Update help message and doc (#1374 )

Use Endpoint.DeviceAuthURL of oauth2 package (#1372 )
Split oidc/client.go (#1371 )
2026-02-27 23:43:49 +00:00 · 2025-07-13 15:24:33 +09:00 · 2025-07-13 13:54:55 +09:00 · 2025-07-13 13:23:33 +09:00 · 2025-07-13 11:04:40 +09:00 · 2025-07-11 17:10:18 +00:00
222 changed files with 14924 additions and 6200 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,37 +0,0 @@
-version: 2
-jobs:
-  build:
-    docker:
-      - image: circleci/golang:1.12.3
-    steps:
-      - run: |
-          mkdir -p ~/bin
-          echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
-      - run: |
-          curl -L -o ~/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.14.0/bin/linux/amd64/kubectl
-          chmod +x ~/bin/kubectl
-      - run: |
-          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
-          chmod +x ~/bin/ghcp
-      - run: |
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.16.0
-      - run: go get github.com/int128/goxzst
-      - run: go get github.com/tcnksm/ghr
-      - checkout
-      - run: make check
-      - run: bash <(curl -s https://codecov.io/bash)
-      - run: make run
-      - run: |
-          if [ "$CIRCLE_TAG" ]; then
-            make release
-          fi
-
-workflows:
-  version: 2
-  all:
-    jobs:
-      - build:
-          context: open-source
-          filters:
-            tags:
-              only: /.*/
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [int128] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,20 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+## Describe the issue
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,15 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Purpose of the feature (why)
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+A clear and concise description of what you want to happen.
+
+## Your idea (how)
+A clear and concise description of any alternative solutions or features you've considered.
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,20 @@
+---
+name: Question
+about: Feel free to ask a question
+title: ''
+labels: question
+assignees: ''
+
+---
+
+## Describe the question
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -0,0 +1,16 @@
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+changelog:
+  categories:
+    - title: Features
+      labels:
+        - '*'
+      exclude:
+        labels:
+          - renovate
+          - refactoring
+    - title: Refactoring
+      labels:
+        - refactoring
+    - title: Dependencies
+      labels:
+        - renovate
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "github>int128/renovate-base",
+    "github>int128/go-renovate-config#v1.7.2",
+    "github>int128/go-renovate-config:go-directive#v1.7.2",
+    "github>int128/go-renovate-config:github-actions#v1.7.2",
+    "github>int128/go-renovate-config:kubernetes#v1.7.2",
+    "github>int128/go-renovate-config:kustomization-github-releases#v1.7.2",
+    "helpers:pinGitHubActionDigests",
+  ],
+}
--- a/.github/workflows/acceptance-test.yaml
+++ b/.github/workflows/acceptance-test.yaml
@@ -0,0 +1,34 @@
+name: acceptance-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/acceptance-test.yaml
+      - acceptance_test/**
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/acceptance-test.yaml
+      - acceptance_test/**
+
+jobs:
+  test-makefile:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make -C acceptance_test check
+      - run: make -C acceptance_test
+        env:
+          OIDC_ISSUER_URL: https://accounts.google.com
+          OIDC_CLIENT_ID: REDACTED.apps.googleusercontent.com
+          YOUR_EMAIL: REDACTED@gmail.com
+      - run: make -C acceptance_test delete-cluster
+      - run: make -C acceptance_test clean
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,74 @@
+name: docker
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+    tags:
+      - v*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-uri: ${{ steps.build-metadata.outputs.image-uri }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        id: metadata
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@338206c80bf9eeb2b9694b7b4fc8c247c317e2a8 # v1.38.0
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        id: build
+        with:
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.cache-from }}
+          cache-to: ${{ steps.cache.outputs.cache-to }}
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/ppc64le
+      - uses: int128/docker-build-metadata-action@fac3c879c58b212e339c5e959cabb865cbee0c6e # v1.0.0
+        id: build-metadata
+        with:
+          metadata: ${{ steps.build.outputs.metadata }}
+
+  test:
+    if: needs.build.outputs.image-uri != ''
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - run: docker run --rm "$IMAGE_URI" --help
+        env:
+          IMAGE_URI: ${{ needs.build.outputs.image-uri }}
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -0,0 +1,79 @@
+name: go
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make test
+
+  integration-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make integration-test
+
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make lint
+
+  generate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: go mod tidy
+      - run: make generate
+      - uses: int128/update-generated-files-action@f6dc44e35ce252932e9018f1c38d1e2a4ff80e14 # v2.60.0
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,78 @@
+name: release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        platform:
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: amd64
+            CGO_ENABLED: 0 # https://github.com/int128/kubelogin/issues/567
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm64
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: ppc64le
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: amd64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/249
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: arm64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/762
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: amd64
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: arm64
+    runs-on: ${{ matrix.platform.runs-on }}
+    env:
+      GOOS: ${{ matrix.platform.GOOS }}
+      GOARCH: ${{ matrix.platform.GOARCH }}
+      CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: go build -ldflags '-X main.version=${{ github.ref_name }}'
+      - uses: int128/go-release-action@2979cc5b15ceb7ae458e95b0a9467afc7ae25259 # v2.0.0
+        with:
+          binary: kubelogin
+
+  publish:
+    if: github.ref_type == 'tag'
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
--- a/.github/workflows/system-test.yaml
+++ b/.github/workflows/system-test.yaml
@@ -0,0 +1,43 @@
+name: system-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+
+jobs:
+  system-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+
+      - run: sudo apt-get update
+      # Install certutil.
+      # https://packages.ubuntu.com/xenial/libnss3-tools
+      # Install keyring related packages.
+      # https://github.com/zalando/go-keyring/issues/45
+      - run: sudo apt-get install --no-install-recommends -y libnss3-tools dbus-x11 gnome-keyring
+
+      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
+
+      - run: make -C system_test -j3
+
+      - run: make -C system_test logs
+        if: always()
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,12 @@
 /.idea

-/.kubeconfig*
+/tools/bin
+
+/acceptance_test/output/

-/dist
 /coverage.out

 /kubelogin
 /kubectl-oidc_login
+/kubelogin_*.zip
+/kubelogin_*.zip.sha256
--- a/.krew.yaml
+++ b/.krew.yaml
@@ -0,0 +1,68 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: oidc-login
+spec:
+  homepage: https://github.com/int128/kubelogin
+  shortDescription: Log in to the OpenID Connect provider
+  description: |
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.
+
+  caveats: |
+    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+  version: {{ .TagName }}
+  platforms:
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: arm64
--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -0,0 +1,12 @@
+dir: mocks/{{.SrcPackagePath}}_mock
+pkgname: '{{.SrcPackageName}}_mock'
+filename: mocks.go
+template: testify
+packages:
+  github.com/int128/kubelogin:
+    config:
+      all: true
+      recursive: true
+  io:
+    interfaces:
+      Closer: {}
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -1,51 +0,0 @@
-# Design of kubelogin
-
-This explains design of kubelogin.
-
-## Use cases
-
-Kubelogin is a command line tool and designed to run as both a standalone command and a kubectl plugin.
-
-It respects the following flags, commonly used in kubectl:
-
-```
-      --kubeconfig string              Path to the kubeconfig file
-      --context string                 The name of the kubeconfig context to use
-      --user string                    The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-  -v, --v int                          If set to 1 or greater, it shows debug log
-```
-
-As well as it respects the environment variable `KUBECONFIG`.
-
-
-### Login by the command
-
-TODO
-
-### Wrap kubectl and login transparently
-
-TODO
-
-
-## Architecture
-
-Kubelogin consists of the following layers:
-
- `usecases`: This provides the use-cases.
- `adaptor`: This provides external access and converts objects between the use-cases and external system.
-
-
-### Use-cases
-
-This provides the use-cases mentioned in the previous section.
-
-This layer should not contain external access such as HTTP requests and system calls.
-
-
-### Adaptor
-
-This provides external access such as command line interface and HTTP requests.
-
-
--- a/20
+++ b/20
@@ -0,0 +1,20 @@
+FROM --platform=$BUILDPLATFORM golang:1.24 AS builder
+
+WORKDIR /builder
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+RUN go mod download
+
+# Copy the go source
+COPY main.go .
+COPY pkg pkg
+
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build
+
+FROM gcr.io/distroless/base-debian12
+COPY --from=builder /builder/kubelogin /
+ENTRYPOINT ["/kubelogin"]
--- a/55
+++ b/55
@@ -1,43 +1,20 @@
-TARGET := kubelogin
-TARGET_PLUGIN := kubectl-oidc_login
-CIRCLE_TAG ?= HEAD
-LDFLAGS := -X main.version=$(CIRCLE_TAG)
+.PHONY: all
+all:

-.PHONY: check run diagram release clean
+.PHONY: test
+test:
+	go test -v -race ./pkg/...

-all: $(TARGET)
+.PHONY: integration-test
+integration-test:
+	go test -v -race ./integration_test/...

-check:
-	golangci-lint run
-	$(MAKE) -C e2e_test/keys/testdata
-	go test -v -race -cover -coverprofile=coverage.out ./...
+.PHONY: generate
+generate:
+	go tool github.com/google/wire/cmd/wire ./pkg/di
+	rm -fr mocks/
+	go tool mockery

-$(TARGET): $(wildcard *.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
-
-$(TARGET_PLUGIN): $(TARGET)
-	ln -sf $(TARGET) $@
-
-run: $(TARGET_PLUGIN)
-	-PATH=.:$(PATH) kubectl oidc-login --help
-
-diagram: docs/authn.png
-
-%.png: %.seqdiag
-	seqdiag -a -f /Library/Fonts/Verdana.ttf $<
-
-dist:
-	VERSION=$(CIRCLE_TAG) goxzst -d dist/gh/ -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
-	mv dist/gh/kubelogin.rb dist/
-	mkdir -p dist/plugins
-	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml
-
-release: dist
-	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
-	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml
-
-clean:
-	-rm $(TARGET)
-	-rm $(TARGET_PLUGIN)
-	-rm -r dist/
+.PHONY: lint
+lint:
+	go tool golangci-lint run
--- a/README.md
+++ b/README.md
@@ -1,66 +1,60 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![go](https://github.com/int128/kubelogin/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kubelogin/actions/workflows/go.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)

 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.

-In Kubernetes OIDC authentication, kubectl does not provide actual authentication and we need to manually set an ID token and refresh token to the kubeconfig.
-Kubelogin integrates browser based authentication with kubectl.
+Here is an example of Kubernetes authentication with the Google Identity Platform:

+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
+
+Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
+When you run kubectl, kubelogin opens the browser and you can log in to the provider.
+Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token.
+Take a look at the diagram:
+
+![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)

 ## Getting Started

-You can install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases) as follows:
+### Setup
+
+Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew), [Chocolatey](https://chocolatey.org/packages/kubelogin) or [GitHub Releases](https://github.com/int128/kubelogin/releases).

 ```sh
-# Homebrew
-brew tap int128/kubelogin
+# Homebrew (macOS and Linux)
 brew install kubelogin

-# Krew
+# Krew (macOS, Linux, Windows and ARM)
 kubectl krew install oidc-login

-# GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.13.0/kubelogin_linux_amd64.zip
-unzip kubelogin_linux_amd64.zip
-ln -s kubelogin kubectl-oidc_login
+# Chocolatey (Windows)
+choco install kubelogin
 ```

-You need to configure the OIDC provider, Kubernetes API server, kubeconfig and role binding.
-See the following documents for more:
+If you install via GitHub releases, save the binary as the name `kubectl-oidc_login` on your path.
+When you invoke `kubectl oidc-login`, kubectl finds it by the [naming convention of kubectl plugins](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/).
+The other install methods do this for you.

- [Getting Started with Keycloak](docs/keycloak.md)
- [Getting Started with Google Identity Platform](docs/google.md)
- [Team Operation](docs/team_ops.md)
-
-You can run kubelogin as the following methods:
-
- Run as a credential plugin
- Run as a standalone command
- Wrap kubectl (deprecated)
-
-
-### Run as a credential plugin
-
-Status: beta since kubelogin v1.14.0.
-
-You can run kubelogin as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
-This provides transparent login without manually running `kubelogin` command.
-
-Configure the kubeconfig like:
+You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
+Your kubeconfig looks like this:

 ```yaml
 users:
- name: keycloak
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://issuer.example.com
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
 ```

+See the [setup guide](docs/setup.md) for more.
+
+### Run
+
 Run kubectl.

 ```sh
@@ -68,339 +62,85 @@ kubectl get pods
 ```

 Kubectl executes kubelogin before calling the Kubernetes APIs.
-Kubelogin automatically opens the browser and you can log in to the provider.
+Kubelogin automatically opens the browser, and you can log in to the provider.

-<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
+After the authentication, kubelogin returns the credentials to kubectl.
+Kubectl then calls the Kubernetes APIs with the credentials.

-After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
-
-```
+```console
 % kubectl get pods
 Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-18 10:28:51 +0900 JST
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
 ```

-Kubelogin writes the ID token and refresh token to the cache file.
+Kubelogin stores the ID token and refresh token to the cache.
+If the ID token is valid, it just returns it.
+If the ID token has expired, it will refresh the token using the refresh token.
+If the refresh token has expired, it will perform re-authentication.

-If the cached ID token is valid, kubelogin just returns it.
-If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will proceed the authentication.
+## Troubleshooting

+### Token cache

-### Run as a standalone command
+Kubelogin stores the token cache to the file system by default.
+For enhanced security, it is recommended to store it to the keyring.
+See the [token cache](docs/usage.md#token-cache) for details.

-Status: stable.
+You can log out by deleting the token cache.

-You can run kubelogin as a standalone command.
-In this method, you need to manually run the command before running kubectl.
+```console
+% kubectl oidc-login clean
+Deleted the token cache at /home/user/.kube/cache/oidc-login
+Deleted the token cache from the keyring
+```

-Configure the kubeconfig like:
+Kubelogin will ask you to log in via the browser again.
+If the browser has a cookie for the provider, you need to log out from the provider or clear the cookie.
+
+### ID token claims
+
+You can run `setup` command to dump the claims of an ID token from the provider.
+
+```console
+% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
+...
+You got a token with the following claims:
+
+{
+  "sub": "********",
+  "iss": "https://accounts.google.com",
+  "aud": "********",
+  ...
+}
+```
+
+You can set `-v1` option to increase the log level.

