority }}
+        idp-certificate-authority: {{ .IDPCertificateAuthority }}
+#{{ end }}
+#{{ if .IDPCertificateAuthorityData }}
+        idp-certificate-authority-data: {{ .IDPCertificateAuthorityData }}
+#{{ end }}
+#{{ if .IDToken }}
+        id-token: {{ .IDToken }}
+#{{ end }}
+#{{ if .RefreshToken }}
+        refresh-token: {{ .RefreshToken }}
+#{{ end }}
+      name: oidc
--- a/e2e_test/localserver/authserver.go
+++ b/e2e_test/localserver/authserver.go
@@ -0,0 +1,76 @@
+// Package localserver provides a http server running on localhost.
+// This is only for testing.
+//
+package localserver
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"testing"
+)
+
+type Shutdowner interface {
+	Shutdown(t *testing.T, ctx context.Context)
+}
+
+type shutdowner struct {
+	l net.Listener
+	s *http.Server
+}
+
+func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
+	// s.Shutdown() closes the lister as well,
+	// so we do not need to call l.Close() explicitly
+	if err := s.s.Shutdown(ctx); err != nil {
+		t.Errorf("Could not shutdown the server: %s", err)
+	}
+}
+
+// Start starts an authentication server.
+func Start(t *testing.T, h http.Handler) (string, Shutdowner) {
+	t.Helper()
+	l, port := newLocalhostListener(t)
+	url := "http://localhost:" + port
+	s := &http.Server{
+		Handler: h,
+	}
+	go func() {
+		err := s.Serve(l)
+		if err != nil && err != http.ErrServerClosed {
+			t.Error(err)
+		}
+	}()
+	return url, &shutdowner{l, s}
+}
+
+// Start starts an authentication server with TLS.
+func StartTLS(t *testing.T, cert string, key string, h http.Handler) (string, Shutdowner) {
+	t.Helper()
+	l, port := newLocalhostListener(t)
+	url := "https://localhost:" + port
+	s := &http.Server{
+		Handler: h,
+	}
+	go func() {
+		err := s.ServeTLS(l, cert, key)
+		if err != nil && err != http.ErrServerClosed {
+			t.Error(err)
+		}
+	}()
+	return url, &shutdowner{l, s}
+}
+
+func newLocalhostListener(t *testing.T) (net.Listener, string) {
+	t.Helper()
+	l, err := net.Listen("tcp", "localhost:0")
+	if err != nil {
+		t.Fatalf("Could not create a listener: %s", err)
+	}
+	addr := l.Addr().String()
+	_, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		t.Fatalf("Could not parse the address %s: %s", addr, err)
+	}
+	return l, port
+}
--- a/e2e_test/logger/logger.go
+++ b/e2e_test/logger/logger.go
@@ -0,0 +1,27 @@
+package logger
+
+import (
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+)
+
+func New(t testingLogger) *logger.Logger {
+	b := &bridge{t}
+	return logger.NewWith(b, b)
+}
+
+type testingLogger interface {
+	Logf(format string, v ...interface{})
+}
+
+type bridge struct {
+	t testingLogger
+}
+
+func (b *bridge) Printf(format string, v ...interface{}) {
+	b.t.Logf(format, v...)
+}
+
+func (b *bridge) Output(calldepth int, s string) error {
+	b.t.Logf("%s", s)
+	return nil
+}
--- a/e2e_test/login_test.go
+++ b/e2e_test/login_test.go
@@ -0,0 +1,386 @@
+package e2e_test
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+	"os"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/e2e_test/idp"
+	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
+	"github.com/int128/kubelogin/e2e_test/keys"
+	"github.com/int128/kubelogin/e2e_test/kubeconfig"
+	"github.com/int128/kubelogin/e2e_test/localserver"
+	"github.com/int128/kubelogin/e2e_test/logger"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/usecases"
+)
+
+var (
+	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
+	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
+)
+
+// Run the integration tests of the Login use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the kubeconfig.
+//
+func TestCmd_Run_Login(t *testing.T) {
+	timeout := 1 * time.Second
+
+	type testParameter struct {
+		startServer                       func(t *testing.T, h http.Handler) (string, localserver.Shutdowner)
+		kubeconfigIDPCertificateAuthority string
+		clientTLSConfig                   *tls.Config
+	}
+
+	testParameters := map[string]testParameter{
+		"NoTLS": {
+			startServer: localserver.Start,
+		},
+		"CACert": {
+			startServer: func(t *testing.T, h http.Handler) (string, localserver.Shutdowner) {
+				return localserver.StartTLS(t, keys.TLSServerCert, keys.TLSServerKey, h)
+			},
+			kubeconfigIDPCertificateAuthority: keys.TLSCACert,
+			clientTLSConfig:                   keys.TLSCACertAsConfig,
+		},
+	}
+
+	runTest := func(t *testing.T, p testParameter) {
+		t.Run("Defaults", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			defer cancel()
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			service := mock_idp.NewMockService(ctrl)
+			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
+			defer server.Shutdown(t, ctx)
+			var idToken string
+			setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+
+			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+				Issuer:                  serverURL,
+				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
+			})
+			defer os.Remove(kubeConfigFilename)
+
+			req := startBrowserRequest(t, ctx, p.clientTLSConfig)
+			runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
+			req.wait()
+			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+				IDToken:      idToken,
+				RefreshToken: "YOUR_REFRESH_TOKEN",
+			})
+		})
+
+		t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			defer cancel()
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			service := mock_idp.NewMockService(ctrl)
+			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
+			defer server.Shutdown(t, ctx)
+			idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
+			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
+			service.EXPECT().AuthenticatePassword("USER", "PASS", "openid").
+				Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
+
+			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+				Issuer:                  serverURL,
+				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
+			})
+			defer os.Remove(kubeConfigFilename)
+
+			runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--username", "USER", "--password", "PASS")
+			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+				IDToken:      idToken,
+				RefreshToken: "YOUR_REFRESH_TOKEN",
+			})
+		})
+
+		t.Run("HasValidToken", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			defer cancel()
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			service := mock_idp.NewMockService(ctrl)
+			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
+			defer server.Shutdown(t, ctx)
+			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+
+			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+				Issuer:                  serverURL,
+				IDToken:                 idToken,
+				RefreshToken:            "YOUR_REFRESH_TOKEN",
+				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
+			})
+			defer os.Remove(kubeConfigFilename)
+
+			runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
+			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+				IDToken:      idToken,
+				RefreshToken: "YOUR_REFRESH_TOKEN",
+			})
+		})
+
+		t.Run("HasValidRefreshToken", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			defer cancel()
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			service := mock_idp.NewMockService(ctrl)
+			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
+			defer server.Shutdown(t, ctx)
+			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
+			service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
+				Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
+
+			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+				Issuer:                  serverURL,
+				IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
+				RefreshToken:            "VALID_REFRESH_TOKEN",
+				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
+			})
+			defer os.Remove(kubeConfigFilename)
+
+			runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
+			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+				IDToken:      idToken,
+				RefreshToken: "NEW_REFRESH_TOKEN",
+			})
+		})
+
+		t.Run("HasExpiredRefreshToken", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			defer cancel()
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			service := mock_idp.NewMockService(ctrl)
+			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
+			defer server.Shutdown(t, ctx)
+			var idToken string
+			setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+			service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
+				Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
+				MaxTimes(2) // package oauth2 will retry refreshing the token
+
+			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+				Issuer:                  serverURL,
+				IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
+				RefreshToken:            "EXPIRED_REFRESH_TOKEN",
+				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
+			})
+			defer os.Remove(kubeConfigFilename)
+
+			req := startBrowserRequest(t, ctx, p.clientTLSConfig)
+			runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
+			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+				IDToken:      idToken,
+				RefreshToken: "YOUR_REFRESH_TOKEN",
+			})
+		})
+	}
+
+	for name, p := range testParameters {
+		t.Run(name, func(t *testing.T) {
+			runTest(t, p)
+		})
+	}
+
+	t.Run("env:KUBECONFIG", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
+		defer server.Shutdown(t, ctx)
+		var idToken string
+		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{Issuer: serverURL})
+		defer os.Remove(kubeConfigFilename)
+		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
+		defer unsetenv(t, "KUBECONFIG")
+
+		req := startBrowserRequest(t, ctx, nil)
+		runCmd(t, ctx, req, "--skip-open-browser", "--listen-port", "0")
+		req.wait()
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
+		defer server.Shutdown(t, ctx)
+		var idToken string
+		setupMockIDPForCodeFlow(t, service, serverURL, "profile groups openid", &idToken)
+
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:      serverURL,
+			ExtraScopes: "profile,groups",
+		})
+		defer os.Remove(kubeConfigFilename)
+
+		req := startBrowserRequest(t, ctx, nil)
+		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
+		req.wait()
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+}
+
+func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
+	t.Helper()
+	var claims struct {
+		jwt.StandardClaims
+		Nonce  string   `json:"nonce"`
+		Groups []string `json:"groups"`
+	}
+	claims.StandardClaims = jwt.StandardClaims{
+		Issuer:    issuer,
+		Audience:  "kubernetes",
+		Subject:   "SUBJECT",
+		IssuedAt:  time.Now().Unix(),
+		ExpiresAt: expiry.Unix(),
+	}
+	claims.Nonce = nonce
+	claims.Groups = []string{"admin", "users"}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	s, err := token.SignedString(keys.JWSKeyPair)
+	if err != nil {
+		t.Fatalf("Could not sign the claims: %s", err)
+	}
+	return s
+}
+
+func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
+	var nonce string
+	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
+	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
+		DoAndReturn(func(_, gotNonce string) (string, error) {
+			nonce = gotNonce
+			return "YOUR_AUTH_CODE", nil
+		})
+	service.EXPECT().Exchange("YOUR_AUTH_CODE").
+		DoAndReturn(func(string) (*idp.TokenResponse, error) {
+			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
+			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
+		})
+}
+
+func runCmd(t *testing.T, ctx context.Context, s usecases.LoginShowLocalServerURL, args ...string) {
+	t.Helper()
+	cmd := di.NewCmdForHeadless(logger.New(t), s, nil)
+	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "--v=1"}, args...), "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+type nopBrowserRequest struct {
+	t *testing.T
+}
+
+func (r *nopBrowserRequest) ShowLocalServerURL(url string) {
+	r.t.Errorf("ShowLocalServerURL must not be called")
+}
+
+type browserRequest struct {
+	t     *testing.T
+	urlCh chan<- string
+	wg    *sync.WaitGroup
+}
+
+func (r *browserRequest) ShowLocalServerURL(url string) {
+	defer close(r.urlCh)
+	r.t.Logf("Open %s for authentication", url)
+	r.urlCh <- url
+}
+
+func (r *browserRequest) wait() {
+	r.wg.Wait()
+}
+
+func startBrowserRequest(t *testing.T, ctx context.Context, tlsConfig *tls.Config) *browserRequest {
+	t.Helper()
+	urlCh := make(chan string)
+	var wg sync.WaitGroup
+	go func() {
+		defer wg.Done()
+		select {
+		case url := <-urlCh:
+			client := http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
+			req, err := http.NewRequest("GET", url, nil)
+			if err != nil {
+				t.Errorf("could not create a request: %s", err)
+				return
+			}
+			req = req.WithContext(ctx)
+			resp, err := client.Do(req)
+			if err != nil {
+				t.Errorf("could not send a request: %s", err)
+				return
+			}
+			defer resp.Body.Close()
+			if resp.StatusCode != 200 {
+				t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+			}
+		case err := <-ctx.Done():
+			t.Errorf("context done while waiting for URL prompt: %s", err)
+		}
+	}()
+	wg.Add(1)
+	return &browserRequest{t, urlCh, &wg}
+}
+
+func setenv(t *testing.T, key, value string) {
+	t.Helper()
+	if err := os.Setenv(key, value); err != nil {
+		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
+	}
+}
+
+func unsetenv(t *testing.T, key string) {
+	t.Helper()
+	if err := os.Unsetenv(key); err != nil {
+		t.Fatalf("Could not unset the env var %s: %s", key, err)
+	}
+}
--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,23 @@
+module github.com/int128/kubelogin
+
+go 1.12
+
+require (
+	github.com/coreos/go-oidc v2.0.0+incompatible
+	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
+	github.com/go-test/deep v1.0.2
+	github.com/golang/mock v1.3.1
+	github.com/google/wire v0.3.0
+	github.com/int128/oauth2cli v1.4.1
+	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
+	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
+	github.com/spf13/cobra v0.0.5
+	github.com/spf13/pflag v1.0.3
+	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
+	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
+	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
+	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
+	gopkg.in/yaml.v2 v2.2.2
+	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
+	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
+)
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,145 @@
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
+github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
+github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda h1:NyywMz59neOoVRFDz+ccfKWxn784fiHMDnZSy6T+JXY=
+github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
+github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 h1:WSBJMqJbLxsn+bTCPyPYZfqHdJmc8MK4wrBjMft6BAM=
+github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
+github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
+github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/wire v0.3.0 h1:imGQZGEVEHpje5056+K+cgdO72p0LQv2xIIFXNGUf60=
+github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4=
+github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/int128/oauth2cli v1.4.1 h1:IsaYMafEDS1jyArxYdmksw+nMsNxiYCQzdkPj3QF9BY=
+github.com/int128/oauth2cli v1.4.1/go.mod h1:CMJjyUSgKiobye1M/9byFACOjtB2LRo2mo7boklEKlI=
+github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE=
+github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 h1:49lOXmGaUpV9Fz3gd7TFZY106KVlPVa5jcYD1gaQf98=
+github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
+github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
+github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4=
+github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+golang.org/x/crypto v0.0.0-20181025213731-e84da0312774 h1:a4tQYYYuK9QdeO/+kEvNYyuR21S+7ve5EANok6hABhI=
+golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80=
+golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/oauth2 v0.0.0-20190319182350-c85d3e98c914/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
+golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU=
+golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20161028155119-f51c12702a4d h1:TnM+PKb3ylGmZvyPXmo9m/wktg7Jn/a/fNmr33HSj8g=
+golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
+gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
+k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw=
+k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
+k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g=
+k8s.io/client-go v0.0.0-20190620085101-78d2af792bab/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k=
+k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o=
+k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68=
+k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
+k8s.io/utils v0.0.0-20190221042446-c2654d5206da h1:ElyM7RPonbKnQqOcw7dG2IK5uvQQn3b/WPHqD5mBvP4=
+k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
--- a/kubeconfig/auth.go
+++ b/kubeconfig/auth.go
@@ -1,52 +0,0 @@
-package kubeconfig
-
-import (
-	"fmt"
-
-	"k8s.io/client-go/tools/clientcmd/api"
-)
-
-// FindCurrentAuthInfo returns the authInfo of current context.
-// If the current context does not exist, this returns nil.
-func FindCurrentAuthInfo(config *api.Config) *api.AuthInfo {
-	context := config.Contexts[config.CurrentContext]
-	if context == nil {
-		return nil
-	}
-	return config.AuthInfos[context.AuthInfo]
-}
-
-func ToOIDCAuthProviderConfig(authInfo *api.AuthInfo) (*OIDCAuthProviderConfig, error) {
-	if authInfo.AuthProvider == nil {
-		return nil, fmt.Errorf("auth-provider is not set, did you setup kubectl as listed here: https://github.com/int128/kubelogin#3-setup-kubectl")
-	}
-	if authInfo.AuthProvider.Name != "oidc" {
-		return nil, fmt.Errorf("auth-provider `%s` is not supported", authInfo.AuthProvider.Name)
-	}
-	return (*OIDCAuthProviderConfig)(authInfo.AuthProvider), nil
-}
-
-type OIDCAuthProviderConfig api.AuthProviderConfig
-
-// IDPIssuerURL returns the idp-issuer-url.
-func (c *OIDCAuthProviderConfig) IDPIssuerURL() string {
-	return c.Config["idp-issuer-url"]
-}
-
-// ClientID returns the client-id.
-func (c *OIDCAuthProviderConfig) ClientID() string {
-	return c.Config["client-id"]
-}
-
-// ClientSecret returns the client-secret.
-func (c *OIDCAuthProviderConfig) ClientSecret() string {
-	return c.Config["client-secret"]
-}
-
-func (c *OIDCAuthProviderConfig) SetIDToken(idToken string) {
-	c.Config["id-token"] = idToken
-}
-
-func (c *OIDCAuthProviderConfig) SetRefreshToken(refreshToken string) {
-	c.Config["refresh-token"] = refreshToken
-}
--- a/kubeconfig/kubeconfig.go
+++ b/kubeconfig/kubeconfig.go
@@ -1,48 +0,0 @@
-package kubeconfig
-
-import (
-	"fmt"
-	"os"
-
-	homedir "github.com/mitchellh/go-homedir"
-	"k8s.io/client-go/tools/clientcmd"
-	"k8s.io/client-go/tools/clientcmd/api"
-)
-
-const userKubeConfig = "~/.kube/config"
-
-// Find returns path to the kubeconfig file,
-// that is given by env:KUBECONFIG or ~/.kube/config.
-// This returns an error if it is not found or I/O error occurred.
-func Find() (string, error) {
-	path := os.Getenv("KUBECONFIG")
-	if path == "" {
-		var err error
-		path, err = homedir.Expand(userKubeConfig)
-		if err != nil {
-			return "", fmt.Errorf("Could not expand %s: %s", userKubeConfig, err)
-		}
-	}
-	info, err := os.Stat(path)
-	if err != nil {
-		return "", fmt.Errorf("Could not stat %s: %s", userKubeConfig, err)
-	}
-	if info.IsDir() {
-		return "", fmt.Errorf("%s should be a file", userKubeConfig)
-	}
-	return path, nil
-}
-
-// Load loads the file and returns the Config.
-func Load(path string) (*api.Config, error) {
-	config, err := clientcmd.LoadFromFile(path)
-	if err != nil {
-		return nil, fmt.Errorf("Could not load kubeconfig from %s: %s", path, err)
-	}
-	return config, nil
-}
-
-// Write writes the config to the file.
-func Write(config *api.Config, path string) error {
-	return clientcmd.WriteToFile(*config, path)
-}
--- a/kubelogin.rb
+++ b/kubelogin.rb
@@ -0,0 +1,15 @@
+class Kubelogin < Formula
+  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
+  homepage "https://github.com/int128/kubelogin"
+  url "https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip"
+  version "{{ env "VERSION" }}"
+  sha256 "{{ sha256 .darwin_amd64_archive }}"
+  def install
+    bin.install "kubelogin" => "kubelogin"
+    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
+  end
+  test do
+    system "#{bin}/kubelogin -h"
+    system "#{bin}/kubectl-oidc_login -h"
+  end
+end
--- a/main.go
+++ b/main.go
@@ -2,40 +2,13 @@ package main

 import (
 	"context"
-	"log"
+	"os"

-	"github.com/int128/kubelogin/authn"
-	"github.com/int128/kubelogin/kubeconfig"
+	"github.com/int128/kubelogin/pkg/di"
 )

+var version = "HEAD"
+
 func main() {
-	path, err := kubeconfig.Find()
-	if err != nil {
-		log.Fatalf("Could not find kubeconfig: %s", err)
-	}
-	log.Printf("Reading %s", path)
-	cfg, err := kubeconfig.Load(path)
-	if err != nil {
-		log.Fatalf("Could not load kubeconfig: %s", err)
-	}
-	log.Printf("Using current context: %s", cfg.CurrentContext)
-	authInfo := kubeconfig.FindCurrentAuthInfo(cfg)
-	if authInfo == nil {
-		log.Fatalf("Could not find current context: %s", cfg.CurrentContext)
-	}
-	authProvider, err := kubeconfig.ToOIDCAuthProviderConfig(authInfo)
-	if err != nil {
-		log.Fatalf("Could not find auth-provider: %s", err)
-	}
-
-	ctx := context.Background()
-	token, err := authn.GetTokenSet(ctx, authProvider.IDPIssuerURL(), authProvider.ClientID(), authProvider.ClientSecret())
-	if err != nil {
-		log.Fatalf("Authentication error: %s", err)
-	}
-
-	authProvider.SetIDToken(token.IDToken)
-	authProvider.SetRefreshToken(token.RefreshToken)
-	kubeconfig.Write(cfg, path)
-	log.Printf("Updated %s", path)
+	os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
 }
--- a/oidc-login.yaml
+++ b/oidc-login.yaml
@@ -0,0 +1,58 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: oidc-login
+spec:
+  homepage: https://github.com/int128/kubelogin
+  shortDescription: Log in to the OpenID Connect provider
+  description: |
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.
+
+  caveats: |
+    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+    See https://github.com/int128/kubelogin for more.
+
+  version: {{ env "VERSION" }}
+  platforms:
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
+      sha256: "{{ sha256 .linux_amd64_archive }}"
+      bin: kubelogin
+      files:
+        - from: "kubelogin"
+          to: "."
+      selector:
+        matchLabels:
+          os: linux
+          arch: amd64
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip
+      sha256: "{{ sha256 .darwin_amd64_archive }}"
+      bin: kubelogin
+      files:
+        - from: "kubelogin"
+          to: "."
+      selector:
+        matchLabels:
+          os: darwin
+          arch: amd64
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_windows_amd64.zip
+      sha256: "{{ sha256 .windows_amd64_archive }}"
+      bin: kubelogin.exe
+      files:
+        - from: "kubelogin.exe"
+          to: "."
+      selector:
+        matchLabels:
+          os: windows
+          arch: amd64
--- a/pkg/adaptors/cmd/cmd.go
+++ b/pkg/adaptors/cmd/cmd.go
@@ -0,0 +1,211 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+	"k8s.io/client-go/util/homedir"
+)
+
+// Set provides an implementation and interface for Cmd.
+var Set = wire.NewSet(
+	wire.Struct(new(Cmd), "*"),
+	wire.Bind(new(adaptors.Cmd), new(*Cmd)),
+)
+
+const examples = `  # Login to the provider using the authorization code flow.
+  %[1]s
+
+  # Login to the provider using the resource owner password credentials flow.
+  %[1]s --username USERNAME --password PASSWORD
+
+  # Run as a credential plugin.
+  %[1]s get-token --oidc-issuer-url=https://issuer.example.com`
+
+var defaultListenPort = []int{8000, 18000}
+var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
+
+// Cmd provides interaction with command line interface (CLI).
+type Cmd struct {
+	Login    usecases.Login
+	GetToken usecases.GetToken
+	Logger   adaptors.Logger
+}
+
+// Run parses the command line arguments and executes the specified use-case.
+// It returns an exit code, that is 0 on success or 1 on error.
