Bump to Go 1.13.3 (#166 )

* Bump to Go 1.13.3 and golangci-lint 1.21.0 * go mod tidy
Suppress success log to prevent screen disturbance (#165 )
2026-02-27 23:43:49 +00:00 · 2019-10-22 11:24:46 +09:00 · 2019-10-19 15:36:47 +09:00 · 2019-10-04 22:28:09 +09:00 · 2019-10-04 21:26:26 +09:00 · 2019-10-04 21:08:52 +09:00
104 changed files with 3987 additions and 3131 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
  build:
    docker:
-      - image: circleci/golang:1.12.3
+      - image: circleci/golang:1.13.3
    steps:
      - run: |
          mkdir -p ~/bin
@@ -14,7 +14,7 @@ jobs:
          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
          chmod +x ~/bin/ghcp
      - run: |
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.16.0
+          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.21.0
      - run: go get github.com/int128/goxzst
      - run: go get github.com/tcnksm/ghr
      - checkout
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -1,47 +0,0 @@
-# Design of kubelogin
-
-This explains design of kubelogin.
-
-## Use cases
-
-Kubelogin is a command line tool and designed to run as both a standalone command and a kubectl plugin.
-
-It respects the following flags, commonly used in kubectl:
-
-```
-      --kubeconfig string              Path to the kubeconfig file
-      --context string                 The name of the kubeconfig context to use
-      --user string                    The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-  -v, --v int                          If set to 1 or greater, it shows debug log
-```
-
-As well as it respects the environment variable `KUBECONFIG`.
-
-
-### Login by the command
-
-TODO
-
-
-## Architecture
-
-Kubelogin consists of the following layers:
-
- `usecases`: This provides the use-cases.
- `adaptor`: This provides external access and converts objects between the use-cases and external system.
-
-
-### Use-cases
-
-This provides the use-cases mentioned in the previous section.
-
-This layer should not contain external access such as HTTP requests and system calls.
-
-
-### Adaptor
-
-This provides external access such as command line interface and HTTP requests.
-
-
--- a/12
+++ b/12
@@ -3,13 +3,11 @@ TARGET_PLUGIN := kubectl-oidc_login
 CIRCLE_TAG ?= HEAD
 LDFLAGS := -X main.version=$(CIRCLE_TAG)

-.PHONY: check run diagram release clean
-
 all: $(TARGET)

+.PHONY: check
 check:
 	golangci-lint run
-	$(MAKE) -C e2e_test/keys/testdata
 	go test -v -race -cover -coverprofile=coverage.out ./...

 $(TARGET): $(wildcard *.go)
@@ -18,25 +16,23 @@ $(TARGET): $(wildcard *.go)
 $(TARGET_PLUGIN): $(TARGET)
 	ln -sf $(TARGET) $@

+.PHONY: run
 run: $(TARGET_PLUGIN)
 	-PATH=.:$(PATH) kubectl oidc-login --help

-diagram: docs/authn.png
-
-%.png: %.seqdiag
-	seqdiag -a -f /Library/Fonts/Verdana.ttf $<
-
 dist:
 	VERSION=$(CIRCLE_TAG) goxzst -d dist/gh/ -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
 	mv dist/gh/kubelogin.rb dist/
 	mkdir -p dist/plugins
 	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml

+.PHONY: release
 release: dist
 	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
 	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
 	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml

+.PHONY: clean
 clean:
 	-rm $(TARGET)
 	-rm $(TARGET_PLUGIN)
--- a/README.md
+++ b/README.md
@@ -2,63 +2,47 @@

 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.

-Kubelogin integrates browser based authentication with kubectl.
-You do not need to manually set an ID token and refresh token to the kubeconfig.
+This is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
+When you run kubectl, kubelogin opens the browser and you can log in to the provider.
+Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token.


 ## Getting Started

-You can install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases) as follows:
+### Install
+
+Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases) as follows:

 ```sh
 # Homebrew
-brew tap int128/kubelogin
-brew install kubelogin
+brew install int128/kubelogin/kubelogin

 # Krew
 kubectl krew install oidc-login

 # GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.14.0/kubelogin_linux_amd64.zip
+curl -LO https://github.com/int128/kubelogin/releases/download/v1.14.2/kubelogin_linux_amd64.zip
 unzip kubelogin_linux_amd64.zip
 ln -s kubelogin kubectl-oidc_login
 ```

-You need to configure the OIDC provider, Kubernetes API server, kubeconfig and role binding.
+### Setup
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
 See the following documents for more:

- [Getting Started with Keycloak](docs/keycloak.md)
 - [Getting Started with Google Identity Platform](docs/google.md)
- [Team Operation](docs/team_ops.md)
+- [Getting Started with dex and GitHub](docs/dex.md)
+- [Getting Started with Keycloak](docs/keycloak.md)

-You can run kubelogin as the following methods:
+Run the following command to show the setup instruction.

- Run as a credential plugin
- Run as a standalone command
-
-
-### Run as a credential plugin
-
-You can run kubelogin as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
-This provides transparent login without manually running `kubelogin` command.
-
-Configure the kubeconfig like:
-
-```yaml
-users:
- name: keycloak
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=https://issuer.example.com
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```sh
+kubectl oidc-login setup
 ```

+### Run
+
 Run kubectl.

 ```sh
@@ -86,103 +70,56 @@ If the cached ID token is valid, kubelogin just returns it.
 If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
 If the refresh token has expired, kubelogin will perform reauthentication.

-You can log out by removing the token cache file (default `~/.kube/oidc-login.token-cache`).
+You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
 Kubelogin will perform authentication if the token cache file does not exist.


-### Run as a standalone command
-
-You can run kubelogin as a standalone command.
-In this method, you need to manually run the command before running kubectl.
-
-Configure the kubeconfig like:
-
-```yaml
- name: keycloak
-  user:
-    auth-provider:
-      config:
-        client-id: YOUR_CLIENT_ID
-        client-secret: YOUR_CLIENT_SECRET
-        idp-issuer-url: https://issuer.example.com
-      name: oidc
-```
-
-Run kubelogin:
-
-```sh
-kubelogin
-
-# or run as a kubectl plugin
-kubectl oidc-login
-```
-
-It automatically opens the browser and you can log in to the provider.
-
-<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
-
-After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
-
-```
-% kubelogin
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-18 10:28:51 +0900 JST
-Updated ~/.kubeconfig
-```
-
-Now you can access to the cluster.
-
-```
-% kubectl get pods
-NAME                          READY   STATUS    RESTARTS   AGE
-echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
-```
-
-If the ID token is valid, kubelogin does nothing.
-
-```
-% kubelogin
-You already have a valid token until 2019-05-18 10:28:51 +0900 JST
-```
-
-If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
-If the refresh token has expired, kubelogin will proceed the authentication.
-
-
-## Configuration
+## Usage

 This document is for the development version.
 If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).

-
-### Run as a credential plugin
-
 Kubelogin supports the following options:

 ```
-% kubelogin get-token -h
+% kubectl oidc-login get-token -h
 Run as a kubectl credential plugin

 Usage:
  kubelogin get-token [flags]

 Flags:
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
      --oidc-client-id string          Client ID of the provider (mandatory)
      --oidc-client-secret string      Client secret of the provider
      --oidc-extra-scope strings       Scopes to request to the provider
+      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
+      --skip-open-browser              If true, it does not open the browser on authentication
+      --username string                If set, perform the resource owner password credentials grant
+      --password string                If set, use the password instead of asking it
      --certificate-authority string   Path to a cert file for the certificate authority
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-  -v, --v int                          If set to 1 or greater, it shows debug log
-      --token-cache string             Path to a file for caching the token (default "~/.kube/oidc-login.token-cache")
+      --token-cache-dir string         Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
  -h, --help                           help for get-token
+
+Global Flags:
+      --add_dir_header                   If true, adds the file directory to the header
+      --alsologtostderr                  log to standard error as well as files
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory
+      --log_file string                  If non-empty, use this log file
+      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files
+      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```

-#### Extra scopes
+See also the options of [standalone mode](docs/standalone-mode.md).
+
+### Extra scopes

 You can set the extra scopes to request to the provider by `--oidc-extra-scope`.

@@ -191,110 +128,14 @@ You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
      - --oidc-extra-scope=profile
 ```

-#### CA Certificates
+### CA Certificates

-You can use your self-signed certificates for the provider.
+You can use your self-signed certificate for the provider.

 ```yaml
      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
 ```

-
-### Run as a standalone command
-
-Kubelogin supports the following options:
-
-```
-% kubelogin -h
-Login to the OpenID Connect provider and update the kubeconfig
-
-Usage:
-  kubelogin [flags]
-  kubelogin [command]
-
-Examples:
-  # Login to the provider using the authorization code flow.
-  kubelogin
-
-  # Login to the provider using the resource owner password credentials flow.
-  kubelogin --username USERNAME --password PASSWORD
-
-  # Run as a credential plugin.
-  kubelogin get-token --oidc-issuer-url=https://issuer.example.com
-
-Available Commands:
-  get-token   Run as a kubectl credential plugin
-  help        Help about any command
-  version     Print the version information
-
-Flags:
-      --kubeconfig string              Path to the kubeconfig file
-      --context string                 The name of the kubeconfig context to use
-      --user string                    The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-  -v, --v int                          If set to 1 or greater, it shows debug log
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
-  -h, --help                           help for kubelogin
-```
-
-#### Kubeconfig
-
-You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
-It defaults to `~/.kube/config`.
-
-```sh
-# by the option
-kubelogin --kubeconfig /path/to/kubeconfig
-
-# by the environment variable
-KUBECONFIG="/path/to/kubeconfig1:/path/to/kubeconfig2" kubelogin
-```
-
-If you set multiple files, kubelogin will find the file which has the current authentication (i.e. `user` and `auth-provider`) and write a token to it.
-
-Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
-See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
-
-Key | Direction | Value
----|-----------|------
-`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
-`client-id`                       | Read (Mandatory) | Client ID of the provider.
-`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
-`idp-certificate-authority`       | Read | CA certificate path of the provider.
-`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
-`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
-`id-token`                        | Write | ID token got from the provider.
-`refresh-token`                   | Write | Refresh token got from the provider.
-
-#### Extra scopes
-
-You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
-```
-
-Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
-sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
-```
-
-#### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```sh
-kubectl config set-credentials keycloak \
-  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
-```
-
-
 ### HTTP Proxy

 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
@@ -315,15 +156,11 @@ You need to register the following redirect URIs to the provider:

 You can change the ports by the option:

-```sh
-# run as a standalone command
-kubelogin --listen-port 12345 --listen-port 23456
-
-# run as a credential plugin
-kubelogin get-token --listen-port 12345 --listen-port 23456
+```yaml
+      - --listen-port 12345
+      - --listen-port 23456
 ```

-
 #### Resource owner password credentials grant flow

 As well as you can use the resource owner password credentials grant flow.
@@ -332,11 +169,12 @@ Most OIDC providers do not support this flow.

 You can pass the username and password:

-```
-% kubelogin --username USER --password PASS
+```yaml
+      - --username USERNAME
+      - --password PASSWORD
 ```

-or use the password prompt:
+If the password is not set, kubelogin will show the prompt.

 ```
 % kubelogin --username USER
@@ -344,6 +182,13 @@ Password:
 ```


+## Related works
+
+### Kubernetes Dashboard
+
+You can access the Kubernetes Dashboard using kubelogin and [kauthproxy](https://github.com/int128/kauthproxy).
+
+
 ## Contributions