 ```yaml
- name: keycloak
-  user:
-    auth-provider:
-      config:
-        client-id: YOUR_CLIENT_ID
-        client-secret: YOUR_CLIENT_SECRET
-        idp-issuer-url: https://issuer.example.com
-      name: oidc
+users:
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - -v1
 ```

-Run kubelogin:
+You can run the [acceptance test](acceptance_test) to verify if kubelogin works with your provider.

-```sh
-kubelogin
-
-# or run as a kubectl plugin
-kubectl oidc-login
-```
-
-It automatically opens the browser and you can log in to the provider.
-
-<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
-
-After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
-
-```
-% kubelogin
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-18 10:28:51 +0900 JST
-Updated ~/.kubeconfig
-```
-
-Now you can access to the cluster.
-
-```
-% kubectl get pods
-NAME                          READY   STATUS    RESTARTS   AGE
-echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
-```
-
-If the ID token is valid, kubelogin does nothing.
-
-```
-% kubelogin
-You already have a valid token until 2019-05-18 10:28:51 +0900 JST
-```
-
-If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
-If the refresh token has expired, kubelogin will proceed the authentication.
-
-
-### Wrap kubectl
-
-Status: DEPRECATED and will be removed in kubelogin v1.15.0.
-
-You can wrap kubectl to transparently login to the provider.
-
-```sh
-alias kubectl='kubelogin exec -- kubectl'
-
-# or run as a kubectl plugin
-alias kubectl='kubectl oidc-login exec -- kubectl'
-```
-
-If the token expired, kubelogin updates the kubeconfig and executes kubectl.
-
-```
-% kubectl get pods
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-06-05 19:05:34 +0900 JST
-NAME                          READY   STATUS    RESTARTS   AGE
-echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
-```
-
-If the ID token is valid, kubelogin just executes kubectl.
-
-```
-% kubectl get pods
-NAME                          READY   STATUS    RESTARTS   AGE
-echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
-```
-
-If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
-If the refresh token has expired, kubelogin will proceed the authentication.
-
-Kubelogin respects kubectl options passed to the extra arguments.
-For example, if you run `kubectl --kubeconfig .kubeconfig`,
-it will update `.kubeconfig` and execute kubectl.
-
-If the current auth provider is not `oidc`, kubelogin just executes kubectl.
-
-
-## Configuration
-
-This document is for the development version.
-If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).
-
-
-### Run as a credential plugin
-
-Kubelogin supports the following options:
-
-```
-% kubelogin get-token -h
-Run as a kubectl credential plugin
-
-Usage:
-  kubelogin get-token [flags]
-
-Flags:
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
-      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
-      --oidc-client-id string          Client ID of the provider (mandatory)
-      --oidc-client-secret string      Client secret of the provider
-      --oidc-extra-scope strings       Scopes to request to the provider
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-  -v, --v int                          If set to 1 or greater, it shows debug log
-      --token-cache string             Path to a file for caching the token (default "~/.kube/oidc-login.token-cache")
-  -h, --help                           help for get-token
-```
-
-#### Extra scopes
-
-You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
-
-```yaml
-      - --oidc-extra-scope=email
-      - --oidc-extra-scope=profile
-```
-
-#### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```yaml
-      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
-```
-
-
-### Run as a standalone command
-
-Kubelogin supports the following options:
-
-```
-% kubelogin -h
-Login to the OpenID Connect provider and update the kubeconfig
-
-Usage:
-  kubelogin [flags]
-  kubelogin [command]
-
-Examples:
-  # Login to the provider using the authorization code flow.
-  kubelogin
-
-  # Login to the provider using the resource owner password credentials flow.
-  kubelogin --username USERNAME --password PASSWORD
-
-  # Run as a credential plugin.
-  kubelogin get-token --oidc-issuer-url=https://issuer.example.com
-
-Available Commands:
-  exec        Login transparently and execute the kubectl command (deprecated)
-  get-token   Run as a kubectl credential plugin
-  help        Help about any command
-  version     Print the version information
-
-Flags:
-      --kubeconfig string              Path to the kubeconfig file
-      --context string                 The name of the kubeconfig context to use
-      --user string                    The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-  -v, --v int                          If set to 1 or greater, it shows debug log
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
-  -h, --help                           help for kubelogin
-```
-
-#### Kubeconfig
-
-You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
-It defaults to `~/.kube/config`.
-
-```sh
-# by the option
-kubelogin --kubeconfig /path/to/kubeconfig
-
-# by the environment variable
-KUBECONFIG="/path/to/kubeconfig1:/path/to/kubeconfig2" kubelogin
-```
-
-If you set multiple files, kubelogin will find the file which has the current authentication (i.e. `user` and `auth-provider`) and write a token to it.
-
-Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
-See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
-
-Key | Direction | Value
----|-----------|------
-`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
-`client-id`                       | Read (Mandatory) | Client ID of the provider.
-`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
-`idp-certificate-authority`       | Read | CA certificate path of the provider.
-`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
-`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
-`id-token`                        | Write | ID token got from the provider.
-`refresh-token`                   | Write | Refresh token got from the provider.
-
-#### Extra scopes
-
-You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
-```
-
-Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
-sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
-```
-
-#### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```sh
-kubectl config set-credentials keycloak \
-  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
-```
-
-
-### HTTP Proxy
-
-You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
-See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
-
-
-### Authentication flows
-
-#### Authorization code flow
-
-Kubelogin performs the authorization code flow by default.
-
-It starts the local server at port 8000 or 18000 by default.
-You need to register the following redirect URIs to the provider:
-
- `http://localhost:8000`
- `http://localhost:18000` (used if port 8000 is already in use)
-
-You can change the ports by the option:
-
-```sh
-# run as a standalone command
-kubelogin --listen-port 12345 --listen-port 23456
-
-# run as a credential plugin
-kubelogin get-token --listen-port 12345 --listen-port 23456
-```
-
-
-#### Resource owner password credentials grant flow
-
-As well as you can use the resource owner password credentials grant flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
-Most OIDC providers do not support this flow.
-
-You can pass the username and password:
-
-```
-% kubelogin --username USER --password PASS
-```
-
-or use the password prompt:
-
-```
-% kubelogin --username USER
-Password:
-```
+## Docs

+- [Setup guide](docs/setup.md)
+- [Usage and options](docs/usage.md)
+- [Standalone mode](docs/standalone-mode.md)
+- [System test](system_test)
+- [Acceptance_test for identity providers](acceptance_test)

 ## Contributions

 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests for improving code and documents.
-
-### Development
-
-Go 1.12 or later is required.
-
-```sh
-# Run lint and tests
-make check
-
-# Compile and run the command
-make
-./kubelogin
-```
--- a/acceptance_test/Makefile
+++ b/acceptance_test/Makefile
@@ -0,0 +1,47 @@
+CLUSTER_NAME := kubelogin-acceptance-test
+OUTPUT_DIR := $(CURDIR)/output
+
+KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
+export KUBECONFIG
+
+.PHONY: cluster
+cluster:
+	# Create a cluster.
+	mkdir -p $(OUTPUT_DIR)
+	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
+	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
+
+	# Set up the access control.
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
+
+	# Set up kubectl.
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1 \
+		--exec-interactive-mode=Never \
+		--exec-command=$(CURDIR)/../kubelogin \
+		--exec-arg=get-token \
+		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
+		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
+		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
+		--exec-arg=--oidc-extra-scope=email
+
+	# Switch the default user.
+	kubectl config set-context --current --user=oidc
+
+	# Show the kubeconfig.
+	kubectl config view
+
+.PHONY: clean
+clean:
+	-rm -r $(OUTPUT_DIR)
+
+.PHONY: delete-cluster
+delete-cluster:
+	kind delete cluster --name $(CLUSTER_NAME)
+
+.PHONY: check
+check:
+	docker version
+	kind version
+	kubectl version --client
--- a/acceptance_test/README.md
+++ b/acceptance_test/README.md
@@ -0,0 +1,72 @@
+# kubelogin/acceptance_test
+
+This is a manual test to verify if the Kubernetes OIDC authentication works with your OIDC provider.
+
+## Purpose
+
+This test checks the following points:
+
+1. You can set up your OIDC provider using the [setup guide](../docs/setup.md).
+1. The plugin works with your OIDC provider.
+
+## Getting Started
+
+### Prerequisite
+
+You need to build the plugin into the parent directory.
+
+```sh
+make -C ..
+```
+
+You need to set up your provider.
+See the [setup guide](../docs/setup.md) for more.
+
+You need to install the following tools:
+
+- Docker
+- Kind
+- kubectl
+
+You can check if the tools are available.
+
+```sh
+make check
+```
+
+### 1. Create a cluster
+
+Create a cluster.
+For example, you can create a cluster with Google account authentication.
+
+```sh
+make OIDC_ISSUER_URL=https://accounts.google.com \
+  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
+  YOUR_EMAIL=REDACTED@gmail.com
+```
+
+It will do the following steps:
+
+1. Create a cluster.
+1. Set up access control. It allows read-only access from your email address.
+1. Set up kubectl to enable the plugin.
+
+You can change kubectl configuration in generated `output/kubeconfig.yaml`.
+
+### 2. Run kubectl
+
+Make sure you can log in to the provider and access the cluster.
+
+```console
+% export KUBECONFIG=$PWD/output/kubeconfig.yaml
+% kubectl get pods -A
+```
+
+### Clean up
+
+To delete the cluster and generated files:
+
+```sh
+make delete-cluster
+make clean
+```
--- a/acceptance_test/cluster.yaml
+++ b/acceptance_test/cluster.yaml
@@ -0,0 +1,13 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        oidc-issuer-url: OIDC_ISSUER_URL
+        oidc-client-id: OIDC_CLIENT_ID
+        oidc-username-claim: email
--- a/adaptors/cmd/cmd.go
+++ b/adaptors/cmd/cmd.go
@@ -1,256 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"path/filepath"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/models/kubeconfig"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
-	"k8s.io/client-go/util/homedir"
-)
-
-// Set provides an implementation and interface for Cmd.
-var Set = wire.NewSet(
-	wire.Struct(new(Cmd), "*"),
-	wire.Bind(new(adaptors.Cmd), new(*Cmd)),
-)
-
-const examples = `  # Login to the provider using the authorization code flow.
-  %[1]s
-
-  # Login to the provider using the resource owner password credentials flow.
-  %[1]s --username USERNAME --password PASSWORD
-
-  # Run as a credential plugin.
-  %[1]s get-token --oidc-issuer-url=https://issuer.example.com`
-
-var defaultListenPort = []int{8000, 18000}
-var defaultTokenCache = homedir.HomeDir() + "/.kube/oidc-login.token-cache"
-
-// Cmd provides interaction with command line interface (CLI).
-type Cmd struct {
-	Login        usecases.Login
-	GetToken     usecases.GetToken
-	LoginAndExec usecases.LoginAndExec
-	Logger       adaptors.Logger
-}
-
-// Run parses the command line arguments and executes the specified use-case.
-// It returns an exit code, that is 0 on success or 1 on error.
-func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
-	var exitCode int
-	executable := filepath.Base(args[0])
-	var o struct {
-		kubectlOptions
-		kubeloginOptions
-	}
-	rootCmd := cobra.Command{
-		Use:     executable,
-		Short:   "Login to the OpenID Connect provider and update the kubeconfig",
-		Example: fmt.Sprintf(examples, executable),
-		Args:    cobra.NoArgs,
-		Run: func(*cobra.Command, []string) {
-			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
-			in := usecases.LoginIn{
-				KubeconfigFilename: o.Kubeconfig,
-				KubeconfigContext:  kubeconfig.ContextName(o.Context),
-				KubeconfigUser:     kubeconfig.UserName(o.User),
-				CACertFilename:     o.CertificateAuthority,
-				SkipTLSVerify:      o.SkipTLSVerify,
-				ListenPort:         o.ListenPort,
-				SkipOpenBrowser:    o.SkipOpenBrowser,
-				Username:           o.Username,
-				Password:           o.Password,
-			}
-			if err := cmd.Login.Do(ctx, in); err != nil {
-				cmd.Logger.Printf("error: %s", err)
-				exitCode = 1
-				return
-			}
-		},
-	}
-	o.kubectlOptions.register(rootCmd.Flags())
-	o.kubeloginOptions.register(rootCmd.Flags())
-
-	//TODO: deprecated
-	execCmd := cobra.Command{
-		Use:   "exec [flags] -- kubectl [args]",
-		Short: "Login transparently and execute the kubectl command (deprecated)",
-		Args: func(execCmd *cobra.Command, args []string) error {
-			if execCmd.ArgsLenAtDash() == -1 {
-				return xerrors.Errorf("double dash is missing, please run as %s exec -- kubectl", executable)
-			}
-			if len(args) < 1 {
-				return xerrors.New("too few arguments")
-			}
-			return nil
-		},
-		Run: func(execCmd *cobra.Command, args []string) {
-			// parse the extra args and override the kubectl options
-			f := pflag.NewFlagSet(execCmd.Name(), pflag.ContinueOnError)
-			o.kubectlOptions.register(f)
-			// ignore unknown flags and help flags (-h/--help)
-			f.ParseErrorsWhitelist.UnknownFlags = true
-			f.BoolP("help", "h", false, "ignore help flags")
-			if err := f.Parse(args); err != nil {
-				cmd.Logger.Debugf(1, "error while parsing the extra arguments: %s", err)
-			}
-			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
-			in := usecases.LoginAndExecIn{
-				LoginIn: usecases.LoginIn{
-					KubeconfigFilename: o.Kubeconfig,
-					KubeconfigContext:  kubeconfig.ContextName(o.Context),
-					KubeconfigUser:     kubeconfig.UserName(o.User),
-					CACertFilename:     o.CertificateAuthority,
-					SkipTLSVerify:      o.SkipTLSVerify,
-					ListenPort:         o.ListenPort,
-					SkipOpenBrowser:    o.SkipOpenBrowser,
-					Username:           o.Username,
-					Password:           o.Password,
-				},
-				Executable: args[0],
-				Args:       args[1:],
-			}
-			out, err := cmd.LoginAndExec.Do(ctx, in)
-			if err != nil {
-				cmd.Logger.Printf("error: %s", err)
-				exitCode = 1
-				return
-			}
-			exitCode = out.ExitCode
-		},
-	}
-	o.kubeloginOptions.register(execCmd.Flags())
-	rootCmd.AddCommand(&execCmd)
-
-	getTokenCmd := newGetTokenCmd(ctx, cmd)
-	rootCmd.AddCommand(getTokenCmd)
-
-	versionCmd := cobra.Command{
-		Use:   "version",
-		Short: "Print the version information",
-		Args:  cobra.NoArgs,
-		Run: func(*cobra.Command, []string) {
-			cmd.Logger.Printf("%s version %s", executable, version)
-		},
-	}
-	rootCmd.AddCommand(&versionCmd)
-
-	rootCmd.SetArgs(args[1:])
-	if err := rootCmd.Execute(); err != nil {
-		cmd.Logger.Debugf(1, "error while parsing the arguments: %s", err)
-		return 1
-	}
-	return exitCode
-}
-
-// kubectlOptions represents kubectl specific options.
-type kubectlOptions struct {
-	Kubeconfig           string
-	Context              string
-	User                 string
-	CertificateAuthority string
-	SkipTLSVerify        bool
-	Verbose              int
-}
-
-func (o *kubectlOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
-	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
-	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	f.IntVarP(&o.Verbose, "v", "v", 0, "If set to 1 or greater, it shows debug log")
-}
-
-// kubeloginOptions represents application specific options.
-type kubeloginOptions struct {
-	ListenPort      []int
-	SkipOpenBrowser bool
-	Username        string
-	Password        string
-}
-
-func (o *kubeloginOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
-	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
-	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
-	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
-}
-
-// getTokenOptions represents the options for get-token command.
-type getTokenOptions struct {
-	kubeloginOptions
-	IssuerURL            string
-	ClientID             string
-	ClientSecret         string
-	ExtraScopes          []string
-	CertificateAuthority string
-	SkipTLSVerify        bool
-	Verbose              int
-	TokenCacheFilename   string
-}
-
-func (o *getTokenOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	o.kubeloginOptions.register(f)
-	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
-	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
-	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
-	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	f.IntVarP(&o.Verbose, "v", "v", 0, "If set to 1 or greater, it shows debug log")
-	f.StringVar(&o.TokenCacheFilename, "token-cache", defaultTokenCache, "Path to a file for caching the token")
-}
-
-func newGetTokenCmd(ctx context.Context, cmd *Cmd) *cobra.Command {
-	var o getTokenOptions
-	c := &cobra.Command{
-		Use:   "get-token [flags]",
-		Short: "Run as a kubectl credential plugin",
-		Args: func(c *cobra.Command, args []string) error {
-			if err := cobra.NoArgs(c, args); err != nil {
-				return err
-			}
-			if o.IssuerURL == "" {
-				return xerrors.New("--oidc-issuer-url is missing")
-			}
-			if o.ClientID == "" {
-				return xerrors.New("--oidc-client-id is missing")
-			}
-			return nil
-		},
-		RunE: func(*cobra.Command, []string) error {
-			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
-			in := usecases.GetTokenIn{
-				IssuerURL:          o.IssuerURL,
-				ClientID:           o.ClientID,
-				ClientSecret:       o.ClientSecret,
-				ExtraScopes:        o.ExtraScopes,
-				CACertFilename:     o.CertificateAuthority,
-				SkipTLSVerify:      o.SkipTLSVerify,
-				ListenPort:         o.ListenPort,
-				SkipOpenBrowser:    o.SkipOpenBrowser,
-				Username:           o.Username,
-				Password:           o.Password,
-				TokenCacheFilename: o.TokenCacheFilename,
-			}
-			if err := cmd.GetToken.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
-			}
-			return nil
-		},
-	}
-	c.SilenceUsage = true
-	o.register(c.Flags())
-	return c
-}
--- a/adaptors/cmd/cmd_test.go
+++ b/adaptors/cmd/cmd_test.go
@@ -1,376 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/mock_usecases"
-)
-
-func TestCmd_Run(t *testing.T) {
-	const executable = "kubelogin"
-	const version = "HEAD"
-
-	t.Run("login/Defaults", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		login := mock_usecases.NewMockLogin(ctrl)
-		login.EXPECT().
-			Do(ctx, usecases.LoginIn{
-				ListenPort: defaultListenPort,
-			})
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
-
-		cmd := Cmd{
-			Login:  login,
-			Logger: logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("login/FullOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		login := mock_usecases.NewMockLogin(ctrl)
-		login.EXPECT().
-			Do(ctx, usecases.LoginIn{
-				KubeconfigFilename: "/path/to/kubeconfig",
-				KubeconfigContext:  "hello.k8s.local",
-				KubeconfigUser:     "google",
-				CACertFilename:     "/path/to/cacert",
-				SkipTLSVerify:      true,
-				ListenPort:         []int{10080, 20080},
-				SkipOpenBrowser:    true,
-				Username:           "USER",
-				Password:           "PASS",
-			})
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(1))
-
-		cmd := Cmd{
-			Login:  login,
-			Logger: logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"--kubeconfig", "/path/to/kubeconfig",
-			"--context", "hello.k8s.local",
-			"--user", "google",
-			"--certificate-authority", "/path/to/cacert",
-			"--insecure-skip-tls-verify",
-			"-v1",
-			"--listen-port", "10080",
-			"--listen-port", "20080",
-			"--skip-open-browser",
-			"--username", "USER",
-			"--password", "PASS",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("login/TooManyArgs", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		cmd := Cmd{
-			Login:  mock_usecases.NewMockLogin(ctrl),
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
-		if exitCode != 1 {
-			t.Errorf("exitCode wants 1 but %d", exitCode)
-		}
-	})
-
-	t.Run("loginAndExec/Defaults", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		loginAndExec := mock_usecases.NewMockLoginAndExec(ctrl)
-		loginAndExec.EXPECT().
-			Do(ctx, usecases.LoginAndExecIn{
-				LoginIn: usecases.LoginIn{
-					ListenPort: defaultListenPort,
-				},
-				Executable: "kubectl",
-				Args:       []string{"dummy"},
-			}).
-			Return(&usecases.LoginAndExecOut{ExitCode: 0}, nil)
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
-
-		cmd := Cmd{
-			LoginAndExec: loginAndExec,
-			Logger:       logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable, "exec", "--", "kubectl", "dummy"}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("loginAndExec/OptionsInExtraArgs", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		loginAndExec := mock_usecases.NewMockLoginAndExec(ctrl)
-		loginAndExec.EXPECT().
-			Do(ctx, usecases.LoginAndExecIn{
-				LoginIn: usecases.LoginIn{
-					KubeconfigFilename: "/path/to/kubeconfig2",
-					KubeconfigContext:  "hello2.k8s.local",
-					KubeconfigUser:     "google2",
-					CACertFilename:     "/path/to/cacert2",
-					SkipTLSVerify:      true,
-					ListenPort:         defaultListenPort,
-				},
-				Executable: "kubectl",
-				Args: []string{
-					"--kubeconfig", "/path/to/kubeconfig2",
-					"--context", "hello2.k8s.local",
-					"--user", "google2",
-					"--certificate-authority", "/path/to/cacert2",
-					"--insecure-skip-tls-verify",
-					"-v2",
-					"--listen-port", "30080",
-					"--skip-open-browser",
-					"--username", "USER2",
-					"--password", "PASS2",
-					"dummy",
-					"--dummy",
-					"--help",
-				},
-			}).
-			Return(&usecases.LoginAndExecOut{ExitCode: 0}, nil)
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(2))
-
-		cmd := Cmd{
-			LoginAndExec: loginAndExec,
-			Logger:       logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"exec",
-			"--",
-			"kubectl",
-			// kubectl options in the extra args should be mapped to the options
-			"--kubeconfig", "/path/to/kubeconfig2",
-			"--context", "hello2.k8s.local",
-			"--user", "google2",
-			"--certificate-authority", "/path/to/cacert2",
-			"--insecure-skip-tls-verify",
-			"-v2",
-			// kubelogin options in the extra args should not affect
-			"--listen-port", "30080",
-			"--skip-open-browser",
-			"--username", "USER2",
-			"--password", "PASS2",
-			"dummy",
-			"--dummy",
-			"--help",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("loginAndExec/OverrideOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		loginAndExec := mock_usecases.NewMockLoginAndExec(ctrl)
-		loginAndExec.EXPECT().
-			Do(ctx, usecases.LoginAndExecIn{
-				LoginIn: usecases.LoginIn{
-					KubeconfigFilename: "/path/to/kubeconfig2",
-					KubeconfigContext:  "hello2.k8s.local",
-					KubeconfigUser:     "google2",
-					CACertFilename:     "/path/to/cacert2",
-					SkipTLSVerify:      true,
-					ListenPort:         []int{10080, 20080},
-					SkipOpenBrowser:    true,
-					Username:           "USER",
-					Password:           "PASS",
-				},
-				Executable: "kubectl",
-				Args: []string{
-					"--kubeconfig", "/path/to/kubeconfig2",
-					"--context", "hello2.k8s.local",
-					"--user", "google2",
-					"--certificate-authority", "/path/to/cacert2",
-					"--insecure-skip-tls-verify",
-					"-v2",
-					"--listen-port", "30080",
-					"--skip-open-browser",
-					"--username", "USER2",
-					"--password", "PASS2",
-					"dummy",
-					"--dummy",
-				},
-			}).
-			Return(&usecases.LoginAndExecOut{ExitCode: 0}, nil)
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(2))
-
-		cmd := Cmd{
-			LoginAndExec: loginAndExec,
-			Logger:       logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			// kubelogin options in the first args should be mapped to the options
-			"--listen-port", "10080",
-			"--listen-port", "20080",
-			"--skip-open-browser",
-			"--username", "USER",
-			"--password", "PASS",
-			"exec",
-			"--",
-			"kubectl",
-			// kubectl options in the extra args should be mapped to the options
-			"--kubeconfig", "/path/to/kubeconfig2",
-			"--context", "hello2.k8s.local",
-			"--user", "google2",
-			"--certificate-authority", "/path/to/cacert2",
-			"--insecure-skip-tls-verify",
-			"-v2",
-			// kubelogin options in the extra args should not affect
-			"--listen-port", "30080",
-			"--skip-open-browser",
-			"--username", "USER2",
-			"--password", "PASS2",
-			"dummy",
-			"--dummy",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/Defaults", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		getToken := mock_usecases.NewMockGetToken(ctrl)
-		getToken.EXPECT().
-			Do(ctx, usecases.GetTokenIn{
-				ListenPort:         defaultListenPort,
-				TokenCacheFilename: defaultTokenCache,
-				IssuerURL:          "https://issuer.example.com",
-				ClientID:           "YOUR_CLIENT_ID",
-			})
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
-
-		cmd := Cmd{
-			GetToken: getToken,
-			Logger:   logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"get-token",
-			"--oidc-issuer-url", "https://issuer.example.com",
-			"--oidc-client-id", "YOUR_CLIENT_ID",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/FullOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		getToken := mock_usecases.NewMockGetToken(ctrl)
-		getToken.EXPECT().
-			Do(ctx, usecases.GetTokenIn{
-				TokenCacheFilename: defaultTokenCache,
-				IssuerURL:          "https://issuer.example.com",
-				ClientID:           "YOUR_CLIENT_ID",
-				ClientSecret:       "YOUR_CLIENT_SECRET",
-				ExtraScopes:        []string{"email", "profile"},
-				CACertFilename:     "/path/to/cacert",
-				SkipTLSVerify:      true,
-				ListenPort:         []int{10080, 20080},
-				SkipOpenBrowser:    true,
-				Username:           "USER",
-				Password:           "PASS",
-			})
-
-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(1))
-
-		cmd := Cmd{
-			GetToken: getToken,
-			Logger:   logger,
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"get-token",
-			"--oidc-issuer-url", "https://issuer.example.com",
-			"--oidc-client-id", "YOUR_CLIENT_ID",
-			"--oidc-client-secret", "YOUR_CLIENT_SECRET",
-			"--oidc-extra-scope", "email",
-			"--oidc-extra-scope", "profile",
-			"--certificate-authority", "/path/to/cacert",
-			"--insecure-skip-tls-verify",
-			"-v1",
-			"--listen-port", "10080",
-			"--listen-port", "20080",
-			"--skip-open-browser",
-			"--username", "USER",
-			"--password", "PASS",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/MissingMandatoryOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		cmd := Cmd{
-			GetToken: mock_usecases.NewMockGetToken(ctrl),
-			Logger:   mock_adaptors.NewLogger(t, ctrl),
-		}
-		exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
-		if exitCode != 1 {
-			t.Errorf("exitCode wants 1 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/TooManyArgs", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		cmd := Cmd{
-			GetToken: mock_usecases.NewMockGetToken(ctrl),
-			Logger:   mock_adaptors.NewLogger(t, ctrl),
-		}
-		exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
-		if exitCode != 1 {
-			t.Errorf("exitCode wants 1 but %d", exitCode)
-		}
-	})
-}
--- a/adaptors/credentialplugin/credential_plugin.go
+++ b/adaptors/credentialplugin/credential_plugin.go
@@ -1,40 +0,0 @@
-// Package credentialplugin provides interaction with kubectl for a credential plugin.
-package credentialplugin
-
-import (
-	"encoding/json"
-	"os"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"golang.org/x/xerrors"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
-)
-
-var Set = wire.NewSet(
-	wire.Struct(new(Interaction), "*"),
-	wire.Bind(new(adaptors.CredentialPluginInteraction), new(*Interaction)),
-)
-
-type Interaction struct{}
-
-// Write writes the ExecCredential to standard output for kubectl.
-func (*Interaction) Write(out credentialplugin.Output) error {
-	ec := &v1beta1.ExecCredential{
-		TypeMeta: v1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &v1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &v1.Time{Time: out.Expiry},
-		},
-	}
-	e := json.NewEncoder(os.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return xerrors.Errorf("could not write the ExecCredential: %w", err)
-	}
-	return nil
-}
--- a/adaptors/env/env.go
+++ b/adaptors/env/env.go
@@ -1,54 +0,0 @@
-package env
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"os/exec"
-	"syscall"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"golang.org/x/crypto/ssh/terminal"
-	"golang.org/x/xerrors"
-)
-
-// Set provides an implementation and interface for Env.
-var Set = wire.NewSet(
-	wire.Struct(new(Env), "*"),
-	wire.Bind(new(adaptors.Env), new(*Env)),
-)
-
-// Env provides environment specific facilities.
-type Env struct{}
-