+func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
+	executable := filepath.Base(args[0])
+
+	rootCmd := newRootCmd(ctx, executable, cmd)
+	rootCmd.Version = version
+	rootCmd.SilenceUsage = true
+	rootCmd.SilenceErrors = true
+
+	getTokenCmd := newGetTokenCmd(ctx, cmd)
+	rootCmd.AddCommand(getTokenCmd)
+
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version information",
+		Args:  cobra.NoArgs,
+		Run: func(*cobra.Command, []string) {
+			cmd.Logger.Printf("%s version %s", executable, version)
+		},
+	}
+	rootCmd.AddCommand(versionCmd)
+
+	rootCmd.SetArgs(args[1:])
+	if err := rootCmd.Execute(); err != nil {
+		cmd.Logger.Printf("error: %s", err)
+		cmd.Logger.Debugf(1, "stacktrace: %+v", err)
+		return 1
+	}
+	return 0
+}
+
+// kubectlOptions represents kubectl specific options.
+type kubectlOptions struct {
+	Kubeconfig           string
+	Context              string
+	User                 string
+	CertificateAuthority string
+	SkipTLSVerify        bool
+	Verbose              int
+}
+
+func (o *kubectlOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
+	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
+	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
+	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.IntVarP(&o.Verbose, "v", "v", 0, "If set to 1 or greater, it shows debug log")
+}
+
+// loginOptions represents the options for Login use-case.
+type loginOptions struct {
+	ListenPort      []int
+	SkipOpenBrowser bool
+	Username        string
+	Password        string
+}
+
+func (o *loginOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
+	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
+}
+
+func newRootCmd(ctx context.Context, executable string, cmd *Cmd) *cobra.Command {
+	var o struct {
+		kubectlOptions
+		loginOptions
+	}
+	rootCmd := &cobra.Command{
+		Use:     executable,
+		Short:   "Login to the OpenID Connect provider and update the kubeconfig",
+		Example: fmt.Sprintf(examples, executable),
+		Args:    cobra.NoArgs,
+		RunE: func(*cobra.Command, []string) error {
+			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
+			in := usecases.LoginIn{
+				KubeconfigFilename: o.Kubeconfig,
+				KubeconfigContext:  kubeconfig.ContextName(o.Context),
+				KubeconfigUser:     kubeconfig.UserName(o.User),
+				CACertFilename:     o.CertificateAuthority,
+				SkipTLSVerify:      o.SkipTLSVerify,
+				ListenPort:         o.ListenPort,
+				SkipOpenBrowser:    o.SkipOpenBrowser,
+				Username:           o.Username,
+				Password:           o.Password,
+			}
+			if err := cmd.Login.Do(ctx, in); err != nil {
+				return xerrors.Errorf("error: %w", err)
+			}
+			return nil
+		},
+	}
+	o.kubectlOptions.register(rootCmd.Flags())
+	o.loginOptions.register(rootCmd.Flags())
+	return rootCmd
+}
+
+// getTokenOptions represents the options for get-token command.
+type getTokenOptions struct {
+	loginOptions
+	IssuerURL            string
+	ClientID             string
+	ClientSecret         string
+	ExtraScopes          []string
+	CertificateAuthority string
+	SkipTLSVerify        bool
+	Verbose              int
+	TokenCacheDir        string
+}
+
+func (o *getTokenOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	o.loginOptions.register(f)
+	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
+	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
+	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.IntVarP(&o.Verbose, "v", "v", 0, "If set to 1 or greater, it shows debug log")
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
+}
+
+func newGetTokenCmd(ctx context.Context, cmd *Cmd) *cobra.Command {
+	var o getTokenOptions
+	c := &cobra.Command{
+		Use:   "get-token [flags]",
+		Short: "Run as a kubectl credential plugin",
+		Args: func(c *cobra.Command, args []string) error {
+			if err := cobra.NoArgs(c, args); err != nil {
+				return err
+			}
+			if o.IssuerURL == "" {
+				return xerrors.New("--oidc-issuer-url is missing")
+			}
+			if o.ClientID == "" {
+				return xerrors.New("--oidc-client-id is missing")
+			}
+			return nil
+		},
+		RunE: func(*cobra.Command, []string) error {
+			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
+			in := usecases.GetTokenIn{
+				IssuerURL:       o.IssuerURL,
+				ClientID:        o.ClientID,
+				ClientSecret:    o.ClientSecret,
+				ExtraScopes:     o.ExtraScopes,
+				CACertFilename:  o.CertificateAuthority,
+				SkipTLSVerify:   o.SkipTLSVerify,
+				ListenPort:      o.ListenPort,
+				SkipOpenBrowser: o.SkipOpenBrowser,
+				Username:        o.Username,
+				Password:        o.Password,
+				TokenCacheDir:   o.TokenCacheDir,
+			}
+			if err := cmd.GetToken.Do(ctx, in); err != nil {
+				return xerrors.Errorf("error: %w", err)
+			}
+			return nil
+		},
+	}
+	o.register(c.Flags())
+	return c
+}
--- a/pkg/adaptors/cmd/cmd_test.go
+++ b/pkg/adaptors/cmd/cmd_test.go
@@ -0,0 +1,206 @@
+package cmd
+
+import (
+	"context"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/mock_adaptors"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"github.com/int128/kubelogin/pkg/usecases/mock_usecases"
+)
+
+func TestCmd_Run(t *testing.T) {
+	const executable = "kubelogin"
+	const version = "HEAD"
+
+	t.Run("login/Defaults", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+
+		login := mock_usecases.NewMockLogin(ctrl)
+		login.EXPECT().
+			Do(ctx, usecases.LoginIn{
+				ListenPort: defaultListenPort,
+			})
+
+		logger := mock_adaptors.NewLogger(t, ctrl)
+		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
+
+		cmd := Cmd{
+			Login:  login,
+			Logger: logger,
+		}
+		exitCode := cmd.Run(ctx, []string{executable}, version)
+		if exitCode != 0 {
+			t.Errorf("exitCode wants 0 but %d", exitCode)
+		}
+	})
+
+	t.Run("login/FullOptions", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+
+		login := mock_usecases.NewMockLogin(ctrl)
+		login.EXPECT().
+			Do(ctx, usecases.LoginIn{
+				KubeconfigFilename: "/path/to/kubeconfig",
+				KubeconfigContext:  "hello.k8s.local",
+				KubeconfigUser:     "google",
+				CACertFilename:     "/path/to/cacert",
+				SkipTLSVerify:      true,
+				ListenPort:         []int{10080, 20080},
+				SkipOpenBrowser:    true,
+				Username:           "USER",
+				Password:           "PASS",
+			})
+
+		logger := mock_adaptors.NewLogger(t, ctrl)
+		logger.EXPECT().SetLevel(adaptors.LogLevel(1))
+
+		cmd := Cmd{
+			Login:  login,
+			Logger: logger,
+		}
+		exitCode := cmd.Run(ctx, []string{executable,
+			"--kubeconfig", "/path/to/kubeconfig",
+			"--context", "hello.k8s.local",
+			"--user", "google",
+			"--certificate-authority", "/path/to/cacert",
+			"--insecure-skip-tls-verify",
+			"-v1",
+			"--listen-port", "10080",
+			"--listen-port", "20080",
+			"--skip-open-browser",
+			"--username", "USER",
+			"--password", "PASS",
+		}, version)
+		if exitCode != 0 {
+			t.Errorf("exitCode wants 0 but %d", exitCode)
+		}
+	})
+
+	t.Run("login/TooManyArgs", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		cmd := Cmd{
+			Login:  mock_usecases.NewMockLogin(ctrl),
+			Logger: mock_adaptors.NewLogger(t, ctrl),
+		}
+		exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
+		if exitCode != 1 {
+			t.Errorf("exitCode wants 1 but %d", exitCode)
+		}
+	})
+
+	t.Run("get-token/Defaults", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+
+		getToken := mock_usecases.NewMockGetToken(ctrl)
+		getToken.EXPECT().
+			Do(ctx, usecases.GetTokenIn{
+				ListenPort:    defaultListenPort,
+				TokenCacheDir: defaultTokenCacheDir,
+				IssuerURL:     "https://issuer.example.com",
+				ClientID:      "YOUR_CLIENT_ID",
+			})
+
+		logger := mock_adaptors.NewLogger(t, ctrl)
+		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
+
+		cmd := Cmd{
+			GetToken: getToken,
+			Logger:   logger,
+		}
+		exitCode := cmd.Run(ctx, []string{executable,
+			"get-token",
+			"--oidc-issuer-url", "https://issuer.example.com",
+			"--oidc-client-id", "YOUR_CLIENT_ID",
+		}, version)
+		if exitCode != 0 {
+			t.Errorf("exitCode wants 0 but %d", exitCode)
+		}
+	})
+
+	t.Run("get-token/FullOptions", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+
+		getToken := mock_usecases.NewMockGetToken(ctrl)
+		getToken.EXPECT().
+			Do(ctx, usecases.GetTokenIn{
+				TokenCacheDir:   defaultTokenCacheDir,
+				IssuerURL:       "https://issuer.example.com",
+				ClientID:        "YOUR_CLIENT_ID",
+				ClientSecret:    "YOUR_CLIENT_SECRET",
+				ExtraScopes:     []string{"email", "profile"},
+				CACertFilename:  "/path/to/cacert",
+				SkipTLSVerify:   true,
+				ListenPort:      []int{10080, 20080},
+				SkipOpenBrowser: true,
+				Username:        "USER",
+				Password:        "PASS",
+			})
+
+		logger := mock_adaptors.NewLogger(t, ctrl)
+		logger.EXPECT().SetLevel(adaptors.LogLevel(1))
+
+		cmd := Cmd{
+			GetToken: getToken,
+			Logger:   logger,
+		}
+		exitCode := cmd.Run(ctx, []string{executable,
+			"get-token",
+			"--oidc-issuer-url", "https://issuer.example.com",
+			"--oidc-client-id", "YOUR_CLIENT_ID",
+			"--oidc-client-secret", "YOUR_CLIENT_SECRET",
+			"--oidc-extra-scope", "email",
+			"--oidc-extra-scope", "profile",
+			"--certificate-authority", "/path/to/cacert",
+			"--insecure-skip-tls-verify",
+			"-v1",
+			"--listen-port", "10080",
+			"--listen-port", "20080",
+			"--skip-open-browser",
+			"--username", "USER",
+			"--password", "PASS",
+		}, version)
+		if exitCode != 0 {
+			t.Errorf("exitCode wants 0 but %d", exitCode)
+		}
+	})
+
+	t.Run("get-token/MissingMandatoryOptions", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		cmd := Cmd{
+			GetToken: mock_usecases.NewMockGetToken(ctrl),
+			Logger:   mock_adaptors.NewLogger(t, ctrl),
+		}
+		exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
+		if exitCode != 1 {
+			t.Errorf("exitCode wants 1 but %d", exitCode)
+		}
+	})
+
+	t.Run("get-token/TooManyArgs", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		cmd := Cmd{
+			GetToken: mock_usecases.NewMockGetToken(ctrl),
+			Logger:   mock_adaptors.NewLogger(t, ctrl),
+		}
+		exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
+		if exitCode != 1 {
+			t.Errorf("exitCode wants 1 but %d", exitCode)
+		}
+	})
+}
--- a/pkg/adaptors/credentialplugin/credential_plugin.go
+++ b/pkg/adaptors/credentialplugin/credential_plugin.go
@@ -0,0 +1,40 @@
+// Package credentialplugin provides interaction with kubectl for a credential plugin.
+package credentialplugin
+
+import (
+	"encoding/json"
+	"os"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+	"golang.org/x/xerrors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Interaction), "*"),
+	wire.Bind(new(adaptors.CredentialPluginInteraction), new(*Interaction)),
+)
+
+type Interaction struct{}
+
+// Write writes the ExecCredential to standard output for kubectl.
+func (*Interaction) Write(out credentialplugin.Output) error {
+	ec := &v1beta1.ExecCredential{
+		TypeMeta: v1.TypeMeta{
+			APIVersion: "client.authentication.k8s.io/v1beta1",
+			Kind:       "ExecCredential",
+		},
+		Status: &v1beta1.ExecCredentialStatus{
+			Token:               out.Token,
+			ExpirationTimestamp: &v1.Time{Time: out.Expiry},
+		},
+	}
+	e := json.NewEncoder(os.Stdout)
+	if err := e.Encode(ec); err != nil {
+		return xerrors.Errorf("could not write the ExecCredential: %w", err)
+	}
+	return nil
+}
--- a/pkg/adaptors/env/env.go
+++ b/pkg/adaptors/env/env.go
@@ -0,0 +1,36 @@
+package env
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/xerrors"
+)
+
+// Set provides an implementation and interface for Env.
+var Set = wire.NewSet(
+	wire.Struct(new(Env), "*"),
+	wire.Bind(new(adaptors.Env), new(*Env)),
+)
+
+// Env provides environment specific facilities.
+type Env struct{}
+
+// ReadPassword reads a password from the stdin without echo back.
+func (*Env) ReadPassword(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, "Password: "); err != nil {
+		return "", xerrors.Errorf("could not write the prompt: %w", err)
+	}
+	b, err := terminal.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", xerrors.Errorf("could not read: %w", err)
+	}
+	if _, err := fmt.Fprintln(os.Stderr); err != nil {
+		return "", xerrors.Errorf("could not write a new line: %w", err)
+	}
+	return string(b), nil
+}
--- a/pkg/adaptors/interfaces.go
+++ b/pkg/adaptors/interfaces.go
@@ -0,0 +1,102 @@
+package adaptors
+
+import (
+	"context"
+	"time"
+
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+)
+
+//go:generate mockgen -destination mock_adaptors/mock_adaptors.go github.com/int128/kubelogin/pkg/adaptors Kubeconfig,TokenCacheRepository,CredentialPluginInteraction,OIDC,OIDCClient,OIDCDecoder,Env,Logger
+
+type Cmd interface {
+	Run(ctx context.Context, args []string, version string) int
+}
+
+type Kubeconfig interface {
+	GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)
+	UpdateAuthProvider(auth *kubeconfig.AuthProvider) error
+}
+
+type TokenCacheRepository interface {
+	FindByKey(dir string, key credentialplugin.TokenCacheKey) (*credentialplugin.TokenCache, error)
+	Save(dir string, key credentialplugin.TokenCacheKey, cache credentialplugin.TokenCache) error
+}
+
+type CredentialPluginInteraction interface {
+	Write(out credentialplugin.Output) error
+}
+
+type OIDC interface {
+	New(ctx context.Context, config OIDCClientConfig) (OIDCClient, error)
+}
+
+// OIDCClientConfig represents a configuration of an OIDCClient to create.
+type OIDCClientConfig struct {
+	Config         kubeconfig.OIDCConfig
+	CACertFilename string
+	SkipTLSVerify  bool
+}
+
+type OIDCClient interface {
+	AuthenticateByCode(ctx context.Context, in OIDCAuthenticateByCodeIn) (*OIDCAuthenticateOut, error)
+	AuthenticateByPassword(ctx context.Context, in OIDCAuthenticateByPasswordIn) (*OIDCAuthenticateOut, error)
+	Refresh(ctx context.Context, in OIDCRefreshIn) (*OIDCAuthenticateOut, error)
+}
+
+// OIDCAuthenticateByCodeIn represents an input DTO of OIDCClient.AuthenticateByCode.
+type OIDCAuthenticateByCodeIn struct {
+	LocalServerPort    []int // HTTP server port candidates
+	SkipOpenBrowser    bool  // skip opening browser if true
+	ShowLocalServerURL interface{ ShowLocalServerURL(url string) }
+}
+
+// OIDCAuthenticateByPasswordIn represents an input DTO of OIDCClient.AuthenticateByPassword.
+type OIDCAuthenticateByPasswordIn struct {
+	Username string
+	Password string
+}
+
+// OIDCAuthenticateOut represents an output DTO of
+// OIDCClient.AuthenticateByCode, OIDCClient.AuthenticateByPassword and OIDCClient.Refresh.
+type OIDCAuthenticateOut struct {
+	IDToken       string
+	RefreshToken  string
+	IDTokenExpiry time.Time
+	IDTokenClaims map[string]string // string representation of claims for logging
+}
+
+// OIDCRefreshIn represents an input DTO of OIDCClient.Refresh.
+type OIDCRefreshIn struct {
+	RefreshToken string
+}
+
+type OIDCDecoder interface {
+	DecodeIDToken(t string) (*DecodedIDToken, error)
+}
+
+type DecodedIDToken struct {
+	IDTokenExpiry time.Time
+	IDTokenClaims map[string]string // string representation of claims for logging
+}
+
+type Env interface {
+	ReadPassword(prompt string) (string, error)
+}
+
+type Logger interface {
+	Printf(format string, v ...interface{})
+	Debugf(level LogLevel, format string, v ...interface{})
+	SetLevel(level LogLevel)
+	IsEnabled(level LogLevel) bool
+}
+
+// LogLevel represents a log level for debug.
+//
+// 0 = None
+// 1 = Including in/out
+// 2 = Including transport headers
+// 3 = Including transport body
+//
+type LogLevel int
--- a/pkg/adaptors/kubeconfig/kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/kubeconfig.go
@@ -0,0 +1,14 @@
+package kubeconfig
+
+import (
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+)
+
+// Set provides an implementation and interface for Kubeconfig.
+var Set = wire.NewSet(
+	wire.Struct(new(Kubeconfig), "*"),
+	wire.Bind(new(adaptors.Kubeconfig), new(*Kubeconfig)),
+)
+
+type Kubeconfig struct{}
--- a/pkg/adaptors/kubeconfig/load.go
+++ b/pkg/adaptors/kubeconfig/load.go
@@ -0,0 +1,85 @@
+package kubeconfig
+
+import (
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"golang.org/x/xerrors"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	config, err := loadByDefaultRules(explicitFilename)
+	if err != nil {
+		return nil, xerrors.Errorf("could not load kubeconfig: %w", err)
+	}
+	auth, err := findCurrentAuthProvider(config, contextName, userName)
+	if err != nil {
+		return nil, xerrors.Errorf("could not find the current auth provider: %w", err)
+	}
+	return auth, nil
+}
+
+func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
+	rules := clientcmd.NewDefaultClientConfigLoadingRules()
+	rules.ExplicitPath = explicitFilename
+	config, err := rules.Load()
+	if err != nil {
+		return nil, xerrors.Errorf("error while loading config: %w", err)
+	}
+	return config, err
+}
+
+// findCurrentAuthProvider resolves the current auth provider.
+// If contextName is given, this returns the user of the context.
+// If userName is given, this ignores the context and returns the user.
+// If any context or user is not found, this returns an error.