 This is an open source software licensed under Apache License 2.0.
--- a/adaptors/cmd/cmd.go
+++ b/adaptors/cmd/cmd.go
@@ -1,211 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"path/filepath"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/models/kubeconfig"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
-	"k8s.io/client-go/util/homedir"
-)
-
-// Set provides an implementation and interface for Cmd.
-var Set = wire.NewSet(
-	wire.Struct(new(Cmd), "*"),
-	wire.Bind(new(adaptors.Cmd), new(*Cmd)),
-)
-
-const examples = `  # Login to the provider using the authorization code flow.
-  %[1]s
-
-  # Login to the provider using the resource owner password credentials flow.
-  %[1]s --username USERNAME --password PASSWORD
-
-  # Run as a credential plugin.
-  %[1]s get-token --oidc-issuer-url=https://issuer.example.com`
-
-var defaultListenPort = []int{8000, 18000}
-var defaultTokenCache = homedir.HomeDir() + "/.kube/oidc-login.token-cache"
-
-// Cmd provides interaction with command line interface (CLI).
-type Cmd struct {
-	Login    usecases.Login
-	GetToken usecases.GetToken
-	Logger   adaptors.Logger
-}
-
-// Run parses the command line arguments and executes the specified use-case.
-// It returns an exit code, that is 0 on success or 1 on error.
-func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
-	executable := filepath.Base(args[0])
-
-	rootCmd := newRootCmd(ctx, executable, cmd)
-	rootCmd.Version = version
-	rootCmd.SilenceUsage = true
-	rootCmd.SilenceErrors = true
-
-	getTokenCmd := newGetTokenCmd(ctx, cmd)
-	rootCmd.AddCommand(getTokenCmd)
-
-	versionCmd := &cobra.Command{
-		Use:   "version",
-		Short: "Print the version information",
-		Args:  cobra.NoArgs,
-		Run: func(*cobra.Command, []string) {
-			cmd.Logger.Printf("%s version %s", executable, version)
-		},
-	}
-	rootCmd.AddCommand(versionCmd)
-
-	rootCmd.SetArgs(args[1:])
-	if err := rootCmd.Execute(); err != nil {
-		cmd.Logger.Printf("error: %s", err)
-		cmd.Logger.Debugf(1, "stacktrace: %+v", err)
-		return 1
-	}
-	return 0
-}
-
-// kubectlOptions represents kubectl specific options.
-type kubectlOptions struct {
-	Kubeconfig           string
-	Context              string
-	User                 string
-	CertificateAuthority string
-	SkipTLSVerify        bool
-	Verbose              int
-}
-
-func (o *kubectlOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
-	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
-	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	f.IntVarP(&o.Verbose, "v", "v", 0, "If set to 1 or greater, it shows debug log")
-}
-
-// loginOptions represents the options for Login use-case.
-type loginOptions struct {
-	ListenPort      []int
-	SkipOpenBrowser bool
-	Username        string
-	Password        string
-}
-
-func (o *loginOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
-	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
-	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
-	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
-}
-
-func newRootCmd(ctx context.Context, executable string, cmd *Cmd) *cobra.Command {
-	var o struct {
-		kubectlOptions
-		loginOptions
-	}
-	rootCmd := &cobra.Command{
-		Use:     executable,
-		Short:   "Login to the OpenID Connect provider and update the kubeconfig",
-		Example: fmt.Sprintf(examples, executable),
-		Args:    cobra.NoArgs,
-		RunE: func(*cobra.Command, []string) error {
-			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
-			in := usecases.LoginIn{
-				KubeconfigFilename: o.Kubeconfig,
-				KubeconfigContext:  kubeconfig.ContextName(o.Context),
-				KubeconfigUser:     kubeconfig.UserName(o.User),
-				CACertFilename:     o.CertificateAuthority,
-				SkipTLSVerify:      o.SkipTLSVerify,
-				ListenPort:         o.ListenPort,
-				SkipOpenBrowser:    o.SkipOpenBrowser,
-				Username:           o.Username,
-				Password:           o.Password,
-			}
-			if err := cmd.Login.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
-			}
-			return nil
-		},
-	}
-	o.kubectlOptions.register(rootCmd.Flags())
-	o.loginOptions.register(rootCmd.Flags())
-	return rootCmd
-}
-
-// getTokenOptions represents the options for get-token command.
-type getTokenOptions struct {
-	loginOptions
-	IssuerURL            string
-	ClientID             string
-	ClientSecret         string
-	ExtraScopes          []string
-	CertificateAuthority string
-	SkipTLSVerify        bool
-	Verbose              int
-	TokenCacheFilename   string
-}
-
-func (o *getTokenOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	o.loginOptions.register(f)
-	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
-	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
-	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
-	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	f.IntVarP(&o.Verbose, "v", "v", 0, "If set to 1 or greater, it shows debug log")
-	f.StringVar(&o.TokenCacheFilename, "token-cache", defaultTokenCache, "Path to a file for caching the token")
-}
-
-func newGetTokenCmd(ctx context.Context, cmd *Cmd) *cobra.Command {
-	var o getTokenOptions
-	c := &cobra.Command{
-		Use:   "get-token [flags]",
-		Short: "Run as a kubectl credential plugin",
-		Args: func(c *cobra.Command, args []string) error {
-			if err := cobra.NoArgs(c, args); err != nil {
-				return err
-			}
-			if o.IssuerURL == "" {
-				return xerrors.New("--oidc-issuer-url is missing")
-			}
-			if o.ClientID == "" {
-				return xerrors.New("--oidc-client-id is missing")
-			}
-			return nil
-		},
-		RunE: func(*cobra.Command, []string) error {
-			cmd.Logger.SetLevel(adaptors.LogLevel(o.Verbose))
-			in := usecases.GetTokenIn{
-				IssuerURL:          o.IssuerURL,
-				ClientID:           o.ClientID,
-				ClientSecret:       o.ClientSecret,
-				ExtraScopes:        o.ExtraScopes,
-				CACertFilename:     o.CertificateAuthority,
-				SkipTLSVerify:      o.SkipTLSVerify,
-				ListenPort:         o.ListenPort,
-				SkipOpenBrowser:    o.SkipOpenBrowser,
-				Username:           o.Username,
-				Password:           o.Password,
-				TokenCacheFilename: o.TokenCacheFilename,
-			}
-			if err := cmd.GetToken.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
-			}
-			return nil
-		},
-	}
-	o.register(c.Flags())
-	return c
-}
--- a/adaptors/env/env.go
+++ b/adaptors/env/env.go
@@ -1,36 +0,0 @@
-package env
-
-import (
-	"fmt"
-	"os"
-	"syscall"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"golang.org/x/crypto/ssh/terminal"
-	"golang.org/x/xerrors"
-)
-
-// Set provides an implementation and interface for Env.
-var Set = wire.NewSet(
-	wire.Struct(new(Env), "*"),
-	wire.Bind(new(adaptors.Env), new(*Env)),
-)
-
-// Env provides environment specific facilities.
-type Env struct{}
-
-// ReadPassword reads a password from the stdin without echo back.
-func (*Env) ReadPassword(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, "Password: "); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	b, err := terminal.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return "", xerrors.Errorf("could not read: %w", err)
-	}
-	if _, err := fmt.Fprintln(os.Stderr); err != nil {
-		return "", xerrors.Errorf("could not write a new line: %w", err)
-	}
-	return string(b), nil
-}
--- a/adaptors/interfaces.go
+++ b/adaptors/interfaces.go
@@ -1,106 +0,0 @@
-package adaptors
-
-import (
-	"context"
-	"time"
-
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"github.com/int128/kubelogin/models/kubeconfig"
-)
-
-//go:generate mockgen -destination mock_adaptors/mock_adaptors.go github.com/int128/kubelogin/adaptors Kubeconfig,TokenCacheRepository,CredentialPluginInteraction,OIDC,OIDCClient,Env,Logger
-
-type Cmd interface {
-	Run(ctx context.Context, args []string, version string) int
-}
-
-type Kubeconfig interface {
-	GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)
-	UpdateAuthProvider(auth *kubeconfig.AuthProvider) error
-}
-
-type TokenCacheRepository interface {
-	Read(filename string) (*credentialplugin.TokenCache, error)
-	Write(filename string, tc credentialplugin.TokenCache) error
-}
-
-type CredentialPluginInteraction interface {
-	Write(out credentialplugin.Output) error
-}
-
-type OIDC interface {
-	New(ctx context.Context, config OIDCClientConfig) (OIDCClient, error)
-}
-
-// OIDCClientConfig represents a configuration of an OIDCClient to create.
-type OIDCClientConfig struct {
-	Config         kubeconfig.OIDCConfig
-	CACertFilename string
-	SkipTLSVerify  bool
-}
-
-type OIDCClient interface {
-	AuthenticateByCode(ctx context.Context, in OIDCAuthenticateByCodeIn) (*OIDCAuthenticateOut, error)
-	AuthenticateByPassword(ctx context.Context, in OIDCAuthenticateByPasswordIn) (*OIDCAuthenticateOut, error)
-	Verify(ctx context.Context, in OIDCVerifyIn) (*OIDCVerifyOut, error)
-	Refresh(ctx context.Context, in OIDCRefreshIn) (*OIDCAuthenticateOut, error)
-}
-
-// OIDCAuthenticateByCodeIn represents an input DTO of OIDCClient.AuthenticateByCode.
-type OIDCAuthenticateByCodeIn struct {
-	LocalServerPort    []int // HTTP server port candidates
-	SkipOpenBrowser    bool  // skip opening browser if true
-	ShowLocalServerURL interface{ ShowLocalServerURL(url string) }
-}
-
-// OIDCAuthenticateByPasswordIn represents an input DTO of OIDCClient.AuthenticateByPassword.
-type OIDCAuthenticateByPasswordIn struct {
-	Username string
-	Password string
-}
-
-// OIDCAuthenticateOut represents an output DTO of
-// OIDCClient.AuthenticateByCode, OIDCClient.AuthenticateByPassword and OIDCClient.Refresh.
-type OIDCAuthenticateOut struct {
-	IDToken       string
-	RefreshToken  string
-	IDTokenExpiry time.Time
-	IDTokenClaims map[string]string // string representation of claims for logging
-}
-
-// OIDCVerifyIn represents an input DTO of OIDCClient.Verify.
-type OIDCVerifyIn struct {
-	IDToken      string
-	RefreshToken string
-}
-
-// OIDCVerifyIn represents an output DTO of OIDCClient.Verify.
-type OIDCVerifyOut struct {
-	IDTokenExpiry time.Time
-	IDTokenClaims map[string]string // string representation of claims for logging
-}
-
-// OIDCRefreshIn represents an input DTO of OIDCClient.Refresh.
-type OIDCRefreshIn struct {
-	RefreshToken string
-}
-
-type Env interface {
-	ReadPassword(prompt string) (string, error)
-}
-
-type Logger interface {
-	Printf(format string, v ...interface{})
-	Debugf(level LogLevel, format string, v ...interface{})
-	SetLevel(level LogLevel)
-	IsEnabled(level LogLevel) bool
-}
-
-// LogLevel represents a log level for debug.
-//
-// 0 = None
-// 1 = Including in/out
-// 2 = Including transport headers
-// 3 = Including transport body
-//
-type LogLevel int
--- a/adaptors/kubeconfig/kubeconfig.go
+++ b/adaptors/kubeconfig/kubeconfig.go
@@ -1,14 +0,0 @@
-package kubeconfig
-
-import (
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-)
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Kubeconfig), "*"),
-	wire.Bind(new(adaptors.Kubeconfig), new(*Kubeconfig)),
-)
-
-type Kubeconfig struct{}
--- a/adaptors/logger/logger.go
+++ b/adaptors/logger/logger.go
@@ -1,56 +0,0 @@
-package logger
-
-import (
-	"fmt"
-	"log"
-	"os"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-)
-
-// Set provides an implementation and interface for Logger.
-var Set = wire.NewSet(
-	New,
-)
-
-// New returns a Logger with the standard log.Logger for messages and debug.
-func New() adaptors.Logger {
-	return &Logger{
-		stdLogger:   log.New(os.Stderr, "", 0),
-		debugLogger: log.New(os.Stderr, "", log.Ltime|log.Lmicroseconds|log.Lshortfile),
-	}
-}
-
-func NewWith(s stdLogger, d debugLogger) *Logger {
-	return &Logger{s, d, 0}
-}
-
-type stdLogger interface {
-	Printf(format string, v ...interface{})
-}
-
-type debugLogger interface {
-	Output(calldepth int, s string) error
-}
-
-// Logger wraps the standard log.Logger and just provides debug level.
-type Logger struct {
-	stdLogger
-	debugLogger
-	level adaptors.LogLevel
-}
-
-func (l *Logger) Debugf(level adaptors.LogLevel, format string, v ...interface{}) {
-	if l.IsEnabled(level) {
-		_ = l.debugLogger.Output(2, fmt.Sprintf(format, v...))
-	}
-}
-
-func (l *Logger) SetLevel(level adaptors.LogLevel) {
-	l.level = level
-}
-
-func (l *Logger) IsEnabled(level adaptors.LogLevel) bool {
-	return level <= l.level
-}
--- a/adaptors/logger/logger_test.go
+++ b/adaptors/logger/logger_test.go
@@ -1,62 +0,0 @@
-package logger
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/int128/kubelogin/adaptors"
-)
-
-type mockDebugLogger struct {
-	count int
-}
-
-func (l *mockDebugLogger) Output(int, string) error {
-	l.count++
-	return nil
-}
-
-func TestLogger_Debugf(t *testing.T) {
-	for _, c := range []struct {
-		loggerLevel adaptors.LogLevel
-		debugfLevel adaptors.LogLevel
-		count       int
-	}{
-		{0, 0, 1},
-		{0, 1, 0},
-
-		{1, 0, 1},
-		{1, 1, 1},
-		{1, 2, 0},
-
-		{2, 1, 1},
-		{2, 2, 1},
-		{2, 3, 0},
-	} {
-		t.Run(fmt.Sprintf("%+v", c), func(t *testing.T) {
-			m := &mockDebugLogger{}
-			l := &Logger{debugLogger: m, level: c.loggerLevel}
-			l.Debugf(c.debugfLevel, "hello")
-			if m.count != c.count {
-				t.Errorf("count wants %d but %d", c.count, m.count)
-			}
-		})
-	}
-}
-
-type mockStdLogger struct {
-	count int
-}
-
-func (l *mockStdLogger) Printf(format string, v ...interface{}) {
-	l.count++
-}
-
-func TestLogger_Printf(t *testing.T) {
-	m := &mockStdLogger{}
-	l := &Logger{stdLogger: m}
-	l.Printf("hello")
-	if m.count != 1 {
-		t.Errorf("count wants %d but %d", 1, m.count)
-	}
-}
--- a/adaptors/mock_adaptors/logger.go
+++ b/adaptors/mock_adaptors/logger.go
@@ -1,31 +0,0 @@
-package mock_adaptors
-
-import (
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-)
-
-func NewLogger(t testingLogger, ctrl *gomock.Controller) *Logger {
-	return &Logger{
-		MockLogger:    NewMockLogger(ctrl),
-		testingLogger: t,
-	}
-}
-
-type testingLogger interface {
-	Logf(format string, v ...interface{})
-}
-
-// Logger provides mock feature but overrides output methods with actual logging.
-type Logger struct {
-	*MockLogger
-	testingLogger testingLogger
-}
-
-func (l *Logger) Printf(format string, v ...interface{}) {
-	l.testingLogger.Logf(format, v...)
-}
-
-func (l *Logger) Debugf(level adaptors.LogLevel, format string, v ...interface{}) {
-	l.testingLogger.Logf(format, v...)
-}
--- a/adaptors/mock_adaptors/mock_adaptors.go
+++ b/adaptors/mock_adaptors/mock_adaptors.go
@@ -1,367 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/adaptors (interfaces: Kubeconfig,TokenCacheRepository,CredentialPluginInteraction,OIDC,OIDCClient,Env,Logger)
-
-// Package mock_adaptors is a generated GoMock package.
-package mock_adaptors
-
-import (
-	context "context"
-	gomock "github.com/golang/mock/gomock"
-	adaptors "github.com/int128/kubelogin/adaptors"
-	credentialplugin "github.com/int128/kubelogin/models/credentialplugin"
-	kubeconfig "github.com/int128/kubelogin/models/kubeconfig"
-	reflect "reflect"
-)
-
-// MockKubeconfig is a mock of Kubeconfig interface
-type MockKubeconfig struct {
-	ctrl     *gomock.Controller
-	recorder *MockKubeconfigMockRecorder
-}
-
-// MockKubeconfigMockRecorder is the mock recorder for MockKubeconfig
-type MockKubeconfigMockRecorder struct {
-	mock *MockKubeconfig
-}
-
-// NewMockKubeconfig creates a new mock instance