-// ReadPassword reads a password from the stdin without echo back.
-func (*Env) ReadPassword(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, "Password: "); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	b, err := terminal.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return "", xerrors.Errorf("could not read: %w", err)
-	}
-	if _, err := fmt.Fprintln(os.Stderr); err != nil {
-		return "", xerrors.Errorf("could not write a new line: %w", err)
-	}
-	return string(b), nil
-}
-
-// Exec executes the command and returns the exit code.
-// Unlike the exec package, this does not return an error even if the command exited with non-zero code.
-func (*Env) Exec(ctx context.Context, executable string, args []string) (int, error) {
-	c := exec.CommandContext(ctx, executable, args...)
-	c.Stdin = os.Stdin
-	c.Stdout = os.Stdout
-	c.Stderr = os.Stderr
-	if err := c.Run(); err != nil {
-		if err, ok := err.(*exec.ExitError); ok {
-			return err.ExitCode(), nil
-		}
-		return 0, xerrors.Errorf("could not execute the command: %w", err)
-	}
-	return 0, nil
-}
--- a/adaptors/interfaces.go
+++ b/adaptors/interfaces.go
@@ -1,107 +0,0 @@
-package adaptors
-
-import (
-	"context"
-	"time"
-
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"github.com/int128/kubelogin/models/kubeconfig"
-)
-
-//go:generate mockgen -destination mock_adaptors/mock_adaptors.go github.com/int128/kubelogin/adaptors Kubeconfig,TokenCacheRepository,CredentialPluginInteraction,OIDC,OIDCClient,Env,Logger
-
-type Cmd interface {
-	Run(ctx context.Context, args []string, version string) int
-}
-
-type Kubeconfig interface {
-	GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)
-	UpdateAuthProvider(auth *kubeconfig.AuthProvider) error
-}
-
-type TokenCacheRepository interface {
-	Read(filename string) (*credentialplugin.TokenCache, error)
-	Write(filename string, tc credentialplugin.TokenCache) error
-}
-
-type CredentialPluginInteraction interface {
-	Write(out credentialplugin.Output) error
-}
-
-type OIDC interface {
-	New(ctx context.Context, config OIDCClientConfig) (OIDCClient, error)
-}
-
-// OIDCClientConfig represents a configuration of an OIDCClient to create.
-type OIDCClientConfig struct {
-	Config         kubeconfig.OIDCConfig
-	CACertFilename string
-	SkipTLSVerify  bool
-}
-
-type OIDCClient interface {
-	AuthenticateByCode(ctx context.Context, in OIDCAuthenticateByCodeIn) (*OIDCAuthenticateOut, error)
-	AuthenticateByPassword(ctx context.Context, in OIDCAuthenticateByPasswordIn) (*OIDCAuthenticateOut, error)
-	Verify(ctx context.Context, in OIDCVerifyIn) (*OIDCVerifyOut, error)
-	Refresh(ctx context.Context, in OIDCRefreshIn) (*OIDCAuthenticateOut, error)
-}
-
-// OIDCAuthenticateByCodeIn represents an input DTO of OIDCClient.AuthenticateByCode.
-type OIDCAuthenticateByCodeIn struct {
-	LocalServerPort    []int // HTTP server port candidates
-	SkipOpenBrowser    bool  // skip opening browser if true
-	ShowLocalServerURL interface{ ShowLocalServerURL(url string) }
-}
-
-// OIDCAuthenticateByPasswordIn represents an input DTO of OIDCClient.AuthenticateByPassword.
-type OIDCAuthenticateByPasswordIn struct {
-	Username string
-	Password string
-}
-
-// OIDCAuthenticateOut represents an output DTO of
-// OIDCClient.AuthenticateByCode, OIDCClient.AuthenticateByPassword and OIDCClient.Refresh.
-type OIDCAuthenticateOut struct {
-	IDToken       string
-	RefreshToken  string
-	IDTokenExpiry time.Time
-	IDTokenClaims map[string]string // string representation of claims for logging
-}
-
-// OIDCVerifyIn represents an input DTO of OIDCClient.Verify.
-type OIDCVerifyIn struct {
-	IDToken      string
-	RefreshToken string
-}
-
-// OIDCVerifyIn represents an output DTO of OIDCClient.Verify.
-type OIDCVerifyOut struct {
-	IDTokenExpiry time.Time
-	IDTokenClaims map[string]string // string representation of claims for logging
-}
-
-// OIDCRefreshIn represents an input DTO of OIDCClient.Refresh.
-type OIDCRefreshIn struct {
-	RefreshToken string
-}
-
-type Env interface {
-	ReadPassword(prompt string) (string, error)
-	Exec(ctx context.Context, executable string, args []string) (int, error)
-}
-
-type Logger interface {
-	Printf(format string, v ...interface{})
-	Debugf(level LogLevel, format string, v ...interface{})
-	SetLevel(level LogLevel)
-	IsEnabled(level LogLevel) bool
-}
-
-// LogLevel represents a log level for debug.
-//
-// 0 = None
-// 1 = Including in/out
-// 2 = Including transport headers
-// 3 = Including transport body
-//
-type LogLevel int
--- a/adaptors/kubeconfig/kubeconfig.go
+++ b/adaptors/kubeconfig/kubeconfig.go
@@ -1,14 +0,0 @@
-package kubeconfig
-
-import (
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-)
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Kubeconfig), "*"),
-	wire.Bind(new(adaptors.Kubeconfig), new(*Kubeconfig)),
-)
-
-type Kubeconfig struct{}
--- a/adaptors/kubeconfig/write.go
+++ b/adaptors/kubeconfig/write.go
@@ -1,51 +0,0 @@
-package kubeconfig
-
-import (
-	"strings"
-
-	"github.com/int128/kubelogin/models/kubeconfig"
-	"golang.org/x/xerrors"
-	"k8s.io/client-go/tools/clientcmd"
-)
-
-func (*Kubeconfig) UpdateAuthProvider(auth *kubeconfig.AuthProvider) error {
-	config, err := clientcmd.LoadFromFile(auth.LocationOfOrigin)
-	if err != nil {
-		return xerrors.Errorf("could not load %s: %w", auth.LocationOfOrigin, err)
-	}
-	userNode, ok := config.AuthInfos[string(auth.UserName)]
-	if !ok {
-		return xerrors.Errorf("user %s does not exist", auth.UserName)
-	}
-	if userNode.AuthProvider == nil {
-		return xerrors.Errorf("auth-provider is missing")
-	}
-	if userNode.AuthProvider.Name != "oidc" {
-		return xerrors.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
-	}
-	copyOIDCConfig(auth.OIDCConfig, userNode.AuthProvider.Config)
-	if err := clientcmd.WriteToFile(*config, auth.LocationOfOrigin); err != nil {
-		return xerrors.Errorf("could not update %s: %w", auth.LocationOfOrigin, err)
-	}
-	return nil
-}
-
-func copyOIDCConfig(config kubeconfig.OIDCConfig, m map[string]string) {
-	setOrDeleteKey(m, "idp-issuer-url", config.IDPIssuerURL)
-	setOrDeleteKey(m, "client-id", config.ClientID)
-	setOrDeleteKey(m, "client-secret", config.ClientSecret)
-	setOrDeleteKey(m, "idp-certificate-authority", config.IDPCertificateAuthority)
-	setOrDeleteKey(m, "idp-certificate-authority-data", config.IDPCertificateAuthorityData)
-	extraScopes := strings.Join(config.ExtraScopes, ",")
-	setOrDeleteKey(m, "extra-scopes", extraScopes)
-	setOrDeleteKey(m, "id-token", config.IDToken)
-	setOrDeleteKey(m, "refresh-token", config.RefreshToken)
-}
-
-func setOrDeleteKey(m map[string]string, key, value string) {
-	if value == "" {
-		delete(m, key)
-		return
-	}
-	m[key] = value
-}
--- a/adaptors/kubeconfig/write_test.go
+++ b/adaptors/kubeconfig/write_test.go
@@ -1,138 +0,0 @@
-package kubeconfig
-
-import (
-	"io/ioutil"
-	"os"
-	"testing"
-
-	"github.com/int128/kubelogin/models/kubeconfig"
-)
-
-func TestKubeconfig_UpdateAuth(t *testing.T) {
-	var k Kubeconfig
-
-	t.Run("MinimumKeys", func(t *testing.T) {
-		f := newKubeconfigFile(t)
-		defer func() {
-			if err := os.Remove(f.Name()); err != nil {
-				t.Errorf("Could not remove the temp file: %s", err)
-			}
-		}()
-		if err := k.UpdateAuthProvider(&kubeconfig.AuthProvider{
-			LocationOfOrigin: f.Name(),
-			UserName:         "google",
-			OIDCConfig: kubeconfig.OIDCConfig{
-				IDPIssuerURL: "https://accounts.google.com",
-				ClientID:     "GOOGLE_CLIENT_ID",
-				ClientSecret: "GOOGLE_CLIENT_SECRET",
-				IDToken:      "YOUR_ID_TOKEN",
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			},
-		}); err != nil {
-			t.Fatalf("Could not update auth: %s", err)
-		}
-		b, err := ioutil.ReadFile(f.Name())
-		if err != nil {
-			t.Fatalf("Could not read kubeconfig: %s", err)
-		}
-
-		want := `apiVersion: v1
-clusters: []
-contexts: []
-current-context: ""
-kind: Config
-preferences: {}
-users:
- name: google
-  user:
-    auth-provider:
-      config:
-        client-id: GOOGLE_CLIENT_ID
-        client-secret: GOOGLE_CLIENT_SECRET
-        id-token: YOUR_ID_TOKEN
-        idp-issuer-url: https://accounts.google.com
-        refresh-token: YOUR_REFRESH_TOKEN
-      name: oidc
-`
-		if want != string(b) {
-			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
-		}
-	})
-
-	t.Run("FullKeys", func(t *testing.T) {
-		f := newKubeconfigFile(t)
-		defer func() {
-			if err := os.Remove(f.Name()); err != nil {
-				t.Errorf("Could not remove the temp file: %s", err)
-			}
-		}()
-		if err := k.UpdateAuthProvider(&kubeconfig.AuthProvider{
-			LocationOfOrigin: f.Name(),
-			UserName:         "google",
-			OIDCConfig: kubeconfig.OIDCConfig{
-				IDPIssuerURL:                "https://accounts.google.com",
-				ClientID:                    "GOOGLE_CLIENT_ID",
-				ClientSecret:                "GOOGLE_CLIENT_SECRET",
-				IDPCertificateAuthority:     "/path/to/cert",
-				IDPCertificateAuthorityData: "BASE64",
-				ExtraScopes:                 []string{"email", "profile"},
-				IDToken:                     "YOUR_ID_TOKEN",
-				RefreshToken:                "YOUR_REFRESH_TOKEN",
-			},
-		}); err != nil {
-			t.Fatalf("Could not update auth: %s", err)
-		}
-		b, err := ioutil.ReadFile(f.Name())
-		if err != nil {
-			t.Fatalf("Could not read kubeconfig: %s", err)
-		}
-
-		want := `apiVersion: v1
-clusters: []
-contexts: []
-current-context: ""
-kind: Config
-preferences: {}
-users:
- name: google
-  user:
-    auth-provider:
-      config:
-        client-id: GOOGLE_CLIENT_ID
-        client-secret: GOOGLE_CLIENT_SECRET
-        extra-scopes: email,profile
-        id-token: YOUR_ID_TOKEN
-        idp-certificate-authority: /path/to/cert
-        idp-certificate-authority-data: BASE64
-        idp-issuer-url: https://accounts.google.com
-        refresh-token: YOUR_REFRESH_TOKEN
-      name: oidc
-`
-		if want != string(b) {
-			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
-		}
-	})
-}
-
-func newKubeconfigFile(t *testing.T) *os.File {
-	content := `apiVersion: v1
-clusters: []
-kind: Config
-preferences: {}
-users:
-  - name: google
-    user:
-      auth-provider:
-        config:
-          idp-issuer-url: https://accounts.google.com
-        name: oidc`
-	f, err := ioutil.TempFile("", "kubeconfig")
-	if err != nil {
-		t.Fatalf("Could not create a file: %s", err)
-	}
-	defer f.Close()
-	if _, err := f.Write([]byte(content)); err != nil {
-		t.Fatalf("Could not write kubeconfig: %s", err)
-	}
-	return f
-}
--- a/adaptors/logger/logger.go
+++ b/adaptors/logger/logger.go
@@ -1,56 +0,0 @@
-package logger
-
-import (
-	"fmt"
-	"log"
-	"os"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-)
-
-// Set provides an implementation and interface for Logger.
-var Set = wire.NewSet(
-	New,
-)
-
-// New returns a Logger with the standard log.Logger for messages and debug.
-func New() adaptors.Logger {
-	return &Logger{
-		stdLogger:   log.New(os.Stderr, "", 0),
-		debugLogger: log.New(os.Stderr, "", log.Ltime|log.Lmicroseconds|log.Lshortfile),
-	}
-}
-
-func NewWith(s stdLogger, d debugLogger) *Logger {
-	return &Logger{s, d, 0}
-}
-
-type stdLogger interface {
-	Printf(format string, v ...interface{})
-}
-
-type debugLogger interface {
-	Output(calldepth int, s string) error
-}
-
-// Logger wraps the standard log.Logger and just provides debug level.
-type Logger struct {
-	stdLogger
-	debugLogger
-	level adaptors.LogLevel
-}
-
-func (l *Logger) Debugf(level adaptors.LogLevel, format string, v ...interface{}) {
-	if l.IsEnabled(level) {
-		_ = l.debugLogger.Output(2, fmt.Sprintf(format, v...))
-	}
-}
-
-func (l *Logger) SetLevel(level adaptors.LogLevel) {
-	l.level = level
-}
-
-func (l *Logger) IsEnabled(level adaptors.LogLevel) bool {
-	return level <= l.level
-}
--- a/adaptors/logger/logger_test.go
+++ b/adaptors/logger/logger_test.go
@@ -1,62 +0,0 @@
-package logger
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/int128/kubelogin/adaptors"
-)
-
-type mockDebugLogger struct {
-	count int
-}
-
-func (l *mockDebugLogger) Output(int, string) error {
-	l.count++
-	return nil
-}
-
-func TestLogger_Debugf(t *testing.T) {
-	for _, c := range []struct {
-		loggerLevel adaptors.LogLevel
-		debugfLevel adaptors.LogLevel
-		count       int
-	}{
-		{0, 0, 1},
-		{0, 1, 0},
-
-		{1, 0, 1},
-		{1, 1, 1},
-		{1, 2, 0},
-
-		{2, 1, 1},
-		{2, 2, 1},
-		{2, 3, 0},
-	} {
-		t.Run(fmt.Sprintf("%+v", c), func(t *testing.T) {
-			m := &mockDebugLogger{}
-			l := &Logger{debugLogger: m, level: c.loggerLevel}
-			l.Debugf(c.debugfLevel, "hello")
-			if m.count != c.count {
-				t.Errorf("count wants %d but %d", c.count, m.count)
-			}
-		})
-	}
-}
-
-type mockStdLogger struct {
-	count int
-}
-
-func (l *mockStdLogger) Printf(format string, v ...interface{}) {
-	l.count++
-}
-
-func TestLogger_Printf(t *testing.T) {
-	m := &mockStdLogger{}
-	l := &Logger{stdLogger: m}
-	l.Printf("hello")
-	if m.count != 1 {
-		t.Errorf("count wants %d but %d", 1, m.count)
-	}
-}
--- a/adaptors/mock_adaptors/logger.go
+++ b/adaptors/mock_adaptors/logger.go
@@ -1,31 +0,0 @@
-package mock_adaptors
-
-import (
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-)
-
-func NewLogger(t testingLogger, ctrl *gomock.Controller) *Logger {
-	return &Logger{
-		MockLogger:    NewMockLogger(ctrl),
-		testingLogger: t,
-	}
-}
-
-type testingLogger interface {
-	Logf(format string, v ...interface{})
-}
-
-// Logger provides mock feature but overrides output methods with actual logging.
-type Logger struct {
-	*MockLogger
-	testingLogger testingLogger
-}
-
-func (l *Logger) Printf(format string, v ...interface{}) {
-	l.testingLogger.Logf(format, v...)
-}
-
-func (l *Logger) Debugf(level adaptors.LogLevel, format string, v ...interface{}) {
-	l.testingLogger.Logf(format, v...)
-}
--- a/adaptors/mock_adaptors/mock_adaptors.go
+++ b/adaptors/mock_adaptors/mock_adaptors.go
@@ -1,380 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/adaptors (interfaces: Kubeconfig,TokenCacheRepository,CredentialPluginInteraction,OIDC,OIDCClient,Env,Logger)
-
-// Package mock_adaptors is a generated GoMock package.
-package mock_adaptors
-
-import (
-	context "context"
-	gomock "github.com/golang/mock/gomock"
-	adaptors "github.com/int128/kubelogin/adaptors"
-	credentialplugin "github.com/int128/kubelogin/models/credentialplugin"
-	kubeconfig "github.com/int128/kubelogin/models/kubeconfig"
-	reflect "reflect"
-)
-
-// MockKubeconfig is a mock of Kubeconfig interface
-type MockKubeconfig struct {
-	ctrl     *gomock.Controller
-	recorder *MockKubeconfigMockRecorder
-}
-
-// MockKubeconfigMockRecorder is the mock recorder for MockKubeconfig
-type MockKubeconfigMockRecorder struct {
-	mock *MockKubeconfig
-}
-
-// NewMockKubeconfig creates a new mock instance
-func NewMockKubeconfig(ctrl *gomock.Controller) *MockKubeconfig {
-	mock := &MockKubeconfig{ctrl: ctrl}
-	mock.recorder = &MockKubeconfigMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockKubeconfig) EXPECT() *MockKubeconfigMockRecorder {
-	return m.recorder
-}
-
-// GetCurrentAuthProvider mocks base method
-func (m *MockKubeconfig) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
-	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
-func (mr *MockKubeconfigMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockKubeconfig)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
-}
-
-// UpdateAuthProvider mocks base method
-func (m *MockKubeconfig) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
-	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
-func (mr *MockKubeconfigMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockKubeconfig)(nil).UpdateAuthProvider), arg0)
-}
-
-// MockTokenCacheRepository is a mock of TokenCacheRepository interface
-type MockTokenCacheRepository struct {
-	ctrl     *gomock.Controller
-	recorder *MockTokenCacheRepositoryMockRecorder
-}
-
-// MockTokenCacheRepositoryMockRecorder is the mock recorder for MockTokenCacheRepository
-type MockTokenCacheRepositoryMockRecorder struct {
-	mock *MockTokenCacheRepository
-}
-
-// NewMockTokenCacheRepository creates a new mock instance
-func NewMockTokenCacheRepository(ctrl *gomock.Controller) *MockTokenCacheRepository {
-	mock := &MockTokenCacheRepository{ctrl: ctrl}
-	mock.recorder = &MockTokenCacheRepositoryMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockTokenCacheRepository) EXPECT() *MockTokenCacheRepositoryMockRecorder {
-	return m.recorder
-}
-
-// Read mocks base method
-func (m *MockTokenCacheRepository) Read(arg0 string) (*credentialplugin.TokenCache, error) {
-	ret := m.ctrl.Call(m, "Read", arg0)
-	ret0, _ := ret[0].(*credentialplugin.TokenCache)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Read indicates an expected call of Read
-func (mr *MockTokenCacheRepositoryMockRecorder) Read(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Read", reflect.TypeOf((*MockTokenCacheRepository)(nil).Read), arg0)
-}
-
-// Write mocks base method
-func (m *MockTokenCacheRepository) Write(arg0 string, arg1 credentialplugin.TokenCache) error {
-	ret := m.ctrl.Call(m, "Write", arg0, arg1)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Write indicates an expected call of Write
-func (mr *MockTokenCacheRepositoryMockRecorder) Write(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockTokenCacheRepository)(nil).Write), arg0, arg1)
-}
-
-// MockCredentialPluginInteraction is a mock of CredentialPluginInteraction interface
-type MockCredentialPluginInteraction struct {
-	ctrl     *gomock.Controller
-	recorder *MockCredentialPluginInteractionMockRecorder
-}
-
-// MockCredentialPluginInteractionMockRecorder is the mock recorder for MockCredentialPluginInteraction
-type MockCredentialPluginInteractionMockRecorder struct {
-	mock *MockCredentialPluginInteraction
-}
-
-// NewMockCredentialPluginInteraction creates a new mock instance
-func NewMockCredentialPluginInteraction(ctrl *gomock.Controller) *MockCredentialPluginInteraction {
-	mock := &MockCredentialPluginInteraction{ctrl: ctrl}
-	mock.recorder = &MockCredentialPluginInteractionMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockCredentialPluginInteraction) EXPECT() *MockCredentialPluginInteractionMockRecorder {
-	return m.recorder
-}
-
-// Write mocks base method
-func (m *MockCredentialPluginInteraction) Write(arg0 credentialplugin.Output) error {
-	ret := m.ctrl.Call(m, "Write", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Write indicates an expected call of Write
-func (mr *MockCredentialPluginInteractionMockRecorder) Write(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockCredentialPluginInteraction)(nil).Write), arg0)
-}
-
-// MockOIDC is a mock of OIDC interface
-type MockOIDC struct {
-	ctrl     *gomock.Controller
-	recorder *MockOIDCMockRecorder
-}
-
-// MockOIDCMockRecorder is the mock recorder for MockOIDC
-type MockOIDCMockRecorder struct {
-	mock *MockOIDC
-}
-
-// NewMockOIDC creates a new mock instance
-func NewMockOIDC(ctrl *gomock.Controller) *MockOIDC {
-	mock := &MockOIDC{ctrl: ctrl}
-	mock.recorder = &MockOIDCMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockOIDC) EXPECT() *MockOIDCMockRecorder {
-	return m.recorder
-}
-
-// New mocks base method
-func (m *MockOIDC) New(arg0 context.Context, arg1 adaptors.OIDCClientConfig) (adaptors.OIDCClient, error) {
-	ret := m.ctrl.Call(m, "New", arg0, arg1)
-	ret0, _ := ret[0].(adaptors.OIDCClient)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// New indicates an expected call of New
-func (mr *MockOIDCMockRecorder) New(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockOIDC)(nil).New), arg0, arg1)
-}
-
-// MockOIDCClient is a mock of OIDCClient interface
-type MockOIDCClient struct {
-	ctrl     *gomock.Controller
-	recorder *MockOIDCClientMockRecorder
-}
-
-// MockOIDCClientMockRecorder is the mock recorder for MockOIDCClient
-type MockOIDCClientMockRecorder struct {
-	mock *MockOIDCClient
-}
-
-// NewMockOIDCClient creates a new mock instance
-func NewMockOIDCClient(ctrl *gomock.Controller) *MockOIDCClient {
-	mock := &MockOIDCClient{ctrl: ctrl}
-	mock.recorder = &MockOIDCClientMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockOIDCClient) EXPECT() *MockOIDCClientMockRecorder {
-	return m.recorder
-}
-
-// AuthenticateByCode mocks base method
-func (m *MockOIDCClient) AuthenticateByCode(arg0 context.Context, arg1 adaptors.OIDCAuthenticateByCodeIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ret := m.ctrl.Call(m, "AuthenticateByCode", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateByCode indicates an expected call of AuthenticateByCode
-func (mr *MockOIDCClientMockRecorder) AuthenticateByCode(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByCode", reflect.TypeOf((*MockOIDCClient)(nil).AuthenticateByCode), arg0, arg1)
-}
-
-// AuthenticateByPassword mocks base method
-func (m *MockOIDCClient) AuthenticateByPassword(arg0 context.Context, arg1 adaptors.OIDCAuthenticateByPasswordIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ret := m.ctrl.Call(m, "AuthenticateByPassword", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateByPassword indicates an expected call of AuthenticateByPassword
-func (mr *MockOIDCClientMockRecorder) AuthenticateByPassword(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByPassword", reflect.TypeOf((*MockOIDCClient)(nil).AuthenticateByPassword), arg0, arg1)
-}
-
-// Refresh mocks base method
-func (m *MockOIDCClient) Refresh(arg0 context.Context, arg1 adaptors.OIDCRefreshIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh
-func (mr *MockOIDCClientMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockOIDCClient)(nil).Refresh), arg0, arg1)
-}
-
-// Verify mocks base method
-func (m *MockOIDCClient) Verify(arg0 context.Context, arg1 adaptors.OIDCVerifyIn) (*adaptors.OIDCVerifyOut, error) {
-	ret := m.ctrl.Call(m, "Verify", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCVerifyOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Verify indicates an expected call of Verify
-func (mr *MockOIDCClientMockRecorder) Verify(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Verify", reflect.TypeOf((*MockOIDCClient)(nil).Verify), arg0, arg1)
-}
-
-// MockEnv is a mock of Env interface
-type MockEnv struct {
-	ctrl     *gomock.Controller
-	recorder *MockEnvMockRecorder
-}
-
-// MockEnvMockRecorder is the mock recorder for MockEnv
-type MockEnvMockRecorder struct {
-	mock *MockEnv
-}
-
-// NewMockEnv creates a new mock instance
-func NewMockEnv(ctrl *gomock.Controller) *MockEnv {
-	mock := &MockEnv{ctrl: ctrl}
-	mock.recorder = &MockEnvMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockEnv) EXPECT() *MockEnvMockRecorder {
-	return m.recorder
-}
-
-// Exec mocks base method
-func (m *MockEnv) Exec(arg0 context.Context, arg1 string, arg2 []string) (int, error) {
-	ret := m.ctrl.Call(m, "Exec", arg0, arg1, arg2)
-	ret0, _ := ret[0].(int)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Exec indicates an expected call of Exec
-func (mr *MockEnvMockRecorder) Exec(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exec", reflect.TypeOf((*MockEnv)(nil).Exec), arg0, arg1, arg2)
-}
-
-// ReadPassword mocks base method
-func (m *MockEnv) ReadPassword(arg0 string) (string, error) {
-	ret := m.ctrl.Call(m, "ReadPassword", arg0)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadPassword indicates an expected call of ReadPassword
-func (mr *MockEnvMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockEnv)(nil).ReadPassword), arg0)
-}
-
-// MockLogger is a mock of Logger interface
-type MockLogger struct {
-	ctrl     *gomock.Controller
-	recorder *MockLoggerMockRecorder
-}
-
-// MockLoggerMockRecorder is the mock recorder for MockLogger
-type MockLoggerMockRecorder struct {
-	mock *MockLogger
-}
-
-// NewMockLogger creates a new mock instance
-func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
-	mock := &MockLogger{ctrl: ctrl}
-	mock.recorder = &MockLoggerMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
-	return m.recorder
-}
-
-// Debugf mocks base method
-func (m *MockLogger) Debugf(arg0 adaptors.LogLevel, arg1 string, arg2 ...interface{}) {
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	m.ctrl.Call(m, "Debugf", varargs...)
-}
-
-// Debugf indicates an expected call of Debugf
-func (mr *MockLoggerMockRecorder) Debugf(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Debugf", reflect.TypeOf((*MockLogger)(nil).Debugf), varargs...)
-}
-
-// IsEnabled mocks base method
-func (m *MockLogger) IsEnabled(arg0 adaptors.LogLevel) bool {
-	ret := m.ctrl.Call(m, "IsEnabled", arg0)
-	ret0, _ := ret[0].(bool)
-	return ret0
-}
-
-// IsEnabled indicates an expected call of IsEnabled
-func (mr *MockLoggerMockRecorder) IsEnabled(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsEnabled", reflect.TypeOf((*MockLogger)(nil).IsEnabled), arg0)
-}
-
-// Printf mocks base method
-func (m *MockLogger) Printf(arg0 string, arg1 ...interface{}) {
-	varargs := []interface{}{arg0}
-	for _, a := range arg1 {
-		varargs = append(varargs, a)
-	}
-	m.ctrl.Call(m, "Printf", varargs...)
-}
-
-// Printf indicates an expected call of Printf
-func (mr *MockLoggerMockRecorder) Printf(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
-	varargs := append([]interface{}{arg0}, arg1...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Printf", reflect.TypeOf((*MockLogger)(nil).Printf), varargs...)
-}
-
-// SetLevel mocks base method
-func (m *MockLogger) SetLevel(arg0 adaptors.LogLevel) {
-	m.ctrl.Call(m, "SetLevel", arg0)
-}
-
-// SetLevel indicates an expected call of SetLevel
-func (mr *MockLoggerMockRecorder) SetLevel(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLevel", reflect.TypeOf((*MockLogger)(nil).SetLevel), arg0)
-}
--- a/adaptors/oidc/logging/transport.go
+++ b/adaptors/oidc/logging/transport.go
@@ -1,50 +0,0 @@
-package logging
-
-import (
-	"net/http"
-	"net/http/httputil"
-
-	"github.com/int128/kubelogin/adaptors"
-)
-
-const (
-	logLevelDumpHeaders = 2
-	logLevelDumpBody    = 3
-)
-
-type Transport struct {
-	Base   http.RoundTripper
-	Logger adaptors.Logger
-}
-
-func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
-	if !t.IsDumpEnabled() {
-		return t.Base.RoundTrip(req)
-	}
-
-	reqDump, err := httputil.DumpRequestOut(req, t.IsDumpBodyEnabled())
-	if err != nil {
-		t.Logger.Debugf(logLevelDumpHeaders, "Error: could not dump the request: %s", err)
-		return t.Base.RoundTrip(req)
-	}
-	t.Logger.Debugf(logLevelDumpHeaders, "%s", string(reqDump))
-	resp, err := t.Base.RoundTrip(req)
-	if err != nil {
-		return resp, err
-	}
-	respDump, err := httputil.DumpResponse(resp, t.IsDumpBodyEnabled())
-	if err != nil {
-		t.Logger.Debugf(logLevelDumpHeaders, "Error: could not dump the response: %s", err)
-		return resp, err
-	}
-	t.Logger.Debugf(logLevelDumpHeaders, "%s", string(respDump))
-	return resp, err
-}
-
-func (t *Transport) IsDumpEnabled() bool {
-	return t.Logger.IsEnabled(logLevelDumpHeaders)
-}
-
-func (t *Transport) IsDumpBodyEnabled() bool {
-	return t.Logger.IsEnabled(logLevelDumpBody)
-}
--- a/adaptors/oidc/logging/transport_test.go
+++ b/adaptors/oidc/logging/transport_test.go
@@ -1,90 +0,0 @@
-package logging
-
-import (
-	"bufio"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-)
-
-type mockTransport struct {
-	req  *http.Request
-	resp *http.Response
-}
-
-func (t *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	t.req = req
-	return t.resp, nil
-}
-
-func TestLoggingTransport_RoundTrip(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	logger := mock_adaptors.NewLogger(t, ctrl)
-	logger.EXPECT().
-		IsEnabled(gomock.Any()).
-		Return(true).
-		AnyTimes()
-
-	req := httptest.NewRequest("GET", "http://example.com/hello", nil)
-	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(`HTTP/1.1 200 OK
-Host: example.com
-
-dummy`)), req)
-	if err != nil {
-		t.Errorf("could not create a response: %s", err)
-	}
-	defer resp.Body.Close()
-
-	transport := &Transport{
-		Base:   &mockTransport{resp: resp},
-		Logger: logger,
-	}
-	gotResp, err := transport.RoundTrip(req)
-	if err != nil {
-		t.Errorf("RoundTrip error: %s", err)
-	}
-	if gotResp != resp {
-		t.Errorf("resp wants %v but %v", resp, gotResp)
-	}
-}
-
-func TestLoggingTransport_IsDumpEnabled(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	logger := mock_adaptors.NewLogger(t, ctrl)
-	logger.EXPECT().
-		IsEnabled(adaptors.LogLevel(logLevelDumpHeaders)).
-		Return(true)
-
-	transport := &Transport{
-		Logger: logger,
-	}
-	if transport.IsDumpEnabled() != true {
-		t.Errorf("IsDumpEnabled wants true")
-	}
-}
-
-func TestLoggingTransport_IsDumpBodyEnabled(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	logger := mock_adaptors.NewLogger(t, ctrl)
-	logger.EXPECT().
-		IsEnabled(adaptors.LogLevel(logLevelDumpBody)).
-		Return(true)
-
-	transport := &Transport{
-		Logger: logger,
-	}
-	if transport.IsDumpBodyEnabled() != true {
-		t.Errorf("IsDumpBodyEnabled wants true")
-	}
-}
--- a/adaptors/oidc/oidc.go
+++ b/adaptors/oidc/oidc.go
@@ -1,228 +0,0 @@
-package oidc
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/coreos/go-oidc"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/oidc/logging"
-	"github.com/int128/kubelogin/adaptors/oidc/tls"
-	"github.com/int128/oauth2cli"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-// Set provides an implementation and interface for OIDC.
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(adaptors.OIDC), new(*Factory)),
-)
-
-type Factory struct {
-	Logger adaptors.Logger
-}
-
-// New returns an instance of adaptors.OIDCClient with the given configuration.
-func (f *Factory) New(ctx context.Context, config adaptors.OIDCClientConfig) (adaptors.OIDCClient, error) {
-	tlsConfig, err := tls.NewConfig(config, f.Logger)
-	if err != nil {
-		return nil, xerrors.Errorf("could not initialize TLS config: %w", err)
-	}
-	baseTransport := &http.Transport{
-		TLSClientConfig: tlsConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