+func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	if userName == "" {
+		if contextName == "" {
+			contextName = kubeconfig.ContextName(config.CurrentContext)
+		}
+		contextNode, ok := config.Contexts[string(contextName)]
+		if !ok {
+			return nil, xerrors.Errorf("context %s does not exist", contextName)
+		}
+		userName = kubeconfig.UserName(contextNode.AuthInfo)
+	}
+	userNode, ok := config.AuthInfos[string(userName)]
+	if !ok {
+		return nil, xerrors.Errorf("user %s does not exist", userName)
+	}
+	if userNode.AuthProvider == nil {
+		return nil, xerrors.New("auth-provider is missing")
+	}
+	if userNode.AuthProvider.Name != "oidc" {
+		return nil, xerrors.Errorf("auth-provider.name must be oidc but is %s", userNode.AuthProvider.Name)
+	}
+	if userNode.AuthProvider.Config == nil {
+		return nil, xerrors.New("auth-provider.config is missing")
+	}
+	return &kubeconfig.AuthProvider{
+		LocationOfOrigin: userNode.LocationOfOrigin,
+		UserName:         userName,
+		ContextName:      contextName,
+		OIDCConfig:       makeOIDCConfig(userNode.AuthProvider.Config),
+	}, nil
+}
+
+func makeOIDCConfig(m map[string]string) kubeconfig.OIDCConfig {
+	var extraScopes []string
+	if m["extra-scopes"] != "" {
+		extraScopes = strings.Split(m["extra-scopes"], ",")
+	}
+	return kubeconfig.OIDCConfig{
+		IDPIssuerURL:                m["idp-issuer-url"],
+		ClientID:                    m["client-id"],
+		ClientSecret:                m["client-secret"],
+		IDPCertificateAuthority:     m["idp-certificate-authority"],
+		IDPCertificateAuthorityData: m["idp-certificate-authority-data"],
+		ExtraScopes:                 extraScopes,
+		IDToken:                     m["id-token"],
+		RefreshToken:                m["refresh-token"],
+	}
+}
--- a/pkg/adaptors/kubeconfig/load_test.go
+++ b/pkg/adaptors/kubeconfig/load_test.go
@@ -0,0 +1,225 @@
+package kubeconfig
+
+import (
+	"os"
+	"testing"
+
+	"github.com/go-test/deep"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+func Test_loadByDefaultRules(t *testing.T) {
+	t.Run("google.yaml>keycloak.yaml", func(t *testing.T) {
+		setenv(t, "KUBECONFIG", "testdata/kubeconfig.google.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.keycloak.yaml")
+		defer unsetenv(t, "KUBECONFIG")
+
+		config, err := loadByDefaultRules("")
+		if err != nil {
+			t.Fatalf("Could not load the configs: %s", err)
+		}
+		if w := "google@hello.k8s.local"; w != config.CurrentContext {
+			t.Errorf("CurrentContext wants %s but %s", w, config.CurrentContext)
+		}
+		if _, ok := config.Contexts["google@hello.k8s.local"]; !ok {
+			t.Errorf("Contexts[google@hello.k8s.local] is missing")
+		}
+		if _, ok := config.Contexts["keycloak@hello.k8s.local"]; !ok {
+			t.Errorf("Contexts[keycloak@hello.k8s.local] is missing")
+		}
+		if _, ok := config.AuthInfos["google"]; !ok {
+			t.Errorf("AuthInfos[google] is missing")
+		}
+		if _, ok := config.AuthInfos["keycloak"]; !ok {
+			t.Errorf("AuthInfos[keycloak] is missing")
+		}
+	})
+
+	t.Run("keycloak.yaml>google.yaml", func(t *testing.T) {
+		setenv(t, "KUBECONFIG", "testdata/kubeconfig.keycloak.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.google.yaml")
+		defer unsetenv(t, "KUBECONFIG")
+
+		config, err := loadByDefaultRules("")
+		if err != nil {
+			t.Fatalf("Could not load the configs: %s", err)
+		}
+		if w := "keycloak@hello.k8s.local"; w != config.CurrentContext {
+			t.Errorf("CurrentContext wants %s but %s", w, config.CurrentContext)
+		}
+		if _, ok := config.Contexts["google@hello.k8s.local"]; !ok {
+			t.Errorf("Contexts[google@hello.k8s.local] is missing")
+		}
+		if _, ok := config.Contexts["keycloak@hello.k8s.local"]; !ok {
+			t.Errorf("Contexts[keycloak@hello.k8s.local] is missing")
+		}
+		if _, ok := config.AuthInfos["google"]; !ok {
+			t.Errorf("AuthInfos[google] is missing")
+		}
+		if _, ok := config.AuthInfos["keycloak"]; !ok {
+			t.Errorf("AuthInfos[keycloak] is missing")
+		}
+	})
+}
+
+func setenv(t *testing.T, key, value string) {
+	t.Helper()
+	if err := os.Setenv(key, value); err != nil {
+		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
+	}
+}
+
+func unsetenv(t *testing.T, key string) {
+	t.Helper()
+	if err := os.Unsetenv(key); err != nil {
+		t.Fatalf("Could not unset the env var %s: %s", key, err)
+	}
+}
+
+func Test_findCurrentAuthProvider(t *testing.T) {
+	t.Run("CurrentContext", func(t *testing.T) {
+		auth, err := findCurrentAuthProvider(&api.Config{
+			CurrentContext: "theContext",
+			Contexts: map[string]*api.Context{
+				"theContext": {
+					AuthInfo: "theUser",
+				},
+			},
+			AuthInfos: map[string]*api.AuthInfo{
+				"theUser": {
+					LocationOfOrigin: "/path/to/kubeconfig",
+					AuthProvider: &api.AuthProviderConfig{
+						Name: "oidc",
+						Config: map[string]string{
+							"idp-issuer-url":                 "https://accounts.google.com",
+							"client-id":                      "GOOGLE_CLIENT_ID",
+							"client-secret":                  "GOOGLE_CLIENT_SECRET",
+							"idp-certificate-authority":      "/path/to/cert",
+							"idp-certificate-authority-data": "BASE64",
+							"extra-scopes":                   "email,profile",
+							"id-token":                       "YOUR_ID_TOKEN",
+							"refresh-token":                  "YOUR_REFRESH_TOKEN",
+						},
+					},
+				},
+			},
+		}, "", "")
+		if err != nil {
+			t.Fatalf("Could not find the current auth: %s", err)
+		}
+		want := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "theUser",
+			ContextName:      "theContext",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL:                "https://accounts.google.com",
+				ClientID:                    "GOOGLE_CLIENT_ID",
+				ClientSecret:                "GOOGLE_CLIENT_SECRET",
+				IDPCertificateAuthority:     "/path/to/cert",
+				IDPCertificateAuthorityData: "BASE64",
+				ExtraScopes:                 []string{"email", "profile"},
+				IDToken:                     "YOUR_ID_TOKEN",
+				RefreshToken:                "YOUR_REFRESH_TOKEN",
+			},
+		}
+		if diff := deep.Equal(want, auth); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ByContextName", func(t *testing.T) {
+		auth, err := findCurrentAuthProvider(&api.Config{
+			Contexts: map[string]*api.Context{
+				"theContext": {
+					AuthInfo: "theUser",
+				},
+			},
+			AuthInfos: map[string]*api.AuthInfo{
+				"theUser": {
+					LocationOfOrigin: "/path/to/kubeconfig",
+					AuthProvider: &api.AuthProviderConfig{
+						Name: "oidc",
+						Config: map[string]string{
+							"idp-issuer-url": "https://accounts.google.com",
+						},
+					},
+				},
+			},
+		}, "theContext", "")
+		if err != nil {
+			t.Fatalf("Could not find the current auth: %s", err)
+		}
+		want := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "theUser",
+			ContextName:      "theContext",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+			},
+		}
+		if diff := deep.Equal(want, auth); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ByUserName", func(t *testing.T) {
+		auth, err := findCurrentAuthProvider(&api.Config{
+			AuthInfos: map[string]*api.AuthInfo{
+				"theUser": {
+					LocationOfOrigin: "/path/to/kubeconfig",
+					AuthProvider: &api.AuthProviderConfig{
+						Name: "oidc",
+						Config: map[string]string{
+							"idp-issuer-url": "https://accounts.google.com",
+						},
+					},
+				},
+			},
+		}, "", "theUser")
+		if err != nil {
+			t.Fatalf("Could not find the current auth: %s", err)
+		}
+		want := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "theUser",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+			},
+		}
+		if diff := deep.Equal(want, auth); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("NoConfig", func(t *testing.T) {
+		_, err := findCurrentAuthProvider(&api.Config{
+			AuthInfos: map[string]*api.AuthInfo{
+				"theUser": {
+					LocationOfOrigin: "/path/to/kubeconfig",
+					AuthProvider: &api.AuthProviderConfig{
+						Name: "oidc",
+					},
+				},
+			},
+		}, "", "theUser")
+		if err == nil {
+			t.Fatalf("wants error but nil")
+		}
+	})
+
+	t.Run("NotOIDC", func(t *testing.T) {
+		_, err := findCurrentAuthProvider(&api.Config{
+			AuthInfos: map[string]*api.AuthInfo{
+				"theUser": {
+					LocationOfOrigin: "/path/to/kubeconfig",
+					AuthProvider: &api.AuthProviderConfig{
+						Name:   "some",
+						Config: map[string]string{"foo": "bar"},
+					},
+				},
+			},
+		}, "", "theUser")
+		if err == nil {
+			t.Fatalf("wants error but nil")
+		}
+	})
+}
--- a/pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml
+++ b/pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+clusters: []
+contexts:
+  - context:
+      cluster: hello.k8s.local
+      user: google
+    name: google@hello.k8s.local
+current-context: google@hello.k8s.local
+kind: Config
+preferences: {}
+users:
+  - name: google
+    user:
+      auth-provider:
+        config:
+          client-id: CLIENT_ID.apps.googleusercontent.com
+        name: oidc
--- a/pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml
+++ b/pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+contexts:
+  - context:
+      cluster: hello.k8s.local
+      user: keycloak
+    name: keycloak@hello.k8s.local
+current-context: keycloak@hello.k8s.local
+kind: Config
+preferences: {}
+users:
+  - name: keycloak
+    user:
+      auth-provider:
+        config:
+          client-id: kubernetes
+        name: oidc
--- a/pkg/adaptors/kubeconfig/write.go
+++ b/pkg/adaptors/kubeconfig/write.go
@@ -0,0 +1,51 @@
+package kubeconfig
+
+import (
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"golang.org/x/xerrors"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+func (*Kubeconfig) UpdateAuthProvider(auth *kubeconfig.AuthProvider) error {
+	config, err := clientcmd.LoadFromFile(auth.LocationOfOrigin)
+	if err != nil {
+		return xerrors.Errorf("could not load %s: %w", auth.LocationOfOrigin, err)
+	}
+	userNode, ok := config.AuthInfos[string(auth.UserName)]
+	if !ok {
+		return xerrors.Errorf("user %s does not exist", auth.UserName)
+	}
+	if userNode.AuthProvider == nil {
+		return xerrors.Errorf("auth-provider is missing")
+	}
+	if userNode.AuthProvider.Name != "oidc" {
+		return xerrors.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
+	}
+	copyOIDCConfig(auth.OIDCConfig, userNode.AuthProvider.Config)
+	if err := clientcmd.WriteToFile(*config, auth.LocationOfOrigin); err != nil {
+		return xerrors.Errorf("could not update %s: %w", auth.LocationOfOrigin, err)
+	}
+	return nil
+}
+
+func copyOIDCConfig(config kubeconfig.OIDCConfig, m map[string]string) {
+	setOrDeleteKey(m, "idp-issuer-url", config.IDPIssuerURL)
+	setOrDeleteKey(m, "client-id", config.ClientID)
+	setOrDeleteKey(m, "client-secret", config.ClientSecret)
+	setOrDeleteKey(m, "idp-certificate-authority", config.IDPCertificateAuthority)
+	setOrDeleteKey(m, "idp-certificate-authority-data", config.IDPCertificateAuthorityData)
+	extraScopes := strings.Join(config.ExtraScopes, ",")
+	setOrDeleteKey(m, "extra-scopes", extraScopes)
+	setOrDeleteKey(m, "id-token", config.IDToken)
+	setOrDeleteKey(m, "refresh-token", config.RefreshToken)
+}
+
+func setOrDeleteKey(m map[string]string, key, value string) {
+	if value == "" {
+		delete(m, key)
+		return
+	}
+	m[key] = value
+}
--- a/pkg/adaptors/kubeconfig/write_test.go
+++ b/pkg/adaptors/kubeconfig/write_test.go
@@ -0,0 +1,138 @@
+package kubeconfig
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+)
+
+func TestKubeconfig_UpdateAuth(t *testing.T) {
+	var k Kubeconfig
+
+	t.Run("MinimumKeys", func(t *testing.T) {
+		f := newKubeconfigFile(t)
+		defer func() {
+			if err := os.Remove(f.Name()); err != nil {
+				t.Errorf("Could not remove the temp file: %s", err)
+			}
+		}()
+		if err := k.UpdateAuthProvider(&kubeconfig.AuthProvider{
+			LocationOfOrigin: f.Name(),
+			UserName:         "google",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+				ClientID:     "GOOGLE_CLIENT_ID",
+				ClientSecret: "GOOGLE_CLIENT_SECRET",
+				IDToken:      "YOUR_ID_TOKEN",
+				RefreshToken: "YOUR_REFRESH_TOKEN",
+			},
+		}); err != nil {
+			t.Fatalf("Could not update auth: %s", err)
+		}
+		b, err := ioutil.ReadFile(f.Name())
+		if err != nil {
+			t.Fatalf("Could not read kubeconfig: %s", err)
+		}
+
+		want := `apiVersion: v1
+clusters: []
+contexts: []
+current-context: ""
+kind: Config
+preferences: {}
+users:
+- name: google
+  user:
+    auth-provider:
+      config:
+        client-id: GOOGLE_CLIENT_ID
+        client-secret: GOOGLE_CLIENT_SECRET
+        id-token: YOUR_ID_TOKEN
+        idp-issuer-url: https://accounts.google.com
+        refresh-token: YOUR_REFRESH_TOKEN
+      name: oidc
+`
+		if want != string(b) {
+			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
+		}
+	})
+
+	t.Run("FullKeys", func(t *testing.T) {
+		f := newKubeconfigFile(t)
+		defer func() {
+			if err := os.Remove(f.Name()); err != nil {
+				t.Errorf("Could not remove the temp file: %s", err)
+			}
+		}()
+		if err := k.UpdateAuthProvider(&kubeconfig.AuthProvider{
+			LocationOfOrigin: f.Name(),
+			UserName:         "google",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL:                "https://accounts.google.com",
+				ClientID:                    "GOOGLE_CLIENT_ID",
+				ClientSecret:                "GOOGLE_CLIENT_SECRET",
+				IDPCertificateAuthority:     "/path/to/cert",
+				IDPCertificateAuthorityData: "BASE64",
+				ExtraScopes:                 []string{"email", "profile"},
+				IDToken:                     "YOUR_ID_TOKEN",
+				RefreshToken:                "YOUR_REFRESH_TOKEN",
+			},
+		}); err != nil {
+			t.Fatalf("Could not update auth: %s", err)
+		}
+		b, err := ioutil.ReadFile(f.Name())
+		if err != nil {
+			t.Fatalf("Could not read kubeconfig: %s", err)
+		}
+
+		want := `apiVersion: v1
+clusters: []
+contexts: []
+current-context: ""
+kind: Config
+preferences: {}
+users:
+- name: google
+  user:
+    auth-provider:
+      config:
+        client-id: GOOGLE_CLIENT_ID
+        client-secret: GOOGLE_CLIENT_SECRET
+        extra-scopes: email,profile
+        id-token: YOUR_ID_TOKEN
+        idp-certificate-authority: /path/to/cert
+        idp-certificate-authority-data: BASE64
+        idp-issuer-url: https://accounts.google.com
+        refresh-token: YOUR_REFRESH_TOKEN
+      name: oidc
+`
+		if want != string(b) {
+			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
+		}
+	})
+}
+
+func newKubeconfigFile(t *testing.T) *os.File {
+	content := `apiVersion: v1
+clusters: []
+kind: Config
+preferences: {}
+users:
+  - name: google
+    user:
+      auth-provider:
+        config:
+          idp-issuer-url: https://accounts.google.com
+        name: oidc`
+	f, err := ioutil.TempFile("", "kubeconfig")
+	if err != nil {
+		t.Fatalf("Could not create a file: %s", err)
+	}
+	defer f.Close()
+	if _, err := f.Write([]byte(content)); err != nil {
+		t.Fatalf("Could not write kubeconfig: %s", err)
+	}
+	return f
+}
--- a/pkg/adaptors/logger/logger.go
+++ b/pkg/adaptors/logger/logger.go
@@ -0,0 +1,56 @@
+package logger
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+)
+
+// Set provides an implementation and interface for Logger.
+var Set = wire.NewSet(
+	New,
+)
+
+// New returns a Logger with the standard log.Logger for messages and debug.
+func New() adaptors.Logger {
+	return &Logger{
+		stdLogger:   log.New(os.Stderr, "", 0),
+		debugLogger: log.New(os.Stderr, "", log.Ltime|log.Lmicroseconds|log.Lshortfile),
+	}
+}
+
+func NewWith(s stdLogger, d debugLogger) *Logger {
+	return &Logger{s, d, 0}
+}
+
+type stdLogger interface {
+	Printf(format string, v ...interface{})
+}
+
+type debugLogger interface {
+	Output(calldepth int, s string) error
+}
+
+// Logger wraps the standard log.Logger and just provides debug level.
+type Logger struct {
+	stdLogger
+	debugLogger
+	level adaptors.LogLevel
+}
+
+func (l *Logger) Debugf(level adaptors.LogLevel, format string, v ...interface{}) {
+	if l.IsEnabled(level) {
+		_ = l.debugLogger.Output(2, fmt.Sprintf(format, v...))
+	}
+}
+
+func (l *Logger) SetLevel(level adaptors.LogLevel) {
+	l.level = level
+}
+
+func (l *Logger) IsEnabled(level adaptors.LogLevel) bool {
+	return level <= l.level
+}
--- a/pkg/adaptors/logger/logger_test.go
+++ b/pkg/adaptors/logger/logger_test.go
@@ -0,0 +1,62 @@
+package logger
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/int128/kubelogin/pkg/adaptors"
+)
+
+type mockDebugLogger struct {
+	count int
+}
+
+func (l *mockDebugLogger) Output(int, string) error {
+	l.count++
+	return nil
+}
+
+func TestLogger_Debugf(t *testing.T) {
+	for _, c := range []struct {
+		loggerLevel adaptors.LogLevel
+		debugfLevel adaptors.LogLevel
+		count       int
+	}{
+		{0, 0, 1},
+		{0, 1, 0},
+
+		{1, 0, 1},
+		{1, 1, 1},
+		{1, 2, 0},
+
+		{2, 1, 1},
+		{2, 2, 1},
+		{2, 3, 0},
+	} {
+		t.Run(fmt.Sprintf("%+v", c), func(t *testing.T) {
+			m := &mockDebugLogger{}
+			l := &Logger{debugLogger: m, level: c.loggerLevel}
+			l.Debugf(c.debugfLevel, "hello")
+			if m.count != c.count {
+				t.Errorf("count wants %d but %d", c.count, m.count)
+			}
+		})
+	}
+}
+
+type mockStdLogger struct {
+	count int
+}
+
+func (l *mockStdLogger) Printf(format string, v ...interface{}) {
+	l.count++
+}
+
+func TestLogger_Printf(t *testing.T) {
+	m := &mockStdLogger{}
+	l := &Logger{stdLogger: m}
+	l.Printf("hello")
+	if m.count != 1 {
+		t.Errorf("count wants %d but %d", 1, m.count)
+	}
+}
--- a/pkg/adaptors/mock_adaptors/logger.go
+++ b/pkg/adaptors/mock_adaptors/logger.go
@@ -0,0 +1,31 @@
+package mock_adaptors
+
+import (
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors"
+)
+
+func NewLogger(t testingLogger, ctrl *gomock.Controller) *Logger {
+	return &Logger{
+		MockLogger:    NewMockLogger(ctrl),
+		testingLogger: t,
+	}
+}
+
+type testingLogger interface {
+	Logf(format string, v ...interface{})
+}
+
+// Logger provides mock feature but overrides output methods with actual logging.
+type Logger struct {
+	*MockLogger
+	testingLogger testingLogger
+}
+
+func (l *Logger) Printf(format string, v ...interface{}) {
+	l.testingLogger.Logf(format, v...)
+}
+
+func (l *Logger) Debugf(level adaptors.LogLevel, format string, v ...interface{}) {
+	l.testingLogger.Logf(format, v...)
+}
--- a/pkg/adaptors/mock_adaptors/mock_adaptors.go
+++ b/pkg/adaptors/mock_adaptors/mock_adaptors.go
@@ -0,0 +1,390 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors (interfaces: Kubeconfig,TokenCacheRepository,CredentialPluginInteraction,OIDC,OIDCClient,OIDCDecoder,Env,Logger)
+
+// Package mock_adaptors is a generated GoMock package.