-func NewMockKubeconfig(ctrl *gomock.Controller) *MockKubeconfig {
-	mock := &MockKubeconfig{ctrl: ctrl}
-	mock.recorder = &MockKubeconfigMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockKubeconfig) EXPECT() *MockKubeconfigMockRecorder {
-	return m.recorder
-}
-
-// GetCurrentAuthProvider mocks base method
-func (m *MockKubeconfig) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
-	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
-func (mr *MockKubeconfigMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockKubeconfig)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
-}
-
-// UpdateAuthProvider mocks base method
-func (m *MockKubeconfig) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
-	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
-func (mr *MockKubeconfigMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockKubeconfig)(nil).UpdateAuthProvider), arg0)
-}
-
-// MockTokenCacheRepository is a mock of TokenCacheRepository interface
-type MockTokenCacheRepository struct {
-	ctrl     *gomock.Controller
-	recorder *MockTokenCacheRepositoryMockRecorder
-}
-
-// MockTokenCacheRepositoryMockRecorder is the mock recorder for MockTokenCacheRepository
-type MockTokenCacheRepositoryMockRecorder struct {
-	mock *MockTokenCacheRepository
-}
-
-// NewMockTokenCacheRepository creates a new mock instance
-func NewMockTokenCacheRepository(ctrl *gomock.Controller) *MockTokenCacheRepository {
-	mock := &MockTokenCacheRepository{ctrl: ctrl}
-	mock.recorder = &MockTokenCacheRepositoryMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockTokenCacheRepository) EXPECT() *MockTokenCacheRepositoryMockRecorder {
-	return m.recorder
-}
-
-// Read mocks base method
-func (m *MockTokenCacheRepository) Read(arg0 string) (*credentialplugin.TokenCache, error) {
-	ret := m.ctrl.Call(m, "Read", arg0)
-	ret0, _ := ret[0].(*credentialplugin.TokenCache)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Read indicates an expected call of Read
-func (mr *MockTokenCacheRepositoryMockRecorder) Read(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Read", reflect.TypeOf((*MockTokenCacheRepository)(nil).Read), arg0)
-}
-
-// Write mocks base method
-func (m *MockTokenCacheRepository) Write(arg0 string, arg1 credentialplugin.TokenCache) error {
-	ret := m.ctrl.Call(m, "Write", arg0, arg1)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Write indicates an expected call of Write
-func (mr *MockTokenCacheRepositoryMockRecorder) Write(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockTokenCacheRepository)(nil).Write), arg0, arg1)
-}
-
-// MockCredentialPluginInteraction is a mock of CredentialPluginInteraction interface
-type MockCredentialPluginInteraction struct {
-	ctrl     *gomock.Controller
-	recorder *MockCredentialPluginInteractionMockRecorder
-}
-
-// MockCredentialPluginInteractionMockRecorder is the mock recorder for MockCredentialPluginInteraction
-type MockCredentialPluginInteractionMockRecorder struct {
-	mock *MockCredentialPluginInteraction
-}
-
-// NewMockCredentialPluginInteraction creates a new mock instance
-func NewMockCredentialPluginInteraction(ctrl *gomock.Controller) *MockCredentialPluginInteraction {
-	mock := &MockCredentialPluginInteraction{ctrl: ctrl}
-	mock.recorder = &MockCredentialPluginInteractionMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockCredentialPluginInteraction) EXPECT() *MockCredentialPluginInteractionMockRecorder {
-	return m.recorder
-}
-
-// Write mocks base method
-func (m *MockCredentialPluginInteraction) Write(arg0 credentialplugin.Output) error {
-	ret := m.ctrl.Call(m, "Write", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Write indicates an expected call of Write
-func (mr *MockCredentialPluginInteractionMockRecorder) Write(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockCredentialPluginInteraction)(nil).Write), arg0)
-}
-
-// MockOIDC is a mock of OIDC interface
-type MockOIDC struct {
-	ctrl     *gomock.Controller
-	recorder *MockOIDCMockRecorder
-}
-
-// MockOIDCMockRecorder is the mock recorder for MockOIDC
-type MockOIDCMockRecorder struct {
-	mock *MockOIDC
-}
-
-// NewMockOIDC creates a new mock instance
-func NewMockOIDC(ctrl *gomock.Controller) *MockOIDC {
-	mock := &MockOIDC{ctrl: ctrl}
-	mock.recorder = &MockOIDCMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockOIDC) EXPECT() *MockOIDCMockRecorder {
-	return m.recorder
-}
-
-// New mocks base method
-func (m *MockOIDC) New(arg0 context.Context, arg1 adaptors.OIDCClientConfig) (adaptors.OIDCClient, error) {
-	ret := m.ctrl.Call(m, "New", arg0, arg1)
-	ret0, _ := ret[0].(adaptors.OIDCClient)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// New indicates an expected call of New
-func (mr *MockOIDCMockRecorder) New(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockOIDC)(nil).New), arg0, arg1)
-}
-
-// MockOIDCClient is a mock of OIDCClient interface
-type MockOIDCClient struct {
-	ctrl     *gomock.Controller
-	recorder *MockOIDCClientMockRecorder
-}
-
-// MockOIDCClientMockRecorder is the mock recorder for MockOIDCClient
-type MockOIDCClientMockRecorder struct {
-	mock *MockOIDCClient
-}
-
-// NewMockOIDCClient creates a new mock instance
-func NewMockOIDCClient(ctrl *gomock.Controller) *MockOIDCClient {
-	mock := &MockOIDCClient{ctrl: ctrl}
-	mock.recorder = &MockOIDCClientMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockOIDCClient) EXPECT() *MockOIDCClientMockRecorder {
-	return m.recorder
-}
-
-// AuthenticateByCode mocks base method
-func (m *MockOIDCClient) AuthenticateByCode(arg0 context.Context, arg1 adaptors.OIDCAuthenticateByCodeIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ret := m.ctrl.Call(m, "AuthenticateByCode", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateByCode indicates an expected call of AuthenticateByCode
-func (mr *MockOIDCClientMockRecorder) AuthenticateByCode(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByCode", reflect.TypeOf((*MockOIDCClient)(nil).AuthenticateByCode), arg0, arg1)
-}
-
-// AuthenticateByPassword mocks base method
-func (m *MockOIDCClient) AuthenticateByPassword(arg0 context.Context, arg1 adaptors.OIDCAuthenticateByPasswordIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ret := m.ctrl.Call(m, "AuthenticateByPassword", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateByPassword indicates an expected call of AuthenticateByPassword
-func (mr *MockOIDCClientMockRecorder) AuthenticateByPassword(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByPassword", reflect.TypeOf((*MockOIDCClient)(nil).AuthenticateByPassword), arg0, arg1)
-}
-
-// Refresh mocks base method
-func (m *MockOIDCClient) Refresh(arg0 context.Context, arg1 adaptors.OIDCRefreshIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCAuthenticateOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh
-func (mr *MockOIDCClientMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockOIDCClient)(nil).Refresh), arg0, arg1)
-}
-
-// Verify mocks base method
-func (m *MockOIDCClient) Verify(arg0 context.Context, arg1 adaptors.OIDCVerifyIn) (*adaptors.OIDCVerifyOut, error) {
-	ret := m.ctrl.Call(m, "Verify", arg0, arg1)
-	ret0, _ := ret[0].(*adaptors.OIDCVerifyOut)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Verify indicates an expected call of Verify
-func (mr *MockOIDCClientMockRecorder) Verify(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Verify", reflect.TypeOf((*MockOIDCClient)(nil).Verify), arg0, arg1)
-}
-
-// MockEnv is a mock of Env interface
-type MockEnv struct {
-	ctrl     *gomock.Controller
-	recorder *MockEnvMockRecorder
-}
-
-// MockEnvMockRecorder is the mock recorder for MockEnv
-type MockEnvMockRecorder struct {
-	mock *MockEnv
-}
-
-// NewMockEnv creates a new mock instance
-func NewMockEnv(ctrl *gomock.Controller) *MockEnv {
-	mock := &MockEnv{ctrl: ctrl}
-	mock.recorder = &MockEnvMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockEnv) EXPECT() *MockEnvMockRecorder {
-	return m.recorder
-}
-
-// ReadPassword mocks base method
-func (m *MockEnv) ReadPassword(arg0 string) (string, error) {
-	ret := m.ctrl.Call(m, "ReadPassword", arg0)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadPassword indicates an expected call of ReadPassword
-func (mr *MockEnvMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockEnv)(nil).ReadPassword), arg0)
-}
-
-// MockLogger is a mock of Logger interface
-type MockLogger struct {
-	ctrl     *gomock.Controller
-	recorder *MockLoggerMockRecorder
-}
-
-// MockLoggerMockRecorder is the mock recorder for MockLogger
-type MockLoggerMockRecorder struct {
-	mock *MockLogger
-}
-
-// NewMockLogger creates a new mock instance
-func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
-	mock := &MockLogger{ctrl: ctrl}
-	mock.recorder = &MockLoggerMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
-	return m.recorder
-}
-
-// Debugf mocks base method
-func (m *MockLogger) Debugf(arg0 adaptors.LogLevel, arg1 string, arg2 ...interface{}) {
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	m.ctrl.Call(m, "Debugf", varargs...)
-}
-
-// Debugf indicates an expected call of Debugf
-func (mr *MockLoggerMockRecorder) Debugf(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Debugf", reflect.TypeOf((*MockLogger)(nil).Debugf), varargs...)
-}
-
-// IsEnabled mocks base method
-func (m *MockLogger) IsEnabled(arg0 adaptors.LogLevel) bool {
-	ret := m.ctrl.Call(m, "IsEnabled", arg0)
-	ret0, _ := ret[0].(bool)
-	return ret0
-}
-
-// IsEnabled indicates an expected call of IsEnabled
-func (mr *MockLoggerMockRecorder) IsEnabled(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsEnabled", reflect.TypeOf((*MockLogger)(nil).IsEnabled), arg0)
-}
-
-// Printf mocks base method
-func (m *MockLogger) Printf(arg0 string, arg1 ...interface{}) {
-	varargs := []interface{}{arg0}
-	for _, a := range arg1 {
-		varargs = append(varargs, a)
-	}
-	m.ctrl.Call(m, "Printf", varargs...)
-}
-
-// Printf indicates an expected call of Printf
-func (mr *MockLoggerMockRecorder) Printf(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
-	varargs := append([]interface{}{arg0}, arg1...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Printf", reflect.TypeOf((*MockLogger)(nil).Printf), varargs...)
-}
-
-// SetLevel mocks base method
-func (m *MockLogger) SetLevel(arg0 adaptors.LogLevel) {
-	m.ctrl.Call(m, "SetLevel", arg0)
-}
-
-// SetLevel indicates an expected call of SetLevel
-func (mr *MockLoggerMockRecorder) SetLevel(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLevel", reflect.TypeOf((*MockLogger)(nil).SetLevel), arg0)
-}
--- a/adaptors/oidc/logging/transport.go
+++ b/adaptors/oidc/logging/transport.go
@@ -1,50 +0,0 @@
-package logging
-
-import (
-	"net/http"
-	"net/http/httputil"
-
-	"github.com/int128/kubelogin/adaptors"
-)
-
-const (
-	logLevelDumpHeaders = 2
-	logLevelDumpBody    = 3
-)
-
-type Transport struct {
-	Base   http.RoundTripper
-	Logger adaptors.Logger
-}
-
-func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
-	if !t.IsDumpEnabled() {
-		return t.Base.RoundTrip(req)
-	}
-
-	reqDump, err := httputil.DumpRequestOut(req, t.IsDumpBodyEnabled())
-	if err != nil {
-		t.Logger.Debugf(logLevelDumpHeaders, "Error: could not dump the request: %s", err)
-		return t.Base.RoundTrip(req)
-	}
-	t.Logger.Debugf(logLevelDumpHeaders, "%s", string(reqDump))
-	resp, err := t.Base.RoundTrip(req)
-	if err != nil {
-		return resp, err
-	}
-	respDump, err := httputil.DumpResponse(resp, t.IsDumpBodyEnabled())
-	if err != nil {
-		t.Logger.Debugf(logLevelDumpHeaders, "Error: could not dump the response: %s", err)
-		return resp, err
-	}
-	t.Logger.Debugf(logLevelDumpHeaders, "%s", string(respDump))
-	return resp, err
-}
-
-func (t *Transport) IsDumpEnabled() bool {
-	return t.Logger.IsEnabled(logLevelDumpHeaders)
-}
-
-func (t *Transport) IsDumpBodyEnabled() bool {
-	return t.Logger.IsEnabled(logLevelDumpBody)
-}
--- a/adaptors/oidc/logging/transport_test.go
+++ b/adaptors/oidc/logging/transport_test.go
@@ -1,90 +0,0 @@
-package logging
-
-import (
-	"bufio"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-)
-
-type mockTransport struct {
-	req  *http.Request
-	resp *http.Response
-}
-
-func (t *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	t.req = req
-	return t.resp, nil
-}
-
-func TestLoggingTransport_RoundTrip(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	logger := mock_adaptors.NewLogger(t, ctrl)
-	logger.EXPECT().
-		IsEnabled(gomock.Any()).
-		Return(true).
-		AnyTimes()
-
-	req := httptest.NewRequest("GET", "http://example.com/hello", nil)
-	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(`HTTP/1.1 200 OK
-Host: example.com
-
-dummy`)), req)
-	if err != nil {
-		t.Errorf("could not create a response: %s", err)
-	}
-	defer resp.Body.Close()
-
-	transport := &Transport{
-		Base:   &mockTransport{resp: resp},
-		Logger: logger,
-	}
-	gotResp, err := transport.RoundTrip(req)
-	if err != nil {
-		t.Errorf("RoundTrip error: %s", err)
-	}
-	if gotResp != resp {
-		t.Errorf("resp wants %v but %v", resp, gotResp)
-	}
-}
-
-func TestLoggingTransport_IsDumpEnabled(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	logger := mock_adaptors.NewLogger(t, ctrl)
-	logger.EXPECT().
-		IsEnabled(adaptors.LogLevel(logLevelDumpHeaders)).
-		Return(true)
-
-	transport := &Transport{
-		Logger: logger,
-	}
-	if transport.IsDumpEnabled() != true {
-		t.Errorf("IsDumpEnabled wants true")
-	}
-}
-
-func TestLoggingTransport_IsDumpBodyEnabled(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	logger := mock_adaptors.NewLogger(t, ctrl)
-	logger.EXPECT().
-		IsEnabled(adaptors.LogLevel(logLevelDumpBody)).
-		Return(true)
-
-	transport := &Transport{
-		Logger: logger,
-	}
-	if transport.IsDumpBodyEnabled() != true {
-		t.Errorf("IsDumpBodyEnabled wants true")
-	}
-}
--- a/adaptors/oidc/oidc.go
+++ b/adaptors/oidc/oidc.go
@@ -1,239 +0,0 @@
-package oidc
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/coreos/go-oidc"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/oidc/logging"
-	"github.com/int128/kubelogin/adaptors/oidc/tls"
-	"github.com/int128/oauth2cli"
-	"github.com/pkg/browser"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-func init() {
-	// In credential plugin mode, some browser launcher writes a message to stdout
-	// and it may break the credential json for client-go.
-	// This prevents the browser launcher from breaking the credential json.
-	browser.Stdout = os.Stderr
-}
-
-// Set provides an implementation and interface for OIDC.
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(adaptors.OIDC), new(*Factory)),
-)
-
-type Factory struct {
-	Logger adaptors.Logger
-}
-
-// New returns an instance of adaptors.OIDCClient with the given configuration.
-func (f *Factory) New(ctx context.Context, config adaptors.OIDCClientConfig) (adaptors.OIDCClient, error) {
-	tlsConfig, err := tls.NewConfig(config, f.Logger)
-	if err != nil {
-		return nil, xerrors.Errorf("could not initialize TLS config: %w", err)
-	}
-	baseTransport := &http.Transport{
-		TLSClientConfig: tlsConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
-	httpClient := &http.Client{
-		Transport: loggingTransport,
-	}
-