-	httpClient := &http.Client{
-		Transport: loggingTransport,
-	}
-
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := oidc.NewProvider(ctx, config.Config.IDPIssuerURL)
-	if err != nil {
-		return nil, xerrors.Errorf("could not discovery the OIDC issuer: %w", err)
-	}
-	return &client{
-		httpClient: httpClient,
-		provider:   provider,
-		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     config.Config.ClientID,
-			ClientSecret: config.Config.ClientSecret,
-			Scopes:       append(config.Config.ExtraScopes, oidc.ScopeOpenID),
-		},
-		logger: f.Logger,
-	}, nil
-}
-
-type client struct {
-	httpClient   *http.Client
-	provider     *oidc.Provider
-	oauth2Config oauth2.Config
-	logger       adaptors.Logger
-}
-
-// AuthenticateByCode performs the authorization code flow.
-func (c *client) AuthenticateByCode(ctx context.Context, in adaptors.OIDCAuthenticateByCodeIn) (*adaptors.OIDCAuthenticateOut, error) {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	nonce, err := newNonce()
-	if err != nil {
-		return nil, xerrors.Errorf("could not generate a nonce parameter")
-	}
-	config := oauth2cli.Config{
-		OAuth2Config:       c.oauth2Config,
-		LocalServerPort:    in.LocalServerPort,
-		SkipOpenBrowser:    in.SkipOpenBrowser,
-		AuthCodeOptions:    []oauth2.AuthCodeOption{oauth2.AccessTypeOffline, oidc.Nonce(nonce)},
-		ShowLocalServerURL: in.ShowLocalServerURL.ShowLocalServerURL,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	if verifiedIDToken.Nonce != nonce {
-		return nil, xerrors.Errorf("nonce of ID token did not match (want %s but was %s)", nonce, verifiedIDToken.Nonce)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCAuthenticateOut{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func newNonce() (string, error) {
-	var n uint64
-	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
-		return "", xerrors.Errorf("error while reading random: %w", err)
-	}
-	return fmt.Sprintf("%x", n), nil
-}
-
-// AuthenticateByPassword performs the resource owner password credentials flow.
-func (c *client) AuthenticateByPassword(ctx context.Context, in adaptors.OIDCAuthenticateByPasswordIn) (*adaptors.OIDCAuthenticateOut, error) {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, in.Username, in.Password)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCAuthenticateOut{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-// Verify checks client ID and signature of the ID token.
-// This does not check the expiration and caller should check it.
-func (c *client) Verify(ctx context.Context, in adaptors.OIDCVerifyIn) (*adaptors.OIDCVerifyOut, error) {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{
-		ClientID:        c.oauth2Config.ClientID,
-		SkipExpiryCheck: true,
-	})
-	verifiedIDToken, err := verifier.Verify(ctx, in.IDToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCVerifyOut{
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-// Refresh sends a refresh token request and returns a token set.
-func (c *client) Refresh(ctx context.Context, in adaptors.OIDCRefreshIn) (*adaptors.OIDCAuthenticateOut, error) {
-	currentToken := &oauth2.Token{
-		Expiry:       time.Now(),
-		RefreshToken: in.RefreshToken,
-	}
-	source := c.oauth2Config.TokenSource(ctx, currentToken)
-	token, err := source.Token()
-	if err != nil {
-		return nil, xerrors.Errorf("could not refresh the token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCAuthenticateOut{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
-	var rawClaims map[string]interface{}
-	err := token.Claims(&rawClaims)
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%f", v.(float64))
-		default:
-			claims[k] = fmt.Sprintf("%s", v)
-		}
-	}
-	if err != nil {
-		return claims, xerrors.Errorf("error while decoding the ID token: %w", err)
-	}
-	return claims, nil
-}
--- a/adaptors/oidc/tls/tls.go
+++ b/adaptors/oidc/tls/tls.go
@@ -1,66 +0,0 @@
-package tls
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"io/ioutil"
-
-	"github.com/int128/kubelogin/adaptors"
-	"golang.org/x/xerrors"
-)
-
-// NewConfig returns a tls.Config with the given certificates and options.
-func NewConfig(config adaptors.OIDCClientConfig, logger adaptors.Logger) (*tls.Config, error) {
-	pool := x509.NewCertPool()
-	if config.Config.IDPCertificateAuthority != "" {
-		logger.Debugf(1, "Loading the certificate %s", config.Config.IDPCertificateAuthority)
-		err := appendCertificateFromFile(pool, config.Config.IDPCertificateAuthority)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority: %w", err)
-		}
-	}
-	if config.Config.IDPCertificateAuthorityData != "" {
-		logger.Debugf(1, "Loading the certificate of idp-certificate-authority-data")
-		err := appendEncodedCertificate(pool, config.Config.IDPCertificateAuthorityData)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority-data: %w", err)
-		}
-	}
-	if config.CACertFilename != "" {
-		logger.Debugf(1, "Loading the certificate %s", config.CACertFilename)
-		err := appendCertificateFromFile(pool, config.CACertFilename)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate: %w", err)
-		}
-	}
-	c := &tls.Config{
-		InsecureSkipVerify: config.SkipTLSVerify,
-	}
-	if len(pool.Subjects()) > 0 {
-		c.RootCAs = pool
-	}
-	return c, nil
-}
-
-func appendCertificateFromFile(pool *x509.CertPool, filename string) error {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return xerrors.Errorf("could not read %s: %w", filename, err)
-	}
-	if !pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate from %s", filename)
-	}
-	return nil
-}
-
-func appendEncodedCertificate(pool *x509.CertPool, base64String string) error {
-	b, err := base64.StdEncoding.DecodeString(base64String)
-	if err != nil {
-		return xerrors.Errorf("could not decode base64: %w", err)
-	}
-	if !pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate")
-	}
-	return nil
-}
--- a/adaptors/oidc/tls/tls_test.go
+++ b/adaptors/oidc/tls/tls_test.go
@@ -1,89 +0,0 @@
-package tls
-
-import (
-	"io/ioutil"
-	"testing"
-
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/e2e_test/logger"
-	"github.com/int128/kubelogin/models/kubeconfig"
-)
-
-func TestNewConfig(t *testing.T) {
-	testingLogger := logger.New(t)
-	testingLogger.SetLevel(1)
-
-	t.Run("Defaults", func(t *testing.T) {
-		c, err := NewConfig(adaptors.OIDCClientConfig{}, testingLogger)
-		if err != nil {
-			t.Fatalf("NewConfig error: %+v", err)
-		}
-		if c.InsecureSkipVerify {
-			t.Errorf("InsecureSkipVerify wants false but true")
-		}
-		if c.RootCAs != nil {
-			t.Errorf("RootCAs wants nil but %+v", c.RootCAs)
-		}
-	})
-	t.Run("SkipTLSVerify", func(t *testing.T) {
-		config := adaptors.OIDCClientConfig{
-			SkipTLSVerify: true,
-		}
-		c, err := NewConfig(config, testingLogger)
-		if err != nil {
-			t.Fatalf("NewConfig error: %+v", err)
-		}
-		if !c.InsecureSkipVerify {
-			t.Errorf("InsecureSkipVerify wants true but false")
-		}
-		if c.RootCAs != nil {
-			t.Errorf("RootCAs wants nil but %+v", c.RootCAs)
-		}
-	})
-	t.Run("AllCertificates", func(t *testing.T) {
-		config := adaptors.OIDCClientConfig{
-			Config: kubeconfig.OIDCConfig{
-				IDPCertificateAuthority:     "testdata/ca1.crt",
-				IDPCertificateAuthorityData: string(readFile(t, "testdata/ca2.crt.base64")),
-			},
-			CACertFilename: "testdata/ca3.crt",
-		}
-		c, err := NewConfig(config, testingLogger)
-		if err != nil {
-			t.Fatalf("NewConfig error: %+v", err)
-		}
-		if c.InsecureSkipVerify {
-			t.Errorf("InsecureSkipVerify wants false but true")
-		}
-		if c.RootCAs == nil {
-			t.Fatalf("RootCAs wants non-nil but nil")
-		}
-		subjects := c.RootCAs.Subjects()
-		if len(subjects) != 3 {
-			t.Errorf("len(subjects) wants 3 but %d", len(subjects))
-		}
-	})
-	t.Run("InvalidCertificate", func(t *testing.T) {
-		config := adaptors.OIDCClientConfig{
-			Config: kubeconfig.OIDCConfig{
-				IDPCertificateAuthority:     "testdata/ca1.crt",
-				IDPCertificateAuthorityData: string(readFile(t, "testdata/ca2.crt.base64")),
-			},
-			CACertFilename: "testdata/Makefile", // invalid cert
-		}
-		_, err := NewConfig(config, testingLogger)
-		if err == nil {
-			t.Fatalf("NewConfig wants non-nil but nil")
-		}
-		t.Logf("expected error: %+v", err)
-	})
-}
-
-func readFile(t *testing.T, filename string) []byte {
-	t.Helper()
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		t.Fatalf("ReadFile error: %s", err)
-	}
-	return b
-}
--- a/adaptors/tokencache/tokencache.go
+++ b/adaptors/tokencache/tokencache.go
@@ -1,46 +0,0 @@
-package tokencache
-
-import (
-	"encoding/json"
-	"os"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"golang.org/x/xerrors"
-)
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Repository), "*"),
-	wire.Bind(new(adaptors.TokenCacheRepository), new(*Repository)),
-)
-
-type Repository struct{}
-
-func (*Repository) Read(filename string) (*credentialplugin.TokenCache, error) {
-	f, err := os.Open(filename)
-	if err != nil {
-		return nil, xerrors.Errorf("could not open file %s: %w", filename, err)
-	}
-	defer f.Close()
-	d := json.NewDecoder(f)
-	var c credentialplugin.TokenCache
-	if err := d.Decode(&c); err != nil {
-		return nil, xerrors.Errorf("could not decode json file %s: %w", filename, err)
-	}
-	return &c, nil
-}
-
-func (*Repository) Write(filename string, tc credentialplugin.TokenCache) error {
-	f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return xerrors.Errorf("could not create file %s: %w", filename, err)
-	}
-	defer f.Close()
-	e := json.NewEncoder(f)
-	if err := e.Encode(&tc); err != nil {
-		return xerrors.Errorf("could not encode json to file %s: %w", filename, err)
-	}
-	return nil
-}
--- a/adaptors/tokencache/tokencache_test.go
+++ b/adaptors/tokencache/tokencache_test.go
@@ -1,73 +0,0 @@
-package tokencache
-
-import (
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/go-test/deep"
-	"github.com/int128/kubelogin/models/credentialplugin"
-)
-
-func TestRepository_Read(t *testing.T) {
-	var r Repository
-
-	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename := filepath.Join(dir, "token-cache")
-		if err := ioutil.WriteFile(filename, []byte(json), 0600); err != nil {
-			t.Fatalf("could not write to the temp file: %s", err)
-		}
-
-		tokenCache, err := r.Read(filename)
-		if err != nil {
-			t.Errorf("err wants nil but %+v", err)
-		}
-		want := &credentialplugin.TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if diff := deep.Equal(tokenCache, want); diff != nil {
-			t.Error(diff)
-		}
-	})
-}
-
-func TestRepository_Write(t *testing.T) {
-	var r Repository
-
-	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-
-		filename := filepath.Join(dir, "token-cache")
-		tokenCache := credentialplugin.TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Write(filename, tokenCache); err != nil {
-			t.Errorf("err wants nil but %+v", err)
-		}
-
-		b, err := ioutil.ReadFile(filename)
-		if err != nil {
-			t.Fatalf("could not read the token cache file: %s", err)
-		}
-		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
-`
-		if diff := deep.Equal(string(b), want); diff != nil {
-			t.Error(diff)
-		}
-	})
-}
--- a/di/di.go
+++ b/di/di.go
@@ -1,57 +0,0 @@
-//+build wireinject
-
-// Package di provides dependency injection.
-package di
-
-import (
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/cmd"
-	credentialPluginAdaptor "github.com/int128/kubelogin/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/adaptors/env"
-	"github.com/int128/kubelogin/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/adaptors/logger"
-	"github.com/int128/kubelogin/adaptors/oidc"
-	"github.com/int128/kubelogin/adaptors/tokencache"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/auth"
-	credentialPluginUseCase "github.com/int128/kubelogin/usecases/credentialplugin"
-	"github.com/int128/kubelogin/usecases/login"
-)
-
-// NewCmd returns an instance of adaptors.Cmd.
-func NewCmd() adaptors.Cmd {
-	wire.Build(
-		auth.Set,
-		auth.ExtraSet,
-		login.Set,
-		credentialPluginUseCase.Set,
-		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		credentialPluginAdaptor.Set,
-		oidc.Set,
-		logger.Set,
-	)
-	return nil
-}
-
-// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
-func NewCmdForHeadless(
-	adaptors.Logger,
-	usecases.LoginShowLocalServerURL,
-	adaptors.CredentialPluginInteraction,
-) adaptors.Cmd {
-	wire.Build(
-		auth.Set,
-		login.Set,
-		credentialPluginUseCase.Set,
-		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		oidc.Set,
-	)
-	return nil
-}
--- a/di/wire_gen.go
+++ b/di/wire_gen.go
@@ -1,106 +0,0 @@
-// Code generated by Wire. DO NOT EDIT.
-
-//go:generate wire
-//+build !wireinject
-
-package di
-
-import (
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/cmd"
-	"github.com/int128/kubelogin/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/adaptors/env"
-	"github.com/int128/kubelogin/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/adaptors/logger"
-	"github.com/int128/kubelogin/adaptors/oidc"
-	"github.com/int128/kubelogin/adaptors/tokencache"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/auth"
-	credentialplugin2 "github.com/int128/kubelogin/usecases/credentialplugin"
-	"github.com/int128/kubelogin/usecases/login"
-)
-
-// Injectors from di.go:
-
-func NewCmd() adaptors.Cmd {
-	adaptorsLogger := logger.New()
-	factory := &oidc.Factory{
-		Logger: adaptorsLogger,
-	}
-	envEnv := &env.Env{}
-	showLocalServerURL := &auth.ShowLocalServerURL{
-		Logger: adaptorsLogger,
-	}
-	authentication := &auth.Authentication{
-		OIDC:               factory,
-		Env:                envEnv,
-		Logger:             adaptorsLogger,
-		ShowLocalServerURL: showLocalServerURL,
-	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
-	loginLogin := &login.Login{
-		Authentication: authentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		Logger:         adaptorsLogger,
-	}
-	repository := &tokencache.Repository{}
-	interaction := &credentialplugin.Interaction{}
-	getToken := &credentialplugin2.GetToken{
-		Authentication:       authentication,
-		TokenCacheRepository: repository,
-		Interaction:          interaction,
-		Logger:               adaptorsLogger,
-	}
-	exec := &login.Exec{
-		Authentication: authentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		Env:            envEnv,
-		Logger:         adaptorsLogger,
-	}
-	cmdCmd := &cmd.Cmd{
-		Login:        loginLogin,
-		GetToken:     getToken,
-		LoginAndExec: exec,
-		Logger:       adaptorsLogger,
-	}
-	return cmdCmd
-}
-
-func NewCmdForHeadless(adaptorsLogger adaptors.Logger, loginShowLocalServerURL usecases.LoginShowLocalServerURL, credentialPluginInteraction adaptors.CredentialPluginInteraction) adaptors.Cmd {
-	factory := &oidc.Factory{
-		Logger: adaptorsLogger,
-	}
-	envEnv := &env.Env{}
-	authentication := &auth.Authentication{
-		OIDC:               factory,
-		Env:                envEnv,
-		Logger:             adaptorsLogger,
-		ShowLocalServerURL: loginShowLocalServerURL,
-	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
-	loginLogin := &login.Login{
-		Authentication: authentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		Logger:         adaptorsLogger,
-	}
-	repository := &tokencache.Repository{}
-	getToken := &credentialplugin2.GetToken{
-		Authentication:       authentication,
-		TokenCacheRepository: repository,
-		Interaction:          credentialPluginInteraction,
-		Logger:               adaptorsLogger,
-	}
-	exec := &login.Exec{
-		Authentication: authentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		Env:            envEnv,
-		Logger:         adaptorsLogger,
-	}
-	cmdCmd := &cmd.Cmd{
-		Login:        loginLogin,
-		GetToken:     getToken,
-		LoginAndExec: exec,
-		Logger:       adaptorsLogger,
-	}
-	return cmdCmd
-}
--- a/docs/authn.png
+++ b/docs/authn.png
--- a/docs/authn.seqdiag
+++ b/docs/authn.seqdiag
@@ -1,16 +0,0 @@
-seqdiag {
-  User -> kubelogin [label = "execute"];
-  kubelogin -> Browser [label = "open"];
-  Browser -> Provider [label = "authentication request"];
-  Browser <-- Provider [label = "redirect"];
-  User -> Browser [label = "enter credentials"];
-  Browser -> Provider [label = "credentials"];
-  Browser <-- Provider [label = "authentication response"];
-  User <-- Browser [label = "success"];
-  kubelogin <-- Browser [label = "close"];
-  kubelogin -> Provider [label = "token request"];
-  kubelogin <-- Provider [label = "token response"];
-  kubelogin -> kubeconfig [label = "write token"];
-  kubelogin <-- kubeconfig;
-  User <-- kubelogin;
-}
--- a/docs/credential-plugin-diagram.svg
+++ b/docs/credential-plugin-diagram.svg
--- a/docs/google.md
+++ b/docs/google.md
@@ -1,84 +0,0 @@
-# Getting Started with Google Identity Platform
-
-## Prerequisite
-
- You have a Google account.
- You have the Cluster Admin role of the Kubernetes cluster.
- You can configure the Kubernetes API server.
- `kubectl` and `kubelogin` are installed to your computer.
-
-## 1. Setup Google API
-
-Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:
-
- Application Type: Other
-
-## 2. Setup Kubernetes API server
-
-Configure your Kubernetes API Server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
-
-```
--oidc-issuer-url=https://accounts.google.com
--oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
-```
-
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://accounts.google.com
-    oidcClientID: YOUR_CLIENT_ID.apps.googleusercontent.com
-```
-
-## 3. Setup Kubernetes cluster
-
-Here assign the `cluster-admin` role to you.
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: oidc-admin-group
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: User
-  name: https://accounts.google.com#1234567890
-```
-
-You can create a custom role and assign it as well.
-
-## 4. Setup kubeconfig
-
-Configure the kubeconfig like:
-
-```yaml
-users:
- name: google
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://accounts.google.com
-      - --oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-## 5. Run kubectl
-
-Make sure you can access to the Kubernetes cluster.
-
-```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
-```
--- a/docs/keycloak-login.png
+++ b/docs/keycloak-login.png
--- a/docs/keycloak.md
+++ b/docs/keycloak.md
@@ -1,101 +0,0 @@
-# Getting Started with Keycloak
-
-## Prerequisite
-
- You have an administrator role of the Keycloak realm.
- You have an administrator role of the Kubernetes cluster.
- You can configure the Kubernetes API server.
- `kubectl` and `kubelogin` are installed.
-
-## 1. Setup Keycloak
-
-Open the Keycloak and create an OIDC client as follows:
-
- Client ID: `kubernetes`
- Valid Redirect URLs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
-
-You can associate client roles by adding the following mapper:
-
- Name: `groups`
- Mapper Type: `User Client Role`
- Client ID: `kubernetes`
- Client Role prefix: `kubernetes:`
- Token Claim Name: `groups`
- Add to ID token: on
-
-For example, if you have the `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
-
-## 2. Setup Kubernetes API server
-
-Configure your Kubernetes API server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
-
-```
--oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
--oidc-client-id=kubernetes
--oidc-groups-claim=groups
-```
-
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and add the following spec:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
-    oidcClientID: kubernetes
-    oidcGroupsClaim: groups
-```
-
-## 3. Setup Kubernetes cluster
-
-Here assign the `cluster-admin` role to the `kubernetes:admin` group.
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: keycloak-admin-group
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: Group
-  name: kubernetes:admin
-```
-
-You can create a custom role and assign it as well.
-
-## 4. Setup kubeconfig
-
-Configure the kubeconfig like:
-
-```yaml
-users:
- name: keycloak
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
-      - --oidc-client-id=kubernetes
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-## 5. Run kubectl
-
-Make sure you can access to the Kubernetes cluster.
-
-```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
-```
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -0,0 +1,99 @@
+# Kubernetes OpenID Connection authentication
+
+This document guides how to set up Kubernetes OpenID Connect (OIDC) authentication.
+Let's see the following steps:
+
+1. Set up the OIDC provider
+1. Verify authentication
+1. Bind a cluster role
+1. Set up the Kubernetes API server
+1. Set up the kubeconfig
+1. Verify cluster access
+
+## 1. Set up the OIDC provider
+
+Kubelogin supports the authentication flows such as Device Authorization Grant or Authorization Code Flow.
+For the details of flows supported in Kubelogin, see the [usage](usage.md).
+For the details of your provider, ask the administrator of your provider.
+
+## 2. Authenticate with the OpenID Connect Provider
+
+Run the following command to show the instruction to set up the configuration:
+
+```sh
+kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=YOUR_CLIENT_ID
+```
+
+Set the following flags:
+
+- Set the issuer URL of your OpenID Connect provider to `--oidc-issuer-url`.
+- Set the client ID for your OpenID Connect provider to `--oidc-client-id`.
+- If your provider requires a client secret, set `--oidc-client-secret`.
+
+If your provider supports the Device Authorization Grant, set `--grant-type=device-code`.
+It launches the browser and navigates to the authentication page of your provider.
+
+If your provider supports the Authorization Code Flow, set `--grant-type=authcode`.
+It starts a local server for the authentication.
+It launches the browser and navigates to the authentication page of your provider.
+
+You can see the full options:
+
+```sh
+kubectl oidc-login setup --help
+```
+
+## 3. Bind a cluster role
+
+You can run the following command to bind `cluster-admin` role to you:
+
+```sh
+kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
+```
+
+## 4. Set up the Kubernetes API server
+
+Add the following flags to kube-apiserver:
+
+```
+--oidc-issuer-url=ISSUER_URL
+--oidc-client-id=YOUR_CLIENT_ID
+```
+
+See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
+
+## 5. Set up the kubeconfig
+
+Add `oidc` user to the kubeconfig.
+
+```sh
+kubectl config set-credentials oidc \
+  --exec-interactive-mode=Never \
+  --exec-api-version=client.authentication.k8s.io/v1 \
+  --exec-command=kubectl \
+  --exec-arg=oidc-login \
+  --exec-arg=get-token \
+  --exec-arg=--oidc-issuer-url=ISSUER_URL \
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID
+```
+
+If your provider requires a client secret, add `--oidc-client-secret=YOUR_CLIENT_SECRET`.
+
+For security, it is recommended to add `--token-cache-storage=keyring` to store the token cache to the keyring instead of the file system.
+If you encounter an error, see the [token cache](usage.md#token-cache) for details.
+
+## 6. Verify cluster access
+
+Make sure you can access the Kubernetes cluster.
+
+```sh
+kubectl --user=oidc cluster-info
+```
+
+You can switch the current context to oidc.
+
+```sh
+kubectl config set-context --current --user=oidc
+```
+
+You can share the kubeconfig to your team members for on-boarding.
--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -0,0 +1,106 @@
+# Standalone mode
+
+Kubelogin supports the standalone mode as well.
+It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.
+
+## Getting started
+
+Configure your kubeconfig like:
+
+```yaml
+- name: keycloak
+  user:
+    auth-provider:
+      config:
+        client-id: YOUR_CLIENT_ID
+        client-secret: YOUR_CLIENT_SECRET
+        idp-issuer-url: https://issuer.example.com
+      name: oidc
+```
+
+Run kubelogin:
+
+```sh
+kubelogin
+
+# or run as a kubectl plugin
+kubectl oidc-login
+```
+
+It automatically opens the browser and you can log in to the provider.
+
+<img src="keycloak-login.png" alt="keycloak-login" width="455" height="329">
+
+After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
+
+```console
+% kubelogin
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-18 10:28:51 +0900 JST
+Updated ~/.kubeconfig
+```
+
+Now you can access the cluster.
+
+```console
+% kubectl get pods
+NAME                          READY   STATUS    RESTARTS   AGE
+echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
+```
+
+Your kubeconfig looks like:
+
+```yaml
+users:
+  - name: keycloak
+    user:
+      auth-provider:
+        config:
+          client-id: YOUR_CLIENT_ID
+          client-secret: YOUR_CLIENT_SECRET
+          idp-issuer-url: https://issuer.example.com
+          id-token: ey... # kubelogin will add or update the ID token here
+          refresh-token: ey... # kubelogin will add or update the refresh token here
+        name: oidc
+```
+
+If the ID token is valid, kubelogin does nothing.
+
+```console
+% kubelogin
+You already have a valid token until 2019-05-18 10:28:51 +0900 JST
+```
+
+If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
+If the refresh token has expired, kubelogin will proceed the authentication.
+
+## Usage
+
+You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
+It defaults to `~/.kube/config`.
+
+```sh
+# by the option
+kubelogin --kubeconfig /path/to/kubeconfig
+
+# by the environment variable
+KUBECONFIG="/path/to/kubeconfig1:/path/to/kubeconfig2" kubelogin
+```
+
+If you set multiple files, kubelogin will find the file which has the current authentication (i.e. `user` and `auth-provider`) and write a token to it.
+
+Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
+See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
+
+| Key                              | Direction        | Value                                                |
+| -------------------------------- | ---------------- | ---------------------------------------------------- |
+| `idp-issuer-url`                 | Read (Mandatory) | Issuer URL of the provider.                          |
+| `client-id`                      | Read (Mandatory) | Client ID of the provider.                           |
+| `client-secret`                  | Read (Mandatory) | Client Secret of the provider.                       |
+| `idp-certificate-authority`      | Read             | CA certificate path of the provider.                 |
+| `idp-certificate-authority-data` | Read             | Base64 encoded CA certificate of the provider.       |
+| `extra-scopes`                   | Read             | Scopes to request to the provider (comma separated). |
+| `id-token`                       | Write            | ID token got from the provider.                      |
+| `refresh-token`                  | Write            | Refresh token got from the provider.                 |
+
+See also [usage.md](usage.md).
--- a/docs/system-test-diagram.svg
+++ b/docs/system-test-diagram.svg
--- a/docs/team_ops.md
+++ b/docs/team_ops.md
@@ -1,42 +0,0 @@
-# Team on-boarding
-
-## kops
-
-Export the kubeconfig.
-
-```sh
-KUBECONFIG=.kubeconfig kops export kubecfg hello.k8s.local
-```
-
-Remove the `admin` access from the kubeconfig.
-It should look as like:
-
-```yaml
-apiVersion: v1
-kind: Config
-clusters:
-  - cluster:
-      certificate-authority-data: LS...
-      server: https://api.hello.k8s.example.com
-      name: hello.k8s.local
-contexts:
- context:
-    cluster: hello.k8s.local
-    user: hello.k8s.local
-  name: hello.k8s.local
-current-context: hello.k8s.local
-preferences: {}
-users:
- name: hello.k8s.local
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-You can share the kubeconfig to your team members for on-boarding.
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -0,0 +1,340 @@
+# Usage
+
+Kubelogin supports the following options:
+
+```
+Usage:
+  kubelogin get-token [flags]
+
+Flags:
+      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
+      --oidc-client-id string                           Client ID of the provider (mandatory)
+      --oidc-client-secret string                       Client secret of the provider
+      --oidc-redirect-url string                        [authcode, authcode-keyboard] Redirect URL
+      --oidc-extra-scope strings                        Scopes to request to the provider
+      --oidc-use-access-token                           Instead of using the id_token, use the access_token to authenticate to Kubernetes
+      --oidc-request-header stringToString              HTTP headers to send with an authentication request (default [])
+      --force-refresh                                   If set, refresh the ID token regardless of its expiration time
+      --token-cache-dir string                          Path to a directory of the token cache (default "~/.kube/cache/oidc-login")
+      --token-cache-storage string                      Storage for the token cache. One of (disk|keyring|none) (default "disk")
+      --certificate-authority stringArray               Path to a cert file for the certificate authority
+      --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
+      --insecure-skip-tls-verify                        [SECURITY RISK] If set, the server's certificate will not be checked for validity
+      --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
+      --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
+      --oidc-pkce-method string                         PKCE code challenge method. Automatically determined by default. One of (auto|no|S256) (default "auto")
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code|client-credentials) (default "auto")
+      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --skip-open-browser                               [authcode] Do not open the browser automatically
+      --browser-command string                          [authcode] Command to open the browser
+      --authentication-timeout-sec int                  [authcode] Timeout of authentication in seconds (default 180)