+package mock_adaptors
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	adaptors "github.com/int128/kubelogin/pkg/adaptors"
+	credentialplugin "github.com/int128/kubelogin/pkg/models/credentialplugin"
+	kubeconfig "github.com/int128/kubelogin/pkg/models/kubeconfig"
+	reflect "reflect"
+)
+
+// MockKubeconfig is a mock of Kubeconfig interface
+type MockKubeconfig struct {
+	ctrl     *gomock.Controller
+	recorder *MockKubeconfigMockRecorder
+}
+
+// MockKubeconfigMockRecorder is the mock recorder for MockKubeconfig
+type MockKubeconfigMockRecorder struct {
+	mock *MockKubeconfig
+}
+
+// NewMockKubeconfig creates a new mock instance
+func NewMockKubeconfig(ctrl *gomock.Controller) *MockKubeconfig {
+	mock := &MockKubeconfig{ctrl: ctrl}
+	mock.recorder = &MockKubeconfigMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockKubeconfig) EXPECT() *MockKubeconfigMockRecorder {
+	return m.recorder
+}
+
+// GetCurrentAuthProvider mocks base method
+func (m *MockKubeconfig) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
+func (mr *MockKubeconfigMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockKubeconfig)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
+}
+
+// UpdateAuthProvider mocks base method
+func (m *MockKubeconfig) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
+	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
+func (mr *MockKubeconfigMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockKubeconfig)(nil).UpdateAuthProvider), arg0)
+}
+
+// MockTokenCacheRepository is a mock of TokenCacheRepository interface
+type MockTokenCacheRepository struct {
+	ctrl     *gomock.Controller
+	recorder *MockTokenCacheRepositoryMockRecorder
+}
+
+// MockTokenCacheRepositoryMockRecorder is the mock recorder for MockTokenCacheRepository
+type MockTokenCacheRepositoryMockRecorder struct {
+	mock *MockTokenCacheRepository
+}
+
+// NewMockTokenCacheRepository creates a new mock instance
+func NewMockTokenCacheRepository(ctrl *gomock.Controller) *MockTokenCacheRepository {
+	mock := &MockTokenCacheRepository{ctrl: ctrl}
+	mock.recorder = &MockTokenCacheRepositoryMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockTokenCacheRepository) EXPECT() *MockTokenCacheRepositoryMockRecorder {
+	return m.recorder
+}
+
+// FindByKey mocks base method
+func (m *MockTokenCacheRepository) FindByKey(arg0 string, arg1 credentialplugin.TokenCacheKey) (*credentialplugin.TokenCache, error) {
+	ret := m.ctrl.Call(m, "FindByKey", arg0, arg1)
+	ret0, _ := ret[0].(*credentialplugin.TokenCache)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// FindByKey indicates an expected call of FindByKey
+func (mr *MockTokenCacheRepositoryMockRecorder) FindByKey(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindByKey", reflect.TypeOf((*MockTokenCacheRepository)(nil).FindByKey), arg0, arg1)
+}
+
+// Save mocks base method
+func (m *MockTokenCacheRepository) Save(arg0 string, arg1 credentialplugin.TokenCacheKey, arg2 credentialplugin.TokenCache) error {
+	ret := m.ctrl.Call(m, "Save", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Save indicates an expected call of Save
+func (mr *MockTokenCacheRepositoryMockRecorder) Save(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Save", reflect.TypeOf((*MockTokenCacheRepository)(nil).Save), arg0, arg1, arg2)
+}
+
+// MockCredentialPluginInteraction is a mock of CredentialPluginInteraction interface
+type MockCredentialPluginInteraction struct {
+	ctrl     *gomock.Controller
+	recorder *MockCredentialPluginInteractionMockRecorder
+}
+
+// MockCredentialPluginInteractionMockRecorder is the mock recorder for MockCredentialPluginInteraction
+type MockCredentialPluginInteractionMockRecorder struct {
+	mock *MockCredentialPluginInteraction
+}
+
+// NewMockCredentialPluginInteraction creates a new mock instance
+func NewMockCredentialPluginInteraction(ctrl *gomock.Controller) *MockCredentialPluginInteraction {
+	mock := &MockCredentialPluginInteraction{ctrl: ctrl}
+	mock.recorder = &MockCredentialPluginInteractionMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockCredentialPluginInteraction) EXPECT() *MockCredentialPluginInteractionMockRecorder {
+	return m.recorder
+}
+
+// Write mocks base method
+func (m *MockCredentialPluginInteraction) Write(arg0 credentialplugin.Output) error {
+	ret := m.ctrl.Call(m, "Write", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Write indicates an expected call of Write
+func (mr *MockCredentialPluginInteractionMockRecorder) Write(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockCredentialPluginInteraction)(nil).Write), arg0)
+}
+
+// MockOIDC is a mock of OIDC interface
+type MockOIDC struct {
+	ctrl     *gomock.Controller
+	recorder *MockOIDCMockRecorder
+}
+
+// MockOIDCMockRecorder is the mock recorder for MockOIDC
+type MockOIDCMockRecorder struct {
+	mock *MockOIDC
+}
+
+// NewMockOIDC creates a new mock instance
+func NewMockOIDC(ctrl *gomock.Controller) *MockOIDC {
+	mock := &MockOIDC{ctrl: ctrl}
+	mock.recorder = &MockOIDCMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockOIDC) EXPECT() *MockOIDCMockRecorder {
+	return m.recorder
+}
+
+// New mocks base method
+func (m *MockOIDC) New(arg0 context.Context, arg1 adaptors.OIDCClientConfig) (adaptors.OIDCClient, error) {
+	ret := m.ctrl.Call(m, "New", arg0, arg1)
+	ret0, _ := ret[0].(adaptors.OIDCClient)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// New indicates an expected call of New
+func (mr *MockOIDCMockRecorder) New(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockOIDC)(nil).New), arg0, arg1)
+}
+
+// MockOIDCClient is a mock of OIDCClient interface
+type MockOIDCClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockOIDCClientMockRecorder
+}
+
+// MockOIDCClientMockRecorder is the mock recorder for MockOIDCClient
+type MockOIDCClientMockRecorder struct {
+	mock *MockOIDCClient
+}
+
+// NewMockOIDCClient creates a new mock instance
+func NewMockOIDCClient(ctrl *gomock.Controller) *MockOIDCClient {
+	mock := &MockOIDCClient{ctrl: ctrl}
+	mock.recorder = &MockOIDCClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockOIDCClient) EXPECT() *MockOIDCClientMockRecorder {
+	return m.recorder
+}
+
+// AuthenticateByCode mocks base method
+func (m *MockOIDCClient) AuthenticateByCode(arg0 context.Context, arg1 adaptors.OIDCAuthenticateByCodeIn) (*adaptors.OIDCAuthenticateOut, error) {
+	ret := m.ctrl.Call(m, "AuthenticateByCode", arg0, arg1)
+	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AuthenticateByCode indicates an expected call of AuthenticateByCode
+func (mr *MockOIDCClientMockRecorder) AuthenticateByCode(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByCode", reflect.TypeOf((*MockOIDCClient)(nil).AuthenticateByCode), arg0, arg1)
+}
+
+// AuthenticateByPassword mocks base method
+func (m *MockOIDCClient) AuthenticateByPassword(arg0 context.Context, arg1 adaptors.OIDCAuthenticateByPasswordIn) (*adaptors.OIDCAuthenticateOut, error) {
+	ret := m.ctrl.Call(m, "AuthenticateByPassword", arg0, arg1)
+	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AuthenticateByPassword indicates an expected call of AuthenticateByPassword
+func (mr *MockOIDCClientMockRecorder) AuthenticateByPassword(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByPassword", reflect.TypeOf((*MockOIDCClient)(nil).AuthenticateByPassword), arg0, arg1)
+}
+
+// Refresh mocks base method
+func (m *MockOIDCClient) Refresh(arg0 context.Context, arg1 adaptors.OIDCRefreshIn) (*adaptors.OIDCAuthenticateOut, error) {
+	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
+	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Refresh indicates an expected call of Refresh
+func (mr *MockOIDCClientMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockOIDCClient)(nil).Refresh), arg0, arg1)
+}
+
+// MockOIDCDecoder is a mock of OIDCDecoder interface
+type MockOIDCDecoder struct {
+	ctrl     *gomock.Controller
+	recorder *MockOIDCDecoderMockRecorder
+}
+
+// MockOIDCDecoderMockRecorder is the mock recorder for MockOIDCDecoder
+type MockOIDCDecoderMockRecorder struct {
+	mock *MockOIDCDecoder
+}
+
+// NewMockOIDCDecoder creates a new mock instance
+func NewMockOIDCDecoder(ctrl *gomock.Controller) *MockOIDCDecoder {
+	mock := &MockOIDCDecoder{ctrl: ctrl}
+	mock.recorder = &MockOIDCDecoderMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockOIDCDecoder) EXPECT() *MockOIDCDecoderMockRecorder {
+	return m.recorder
+}
+
+// DecodeIDToken mocks base method
+func (m *MockOIDCDecoder) DecodeIDToken(arg0 string) (*adaptors.DecodedIDToken, error) {
+	ret := m.ctrl.Call(m, "DecodeIDToken", arg0)
+	ret0, _ := ret[0].(*adaptors.DecodedIDToken)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DecodeIDToken indicates an expected call of DecodeIDToken
+func (mr *MockOIDCDecoderMockRecorder) DecodeIDToken(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DecodeIDToken", reflect.TypeOf((*MockOIDCDecoder)(nil).DecodeIDToken), arg0)
+}
+
+// MockEnv is a mock of Env interface
+type MockEnv struct {
+	ctrl     *gomock.Controller
+	recorder *MockEnvMockRecorder
+}
+
+// MockEnvMockRecorder is the mock recorder for MockEnv
+type MockEnvMockRecorder struct {
+	mock *MockEnv
+}
+
+// NewMockEnv creates a new mock instance
+func NewMockEnv(ctrl *gomock.Controller) *MockEnv {
+	mock := &MockEnv{ctrl: ctrl}
+	mock.recorder = &MockEnvMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockEnv) EXPECT() *MockEnvMockRecorder {
+	return m.recorder
+}
+
+// ReadPassword mocks base method
+func (m *MockEnv) ReadPassword(arg0 string) (string, error) {
+	ret := m.ctrl.Call(m, "ReadPassword", arg0)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadPassword indicates an expected call of ReadPassword
+func (mr *MockEnvMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockEnv)(nil).ReadPassword), arg0)
+}
+
+// MockLogger is a mock of Logger interface
+type MockLogger struct {
+	ctrl     *gomock.Controller
+	recorder *MockLoggerMockRecorder
+}
+
+// MockLoggerMockRecorder is the mock recorder for MockLogger
+type MockLoggerMockRecorder struct {
+	mock *MockLogger
+}
+
+// NewMockLogger creates a new mock instance
+func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
+	mock := &MockLogger{ctrl: ctrl}
+	mock.recorder = &MockLoggerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
+	return m.recorder
+}
+
+// Debugf mocks base method
+func (m *MockLogger) Debugf(arg0 adaptors.LogLevel, arg1 string, arg2 ...interface{}) {
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	m.ctrl.Call(m, "Debugf", varargs...)
+}
+
+// Debugf indicates an expected call of Debugf
+func (mr *MockLoggerMockRecorder) Debugf(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Debugf", reflect.TypeOf((*MockLogger)(nil).Debugf), varargs...)
+}
+
+// IsEnabled mocks base method
+func (m *MockLogger) IsEnabled(arg0 adaptors.LogLevel) bool {
+	ret := m.ctrl.Call(m, "IsEnabled", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// IsEnabled indicates an expected call of IsEnabled
+func (mr *MockLoggerMockRecorder) IsEnabled(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsEnabled", reflect.TypeOf((*MockLogger)(nil).IsEnabled), arg0)
+}
+
+// Printf mocks base method
+func (m *MockLogger) Printf(arg0 string, arg1 ...interface{}) {
+	varargs := []interface{}{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	m.ctrl.Call(m, "Printf", varargs...)
+}
+
+// Printf indicates an expected call of Printf
+func (mr *MockLoggerMockRecorder) Printf(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
+	varargs := append([]interface{}{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Printf", reflect.TypeOf((*MockLogger)(nil).Printf), varargs...)
+}
+
+// SetLevel mocks base method
+func (m *MockLogger) SetLevel(arg0 adaptors.LogLevel) {
+	m.ctrl.Call(m, "SetLevel", arg0)
+}
+
+// SetLevel indicates an expected call of SetLevel
+func (mr *MockLoggerMockRecorder) SetLevel(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLevel", reflect.TypeOf((*MockLogger)(nil).SetLevel), arg0)
+}
--- a/pkg/adaptors/oidc/decoder.go
+++ b/pkg/adaptors/oidc/decoder.go
@@ -0,0 +1,53 @@
+package oidc
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"golang.org/x/xerrors"
+)
+
+type Decoder struct{}
+
+// DecodeIDToken returns the claims of the ID token.
+// Note that this method does not verify the signature and always trust it.
+func (d *Decoder) DecodeIDToken(t string) (*adaptors.DecodedIDToken, error) {
+	parts := strings.Split(t, ".")
+	if len(parts) != 3 {
+		return nil, xerrors.Errorf("token contains an invalid number of segments")
+	}
+	b, err := jwt.DecodeSegment(parts[1])
+	if err != nil {
+		return nil, xerrors.Errorf("could not decode the token: %w", err)
+	}
+	var claims jwt.StandardClaims
+	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&claims); err != nil {
+		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
+	}
+	var rawClaims map[string]interface{}
+	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&rawClaims); err != nil {
+		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
+	}
+	return &adaptors.DecodedIDToken{
+		IDTokenExpiry: time.Unix(claims.ExpiresAt, 0),
+		IDTokenClaims: dumpRawClaims(rawClaims),
+	}, nil
+}
+
+func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
+	claims := make(map[string]string)
+	for k, v := range rawClaims {
+		switch v.(type) {
+		case float64:
+			claims[k] = fmt.Sprintf("%.f", v.(float64))
+		default:
+			claims[k] = fmt.Sprintf("%v", v)
+		}
+	}
+	return claims
+}
--- a/pkg/adaptors/oidc/decoder_test.go
+++ b/pkg/adaptors/oidc/decoder_test.go
@@ -0,0 +1,87 @@
+package oidc
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+func TestDecoder_DecodeIDToken(t *testing.T) {
+	var decoder Decoder
+
+	t.Run("ValidToken", func(t *testing.T) {
+		expiry := time.Now().Round(time.Second)
+		idToken := newIDToken(t, "https://issuer.example.com", expiry)
+		decodedToken, err := decoder.DecodeIDToken(idToken)
+		if err != nil {
+			t.Fatalf("DecodeIDToken error: %s", err)
+		}
+		if decodedToken.IDTokenExpiry != expiry {
+			t.Errorf("IDTokenExpiry wants %s but %s", expiry, decodedToken.IDTokenExpiry)
+		}
+		t.Logf("IDTokenClaims=%+v", decodedToken.IDTokenClaims)
+	})
+	t.Run("InvalidToken", func(t *testing.T) {
+		decodedToken, err := decoder.DecodeIDToken("HEADER.INVALID_TOKEN.SIGNATURE")
+		if err == nil {
+			t.Errorf("error wants non-nil but nil")
+		} else {
+			t.Logf("expected error: %+v", err)
+		}
+		if decodedToken != nil {
+			t.Errorf("decodedToken wants nil but %+v", decodedToken)
+		}
+	})
+}
+
+func newIDToken(t *testing.T, issuer string, expiry time.Time) string {
+	t.Helper()
+	claims := struct {
+		jwt.StandardClaims
+		Nonce         string   `json:"nonce"`
+		Groups        []string `json:"groups"`
+		EmailVerified bool     `json:"email_verified"`
+	}{
+		StandardClaims: jwt.StandardClaims{
+			Issuer:    issuer,
+			Audience:  "kubernetes",
+			Subject:   "SUBJECT",
+			IssuedAt:  time.Now().Unix(),
+			ExpiresAt: expiry.Unix(),
+		},
+		Nonce:         "NONCE",
+		Groups:        []string{"admin", "users"},
+		EmailVerified: false,
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	s, err := token.SignedString(readPrivateKey(t, "testdata/jws.key"))
+	if err != nil {
+		t.Fatalf("Could not sign the claims: %s", err)
+	}
+	return s
+}
+
+func readPrivateKey(t *testing.T, name string) *rsa.PrivateKey {
+	t.Helper()
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		t.Fatalf("could not read the file: %s", err)
+	}
+	block, rest := pem.Decode(b)
+	if block == nil {
+		t.Fatalf("could not decode PEM")
+	}
+	if len(rest) > 0 {
+		t.Fatalf("PEM should contain single key but multiple keys")
+	}
+	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		t.Fatalf("could not parse the key: %s", err)
+	}
+	return k
+}
--- a/pkg/adaptors/oidc/logging/transport.go
+++ b/pkg/adaptors/oidc/logging/transport.go
@@ -0,0 +1,50 @@
+package logging
+
+import (
+	"net/http"
+	"net/http/httputil"
+
+	"github.com/int128/kubelogin/pkg/adaptors"
+)
+
+const (
+	logLevelDumpHeaders = 2
+	logLevelDumpBody    = 3
+)
+
+type Transport struct {
+	Base   http.RoundTripper
+	Logger adaptors.Logger
+}
+
+func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if !t.IsDumpEnabled() {
+		return t.Base.RoundTrip(req)
+	}
+
+	reqDump, err := httputil.DumpRequestOut(req, t.IsDumpBodyEnabled())
+	if err != nil {
+		t.Logger.Debugf(logLevelDumpHeaders, "could not dump the request: %s", err)
+		return t.Base.RoundTrip(req)
+	}
+	t.Logger.Debugf(logLevelDumpHeaders, "%s", string(reqDump))
+	resp, err := t.Base.RoundTrip(req)
+	if err != nil {
+		return resp, err
+	}
+	respDump, err := httputil.DumpResponse(resp, t.IsDumpBodyEnabled())
+	if err != nil {
+		t.Logger.Debugf(logLevelDumpHeaders, "could not dump the response: %s", err)
+		return resp, err
+	}
+	t.Logger.Debugf(logLevelDumpHeaders, "%s", string(respDump))
+	return resp, err
+}
+
+func (t *Transport) IsDumpEnabled() bool {
+	return t.Logger.IsEnabled(logLevelDumpHeaders)
+}
+
+func (t *Transport) IsDumpBodyEnabled() bool {
+	return t.Logger.IsEnabled(logLevelDumpBody)
+}
--- a/pkg/adaptors/oidc/logging/transport_test.go
+++ b/pkg/adaptors/oidc/logging/transport_test.go
@@ -0,0 +1,90 @@
+package logging
+
+import (
+	"bufio"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/mock_adaptors"
+)
+
+type mockTransport struct {
+	req  *http.Request
+	resp *http.Response
+}
+
+func (t *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	t.req = req
+	return t.resp, nil
+}
+
+func TestLoggingTransport_RoundTrip(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	logger := mock_adaptors.NewLogger(t, ctrl)
+	logger.EXPECT().
+		IsEnabled(gomock.Any()).
+		Return(true).
+		AnyTimes()
+
+	req := httptest.NewRequest("GET", "http://example.com/hello", nil)
+	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(`HTTP/1.1 200 OK
+Host: example.com
+
+dummy`)), req)
+	if err != nil {
+		t.Errorf("could not create a response: %s", err)
+	}
+	defer resp.Body.Close()
+
+	transport := &Transport{
+		Base:   &mockTransport{resp: resp},
+		Logger: logger,
+	}
+	gotResp, err := transport.RoundTrip(req)
+	if err != nil {
+		t.Errorf("RoundTrip error: %s", err)
+	}
+	if gotResp != resp {
+		t.Errorf("resp wants %v but %v", resp, gotResp)
+	}
+}
+
+func TestLoggingTransport_IsDumpEnabled(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	logger := mock_adaptors.NewLogger(t, ctrl)
+	logger.EXPECT().
+		IsEnabled(adaptors.LogLevel(logLevelDumpHeaders)).
+		Return(true)
+
+	transport := &Transport{
+		Logger: logger,
+	}
+	if transport.IsDumpEnabled() != true {
+		t.Errorf("IsDumpEnabled wants true")
+	}
+}
+
+func TestLoggingTransport_IsDumpBodyEnabled(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	logger := mock_adaptors.NewLogger(t, ctrl)
+	logger.EXPECT().
+		IsEnabled(adaptors.LogLevel(logLevelDumpBody)).
+		Return(true)
+
+	transport := &Transport{
+		Logger: logger,
+	}
+	if transport.IsDumpBodyEnabled() != true {
+		t.Errorf("IsDumpBodyEnabled wants true")
+	}
+}
--- a/pkg/adaptors/oidc/oidc.go
+++ b/pkg/adaptors/oidc/oidc.go
@@ -0,0 +1,207 @@
+package oidc
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/coreos/go-oidc"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc/logging"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc/tls"
+	"github.com/int128/oauth2cli"
+	"github.com/pkg/browser"
+	"golang.org/x/oauth2"
+	"golang.org/x/xerrors"
+)
+
+func init() {
+	// In credential plugin mode, some browser launcher writes a message to stdout
+	// and it may break the credential json for client-go.
+	// This prevents the browser launcher from breaking the credential json.
+	browser.Stdout = os.Stderr
+}
+
+// Set provides an implementation and interface for OIDC.
+var Set = wire.NewSet(
+	wire.Struct(new(Factory), "*"),
+	wire.Bind(new(adaptors.OIDC), new(*Factory)),
+	wire.Struct(new(Decoder)),
+	wire.Bind(new(adaptors.OIDCDecoder), new(*Decoder)),
+)
+
+type Factory struct {
+	Logger adaptors.Logger
+}
+
+// New returns an instance of adaptors.OIDCClient with the given configuration.
+func (f *Factory) New(ctx context.Context, config adaptors.OIDCClientConfig) (adaptors.OIDCClient, error) {
+	tlsConfig, err := tls.NewConfig(config, f.Logger)
+	if err != nil {
+		return nil, xerrors.Errorf("could not initialize TLS config: %w", err)
+	}
+	baseTransport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	loggingTransport := &logging.Transport{
+		Base:   baseTransport,
+		Logger: f.Logger,
+	}
+	httpClient := &http.Client{
+		Transport: loggingTransport,
+	}
+
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	provider, err := oidc.NewProvider(ctx, config.Config.IDPIssuerURL)
+	if err != nil {
+		return nil, xerrors.Errorf("could not discovery the OIDC issuer: %w", err)
+	}
+	return &client{
+		httpClient: httpClient,
+		provider:   provider,
+		oauth2Config: oauth2.Config{
+			Endpoint:     provider.Endpoint(),
+			ClientID:     config.Config.ClientID,
+			ClientSecret: config.Config.ClientSecret,
+			Scopes:       append(config.Config.ExtraScopes, oidc.ScopeOpenID),
+		},
+		logger: f.Logger,
+	}, nil
+}
+
+type client struct {
+	httpClient   *http.Client
+	provider     *oidc.Provider
+	oauth2Config oauth2.Config
+	logger       adaptors.Logger
+}
+
+func (c *client) wrapContext(ctx context.Context) context.Context {
+	if c.httpClient != nil {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
+	}
+	return ctx
+}
+
+// AuthenticateByCode performs the authorization code flow.
+func (c *client) AuthenticateByCode(ctx context.Context, in adaptors.OIDCAuthenticateByCodeIn) (*adaptors.OIDCAuthenticateOut, error) {
+	ctx = c.wrapContext(ctx)
+	nonce, err := newNonce()
+	if err != nil {
+		return nil, xerrors.Errorf("could not generate a nonce parameter")
+	}
+	config := oauth2cli.Config{
+		OAuth2Config:       c.oauth2Config,
+		LocalServerPort:    in.LocalServerPort,
+		SkipOpenBrowser:    in.SkipOpenBrowser,
+		AuthCodeOptions:    []oauth2.AuthCodeOption{oauth2.AccessTypeOffline, oidc.Nonce(nonce)},
+		ShowLocalServerURL: in.ShowLocalServerURL.ShowLocalServerURL,
+	}
+	token, err := oauth2cli.GetToken(ctx, config)
+	if err != nil {
+		return nil, xerrors.Errorf("could not get a token: %w", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
+	}
+	if verifiedIDToken.Nonce != nonce {
+		return nil, xerrors.Errorf("nonce of ID token did not match (want %s but was %s)", nonce, verifiedIDToken.Nonce)
+	}
+	claims, err := dumpClaims(verifiedIDToken)
+	if err != nil {
+		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
+	}
+	return &adaptors.OIDCAuthenticateOut{
+		IDToken:       idToken,
+		RefreshToken:  token.RefreshToken,
+		IDTokenExpiry: verifiedIDToken.Expiry,
+		IDTokenClaims: claims,
+	}, nil
+}
+
+func newNonce() (string, error) {
+	var n uint64
+	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
+		return "", xerrors.Errorf("error while reading random: %w", err)
+	}
+	return fmt.Sprintf("%x", n), nil
+}
+
+// AuthenticateByPassword performs the resource owner password credentials flow.
+func (c *client) AuthenticateByPassword(ctx context.Context, in adaptors.OIDCAuthenticateByPasswordIn) (*adaptors.OIDCAuthenticateOut, error) {
+	ctx = c.wrapContext(ctx)
+	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, in.Username, in.Password)
+	if err != nil {
+		return nil, xerrors.Errorf("could not get a token: %w", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
+	}
+	claims, err := dumpClaims(verifiedIDToken)
+	if err != nil {
+		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
+	}
+	return &adaptors.OIDCAuthenticateOut{
+		IDToken:       idToken,
+		RefreshToken:  token.RefreshToken,
+		IDTokenExpiry: verifiedIDToken.Expiry,
+		IDTokenClaims: claims,
+	}, nil
+}
+
+// Refresh sends a refresh token request and returns a token set.