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := oidc.NewProvider(ctx, config.Config.IDPIssuerURL)
-	if err != nil {
-		return nil, xerrors.Errorf("could not discovery the OIDC issuer: %w", err)
-	}
-	return &client{
-		httpClient: httpClient,
-		provider:   provider,
-		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     config.Config.ClientID,
-			ClientSecret: config.Config.ClientSecret,
-			Scopes:       append(config.Config.ExtraScopes, oidc.ScopeOpenID),
-		},
-		logger: f.Logger,
-	}, nil
-}
-
-type client struct {
-	httpClient   *http.Client
-	provider     *oidc.Provider
-	oauth2Config oauth2.Config
-	logger       adaptors.Logger
-}
-
-func (c *client) wrapContext(ctx context.Context) context.Context {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	return ctx
-}
-
-// AuthenticateByCode performs the authorization code flow.
-func (c *client) AuthenticateByCode(ctx context.Context, in adaptors.OIDCAuthenticateByCodeIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ctx = c.wrapContext(ctx)
-	nonce, err := newNonce()
-	if err != nil {
-		return nil, xerrors.Errorf("could not generate a nonce parameter")
-	}
-	config := oauth2cli.Config{
-		OAuth2Config:       c.oauth2Config,
-		LocalServerPort:    in.LocalServerPort,
-		SkipOpenBrowser:    in.SkipOpenBrowser,
-		AuthCodeOptions:    []oauth2.AuthCodeOption{oauth2.AccessTypeOffline, oidc.Nonce(nonce)},
-		ShowLocalServerURL: in.ShowLocalServerURL.ShowLocalServerURL,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	if verifiedIDToken.Nonce != nonce {
-		return nil, xerrors.Errorf("nonce of ID token did not match (want %s but was %s)", nonce, verifiedIDToken.Nonce)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCAuthenticateOut{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func newNonce() (string, error) {
-	var n uint64
-	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
-		return "", xerrors.Errorf("error while reading random: %w", err)
-	}
-	return fmt.Sprintf("%x", n), nil
-}
-
-// AuthenticateByPassword performs the resource owner password credentials flow.
-func (c *client) AuthenticateByPassword(ctx context.Context, in adaptors.OIDCAuthenticateByPasswordIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ctx = c.wrapContext(ctx)
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, in.Username, in.Password)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCAuthenticateOut{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-// Verify checks client ID and signature of the ID token.
-// This does not check the expiration and caller should check it.
-func (c *client) Verify(ctx context.Context, in adaptors.OIDCVerifyIn) (*adaptors.OIDCVerifyOut, error) {
-	ctx = c.wrapContext(ctx)
-	verifier := c.provider.Verifier(&oidc.Config{
-		ClientID:        c.oauth2Config.ClientID,
-		SkipExpiryCheck: true,
-	})
-	verifiedIDToken, err := verifier.Verify(ctx, in.IDToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCVerifyOut{
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-// Refresh sends a refresh token request and returns a token set.
-func (c *client) Refresh(ctx context.Context, in adaptors.OIDCRefreshIn) (*adaptors.OIDCAuthenticateOut, error) {
-	ctx = c.wrapContext(ctx)
-	currentToken := &oauth2.Token{
-		Expiry:       time.Now(),
-		RefreshToken: in.RefreshToken,
-	}
-	source := c.oauth2Config.TokenSource(ctx, currentToken)
-	token, err := source.Token()
-	if err != nil {
-		return nil, xerrors.Errorf("could not refresh the token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.Debugf(1, "incomplete claims of the ID token: %w", err)
-	}
-	return &adaptors.OIDCAuthenticateOut{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
-	var rawClaims map[string]interface{}
-	err := token.Claims(&rawClaims)
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%f", v.(float64))
-		default:
-			claims[k] = fmt.Sprintf("%s", v)
-		}
-	}
-	if err != nil {
-		return claims, xerrors.Errorf("error while decoding the ID token: %w", err)
-	}
-	return claims, nil
-}
--- a/adaptors/oidc/tls/tls.go
+++ b/adaptors/oidc/tls/tls.go
@@ -1,66 +0,0 @@
-package tls
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"io/ioutil"
-
-	"github.com/int128/kubelogin/adaptors"
-	"golang.org/x/xerrors"
-)
-
-// NewConfig returns a tls.Config with the given certificates and options.
-func NewConfig(config adaptors.OIDCClientConfig, logger adaptors.Logger) (*tls.Config, error) {
-	pool := x509.NewCertPool()
-	if config.Config.IDPCertificateAuthority != "" {
-		logger.Debugf(1, "Loading the certificate %s", config.Config.IDPCertificateAuthority)
-		err := appendCertificateFromFile(pool, config.Config.IDPCertificateAuthority)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority: %w", err)
-		}
-	}
-	if config.Config.IDPCertificateAuthorityData != "" {
-		logger.Debugf(1, "Loading the certificate of idp-certificate-authority-data")
-		err := appendEncodedCertificate(pool, config.Config.IDPCertificateAuthorityData)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority-data: %w", err)
-		}
-	}
-	if config.CACertFilename != "" {
-		logger.Debugf(1, "Loading the certificate %s", config.CACertFilename)
-		err := appendCertificateFromFile(pool, config.CACertFilename)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate: %w", err)
-		}
-	}
-	c := &tls.Config{
-		InsecureSkipVerify: config.SkipTLSVerify,
-	}
-	if len(pool.Subjects()) > 0 {
-		c.RootCAs = pool
-	}
-	return c, nil
-}
-
-func appendCertificateFromFile(pool *x509.CertPool, filename string) error {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return xerrors.Errorf("could not read %s: %w", filename, err)
-	}
-	if !pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate from %s", filename)
-	}
-	return nil
-}
-
-func appendEncodedCertificate(pool *x509.CertPool, base64String string) error {
-	b, err := base64.StdEncoding.DecodeString(base64String)
-	if err != nil {
-		return xerrors.Errorf("could not decode base64: %w", err)
-	}
-	if !pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate")
-	}
-	return nil
-}
--- a/adaptors/tokencache/tokencache.go
+++ b/adaptors/tokencache/tokencache.go
@@ -1,46 +0,0 @@
-package tokencache
-
-import (
-	"encoding/json"
-	"os"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"golang.org/x/xerrors"
-)
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Repository), "*"),
-	wire.Bind(new(adaptors.TokenCacheRepository), new(*Repository)),
-)
-
-type Repository struct{}
-
-func (*Repository) Read(filename string) (*credentialplugin.TokenCache, error) {
-	f, err := os.Open(filename)
-	if err != nil {
-		return nil, xerrors.Errorf("could not open file %s: %w", filename, err)
-	}
-	defer f.Close()
-	d := json.NewDecoder(f)
-	var c credentialplugin.TokenCache
-	if err := d.Decode(&c); err != nil {
-		return nil, xerrors.Errorf("could not decode json file %s: %w", filename, err)
-	}
-	return &c, nil
-}
-
-func (*Repository) Write(filename string, tc credentialplugin.TokenCache) error {
-	f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return xerrors.Errorf("could not create file %s: %w", filename, err)
-	}
-	defer f.Close()
-	e := json.NewEncoder(f)
-	if err := e.Encode(&tc); err != nil {
-		return xerrors.Errorf("could not encode json to file %s: %w", filename, err)
-	}
-	return nil
-}
--- a/di/di.go
+++ b/di/di.go
@@ -1,57 +0,0 @@
-//+build wireinject
-
-// Package di provides dependency injection.
-package di
-
-import (
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/cmd"
-	credentialPluginAdaptor "github.com/int128/kubelogin/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/adaptors/env"
-	"github.com/int128/kubelogin/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/adaptors/logger"
-	"github.com/int128/kubelogin/adaptors/oidc"
-	"github.com/int128/kubelogin/adaptors/tokencache"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/auth"
-	credentialPluginUseCase "github.com/int128/kubelogin/usecases/credentialplugin"
-	"github.com/int128/kubelogin/usecases/login"
-)
-
-// NewCmd returns an instance of adaptors.Cmd.
-func NewCmd() adaptors.Cmd {
-	wire.Build(
-		auth.Set,
-		auth.ExtraSet,
-		login.Set,
-		credentialPluginUseCase.Set,
-		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		credentialPluginAdaptor.Set,
-		oidc.Set,
-		logger.Set,
-	)
-	return nil
-}
-
-// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
-func NewCmdForHeadless(
-	adaptors.Logger,
-	usecases.LoginShowLocalServerURL,
-	adaptors.CredentialPluginInteraction,
-) adaptors.Cmd {
-	wire.Build(
-		auth.Set,
-		login.Set,
-		credentialPluginUseCase.Set,
-		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		oidc.Set,
-	)
-	return nil
-}
--- a/di/wire_gen.go
+++ b/di/wire_gen.go
@@ -1,92 +0,0 @@
-// Code generated by Wire. DO NOT EDIT.
-
-//go:generate wire
-//+build !wireinject
-
-package di
-
-import (
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/cmd"
-	"github.com/int128/kubelogin/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/adaptors/env"
-	"github.com/int128/kubelogin/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/adaptors/logger"
-	"github.com/int128/kubelogin/adaptors/oidc"
-	"github.com/int128/kubelogin/adaptors/tokencache"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/auth"
-	credentialplugin2 "github.com/int128/kubelogin/usecases/credentialplugin"
-	"github.com/int128/kubelogin/usecases/login"
-)
-
-// Injectors from di.go:
-
-func NewCmd() adaptors.Cmd {
-	adaptorsLogger := logger.New()
-	factory := &oidc.Factory{
-		Logger: adaptorsLogger,
-	}
-	envEnv := &env.Env{}
-	showLocalServerURL := &auth.ShowLocalServerURL{
-		Logger: adaptorsLogger,
-	}
-	authentication := &auth.Authentication{
-		OIDC:               factory,
-		Env:                envEnv,
-		Logger:             adaptorsLogger,
-		ShowLocalServerURL: showLocalServerURL,
-	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
-	loginLogin := &login.Login{
-		Authentication: authentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		Logger:         adaptorsLogger,
-	}
-	repository := &tokencache.Repository{}
-	interaction := &credentialplugin.Interaction{}
-	getToken := &credentialplugin2.GetToken{
-		Authentication:       authentication,
-		TokenCacheRepository: repository,
-		Interaction:          interaction,
-		Logger:               adaptorsLogger,
-	}
-	cmdCmd := &cmd.Cmd{
-		Login:    loginLogin,
-		GetToken: getToken,
-		Logger:   adaptorsLogger,
-	}
-	return cmdCmd
-}
-
-func NewCmdForHeadless(adaptorsLogger adaptors.Logger, loginShowLocalServerURL usecases.LoginShowLocalServerURL, credentialPluginInteraction adaptors.CredentialPluginInteraction) adaptors.Cmd {
-	factory := &oidc.Factory{
-		Logger: adaptorsLogger,
-	}
-	envEnv := &env.Env{}
-	authentication := &auth.Authentication{
-		OIDC:               factory,
-		Env:                envEnv,
-		Logger:             adaptorsLogger,
-		ShowLocalServerURL: loginShowLocalServerURL,
-	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
-	loginLogin := &login.Login{
-		Authentication: authentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		Logger:         adaptorsLogger,
-	}
-	repository := &tokencache.Repository{}
-	getToken := &credentialplugin2.GetToken{
-		Authentication:       authentication,
-		TokenCacheRepository: repository,
-		Interaction:          credentialPluginInteraction,
-		Logger:               adaptorsLogger,
-	}
-	cmdCmd := &cmd.Cmd{
-		Login:    loginLogin,
-		GetToken: getToken,
-		Logger:   adaptorsLogger,
-	}
-	return cmdCmd
-}
--- a/docs/authn.png
+++ b/docs/authn.png
--- a/docs/authn.seqdiag
+++ b/docs/authn.seqdiag
@@ -1,16 +0,0 @@
-seqdiag {
-  User -> kubelogin [label = "execute"];
-  kubelogin -> Browser [label = "open"];
-  Browser -> Provider [label = "authentication request"];
-  Browser <-- Provider [label = "redirect"];
-  User -> Browser [label = "enter credentials"];
-  Browser -> Provider [label = "credentials"];
-  Browser <-- Provider [label = "authentication response"];
-  User <-- Browser [label = "success"];
-  kubelogin <-- Browser [label = "close"];
-  kubelogin -> Provider [label = "token request"];
-  kubelogin <-- Provider [label = "token response"];
-  kubelogin -> kubeconfig [label = "write token"];
-  kubelogin <-- kubeconfig;
-  User <-- kubelogin;
-}
--- a/docs/dex.md
+++ b/docs/dex.md
@@ -0,0 +1,131 @@
+# Getting Started with dex and GitHub
+
+Prerequisite:
+
+- You have a GitHub account.
+- You have an administrator role of the Kubernetes cluster.
+- You can configure the Kubernetes API server.
+- `kubectl` and `kubelogin` are installed.
+
+
+## 1. Set up the OpenID Connect Provider
+
+Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an application with the following setting:
+
+- Application name: (any)
+- Homepage URL: `https://dex.example.com`
+- Authorization callback URL: `https://dex.example.com/callback`
+
+Deploy the [dex](https://github.com/dexidp/dex) with the following config:
+
+```yaml
+issuer: https://dex.example.com
+connectors:
+- type: github
+  id: github
+  name: GitHub
+  config:
+    clientID: YOUR_GITHUB_CLIENT_ID
+    clientSecret: YOUR_GITHUB_CLIENT_SECRET
+    redirectURI: https://dex.example.com/callback
+staticClients:
+- id: YOUR_CLIENT_ID
+  name: Kubernetes
+  redirectURIs:
+  - http://localhost:8000
+  - http://localhost:18000
+  secret: YOUR_DEX_CLIENT_SECRET
+```
+
+
+## 2. Verify authentication
+
+Run the following command:
+
+```sh
+kubectl oidc-login setup \
+  --oidc-issuer-url=https://dex.example.com \
+  --oidc-client-id=YOUR_CLIENT_ID \
+  --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+It will open the browser and you can log in to the provider.
+
+
+## 3. Bind a role
+
+Bind the `cluster-admin` role to you.
+Apply the following manifest:
+
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: oidc-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: User
+  name: https://dex.example.com#YOUR_SUBJECT
+```
+
+As well as you can create a custom role and bind it.
+
+
+## 4. Set up the Kubernetes API server
+
+Add the following options to the kube-apiserver:
+
+```
+--oidc-issuer-url=https://dex.example.com
+--oidc-client-id=YOUR_CLIENT_ID
+```
+
+See [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for details.
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://dex.example.com
+    oidcClientID: YOUR_CLIENT_ID
+```
+
+
+## 5. Set up the kubeconfig
+
+Add the following user to the kubeconfig:
+
+```yaml
+users:
+- name: google
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://dex.example.com
+      - --oidc-client-id=YOUR_CLIENT_ID
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+You can share the kubeconfig to your team members for on-boarding.
+
+
+## 6. Verify cluster access
+
+Make sure you can access the Kubernetes cluster.
+
+```
+% kubectl get nodes
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-16 22:03:13 +0900 JST
+NAME                                    STATUS    ROLES     AGE       VERSION
+ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
+ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
+```
--- a/docs/google.md
+++ b/docs/google.md
@@ -1,39 +1,38 @@
 # Getting Started with Google Identity Platform