+      --local-server-cert string                        [authcode] Certificate path for the local server
+      --local-server-key string                         [authcode] Certificate key path for the local server
+      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
+      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard, client-credentials] Extra query parameters to send with an authentication request (default [])
+      --username string                                 [password] Username for resource owner password credentials grant
+      --password string                                 [password] Password for resource owner password credentials grant
+  -h, --help                                            help for get-token
+
+Global Flags:
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+## Options
+
+### Authentication timeout
+
+By default, you need to log in to your provider in the browser within 3 minutes.
+This prevents a process from remaining forever.
+You can change the timeout by the following flag:
+
+```yaml
+- --authentication-timeout-sec=60
+```
+
+For now this timeout works only for the authorization code flow.
+
+### Extra scopes
+
+You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
+
+```yaml
+- --oidc-extra-scope=email
+- --oidc-extra-scope=profile
+```
+
+### PKCE
+
+Kubelogin automatically uses the PKCE if the provider supports it.
+It determines the code challenge method by the `code_challenge_methods_supported` claim of the OpenID Connect Discovery document.
+
+If your provider does not return a valid `code_challenge_methods_supported` claim,
+you can enforce the code challenge method by `--oidc-pkce-method`.
+
+```yaml
+- --oidc-pkce-method=S256
+```
+
+For the most providers, you don't need to set this option explicitly.
+
+### HTTP headers
+
+If your provider requires extra HTTP headers, you can set them by `--oidc-request-header`.
+
+For Azure AD Single Page Application with PKCE, you can set `Origin` header as follows:
+
+```yaml
+- --oidc-request-header=Origin=localhost
+```
+
+### CA certificate
+
+You can use your self-signed certificate for the provider.
+
+```yaml
+- --certificate-authority=/home/user/.kube/keycloak-ca.pem
+- --certificate-authority-data=LS0t...
+```
+
+### HTTP proxy
+
+You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
+See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
+
+### Token cache
+
+Kubelogin stores the token cache to the file system by default.
+
+You can store the token cache to the OS keyring for enhanced security.
+It depends on [zalando/go-keyring](https://github.com/zalando/go-keyring).
+
+```yaml
+- --token-cache-storage=keyring
+```
+
+You can delete the token cache by the clean command.
+
+```console
+% kubectl oidc-login clean
+Deleted the token cache at /home/user/.kube/cache/oidc-login
+Deleted the token cache from the keyring
+```
+
+For systems with immutable storage and no keyring, a cache type of none is available.
+
+### Home directory expansion
+
+If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
+
+- `--certificate-authority`
+- `--local-server-cert`
+- `--local-server-key`
+- `--token-cache-dir`
+
+## Authentication flows
+
+Kubelogin support the following flows:
+
+- [Device Authorization Grant](#device-authorization-grant)
+- [Authorization Code Flow](#authorization-code-flow)
+- [Authorization Code Flow with a Keyboard](#authorization-code-flow-with-a-keyboard)
+- [Resource Owner Password Credentials Grant](#resource-owner-password-credentials-grant)
+- [Client Credentials Flow](#client-credentials-flow)
+
+### Device Authorization Grant
+
+It performs the [Device Authorization Grant (RFC 8628)](https://tools.ietf.org/html/rfc8628) when `--grant-type=device-code` is set.
+
+```yaml
+- --grant-type=device-code
+```
+
+It automatically opens the browser.
+If the provider returns the `verification_uri_complete` parameter, you don't need to enter the code.
+Otherwise, you need to enter the code shown.
+
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
+
+```yaml
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
+```
+
+### Authorization Code Flow
+
+It performs the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) when `--grant-type=authcode` is set or the flag is not given.
+
+It starts the local server at port 8000 or 18000 by default.
+You need to register the following redirect URIs to the provider:
+
+- `http://localhost:8000`
+- `http://localhost:18000` (used if port 8000 is already in use)
+
+You can change the listening address.
+
+```yaml
+- --listen-address=127.0.0.1:12345
+- --listen-address=127.0.0.1:23456
+```
+
+The redirect URL defaults to `http://localhost` with the listening port.
+You can override the redirect URL.
+
+```yaml
+- --oidc-redirect-url=http://127.0.0.1:8000/
+- --oidc-redirect-url=http://your-local-hostname:8000/
+```
+
+You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
+
+```yaml
+- --local-server-cert=localhost.crt
+- --local-server-key=localhost.key
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+- --oidc-auth-request-extra-params=ttl=86400
+```
+
+When authentication completed, kubelogin shows a message to close the browser.
+You can change the URL to show after authentication.
+
+```yaml
+- --open-url-after-authentication=https://example.com/success.html
+```
+
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
+
+```yaml
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
+```
+
+### Authorization Code Flow with a keyboard
+
+If you cannot access the browser, instead use the authorization code flow with a keyboard.
+
+```yaml
+- --grant-type=authcode-keyboard
+```
+
+You need to explicitly set the redirect URL.
+
+```yaml
+- --oidc-redirect-url=urn:ietf:wg:oauth:2.0:oob
+- --oidc-redirect-url=http://localhost
+```
+
+Kubelogin will show the URL and prompt.
+Open the URL in the browser and then copy the code shown.
+
+```
+% kubectl get pods
+Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
+Enter code: YOUR_CODE
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+- --oidc-auth-request-extra-params=ttl=86400
+```
+
+### Resource Owner Password Credentials Grant
+
+It performs the [Resource Owner Password Credentials Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
+when `--grant-type=password` or `--username` is set.
+
+Note that most OIDC providers do not support this grant.
+Keycloak supports this grant but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+
+You can set the username and password.
+
+```yaml
+- --username=USERNAME
+- --password=PASSWORD
+```
+
+If the password is not set, kubelogin will show the prompt for the password.
+
+```yaml
+- --username=USERNAME
+```
+
+```
+% kubectl get pods
+Password:
+```
+
+If the username is not set, kubelogin will show the prompt for the username and password.
+
+```yaml
+- --grant-type=password
+```
+
+```
+% kubectl get pods
+Username: foo
+Password:
+```
+
+### Client Credentials Flow
+
+It performs the [OAuth 2.0 Client Credentials Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4) when `--grant-type=client-credentials` is set.
+
+```yaml
+- --grant-type=client-credentials
+```
+
+Per specification, this flow only returns authorization tokens.
+
+## Run in Docker
+
+You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
+The kubeconfig looks like:
+
+```yaml
+users:
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: docker
+        args:
+          - run
+          - --rm
+          - -v
+          - /tmp/.token-cache:/.token-cache
+          - -p
+          - 8000:8000
+          - ghcr.io/int128/kubelogin
+          - get-token
+          - --token-cache-dir=/.token-cache
+          - --listen-address=0.0.0.0:8000
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
+          - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Known limitations:
+
+- It cannot open the browser automatically.
+- The container port and listen port must be equal for consistency of the redirect URI.
--- a/e2e_test/credetial_plugin_test.go
+++ b/e2e_test/credetial_plugin_test.go
@@ -1,74 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/di"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/e2e_test/logger"
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"github.com/int128/kubelogin/usecases"
-)
-
-// Run the integration tests of the credential plugin use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the output.
-//
-func TestCmd_Run_CredentialPlugin(t *testing.T) {
-	timeout := 1 * time.Second
-
-	t.Run("Defaults", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
-		credentialPluginInteraction.EXPECT().
-			Write(gomock.Any()).
-			Do(func(out credentialplugin.Output) {
-				if out.Token != idToken {
-					t.Errorf("Token wants %s but %s", idToken, out.Token)
-				}
-				if out.Expiry != tokenExpiryFuture {
-					t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
-				}
-			})
-
-		req := startBrowserRequest(t, ctx, nil)
-		runGetTokenCmd(t, ctx, req, credentialPluginInteraction,
-			"--skip-open-browser",
-			"--listen-port", "0",
-			"--token-cache", "/dev/null",
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		)
-		req.wait()
-	})
-}
-
-func runGetTokenCmd(t *testing.T, ctx context.Context, s usecases.LoginShowLocalServerURL, interaction adaptors.CredentialPluginInteraction, args ...string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(logger.New(t), s, interaction)
-	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "get-token", "--v=1"}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
--- a/e2e_test/idp/handler.go
+++ b/e2e_test/idp/handler.go
@@ -1,142 +0,0 @@
-// Package idp provides a test double of the identity provider of OpenID Connect.
-package idp
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"testing"
-
-	"golang.org/x/xerrors"
-)
-
-func NewHandler(t *testing.T, service Service) *Handler {
-	return &Handler{t, service}
-}
-
-// Handler provides a HTTP handler for the identity provider of OpenID Connect.
-// You need to implement the Service interface.
-// Note that this skips some security checks and is only for testing.
-type Handler struct {
-	t       *testing.T
-	service Service
-}
-
-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	wr := &responseWriterRecorder{w, 200}
-	err := h.serveHTTP(wr, r)
-	if err == nil {
-		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
-		return
-	}
-	if errResp := new(ErrorResponse); xerrors.As(err, &errResp) {
-		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
-		w.Header().Add("Content-Type", "application/json")
-		w.WriteHeader(400)
-		e := json.NewEncoder(w)
-		if err := e.Encode(errResp); err != nil {
-			h.t.Errorf("idp/handler: could not write the response: %s", err)
-		}
-		return
-	}
-	h.t.Logf("500 %s %s: %s", r.Method, r.RequestURI, err)
-	http.Error(w, err.Error(), 500)
-}
-
-type responseWriterRecorder struct {
-	http.ResponseWriter
-	statusCode int
-}
-
-func (w *responseWriterRecorder) WriteHeader(statusCode int) {
-	w.ResponseWriter.WriteHeader(statusCode)
-	w.statusCode = statusCode
-}
-
-func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
-	m := r.Method
-	p := r.URL.Path
-	switch {
-	case m == "GET" && p == "/.well-known/openid-configuration":
-		discoveryResponse := h.service.Discovery()
-		w.Header().Add("Content-Type", "application/json")
-		e := json.NewEncoder(w)
-		if err := e.Encode(discoveryResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
-		}
-	case m == "GET" && p == "/certs":
-		certificatesResponse := h.service.GetCertificates()
-		w.Header().Add("Content-Type", "application/json")
-		e := json.NewEncoder(w)
-		if err := e.Encode(certificatesResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
-		}
-	case m == "GET" && p == "/auth":
-		// 3.1.2.1. Authentication Request
-		// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
-		q := r.URL.Query()
-		redirectURI, scope, state, nonce := q.Get("redirect_uri"), q.Get("scope"), q.Get("state"), q.Get("nonce")
-		code, err := h.service.AuthenticateCode(scope, nonce)
-		if err != nil {
-			return xerrors.Errorf("authentication error: %w", err)
-		}
-		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
-		http.Redirect(w, r, to, 302)
-	case m == "POST" && p == "/token":
-		if err := r.ParseForm(); err != nil {
-			return xerrors.Errorf("could not parse the form: %w", err)
-		}
-		grantType := r.Form.Get("grant_type")
-		switch grantType {
-		case "authorization_code":
-			// 3.1.3.1. Token Request
-			// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
-			code := r.Form.Get("code")
-			tokenResponse, err := h.service.Exchange(code)
-			if err != nil {
-				return xerrors.Errorf("token request error: %w", err)
-			}
-			w.Header().Add("Content-Type", "application/json")
-			e := json.NewEncoder(w)
-			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
-			}
-		case "password":
-			// 4.3. Resource Owner Password Credentials Grant
-			// https://tools.ietf.org/html/rfc6749#section-4.3
-			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
-			tokenResponse, err := h.service.AuthenticatePassword(username, password, scope)
-			if err != nil {
-				return xerrors.Errorf("authentication error: %w", err)
-			}
-			w.Header().Add("Content-Type", "application/json")
-			e := json.NewEncoder(w)
-			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
-			}
-		case "refresh_token":
-			// 12.1. Refresh Request
-			// https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
-			refreshToken := r.Form.Get("refresh_token")
-			tokenResponse, err := h.service.Refresh(refreshToken)
-			if err != nil {
-				return xerrors.Errorf("token refresh error: %w", err)
-			}
-			w.Header().Add("Content-Type", "application/json")
-			e := json.NewEncoder(w)
-			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
-			}
-		default:
-			// 5.2. Error Response
-			// https://tools.ietf.org/html/rfc6749#section-5.2
-			return &ErrorResponse{
-				Code:        "invalid_grant",
-				Description: fmt.Sprintf("unknown grant_type %s", grantType),
-			}
-		}
-	default:
-		http.NotFound(w, r)
-	}
-	return nil
-}
--- a/e2e_test/idp/mock_idp/mock_service.go
+++ b/e2e_test/idp/mock_idp/mock_service.go
@@ -1,110 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/e2e_test/idp (interfaces: Service)
-
-// Package mock_idp is a generated GoMock package.
-package mock_idp
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	idp "github.com/int128/kubelogin/e2e_test/idp"
-	reflect "reflect"
-)
-
-// MockService is a mock of Service interface
-type MockService struct {
-	ctrl     *gomock.Controller
-	recorder *MockServiceMockRecorder
-}
-
-// MockServiceMockRecorder is the mock recorder for MockService
-type MockServiceMockRecorder struct {
-	mock *MockService
-}
-
-// NewMockService creates a new mock instance
-func NewMockService(ctrl *gomock.Controller) *MockService {
-	mock := &MockService{ctrl: ctrl}
-	mock.recorder = &MockServiceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockService) EXPECT() *MockServiceMockRecorder {
-	return m.recorder
-}
-
-// AuthenticateCode mocks base method
-func (m *MockService) AuthenticateCode(arg0, arg1 string) (string, error) {
-	ret := m.ctrl.Call(m, "AuthenticateCode", arg0, arg1)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateCode indicates an expected call of AuthenticateCode
-func (mr *MockServiceMockRecorder) AuthenticateCode(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateCode", reflect.TypeOf((*MockService)(nil).AuthenticateCode), arg0, arg1)
-}
-
-// AuthenticatePassword mocks base method
-func (m *MockService) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenResponse, error) {
-	ret := m.ctrl.Call(m, "AuthenticatePassword", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticatePassword indicates an expected call of AuthenticatePassword
-func (mr *MockServiceMockRecorder) AuthenticatePassword(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticatePassword", reflect.TypeOf((*MockService)(nil).AuthenticatePassword), arg0, arg1, arg2)
-}
-
-// Discovery mocks base method
-func (m *MockService) Discovery() *idp.DiscoveryResponse {
-	ret := m.ctrl.Call(m, "Discovery")
-	ret0, _ := ret[0].(*idp.DiscoveryResponse)
-	return ret0
-}
-
-// Discovery indicates an expected call of Discovery
-func (mr *MockServiceMockRecorder) Discovery() *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Discovery", reflect.TypeOf((*MockService)(nil).Discovery))
-}
-
-// Exchange mocks base method
-func (m *MockService) Exchange(arg0 string) (*idp.TokenResponse, error) {
-	ret := m.ctrl.Call(m, "Exchange", arg0)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Exchange indicates an expected call of Exchange
-func (mr *MockServiceMockRecorder) Exchange(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exchange", reflect.TypeOf((*MockService)(nil).Exchange), arg0)
-}
-
-// GetCertificates mocks base method
-func (m *MockService) GetCertificates() *idp.CertificatesResponse {
-	ret := m.ctrl.Call(m, "GetCertificates")
-	ret0, _ := ret[0].(*idp.CertificatesResponse)
-	return ret0
-}
-
-// GetCertificates indicates an expected call of GetCertificates
-func (mr *MockServiceMockRecorder) GetCertificates() *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificates", reflect.TypeOf((*MockService)(nil).GetCertificates))
-}
-
-// Refresh mocks base method
-func (m *MockService) Refresh(arg0 string) (*idp.TokenResponse, error) {
-	ret := m.ctrl.Call(m, "Refresh", arg0)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh
-func (mr *MockServiceMockRecorder) Refresh(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockService)(nil).Refresh), arg0)
-}
--- a/e2e_test/idp/service.go
+++ b/e2e_test/idp/service.go
@@ -1,120 +0,0 @@
-package idp
-
-//go:generate mockgen -destination mock_idp/mock_service.go github.com/int128/kubelogin/e2e_test/idp Service
-
-import (
-	"crypto/rsa"
-	"encoding/base64"
-	"fmt"
-	"math/big"
-)
-
-// Service provides discovery and authentication methods.
-// If an implemented method returns an ErrorResponse,
-// the handler will respond 400 and corresponding json of the ErrorResponse.
-// Otherwise, the handler will respond 500 and fail the current test.
-type Service interface {
-	Discovery() *DiscoveryResponse
-	GetCertificates() *CertificatesResponse
-	AuthenticateCode(scope, nonce string) (code string, err error)
-	Exchange(code string) (*TokenResponse, error)
-	AuthenticatePassword(username, password, scope string) (*TokenResponse, error)
-	Refresh(refreshToken string) (*TokenResponse, error)
-}
-
-type DiscoveryResponse struct {
-	Issuer                            string   `json:"issuer"`
-	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
-	TokenEndpoint                     string   `json:"token_endpoint"`
-	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
-	RevocationEndpoint                string   `json:"revocation_endpoint"`
-	JwksURI                           string   `json:"jwks_uri"`
-	ResponseTypesSupported            []string `json:"response_types_supported"`
-	SubjectTypesSupported             []string `json:"subject_types_supported"`
-	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
-	ScopesSupported                   []string `json:"scopes_supported"`
-	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
-	ClaimsSupported                   []string `json:"claims_supported"`
-	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
-}
-
-// NewDiscoveryResponse returns a DiscoveryResponse for the local server.
-// This is based on https://accounts.google.com/.well-known/openid-configuration.
-func NewDiscoveryResponse(issuer string) *DiscoveryResponse {
-	return &DiscoveryResponse{
-		Issuer:                            issuer,
-		AuthorizationEndpoint:             issuer + "/auth",
-		TokenEndpoint:                     issuer + "/token",
-		JwksURI:                           issuer + "/certs",
-		UserinfoEndpoint:                  issuer + "/userinfo",
-		RevocationEndpoint:                issuer + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     []string{"plain", "S256"},
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
-type CertificatesResponse struct {
-	Keys []*CertificatesResponseKey `json:"keys"`
-}
-
-type CertificatesResponseKey struct {
-	Kty string `json:"kty"`
-	Alg string `json:"alg"`
-	Use string `json:"use"`
-	Kid string `json:"kid"`
-	N   string `json:"n"`
-	E   string `json:"e"`
-}
-
-// NewCertificatesResponse returns a CertificatesResponse using the key pair.
-// This is used for verifying a signature of ID token.
-func NewCertificatesResponse(idTokenKeyPair *rsa.PrivateKey) *CertificatesResponse {
-	return &CertificatesResponse{
-		Keys: []*CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
-}
-
-type TokenResponse struct {
-	AccessToken  string `json:"access_token"`
-	TokenType    string `json:"token_type"`
-	RefreshToken string `json:"refresh_token"`
-	ExpiresIn    int    `json:"expires_in"`
-	IDToken      string `json:"id_token"`
-}
-
-// NewTokenResponse returns a TokenResponse.
-func NewTokenResponse(idToken, refreshToken string) *TokenResponse {
-	return &TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		IDToken:      idToken,
-		RefreshToken: refreshToken,
-	}
-}
-
-// ErrorResponse represents an error response described in the following section:
-// 5.2 Error Response
-// https://tools.ietf.org/html/rfc6749#section-5.2
-type ErrorResponse struct {
-	Code        string `json:"error"`
-	Description string `json:"error_description"`
-}
-
-func (err *ErrorResponse) Error() string {
-	return fmt.Sprintf("%s(%s)", err.Code, err.Description)
-}
--- a/e2e_test/keys/keys.go
+++ b/e2e_test/keys/keys.go
@@ -1,71 +0,0 @@
-package keys
-
-import (
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"io/ioutil"
-
-	"golang.org/x/xerrors"
-)
-
-// TLSCACert is path to the CA certificate.
-// This should be generated by Makefile before test.
-const TLSCACert = "keys/testdata/ca.crt"
-
-// TLSCACertAsBase64 is a base64 encoded string of TLSCACert.
-var TLSCACertAsBase64 string
-
-// TLSCACertAsConfig is a TLS config including TLSCACert.
-var TLSCACertAsConfig = &tls.Config{RootCAs: x509.NewCertPool()}
-
-// TLSServerCert is path to the server certificate.
-// This should be generated by Makefile before test.
-const TLSServerCert = "keys/testdata/server.crt"
-
-// TLSServerKey is path to the server key.
-// This should be generated by Makefile before test.
-const TLSServerKey = "keys/testdata/server.key"
-
-// JWSKey is path to the key for signing ID tokens.
-const JWSKey = "keys/testdata/jws.key"
-
-// JWSKeyPair is the key pair loaded from JWSKey.
-var JWSKeyPair *rsa.PrivateKey
-
-func init() {
-	var err error
-	JWSKeyPair, err = readPrivateKey(JWSKey)
-	if err != nil {
-		panic(err)
-	}
-	b, err := ioutil.ReadFile(TLSCACert)
-	if err != nil {
-		panic(err)
-	}
-	TLSCACertAsBase64 = base64.StdEncoding.EncodeToString(b)
-	if !TLSCACertAsConfig.RootCAs.AppendCertsFromPEM(b) {
-		panic("could not append the CA cert")
-	}
-}
-
-func readPrivateKey(name string) (*rsa.PrivateKey, error) {
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		return nil, xerrors.Errorf("could not read JWSKey: %w", err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		return nil, xerrors.New("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		return nil, xerrors.New("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		return nil, xerrors.Errorf("could not parse the key: %w", err)
-	}
-	return k, nil
-}
--- a/e2e_test/keys/testdata/.gitignore
+++ b/e2e_test/keys/testdata/.gitignore
@@ -1,4 +0,0 @@
-/CA
-*.key
-*.csr
-*.crt
--- a/e2e_test/keys/testdata/Makefile
+++ b/e2e_test/keys/testdata/Makefile
@@ -1,53 +0,0 @@
-.PHONY: clean
-
-all: server.crt ca.crt jws.key
-
-clean:
-	rm -v ca.* server.*
-
-ca.key:
-	openssl genrsa -out $@ 1024
-
-ca.csr: openssl.cnf ca.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key ca.key \
-		-subj "/CN=Hello CA" \
-		-out $@
-	openssl req -noout -text -in $@
-
-ca.crt: ca.csr ca.key
-	openssl x509 -req \
-		-signkey ca.key \
-		-in ca.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-server.key:
-	openssl genrsa -out $@ 1024
-
-server.csr: openssl.cnf server.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key server.key \
-		-subj "/CN=localhost" \
-		-out $@
-	openssl req -noout -text -in $@
-
-server.crt: openssl.cnf server.csr ca.key ca.crt
-	rm -fr ./CA
-	mkdir -p ./CA
-	touch CA/index.txt
-	touch CA/index.txt.attr
-	echo 00 > CA/serial
-	openssl ca -config openssl.cnf \
-		-extensions v3_req \
-		-batch \
-		-cert ca.crt \
-		-keyfile ca.key \
-		-in server.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-jws.key:
-	openssl genrsa -out $@ 1024
--- a/e2e_test/keys/testdata/openssl.cnf
+++ b/e2e_test/keys/testdata/openssl.cnf
@@ -1,37 +0,0 @@
-[ ca ]
-default_ca      = CA_default
-
-[ CA_default ]
-dir             = ./CA
-certs           = $dir
-crl_dir         = $dir
-database        = $dir/index.txt
-new_certs_dir   = $dir
-default_md      = sha256
-policy          = policy_match
-serial          = $dir/serial
-default_days    = 365
-
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-distinguished_name	= req_distinguished_name
-req_extensions = v3_req
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-commonName			= Common Name (e.g. server FQDN or YOUR name)
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = DNS:localhost
-
-[ v3_ca ]
-basicConstraints = CA:true
--- a/e2e_test/localserver/authserver.go
+++ b/e2e_test/localserver/authserver.go
@@ -1,76 +0,0 @@
-// Package localserver provides a http server running on localhost.
-// This is only for testing.
-//
-package localserver
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"testing"
-)
-
-type Shutdowner interface {
-	Shutdown(t *testing.T, ctx context.Context)
-}
-
-type shutdowner struct {
-	l net.Listener
-	s *http.Server
-}
-
-func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
-	// s.Shutdown() closes the lister as well,
-	// so we do not need to call l.Close() explicitly
-	if err := s.s.Shutdown(ctx); err != nil {
-		t.Errorf("Could not shutdown the server: %s", err)
-	}
-}
-
-// Start starts an authentication server.
-func Start(t *testing.T, h http.Handler) (string, Shutdowner) {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "http://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.Serve(l)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	return url, &shutdowner{l, s}
-}
-
-// Start starts an authentication server with TLS.
-func StartTLS(t *testing.T, cert string, key string, h http.Handler) (string, Shutdowner) {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "https://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.ServeTLS(l, cert, key)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	return url, &shutdowner{l, s}
-}
-
-func newLocalhostListener(t *testing.T) (net.Listener, string) {
-	t.Helper()
-	l, err := net.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatalf("Could not create a listener: %s", err)
-	}
-	addr := l.Addr().String()
-	_, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		t.Fatalf("Could not parse the address %s: %s", addr, err)
-	}
-	return l, port
-}
--- a/e2e_test/logger/logger.go
+++ b/e2e_test/logger/logger.go
@@ -1,27 +0,0 @@
-package logger
-
-import (
-	"github.com/int128/kubelogin/adaptors/logger"
-)
-
-func New(t testingLogger) *logger.Logger {
-	b := &bridge{t}
-	return logger.NewWith(b, b)
-}
-
-type testingLogger interface {
-	Logf(format string, v ...interface{})
-}
-
-type bridge struct {
-	t testingLogger
-}
-
-func (b *bridge) Printf(format string, v ...interface{}) {
-	b.t.Logf(format, v...)
-}
-
-func (b *bridge) Output(calldepth int, s string) error {
-	b.t.Logf("%s", s)
-	return nil
-}
--- a/e2e_test/login_test.go
+++ b/e2e_test/login_test.go
@@ -1,408 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-	"os"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/di"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/e2e_test/kubeconfig"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/e2e_test/logger"
-	"github.com/int128/kubelogin/usecases"
-)
-
-var (
-	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
-	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
-)
-
-// Run the integration tests of the Login use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the kubeconfig.
-//
-func TestCmd_Run_Login(t *testing.T) {
-	timeout := 1 * time.Second
-
-	t.Run("Defaults", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{Issuer: serverURL})
-		defer os.Remove(kubeConfigFilename)
-
-		req := startBrowserRequest(t, ctx, nil)
-		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-		service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-		service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-		service.EXPECT().AuthenticatePassword("USER", "PASS", "openid").
-			Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{Issuer: serverURL})
-		defer os.Remove(kubeConfigFilename)
-
-		runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--username", "USER", "--password", "PASS")
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("env:KUBECONFIG", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{Issuer: serverURL})
-		defer os.Remove(kubeConfigFilename)
-		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
-		defer unsetenv(t, "KUBECONFIG")
-
-		req := startBrowserRequest(t, ctx, nil)
-		runCmd(t, ctx, req, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "profile groups openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:      serverURL,
-			ExtraScopes: "profile,groups",
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		req := startBrowserRequest(t, ctx, nil)