+func (c *client) Refresh(ctx context.Context, in adaptors.OIDCRefreshIn) (*adaptors.OIDCAuthenticateOut, error) {
+	ctx = c.wrapContext(ctx)
+	currentToken := &oauth2.Token{
+		Expiry:       time.Now(),
+		RefreshToken: in.RefreshToken,
+	}
+	source := c.oauth2Config.TokenSource(ctx, currentToken)
+	token, err := source.Token()
+	if err != nil {
+		return nil, xerrors.Errorf("could not refresh the token: %w", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
+	}
+	claims, err := dumpClaims(verifiedIDToken)
+	if err != nil {
+		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
+	}
+	return &adaptors.OIDCAuthenticateOut{
+		IDToken:       idToken,
+		RefreshToken:  token.RefreshToken,
+		IDTokenExpiry: verifiedIDToken.Expiry,
+		IDTokenClaims: claims,
+	}, nil
+}
+
+func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
+	var rawClaims map[string]interface{}
+	err := token.Claims(&rawClaims)
+	return dumpRawClaims(rawClaims), err
+}
--- a/pkg/adaptors/oidc/testdata/Makefile
+++ b/pkg/adaptors/oidc/testdata/Makefile
@@ -0,0 +1,8 @@
+all: jws.key
+
+jws.key:
+	openssl genrsa -out $@ 1024
+
+.PHONY: clean
+clean:
+	-rm -v jws.key
--- a/pkg/adaptors/oidc/testdata/jws.key
+++ b/pkg/adaptors/oidc/testdata/jws.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCrH34yA/f/sBOUlkYnRtd2jgDZ3WivhidqvoQaa73xqTazbkn6
+GZ9r7jx0CGLRV2bmErj2WoyT54yrhezrKh0YXAHlrwLdsmV4dwiV0lOfUJd9P/vF
+e2hiAWv4CcO9ZuNkTsrxM5W8Wdj2tjqOvsIn4We+HWPkpknT7VtT5RrumwIDAQAB
+AoGAFqy5oA7+kZbXQV0YNqQgcMkoO7Ym5Ps1xeMwxf94z8jIQsZebxFuGnMa95UU
+4wBd1ias85fUANUxwpigaBjQee5Hk+dnfUe1snUWYNm9H6tKrXEF8ajer3a2knEv
+GfK0CSEumFougfW2xG88ChGTS60wc+MIRfXERCvWpGm/5EECQQDdv5IBSi89g/R1
+5AGZKFCoqr6Zw5bWEKPzCCYJZzncR1ER9vP2AnMExM8Io/87WYvmpZIUrXJvQYm8
+hkfVOcBZAkEAxY4VcqmRWru3zmnbj21MwcwtgESaONkWsHeYs1C/Y/3zt7TuelYz
+ZJ9aUuUsaiJLEs9Y26nMt0L0snWGr2noEwJBANaDp1PWFyMUTt3pB17JcFXqb15C
+pt1I1cGapWk9Uez1lMijNNhNAEWhuoKqW5Nnif5DN7EHJYfZR8x3vm/YYWkCQHAA
+0iAkCwjKDLe2RIjYiwAE5ncmbdl1GuwJokVnrlrei+LHbb1mSdTuk6MT006JCs8r
+R1GivzHXgCv9fdLN1IkCQHxRvv9RPND80eEkdMv4qu0s22OLRhLQ/pb+YeT5Cjjv
+pJYWKrvXdRZcuNde9JiiTgK2UW1wM8KeD/EGvK2yF6M=
+-----END RSA PRIVATE KEY-----
--- a/pkg/adaptors/oidc/tls/testdata/Makefile
+++ b/pkg/adaptors/oidc/tls/testdata/Makefile
@@ -0,0 +1,28 @@
+all: ca1.crt ca1.crt.base64 ca2.crt ca2.crt.base64 ca3.crt ca3.crt.base64
+
+.PHONY: clean
+clean:
+	-rm -v *.key *.csr *.crt *.base64
+
+%.key:
+	openssl genrsa -out $@ 1024
+
+%.csr: %.key
+	openssl req \
+		-new \
+		-key $< \
+		-subj "/CN=Hello" \
+		-days 3650 \
+		-out $@
+	openssl req -noout -text -in $@
+
+%.crt: %.csr %.key
+	openssl x509 -req \
+		-signkey $*.key \
+		-in $*.csr \
+		-days 3650 \
+		-out $@
+	openssl x509 -text -in $@
+
+%.crt.base64: %.crt
+	base64 -i $< -o $@
--- a/pkg/adaptors/oidc/tls/testdata/ca1.crt
+++ b/pkg/adaptors/oidc/tls/testdata/ca1.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCAQACCQCDf7Inwu3vkzANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDDAVI
+ZWxsbzAeFw0xOTA2MjQxMDQ0NDhaFw0yOTA2MjExMDQ0NDhaMBAxDjAMBgNVBAMM
+BUhlbGxvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCitZv5Go16nuHDRa2u
+nT5m1Q9tkr668pnhcP0TkyjD+oEB0lUz2SJEZEvOd1XVRRrPMSXrtybo9p0TqSGp
+Ig1gORWis/j/IR1sYdFutLKhtp6k1HvUiNosdO/K8K/AbO4QPWTGBAcqg//QkMKd
+ccgLY2PYczK/t8+6C7JYEHe5AwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACkPsyme
+JFlj75fO54NH5WXZxBtoY7kV3yd5oO88BngE8ittaHuauQkkw/sC5x733SsJlPlF
+trah4CDMjq5d/okIbIJFKe7NGLi82f9zJ+o1fjDp97UvZHC0zhUx+RiEu3iZRfYM
+31Ht7QG63V5ScV3Zmi1nzfQc4jn8d40kXXcn
+-----END CERTIFICATE-----
--- a/pkg/adaptors/oidc/tls/testdata/ca1.crt.base64
+++ b/pkg/adaptors/oidc/tls/testdata/ca1.crt.base64
@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJsekNDQVFBQ0NRQ0RmN0lud3Uzdmt6QU5CZ2txaGtpRzl3MEJBUVVGQURBUU1RNHdEQVlEVlFRRERBVkkKWld4c2J6QWVGdzB4T1RBMk1qUXhNRFEwTkRoYUZ3MHlPVEEyTWpFeE1EUTBORGhhTUJBeERqQU1CZ05WQkFNTQpCVWhsYkd4dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ2l0WnY1R28xNm51SERSYTJ1Cm5UNW0xUTl0a3I2NjhwbmhjUDBUa3lqRCtvRUIwbFV6MlNKRVpFdk9kMVhWUlJyUE1TWHJ0eWJvOXAwVHFTR3AKSWcxZ09SV2lzL2ovSVIxc1lkRnV0TEtodHA2azFIdlVpTm9zZE8vSzhLL0FiTzRRUFdUR0JBY3FnLy9Ra01LZApjY2dMWTJQWWN6Sy90OCs2QzdKWUVIZTVBd0lEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDa1BzeW1lCkpGbGo3NWZPNTROSDVXWFp4QnRvWTdrVjN5ZDVvTzg4Qm5nRThpdHRhSHVhdVFra3cvc0M1eDczM1NzSmxQbEYKdHJhaDRDRE1qcTVkL29rSWJJSkZLZTdOR0xpODJmOXpKK28xZmpEcDk3VXZaSEMwemhVeCtSaUV1M2laUmZZTQozMUh0N1FHNjNWNVNjVjNabWkxbnpmUWM0am44ZDQwa1hYY24KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
--- a/pkg/adaptors/oidc/tls/testdata/ca2.crt
+++ b/pkg/adaptors/oidc/tls/testdata/ca2.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCAQACCQCuudlGZuJvODANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDDAVI
+ZWxsbzAeFw0xOTA2MjQxMDQ0NDhaFw0yOTA2MjExMDQ0NDhaMBAxDjAMBgNVBAMM
+BUhlbGxvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHnrC3q5aCXhULGTTg
+w7psUbrH3gpHEExxlw6Zj+UBZHFhxOccGYfHPvqKwfRAKfqkP6VzLdYsfF0fuMOX
+ZzFk2hB1eAdl2dsFIn4hMll+jDdo9x+7NKvAXgsFF174ZMVTW26aAME8s4OrNuZT
+Fdrp7byuUkwUbSzDC/B/ct9MFQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAGXsF0IA
+yP3g1UTLpld2P38dvMXLGN6gwn0S0oh7AQMckJ35yh8CN/2rAkBVujyvGILLhh2/
+teoIjM2BcZsrsKZ+Jkr177fRIunsd7a+v18M/3/pVvxPZdnztXspycxIacd7yVbG
+5wjN+X7rkoBLhd+BT9+W9O/i+Cu7K89JOO64
+-----END CERTIFICATE-----
--- a/pkg/adaptors/oidc/tls/testdata/ca2.crt.base64
+++ b/pkg/adaptors/oidc/tls/testdata/ca2.crt.base64
@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJsekNDQVFBQ0NRQ3V1ZGxHWnVKdk9EQU5CZ2txaGtpRzl3MEJBUVVGQURBUU1RNHdEQVlEVlFRRERBVkkKWld4c2J6QWVGdzB4T1RBMk1qUXhNRFEwTkRoYUZ3MHlPVEEyTWpFeE1EUTBORGhhTUJBeERqQU1CZ05WQkFNTQpCVWhsYkd4dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREhuckMzcTVhQ1hoVUxHVFRnCnc3cHNVYnJIM2dwSEVFeHhsdzZaaitVQlpIRmh4T2NjR1lmSFB2cUt3ZlJBS2Zxa1A2VnpMZFlzZkYwZnVNT1gKWnpGazJoQjFlQWRsMmRzRkluNGhNbGwrakRkbzl4KzdOS3ZBWGdzRkYxNzRaTVZUVzI2YUFNRThzNE9yTnVaVApGZHJwN2J5dVVrd1ViU3pEQy9CL2N0OU1GUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFHWHNGMElBCnlQM2cxVVRMcGxkMlAzOGR2TVhMR042Z3duMFMwb2g3QVFNY2tKMzV5aDhDTi8yckFrQlZ1anl2R0lMTGhoMi8KdGVvSWpNMkJjWnNyc0taK0prcjE3N2ZSSXVuc2Q3YSt2MThNLzMvcFZ2eFBaZG56dFhzcHljeElhY2Q3eVZiRwo1d2pOK1g3cmtvQkxoZCtCVDkrVzlPL2krQ3U3Szg5Sk9PNjQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
--- a/pkg/adaptors/oidc/tls/testdata/ca3.crt
+++ b/pkg/adaptors/oidc/tls/testdata/ca3.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlzCCAQACCQDyFQsG5rDcJTANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDDAVI
+ZWxsbzAeFw0xOTA2MjQxMDQ0NDhaFw0yOTA2MjExMDQ0NDhaMBAxDjAMBgNVBAMM
+BUhlbGxvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUBsXHnAjPL3ejyNRs
+INI0cp4Sv4HzgXmL6nypzTdEOT3UcqfvZYj3dr4FWZytxb6XgvyvIzoV++GS22cf
+arXwwv0Z6CWiJXI+WQFdsQRQoAt4ucIa046b18p6mCiHfaH98aCOq9K3sxTfNOm3
+kWAi6oFzB5C+6HalQ+rWFSVWHQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALQfsBMR
+pxD9vzTmhw+rc0HKei9QMViIC3KYPdzvCCe0lMjrWzvcmTtUyCNJm2J2GwBVfyok
+zeUskYjinppBy/ZmzpWTeqTLOoeozgAh/Jgya5cPh01BP+pPFYmcQ5wOZHK5PPSP
+jvfqMeYs8TjXJRjdBKcMuZAN/8g2Ubtn+QbM
+-----END CERTIFICATE-----
--- a/pkg/adaptors/oidc/tls/testdata/ca3.crt.base64
+++ b/pkg/adaptors/oidc/tls/testdata/ca3.crt.base64
@@ -0,0 +1 @@
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJsekNDQVFBQ0NRRHlGUXNHNXJEY0pUQU5CZ2txaGtpRzl3MEJBUVVGQURBUU1RNHdEQVlEVlFRRERBVkkKWld4c2J6QWVGdzB4T1RBMk1qUXhNRFEwTkRoYUZ3MHlPVEEyTWpFeE1EUTBORGhhTUJBeERqQU1CZ05WQkFNTQpCVWhsYkd4dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRFVCc1hIbkFqUEwzZWp5TlJzCklOSTBjcDRTdjRIemdYbUw2bnlwelRkRU9UM1VjcWZ2WllqM2RyNEZXWnl0eGI2WGd2eXZJem9WKytHUzIyY2YKYXJYd3d2MFo2Q1dpSlhJK1dRRmRzUVJRb0F0NHVjSWEwNDZiMThwNm1DaUhmYUg5OGFDT3E5SzNzeFRmTk9tMwprV0FpNm9GekI1Qys2SGFsUStyV0ZTVldIUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFMUWZzQk1SCnB4RDl2elRtaHcrcmMwSEtlaTlRTVZpSUMzS1lQZHp2Q0NlMGxNanJXenZjbVR0VXlDTkptMkoyR3dCVmZ5b2sKemVVc2tZamlucHBCeS9abXpwV1RlcVRMT29lb3pnQWgvSmd5YTVjUGgwMUJQK3BQRlltY1E1d09aSEs1UFBTUApqdmZxTWVZczhUalhKUmpkQktjTXVaQU4vOGcyVWJ0bitRYk0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
--- a/pkg/adaptors/oidc/tls/tls.go
+++ b/pkg/adaptors/oidc/tls/tls.go
@@ -0,0 +1,66 @@
+package tls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io/ioutil"
+
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"golang.org/x/xerrors"
+)
+
+// NewConfig returns a tls.Config with the given certificates and options.
+func NewConfig(config adaptors.OIDCClientConfig, logger adaptors.Logger) (*tls.Config, error) {
+	pool := x509.NewCertPool()
+	if config.Config.IDPCertificateAuthority != "" {
+		logger.Debugf(1, "Loading the certificate %s", config.Config.IDPCertificateAuthority)
+		err := appendCertificateFromFile(pool, config.Config.IDPCertificateAuthority)
+		if err != nil {
+			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority: %w", err)
+		}
+	}
+	if config.Config.IDPCertificateAuthorityData != "" {
+		logger.Debugf(1, "Loading the certificate of idp-certificate-authority-data")
+		err := appendEncodedCertificate(pool, config.Config.IDPCertificateAuthorityData)
+		if err != nil {
+			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority-data: %w", err)
+		}
+	}
+	if config.CACertFilename != "" {
+		logger.Debugf(1, "Loading the certificate %s", config.CACertFilename)
+		err := appendCertificateFromFile(pool, config.CACertFilename)
+		if err != nil {
+			return nil, xerrors.Errorf("could not load the certificate: %w", err)
+		}
+	}
+	c := &tls.Config{
+		InsecureSkipVerify: config.SkipTLSVerify,
+	}
+	if len(pool.Subjects()) > 0 {
+		c.RootCAs = pool
+	}
+	return c, nil
+}
+
+func appendCertificateFromFile(pool *x509.CertPool, filename string) error {
+	b, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return xerrors.Errorf("could not read %s: %w", filename, err)
+	}
+	if !pool.AppendCertsFromPEM(b) {
+		return xerrors.Errorf("could not append certificate from %s", filename)
+	}
+	return nil
+}
+
+func appendEncodedCertificate(pool *x509.CertPool, base64String string) error {
+	b, err := base64.StdEncoding.DecodeString(base64String)
+	if err != nil {
+		return xerrors.Errorf("could not decode base64: %w", err)
+	}
+	if !pool.AppendCertsFromPEM(b) {
+		return xerrors.Errorf("could not append certificate")
+	}
+	return nil
+}
--- a/pkg/adaptors/oidc/tls/tls_test.go
+++ b/pkg/adaptors/oidc/tls/tls_test.go
@@ -0,0 +1,89 @@
+package tls
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/int128/kubelogin/e2e_test/logger"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+)
+
+func TestNewConfig(t *testing.T) {
+	testingLogger := logger.New(t)
+	testingLogger.SetLevel(1)
+
+	t.Run("Defaults", func(t *testing.T) {
+		c, err := NewConfig(adaptors.OIDCClientConfig{}, testingLogger)
+		if err != nil {
+			t.Fatalf("NewConfig error: %+v", err)
+		}
+		if c.InsecureSkipVerify {
+			t.Errorf("InsecureSkipVerify wants false but true")
+		}
+		if c.RootCAs != nil {
+			t.Errorf("RootCAs wants nil but %+v", c.RootCAs)
+		}
+	})
+	t.Run("SkipTLSVerify", func(t *testing.T) {
+		config := adaptors.OIDCClientConfig{
+			SkipTLSVerify: true,
+		}
+		c, err := NewConfig(config, testingLogger)
+		if err != nil {
+			t.Fatalf("NewConfig error: %+v", err)
+		}
+		if !c.InsecureSkipVerify {
+			t.Errorf("InsecureSkipVerify wants true but false")
+		}
+		if c.RootCAs != nil {
+			t.Errorf("RootCAs wants nil but %+v", c.RootCAs)
+		}
+	})
+	t.Run("AllCertificates", func(t *testing.T) {
+		config := adaptors.OIDCClientConfig{
+			Config: kubeconfig.OIDCConfig{
+				IDPCertificateAuthority:     "testdata/ca1.crt",
+				IDPCertificateAuthorityData: string(readFile(t, "testdata/ca2.crt.base64")),
+			},
+			CACertFilename: "testdata/ca3.crt",
+		}
+		c, err := NewConfig(config, testingLogger)
+		if err != nil {
+			t.Fatalf("NewConfig error: %+v", err)
+		}
+		if c.InsecureSkipVerify {
+			t.Errorf("InsecureSkipVerify wants false but true")
+		}
+		if c.RootCAs == nil {
+			t.Fatalf("RootCAs wants non-nil but nil")
+		}
+		subjects := c.RootCAs.Subjects()
+		if len(subjects) != 3 {
+			t.Errorf("len(subjects) wants 3 but %d", len(subjects))
+		}
+	})
+	t.Run("InvalidCertificate", func(t *testing.T) {
+		config := adaptors.OIDCClientConfig{
+			Config: kubeconfig.OIDCConfig{
+				IDPCertificateAuthority:     "testdata/ca1.crt",
+				IDPCertificateAuthorityData: string(readFile(t, "testdata/ca2.crt.base64")),
+			},
+			CACertFilename: "testdata/Makefile", // invalid cert
+		}
+		_, err := NewConfig(config, testingLogger)
+		if err == nil {
+			t.Fatalf("NewConfig wants non-nil but nil")
+		}
+		t.Logf("expected error: %+v", err)
+	})
+}
+
+func readFile(t *testing.T, filename string) []byte {
+	t.Helper()
+	b, err := ioutil.ReadFile(filename)
+	if err != nil {
+		t.Fatalf("ReadFile error: %s", err)
+	}
+	return b
+}
--- a/pkg/adaptors/tokencache/tokencache.go
+++ b/pkg/adaptors/tokencache/tokencache.go
@@ -0,0 +1,64 @@
+package tokencache
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"os"
+	"path/filepath"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+	"golang.org/x/xerrors"
+)
+
+// Set provides an implementation and interface for Kubeconfig.
+var Set = wire.NewSet(
+	wire.Struct(new(Repository), "*"),
+	wire.Bind(new(adaptors.TokenCacheRepository), new(*Repository)),
+)
+
+// Repository provides access to the token cache on the local filesystem.
+// Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
+type Repository struct{}
+
+func (r *Repository) FindByKey(dir string, key credentialplugin.TokenCacheKey) (*credentialplugin.TokenCache, error) {
+	filename := filepath.Join(dir, computeFilename(key))
+	f, err := os.Open(filename)
+	if err != nil {
+		return nil, xerrors.Errorf("could not open file %s: %w", filename, err)
+	}
+	defer f.Close()
+	d := json.NewDecoder(f)
+	var c credentialplugin.TokenCache
+	if err := d.Decode(&c); err != nil {
+		return nil, xerrors.Errorf("could not decode json file %s: %w", filename, err)
+	}
+	return &c, nil
+}
+
+func (r *Repository) Save(dir string, key credentialplugin.TokenCacheKey, cache credentialplugin.TokenCache) error {
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return xerrors.Errorf("could not create directory %s: %w", dir, err)
+	}
+	filename := filepath.Join(dir, computeFilename(key))
+	f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return xerrors.Errorf("could not create file %s: %w", filename, err)
+	}
+	defer f.Close()
+	e := json.NewEncoder(f)
+	if err := e.Encode(&cache); err != nil {
+		return xerrors.Errorf("could not encode json to file %s: %w", filename, err)
+	}
+	return nil
+}
+
+func computeFilename(key credentialplugin.TokenCacheKey) string {
+	s := sha256.New()
+	_, _ = s.Write([]byte(key.IssuerURL))
+	_, _ = s.Write([]byte{0x00})
+	_, _ = s.Write([]byte(key.ClientID))
+	return hex.EncodeToString(s.Sum(nil))
+}
--- a/pkg/adaptors/tokencache/tokencache_test.go
+++ b/pkg/adaptors/tokencache/tokencache_test.go
@@ -0,0 +1,81 @@
+package tokencache
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/go-test/deep"
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+)
+
+func TestRepository_FindByKey(t *testing.T) {
+	var r Repository
+
+	t.Run("Success", func(t *testing.T) {
+		dir, err := ioutil.TempDir("", "kube")
+		if err != nil {
+			t.Fatalf("could not create a temp dir: %s", err)
+		}
+		defer func() {
+			if err := os.RemoveAll(dir); err != nil {
+				t.Errorf("could not clean up the temp dir: %s", err)
+			}
+		}()
+		key := credentialplugin.TokenCacheKey{
+			IssuerURL: "YOUR_ISSUER",
+			ClientID:  "YOUR_CLIENT_ID",
+		}
+		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
+		filename := filepath.Join(dir, computeFilename(key))
+		if err := ioutil.WriteFile(filename, []byte(json), 0600); err != nil {
+			t.Fatalf("could not write to the temp file: %s", err)
+		}
+
+		tokenCache, err := r.FindByKey(dir, key)
+		if err != nil {
+			t.Errorf("err wants nil but %+v", err)
+		}
+		want := &credentialplugin.TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
+		if diff := deep.Equal(tokenCache, want); diff != nil {
+			t.Error(diff)
+		}
+	})
+}
+
+func TestRepository_Save(t *testing.T) {
+	var r Repository
+
+	t.Run("Success", func(t *testing.T) {
+		dir, err := ioutil.TempDir("", "kube")
+		if err != nil {
+			t.Fatalf("could not create a temp dir: %s", err)
+		}
+		defer func() {
+			if err := os.RemoveAll(dir); err != nil {
+				t.Errorf("could not clean up the temp dir: %s", err)
+			}
+		}()
+
+		key := credentialplugin.TokenCacheKey{
+			IssuerURL: "YOUR_ISSUER",
+			ClientID:  "YOUR_CLIENT_ID",
+		}
+		tokenCache := credentialplugin.TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
+		if err := r.Save(dir, key, tokenCache); err != nil {
+			t.Errorf("err wants nil but %+v", err)
+		}
+
+		filename := filepath.Join(dir, computeFilename(key))
+		b, err := ioutil.ReadFile(filename)
+		if err != nil {
+			t.Fatalf("could not read the token cache file: %s", err)
+		}
+		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
+`
+		if diff := deep.Equal(string(b), want); diff != nil {
+			t.Error(diff)
+		}
+	})
+}
--- a/pkg/di/di.go
+++ b/pkg/di/di.go
@@ -0,0 +1,57 @@
+//+build wireinject
+
+// Package di provides dependency injection.
+package di
+
+import (
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/cmd"
+	credentialPluginAdaptor "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/env"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	credentialPluginUseCase "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/login"
+)
+
+// NewCmd returns an instance of adaptors.Cmd.
+func NewCmd() adaptors.Cmd {
+	wire.Build(
+		auth.Set,
+		auth.ExtraSet,
+		login.Set,
+		credentialPluginUseCase.Set,
+		cmd.Set,
+		env.Set,
+		kubeconfig.Set,
+		tokencache.Set,
+		credentialPluginAdaptor.Set,
+		oidc.Set,
+		logger.Set,
+	)
+	return nil
+}
+
+// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
+func NewCmdForHeadless(
+	adaptors.Logger,
+	usecases.LoginShowLocalServerURL,
+	adaptors.CredentialPluginInteraction,
+) adaptors.Cmd {
+	wire.Build(
+		auth.Set,
+		login.Set,
+		credentialPluginUseCase.Set,
+		cmd.Set,
+		env.Set,
+		kubeconfig.Set,
+		tokencache.Set,
+		oidc.Set,
+	)
+	return nil
+}
--- a/pkg/di/wire_gen.go
+++ b/pkg/di/wire_gen.go
@@ -0,0 +1,96 @@
+// Code generated by Wire. DO NOT EDIT.