-## Prerequisite
+Prerequisite:

 - You have a Google account.
- You have the Cluster Admin role of the Kubernetes cluster.
+- You have an administrator role of the Kubernetes cluster.
 - You can configure the Kubernetes API server.
 - `kubectl` and `kubelogin` are installed to your computer.

-## 1. Setup Google API
+
+## 1. Set up the OpenID Connect Provider

 Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:

 - Application Type: Other

-## 2. Setup Kubernetes API server

-Configure your Kubernetes API Server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+## 2. Verify authentication

-```
--oidc-issuer-url=https://accounts.google.com
--oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
+Run the following command:
+
+```sh
+kubectl oidc-login setup \
+  --oidc-issuer-url=https://accounts.google.com \
+  --oidc-client-id=YOUR_CLIENT_ID \
+  --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+It will open the browser and you can log in to the provider.

-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://accounts.google.com
-    oidcClientID: YOUR_CLIENT_ID.apps.googleusercontent.com
-```

-## 3. Setup Kubernetes cluster
+## 3. Bind a role

-Here assign the `cluster-admin` role to you.
+Bind the `cluster-admin` role to you.
+Apply the following manifest:

 ```yaml
 kind: ClusterRoleBinding
@@ -46,14 +45,36 @@ roleRef:
  name: cluster-admin
 subjects:
 - kind: User
-  name: https://accounts.google.com#1234567890
+  name: https://accounts.google.com#YOUR_SUBJECT
 ```

-You can create a custom role and assign it as well.
+As well as you can create a custom role and bind it.

-## 4. Setup kubeconfig

-Configure the kubeconfig like:
+## 4. Set up the Kubernetes API server
+
+Add the following options to the kube-apiserver:
+
+```
+--oidc-issuer-url=https://accounts.google.com
+--oidc-client-id=YOUR_CLIENT_ID
+```
+
+See [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for details.
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://accounts.google.com
+    oidcClientID: YOUR_CLIENT_ID
+```
+
+
+## 5. Set up the kubeconfig
+
+Add the following user to the kubeconfig:

 ```yaml
 users:
@@ -61,23 +82,26 @@ users:
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
+      command: kubectl
      args:
+      - oidc-login
      - get-token
      - --oidc-issuer-url=https://accounts.google.com
-      - --oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
+      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

-## 5. Run kubectl
+You can share the kubeconfig to your team members for on-boarding.

-Make sure you can access to the Kubernetes cluster.
+
+## 6. Verify cluster access
+
+Make sure you can access the Kubernetes cluster.

 ```
 % kubectl get nodes
 Open http://localhost:8000 for authentication
 You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
 NAME                                    STATUS    ROLES     AGE       VERSION
 ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
 ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
--- a/docs/keycloak.md
+++ b/docs/keycloak.md
@@ -1,17 +1,18 @@
 # Getting Started with Keycloak

-## Prerequisite
+Prerequisite:

 - You have an administrator role of the Keycloak realm.
 - You have an administrator role of the Kubernetes cluster.
 - You can configure the Kubernetes API server.
 - `kubectl` and `kubelogin` are installed.

-## 1. Setup Keycloak
+
+## 1. Set up the OpenID Connect Provider

 Open the Keycloak and create an OIDC client as follows:

- Client ID: `kubernetes`
+- Client ID: `YOUR_CLIENT_ID`
 - Valid Redirect URLs:
    - `http://localhost:8000`
    - `http://localhost:18000` (used if the port 8000 is already in use)
@@ -21,80 +22,101 @@ You can associate client roles by adding the following mapper:

 - Name: `groups`
 - Mapper Type: `User Client Role`
- Client ID: `kubernetes`
+- Client ID: `YOUR_CLIENT_ID`
 - Client Role prefix: `kubernetes:`
 - Token Claim Name: `groups`
 - Add to ID token: on

 For example, if you have the `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.

-## 2. Setup Kubernetes API server

-Configure your Kubernetes API server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+## 2. Verify authentication

-```
--oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
--oidc-client-id=kubernetes
--oidc-groups-claim=groups
+Run the following command:
+
+```sh
+kubectl oidc-login setup \
+  --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM \
+  --oidc-client-id=YOUR_CLIENT_ID \
+  --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and add the following spec:
+It will open the browser and you can log in to the provider.

-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
-    oidcClientID: kubernetes
-    oidcGroupsClaim: groups
-```

-## 3. Setup Kubernetes cluster
+## 3. Bind a role

-Here assign the `cluster-admin` role to the `kubernetes:admin` group.
+Bind the `cluster-admin` role to you.
+Apply the following manifest:

 ```yaml
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: keycloak-admin-group
+  name: oidc-admin-group
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
- kind: Group
-  name: kubernetes:admin
+- kind: User
+  name: https://keycloak.example.com/auth/realms/YOUR_REALM#YOUR_SUBJECT
 ```

-You can create a custom role and assign it as well.
+As well as you can create a custom role and bind it.

-## 4. Setup kubeconfig

-Configure the kubeconfig like:
+## 4. Set up the Kubernetes API server
+
+Add the following options to the kube-apiserver:
+
+```
+--oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
+--oidc-client-id=YOUR_CLIENT_ID
+```
+
+See [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for details.
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
+    oidcClientID: YOUR_CLIENT_ID
+```
+
+
+## 5. Set up the kubeconfig
+
+Add the following user to the kubeconfig:

 ```yaml
 users:
- name: keycloak
+- name: google
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
+      command: kubectl
      args:
+      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
-      - --oidc-client-id=kubernetes
+      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

-## 5. Run kubectl
+You can share the kubeconfig to your team members for on-boarding.

-Make sure you can access to the Kubernetes cluster.
+
+## 6. Verify cluster access
+
+Make sure you can access the Kubernetes cluster.

 ```
 % kubectl get nodes
 Open http://localhost:8000 for authentication
 You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
 NAME                                    STATUS    ROLES     AGE       VERSION
 ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
 ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -0,0 +1,178 @@
+# Standalone mode
+
+You can run kubelogin as a standalone command.
+In this mode, you need to manually run the command before running kubectl.
+
+Configure the kubeconfig like:
+
+```yaml
+- name: keycloak
+  user:
+    auth-provider:
+      config:
+        client-id: YOUR_CLIENT_ID
+        client-secret: YOUR_CLIENT_SECRET
+        idp-issuer-url: https://issuer.example.com
+      name: oidc
+```
+
+Run kubelogin:
+
+```sh
+kubelogin
+
+# or run as a kubectl plugin
+kubectl oidc-login
+```
+
+It automatically opens the browser and you can log in to the provider.
+
+<img src="keycloak-login.png" alt="keycloak-login" width="455" height="329">
+
+After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
+
+```
+% kubelogin
+Open http://localhost:8000 for authentication
+You got a valid token until 2019-05-18 10:28:51 +0900 JST
+Updated ~/.kubeconfig
+```
+
+Now you can access the cluster.
+
+```
+% kubectl get pods
+NAME                          READY   STATUS    RESTARTS   AGE
+echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
+```
+
+Your kubeconfig looks like:
+
+```yaml
+users:
+- name: keycloak
+  user:
+    auth-provider:
+      config:
+        client-id: YOUR_CLIENT_ID
+        client-secret: YOUR_CLIENT_SECRET
+        idp-issuer-url: https://issuer.example.com
+        id-token: ey...       # kubelogin will add or update the ID token here
+        refresh-token: ey...  # kubelogin will add or update the refresh token here
+      name: oidc
+```
+
+If the ID token is valid, kubelogin does nothing.
+
+```
+% kubelogin
+You already have a valid token until 2019-05-18 10:28:51 +0900 JST
+```
+
+If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
+If the refresh token has expired, kubelogin will proceed the authentication.
+
+
+## Usage
+
+Kubelogin supports the following options:
+
+```
+% kubectl oidc-login -h
+Login to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+Run the following command to show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.
+
+Usage:
+  main [flags]
+  main [command]
+
+Available Commands:
+  get-token   Run as a kubectl credential plugin
+  help        Help about any command
+  setup       Show the setup instruction
+  version     Print the version information
+
+Flags:
+      --kubeconfig string                Path to the kubeconfig file
+      --context string                   The name of the kubeconfig context to use
+      --user string                      The name of the kubeconfig user to use. Prior to --context
+      --listen-port ints                 Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
+      --skip-open-browser                If true, it does not open the browser on authentication
+      --username string                  If set, perform the resource owner password credentials grant
+      --password string                  If set, use the password instead of asking it
+      --certificate-authority string     Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --add_dir_header                   If true, adds the file directory to the header
+      --alsologtostderr                  log to standard error as well as files
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory
+      --log_file string                  If non-empty, use this log file
+      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files
+      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+  -h, --help                             help for main
+      --version                          version for main
+```
+
+### Kubeconfig
+
+You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
+It defaults to `~/.kube/config`.
+
+```sh
+# by the option
+kubelogin --kubeconfig /path/to/kubeconfig
+
+# by the environment variable
+KUBECONFIG="/path/to/kubeconfig1:/path/to/kubeconfig2" kubelogin
+```
+
+If you set multiple files, kubelogin will find the file which has the current authentication (i.e. `user` and `auth-provider`) and write a token to it.
+
+Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
+See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
+
+Key | Direction | Value
+----|-----------|------
+`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
+`client-id`                       | Read (Mandatory) | Client ID of the provider.
+`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
+`idp-certificate-authority`       | Read | CA certificate path of the provider.
+`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
+`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
+`id-token`                        | Write | ID token got from the provider.
+`refresh-token`                   | Write | Refresh token got from the provider.
+
+### Extra scopes
+
+You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
+
+```sh
+kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
+```
+
+Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
+
+```sh
+kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
+sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
+```
+
+### CA Certificates
+
+You can use your self-signed certificates for the provider.
+
+```sh
+kubectl config set-credentials keycloak \
+  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
+```
--- a/docs/team_ops.md
+++ b/docs/team_ops.md
@@ -1,42 +0,0 @@
-# Team on-boarding
-
-## kops
-
-Export the kubeconfig.
-
-```sh
-KUBECONFIG=.kubeconfig kops export kubecfg hello.k8s.local
-```
-
-Remove the `admin` access from the kubeconfig.
-It should look as like:
-
-```yaml
-apiVersion: v1
-kind: Config
-clusters:
-  - cluster:
-      certificate-authority-data: LS...
-      server: https://api.hello.k8s.example.com
-      name: hello.k8s.local
-contexts:
- context:
-    cluster: hello.k8s.local
-    user: hello.k8s.local
-  name: hello.k8s.local
-current-context: hello.k8s.local
-preferences: {}
-users:
- name: hello.k8s.local
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-You can share the kubeconfig to your team members for on-boarding.
--- a/e2e_test/credetial_plugin_test.go
+++ b/e2e_test/credetial_plugin_test.go
@@ -2,19 +2,20 @@ package e2e_test

 import (
 	"context"
+	"io/ioutil"
+	"os"
 	"testing"
 	"time"

 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/di"
 	"github.com/int128/kubelogin/e2e_test/idp"
 	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
 	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/e2e_test/logger"
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"github.com/int128/kubelogin/usecases"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin/mock_credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
 )

 // Run the integration tests of the credential plugin use-case.
@@ -26,6 +27,15 @@ import (
 //
 func TestCmd_Run_CredentialPlugin(t *testing.T) {
 	timeout := 1 * time.Second
+	cacheDir, err := ioutil.TempDir("", "kube")
+	if err != nil {
+		t.Fatalf("could not create a cache dir: %s", err)
+	}
+	defer func() {
+		if err := os.RemoveAll(cacheDir); err != nil {
+			t.Errorf("could not clean up the cache dir: %s", err)
+		}
+	}()

 	t.Run("Defaults", func(t *testing.T) {
 		t.Parallel()
@@ -40,7 +50,7 @@ func TestCmd_Run_CredentialPlugin(t *testing.T) {
 		var idToken string
 		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)