-		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("CACert", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.StartTLS(t, keys.TLSServerCert, keys.TLSServerKey, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDPCertificateAuthority: keys.TLSCACert,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		req := startBrowserRequest(t, ctx, keys.TLSCACertAsConfig)
-		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("CACertData", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.StartTLS(t, keys.TLSServerCert, keys.TLSServerKey, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                      serverURL,
-			IDPCertificateAuthorityData: keys.TLSCACertAsBase64,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		req := startBrowserRequest(t, ctx, keys.TLSCACertAsConfig)
-		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasValidToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-		service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:       serverURL,
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasValidRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-		service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
-			Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:       serverURL,
-			IDToken:      newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-			RefreshToken: "VALID_REFRESH_TOKEN",
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "NEW_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
-			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
-			MaxTimes(2) // package oauth2 will retry refreshing the token
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:       serverURL,
-			IDToken:      newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-			RefreshToken: "EXPIRED_REFRESH_TOKEN",
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		req := startBrowserRequest(t, ctx, nil)
-		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-}
-
-func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
-	t.Helper()
-	var claims struct {
-		jwt.StandardClaims
-		Nonce  string   `json:"nonce"`
-		Groups []string `json:"groups"`
-	}
-	claims.StandardClaims = jwt.StandardClaims{
-		Issuer:    issuer,
-		Audience:  "kubernetes",
-		Subject:   "SUBJECT",
-		IssuedAt:  time.Now().Unix(),
-		ExpiresAt: expiry.Unix(),
-	}
-	claims.Nonce = nonce
-	claims.Groups = []string{"admin", "users"}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(keys.JWSKeyPair)
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
-	var nonce string
-	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
-		DoAndReturn(func(_, gotNonce string) (string, error) {
-			nonce = gotNonce
-			return "YOUR_AUTH_CODE", nil
-		})
-	service.EXPECT().Exchange("YOUR_AUTH_CODE").
-		DoAndReturn(func(string) (*idp.TokenResponse, error) {
-			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
-			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
-		})
-}
-
-func runCmd(t *testing.T, ctx context.Context, s usecases.LoginShowLocalServerURL, args ...string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(logger.New(t), s, nil)
-	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "--v=1"}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
-
-type nopBrowserRequest struct {
-	t *testing.T
-}
-
-func (r *nopBrowserRequest) ShowLocalServerURL(url string) {
-	r.t.Errorf("ShowLocalServerURL must not be called")
-}
-
-type browserRequest struct {
-	t     *testing.T
-	urlCh chan<- string
-	wg    *sync.WaitGroup
-}
-
-func (r *browserRequest) ShowLocalServerURL(url string) {
-	defer close(r.urlCh)
-	r.t.Logf("Open %s for authentication", url)
-	r.urlCh <- url
-}
-
-func (r *browserRequest) wait() {
-	r.wg.Wait()
-}
-
-func startBrowserRequest(t *testing.T, ctx context.Context, tlsConfig *tls.Config) *browserRequest {
-	t.Helper()
-	urlCh := make(chan string)
-	var wg sync.WaitGroup
-	go func() {
-		defer wg.Done()
-		select {
-		case url := <-urlCh:
-			client := http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
-			req, err := http.NewRequest("GET", url, nil)
-			if err != nil {
-				t.Errorf("could not create a request: %s", err)
-				return
-			}
-			req = req.WithContext(ctx)
-			resp, err := client.Do(req)
-			if err != nil {
-				t.Errorf("could not send a request: %s", err)
-				return
-			}
-			defer resp.Body.Close()
-			if resp.StatusCode != 200 {
-				t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
-			}
-		case err := <-ctx.Done():
-			t.Errorf("context done while waiting for URL prompt: %s", err)
-		}
-	}()
-	wg.Add(1)
-	return &browserRequest{t, urlCh, &wg}
-}
-
-func setenv(t *testing.T, key, value string) {
-	t.Helper()
-	if err := os.Setenv(key, value); err != nil {
-		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
-	}
-}
-
-func unsetenv(t *testing.T, key string) {
-	t.Helper()
-	if err := os.Unsetenv(key); err != nil {
-		t.Fatalf("Could not unset the env var %s: %s", key, err)
-	}
-}
--- a/go.mod
+++ b/go.mod
@@ -1,22 +1,274 @@
 module github.com/int128/kubelogin

-go 1.12
+go 1.24.5

 require (
-	github.com/coreos/go-oidc v2.0.0+incompatible
-	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
-	github.com/go-test/deep v1.0.2
-	github.com/golang/mock v1.3.1
-	github.com/google/wire v0.3.0
-	github.com/int128/oauth2cli v1.4.1
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v0.0.5
-	github.com/spf13/pflag v1.0.3
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
-	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.2.2
-	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
-	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
+	github.com/chromedp/chromedp v0.13.7
+	github.com/coreos/go-oidc/v3 v3.14.1
+	github.com/gofrs/flock v0.12.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/google/go-cmp v0.7.0
+	github.com/google/wire v0.6.0
+	github.com/int128/oauth2cli v1.17.0
+	github.com/int128/oauth2dev v1.1.0
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
+	github.com/stretchr/testify v1.10.0
+	github.com/zalando/go-keyring v0.2.6
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/term v0.33.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.33.2
+	k8s.io/client-go v0.33.2
+	k8s.io/klog/v2 v2.130.1
+)
+
+require (
+	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
+	4d63.com/gochecknoglobals v0.2.2 // indirect
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
+	codeberg.org/chavacava/garif v0.2.0 // indirect
+	github.com/4meepo/tagalign v1.4.2 // indirect
+	github.com/Abirdcfly/dupword v0.1.6 // indirect
+	github.com/AlwxSin/noinlineerr v1.0.4 // indirect
+	github.com/Antonboom/errname v1.1.0 // indirect
+	github.com/Antonboom/nilnil v1.1.0 // indirect
+	github.com/Antonboom/testifylint v1.6.1 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
+	github.com/alecthomas/chroma/v2 v2.19.0 // indirect
+	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
+	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
+	github.com/alingse/nilnesserr v0.2.0 // indirect
+	github.com/ashanbrown/forbidigo/v2 v2.1.0 // indirect
+	github.com/ashanbrown/makezero/v2 v2.0.1 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bkielbasa/cyclop v1.2.3 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bombsimon/wsl/v4 v4.7.0 // indirect
+	github.com/bombsimon/wsl/v5 v5.0.0 // indirect
+	github.com/breml/bidichk v0.3.3 // indirect
+	github.com/breml/errchkjson v0.4.1 // indirect
+	github.com/brunoga/deep v1.2.4 // indirect
+	github.com/butuzov/ireturn v0.4.0 // indirect
+	github.com/butuzov/mirror v1.3.0 // indirect
+	github.com/catenacyber/perfsprint v0.9.1 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charithe/durationcheck v0.0.10 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/chromedp/cdproto v0.0.0-20250403032234-65de8f5d025b // indirect
+	github.com/chromedp/sysutil v1.1.0 // indirect
+	github.com/ckaznocha/intrange v0.3.1 // indirect
+	github.com/curioswitch/go-reassign v0.3.0 // indirect
+	github.com/daixiang0/gci v0.13.6 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/dave/dst v0.27.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/denis-tingaikin/go-header v0.5.0 // indirect
+	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
+	github.com/firefart/nonamedreturns v1.0.6 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/ghostiam/protogetter v0.3.15 // indirect
+	github.com/go-critic/go-critic v0.13.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.2.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gobwas/httphead v0.1.0 // indirect
+	github.com/gobwas/pool v0.2.1 // indirect
+	github.com/gobwas/ws v1.4.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
+	github.com/golangci/go-printf-func-name v0.1.0 // indirect
+	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
+	github.com/golangci/golangci-lint/v2 v2.2.2 // indirect
+	github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 // indirect
+	github.com/golangci/misspell v0.7.0 // indirect
+	github.com/golangci/plugin-module-register v0.1.2 // indirect
+	github.com/golangci/revgrep v0.8.0 // indirect
+	github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
+	github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
+	github.com/google/subcommands v1.2.0 // indirect
+	github.com/gordonklaus/ineffassign v0.1.0 // indirect
+	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+	github.com/gostaticanalysis/comment v1.5.0 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
+	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/int128/listener v1.2.0 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.6.7 // indirect
+	github.com/jgautheron/goconst v1.8.2 // indirect
+	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+	github.com/jjti/go-spancheck v0.6.5 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/julz/importas v0.2.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
+	github.com/kisielk/errcheck v1.9.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
+	github.com/knadh/koanf/maps v0.1.2 // indirect
+	github.com/knadh/koanf/parsers/yaml v0.1.0 // indirect
+	github.com/knadh/koanf/providers/env v1.0.0 // indirect
+	github.com/knadh/koanf/providers/file v1.1.2 // indirect
+	github.com/knadh/koanf/providers/posflag v0.1.0 // indirect
+	github.com/knadh/koanf/providers/structs v0.1.0 // indirect
+	github.com/knadh/koanf/v2 v2.2.1 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.14 // indirect
+	github.com/lasiar/canonicalheader v1.1.2 // indirect
+	github.com/ldez/exptostd v0.4.4 // indirect
+	github.com/ldez/gomoddirectives v0.7.0 // indirect
+	github.com/ldez/grignotin v0.9.0 // indirect
+	github.com/ldez/tagliatelle v0.7.1 // indirect
+	github.com/ldez/usetesting v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.2 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/macabu/inamedparam v0.2.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/manuelarte/embeddedstructfieldcheck v0.3.0 // indirect
+	github.com/manuelarte/funcorder v0.5.0 // indirect
+	github.com/maratori/testableexamples v1.0.0 // indirect
+	github.com/maratori/testpackage v1.1.1 // indirect
+	github.com/matoous/godox v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mgechev/revive v1.10.0 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/moricho/tparallel v0.3.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nakabonne/nestif v0.3.1 // indirect
+	github.com/nishanths/exhaustive v0.12.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/polyfloyd/go-errorlint v1.8.0 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.4 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
+	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+	github.com/raeperd/recvcheck v0.2.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/ryancurrah/gomodguard v1.4.1 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
+	github.com/securego/gosec/v2 v2.22.5 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sonatard/noctx v0.3.4 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
+	github.com/spf13/afero v1.14.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/viper v1.20.0 // indirect
+	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tdakkota/asciicheck v0.4.1 // indirect
+	github.com/tetafro/godot v1.5.1 // indirect
+	github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
+	github.com/timonwong/loggercheck v0.11.0 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.11.0 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+	github.com/ultraware/funlen v0.2.0 // indirect
+	github.com/ultraware/whitespace v0.2.0 // indirect
+	github.com/uudashr/gocognit v1.2.0 // indirect
+	github.com/uudashr/iface v1.4.0 // indirect
+	github.com/vektra/mockery/v3 v3.5.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xen0n/gosmopolitan v1.3.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.3.0 // indirect
+	github.com/ykadowak/zerologlint v0.1.5 // indirect
+	gitlab.com/bosi/decorder v0.4.2 // indirect
+	go-simpler.org/musttag v0.13.1 // indirect
+	go-simpler.org/sloglint v0.11.0 // indirect
+	go.augendre.info/arangolint v0.2.0 // indirect
+	go.augendre.info/fatcontext v0.8.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
+	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.34.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	honnef.co/go/tools v0.6.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	mvdan.cc/gofumpt v0.8.0 // indirect
+	mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
+
+tool (
+	github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+	github.com/google/wire/cmd/wire
+	github.com/vektra/mockery/v3
 )
--- a/go.sum
+++ b/go.sum
--- a/integration_test/clean_test.go
+++ b/integration_test/clean_test.go
@@ -0,0 +1,27 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+func TestClean(t *testing.T) {
+	tokenCacheDir := t.TempDir()
+
+	cmd := di.NewCmdForHeadless(clock.Fake(time.Now()), os.Stdin, os.Stdout, logger.New(t), httpdriver.Zero(t))
+	exitCode := cmd.Run(context.TODO(), []string{
+		"kubelogin",
+		"clean",
+		"--token-cache-dir", tokenCacheDir,
+	}, "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
--- a/integration_test/credetial_plugin_test.go
+++ b/integration_test/credetial_plugin_test.go
@@ -0,0 +1,474 @@
+package integration_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
+)
+
+// Run the integration tests of the credential plugin use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the output.
+func TestCredentialPlugin(t *testing.T) {
+	timeout := 10 * time.Second
+	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
+	tokenCacheDir := t.TempDir()
+
+	for name, tc := range map[string]struct {
+		keyPair keypair.KeyPair
+		args    []string
+	}{
+		"NoTLS": {},
+		"TLS": {
+			keyPair: keypair.Server,
+			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
+		},
+	} {
+		httpDriverConfig := httpdriver.Config{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
+		t.Run(name, func(t *testing.T) {
+			t.Run("AuthCode", func(t *testing.T) {
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:               "openid",
+						RedirectURIPrefix:   "http://localhost:",
+						CodeChallengeMethod: "S256",
+					},
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
+					},
+				})
+				var stdout bytes.Buffer
+				runGetToken(t, ctx, getTokenConfig{
+					tokenCacheDir: tokenCacheDir,
+					issuerURL:     svc.IssuerURL(),
+					httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
+					now:           now,
+					stdout:        &stdout,
+					args:          tc.args,
+				})
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+			})
+
+			t.Run("ROPC", func(t *testing.T) {
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+						Username:          "USER1",
+						Password:          "PASS1",
+					},
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
+					},
+				})
+				var stdout bytes.Buffer
+				runGetToken(t, ctx, getTokenConfig{
+					tokenCacheDir: tokenCacheDir,
+					issuerURL:     svc.IssuerURL(),
+					httpDriver:    httpdriver.Zero(t),
+					now:           now,
+					stdout:        &stdout,
+					args: append([]string{
+						"--username", "USER1",
+						"--password", "PASS1",
+					}, tc.args...),
+				})
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+			})
+
+			t.Run("TokenCacheLifecycle", func(t *testing.T) {
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{})
+
+				t.Run("NoCache", func(t *testing.T) {
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:               "openid",
+							RedirectURIPrefix:   "http://localhost:",
+							CodeChallengeMethod: "S256",
+						},
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_1",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
+						now:           now,
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+				})
+				t.Run("Valid", func(t *testing.T) {
+					svc.SetConfig(testconfig.Config{})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.Zero(t),
+						now:           now,
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+				})
+				t.Run("Refresh", func(t *testing.T) {
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_1",
+						},
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(3 * time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_2",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
+						now:           now.Add(2 * time.Hour),
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(3*time.Hour))
+				})
+				t.Run("RefreshAgain", func(t *testing.T) {
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_2",
+						},
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(5 * time.Hour),
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
+						now:           now.Add(4 * time.Hour),
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(5*time.Hour))
+				})
+			})
+		})
+	}
+
+	t.Run("PKCE", func(t *testing.T) {
+		t.Run("Not supported by provider", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+		})
+
+		t.Run("Enforce", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "S256",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+				args:          []string{"--oidc-use-pkce"},
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+		})
+	})
+
+	t.Run("TLSData", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "email profile openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args: []string{
+				"--oidc-extra-scope", "email",
+				"--oidc-extra-scope", "profile",
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "URL=https://example.com/success"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("RedirectURLHostname", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://127.0.0.1:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("RedirectURLHTTPS", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "https://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{
+				TLSConfig:    keypair.Server.TLSConfig,
+				BodyContains: "Authenticated",
+			}),
+			now:    now,
+			stdout: &stdout,
+			args: []string{
+				"--local-server-cert", keypair.Server.CertPath,
+				"--local-server-key", keypair.Server.KeyPath,
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("ExtraParams", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+				ExtraParams: map[string]string{
+					"ttl":    "86400",
+					"reauth": "false",
+				},
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args: []string{
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=false",
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+}
+
+type getTokenConfig struct {
+	tokenCacheDir string
+	issuerURL     string
+	httpDriver    browser.Interface
+	stdout        io.Writer
+	now           time.Time
+	args          []string
+}
+
+func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
+	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, cfg.stdout, logger.New(t), cfg.httpDriver)
+	t.Setenv(
+		"KUBERNETES_EXEC_INFO",
+		`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
+	)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"get-token",
+		"--token-cache-dir", cfg.tokenCacheDir,
+		"--oidc-issuer-url", cfg.issuerURL,
+		"--oidc-client-id", "kubernetes",
+		"--listen-address", "127.0.0.1:0",
+	}, cfg.args...), "latest")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+func assertCredentialPluginStdout(t *testing.T, stdout io.Reader, token string, expiry time.Time) {
+	var got clientauthenticationv1.ExecCredential
+	if err := json.NewDecoder(stdout).Decode(&got); err != nil {
+		t.Errorf("could not decode json of the credential plugin: %s", err)
+		return
+	}
+	want := clientauthenticationv1.ExecCredential{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "client.authentication.k8s.io/v1",
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1.ExecCredentialStatus{
+			Token:               token,
+			ExpirationTimestamp: &metav1.Time{Time: expiry},
+		},
+	}
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("stdout mismatch (-want +got):\n%s", diff)
+	}
+}
--- a/integration_test/httpdriver/http_driver.go
+++ b/integration_test/httpdriver/http_driver.go
@@ -0,0 +1,82 @@
+// Package httpdriver provides a test double of the browser.
+package httpdriver
+
+import (
+	"context"
+	"crypto/tls"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+type Config struct {
+	TLSConfig    *tls.Config
+	BodyContains string
+}
+
+// New returns a client to simulate browser access.
+func New(ctx context.Context, t *testing.T, config Config) *client {
+	return &client{ctx, t, config}
+}
+
+// Zero returns a client which call is not expected.
+func Zero(t *testing.T) *zeroClient {
+	return &zeroClient{t}
+}
+
+type client struct {
+	ctx    context.Context
+	t      *testing.T
+	config Config
+}
+
+func (c *client) Open(url string) error {
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.config.TLSConfig}}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		c.t.Errorf("could not create a request: %s", err)
+		return nil
+	}
+	req = req.WithContext(c.ctx)
+	resp, err := client.Do(req)
+	if err != nil {
+		c.t.Errorf("could not send a request: %s", err)
+		return nil
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			c.t.Errorf("could not close response body: %s", err)
+		}
+	}()
+	if resp.StatusCode != 200 {
+		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+	}
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		c.t.Errorf("could not read body: %s", err)
+		return nil
+	}
+	body := string(b)
+	if !strings.Contains(body, c.config.BodyContains) {
+		c.t.Errorf("body should contain %s but was %s", c.config.BodyContains, body)
+	}
+	return nil
+}
+
+func (c *client) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
+
+type zeroClient struct {
+	t *testing.T
+}
+
+func (c *zeroClient) Open(url string) error {
+	c.t.Errorf("unexpected function call Open(%s)", url)
+	return nil
+}
+
+func (c *zeroClient) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
--- a/integration_test/keypair/keypair.go
+++ b/integration_test/keypair/keypair.go
@@ -0,0 +1,65 @@
+package keypair
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io"
+	"os"
+	"strings"
+)
+
+// KeyPair represents a pair of certificate and key.
+type KeyPair struct {
+	CertPath     string
+	KeyPath      string
+	CACertPath   string
+	CACertBase64 string
+	TLSConfig    *tls.Config
+}
+
+// None represents non-TLS.
+var None KeyPair
+
+// Server is a KeyPair for TLS server.
+// These files should be generated by Makefile before test.
+var Server = KeyPair{
+	CertPath:     "keypair/testdata/server.crt",
+	KeyPath:      "keypair/testdata/server.key",
+	CACertPath:   "keypair/testdata/ca.crt",
+	CACertBase64: readAsBase64("keypair/testdata/ca.crt"),
+	TLSConfig:    newTLSConfig("keypair/testdata/ca.crt"),
+}
+
+func readAsBase64(name string) string {
+	f, err := os.Open(name)
+	if err != nil {
+		panic(err)
+	}
+	defer func() {
+		if err := f.Close(); err != nil {
+			panic(err)
+		}
+	}()
+	var s strings.Builder
+	e := base64.NewEncoder(base64.StdEncoding, &s)
+	if _, err := io.Copy(e, f); err != nil {
+		panic(err)
+	}
+	if err := e.Close(); err != nil {
+		panic(err)
+	}
+	return s.String()
+}
+
+func newTLSConfig(name string) *tls.Config {
+	b, err := os.ReadFile(name)
+	if err != nil {
+		panic(err)
+	}
+	p := x509.NewCertPool()
+	if !p.AppendCertsFromPEM(b) {
+		panic("could not append the CA cert")
+	}
+	return &tls.Config{RootCAs: p}
+}
--- a/integration_test/keypair/testdata/Makefile
+++ b/integration_test/keypair/testdata/Makefile
@@ -0,0 +1,26 @@
+EXPIRY := 3650
+OUTPUT_DIR := testdata
+TARGETS := ca.key
+TARGETS += ca.crt
+TARGETS += server.key
+TARGETS += server.crt
+
+.PHONY: all
+all: $(TARGETS)
+
+ca.key:
+	openssl genrsa -out $@ 2048
+ca.csr: ca.key
+	openssl req -new -key ca.key -out $@ -subj "/CN=hello-ca" -config openssl.cnf
+ca.crt: ca.key ca.csr
+	openssl x509 -req -in ca.csr -signkey ca.key -out $@ -days $(EXPIRY)
+server.key:
+	openssl genrsa -out $@ 2048
+server.csr: openssl.cnf server.key
+	openssl req -new -key server.key -out $@ -subj "/CN=localhost" -config openssl.cnf
+server.crt: openssl.cnf server.csr ca.crt ca.key
+	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $@ -sha256 -days $(EXPIRY) -extensions v3_req -extfile openssl.cnf
+
+.PHONY: clean
+clean:
+	-rm -v $(TARGETS)
--- a/integration_test/keypair/testdata/ca.crt
+++ b/integration_test/keypair/testdata/ca.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICojCCAYoCCQCNsdXicWqF2DANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAho
+ZWxsby1jYTAeFw0yMDAyMDYwMTMzMzNaFw0zMDAyMDMwMTMzMzNaMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxcPN
+dS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs+3WZQpsSj5nC4yEx8uPQ
+bTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZAiT0pJw8hdypTQyMLbeDr
+Vl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY4KENHFE3OAcD58FMvvrh
+vgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIsvFE6zSyAxU55RElph7mE
+ru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9zavFkGx2MEwDp/3FmUukR
+yJnS2KnAo0QdBeS1LQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAXGfoDwuKY4TyF
+fhKg553Y5I6VDCDc97jyW9yyfc0kvPjQc4EGQV+1eQqMSeh2THpgEEKk9hH/g35a
+grPRcBTsEWpbQd16yWyulQeyOtPeWZB2FvAigMaAdMmeXlTs6++gJ6PjPuACa2Jl
+nJ/AjCqKFxkn0yEVkPTY0c/I9A12xhCmATqIrQiK1pPowiFxQb4M8Cm0z0AkaJZr
+iW0NCOJlLzBqRpFquL4umNaIsxTmOshfM70NpQGRjKREBuK6S0qWsRR0wz4b9Rvi
+62qW4zU94q2EDIoCItjHP4twGENXJDC0vLCsKfA5AvbPzszd5/4ifYe2C00Rn7/O
+lIxrspMm
+-----END CERTIFICATE-----
--- a/integration_test/keypair/testdata/ca.csr
+++ b/integration_test/keypair/testdata/ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrDCCAZQCAQAwEzERMA8GA1UEAwwIaGVsbG8tY2EwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDFw811LzwHp7CpWf+b3I7vg4sjA2uoxyLyXuiU/1eV
+wmHFRmz7dZlCmxKPmcLjITHy49BtO0EqdddUN77yTs6wtOu6736KxNpiTij9Nlu7
+D83fVkCJPSknDyF3KlNDIwtt4OtWXhtut9tjLDHfQPKsfFSSDM5azjn1TBzXBa7R
+bszbUZjgoQ0cUTc4BwPnwUy++uG+CSyUBPDBbgzZS1dQUnxceHbqD8njnQNTaDA3
+GlxJ0iy8UTrNLIDFTnlESWmHuYSu71w1YBiEJFm+VlDZWUfsLolDdIfID1FmYFs+
+leG2X3Nq8WQbHYwTAOn/cWZS6RHImdLYqcCjRB0F5LUtAgMBAAGgVDBSBgkqhkiG
+9w0BCQ4xRTBDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBQGA1UdEQQNMAuCCWxv
+Y2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEA
+o/Uthp3NWx0ydTn/GBZI+vA3gI7Qd9UwLvwkeinldRlPM9DOXpG6LR0C40f6u+fj
+mXvUDerveYJI8rpo+Ds0UVqy63AH/zZLG7M96L5Nv2KnK40bkfVNez858Yqp1u17
+/ci1ZsQIElU5v2qKozaHdQThDVtD5ZZdZoQwLvBLE/Dwpe/4VZZFh8smPMR+Mhcq
+b7gpSy1RiUffk0ZMjuF9Nc9OODdQMTCf+86i0qWXGVzkhfHKAGv+xarHEztcmxF
+GUgUYW8DMvYBjEzaGRM1n0aIFkQO6y8SUXvGMIGBSMC4jfBH3ghIXg1+nD6Uah4D
+16r+CLjFsDUdn/DK/fIQVw==
+-----END CERTIFICATE REQUEST-----
--- a/integration_test/keypair/testdata/ca.key
+++ b/integration_test/keypair/testdata/ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxcPNdS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs
+3WZQpsSj5nC4yEx8uPQbTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZA
+iT0pJw8hdypTQyMLbeDrVl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY
+4KENHFE3OAcD58FMvvrhvgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIs
+vFE6zSyAxU55RElph7mEru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9z
+avFkGx2MEwDp/3FmUukRyJnS2KnAo0QdBeS1LQIDAQABAoIBAHSoWtMsaMnPNlu/
+thM32K0auIGP6/rkdQ3pxGLX+M9jmY7oSzNOHHj4xssklZyroS45CmLU2Ez2tG1+
+cMm4iR4dqwxbaBbtpjDlEDLF1PiUiwmadHlANb1PpJsJwZHR41UOn2QUITR/ig+H
+K2gZhM0QjkaU/Uj9a5zyJ/UC6iupmgCtj8ij65B49qKMODxV4gqZstRSZiJ3gb6R
+TBeR3PUWQS62MZueEQz2eF0eXkXKsFWcbLfHArjfIJ533zW68A0vabgqOhCwJTks
+rkyaKUjEwJJQcgpCfUI4t9HAwICqYtw0fQdDDaMak2XTDFnGHn1/VfSi818U5Sa
+jZ+/uIECgYEA4uCd5ISsLWebSv2r5f97N8+WcW0MSJ0XP5MniiMvlaNOtJmoN3H0
+PlgR3uwpH9TNWHITZEEb/I93r2E3f24v2018g0uJuwiRDusxHs7yuxw/93Y5rwtG
+3twL1k0GyeLCxfM2y2QQU/awXISx7nNk2f0umvTWmjrEw632oQSWCSECgYEA3yaF
+zDk7k1u1GdZAh+pQAyUtjzHSvQjiE2JzLaH8BTorACrczRascX5yyMi0QfLYnoYt
+UL9dCb4Z8HUclj55kBSx8anvVtf3XAT3hZ3sm8LV3JLGDeURGS8rGdV+tyFk7zw9
+XgvaLj3xjB5CoJvtOhbXvqF9M9yp4TMBb5El7o0CgYBTx5Bm15thNPZCrgQxbbOJ
+u42ZmyRDGEeCgYvDVhT3VBP3WxqkRt9juk/3GwxgpcuikpWYmvaDwFL5H5RH6V+g
+wy9sqJNWzuYKNU2xS8iU0ezJLA5HFon4OBfi7hTIroUwZgzg9LWW2+zqbVHrdQ9T
+9Eumiy1ITNVmUTJW6YOiIQKBgBE4BsEAdZFkVTAeMTKLqQrlFoPjI1DE27UFNsAB
+rNG2cFT9+bW1ly7WxAKsQgSIuaBZ2CtP6Nz0l0nPr5oEThsJDcYJB9faqFKoa3Ua
+/4PxX9E6Xh/6WfxogFno+HMnF4PCUTXtkjNZQkc+moOMJJ0D4DfsfB3BXDZtWiIC
+wDuNAoGBAN5ZFTXwE1VpWxIWq5dV9+0aVOP/eB+h7Pt+u2xyRip31FGcpGEzGniu
+VmOzWApW7NmvD0QWtstJWlCpsw+rOptAL0oVunlB70KuYuA+2Q5g/Cw3kUrvXqbe
+mkCoV21eFAmpU+I6z/n7pUDXPuUsmTkzmwedv0HUuNSQJmHZOMPD
+-----END RSA PRIVATE KEY-----
--- a/integration_test/keypair/testdata/ca.srl
+++ b/integration_test/keypair/testdata/ca.srl
@@ -0,0 +1 @@
+9E12C7A1AF348811
--- a/integration_test/keypair/testdata/openssl.cnf
+++ b/integration_test/keypair/testdata/openssl.cnf
@@ -0,0 +1,14 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = localhost
--- a/integration_test/keypair/testdata/server.crt