+
+//go:generate wire
+//+build !wireinject
+
+package di
+
+import (
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/cmd"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/env"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	credentialplugin2 "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/login"
+)
+
+// Injectors from di.go:
+
+func NewCmd() adaptors.Cmd {
+	adaptorsLogger := logger.New()
+	factory := &oidc.Factory{
+		Logger: adaptorsLogger,
+	}
+	decoder := &oidc.Decoder{}
+	envEnv := &env.Env{}
+	showLocalServerURL := &auth.ShowLocalServerURL{
+		Logger: adaptorsLogger,
+	}
+	authentication := &auth.Authentication{
+		OIDC:               factory,
+		OIDCDecoder:        decoder,
+		Env:                envEnv,
+		Logger:             adaptorsLogger,
+		ShowLocalServerURL: showLocalServerURL,
+	}
+	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
+	loginLogin := &login.Login{
+		Authentication: authentication,
+		Kubeconfig:     kubeconfigKubeconfig,
+		Logger:         adaptorsLogger,
+	}
+	repository := &tokencache.Repository{}
+	interaction := &credentialplugin.Interaction{}
+	getToken := &credentialplugin2.GetToken{
+		Authentication:       authentication,
+		TokenCacheRepository: repository,
+		Interaction:          interaction,
+		Logger:               adaptorsLogger,
+	}
+	cmdCmd := &cmd.Cmd{
+		Login:    loginLogin,
+		GetToken: getToken,
+		Logger:   adaptorsLogger,
+	}
+	return cmdCmd
+}
+
+func NewCmdForHeadless(adaptorsLogger adaptors.Logger, loginShowLocalServerURL usecases.LoginShowLocalServerURL, credentialPluginInteraction adaptors.CredentialPluginInteraction) adaptors.Cmd {
+	factory := &oidc.Factory{
+		Logger: adaptorsLogger,
+	}
+	decoder := &oidc.Decoder{}
+	envEnv := &env.Env{}
+	authentication := &auth.Authentication{
+		OIDC:               factory,
+		OIDCDecoder:        decoder,
+		Env:                envEnv,
+		Logger:             adaptorsLogger,
+		ShowLocalServerURL: loginShowLocalServerURL,
+	}
+	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
+	loginLogin := &login.Login{
+		Authentication: authentication,
+		Kubeconfig:     kubeconfigKubeconfig,
+		Logger:         adaptorsLogger,
+	}
+	repository := &tokencache.Repository{}
+	getToken := &credentialplugin2.GetToken{
+		Authentication:       authentication,
+		TokenCacheRepository: repository,
+		Interaction:          credentialPluginInteraction,
+		Logger:               adaptorsLogger,
+	}
+	cmdCmd := &cmd.Cmd{
+		Login:    loginLogin,
+		GetToken: getToken,
+		Logger:   adaptorsLogger,
+	}
+	return cmdCmd
+}
--- a/pkg/models/credentialplugin/credential_plugin.go
+++ b/pkg/models/credentialplugin/credential_plugin.go
@@ -0,0 +1,22 @@
+// Package credentialplugin provides models for the credential plugin.
+package credentialplugin
+
+import "time"
+
+// TokenCacheKey represents a key of a token cache.
+type TokenCacheKey struct {
+	IssuerURL string
+	ClientID  string
+}
+
+// TokenCache represents a token cache.
+type TokenCache struct {
+	IDToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+}
+
+// Output represents an output object of the credential plugin.
+type Output struct {
+	Token  string
+	Expiry time.Time
+}
--- a/pkg/models/kubeconfig/kubeconfig.go
+++ b/pkg/models/kubeconfig/kubeconfig.go
@@ -0,0 +1,28 @@
+package kubeconfig
+
+// ContextName represents name of a context.
+type ContextName string
+
+// UserName represents name of a user.
+type UserName string
+
+// AuthProvider represents the authentication provider,
+// i.e. context, user and auth-provider in a kubeconfig.
+type AuthProvider struct {
+	LocationOfOrigin string      // Path to the kubeconfig file which contains the user
+	UserName         UserName    // User name
+	ContextName      ContextName // Context name (optional)
+	OIDCConfig       OIDCConfig
+}
+
+// OIDCConfig represents a configuration of an OIDC provider.
+type OIDCConfig struct {
+	IDPIssuerURL                string   // idp-issuer-url
+	ClientID                    string   // client-id
+	ClientSecret                string   // client-secret
+	IDPCertificateAuthority     string   // (optional) idp-certificate-authority
+	IDPCertificateAuthorityData string   // (optional) idp-certificate-authority-data
+	ExtraScopes                 []string // (optional) extra-scopes
+	IDToken                     string   // (optional) id-token
+	RefreshToken                string   // (optional) refresh-token
+}
--- a/pkg/usecases/auth/auth.go
+++ b/pkg/usecases/auth/auth.go
@@ -0,0 +1,144 @@
+package auth
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"golang.org/x/xerrors"
+)
+
+// Set provides the use-case of Authentication.
+var Set = wire.NewSet(
+	wire.Struct(new(Authentication), "*"),
+	wire.Bind(new(usecases.Authentication), new(*Authentication)),
+)
+
+// ExtraSet is a set of interaction components for e2e testing.
+var ExtraSet = wire.NewSet(
+	wire.Struct(new(ShowLocalServerURL), "*"),
+	wire.Bind(new(usecases.LoginShowLocalServerURL), new(*ShowLocalServerURL)),
+)
+
+const passwordPrompt = "Password: "
+
+// Authentication provides the internal use-case of authentication.
+//
+// If the IDToken is not set, it performs the authentication flow.
+// If the IDToken is valid, it does nothing.
+// If the IDtoken has expired and the RefreshToken is set, it refreshes the token.
+// If the RefreshToken has expired, it performs the authentication flow.
+//
+// The authentication flow is determined as:
+//
+// If the Username is not set, it performs the authorization code flow.
+// Otherwise, it performs the resource owner password credentials flow.
+// If the Password is not set, it asks a password by the prompt.
+//
+type Authentication struct {
+	OIDC               adaptors.OIDC
+	OIDCDecoder        adaptors.OIDCDecoder
+	Env                adaptors.Env
+	Logger             adaptors.Logger
+	ShowLocalServerURL usecases.LoginShowLocalServerURL
+}
+
+func (u *Authentication) Do(ctx context.Context, in usecases.AuthenticationIn) (*usecases.AuthenticationOut, error) {
+	if in.OIDCConfig.IDToken != "" {
+		u.Logger.Debugf(1, "checking expiration of the existing token")
+		// Skip verification of the token to reduce time of a discovery request.
+		// Here it trusts the signature and claims and checks only expiration,
+		// because the token has been verified before caching.
+		token, err := u.OIDCDecoder.DecodeIDToken(in.OIDCConfig.IDToken)
+		if err != nil {
+			return nil, xerrors.Errorf("invalid token and you need to remove the cache: %w", err)
+		}
+		if token.IDTokenExpiry.After(time.Now()) { //TODO: inject time service
+			u.Logger.Debugf(1, "you already have a valid token until %s", token.IDTokenExpiry)
+			return &usecases.AuthenticationOut{
+				AlreadyHasValidIDToken: true,
+				IDToken:                in.OIDCConfig.IDToken,
+				RefreshToken:           in.OIDCConfig.RefreshToken,
+				IDTokenExpiry:          token.IDTokenExpiry,
+				IDTokenClaims:          token.IDTokenClaims,
+			}, nil
+		}
+		u.Logger.Debugf(1, "you have an expired token at %s", token.IDTokenExpiry)
+	}
+
+	u.Logger.Debugf(1, "initializing an OIDC client")
+	client, err := u.OIDC.New(ctx, adaptors.OIDCClientConfig{
+		Config:         in.OIDCConfig,
+		CACertFilename: in.CACertFilename,
+		SkipTLSVerify:  in.SkipTLSVerify,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("could not create an OIDC client: %w", err)
+	}
+
+	if in.OIDCConfig.RefreshToken != "" {
+		u.Logger.Debugf(1, "refreshing the token")
+		out, err := client.Refresh(ctx, adaptors.OIDCRefreshIn{
+			RefreshToken: in.OIDCConfig.RefreshToken,
+		})
+		if err == nil {
+			return &usecases.AuthenticationOut{
+				IDToken:       out.IDToken,
+				RefreshToken:  out.RefreshToken,
+				IDTokenExpiry: out.IDTokenExpiry,
+				IDTokenClaims: out.IDTokenClaims,
+			}, nil
+		}
+		u.Logger.Debugf(1, "could not refresh the token: %s", err)
+	}
+
+	if in.Username == "" {
+		u.Logger.Debugf(1, "performing the authentication code flow")
+		out, err := client.AuthenticateByCode(ctx, adaptors.OIDCAuthenticateByCodeIn{
+			LocalServerPort:    in.ListenPort,
+			SkipOpenBrowser:    in.SkipOpenBrowser,
+			ShowLocalServerURL: u.ShowLocalServerURL,
+		})
+		if err != nil {
+			return nil, xerrors.Errorf("error while the authorization code flow: %w", err)
+		}
+		return &usecases.AuthenticationOut{
+			IDToken:       out.IDToken,
+			RefreshToken:  out.RefreshToken,
+			IDTokenExpiry: out.IDTokenExpiry,
+			IDTokenClaims: out.IDTokenClaims,
+		}, nil
+	}
+
+	u.Logger.Debugf(1, "performing the resource owner password credentials flow")
+	if in.Password == "" {
+		in.Password, err = u.Env.ReadPassword(passwordPrompt)
+		if err != nil {
+			return nil, xerrors.Errorf("could not read a password: %w", err)
+		}
+	}
+	out, err := client.AuthenticateByPassword(ctx, adaptors.OIDCAuthenticateByPasswordIn{
+		Username: in.Username,
+		Password: in.Password,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("error while the resource owner password credentials flow: %w", err)
+	}
+	return &usecases.AuthenticationOut{
+		IDToken:       out.IDToken,
+		RefreshToken:  out.RefreshToken,
+		IDTokenExpiry: out.IDTokenExpiry,
+		IDTokenClaims: out.IDTokenClaims,
+	}, nil
+}
+
+// ShowLocalServerURL just shows the URL of local server to console.
+type ShowLocalServerURL struct {
+	Logger adaptors.Logger
+}
+
+func (s *ShowLocalServerURL) ShowLocalServerURL(url string) {
+	s.Logger.Printf("Open %s for authentication", url)
+}
--- a/pkg/usecases/auth/auth_test.go
+++ b/pkg/usecases/auth/auth_test.go
@@ -0,0 +1,367 @@
+package auth
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/go-test/deep"
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/adaptors/mock_adaptors"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"golang.org/x/xerrors"
+)
+
+func TestAuthentication_Do(t *testing.T) {
+	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
+	pastTime := time.Now().Add(-time.Hour)  //TODO: inject time service
+	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+
+	t.Run("AuthorizationCodeFlow", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			ListenPort:      []int{10000},
+			SkipOpenBrowser: true,
+			CACertFilename:  "/path/to/cert",
+			SkipTLSVerify:   true,
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByCode(ctx, adaptors.OIDCAuthenticateByCodeIn{
+				LocalServerPort: []int{10000},
+				SkipOpenBrowser: true,
+			}).
+			Return(&adaptors.OIDCAuthenticateOut{
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
+		mockOIDC.EXPECT().
+			New(ctx, adaptors.OIDCClientConfig{
+				Config:         in.OIDCConfig,
+				CACertFilename: "/path/to/cert",
+				SkipTLSVerify:  true,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDC:   mockOIDC,
+			Logger: mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &usecases.AuthenticationOut{
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenExpiry: futureTime,
+			IDTokenClaims: dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ResourceOwnerPasswordCredentialsFlow/UsePassword", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			Username:       "USER",
+			Password:       "PASS",
+			CACertFilename: "/path/to/cert",
+			SkipTLSVerify:  true,
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByPassword(ctx, adaptors.OIDCAuthenticateByPasswordIn{
+				Username: "USER",
+				Password: "PASS",
+			}).
+			Return(&adaptors.OIDCAuthenticateOut{
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
+		mockOIDC.EXPECT().
+			New(ctx, adaptors.OIDCClientConfig{
+				Config:         in.OIDCConfig,
+				CACertFilename: "/path/to/cert",
+				SkipTLSVerify:  true,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDC:   mockOIDC,
+			Logger: mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &usecases.AuthenticationOut{
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenExpiry: futureTime,
+			IDTokenClaims: dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ResourceOwnerPasswordCredentialsFlow/AskPassword", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			Username: "USER",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByPassword(ctx, adaptors.OIDCAuthenticateByPasswordIn{
+				Username: "USER",
+				Password: "PASS",
+			}).
+			Return(&adaptors.OIDCAuthenticateOut{
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
+		mockOIDC.EXPECT().
+			New(ctx, adaptors.OIDCClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mockOIDCClient, nil)
+		mockEnv := mock_adaptors.NewMockEnv(ctrl)
+		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
+		u := Authentication{
+			OIDC:   mockOIDC,
+			Env:    mockEnv,
+			Logger: mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &usecases.AuthenticationOut{
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenExpiry: futureTime,
+			IDTokenClaims: dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ResourceOwnerPasswordCredentialsFlow/AskPasswordError", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			Username: "USER",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
+		mockOIDC.EXPECT().
+			New(ctx, adaptors.OIDCClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mock_adaptors.NewMockOIDCClient(ctrl), nil)
+		mockEnv := mock_adaptors.NewMockEnv(ctrl)
+		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("", xerrors.New("error"))
+		u := Authentication{
+			OIDC:   mockOIDC,
+			Env:    mockEnv,
+			Logger: mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err == nil {
+			t.Errorf("err wants non-nil but nil")
+		}
+		if out != nil {
+			t.Errorf("out wants nil but %+v", out)
+		}
+	})
+
+	t.Run("HasValidIDToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "VALID_ID_TOKEN",
+			},
+		}
+		mockOIDCDecoder := mock_adaptors.NewMockOIDCDecoder(ctrl)
+		mockOIDCDecoder.EXPECT().
+			DecodeIDToken("VALID_ID_TOKEN").
+			Return(&adaptors.DecodedIDToken{
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		u := Authentication{
+			OIDC:        mock_adaptors.NewMockOIDC(ctrl),
+			OIDCDecoder: mockOIDCDecoder,
+			Logger:      mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &usecases.AuthenticationOut{
+			AlreadyHasValidIDToken: true,
+			IDToken:                "VALID_ID_TOKEN",
+			IDTokenExpiry:          futureTime,
+			IDTokenClaims:          dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("HasValidRefreshToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "EXPIRED_ID_TOKEN",
+				RefreshToken: "VALID_REFRESH_TOKEN",
+			},
+		}
+		mockOIDCDecoder := mock_adaptors.NewMockOIDCDecoder(ctrl)
+		mockOIDCDecoder.EXPECT().
+			DecodeIDToken("EXPIRED_ID_TOKEN").
+			Return(&adaptors.DecodedIDToken{
+				IDTokenExpiry: pastTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
+		mockOIDCClient.EXPECT().
+			Refresh(ctx, adaptors.OIDCRefreshIn{
+				RefreshToken: "VALID_REFRESH_TOKEN",
+			}).
+			Return(&adaptors.OIDCAuthenticateOut{
+				IDToken:       "NEW_ID_TOKEN",
+				RefreshToken:  "NEW_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
+		mockOIDC.EXPECT().
+			New(ctx, adaptors.OIDCClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDC:        mockOIDC,
+			OIDCDecoder: mockOIDCDecoder,
+			Logger:      mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &usecases.AuthenticationOut{
+			IDToken:       "NEW_ID_TOKEN",
+			RefreshToken:  "NEW_REFRESH_TOKEN",
+			IDTokenExpiry: futureTime,
+			IDTokenClaims: dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.AuthenticationIn{
+			ListenPort: []int{10000},
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "EXPIRED_ID_TOKEN",
+				RefreshToken: "EXPIRED_REFRESH_TOKEN",
+			},
+		}
+		mockOIDCDecoder := mock_adaptors.NewMockOIDCDecoder(ctrl)
+		mockOIDCDecoder.EXPECT().
+			DecodeIDToken("EXPIRED_ID_TOKEN").
+			Return(&adaptors.DecodedIDToken{
+				IDTokenExpiry: pastTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
+		mockOIDCClient.EXPECT().
+			Refresh(ctx, adaptors.OIDCRefreshIn{
+				RefreshToken: "EXPIRED_REFRESH_TOKEN",
+			}).
+			Return(nil, xerrors.New("token has expired"))
+		mockOIDCClient.EXPECT().
+			AuthenticateByCode(ctx, adaptors.OIDCAuthenticateByCodeIn{
+				LocalServerPort: []int{10000},
+			}).
+			Return(&adaptors.OIDCAuthenticateOut{
+				IDToken:       "NEW_ID_TOKEN",
+				RefreshToken:  "NEW_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
+		mockOIDC.EXPECT().
+			New(ctx, adaptors.OIDCClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDC:        mockOIDC,
+			OIDCDecoder: mockOIDCDecoder,
+			Logger:      mock_adaptors.NewLogger(t, ctrl),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &usecases.AuthenticationOut{
+			IDToken:       "NEW_ID_TOKEN",
+			RefreshToken:  "NEW_REFRESH_TOKEN",
+			IDTokenExpiry: futureTime,
+			IDTokenClaims: dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+}
--- a/pkg/usecases/credentialplugin/get_token.go
+++ b/pkg/usecases/credentialplugin/get_token.go
@@ -0,0 +1,77 @@
+// Package credentialplugin provides the use-cases for running as a client-go credentials plugin.
+//
+// See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
+package credentialplugin
+
+import (
+	"context"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"golang.org/x/xerrors"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(GetToken), "*"),
+	wire.Bind(new(usecases.GetToken), new(*GetToken)),
+)
+
+type GetToken struct {
+	Authentication       usecases.Authentication
+	TokenCacheRepository adaptors.TokenCacheRepository
+	Interaction          adaptors.CredentialPluginInteraction
+	Logger               adaptors.Logger
+}
+
+func (u *GetToken) Do(ctx context.Context, in usecases.GetTokenIn) error {
+	u.Logger.Debugf(1, "WARNING: log may contain your secrets such as token or password")
+
+	u.Logger.Debugf(1, "finding a token from cache directory %s", in.TokenCacheDir)
+	cacheKey := credentialplugin.TokenCacheKey{IssuerURL: in.IssuerURL, ClientID: in.ClientID}
+	cache, err := u.TokenCacheRepository.FindByKey(in.TokenCacheDir, cacheKey)
+	if err != nil {
+		u.Logger.Debugf(1, "could not find a token cache: %s", err)
+		cache = &credentialplugin.TokenCache{}
+	}
+	out, err := u.Authentication.Do(ctx, usecases.AuthenticationIn{
+		OIDCConfig: kubeconfig.OIDCConfig{
+			IDPIssuerURL: in.IssuerURL,
+			ClientID:     in.ClientID,
+			ClientSecret: in.ClientSecret,
+			ExtraScopes:  in.ExtraScopes,
+			IDToken:      cache.IDToken,
+			RefreshToken: cache.RefreshToken,
+		},
+		SkipOpenBrowser: in.SkipOpenBrowser,
+		ListenPort:      in.ListenPort,
+		Username:        in.Username,
+		Password:        in.Password,
+		CACertFilename:  in.CACertFilename,
+		SkipTLSVerify:   in.SkipTLSVerify,
+	})
+	if err != nil {
+		return xerrors.Errorf("error while authentication: %w", err)
+	}
+	for k, v := range out.IDTokenClaims {
+		u.Logger.Debugf(1, "the ID token has the claim: %s=%v", k, v)
+	}
+	if !out.AlreadyHasValidIDToken {
+		u.Logger.Printf("You got a valid token until %s", out.IDTokenExpiry)
+		cache := credentialplugin.TokenCache{
+			IDToken:      out.IDToken,
+			RefreshToken: out.RefreshToken,
+		}
+		if err := u.TokenCacheRepository.Save(in.TokenCacheDir, cacheKey, cache); err != nil {
+			return xerrors.Errorf("could not write the token cache: %w", err)
+		}
+	}
+
+	u.Logger.Debugf(1, "writing the token to client-go")
+	if err := u.Interaction.Write(credentialplugin.Output{Token: out.IDToken, Expiry: out.IDTokenExpiry}); err != nil {
+		return xerrors.Errorf("could not write the token to client-go: %w", err)
+	}
+	return nil
+}
--- a/pkg/usecases/credentialplugin/get_token_test.go
+++ b/pkg/usecases/credentialplugin/get_token_test.go
@@ -0,0 +1,181 @@
+package credentialplugin
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors/mock_adaptors"
+	"github.com/int128/kubelogin/pkg/models/credentialplugin"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"github.com/int128/kubelogin/pkg/usecases/mock_usecases"
+	"golang.org/x/xerrors"
+)
+
+func TestGetToken_Do(t *testing.T) {
+	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
+	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+
+	t.Run("FullOptions", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.GetTokenIn{
+			IssuerURL:       "https://accounts.google.com",
+			ClientID:        "YOUR_CLIENT_ID",
+			ClientSecret:    "YOUR_CLIENT_SECRET",
+			TokenCacheDir:   "/path/to/token-cache",
+			ListenPort:      []int{10000},
+			SkipOpenBrowser: true,
+			Username:        "USER",
+			Password:        "PASS",
+			CACertFilename:  "/path/to/cert",
+			SkipTLSVerify:   true,
+		}
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{
+				OIDCConfig: kubeconfig.OIDCConfig{
+					IDPIssuerURL: "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				},
+				ListenPort:      []int{10000},
+				SkipOpenBrowser: true,
+				Username:        "USER",
+				Password:        "PASS",
+				CACertFilename:  "/path/to/cert",
+				SkipTLSVerify:   true,
+			}).
+			Return(&usecases.AuthenticationOut{
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		tokenCacheRepository := mock_adaptors.NewMockTokenCacheRepository(ctrl)
+		tokenCacheRepository.EXPECT().
+			FindByKey("/path/to/token-cache", credentialplugin.TokenCacheKey{
+				IssuerURL: "https://accounts.google.com",
+				ClientID:  "YOUR_CLIENT_ID",
+			}).
+			Return(nil, xerrors.New("file not found"))
+		tokenCacheRepository.EXPECT().