-		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
 		credentialPluginInteraction.EXPECT().
 			Write(gomock.Any()).
 			Do(func(out credentialplugin.Output) {
@@ -52,21 +62,21 @@ func TestCmd_Run_CredentialPlugin(t *testing.T) {
 				}
 			})

-		req := startBrowserRequest(t, ctx, nil)
-		runGetTokenCmd(t, ctx, req, credentialPluginInteraction,
+		runGetTokenCmd(t, ctx,
+			openBrowserOnReadyFunc(t, ctx, nil),
+			credentialPluginInteraction,
 			"--skip-open-browser",
 			"--listen-port", "0",
-			"--token-cache", "/dev/null",
+			"--token-cache-dir", cacheDir,
 			"--oidc-issuer-url", serverURL,
 			"--oidc-client-id", "kubernetes",
 		)
-		req.wait()
 	})
 }

-func runGetTokenCmd(t *testing.T, ctx context.Context, s usecases.LoginShowLocalServerURL, interaction adaptors.CredentialPluginInteraction, args ...string) {
+func runGetTokenCmd(t *testing.T, ctx context.Context, localServerReadyFunc auth.LocalServerReadyFunc, interaction credentialplugin.Interface, args ...string) {
 	t.Helper()
-	cmd := di.NewCmdForHeadless(logger.New(t), s, interaction)
+	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, interaction)
 	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "get-token", "--v=1"}, args...), "HEAD")
 	if exitCode != 0 {
 		t.Errorf("exit status wants 0 but %d", exitCode)
--- a/e2e_test/keys/testdata/.gitignore
+++ b/e2e_test/keys/testdata/.gitignore
@@ -1,4 +1 @@
 /CA
-*.key
-*.csr
-*.crt
--- a/e2e_test/keys/testdata/Makefile
+++ b/e2e_test/keys/testdata/Makefile
@@ -1,13 +1,15 @@
+EXPIRY := 3650
+
+all: ca.key ca.crt server.key server.crt jws.key
+
 .PHONY: clean
-
-all: server.crt ca.crt jws.key
-
 clean:
-	rm -v ca.* server.*
+	-rm -v ca.* server.* jws.*

 ca.key:
 	openssl genrsa -out $@ 1024

+.INTERMEDIATE: ca.csr
 ca.csr: openssl.cnf ca.key
 	openssl req -config openssl.cnf \
 		-new \
@@ -17,7 +19,9 @@ ca.csr: openssl.cnf ca.key
 	openssl req -noout -text -in $@

 ca.crt: ca.csr ca.key
-	openssl x509 -req \
+	openssl x509 \
+		-req \
+		-days $(EXPIRY) \
 		-signkey ca.key \
 		-in ca.csr \
 		-out $@
@@ -26,6 +30,7 @@ ca.crt: ca.csr ca.key
 server.key:
 	openssl genrsa -out $@ 1024

+.INTERMEDIATE: server.csr
 server.csr: openssl.cnf server.key
 	openssl req -config openssl.cnf \
 		-new \
@@ -41,6 +46,7 @@ server.crt: openssl.cnf server.csr ca.key ca.crt
 	touch CA/index.txt.attr
 	echo 00 > CA/serial
 	openssl ca -config openssl.cnf \
+		-days $(EXPIRY) \
 		-extensions v3_req \
 		-batch \
 		-cert ca.crt \
--- a/e2e_test/keys/testdata/ca.crt
+++ b/e2e_test/keys/testdata/ca.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnTCCAQYCCQC/aR7GRyndljANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAhI
+ZWxsbyBDQTAeFw0xOTA5MjUxNDQ0NTFaFw0yOTA5MjIxNDQ0NTFaMBMxETAPBgNV
+BAMMCEhlbGxvIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnSTDsRx4U
+JmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ4Pc51itOycWN1nclNVb489i9
+J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3Lu4mysxyOtYZNsdST8GBCP0m4
+2tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
+AE/gsgTC4jzYC3icZdhALJTe3JsZ7geN702dE95zSI5LXAzzHJ/j8wGmorQjrMs2
+iNPjVOdTU6cVWa1Ba29wWakVyVCUqDmDiWHaVhM/Qyyxo6mVlZGFwSnto3zq/h4y
+KMFJ8lUtFCYMrzo5wqgj2xOjVrN77F6F4XWZbMufh50G
+-----END CERTIFICATE-----
--- a/e2e_test/keys/testdata/ca.key
+++ b/e2e_test/keys/testdata/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDnSTDsRx4UJmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ
+4Pc51itOycWN1nclNVb489i9J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3L
+u4mysxyOtYZNsdST8GBCP0m42tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQAB
+AoGAaYmTYm29QvKW4et9oPxDjpYG0bqlz7P0xFRR9kKtKTATAMHjWeu2xFR/JI+b
+rvJLIdZqHmWe5AmMb3NxZgfLonEB71ohaKQha1L8Vc7aoedRheJvqqaNr+ZxoCMO
+8xcjsaMYxLEVt0tg6XyKyEhi1/hOufFZ4BSng4oQbrpaNIkCQQD6hPEzzPZtMEEe
+eRdwTVUIStKFMQbRdwZ5Oc7pyDk2U+SFRJiqkBkqnmFekcf2UgbBQxem+GMhWNgE
+LItKy/wVAkEA7FiHxbzn2msaE3hZCWudtnXqmJNuPO0zJ5icXe2svwmwPfLA/rm9
+iazCuyzyK67J8IG9QgIjQFYXtQbMr2chGwJBAMm3dghBx0LQEf8Zfdf9TLSqmqyI
+d3b+IgZGl+cCQ58NGfp863ibIsiAUuK0+4/JKItBHLBjXF6jjPx/aYFGkqkCQH4w
+GnXCEYx1qJuCow87jR4xQQsrlC0lfC2E9t/TmWr6UkYRCWg3ZXJPcj0bl0Upcppd
+ut22ZHniPZAizEBOcMcCQQDnMEOxufxhMsx2NC8yON/noewLINqKcbkMsl6DjvJl
+wLbQmzJ0j+uIBgdpsj4rWnEr7GxoL2eWG44QDUBco79
+-----END RSA PRIVATE KEY-----
--- a/e2e_test/keys/testdata/jws.key
+++ b/e2e_test/keys/testdata/jws.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQCZukkN1GxMlNXkpOZxCnvCF874/rn1sNKzO98fOwmBRPG2+m/c
+yqBY7t2L2nihqz3+GZTiHmzSrBzMAGPVW1qGmk9KYg3m7akz9SiCxdoUkgM9MCCp
+X/s8IhgtXkyoKFPcGdwHblDl/3aJG02b6TAQD8vTNQAKoKw7L0FST+pvRwIDAQAB
+AoGBAJT1fXR5MbfDQL+dSe6fSex5RYTgzzDTdldW3I1Wl487Tz0OzvYTIe0LCIJL
+4DhHxnpCL5IsCSbav8ytVA+ZxczHpEW6UxbalXt5UfgFu0joTrdoGxDcVWgUCW3J
+Olbln0lOP55wViKh509gt45Za3VxJrNul3khVfVj7qGG9cKBAkEAxwtT8LxwqTYF
+nqoeZvPp15JAqlgdk38ttJa4KEqvpBTSxNIXkL9T5gJ+irKZAzxlz/U7bhn5mw6E
+3xFiljOXpQJBAMW3XRFOjgNBXNjbt81wREF5LdZl9EI8cRMSH6xljt2uwSqw4EG3
+76gFvccUd+WnfspFQZVypSSD4pWzsAqh13sCQQCA9BLW5Y7r4ab0a2y08JNwaT1h
+3yKSO5QF6pu25uQyHpeKkj5YNcyKONV40EqXsRqZB10QcN2omlh1GJNRkm1NAkEA
+qV3lr4mnRUqcinfM/4MINT3k8h/sGUFFa5y+3SMyOtwURMm3kRRLi5c/dmYmPug4
+SHUDNU48AQeo9awzRShWOQJBAJdw+cfRgi4fo3HY33uZdFa1T9G+qTA2ijhco6O3
+8tOc0yOFEtPNXM87MsHGIQP3ZCLfIY1gs2O3WCTFbPxR4rc=
+-----END RSA PRIVATE KEY-----
--- a/e2e_test/keys/testdata/openssl.cnf
+++ b/e2e_test/keys/testdata/openssl.cnf
@@ -10,7 +10,6 @@ new_certs_dir   = $dir
 default_md      = sha256
 policy          = policy_match
 serial          = $dir/serial
-default_days    = 365

 [ policy_match ]
 countryName             = optional
--- a/e2e_test/keys/testdata/server.crt
+++ b/e2e_test/keys/testdata/server.crt
@@ -0,0 +1,52 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=Hello CA
+        Validity
+            Not Before: Aug 18 06:00:06 2019 GMT
+            Not After : Aug 15 06:00:06 2029 GMT
+        Subject: CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:d6:4e:eb:3a:cb:25:f9:7e:92:22:f2:63:99:da:
+                    08:05:8b:a3:e7:d3:fd:71:3e:bd:da:c5:d5:63:b7:
+                    d3:7b:f8:cd:1a:2e:5c:a2:4f:48:98:c2:b4:da:e8:
+                    1e:d3:d7:8f:d8:ee:a9:70:d0:9d:4f:f4:8d:95:e5:
+                    8e:9a:71:b6:80:aa:0b:cb:28:1d:f6:0d:7e:aa:78:
+                    bf:30:e6:58:d7:6b:92:8f:19:1c:7d:95:f8:d5:2f:
+                    8c:58:49:98:88:05:50:88:80:a9:77:c4:16:b4:c1:
+                    00:45:1e:d3:d0:ed:98:4d:f7:a3:5d:f1:82:cb:a5:
+                    4d:19:64:4d:43:db:13:d4:17
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         5a:5c:5e:8b:de:82:86:f4:98:40:0e:cf:c5:51:fe:89:46:49:
+         f0:26:d2:a5:06:e3:91:43:c1:f8:b2:ad:b7:a1:23:13:1a:80:
+         45:00:51:70:b6:06:63:c6:a8:c8:22:5d:1b:00:e0:4a:8c:2e:
+         ce:b4:da:b1:89:8a:d2:d0:e3:eb:0f:16:34:45:a1:bd:64:5c:
+         48:41:8c:0a:bf:66:be:1c:a8:35:47:ce:b0:dc:c8:4f:5e:c1:
+         ec:ef:21:fb:45:55:95:e3:99:40:46:0b:6c:8a:b3:d5:f0:bf:
+         39:a4:ba:c4:d7:58:88:58:08:07:98:59:6e:ca:9c:08:e4:c4:
+         4f:db
+-----BEGIN CERTIFICATE-----
+MIIBzTCCATagAwIBAgIBADANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhIZWxs
+byBDQTAeFw0xOTA4MTgwNjAwMDZaFw0yOTA4MTUwNjAwMDZaMBQxEjAQBgNVBAMM
+CWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1k7rOssl+X6S
+IvJjmdoIBYuj59P9cT692sXVY7fTe/jNGi5cok9ImMK02uge09eP2O6pcNCdT/SN
+leWOmnG2gKoLyygd9g1+qni/MOZY12uSjxkcfZX41S+MWEmYiAVQiICpd8QWtMEA
+RR7T0O2YTfejXfGCy6VNGWRNQ9sT1BcCAwEAAaMwMC4wCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBeAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4GB
+AFpcXovegob0mEAOz8VR/olGSfAm0qUG45FDwfiyrbehIxMagEUAUXC2BmPGqMgi
+XRsA4EqMLs602rGJitLQ4+sPFjRFob1kXEhBjAq/Zr4cqDVHzrDcyE9ewezvIftF
+VZXjmUBGC2yKs9XwvzmkusTXWIhYCAeYWW7KnAjkxE/b
+-----END CERTIFICATE-----
--- a/e2e_test/keys/testdata/server.key
+++ b/e2e_test/keys/testdata/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDWTus6yyX5fpIi8mOZ2ggFi6Pn0/1xPr3axdVjt9N7+M0aLlyi
+T0iYwrTa6B7T14/Y7qlw0J1P9I2V5Y6acbaAqgvLKB32DX6qeL8w5ljXa5KPGRx9
+lfjVL4xYSZiIBVCIgKl3xBa0wQBFHtPQ7ZhN96Nd8YLLpU0ZZE1D2xPUFwIDAQAB
+AoGBAJhNR7Dl1JwFzndViWE6aP7/6UEFEBWeADDs7aTLbFmrTJ+xmRWkgLRHk14L
+HnVwuYLywaoyJ8o9wy1nEbxC2e4zWZ94d351MQf3/komCXDBzEsktfAcNsAFnMmS
+HZuGXfhi0FYWoftpIGxUmEBmQRcq0ctycbLves6TY3y+oajpAkEA8UHmSr/zsM3E
+XQXPp2BCAvRrTH/njk4R0jwB29Bi89gt/XDD4uvfWbHw7TZxnZuCpWisnxpMPIwa
+1rjqIQmhEwJBAONncQUOxwYCIuvraIhV0QtkIUa+YpTvAxP8ZNXx+agtHmHG2TTf
+kGv2YddvjxXZItN/FZOzUGm9OptaeLRTpW0CQHO8CEzNnoqve0agtgf2LlSaiiqt
+pRhoLTZsYPvhEMcnapCNGvtt6bxul0REfOZ9poPRHhZJGE9naqydEnv80Y8CQQC3
+pxLfws95SsBpR/VkJepuCK/XMmrrXRxfR7coEgROjiG7VZyV1vgMOS9Ljg1A19wI
+cto6LtcCjpCGZsqU1/kBAkEAv2tXBts3vuIjguZNMz7KLWmu3zG2SQRaqdEZwL+R
+DQmD5tbI6gEtd5OmgmSiW8A4mpfgFYvG7Um2fwi7TTXtSA==
+-----END RSA PRIVATE KEY-----
--- a/e2e_test/logger/logger.go
+++ b/e2e_test/logger/logger.go
@@ -1,27 +0,0 @@
-package logger
-
-import (
-	"github.com/int128/kubelogin/adaptors/logger"
-)
-
-func New(t testingLogger) *logger.Logger {
-	b := &bridge{t}
-	return logger.NewWith(b, b)
-}
-
-type testingLogger interface {
-	Logf(format string, v ...interface{})
-}
-
-type bridge struct {
-	t testingLogger
-}
-
-func (b *bridge) Printf(format string, v ...interface{}) {
-	b.t.Logf(format, v...)
-}
-
-func (b *bridge) Output(calldepth int, s string) error {
-	b.t.Logf("%s", s)
-	return nil
-}
--- a/e2e_test/standalone_test.go
+++ b/e2e_test/standalone_test.go
@@ -5,20 +5,19 @@ import (
 	"crypto/tls"
 	"net/http"
 	"os"
-	"sync"
 	"testing"
 	"time"