+++ b/integration_test/keypair/testdata/server.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIJAJ4Sx6GvNIgRMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMB4XDTIwMDIwNjAxMzMzM1oXDTMwMDIwMzAxMzMzM1owFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLtJr+/AxI8k5Er
+MFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0XK41ZSbDAchbW
+349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92+TzrrlbkZ5+W
+YVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzXfVUpxJ/DYLXZ
+yHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Nggn6XJNh/g1QK
+o4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABo0UwQzAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DAUBgNVHREEDTALgglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBACqlq8b7trNRtKUm1PbY7dnrAFCOnV4OT2R98s17
+Q6tmCXM1DvQ101W0ih/lh6iPyU4JM2A0kvO+gizuL/Dmvb6oh+3ox0mMLposptso
+gCE1K3SXlvlcLdM6hXRJ5+XwlSCHM6o2Y4yABnKjT6Zr+CMh86a5abDx33hkJ4QR
+6I+/iBHVLiCVv0wUF3jD/T+HxinEQrB4cQsSgKmfPClrc8n7rkWWE+MdwEL4VZCH
+ufabw178aYibVvJ8k3rushjLlftkDyCNno2rz8YWrnaxabVR0EqSPInyYQenmv2r
+/CedVKpmdH2RV8ubkwqa0s6cmpRkyu6FS2g3LviJhmm0nwQ=
+-----END CERTIFICATE-----
--- a/integration_test/keypair/testdata/server.csr
+++ b/integration_test/keypair/testdata/server.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrTCCAZUCAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F
+7yVyphLtJr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4
+TKyVaU0XK41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTk
+C3gSVF92+TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDg
+kGuwwhzXfVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV
+2ovP0Nggn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABoFQwUgYJKoZI
+hvcNAQkOMUUwQzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAUBgNVHREEDTALggls
+b2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEB
+ACUQ0j3XuUZY3fso5tEgOGVjVsTU+C4pIsEw3e1KyIB93i56ANKaq1uBLtnlWtYi
+R4RxZ3Sf08GzoEHAHpWoQ4BQ3WGDQjxSdezbudWMuNnNyvyhkh36tmmp/PLA4iZD
+Q/d1odzGWg1HMqY0/Q3hfz40MQ9IEBBm+5zKw3tLsKNIKdSdlY7Ul3Z9PUsqsOVW
+uF0LKsTMEh1CpbYnOBS2EQjComVM5kYfdQwDNh+BMok8rH7mHFYRmrwYUrU9njsM
+eoKqhLkoSu6hw1Cgd9Yru5lC541KfxsSN4Cj6rkm+Qv/5zjvIPxYZ+akSQQR9hR3
+2O9THHKqaQS0xmD+y8NjfYk=
+-----END CERTIFICATE REQUEST-----
--- a/integration_test/keypair/testdata/server.key
+++ b/integration_test/keypair/testdata/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLt
+Jr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0X
+K41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92
+TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzX
+fVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Ng
+gn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABAoIBAEYvWFb4C0wurOj2
+ABrvhP2Ekaesh4kxMp+zgTlqxzsTJnWarS/gjKcPBm9KJon3La3P3tnd7y3pBXcV
+2F0IBl4DTHRpBTUS6HBVnENc8LnJgK2dHZkOLPyYtRLrA0Et+A73PQ2hNmchC+5V
+b9K9oQH0Pvim1gCHocnrSIi480hQPazO9/gnHvFtu9Tdsx9kM9jgChhh5VaR+nzM
+uw6MpUSzCri3/W6K5Hz8F1lLQcZ6o3vyyFtLPjFrWT4J1UiHqAoxuCGeWTvMbGQl
+9Cg0SMX4FLBpbIoMonhM3hb9Cw3FVRGU/1i4oF+gEIGlX/v9CPT5HAZmD59rawc8
+11x7yTECgYEA8EYVGKauLHeI1nJdCoVrWI73W1wtwt6prJbzltpoAR4tb3Qu6gBX
+JQNd+Ifhl28lK6lPnCGk/SsmfiKSp/XE4IyS1GBd2LpxWj5R50GePCg4hAzk9Xyx
+M9SJAFQw73pODgu4RWFXTCOMo9crahJ6X/O+MckHqbFqqohJ8nChGDkCgYEA6oro
+Ql/ymO7UdYCay7OlzKeg8ud6XgkZ+wkpSG/5TQ0QZWVN3aSOLztEdVfh3PAqWob0
+KgVhLmq6CYwq+HSzU92bvFqCgYUMU8tYzeRboGLxyEdAGL+EW0j8wQyZKYR5cNz4
+yM0hpM6kbJ0zZqkYVM/XfRT2RTGwTMakF/FOHZcCgYEAmf4guTriuIcoAWEstniK
+Myj16ezrO1Df6Eia+B0kuUqxDhSlmL39HDDLQmU8NYU7in8qEcQSbVwBgKgB3HoM
+42nVFR5qJ2RfD9qPPar1klKo3iExgRCYtcJKyBYtgt6dNi1WvcjEXX0PP1bBcWtE
+WUjrphbUvXKDDabp1eNPrCkCgYBOw/F2APTeyS4Oe+8AQ8eFcDIMARLGK7ZO6Oe1
+TO1jI+UCuD+rFI0vbW7zHV1brkf6+OFcj0vwo6TweeMgZ0il/IFFgvva9UyLg3nC
+Q1NGDJR4Fv1+kiqn4V4IkuuI1tVVws/F16XZzA/J7g0KB/WE3fvXJMgDuskjL36C
+D+aU5wKBgQCvEg+mJYny1QiR/mQuowX34xf4CkMl7Xq9YDH7W/3AlwuPrPNHaZjh
+SvSCz9I8vV0E4ur6atazgCblnvA/G3d4r8YYx+e1l30WJHMgoZRxxHMH74tmUPAj
+Klic16BJikSQclMeFdlJqf2UHd37eEuYnxorpep8YGP7/eN1ghHWAw==
+-----END RSA PRIVATE KEY-----
--- a/integration_test/kubeconfig/kubeconfig.go
+++ b/integration_test/kubeconfig/kubeconfig.go
@@ -2,11 +2,11 @@ package kubeconfig

 import (
 	"html/template"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"

-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )

 // Values represents values in .kubeconfig template.
@@ -22,11 +22,16 @@ type Values struct {
 // Create creates a kubeconfig file and returns path to it.
 func Create(t *testing.T, v *Values) string {
 	t.Helper()
-	f, err := ioutil.TempFile("", "kubeconfig")
+	name := filepath.Join(t.TempDir(), "kubeconfig")
+	f, err := os.Create(name)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			t.Fatal(err)
+		}
+	}()
 	tpl, err := template.ParseFiles("kubeconfig/testdata/kubeconfig.yaml")
 	if err != nil {
 		t.Fatal(err)
@@ -34,7 +39,7 @@ func Create(t *testing.T, v *Values) string {
 	if err := tpl.Execute(f, v); err != nil {
 		t.Fatal(err)
 	}
-	return f.Name()
+	return name
 }

 type AuthProviderConfig struct {
@@ -50,7 +55,11 @@ func Verify(t *testing.T, kubeconfig string, want AuthProviderConfig) {
 		t.Errorf("could not open kubeconfig: %s", err)
 		return
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			t.Errorf("could not close kubeconfig: %s", err)
+		}
+	}()

 	var y struct {
 		Users []struct {
--- a/integration_test/kubeconfig/testdata/dummy.yaml
+++ b/integration_test/kubeconfig/testdata/dummy.yaml
--- a/integration_test/kubeconfig/testdata/kubeconfig.yaml
+++ b/integration_test/kubeconfig/testdata/kubeconfig.yaml
--- a/integration_test/oidcserver/handler/handler.go
+++ b/integration_test/oidcserver/handler/handler.go
@@ -0,0 +1,156 @@
+// Package handler provides HTTP handlers for the OpenID Connect Provider.
+package handler
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+)
+
+func Register(t *testing.T, mux *http.ServeMux, provider service.Provider) {
+	h := &Handlers{t, provider}
+	mux.HandleFunc("GET /.well-known/openid-configuration", h.Discovery)
+	mux.HandleFunc("GET /certs", h.GetCertificates)
+	mux.HandleFunc("GET /auth", h.AuthenticateCode)
+	mux.HandleFunc("POST /token", h.Exchange)
+}
+
+// Handlers provides HTTP handlers for the OpenID Connect Provider.
+// You need to implement the Provider interface.
+// Note that this skips some security checks and is only for testing.
+type Handlers struct {
+	t        *testing.T
+	provider service.Provider
+}
+
+func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func() error) {
+	err := f()
+	if err == nil {
+		return
+	}
+	if errResp := new(service.ErrorResponse); errors.As(err, &errResp) {
+		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
+		w.Header().Add("Content-Type", "application/json")
+		w.WriteHeader(400)
+		e := json.NewEncoder(w)
+		if err := e.Encode(errResp); err != nil {
+			h.t.Errorf("idp/handler: could not write the response: %s", err)
+		}
+		return
+	}
+	h.t.Logf("500 %s %s: %s", r.Method, r.RequestURI, err)
+	http.Error(w, err.Error(), 500)
+}
+
+func (h *Handlers) Discovery(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
+		discoveryResponse := h.provider.Discovery()
+		w.Header().Add("Content-Type", "application/json")
+		e := json.NewEncoder(w)
+		if err := e.Encode(discoveryResponse); err != nil {
+			return fmt.Errorf("could not render json: %w", err)
+		}
+		return nil
+	})
+}
+
+func (h *Handlers) GetCertificates(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
+		certificatesResponse := h.provider.GetCertificates()
+		w.Header().Add("Content-Type", "application/json")
+		e := json.NewEncoder(w)
+		if err := e.Encode(certificatesResponse); err != nil {
+			return fmt.Errorf("could not render json: %w", err)
+		}
+		return nil
+	})
+}
+
+func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
+		q := r.URL.Query()
+		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
+		code, err := h.provider.AuthenticateCode(service.AuthenticationRequest{
+			RedirectURI:         redirectURI,
+			State:               state,
+			Scope:               q.Get("scope"),
+			Nonce:               q.Get("nonce"),
+			CodeChallenge:       q.Get("code_challenge"),
+			CodeChallengeMethod: q.Get("code_challenge_method"),
+			RawQuery:            q,
+		})
+		if err != nil {
+			return fmt.Errorf("authentication error: %w", err)
+		}
+		redirectTo, err := url.Parse(redirectURI)
+		if err != nil {
+			return fmt.Errorf("invalid redirect_uri: %w", err)
+		}
+		redirectTo.RawQuery = url.Values{"state": {state}, "code": {code}}.Encode()
+		http.Redirect(w, r, redirectTo.String(), http.StatusFound)
+		return nil
+	})
+}
+
+func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
+		if err := r.ParseForm(); err != nil {
+			return fmt.Errorf("could not parse the form: %w", err)
+		}
+		grantType := r.Form.Get("grant_type")
+		switch grantType {
+		case "authorization_code":
+			tokenResponse, err := h.provider.Exchange(service.TokenRequest{
+				Code:         r.Form.Get("code"),
+				CodeVerifier: r.Form.Get("code_verifier"),
+			})
+			if err != nil {
+				return fmt.Errorf("token request error: %w", err)
+			}
+			w.Header().Add("Content-Type", "application/json")
+			e := json.NewEncoder(w)
+			if err := e.Encode(tokenResponse); err != nil {
+				return fmt.Errorf("could not render json: %w", err)
+			}
+		case "password":
+			// 4.3. Resource Owner Password Credentials Grant
+			// https://tools.ietf.org/html/rfc6749#section-4.3
+			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
+			tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
+			if err != nil {
+				return fmt.Errorf("authentication error: %w", err)
+			}
+			w.Header().Add("Content-Type", "application/json")
+			e := json.NewEncoder(w)
+			if err := e.Encode(tokenResponse); err != nil {
+				return fmt.Errorf("could not render json: %w", err)
+			}
+		case "refresh_token":
+			// 12.1. Refresh Request
+			// https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
+			refreshToken := r.Form.Get("refresh_token")
+			tokenResponse, err := h.provider.Refresh(refreshToken)
+			if err != nil {
+				return fmt.Errorf("token refresh error: %w", err)
+			}
+			w.Header().Add("Content-Type", "application/json")
+			e := json.NewEncoder(w)
+			if err := e.Encode(tokenResponse); err != nil {
+				return fmt.Errorf("could not render json: %w", err)
+			}
+		default:
+			// 5.2. Error Response
+			// https://tools.ietf.org/html/rfc6749#section-5.2
+			return &service.ErrorResponse{
+				Code:        "invalid_grant",
+				Description: fmt.Sprintf("unknown grant_type %s", grantType),
+			}
+		}
+		return nil
+	})
+}
--- a/integration_test/oidcserver/oidcserver.go
+++ b/integration_test/oidcserver/oidcserver.go
@@ -0,0 +1,54 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+)
+
+// New starts a server for the OpenID Connect provider.
+func New(t *testing.T, kp keypair.KeyPair, config testconfig.Config) service.Service {
+	mux := http.NewServeMux()
+	serverURL := startServer(t, mux, kp)
+
+	svc := service.New(t, serverURL, config)
+	handler.Register(t, mux, svc)
+	return svc
+}
+
+func startServer(t *testing.T, h http.Handler, kp keypair.KeyPair) string {
+	if kp == keypair.None {
+		srv := httptest.NewServer(h)
+		t.Cleanup(srv.Close)
+		return srv.URL
+	}
+
+	// Unfortunately, httptest package did not work with keypair.KeyPair.
+	// We use httptest package only for allocating a new port.
+	portAllocator := httptest.NewUnstartedServer(h)
+	t.Cleanup(portAllocator.Close)
+	serverURL := fmt.Sprintf("https://localhost:%d", portAllocator.Listener.Addr().(*net.TCPAddr).Port)
+	srv := &http.Server{Handler: h}
+	go func() {
+		err := srv.ServeTLS(portAllocator.Listener, kp.CertPath, kp.KeyPath)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			t.Error(err)
+		}
+	}()
+	t.Cleanup(func() {
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return serverURL
+}
--- a/integration_test/oidcserver/service/service.go
+++ b/integration_test/oidcserver/service/service.go
@@ -0,0 +1,184 @@
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+func New(t *testing.T, issuerURL string, config testconfig.Config) Service {
+	return &service{
+		config:    config,
+		t:         t,
+		issuerURL: issuerURL,
+	}
+}
+
+type service struct {
+	config                    testconfig.Config
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *AuthenticationRequest
+	lastTokenResponse         *TokenResponse
+}
+
+func (svc *service) IssuerURL() string {
+	return svc.issuerURL
+}
+
+func (svc *service) SetConfig(cfg testconfig.Config) {
+	svc.config = cfg
+}
+
+func (svc *service) LastTokenResponse() *TokenResponse {
+	return svc.lastTokenResponse
+}
+
+func (svc *service) Discovery() *DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &DiscoveryResponse{
+		Issuer:                            svc.issuerURL,
+		AuthorizationEndpoint:             svc.issuerURL + "/auth",
+		TokenEndpoint:                     svc.issuerURL + "/token",
+		JwksURI:                           svc.issuerURL + "/certs",
+		UserinfoEndpoint:                  svc.issuerURL + "/userinfo",
+		RevocationEndpoint:                svc.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     svc.config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (svc *service) GetCertificates() *CertificatesResponse {
+	idTokenKeyPair := testingJWT.PrivateKey
+	return &CertificatesResponse{
+		Keys: []*CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (svc *service) AuthenticateCode(req AuthenticationRequest) (code string, err error) {
+	if req.Scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, svc.config.Want.RedirectURIPrefix) {
+		svc.t.Errorf("redirectURI wants prefix `%s` but was `%s`", svc.config.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if diff := cmp.Diff(svc.config.Want.CodeChallengeMethod, req.CodeChallengeMethod); diff != "" {
+		svc.t.Errorf("code_challenge_method mismatch (-want +got):\n%s", diff)
+	}
+	for k, v := range svc.config.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			svc.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	svc.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (svc *service) Exchange(req TokenRequest) (*TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if svc.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != svc.lastAuthenticationRequest.CodeChallenge {
+			svc.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", svc.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = svc.lastAuthenticationRequest.Nonce
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (svc *service) AuthenticatePassword(username, password, scope string) (*TokenResponse, error) {
+	if scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, scope)
+	}
+	if username != svc.config.Want.Username {
+		svc.t.Errorf("username wants `%s` but was `%s`", svc.config.Want.Username, username)
+	}
+	if password != svc.config.Want.Password {
+		svc.t.Errorf("password wants `%s` but was `%s`", svc.config.Want.Password, password)
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (svc *service) Refresh(refreshToken string) (*TokenResponse, error) {
+	if refreshToken != svc.config.Want.RefreshToken {
+		svc.t.Errorf("refreshToken wants %s but was %s", svc.config.Want.RefreshToken, refreshToken)
+	}
+	if svc.config.Response.RefreshError != "" {
+		return nil, &ErrorResponse{Code: "invalid_request", Description: svc.config.Response.RefreshError}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
--- a/integration_test/oidcserver/service/types.go
+++ b/integration_test/oidcserver/service/types.go
@@ -0,0 +1,108 @@
+package service
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+)
+
+// Service represents the test service of OpenID Connect Provider.
+// It provides the feature of Provider and additional methods for testing.
+type Service interface {
+	Provider
+
+	IssuerURL() string
+	SetConfig(config testconfig.Config)
+	LastTokenResponse() *TokenResponse
+}
+
+// Provider represents an OpenID Connect Provider.
+//
+// If an implemented method returns an ErrorResponse,
+// the handler will respond 400 and corresponding json of the ErrorResponse.
+// Otherwise, the handler will respond 500 and fail the current test.
+type Provider interface {
+	Discovery() *DiscoveryResponse
+	GetCertificates() *CertificatesResponse
+	AuthenticateCode(req AuthenticationRequest) (code string, err error)
+	Exchange(req TokenRequest) (*TokenResponse, error)
+	AuthenticatePassword(username, password, scope string) (*TokenResponse, error)
+	Refresh(refreshToken string) (*TokenResponse, error)
+}
+
+// DiscoveryResponse represents the type of:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+type DiscoveryResponse struct {
+	Issuer                            string   `json:"issuer"`
+	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
+	TokenEndpoint                     string   `json:"token_endpoint"`
+	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
+	RevocationEndpoint                string   `json:"revocation_endpoint"`
+	JwksURI                           string   `json:"jwks_uri"`
+	ResponseTypesSupported            []string `json:"response_types_supported"`
+	SubjectTypesSupported             []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
+	ScopesSupported                   []string `json:"scopes_supported"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	ClaimsSupported                   []string `json:"claims_supported"`
+	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
+}
+
+// CertificatesResponse represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-5
+type CertificatesResponse struct {
+	Keys []*CertificatesResponseKey `json:"keys"`
+}
+
+// CertificatesResponseKey represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-4
+type CertificatesResponseKey struct {
+	Kty string `json:"kty"`
+	Alg string `json:"alg"`
+	Use string `json:"use"`
+	Kid string `json:"kid"`
+	N   string `json:"n"`
+	E   string `json:"e"`
+}
+
+// AuthenticationRequest represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+type AuthenticationRequest struct {
+	RedirectURI         string
+	State               string
+	Scope               string // space separated string
+	Nonce               string
+	CodeChallenge       string
+	CodeChallengeMethod string
+	RawQuery            url.Values
+}
+
+// TokenRequest represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+type TokenRequest struct {
+	Code         string
+	CodeVerifier string
+}
+
+// TokenResponse represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+type TokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	IDToken      string `json:"id_token"`
+}
+
+// ErrorResponse represents the error response described in the following section:
+// 5.2 Error Response
+// https://tools.ietf.org/html/rfc6749#section-5.2
+type ErrorResponse struct {
+	Code        string `json:"error"`
+	Description string `json:"error_description"`
+}
+
+func (err *ErrorResponse) Error() string {
+	return fmt.Sprintf("%s(%s)", err.Code, err.Description)
+}
--- a/integration_test/oidcserver/testconfig/types.go
+++ b/integration_test/oidcserver/testconfig/types.go
@@ -0,0 +1,28 @@
+package testconfig
+
+import "time"
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string
+}
+
+// Config represents a configuration of the OpenID Connect provider.
+type Config struct {
+	Want     Want
+	Response Response
+}
--- a/integration_test/standalone_test.go
+++ b/integration_test/standalone_test.go
@@ -0,0 +1,307 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/kubeconfig"
+	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+// Run the integration tests of the Login use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the kubeconfig.
+func TestStandalone(t *testing.T) {
+	timeout := 3 * time.Second
+	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
+
+	for name, tc := range map[string]struct {
+		keyPair keypair.KeyPair
+		args    []string
+	}{
+		"NoTLS": {},
+		"TLS": {
+			keyPair: keypair.Server,
+		},
+	} {
+		httpDriverOption := httpdriver.Config{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
+		t.Run(name, func(t *testing.T) {
+			t.Run("AuthCode", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+					},
+					Response: testconfig.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				runStandalone(t, ctx, standaloneConfig{
+					issuerURL:          sv.IssuerURL(),
+					kubeConfigFilename: kubeConfigFilename,
+					httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+					now:                now,
+				})
+				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+					IDToken:      sv.LastTokenResponse().IDToken,
+					RefreshToken: sv.LastTokenResponse().RefreshToken,
+				})
+			})
+
+			t.Run("ROPC", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+						Username:          "USER1",
+						Password:          "PASS1",
+					},
+					Response: testconfig.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				runStandalone(t, ctx, standaloneConfig{
+					issuerURL:          sv.IssuerURL(),
+					kubeConfigFilename: kubeConfigFilename,
+					httpDriver:         httpdriver.Zero(t),
+					now:                now,
+					args: []string{
+						"--username", "USER1",
+						"--password", "PASS1",
+					},
+				})
+				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+					IDToken:      sv.LastTokenResponse().IDToken,
+					RefreshToken: sv.LastTokenResponse().RefreshToken,
+				})
+			})
+
+			t.Run("TokenLifecycle", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{})
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+
+				t.Run("NoToken", func(t *testing.T) {
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+						},
+						Response: testconfig.Response{
+							IDTokenExpiry: now.Add(time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_1",
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						now:                now,
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_1",
+					})
+				})
+				t.Run("Valid", func(t *testing.T) {
+					sv.SetConfig(testconfig.Config{})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.Zero(t),
+						now:                now,
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_1",
+					})
+				})
+				t.Run("Refresh", func(t *testing.T) {
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_1",
+						},
+						Response: testconfig.Response{
+							IDTokenExpiry: now.Add(3 * time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_2",
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						now:                now.Add(2 * time.Hour),
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_2",
+					})
+				})
+				t.Run("RefreshAgain", func(t *testing.T) {
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_2",
+						},
+						Response: testconfig.Response{
+							IDTokenExpiry: now.Add(5 * time.Hour),
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						now:                now.Add(4 * time.Hour),
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_2",
+					})
+				})
+			})
+		})
+	}
+
+	t.Run("TLSData", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                      sv.IssuerURL(),
+			IDPCertificateAuthorityData: keypair.Server.CACertBase64,
+		})
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:          sv.IssuerURL(),
+			kubeConfigFilename: kubeConfigFilename,
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig}),
+			now:                now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+
+	t.Run("env_KUBECONFIG", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer: sv.IssuerURL(),
+		})
+		t.Setenv("KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:  sv.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{}),
+			now:        now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:             "profile groups openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:      sv.IssuerURL(),
+			ExtraScopes: "profile,groups",
+		})
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:          sv.IssuerURL(),
+			kubeConfigFilename: kubeConfigFilename,
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{}),
+			now:                now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+}
+
+type standaloneConfig struct {
+	issuerURL          string
+	kubeConfigFilename string
+	httpDriver         browser.Interface
+	now                time.Time
+	args               []string
+}
+
+func runStandalone(t *testing.T, ctx context.Context, cfg standaloneConfig) {
+	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, os.Stdout, logger.New(t), cfg.httpDriver)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"--kubeconfig", cfg.kubeConfigFilename,
+		"--listen-address", "127.0.0.1:0",
+	}, cfg.args...), "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
--- a/kubelogin.rb
+++ b/kubelogin.rb
@@ -1,15 +0,0 @@
-class Kubelogin < Formula
-  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
-  homepage "https://github.com/int128/kubelogin"
-  url "https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip"
-  version "{{ env "VERSION" }}"
-  sha256 "{{ sha256 .darwin_amd64_archive }}"
-  def install
-    bin.install "kubelogin" => "kubelogin"
-    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
-  end
-  test do
-    system "#{bin}/kubelogin -h"
-    system "#{bin}/kubectl-oidc_login -h"
-  end
-end
--- a/main.go
+++ b/main.go
@@ -3,12 +3,17 @@ package main
 import (
 	"context"
 	"os"
+	"os/signal"
+	"syscall"

-	"github.com/int128/kubelogin/di"
+	"github.com/int128/kubelogin/pkg/di"
 )

 var version = "HEAD"

 func main() {
-	os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
+	ctx := context.Background()
+	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer stop()
+	os.Exit(di.NewCmd().Run(ctx, os.Args, version))
 }
--- a/mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mocks.go
@@ -0,0 +1,895 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package service_mock
+
+import (
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockService creates a new instance of MockService. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockService {
+	mock := &MockService{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockService is an autogenerated mock type for the Service type
+type MockService struct {
+	mock.Mock
+}
+
+type MockService_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockService) EXPECT() *MockService_Expecter {
+	return &MockService_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function for the type MockService
+func (_mock *MockService) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = returnFunc(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockService_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockService_Expecter) AuthenticateCode(req interface{}) *MockService_AuthenticateCode_Call {
+	return &MockService_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockService_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockService_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.AuthenticationRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.AuthenticationRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) Return(code string, err error) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) RunAndReturn(run func(req service.AuthenticationRequest) (string, error)) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function for the type MockService
+func (_mock *MockService) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _mock.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return returnFunc(username, password, scope)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = returnFunc(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = returnFunc(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockService_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockService_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockService_AuthenticatePassword_Call {
+	return &MockService_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) RunAndReturn(run func(username string, password string, scope string) (*service.TokenResponse, error)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function for the type MockService
+func (_mock *MockService) Discovery() *service.DiscoveryResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+	return r0
+}
+
+// MockService_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockService_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockService_Expecter) Discovery() *MockService_Discovery_Call {
+	return &MockService_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockService_Discovery_Call) Run(run func()) *MockService_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) Return(discoveryResponse *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(discoveryResponse)
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function for the type MockService
+func (_mock *MockService) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = returnFunc(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockService_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockService_Expecter) Exchange(req interface{}) *MockService_Exchange_Call {
+	return &MockService_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockService_Exchange_Call) Run(run func(req service.TokenRequest)) *MockService_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.TokenRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.TokenRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_Exchange_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) RunAndReturn(run func(req service.TokenRequest) (*service.TokenResponse, error)) *MockService_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function for the type MockService
+func (_mock *MockService) GetCertificates() *service.CertificatesResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+	return r0
+}
+
+// MockService_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockService_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockService_Expecter) GetCertificates() *MockService_GetCertificates_Call {