+			Save("/path/to/token-cache",
+				credentialplugin.TokenCacheKey{
+					IssuerURL: "https://accounts.google.com",
+					ClientID:  "YOUR_CLIENT_ID",
+				},
+				credentialplugin.TokenCache{
+					IDToken:      "YOUR_ID_TOKEN",
+					RefreshToken: "YOUR_REFRESH_TOKEN",
+				})
+		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
+		credentialPluginInteraction.EXPECT().
+			Write(credentialplugin.Output{
+				Token:  "YOUR_ID_TOKEN",
+				Expiry: futureTime,
+			})
+		u := GetToken{
+			Authentication:       mockAuthentication,
+			TokenCacheRepository: tokenCacheRepository,
+			Interaction:          credentialPluginInteraction,
+			Logger:               mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+	})
+
+	t.Run("HasValidIDToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.GetTokenIn{
+			IssuerURL:     "https://accounts.google.com",
+			ClientID:      "YOUR_CLIENT_ID",
+			ClientSecret:  "YOUR_CLIENT_SECRET",
+			TokenCacheDir: "/path/to/token-cache",
+		}
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{
+				OIDCConfig: kubeconfig.OIDCConfig{
+					IDPIssuerURL: "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+					IDToken:      "VALID_ID_TOKEN",
+				},
+			}).
+			Return(&usecases.AuthenticationOut{
+				AlreadyHasValidIDToken: true,
+				IDToken:                "VALID_ID_TOKEN",
+				IDTokenExpiry:          futureTime,
+				IDTokenClaims:          dummyTokenClaims,
+			}, nil)
+		tokenCacheRepository := mock_adaptors.NewMockTokenCacheRepository(ctrl)
+		tokenCacheRepository.EXPECT().
+			FindByKey("/path/to/token-cache", credentialplugin.TokenCacheKey{
+				IssuerURL: "https://accounts.google.com",
+				ClientID:  "YOUR_CLIENT_ID",
+			}).
+			Return(&credentialplugin.TokenCache{
+				IDToken: "VALID_ID_TOKEN",
+			}, nil)
+		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
+		credentialPluginInteraction.EXPECT().
+			Write(credentialplugin.Output{
+				Token:  "VALID_ID_TOKEN",
+				Expiry: futureTime,
+			})
+		u := GetToken{
+			Authentication:       mockAuthentication,
+			TokenCacheRepository: tokenCacheRepository,
+			Interaction:          credentialPluginInteraction,
+			Logger:               mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+	})
+
+	t.Run("AuthenticationError", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.GetTokenIn{
+			IssuerURL:     "https://accounts.google.com",
+			ClientID:      "YOUR_CLIENT_ID",
+			ClientSecret:  "YOUR_CLIENT_SECRET",
+			TokenCacheDir: "/path/to/token-cache",
+		}
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{
+				OIDCConfig: kubeconfig.OIDCConfig{
+					IDPIssuerURL: "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				},
+			}).
+			Return(nil, xerrors.New("authentication error"))
+		tokenCacheRepository := mock_adaptors.NewMockTokenCacheRepository(ctrl)
+		tokenCacheRepository.EXPECT().
+			FindByKey("/path/to/token-cache", credentialplugin.TokenCacheKey{
+				IssuerURL: "https://accounts.google.com",
+				ClientID:  "YOUR_CLIENT_ID",
+			}).
+			Return(nil, xerrors.New("file not found"))
+		u := GetToken{
+			Authentication:       mockAuthentication,
+			TokenCacheRepository: tokenCacheRepository,
+			Interaction:          mock_adaptors.NewMockCredentialPluginInteraction(ctrl),
+			Logger:               mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err == nil {
+			t.Errorf("err wants non-nil but nil")
+		}
+	})
+}
--- a/pkg/usecases/interfaces.go
+++ b/pkg/usecases/interfaces.go
@@ -0,0 +1,76 @@
+package usecases
+
+import (
+	"context"
+	"time"
+
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+)
+
+//go:generate mockgen -destination mock_usecases/mock_usecases.go github.com/int128/kubelogin/pkg/usecases Login,GetToken,Authentication
+
+type Login interface {
+	Do(ctx context.Context, in LoginIn) error
+}
+
+// LoginIn represents an input DTO of the Login use-case.
+type LoginIn struct {
+	KubeconfigFilename string                 // Default to the environment variable or global config as kubectl
+	KubeconfigContext  kubeconfig.ContextName // Default to the current context but ignored if KubeconfigUser is set
+	KubeconfigUser     kubeconfig.UserName    // Default to the user of the context
+	SkipOpenBrowser    bool
+	ListenPort         []int
+	Username           string // If set, perform the resource owner password credentials grant
+	Password           string // If empty, read a password using Env.ReadPassword()
+	CACertFilename     string // If set, use the CA cert
+	SkipTLSVerify      bool
+}
+
+// LoginShowLocalServerURL provides an interface to notify the URL of local server.
+// It is needed for the end-to-end tests.
+type LoginShowLocalServerURL interface {
+	ShowLocalServerURL(url string)
+}
+
+type GetToken interface {
+	Do(ctx context.Context, in GetTokenIn) error
+}
+
+// GetTokenIn represents an input DTO of the GetToken use-case.
+type GetTokenIn struct {
+	IssuerURL       string
+	ClientID        string
+	ClientSecret    string
+	ExtraScopes     []string // optional
+	SkipOpenBrowser bool
+	ListenPort      []int
+	Username        string // If set, perform the resource owner password credentials grant
+	Password        string // If empty, read a password using Env.ReadPassword()
+	CACertFilename  string // If set, use the CA cert
+	SkipTLSVerify   bool
+	TokenCacheDir   string
+}
+
+type Authentication interface {
+	Do(ctx context.Context, in AuthenticationIn) (*AuthenticationOut, error)
+}
+
+// AuthenticationIn represents an input DTO of the Authentication use-case.
+type AuthenticationIn struct {
+	OIDCConfig      kubeconfig.OIDCConfig
+	SkipOpenBrowser bool
+	ListenPort      []int
+	Username        string // If set, perform the resource owner password credentials grant
+	Password        string // If empty, read a password using Env.ReadPassword()
+	CACertFilename  string // If set, use the CA cert
+	SkipTLSVerify   bool
+}
+
+// AuthenticationIn represents an output DTO of the Authentication use-case.
+type AuthenticationOut struct {
+	AlreadyHasValidIDToken bool
+	IDTokenExpiry          time.Time
+	IDTokenClaims          map[string]string
+	IDToken                string
+	RefreshToken           string
+}
--- a/pkg/usecases/login/login.go
+++ b/pkg/usecases/login/login.go
@@ -0,0 +1,76 @@
+package login
+
+import (
+	"context"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"golang.org/x/xerrors"
+)
+
+// Set provides the use-cases of logging in.
+var Set = wire.NewSet(
+	wire.Struct(new(Login), "*"),
+	wire.Bind(new(usecases.Login), new(*Login)),
+)
+
+const oidcConfigErrorMessage = `No OIDC configuration found. Did you setup kubectl for OIDC authentication?
+  kubectl config set-credentials CONTEXT_NAME \
+    --auth-provider oidc \
+    --auth-provider-arg idp-issuer-url=https://issuer.example.com \
+    --auth-provider-arg client-id=YOUR_CLIENT_ID \
+    --auth-provider-arg client-secret=YOUR_CLIENT_SECRET`
+
+// Login provides the use case of explicit login.
+//
+// If the current auth provider is not oidc, show the error.
+// If the kubeconfig has a valid token, do nothing.
+// Otherwise, update the kubeconfig.
+//
+type Login struct {
+	Authentication usecases.Authentication
+	Kubeconfig     adaptors.Kubeconfig
+	Logger         adaptors.Logger
+}
+
+func (u *Login) Do(ctx context.Context, in usecases.LoginIn) error {
+	u.Logger.Debugf(1, "WARNING: log may contain your secrets such as token or password")
+
+	authProvider, err := u.Kubeconfig.GetCurrentAuthProvider(in.KubeconfigFilename, in.KubeconfigContext, in.KubeconfigUser)
+	if err != nil {
+		u.Logger.Printf(oidcConfigErrorMessage)
+		return xerrors.Errorf("could not find the current authentication provider: %w", err)
+	}
+	u.Logger.Debugf(1, "using the authentication provider of the user %s", authProvider.UserName)
+	u.Logger.Debugf(1, "a token will be written to %s", authProvider.LocationOfOrigin)
+
+	out, err := u.Authentication.Do(ctx, usecases.AuthenticationIn{
+		OIDCConfig:      authProvider.OIDCConfig,
+		SkipOpenBrowser: in.SkipOpenBrowser,
+		ListenPort:      in.ListenPort,
+		Username:        in.Username,
+		Password:        in.Password,
+		CACertFilename:  in.CACertFilename,
+		SkipTLSVerify:   in.SkipTLSVerify,
+	})
+	if err != nil {
+		return xerrors.Errorf("error while authentication: %w", err)
+	}
+	for k, v := range out.IDTokenClaims {
+		u.Logger.Debugf(1, "the ID token has the claim: %s=%v", k, v)
+	}
+	if out.AlreadyHasValidIDToken {
+		u.Logger.Printf("You already have a valid token until %s", out.IDTokenExpiry)
+		return nil
+	}
+
+	u.Logger.Printf("You got a valid token until %s", out.IDTokenExpiry)
+	authProvider.OIDCConfig.IDToken = out.IDToken
+	authProvider.OIDCConfig.RefreshToken = out.RefreshToken
+	u.Logger.Debugf(1, "writing the ID token and refresh token to %s", authProvider.LocationOfOrigin)
+	if err := u.Kubeconfig.UpdateAuthProvider(authProvider); err != nil {
+		return xerrors.Errorf("could not write the token to the kubeconfig: %w", err)
+	}
+	return nil
+}
--- a/pkg/usecases/login/login_test.go
+++ b/pkg/usecases/login/login_test.go
@@ -0,0 +1,225 @@
+package login
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors/mock_adaptors"
+	"github.com/int128/kubelogin/pkg/models/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases"
+	"github.com/int128/kubelogin/pkg/usecases/mock_usecases"
+	"golang.org/x/xerrors"
+)
+
+func TestLogin_Do(t *testing.T) {
+	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
+	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+
+	t.Run("FullOptions", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.LoginIn{
+			KubeconfigFilename: "/path/to/kubeconfig",
+			KubeconfigContext:  "theContext",
+			KubeconfigUser:     "theUser",
+			ListenPort:         []int{10000},
+			SkipOpenBrowser:    true,
+			Username:           "USER",
+			Password:           "PASS",
+			CACertFilename:     "/path/to/cert",
+			SkipTLSVerify:      true,
+		}
+		currentAuthProvider := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "theUser",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig.EXPECT().
+			GetCurrentAuthProvider("/path/to/kubeconfig", kubeconfig.ContextName("theContext"), kubeconfig.UserName("theUser")).
+			Return(currentAuthProvider, nil)
+		mockKubeconfig.EXPECT().
+			UpdateAuthProvider(&kubeconfig.AuthProvider{
+				LocationOfOrigin: "/path/to/kubeconfig",
+				UserName:         "theUser",
+				OIDCConfig: kubeconfig.OIDCConfig{
+					IDPIssuerURL: "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+					IDToken:      "YOUR_ID_TOKEN",
+					RefreshToken: "YOUR_REFRESH_TOKEN",
+				},
+			})
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{
+				OIDCConfig:      currentAuthProvider.OIDCConfig,
+				ListenPort:      []int{10000},
+				SkipOpenBrowser: true,
+				Username:        "USER",
+				Password:        "PASS",
+				CACertFilename:  "/path/to/cert",
+				SkipTLSVerify:   true,
+			}).
+			Return(&usecases.AuthenticationOut{
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		u := Login{
+			Authentication: mockAuthentication,
+			Kubeconfig:     mockKubeconfig,
+			Logger:         mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+	})
+
+	t.Run("HasValidIDToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.LoginIn{}
+		currentAuthProvider := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "theUser",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "VALID_ID_TOKEN",
+			},
+		}
+		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig.EXPECT().
+			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
+			Return(currentAuthProvider, nil)
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{OIDCConfig: currentAuthProvider.OIDCConfig}).
+			Return(&usecases.AuthenticationOut{
+				AlreadyHasValidIDToken: true,
+				IDToken:                "VALID_ID_TOKEN",
+				IDTokenExpiry:          futureTime,
+				IDTokenClaims:          dummyTokenClaims,
+			}, nil)
+		u := Login{
+			Authentication: mockAuthentication,
+			Kubeconfig:     mockKubeconfig,
+			Logger:         mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+	})
+
+	t.Run("NoOIDCConfig", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.LoginIn{}
+		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig.EXPECT().
+			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
+			Return(nil, xerrors.New("no oidc config"))
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		u := Login{
+			Authentication: mockAuthentication,
+			Kubeconfig:     mockKubeconfig,
+			Logger:         mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err == nil {
+			t.Errorf("err wants non-nil but nil")
+		}
+	})
+
+	t.Run("AuthenticationError", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.LoginIn{}
+		currentAuthProvider := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "google",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig.EXPECT().
+			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
+			Return(currentAuthProvider, nil)
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{OIDCConfig: currentAuthProvider.OIDCConfig}).
+			Return(nil, xerrors.New("authentication error"))
+		u := Login{
+			Authentication: mockAuthentication,
+			Kubeconfig:     mockKubeconfig,
+			Logger:         mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err == nil {
+			t.Errorf("err wants non-nil but nil")
+		}
+	})
+
+	t.Run("WriteError", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx := context.TODO()
+		in := usecases.LoginIn{}
+		currentAuthProvider := &kubeconfig.AuthProvider{
+			LocationOfOrigin: "/path/to/kubeconfig",
+			UserName:         "google",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig.EXPECT().
+			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
+			Return(currentAuthProvider, nil)
+		mockKubeconfig.EXPECT().
+			UpdateAuthProvider(&kubeconfig.AuthProvider{
+				LocationOfOrigin: "/path/to/kubeconfig",
+				UserName:         "google",
+				OIDCConfig: kubeconfig.OIDCConfig{
+					IDPIssuerURL: "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+					IDToken:      "YOUR_ID_TOKEN",
+					RefreshToken: "YOUR_REFRESH_TOKEN",
+				},
+			}).
+			Return(xerrors.New("I/O error"))
+		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication.EXPECT().
+			Do(ctx, usecases.AuthenticationIn{OIDCConfig: currentAuthProvider.OIDCConfig}).
+			Return(&usecases.AuthenticationOut{
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenExpiry: futureTime,
+				IDTokenClaims: dummyTokenClaims,
+			}, nil)
+		u := Login{
+			Authentication: mockAuthentication,
+			Kubeconfig:     mockKubeconfig,
+			Logger:         mock_adaptors.NewLogger(t, ctrl),
+		}
+		if err := u.Do(ctx, in); err == nil {
+			t.Errorf("err wants non-nil but nil")
+		}
+	})
+}
--- a/pkg/usecases/mock_usecases/mock_usecases.go
+++ b/pkg/usecases/mock_usecases/mock_usecases.go
@@ -0,0 +1,118 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/usecases (interfaces: Login,GetToken,Authentication)
+
+// Package mock_usecases is a generated GoMock package.
+package mock_usecases
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	usecases "github.com/int128/kubelogin/pkg/usecases"
+	reflect "reflect"
+)
+
+// MockLogin is a mock of Login interface
+type MockLogin struct {
+	ctrl     *gomock.Controller
+	recorder *MockLoginMockRecorder
+}
+
+// MockLoginMockRecorder is the mock recorder for MockLogin
+type MockLoginMockRecorder struct {
+	mock *MockLogin
+}
+
+// NewMockLogin creates a new mock instance
+func NewMockLogin(ctrl *gomock.Controller) *MockLogin {
+	mock := &MockLogin{ctrl: ctrl}
+	mock.recorder = &MockLoginMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockLogin) EXPECT() *MockLoginMockRecorder {
+	return m.recorder
+}
+
+// Do mocks base method
+func (m *MockLogin) Do(arg0 context.Context, arg1 usecases.LoginIn) error {
+	ret := m.ctrl.Call(m, "Do", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Do indicates an expected call of Do
+func (mr *MockLoginMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockLogin)(nil).Do), arg0, arg1)
+}
+
+// MockGetToken is a mock of GetToken interface
+type MockGetToken struct {
+	ctrl     *gomock.Controller
+	recorder *MockGetTokenMockRecorder
+}
+
+// MockGetTokenMockRecorder is the mock recorder for MockGetToken
+type MockGetTokenMockRecorder struct {
+	mock *MockGetToken
+}
+
+// NewMockGetToken creates a new mock instance
+func NewMockGetToken(ctrl *gomock.Controller) *MockGetToken {
+	mock := &MockGetToken{ctrl: ctrl}
+	mock.recorder = &MockGetTokenMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockGetToken) EXPECT() *MockGetTokenMockRecorder {
+	return m.recorder
+}
+
+// Do mocks base method
+func (m *MockGetToken) Do(arg0 context.Context, arg1 usecases.GetTokenIn) error {
+	ret := m.ctrl.Call(m, "Do", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Do indicates an expected call of Do
+func (mr *MockGetTokenMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockGetToken)(nil).Do), arg0, arg1)
+}
+
+// MockAuthentication is a mock of Authentication interface
+type MockAuthentication struct {
+	ctrl     *gomock.Controller
+	recorder *MockAuthenticationMockRecorder
+}
+
+// MockAuthenticationMockRecorder is the mock recorder for MockAuthentication
+type MockAuthenticationMockRecorder struct {
+	mock *MockAuthentication
+}
+
+// NewMockAuthentication creates a new mock instance
+func NewMockAuthentication(ctrl *gomock.Controller) *MockAuthentication {
+	mock := &MockAuthentication{ctrl: ctrl}
+	mock.recorder = &MockAuthenticationMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockAuthentication) EXPECT() *MockAuthenticationMockRecorder {
+	return m.recorder
+}
+
+// Do mocks base method
+func (m *MockAuthentication) Do(arg0 context.Context, arg1 usecases.AuthenticationIn) (*usecases.AuthenticationOut, error) {
+	ret := m.ctrl.Call(m, "Do", arg0, arg1)
+	ret0, _ := ret[0].(*usecases.AuthenticationOut)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Do indicates an expected call of Do
+func (mr *MockAuthenticationMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockAuthentication)(nil).Do), arg0, arg1)
+}
Author	SHA1	Message	Date
Hidetake Iwata	c8967faf6b	Fix krew yaml (#134 )	2019-08-18 16:57:47 +09:00
Hidetake Iwata	315d6151d7	Refactor (#133 ) * Refactor: change debug messages to lowercase * Refactor: add debug messages * Refactor Makefile * Refactor: add keys and certificates of e2e tests	2019-08-18 15:14:07 +09:00
Hidetake Iwata	1ff03fdfb3	Skip verification of cached token to reduce time (#132 )	2019-08-17 21:40:14 +09:00
Hidetake Iwata	5e0fc7f399	Save token cache for each issuer and client ID (#131 )	2019-08-14 14:52:58 +09:00
Hidetake Iwata	9423a65f46	Add dex documentation (#130 )	2019-08-11 16:09:53 +09:00
Hidetake Iwata	45417a18fd	Refactor docs	2019-08-10 15:25:06 +09:00
Hidetake Iwata	760416fd04	Update README.md	2019-08-09 17:01:36 +09:00
Hidetake Iwata	0a4ebb26c2	Refactor packages structure (#129 )	2019-08-09 10:15:17 +09:00
Hidetake Iwata	de9f7a2a01	Fix typo (#128 ) * Fix typo * Update google.md * Update keycloak.md	2019-08-03 20:05:13 +09:00
Hidetake Iwata	0006cdda2d	Update README.md	2019-08-02 14:10:20 +09:00
Hidetake Iwata	c89a8a1823	Update README.md	2019-08-01 11:00:55 +09:00