 	"github.com/dgrijalva/jwt-go"
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/di"
 	"github.com/int128/kubelogin/e2e_test/idp"
 	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
 	"github.com/int128/kubelogin/e2e_test/keys"
 	"github.com/int128/kubelogin/e2e_test/kubeconfig"
 	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/e2e_test/logger"
-	"github.com/int128/kubelogin/usecases"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
 )

 var (
@@ -33,8 +32,8 @@ var (
 // 3. Open a request for the local server.
 // 4. Verify the kubeconfig.
 //
-func TestCmd_Run_Login(t *testing.T) {
-	timeout := 1 * time.Second
+func TestCmd_Run_Standalone(t *testing.T) {
+	timeout := 5 * time.Second

 	type testParameter struct {
 		startServer                       func(t *testing.T, h http.Handler) (string, localserver.Shutdowner)
@@ -58,7 +57,7 @@ func TestCmd_Run_Login(t *testing.T) {
 	runTest := func(t *testing.T, p testParameter) {
 		t.Run("Defaults", func(t *testing.T) {
 			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			ctrl := gomock.NewController(t)
 			defer ctrl.Finish()
@@ -75,9 +74,9 @@ func TestCmd_Run_Login(t *testing.T) {
 			})
 			defer os.Remove(kubeConfigFilename)

-			req := startBrowserRequest(t, ctx, p.clientTLSConfig)
-			runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-			req.wait()
+			runCmd(t, ctx,
+				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
+				"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
 			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 				IDToken:      idToken,
 				RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -86,7 +85,7 @@ func TestCmd_Run_Login(t *testing.T) {

 		t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
 			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			ctrl := gomock.NewController(t)
 			defer ctrl.Finish()
@@ -106,7 +105,9 @@ func TestCmd_Run_Login(t *testing.T) {
 			})
 			defer os.Remove(kubeConfigFilename)

-			runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--username", "USER", "--password", "PASS")
+			runCmd(t, ctx,
+				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
+				"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--username", "USER", "--password", "PASS")
 			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 				IDToken:      idToken,
 				RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -115,7 +116,7 @@ func TestCmd_Run_Login(t *testing.T) {

 		t.Run("HasValidToken", func(t *testing.T) {
 			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			ctrl := gomock.NewController(t)
 			defer ctrl.Finish()
@@ -124,8 +125,6 @@ func TestCmd_Run_Login(t *testing.T) {
 			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
 			defer server.Shutdown(t, ctx)
 			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))

 			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 				Issuer:                  serverURL,
@@ -135,7 +134,9 @@ func TestCmd_Run_Login(t *testing.T) {
 			})
 			defer os.Remove(kubeConfigFilename)

-			runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
+			runCmd(t, ctx,
+				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
+				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
 			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 				IDToken:      idToken,
 				RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -144,7 +145,7 @@ func TestCmd_Run_Login(t *testing.T) {

 		t.Run("HasValidRefreshToken", func(t *testing.T) {
 			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			ctrl := gomock.NewController(t)
 			defer ctrl.Finish()
@@ -166,7 +167,9 @@ func TestCmd_Run_Login(t *testing.T) {
 			})
 			defer os.Remove(kubeConfigFilename)

-			runCmd(t, ctx, &nopBrowserRequest{t}, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
+			runCmd(t, ctx,
+				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
+				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
 			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 				IDToken:      idToken,
 				RefreshToken: "NEW_REFRESH_TOKEN",
@@ -175,7 +178,7 @@ func TestCmd_Run_Login(t *testing.T) {

 		t.Run("HasExpiredRefreshToken", func(t *testing.T) {
 			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 			defer cancel()
 			ctrl := gomock.NewController(t)
 			defer ctrl.Finish()
@@ -197,8 +200,9 @@ func TestCmd_Run_Login(t *testing.T) {
 			})
 			defer os.Remove(kubeConfigFilename)

-			req := startBrowserRequest(t, ctx, p.clientTLSConfig)
-			runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser")
+			runCmd(t, ctx,
+				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
+				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
 			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 				IDToken:      idToken,
 				RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -214,7 +218,7 @@ func TestCmd_Run_Login(t *testing.T) {

 	t.Run("env:KUBECONFIG", func(t *testing.T) {
 		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
@@ -230,9 +234,9 @@ func TestCmd_Run_Login(t *testing.T) {
 		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
 		defer unsetenv(t, "KUBECONFIG")

-		req := startBrowserRequest(t, ctx, nil)
-		runCmd(t, ctx, req, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
+		runCmd(t, ctx,
+			openBrowserOnReadyFunc(t, ctx, nil),
+			"--skip-open-browser", "--listen-port", "0")
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -241,7 +245,7 @@ func TestCmd_Run_Login(t *testing.T) {

 	t.Run("ExtraScopes", func(t *testing.T) {
 		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
@@ -258,9 +262,9 @@ func TestCmd_Run_Login(t *testing.T) {
 		})
 		defer os.Remove(kubeConfigFilename)

-		req := startBrowserRequest(t, ctx, nil)
-		runCmd(t, ctx, req, "--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-		req.wait()
+		runCmd(t, ctx,
+			openBrowserOnReadyFunc(t, ctx, nil),
+			"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -308,69 +312,34 @@ func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, server
 		})
 }

-func runCmd(t *testing.T, ctx context.Context, s usecases.LoginShowLocalServerURL, args ...string) {
+func runCmd(t *testing.T, ctx context.Context, localServerReadyFunc auth.LocalServerReadyFunc, args ...string) {
 	t.Helper()
-	cmd := di.NewCmdForHeadless(logger.New(t), s, nil)
+	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, nil)
 	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "--v=1"}, args...), "HEAD")
 	if exitCode != 0 {
 		t.Errorf("exit status wants 0 but %d", exitCode)
 	}
 }

-type nopBrowserRequest struct {
-	t *testing.T
-}
-
-func (r *nopBrowserRequest) ShowLocalServerURL(url string) {
-	r.t.Errorf("ShowLocalServerURL must not be called")
-}
-
-type browserRequest struct {
-	t     *testing.T
-	urlCh chan<- string
-	wg    *sync.WaitGroup
-}
-
-func (r *browserRequest) ShowLocalServerURL(url string) {
-	defer close(r.urlCh)
-	r.t.Logf("Open %s for authentication", url)
-	r.urlCh <- url
-}
-
-func (r *browserRequest) wait() {
-	r.wg.Wait()
-}
-
-func startBrowserRequest(t *testing.T, ctx context.Context, tlsConfig *tls.Config) *browserRequest {
-	t.Helper()
-	urlCh := make(chan string)
-	var wg sync.WaitGroup
-	go func() {
-		defer wg.Done()
-		select {
-		case url := <-urlCh:
-			client := http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
-			req, err := http.NewRequest("GET", url, nil)
-			if err != nil {
-				t.Errorf("could not create a request: %s", err)
-				return
-			}
-			req = req.WithContext(ctx)
-			resp, err := client.Do(req)
-			if err != nil {
-				t.Errorf("could not send a request: %s", err)
-				return
-			}
-			defer resp.Body.Close()
-			if resp.StatusCode != 200 {
-				t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
-			}
-		case err := <-ctx.Done():
-			t.Errorf("context done while waiting for URL prompt: %s", err)
+func openBrowserOnReadyFunc(t *testing.T, ctx context.Context, clientConfig *tls.Config) auth.LocalServerReadyFunc {
+	return func(url string) {
+		client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
+		req, err := http.NewRequest("GET", url, nil)
+		if err != nil {
+			t.Errorf("could not create a request: %s", err)
+			return
 		}
-	}()
-	wg.Add(1)
-	return &browserRequest{t, urlCh, &wg}
+		req = req.WithContext(ctx)
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Errorf("could not send a request: %s", err)
+			return
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != 200 {
+			t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+		}
+	}
 }

 func setenv(t *testing.T, key, value string) {
--- a/go.mod
+++ b/go.mod
@@ -3,20 +3,23 @@ module github.com/int128/kubelogin
 go 1.12

 require (
-	github.com/coreos/go-oidc v2.0.0+incompatible
+	github.com/coreos/go-oidc v2.1.0+incompatible
 	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
-	github.com/go-test/deep v1.0.2
+	github.com/go-test/deep v1.0.4
 	github.com/golang/mock v1.3.1
 	github.com/google/wire v0.3.0
-	github.com/int128/oauth2cli v1.4.1
+	github.com/int128/oauth2cli v1.7.0
+	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/spf13/cobra v0.0.5
-	github.com/spf13/pflag v1.0.3
+	github.com/spf13/pflag v1.0.5
 	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
 	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.2.2
+	gopkg.in/yaml.v2 v2.2.4
 	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
 	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
+	k8s.io/klog v0.4.0
 )
--- a/go.sum
+++ b/go.sum
@@ -4,8 +4,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
-github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM=
+github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -17,16 +17,19 @@ github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkg
 github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
-github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-test/deep v1.0.4 h1:u2CU3YKy9I2pmu9pX0eq50wCgjfGIt539SqR7FbHiho=
+github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 h1:WSBJMqJbLxsn+bTCPyPYZfqHdJmc8MK4wrBjMft6BAM=
 github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
@@ -42,9 +45,10 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/int128/oauth2cli v1.4.1 h1:IsaYMafEDS1jyArxYdmksw+nMsNxiYCQzdkPj3QF9BY=
-github.com/int128/oauth2cli v1.4.1/go.mod h1:CMJjyUSgKiobye1M/9byFACOjtB2LRo2mo7boklEKlI=
+github.com/int128/oauth2cli v1.7.0 h1:lguQEIJ4IcSFRTqQ6y7avnfvPqVe0U6dlkW8mC1Epts=
+github.com/int128/oauth2cli v1.7.0/go.mod h1:bucNn0/es9IhOf0a2MWPvJ5xO5f6JYrCfitQTyjI5lA=
 github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE=
 github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -63,6 +67,7 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 h1:49lOXmGaUpV9Fz3gd7TFZY106KVlPVa5jcYD1gaQf98=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
@@ -76,7 +81,10 @@ github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4=
 github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
@@ -92,14 +100,17 @@ golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6
 golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/oauth2 v0.0.0-20190319182350-c85d3e98c914/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -114,11 +125,12 @@ golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
@@ -130,14 +142,18 @@ gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+k8s.io/api v0.0.0-20190620084959-7cf5895f2711 h1:BblVYz/wE5WtBsD/Gvu54KyBUTJMflolzc5I2DTvh50=
 k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
 k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw=
 k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
 k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g=
 k8s.io/client-go v0.0.0-20190620085101-78d2af792bab/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k=
-k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o=
 k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68=
 k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.4.0 h1:lCJCxf/LIowc2IGS9TPjWDyXY4nOmdGdfcwwDQCOURQ=
+k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da h1:ElyM7RPonbKnQqOcw7dG2IK5uvQQn3b/WPHqD5mBvP4=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
--- a/main.go
+++ b/main.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"os"

-	"github.com/int128/kubelogin/di"
+	"github.com/int128/kubelogin/pkg/di"
 )

 var version = "HEAD"
--- a/models/credentialplugin/credential_plugin.go
+++ b/models/credentialplugin/credential_plugin.go
@@ -1,16 +0,0 @@
-// Package credentialplugin provides models for the credential plugin.
-package credentialplugin
-
-import "time"
-
-// TokenCache represents a token object cached.
-type TokenCache struct {
-	IDToken      string `json:"id_token,omitempty"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-}
-
-// Output represents an output object of the credential plugin.
-type Output struct {
-	Token  string
-	Expiry time.Time
-}
--- a/oidc-login.yaml
+++ b/oidc-login.yaml
@@ -4,10 +4,21 @@ metadata:
  name: oidc-login
 spec:
  homepage: https://github.com/int128/kubelogin
-  shortDescription: kubectl integration for OpenID Connect authentication
+  shortDescription: Log in to the OpenID Connect provider
  description: |
-    Kubelogin integrates browser based authentication with kubectl.
-    You do not need to manually set an ID token and refresh token to the kubeconfig.
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.

  caveats: |
    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
--- a/pkg/adaptors/cmd/cmd.go
+++ b/pkg/adaptors/cmd/cmd.go
@@ -0,0 +1,70 @@
+package cmd
+
+import (
+	"context"
+	"path/filepath"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/util/homedir"
+)
+
+// Set provides an implementation and interface for Cmd.
+var Set = wire.NewSet(
+	wire.Struct(new(Cmd), "*"),
+	wire.Bind(new(Interface), new(*Cmd)),
+	wire.Struct(new(Root), "*"),
+	wire.Struct(new(GetToken), "*"),
+	wire.Struct(new(Setup), "*"),
+)
+
+type Interface interface {
+	Run(ctx context.Context, args []string, version string) int
+}
+
+var defaultListenPort = []int{8000, 18000}
+var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
+
+// Cmd provides interaction with command line interface (CLI).
+type Cmd struct {
+	Root     *Root
+	GetToken *GetToken
+	Setup    *Setup
+	Logger   logger.Interface
+}
+
+// Run parses the command line arguments and executes the specified use-case.
+// It returns an exit code, that is 0 on success or 1 on error.
+func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
+	executable := filepath.Base(args[0])
+
+	rootCmd := cmd.Root.New(ctx, executable)
+	rootCmd.Version = version
+	rootCmd.SilenceUsage = true
+	rootCmd.SilenceErrors = true
+
+	getTokenCmd := cmd.GetToken.New(ctx)
+	rootCmd.AddCommand(getTokenCmd)
+
+	setupCmd := cmd.Setup.New(ctx)
+	rootCmd.AddCommand(setupCmd)
+
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Print the version information",
+		Args:  cobra.NoArgs,
+		Run: func(*cobra.Command, []string) {
+			cmd.Logger.Printf("%s version %s", executable, version)
+		},
+	}
+	rootCmd.AddCommand(versionCmd)
+
+	rootCmd.SetArgs(args[1:])
+	if err := rootCmd.Execute(); err != nil {
+		cmd.Logger.Printf("error: %s", err)
+		cmd.Logger.V(1).Infof("stacktrace: %+v", err)
+		return 1
+	}
+	return 0
+}
--- a/pkg/adaptors/cmd/cmd_test.go
+++ b/pkg/adaptors/cmd/cmd_test.go
@@ -5,10 +5,11 @@ import (
 	"testing"