+	return &MockService_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockService_GetCertificates_Call) Run(run func()) *MockService_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) Return(certificatesResponse *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(certificatesResponse)
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IssuerURL provides a mock function for the type MockService
+func (_mock *MockService) IssuerURL() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for IssuerURL")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockService_IssuerURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerURL'
+type MockService_IssuerURL_Call struct {
+	*mock.Call
+}
+
+// IssuerURL is a helper method to define mock.On call
+func (_e *MockService_Expecter) IssuerURL() *MockService_IssuerURL_Call {
+	return &MockService_IssuerURL_Call{Call: _e.mock.On("IssuerURL")}
+}
+
+func (_c *MockService_IssuerURL_Call) Run(run func()) *MockService_IssuerURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) Return(s string) *MockService_IssuerURL_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) RunAndReturn(run func() string) *MockService_IssuerURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LastTokenResponse provides a mock function for the type MockService
+func (_mock *MockService) LastTokenResponse() *service.TokenResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for LastTokenResponse")
+	}
+
+	var r0 *service.TokenResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.TokenResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	return r0
+}
+
+// MockService_LastTokenResponse_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LastTokenResponse'
+type MockService_LastTokenResponse_Call struct {
+	*mock.Call
+}
+
+// LastTokenResponse is a helper method to define mock.On call
+func (_e *MockService_Expecter) LastTokenResponse() *MockService_LastTokenResponse_Call {
+	return &MockService_LastTokenResponse_Call{Call: _e.mock.On("LastTokenResponse")}
+}
+
+func (_c *MockService_LastTokenResponse_Call) Run(run func()) *MockService_LastTokenResponse_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) Return(tokenResponse *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(tokenResponse)
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) RunAndReturn(run func() *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function for the type MockService
+func (_mock *MockService) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _mock.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return returnFunc(refreshToken)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = returnFunc(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockService_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockService_Expecter) Refresh(refreshToken interface{}) *MockService_Refresh_Call {
+	return &MockService_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockService_Refresh_Call) Run(run func(refreshToken string)) *MockService_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_Refresh_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) RunAndReturn(run func(refreshToken string) (*service.TokenResponse, error)) *MockService_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SetConfig provides a mock function for the type MockService
+func (_mock *MockService) SetConfig(config testconfig.Config) {
+	_mock.Called(config)
+	return
+}
+
+// MockService_SetConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetConfig'
+type MockService_SetConfig_Call struct {
+	*mock.Call
+}
+
+// SetConfig is a helper method to define mock.On call
+//   - config testconfig.Config
+func (_e *MockService_Expecter) SetConfig(config interface{}) *MockService_SetConfig_Call {
+	return &MockService_SetConfig_Call{Call: _e.mock.On("SetConfig", config)}
+}
+
+func (_c *MockService_SetConfig_Call) Run(run func(config testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 testconfig.Config
+		if args[0] != nil {
+			arg0 = args[0].(testconfig.Config)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) Return() *MockService_SetConfig_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) RunAndReturn(run func(config testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockProvider {
+	mock := &MockProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockProvider is an autogenerated mock type for the Provider type
+type MockProvider struct {
+	mock.Mock
+}
+
+type MockProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
+	return &MockProvider_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function for the type MockProvider
+func (_mock *MockProvider) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = returnFunc(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockProvider_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockProvider_Expecter) AuthenticateCode(req interface{}) *MockProvider_AuthenticateCode_Call {
+	return &MockProvider_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.AuthenticationRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.AuthenticationRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Return(code string, err error) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) RunAndReturn(run func(req service.AuthenticationRequest) (string, error)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function for the type MockProvider
+func (_mock *MockProvider) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _mock.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return returnFunc(username, password, scope)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = returnFunc(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = returnFunc(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockProvider_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockProvider_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockProvider_AuthenticatePassword_Call {
+	return &MockProvider_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) RunAndReturn(run func(username string, password string, scope string) (*service.TokenResponse, error)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function for the type MockProvider
+func (_mock *MockProvider) Discovery() *service.DiscoveryResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+	return r0
+}
+
+// MockProvider_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockProvider_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) Discovery() *MockProvider_Discovery_Call {
+	return &MockProvider_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockProvider_Discovery_Call) Run(run func()) *MockProvider_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) Return(discoveryResponse *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(discoveryResponse)
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function for the type MockProvider
+func (_mock *MockProvider) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = returnFunc(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockProvider_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockProvider_Expecter) Exchange(req interface{}) *MockProvider_Exchange_Call {
+	return &MockProvider_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockProvider_Exchange_Call) Run(run func(req service.TokenRequest)) *MockProvider_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.TokenRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.TokenRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_Exchange_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) RunAndReturn(run func(req service.TokenRequest) (*service.TokenResponse, error)) *MockProvider_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetCertificates() *service.CertificatesResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+	return r0
+}
+
+// MockProvider_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockProvider_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetCertificates() *MockProvider_GetCertificates_Call {
+	return &MockProvider_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockProvider_GetCertificates_Call) Run(run func()) *MockProvider_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) Return(certificatesResponse *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(certificatesResponse)
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function for the type MockProvider
+func (_mock *MockProvider) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _mock.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return returnFunc(refreshToken)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = returnFunc(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockProvider_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockProvider_Expecter) Refresh(refreshToken interface{}) *MockProvider_Refresh_Call {
+	return &MockProvider_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockProvider_Refresh_Call) Run(run func(refreshToken string)) *MockProvider_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_Refresh_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) RunAndReturn(run func(refreshToken string) (*service.TokenResponse, error)) *MockProvider_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/cmd_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/cmd_mock/mocks.go
@@ -0,0 +1,101 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package cmd_mock
+
+import (
+	"context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Run provides a mock function for the type MockInterface
+func (_mock *MockInterface) Run(ctx context.Context, args []string, version string) int {
+	ret := _mock.Called(ctx, args, version)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Run")
+	}
+
+	var r0 int
+	if returnFunc, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
+		r0 = returnFunc(ctx, args, version)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+	return r0
+}
+
+// MockInterface_Run_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Run'
+type MockInterface_Run_Call struct {
+	*mock.Call
+}
+
+// Run is a helper method to define mock.On call
+//   - ctx context.Context
+//   - args []string
+//   - version string
+func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version interface{}) *MockInterface_Run_Call {
+	return &MockInterface_Run_Call{Call: _e.mock.On("Run", ctx, args, version)}
+}
+
+func (_c *MockInterface_Run_Call) Run(run func(ctx context.Context, args []string, version string)) *MockInterface_Run_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 []string
+		if args[1] != nil {
+			arg1 = args[1].([]string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Run_Call) Return(n int) *MockInterface_Run_Call {
+	_c.Call.Return(n)
+	return _c
+}
+
+func (_c *MockInterface_Run_Call) RunAndReturn(run func(ctx context.Context, args []string, version string) int) *MockInterface_Run_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mocks.go
@@ -0,0 +1,90 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package reader_mock
+
+import (
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function for the type MockInterface
+func (_mock *MockInterface) Read() (credentialplugin.Input, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 credentialplugin.Input
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (credentialplugin.Input, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() credentialplugin.Input); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(credentialplugin.Input)
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockInterface_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Read() *MockInterface_Read_Call {
+	return &MockInterface_Read_Call{Call: _e.mock.On("Read")}
+}
+
+func (_c *MockInterface_Read_Call) Run(run func()) *MockInterface_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) Return(input credentialplugin.Input, err error) *MockInterface_Read_Call {
+	_c.Call.Return(input, err)
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) RunAndReturn(run func() (credentialplugin.Input, error)) *MockInterface_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mocks.go
@@ -0,0 +1,88 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package writer_mock
+
+import (
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function for the type MockInterface
+func (_mock *MockInterface) Write(out credentialplugin.Output) error {
+	ret := _mock.Called(out)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
+		r0 = returnFunc(out)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockInterface_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - out credentialplugin.Output
+func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Call {
+	return &MockInterface_Write_Call{Call: _e.mock.On("Write", out)}
+}
+
+func (_c *MockInterface_Write_Call) Run(run func(out credentialplugin.Output)) *MockInterface_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 credentialplugin.Output
+		if args[0] != nil {
+			arg0 = args[0].(credentialplugin.Output)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Write_Call) Return(err error) *MockInterface_Write_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_Write_Call) RunAndReturn(run func(out credentialplugin.Output) error) *MockInterface_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mocks.go
@@ -0,0 +1,152 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package browser_mock
+
+import (
+	"context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Open provides a mock function for the type MockInterface
+func (_mock *MockInterface) Open(url string) error {
+	ret := _mock.Called(url)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Open")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(string) error); ok {
+		r0 = returnFunc(url)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_Open_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Open'
+type MockInterface_Open_Call struct {
+	*mock.Call
+}
+
+// Open is a helper method to define mock.On call
+//   - url string
+func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call {
+	return &MockInterface_Open_Call{Call: _e.mock.On("Open", url)}
+}
+
+func (_c *MockInterface_Open_Call) Run(run func(url string)) *MockInterface_Open_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Open_Call) Return(err error) *MockInterface_Open_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_Open_Call) RunAndReturn(run func(url string) error) *MockInterface_Open_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// OpenCommand provides a mock function for the type MockInterface
+func (_mock *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
+	ret := _mock.Called(ctx, url, command)
+
+	if len(ret) == 0 {
+		panic("no return value specified for OpenCommand")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
+		r0 = returnFunc(ctx, url, command)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_OpenCommand_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OpenCommand'
+type MockInterface_OpenCommand_Call struct {
+	*mock.Call
+}
+
+// OpenCommand is a helper method to define mock.On call
+//   - ctx context.Context
+//   - url string
+//   - command string
+func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{}, command interface{}) *MockInterface_OpenCommand_Call {
+	return &MockInterface_OpenCommand_Call{Call: _e.mock.On("OpenCommand", ctx, url, command)}
+}
+
+func (_c *MockInterface_OpenCommand_Call) Run(run func(ctx context.Context, url string, command string)) *MockInterface_OpenCommand_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_OpenCommand_Call) Return(err error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_OpenCommand_Call) RunAndReturn(run func(ctx context.Context, url string, command string) error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mocks.go
@@ -0,0 +1,82 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package clock_mock
+
+import (
+	"time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Now provides a mock function for the type MockInterface
+func (_mock *MockInterface) Now() time.Time {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
+	var r0 time.Time
+	if returnFunc, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(time.Time)
+	}
+	return r0
+}
+
+// MockInterface_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
+type MockInterface_Now_Call struct {
+	*mock.Call
+}
+
+// Now is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Now() *MockInterface_Now_Call {
+	return &MockInterface_Now_Call{Call: _e.mock.On("Now")}
+}
+
+func (_c *MockInterface_Now_Call) Run(run func()) *MockInterface_Now_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Now_Call) Return(time1 time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(time1)
+	return _c
+}
+
+func (_c *MockInterface_Now_Call) RunAndReturn(run func() time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mocks.go
@@ -0,0 +1,398 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package logger_mock
+
+import (
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/spf13/pflag"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// AddFlags provides a mock function for the type MockInterface
+func (_mock *MockInterface) AddFlags(f *pflag.FlagSet) {
+	_mock.Called(f)
+	return
+}
+
+// MockInterface_AddFlags_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddFlags'
+type MockInterface_AddFlags_Call struct {
+	*mock.Call
+}
+
+// AddFlags is a helper method to define mock.On call
+//   - f *pflag.FlagSet
+func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
+	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
+}
+
+func (_c *MockInterface_AddFlags_Call) Run(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *pflag.FlagSet
+		if args[0] != nil {
+			arg0 = args[0].(*pflag.FlagSet)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) RunAndReturn(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Run(run)
+	return _c
+}
+
+// IsEnabled provides a mock function for the type MockInterface
+func (_mock *MockInterface) IsEnabled(level int) bool {
+	ret := _mock.Called(level)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IsEnabled")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(int) bool); ok {
+		r0 = returnFunc(level)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockInterface_IsEnabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsEnabled'
+type MockInterface_IsEnabled_Call struct {
+	*mock.Call
+}
+
+// IsEnabled is a helper method to define mock.On call
+//   - level int
+func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
+	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
+}
+
+func (_c *MockInterface_IsEnabled_Call) Run(run func(level int)) *MockInterface_IsEnabled_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) Return(b bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) RunAndReturn(run func(level int) bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Printf provides a mock function for the type MockInterface
+func (_mock *MockInterface) Printf(format string, args ...interface{}) {
+	if len(args) > 0 {
+		_mock.Called(format, args)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// MockInterface_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockInterface_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - args ...interface{}
+func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
+	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockInterface_Printf_Call) Run(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) RunAndReturn(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// V provides a mock function for the type MockInterface
+func (_mock *MockInterface) V(level int) logger.Verbose {
+	ret := _mock.Called(level)
+
+	if len(ret) == 0 {
+		panic("no return value specified for V")
+	}
+
+	var r0 logger.Verbose
+	if returnFunc, ok := ret.Get(0).(func(int) logger.Verbose); ok {
+		r0 = returnFunc(level)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(logger.Verbose)
+		}
+	}
+	return r0
+}
+
+// MockInterface_V_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'V'
+type MockInterface_V_Call struct {
+	*mock.Call
+}
+
+// V is a helper method to define mock.On call
+//   - level int
+func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
+	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
+}
+
+func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_V_Call) Return(verbose logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(verbose)
+	return _c
+}
+
+func (_c *MockInterface_V_Call) RunAndReturn(run func(level int) logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockVerbose(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockVerbose {
+	mock := &MockVerbose{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockVerbose is an autogenerated mock type for the Verbose type
+type MockVerbose struct {
+	mock.Mock
+}
+
+type MockVerbose_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockVerbose) EXPECT() *MockVerbose_Expecter {
+	return &MockVerbose_Expecter{mock: &_m.Mock}
+}
+
+// Infof provides a mock function for the type MockVerbose
+func (_mock *MockVerbose) Infof(format string, args ...interface{}) {
+	if len(args) > 0 {
+		_mock.Called(format, args)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// MockVerbose_Infof_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Infof'
+type MockVerbose_Infof_Call struct {
+	*mock.Call
+}
+
+// Infof is a helper method to define mock.On call
+//   - format string
+//   - args ...interface{}
+func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
+	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockVerbose_Infof_Call) Run(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) RunAndReturn(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
+	_c.Run(run)
+	return _c
+}
+
+// newMockgoLogger creates a new instance of mockgoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func newMockgoLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *mockgoLogger {
+	mock := &mockgoLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// mockgoLogger is an autogenerated mock type for the goLogger type
+type mockgoLogger struct {
+	mock.Mock
+}
+
+type mockgoLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *mockgoLogger) EXPECT() *mockgoLogger_Expecter {
+	return &mockgoLogger_Expecter{mock: &_m.Mock}
+}
+
+// Printf provides a mock function for the type mockgoLogger
+func (_mock *mockgoLogger) Printf(format string, v ...interface{}) {
+	if len(v) > 0 {
+		_mock.Called(format, v)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// mockgoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type mockgoLogger_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *mockgoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockgoLogger_Printf_Call {
+	return &mockgoLogger_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *mockgoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockgoLogger_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *mockgoLogger_Printf_Call) Return() *mockgoLogger_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *mockgoLogger_Printf_Call) RunAndReturn(run func(format string, v ...interface{})) *mockgoLogger_Printf_Call {
+	_c.Run(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mocks.go
@@ -0,0 +1,156 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package reader_mock
+
+import (
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ReadPassword provides a mock function for the type MockInterface
+func (_mock *MockInterface) ReadPassword(prompt string) (string, error) {
+	ret := _mock.Called(prompt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReadPassword")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return returnFunc(prompt)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) string); ok {
+		r0 = returnFunc(prompt)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(prompt)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ReadPassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadPassword'
+type MockInterface_ReadPassword_Call struct {
+	*mock.Call
+}
+
+// ReadPassword is a helper method to define mock.On call
+//   - prompt string
+func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterface_ReadPassword_Call {
+	return &MockInterface_ReadPassword_Call{Call: _e.mock.On("ReadPassword", prompt)}
+}
+
+func (_c *MockInterface_ReadPassword_Call) Run(run func(prompt string)) *MockInterface_ReadPassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ReadPassword_Call) Return(s string, err error) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(s, err)
+	return _c
+}
+
+func (_c *MockInterface_ReadPassword_Call) RunAndReturn(run func(prompt string) (string, error)) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ReadString provides a mock function for the type MockInterface
+func (_mock *MockInterface) ReadString(prompt string) (string, error) {
+	ret := _mock.Called(prompt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReadString")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return returnFunc(prompt)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) string); ok {
+		r0 = returnFunc(prompt)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(prompt)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ReadString_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadString'
+type MockInterface_ReadString_Call struct {
+	*mock.Call
+}
+
+// ReadString is a helper method to define mock.On call
+//   - prompt string
+func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_ReadString_Call {
+	return &MockInterface_ReadString_Call{Call: _e.mock.On("ReadString", prompt)}
+}
+
+func (_c *MockInterface_ReadString_Call) Run(run func(prompt string)) *MockInterface_ReadString_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ReadString_Call) Return(s string, err error) *MockInterface_ReadString_Call {
+	_c.Call.Return(s, err)
+	return _c
+}
+
+func (_c *MockInterface_ReadString_Call) RunAndReturn(run func(prompt string) (string, error)) *MockInterface_ReadString_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mocks.go
@@ -0,0 +1,183 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package stdio_mock
+
+import (
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockStdout creates a new instance of MockStdout. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdout(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdout {
+	mock := &MockStdout{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockStdout is an autogenerated mock type for the Stdout type
+type MockStdout struct {
+	mock.Mock
+}
+
+type MockStdout_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdout) EXPECT() *MockStdout_Expecter {
+	return &MockStdout_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function for the type MockStdout
+func (_mock *MockStdout) Write(p []byte) (int, error) {
+	ret := _mock.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 int
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return returnFunc(p)
+	}
+	if returnFunc, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = returnFunc(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+	if returnFunc, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = returnFunc(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockStdout_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockStdout_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdout_Expecter) Write(p interface{}) *MockStdout_Write_Call {
+	return &MockStdout_Write_Call{Call: _e.mock.On("Write", p)}
+}
+
+func (_c *MockStdout_Write_Call) Run(run func(p []byte)) *MockStdout_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 []byte
+		if args[0] != nil {
+			arg0 = args[0].([]byte)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) Return(n int, err error) *MockStdout_Write_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) RunAndReturn(run func(p []byte) (int, error)) *MockStdout_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdin creates a new instance of MockStdin. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdin(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdin {
+	mock := &MockStdin{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockStdin is an autogenerated mock type for the Stdin type
+type MockStdin struct {
+	mock.Mock
+}
+
+type MockStdin_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdin) EXPECT() *MockStdin_Expecter {
+	return &MockStdin_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function for the type MockStdin
+func (_mock *MockStdin) Read(p []byte) (int, error) {
+	ret := _mock.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 int
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return returnFunc(p)
+	}
+	if returnFunc, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = returnFunc(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+	if returnFunc, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = returnFunc(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockStdin_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockStdin_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdin_Expecter) Read(p interface{}) *MockStdin_Read_Call {
+	return &MockStdin_Read_Call{Call: _e.mock.On("Read", p)}
+}
+
+func (_c *MockStdin_Read_Call) Run(run func(p []byte)) *MockStdin_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 []byte
+		if args[0] != nil {
+			arg0 = args[0].([]byte)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) Return(n int, err error) *MockStdin_Read_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) RunAndReturn(run func(p []byte) (int, error)) *MockStdin_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/Show More
+++ b/Show More