Hidetake Iwata	4f566a7b32	Refactor: use RunE and root error handler (#127 )	2019-08-01 10:54:03 +09:00
Hidetake Iwata	5158159bdd	Fix stdout of browser launcher breaks credential json (#126 )	2019-08-01 10:50:36 +09:00
Hidetake Iwata	3a2aa0c6c0	Fix TLS certificate on refreshing token (#125 ) * Add test of refreshing token with TLS cert * Fix TLS certificate on refreshing token (#123)	2019-08-01 10:19:58 +09:00
Hidetake Iwata	56b17efae1	Remove LoginAndExec use-case (#120 )	2019-07-30 09:57:22 +09:00
Hidetake Iwata	3e5be43d8a	Change description in krew yaml	2019-07-28 16:52:26 +09:00
Hidetake Iwata	1ffa927432	Update README.md	2019-07-27 13:42:40 +09:00
Hidetake Iwata	5c6b461f37	Update README.md	2019-07-27 13:10:21 +09:00
Hidetake Iwata	6f96ccae62	Make commit for PR for krew-index on release	2019-07-26 19:35:45 +09:00
Hidetake Iwata	dc88948d88	Run as a client-go credential plugin (#118 )	2019-07-25 17:01:34 +09:00
Hidetake Iwata	31609a3ed3	Move to k8s.io/client-go@v12.0.0 (#119 ) See https://github.com/kubernetes/client-go/blob/master/INSTALL.md	2019-07-25 16:43:48 +09:00
Hidetake Iwata	9685507d7d	Refactor: use OIDCConfig in input of authentication use-case (#117 )	2019-07-25 13:49:09 +09:00
dependabot-preview[bot]	1c66099496	Bump github.com/go-test/deep from 1.0.1 to 1.0.2 (#113 ) Bumps [github.com/go-test/deep](https://github.com/go-test/deep) from 1.0.1 to 1.0.2. - [Release notes](https://github.com/go-test/deep/releases) - [Changelog](https://github.com/go-test/deep/blob/master/CHANGES.md) - [Commits](https://github.com/go-test/deep/compare/v1.0.1...v1.0.2) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-07-16 13:20:42 +09:00
Hidetake Iwata	681faa07ca	Update README.md	2019-07-11 11:06:58 +09:00
Hidetake Iwata	79d8056c35	Check nonce of ID token on authentication (#112 )	2019-07-10 09:59:03 +09:00
Hidetake Iwata	4138991339	Refactor: split fat handler to handler/service (#111 )	2019-07-09 19:06:03 +09:00
Hidetake Iwata	f650827a5f	Show caller filename and line on debug log (#110 )	2019-07-05 10:31:27 +09:00
Hidetake Iwata	56904e15b1	Refactor (#109 ) * Refactor: rename to kubeconfig.AuthProvider * Refactor: add comments	2019-07-05 10:22:28 +09:00
Hidetake Iwata	dd05c11359	Create DESIGN.md	2019-07-04 20:45:27 +09:00
Hidetake Iwata	ce61e09acf	Refresh the ID token if it has expired (#108 )	2019-07-04 20:15:51 +09:00
Hidetake Iwata	e4057db5b5	Add authentication sequence diagram	2019-06-28 10:09:08 +09:00
Hidetake Iwata	bb288b69d3	Update README.md	2019-06-26 17:39:04 +09:00
Hidetake Iwata	e220267de5	Update README.md	2019-06-26 13:57:20 +09:00
Hidetake Iwata	391754e1ce	Cache oidc.Provider to reduce discovery requests (#107 )	2019-06-26 10:16:10 +09:00
Hidetake Iwata	10c7b6a84f	Refactor: extract tls package and add tests (#106 )	2019-06-24 22:50:26 +09:00
dependabot-preview[bot]	2176105a91	Bump github.com/google/wire from 0.2.2 to 0.3.0 (#101 ) * Bump github.com/google/wire from 0.2.2 to 0.3.0 Bumps [github.com/google/wire](https://github.com/google/wire) from 0.2.2 to 0.3.0. - [Release notes](https://github.com/google/wire/releases) - [Commits](https://github.com/google/wire/compare/v0.2.2...v0.3.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * go mod tidy * Move to google/wire@v0.3.0	2019-06-21 15:40:49 +09:00
Hidetake Iwata	3c79a614ff	Refactor: move to xerrors (#103 )	2019-06-21 14:22:21 +09:00
Hidetake Iwata	f6dec8e3db	Add note of password grant (refs #102 )	2019-06-21 10:19:31 +09:00
dependabot-preview[bot]	1ea9027677	Bump github.com/int128/oauth2cli from 1.4.0 to 1.4.1 (#100 ) Bumps [github.com/int128/oauth2cli](https://github.com/int128/oauth2cli) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/int128/oauth2cli/releases) - [Commits](https://github.com/int128/oauth2cli/compare/v1.4.0...v1.4.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-06-18 09:11:02 +09:00
Hidetake Iwata	cfa38455ab	Refactor (#99 ) * Refactor: rename files * Refactor: rename to e2e_test * Refactor: export wire.Set in each components	2019-06-17 09:29:55 +09:00
dependabot-preview[bot]	0412f6a1b0	Bump github.com/spf13/cobra from 0.0.4 to 0.0.5 (#98 ) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 0.0.4 to 0.0.5. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v0.0.4...0.0.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-06-12 16:04:13 +09:00
Hidetake Iwata	afc7974b79	Update README.md	2019-06-06 09:36:16 +09:00
Hidetake Iwata	97b0bdd53c	Fix build error of windows_amd64 binary (#97 )	2019-06-06 09:30:41 +09:00
Hidetake Iwata	ebe5feaed2	Transparently login feature (#95 ) * Introduce spf13/cobra * Add login transparently feature	2019-06-05 22:01:53 +09:00
flarno11	4427bc7985	fixed typo in kubectl plugin call (#94 )	2019-06-04 08:15:00 +09:00
Hidetake Iwata	8643d695fe	Refactor (#92 ) * Refactor test * Refactor: rename and add comments for ShowLocalServerURL	2019-06-03 20:01:51 +09:00
Hidetake Iwata	f0cff5a54b	Add password prompt (#91 )	2019-06-01 19:57:11 +09:00
Hidetake Iwata	8237928af3	Refactor (#90 ) * Refactor: move HTTP adaptor to internal * Refactor: extract models/kubeconfig package * Refactor: rename to Kubeconfig from KubeConfig * Refactor: simplify use-case	2019-05-29 15:31:52 +09:00
Hidetake Iwata	01b270755b	Refactor: use a dynamic port in the integration tests (#89 ) * Refactor: use dynamic port for auth server in integration tests * Refactor: use dynamic port for local server in integration tests	2019-05-28 09:05:15 +09:00
Hidetake Iwata	e97b4de40b	Refactor packages structure (#88 ) * Refactor: move usecases implementation to dedicated packages * Refactor: move adaptors implementation to dedicated packages * Refactor: rename and move packages * Refactor: split to OIDC and OIDCClient	2019-05-24 11:41:09 +09:00
Hidetake Iwata	5063550468	Add resource owner password credentials grant support (#87 )	2019-05-23 09:37:47 +09:00
Hidetake Iwata	d5989ca256	Move to google/wire (#86 )	2019-05-20 10:55:02 +09:00
Hidetake Iwata	c508a1b717	Refactor docs (#84 )	2019-05-19 16:07:57 +09:00
Hidetake Iwata	e133ea8541	Add codecov (#83 )	2019-05-18 09:45:37 +09:00
Hidetake Iwata	3f2e84a1ea	Update README.md	2019-05-17 09:24:08 +09:00
Hidetake Iwata	7011f03094	Release v1.11.0	2019-05-16 21:59:50 +09:00
Hidetake Iwata	6aef98cef7	Bump to int128/oauth2cli:v1.4.0 (#82 )	2019-05-16 21:55:56 +09:00
Hidetake Iwata	93bb1d39b9	Add fallback ports for local server (#79 )	2019-05-16 20:38:45 +09:00
Hidetake Iwata	c8116e2eae	Update keycloak.md	2019-05-14 15:42:05 +09:00
Hidetake Iwata	f2de8dd987	Refactor log messages and etc. (#77 ) * Refactor log messages * Refactor token verification	2019-05-14 13:49:43 +09:00
Hidetake Iwata	915fb35bc8	Raise error on invalid certificate (as kubectl) (#73 )	2019-05-14 11:32:11 +09:00
Hidetake Iwata	51ccd70af3	go mod tidy	2019-05-14 11:26:06 +09:00
dependabot[bot]	c6df597fb0	Bump github.com/golang/mock from 1.3.0 to 1.3.1 (#76 ) Bumps [github.com/golang/mock](https://github.com/golang/mock) from 1.3.0 to 1.3.1. - [Release notes](https://github.com/golang/mock/releases) - [Commits](https://github.com/golang/mock/compare/v1.3.0...1.3.1) Signed-off-by: dependabot[bot] <support@dependabot.com>	2019-05-14 11:24:03 +09:00
Hidetake Iwata	ee78f6f735	Make integration tests in parallel (#75 )	2019-05-13 21:25:20 +09:00
Hidetake Iwata	6e484a2b89	Add golangci-lint (#74 ) * Add golangci-lint * Fix lint errors	2019-05-13 10:19:25 +09:00
Hidetake Iwata	8050db7e05	go mod tidy	2019-05-13 09:26:28 +09:00
dependabot[bot]	cd54ca0df0	Bump github.com/golang/mock from 1.2.0 to 1.3.0 (#71 ) Bumps [github.com/golang/mock](https://github.com/golang/mock) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/golang/mock/releases) - [Commits](https://github.com/golang/mock/compare/v1.2.0...v1.3.0) Signed-off-by: dependabot[bot] <support@dependabot.com>	2019-05-04 17:58:42 +09:00
Hidetake Iwata	45f83b0b0e	Add multiple kubeconfig support (#70 )	2019-04-29 14:34:56 +09:00
Hidetake Iwata	51b7ca1600	Fix templates for the latest goxzst	2019-04-22 09:42:01 +09:00
Hidetake Iwata	83f85a9b53	Dump all claims of ID token to debug log (#68 ) * Dump all claims of ID token to debug log * Add dump when a user already has a token	2019-04-19 10:29:56 +09:00
Hidetake Iwata	d82c8a2dd1	Fix error of go get and remove golint (#69 ) * Remove golint * Fix error of go get github.com/int128/ghcp	2019-04-19 10:26:03 +09:00
Hidetake Iwata	072bee6992	Add --certificate-authority option (#67 )	2019-04-18 10:50:38 +09:00
Hidetake Iwata	5c07850a68	Add --user option (#66 )	2019-04-18 10:38:23 +09:00
Hidetake Iwata	5c8c80f055	Add --context option (#65 )	2019-04-18 10:12:48 +09:00
Hidetake Iwata	bc7bfabfb2	Move to pflags (#62 )	2019-04-17 16:58:17 +09:00
Hidetake Iwata	73112546de	Update README.md	2019-04-17 16:56:44 +09:00
Hidetake Iwata	356f0d519d	Add debug log feature (#58 )	2019-04-16 09:27:38 +09:00
Hidetake Iwata	e84d29bc6b	Fix flaky test (#61 )	2019-04-16 09:13:39 +09:00
Hidetake Iwata	ae80ebf148	Refactor: use dedicated Logger on authentication callback (#59 )	2019-04-14 14:49:12 +09:00
Nathaniel Irons	5942c82b5f	Change expected binary name to kubelogin (#57 )	2019-04-12 10:16:18 +09:00
Hidetake Iwata	a5f9c698ea	Bump Go to 1.12.3 (#56 )	2019-04-11 12:52:41 +09:00
Hidetake Iwata	40ef2c25b8	Update README.md	2019-04-11 10:48:19 +09:00
Hidetake Iwata	2422c46271	Refactor integration tests (#54 ) * Refactor integration tests * Refactor: move keys * Refactor authserver * Refactor: do not generate key on test runtime * Refactor: package keys in integration tests * Refactor: use context on sending browser request * Refactor: use testing.T logger on integration tests	2019-04-11 10:43:05 +09:00
Hidetake Iwata	6ca0ee8013	Skip login if kubeconfig has valid ID token (#52 ) * Skip login if kubeconfig has valid ID token * Add integration test for skip login feature	2019-04-10 10:20:13 +09:00
Hidetake Iwata	9ac252667a	Update README.md	2019-04-09 13:34:47 +09:00
Hidetake Iwata	000711f52e	Add support of HTTP_PROXY, HTTPS_PROXY and NO_PROXY (#51 )	2019-04-09 13:17:12 +09:00
Hidetake Iwata	e465c4852b	Introduce dig container (#50 )	2019-04-09 12:37:44 +09:00
Hidetake Iwata	003badb0bc	Fix nil pointer error (#49 )	2019-04-09 10:19:25 +09:00
Hidetake Iwata	0873a193a5	Refactor: extract adaptors.Logger	2019-04-08 16:07:26 +09:00
Hidetake Iwata	5e80b1858e	Refactor: logs	2019-04-08 16:07:26 +09:00
Hidetake Iwata	c816281657	Refactor: add test of usecases.Login	2019-04-08 13:35:01 +09:00
Hidetake Iwata	0db49860f9	Refactor: extract adaptors.HTTPClientConfig	2019-04-08 13:35:01 +09:00
Hidetake Iwata	d70c9db036	Refactor: extract adaptors.HTTP	2019-04-08 13:35:01 +09:00
Hidetake Iwata	675b5e5fff	Refactor: extract adaptors.OIDC	2019-04-08 13:35:01 +09:00
Hidetake Iwata	e3bfc321a2	Refactor: extract adaptors.KubeConfig	2019-04-08 13:35:01 +09:00
Hidetake Iwata	b34d0fb32f	Refactor: add di package	2019-04-08 13:35:01 +09:00
Hidetake Iwata	4c61a71ed4	Add test of adaptors.Cmd (#45 )	2019-04-07 19:33:53 +09:00
Hidetake Iwata	8a02ed0fb0	Split cli package into adaptors and use-cases (#44 )	2019-04-05 14:52:15 +09:00
Hidetake Iwata	3485c5408e	Replace with errors.Errorf() and errors.Wrapf() (#43 )	2019-04-05 12:12:00 +09:00
Hidetake Iwata	fb99977e98	Update README.md	2019-04-05 10:53:32 +09:00
Hidetake Iwata	39b441a7c2	Run go get at once	2019-04-05 10:40:23 +09:00
Hidetake Iwata	cde5becf67	Fix release in Makefile	2019-04-05 10:37:02 +09:00
Hidetake Iwata	460b14a159	Use CI context	2019-04-05 10:36:12 +09:00
Hidetake Iwata	8436fe3494	Merge pull request #42 from int128/krew Add yaml for Krew installation	2019-04-05 10:28:23 +09:00
Hidetake Iwata	9d2319ee2f	Do not set change log on release	2019-04-05 10:17:42 +09:00
Hidetake Iwata	75277378fc	Add yaml for krew installation	2019-04-05 10:17:42 +09:00
Hidetake Iwata	89a1046ce3	Use goxzst for release	2019-04-05 09:58:34 +09:00
Baykonur	15d40413e4	HTTPS_PROXY support for kubelogin (#41 ) adding HTTPS_PROXY support to kubelogin	2019-04-04 15:45:47 +09:00
Hidetake Iwata	8525ba5142	Merge pull request #40 from int128/refactor Rename plugin to kubectl oidc-login	2019-03-29 16:59:55 +09:00
Hidetake Iwata	dbddd6a07f	Rename plugin to kubectl oidc-login See the naming guide: https://github.com/GoogleContainerTools/krew/blob/master/docs/NAMING_GUIDE.md	2019-03-29 16:43:53 +09:00
Hidetake Iwata	839877b45e	Merge pull request #39 from int128/refactor Move to gox/ghr/ghcp to fix version of k8s modules	2019-03-29 16:29:48 +09:00
Hidetake Iwata	99ed86e22e	Move to gox/ghr/ghcp to fix version of k8s modules	2019-03-29 16:27:26 +09:00
Hidetake Iwata	a78b746c29	Exclude /.idea	2019-02-27 10:54:07 +09:00
Hidetake Iwata	187bbc203c	Merge pull request #32 from int128/dependabot/go_modules/github.com/mitchellh/go-homedir-1.1.0 Bump github.com/mitchellh/go-homedir from 1.0.0 to 1.1.0	2019-02-27 10:46:11 +09:00
dependabot[bot]	d4b5e511bb	Bump github.com/mitchellh/go-homedir from 1.0.0 to 1.1.0 Bumps [github.com/mitchellh/go-homedir](https://github.com/mitchellh/go-homedir) from 1.0.0 to 1.1.0. - [Release notes](https://github.com/mitchellh/go-homedir/releases) - [Commits](https://github.com/mitchellh/go-homedir/compare/v1.0.0...v1.1.0) Signed-off-by: dependabot[bot] <support@dependabot.com>	2019-01-28 20:20:06 +00:00
Hidetake Iwata	33241b8721	Update README.md	2018-11-20 16:46:02 +09:00
Hidetake Iwata	b72cb63826	Fix up #25	2018-11-09 13:26:35 +09:00
Hidetake Iwata	63fda1db0f	Merge pull request #25 from int128/kubectl-plugin Add kubectl plugin support	2018-11-09 11:39:52 +09:00
Hidetake Iwata	da95fe470f	Add kubectl plugin support	2018-11-09 11:37:38 +09:00
Hidetake Iwata	4b08a49a51	Add workaround for Go Modules issue	2018-10-31 14:21:33 +09:00
Hidetake Iwata	9c74f3748b	Merge pull request #23 from int128/oauth2cli Import github.com/int128/oauth2cli	2018-10-31 14:16:25 +09:00
Hidetake Iwata	17e03f2abc	Import github.com/int128/oauth2cli	2018-10-31 14:13:09 +09:00
Hidetake Iwata	ebef81f9d7	Merge pull request #22 from int128/ignore-cert-errors Skip invalid CA certs instead of raising error	2018-10-30 09:56:22 +09:00
Hidetake Iwata	8d0d82fb71	Skip invalid CA certs instead of raising error	2018-10-30 09:55:12 +09:00
Hidetake Iwata	b600e54a12	Refactor e2e test	2018-10-29 14:04:10 +09:00
Hidetake Iwata	75317f88a1	Merge pull request #21 from int128/go111 Move to Go Modules	2018-10-29 13:50:01 +09:00
Hidetake Iwata	5a794e8ceb	Move to Go Modules	2018-10-29 13:45:32 +09:00
Hidetake Iwata	1fe1ec4c20	Update README.md	2018-10-16 09:47:50 +09:00
Hidetake Iwata	7676ffbfab	Fix golint	2018-10-16 09:25:38 +09:00
Hidetake Iwata	7e1e6a096b	Refactor docs	2018-10-15 15:52:52 +09:00
Hidetake Iwata	4d3d1c3b78	Add explanation about extra scopes	2018-10-04 16:05:36 +09:00
Hidetake Iwata	1ebdfc0e4f	Use "Application Type: Other" on Google IdP	2018-10-03 15:33:56 +09:00
Hidetake Iwata	9c67c52b34	Fix test for #17	2018-09-14 15:06:05 +09:00
Hidetake Iwata	550396e1dd	Merge pull request #17 from stang/allow-to-change-listening-port Allow to change listening port	2018-09-14 11:20:08 +09:00
Stephane Tang	34f0578b59	Allow to change listening port It's using port 8000 by default, which is identical as the original behavior. Signed-off-by: Stephane Tang <hi@stang.sh>	2018-09-14 00:03:18 +01:00
Hidetake Iwata	604d118b68	Update README.md	2018-09-07 10:56:26 +09:00
Hidetake Iwata	91959e8a56	Update README.md	2018-09-07 10:56:21 +09:00
Hidetake Iwata	9b325a66a9	Show version on help	2018-09-05 12:54:00 +09:00
Hidetake Iwata	8b6257d60b	Introduce goreleaser	2018-09-05 12:54:00 +09:00
Hidetake Iwata	d469df4978	Fix cli.Parse does not respect argument	2018-09-05 11:34:40 +09:00
Hidetake Iwata	3ae68df848	Merge pull request #14 from int128/ux Improve error messages	2018-09-04 06:52:24 +09:00
Hidetake Iwata	e8805f7a94	Improve error messages	2018-09-04 06:49:49 +09:00
Hidetake Iwata	717da9d442	Merge pull request #15 from int128/refresh-token Fix refresh token is not set with Google IdP	2018-09-04 06:41:58 +09:00
Hidetake Iwata	de176cfbaa	Fix refresh token is not set with Google IdP	2018-09-03 14:42:00 +09:00
Hidetake Iwata	9bf8a89577	Merge pull request #13 from int128/extra-scopes Add extra-scopes support	2018-09-02 14:20:35 +09:00
Hidetake Iwata	a91c020f46	Update README.md	2018-09-02 14:19:23 +09:00
Hidetake Iwata	d4fb49613d	Add extra-scopes support	2018-08-31 21:02:34 +09:00
Hidetake Iwata	64b1d52208	Fix test says message if CLI returns error	2018-08-31 15:19:58 +09:00
Hidetake Iwata	a298058e3f	Refactor test	2018-08-31 14:59:50 +09:00
Hidetake Iwata	309e73d8c0	Merge pull request #12 from int128/browser-delay Add delay before opening browser	2018-08-31 09:30:05 +09:00
Hidetake Iwata	857d5dad88	Add delay before opening browser	2018-08-30 21:28:17 +09:00
Hidetake Iwata	455c920b65	Refactor e2e test	2018-08-30 14:47:03 +09:00
Hidetake Iwata	afad46817a	Update README.md	2018-08-28 12:28:59 +09:00
Hidetake Iwata	4f506b9f62	Update README.md	2018-08-28 09:53:16 +09:00
Hidetake Iwata	72bc19bc10	Rename	2018-08-28 09:30:11 +09:00
Hidetake Iwata	69bcb16e26	Update README.md	2018-08-27 22:27:11 +09:00
Hidetake Iwata	978a45bcf1	Refactor	2018-08-27 14:49:25 +09:00
Hidetake Iwata	62b9a2158d	Refactor	2018-08-26 12:33:35 +09:00
Hidetake Iwata	974fc5c526	Merge pull request #10 from int128/oidc-browser Open browser automatically on authentication	2018-08-26 11:07:07 +09:00
Hidetake Iwata	2c7d958efd	Close browser automatically	2018-08-25 21:53:41 +09:00
Hidetake Iwata	16b15cd21b	Open browser automatically on authentication	2018-08-25 21:53:41 +09:00
Hidetake Iwata	3213572180	Polish	2018-08-24 15:22:09 +09:00
Hidetake Iwata	b7bbcd44e1	Merge pull request #9 from int128/oidc-ca Add support of OIDC CA certificate	2018-08-24 14:05:21 +09:00
Hidetake Iwata	7726ac6c51	Add support of OIDC CA certificate	2018-08-24 14:02:42 +09:00
Hidetake Iwata	adaeba4c24	Refactor	2018-08-22 13:37:12 +09:00
Hidetake Iwata	e8acaa28b3	Refactor	2018-08-22 13:28:51 +09:00
Hidetake Iwata	031f9fb81a	Merge pull request #6 from int128/integration-test Add integration test	2018-08-22 12:52:09 +09:00
Hidetake Iwata	8a7da83338	Add integration test	2018-08-22 12:48:48 +09:00
Hidetake Iwata	b776bac764	Add insecure-skip-tls-verify option	2018-08-16 09:34:12 +09:00
Hidetake Iwata	4bf77886a8	Introduce flags	2018-08-15 19:12:59 +09:00
Hidetake Iwata	ea711f91b4	Update README.md	2018-08-14 16:33:00 +09:00
Hidetake Iwata	cfc6376f69	Refactor README.md	2018-08-14 10:56:30 +09:00
				`@@ -0,0 +1 @@`
				LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJsekNDQVFBQ0NRQ0RmN0lud3Uzdmt6QU5CZ2txaGtpRzl3MEJBUVVGQURBUU1RNHdEQVlEVlFRRERBVkkKWld4c2J6QWVGdzB4T1RBMk1qUXhNRFEwTkRoYUZ3MHlPVEEyTWpFeE1EUTBORGhhTUJBeERqQU1CZ05WQkFNTQpCVWhsYkd4dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ2l0WnY1R28xNm51SERSYTJ1Cm5UNW0xUTl0a3I2NjhwbmhjUDBUa3lqRCtvRUIwbFV6MlNKRVpFdk9kMVhWUlJyUE1TWHJ0eWJvOXAwVHFTR3AKSWcxZ09SV2lzL2ovSVIxc1lkRnV0TEtodHA2azFIdlVpTm9zZE8vSzhLL0FiTzRRUFdUR0JBY3FnLy9Ra01LZApjY2dMWTJQWWN6Sy90OCs2QzdKWUVIZTVBd0lEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDa1BzeW1lCkpGbGo3NWZPNTROSDVXWFp4QnRvWTdrVjN5ZDVvTzg4Qm5nRThpdHRhSHVhdVFra3cvc0M1eDczM1NzSmxQbEYKdHJhaDRDRE1qcTVkL29rSWJJSkZLZTdOR0xpODJmOXpKK28xZmpEcDk3VXZaSEMwemhVeCtSaUV1M2laUmZZTQozMUh0N1FHNjNWNVNjVjNabWkxbnpmUWM0am44ZDQwa1hYY24KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=