 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/mock_usecases"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	"github.com/int128/kubelogin/pkg/usecases/standalone/mock_standalone"
 )

 func TestCmd_Run(t *testing.T) {
@@ -20,18 +21,18 @@ func TestCmd_Run(t *testing.T) {
 		defer ctrl.Finish()
 		ctx := context.TODO()

-		login := mock_usecases.NewMockLogin(ctrl)
-		login.EXPECT().
-			Do(ctx, usecases.LoginIn{
+		mockStandalone := mock_standalone.NewMockInterface(ctrl)
+		mockStandalone.EXPECT().
+			Do(ctx, standalone.Input{
 				ListenPort: defaultListenPort,
 			})

-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
-
 		cmd := Cmd{
-			Login:  login,
-			Logger: logger,
+			Root: &Root{
+				Standalone: mockStandalone,
+				Logger:     mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(ctx, []string{executable}, version)
 		if exitCode != 0 {
@@ -44,9 +45,9 @@ func TestCmd_Run(t *testing.T) {
 		defer ctrl.Finish()
 		ctx := context.TODO()

-		login := mock_usecases.NewMockLogin(ctrl)
-		login.EXPECT().
-			Do(ctx, usecases.LoginIn{
+		mockStandalone := mock_standalone.NewMockInterface(ctrl)
+		mockStandalone.EXPECT().
+			Do(ctx, standalone.Input{
 				KubeconfigFilename: "/path/to/kubeconfig",
 				KubeconfigContext:  "hello.k8s.local",
 				KubeconfigUser:     "google",
@@ -58,12 +59,12 @@ func TestCmd_Run(t *testing.T) {
 				Password:           "PASS",
 			})

-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(1))
-
 		cmd := Cmd{
-			Login:  login,
-			Logger: logger,
+			Root: &Root{
+				Standalone: mockStandalone,
+				Logger:     mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(ctx, []string{executable,
 			"--kubeconfig", "/path/to/kubeconfig",
@@ -87,8 +88,11 @@ func TestCmd_Run(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		cmd := Cmd{
-			Login:  mock_usecases.NewMockLogin(ctrl),
-			Logger: mock_adaptors.NewLogger(t, ctrl),
+			Root: &Root{
+				Standalone: mock_standalone.NewMockInterface(ctrl),
+				Logger:     mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
 		if exitCode != 1 {
@@ -101,21 +105,24 @@ func TestCmd_Run(t *testing.T) {
 		defer ctrl.Finish()
 		ctx := context.TODO()

-		getToken := mock_usecases.NewMockGetToken(ctrl)
+		getToken := mock_credentialplugin.NewMockInterface(ctrl)
 		getToken.EXPECT().
-			Do(ctx, usecases.GetTokenIn{
-				ListenPort:         defaultListenPort,
-				TokenCacheFilename: defaultTokenCache,
-				IssuerURL:          "https://issuer.example.com",
-				ClientID:           "YOUR_CLIENT_ID",
+			Do(ctx, credentialplugin.Input{
+				ListenPort:    defaultListenPort,
+				TokenCacheDir: defaultTokenCacheDir,
+				IssuerURL:     "https://issuer.example.com",
+				ClientID:      "YOUR_CLIENT_ID",
 			})

-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(0))
-
 		cmd := Cmd{
-			GetToken: getToken,
-			Logger:   logger,
+			Root: &Root{
+				Logger: mock_logger.New(t),
+			},
+			GetToken: &GetToken{
+				GetToken: getToken,
+				Logger:   mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(ctx, []string{executable,
 			"get-token",
@@ -132,28 +139,31 @@ func TestCmd_Run(t *testing.T) {
 		defer ctrl.Finish()
 		ctx := context.TODO()

-		getToken := mock_usecases.NewMockGetToken(ctrl)
+		getToken := mock_credentialplugin.NewMockInterface(ctrl)
 		getToken.EXPECT().
-			Do(ctx, usecases.GetTokenIn{
-				TokenCacheFilename: defaultTokenCache,
-				IssuerURL:          "https://issuer.example.com",
-				ClientID:           "YOUR_CLIENT_ID",
-				ClientSecret:       "YOUR_CLIENT_SECRET",
-				ExtraScopes:        []string{"email", "profile"},
-				CACertFilename:     "/path/to/cacert",
-				SkipTLSVerify:      true,
-				ListenPort:         []int{10080, 20080},
-				SkipOpenBrowser:    true,
-				Username:           "USER",
-				Password:           "PASS",
+			Do(ctx, credentialplugin.Input{
+				TokenCacheDir:   defaultTokenCacheDir,
+				IssuerURL:       "https://issuer.example.com",
+				ClientID:        "YOUR_CLIENT_ID",
+				ClientSecret:    "YOUR_CLIENT_SECRET",
+				ExtraScopes:     []string{"email", "profile"},
+				CACertFilename:  "/path/to/cacert",
+				SkipTLSVerify:   true,
+				ListenPort:      []int{10080, 20080},
+				SkipOpenBrowser: true,
+				Username:        "USER",
+				Password:        "PASS",
 			})

-		logger := mock_adaptors.NewLogger(t, ctrl)
-		logger.EXPECT().SetLevel(adaptors.LogLevel(1))
-
 		cmd := Cmd{
-			GetToken: getToken,
-			Logger:   logger,
+			Root: &Root{
+				Logger: mock_logger.New(t),
+			},
+			GetToken: &GetToken{
+				GetToken: getToken,
+				Logger:   mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(ctx, []string{executable,
 			"get-token",
@@ -181,8 +191,14 @@ func TestCmd_Run(t *testing.T) {
 		defer ctrl.Finish()
 		ctx := context.TODO()
 		cmd := Cmd{
-			GetToken: mock_usecases.NewMockGetToken(ctrl),
-			Logger:   mock_adaptors.NewLogger(t, ctrl),
+			Root: &Root{
+				Logger: mock_logger.New(t),
+			},
+			GetToken: &GetToken{
+				GetToken: mock_credentialplugin.NewMockInterface(ctrl),
+				Logger:   mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
 		if exitCode != 1 {
@@ -195,8 +211,14 @@ func TestCmd_Run(t *testing.T) {
 		defer ctrl.Finish()
 		ctx := context.TODO()
 		cmd := Cmd{
-			GetToken: mock_usecases.NewMockGetToken(ctrl),
-			Logger:   mock_adaptors.NewLogger(t, ctrl),
+			Root: &Root{
+				Logger: mock_logger.New(t),
+			},
+			GetToken: &GetToken{
+				GetToken: mock_credentialplugin.NewMockInterface(ctrl),
+				Logger:   mock_logger.New(t),
+			},
+			Logger: mock_logger.New(t),
 		}
 		exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
 		if exitCode != 1 {
--- a/pkg/adaptors/cmd/get_token.go
+++ b/pkg/adaptors/cmd/get_token.go
@@ -0,0 +1,87 @@
+package cmd
+
+import (
+	"context"
+
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+)
+
+// getTokenOptions represents the options for get-token command.
+type getTokenOptions struct {
+	IssuerURL            string
+	ClientID             string
+	ClientSecret         string
+	ExtraScopes          []string
+	ListenPort           []int
+	SkipOpenBrowser      bool
+	Username             string
+	Password             string
+	CertificateAuthority string
+	SkipTLSVerify        bool
+	TokenCacheDir        string
+}
+
+func (o *getTokenOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
+	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
+	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
+	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
+	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
+}
+
+type GetToken struct {
+	GetToken credentialplugin.Interface
+	Logger   logger.Interface
+}
+
+func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
+	var o getTokenOptions
+	c := &cobra.Command{
+		Use:   "get-token [flags]",
+		Short: "Run as a kubectl credential plugin",
+		Args: func(c *cobra.Command, args []string) error {
+			if err := cobra.NoArgs(c, args); err != nil {
+				return err
+			}
+			if o.IssuerURL == "" {
+				return xerrors.New("--oidc-issuer-url is missing")
+			}
+			if o.ClientID == "" {
+				return xerrors.New("--oidc-client-id is missing")
+			}
+			return nil
+		},
+		RunE: func(*cobra.Command, []string) error {
+			in := credentialplugin.Input{
+				IssuerURL:       o.IssuerURL,
+				ClientID:        o.ClientID,
+				ClientSecret:    o.ClientSecret,
+				ExtraScopes:     o.ExtraScopes,
+				CACertFilename:  o.CertificateAuthority,
+				SkipTLSVerify:   o.SkipTLSVerify,
+				ListenPort:      o.ListenPort,
+				SkipOpenBrowser: o.SkipOpenBrowser,
+				Username:        o.Username,
+				Password:        o.Password,
+				TokenCacheDir:   o.TokenCacheDir,
+			}
+			if err := cmd.GetToken.Do(ctx, in); err != nil {
+				return xerrors.Errorf("error: %w", err)
+			}
+			return nil
+		},
+	}
+	o.register(c.Flags())
+	return c
+}
--- a/pkg/adaptors/cmd/root.go
+++ b/pkg/adaptors/cmd/root.go
@@ -0,0 +1,83 @@
+package cmd
+
+import (
+	"context"
+
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+)
+
+const longDescription = `Login to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+Run the following command to show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.
+`
+
+// rootOptions represents the options for the root command.
+type rootOptions struct {
+	Kubeconfig           string
+	Context              string
+	User                 string
+	ListenPort           []int
+	SkipOpenBrowser      bool
+	Username             string
+	Password             string
+	CertificateAuthority string
+	SkipTLSVerify        bool
+}
+
+func (o *rootOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
+	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
+	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
+	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
+	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
+	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+}
+
+type Root struct {
+	Standalone standalone.Interface
+	Logger     logger.Interface
+}
+
+func (cmd *Root) New(ctx context.Context, executable string) *cobra.Command {
+	var o rootOptions
+	rootCmd := &cobra.Command{
+		Use:   executable,
+		Short: "Login to the OpenID Connect provider",
+		Long:  longDescription,
+		Args:  cobra.NoArgs,
+		RunE: func(*cobra.Command, []string) error {
+			in := standalone.Input{
+				KubeconfigFilename: o.Kubeconfig,
+				KubeconfigContext:  kubeconfig.ContextName(o.Context),
+				KubeconfigUser:     kubeconfig.UserName(o.User),
+				CACertFilename:     o.CertificateAuthority,
+				SkipTLSVerify:      o.SkipTLSVerify,
+				ListenPort:         o.ListenPort,
+				SkipOpenBrowser:    o.SkipOpenBrowser,
+				Username:           o.Username,
+				Password:           o.Password,
+			}
+			if err := cmd.Standalone.Do(ctx, in); err != nil {
+				return xerrors.Errorf("error: %w", err)
+			}
+			return nil
+		},
+	}
+	o.register(rootCmd.Flags())
+	cmd.Logger.AddFlags(rootCmd.PersistentFlags())
+	return rootCmd
+}
--- a/pkg/adaptors/cmd/setup.go
+++ b/pkg/adaptors/cmd/setup.go
@@ -0,0 +1,71 @@
+package cmd
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/int128/kubelogin/pkg/usecases/setup"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+)
+
+// setupOptions represents the options for setup command.
+type setupOptions struct {
+	IssuerURL            string
+	ClientID             string
+	ClientSecret         string
+	ExtraScopes          []string
+	ListenPort           []int
+	SkipOpenBrowser      bool
+	CertificateAuthority string
+	SkipTLSVerify        bool
+}
+
+func (o *setupOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
+	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
+	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+}
+
+type Setup struct {
+	Setup setup.Interface
+}
+
+func (cmd *Setup) New(ctx context.Context) *cobra.Command {
+	var o setupOptions
+	c := &cobra.Command{
+		Use:   "setup",
+		Short: "Show the setup instruction",
+		Args:  cobra.NoArgs,
+		RunE: func(*cobra.Command, []string) error {
+			in := setup.Stage2Input{
+				IssuerURL:       o.IssuerURL,
+				ClientID:        o.ClientID,
+				ClientSecret:    o.ClientSecret,
+				ExtraScopes:     o.ExtraScopes,
+				SkipOpenBrowser: o.SkipOpenBrowser,
+				ListenPort:      o.ListenPort,
+				ListenPortIsSet: !reflect.DeepEqual(o.ListenPort, defaultListenPort),
+				CACertFilename:  o.CertificateAuthority,
+				SkipTLSVerify:   o.SkipTLSVerify,
+			}
+			if in.IssuerURL == "" || in.ClientID == "" {
+				cmd.Setup.DoStage1()
+				return nil
+			}
+			if err := cmd.Setup.DoStage2(ctx, in); err != nil {
+				return xerrors.Errorf("error: %w", err)
+			}
+			return nil
+		},
+	}
+	o.register(c.Flags())
+	return c
+}
--- a/pkg/adaptors/credentialplugin/credential_plugin.go
+++ b/pkg/adaptors/credentialplugin/credential_plugin.go
@@ -4,24 +4,35 @@ package credentialplugin
 import (
 	"encoding/json"
 	"os"
+	"time"

 	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/models/credentialplugin"
 	"golang.org/x/xerrors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )

+//go:generate mockgen -destination mock_credentialplugin/mock_credentialplugin.go github.com/int128/kubelogin/pkg/adaptors/credentialplugin Interface
+
 var Set = wire.NewSet(
 	wire.Struct(new(Interaction), "*"),
-	wire.Bind(new(adaptors.CredentialPluginInteraction), new(*Interaction)),
+	wire.Bind(new(Interface), new(*Interaction)),
 )

+type Interface interface {
+	Write(out Output) error
+}
+
+// Output represents an output object of the credential plugin.
+type Output struct {
+	Token  string
+	Expiry time.Time
+}
+
 type Interaction struct{}

 // Write writes the ExecCredential to standard output for kubectl.
-func (*Interaction) Write(out credentialplugin.Output) error {
+func (*Interaction) Write(out Output) error {
 	ec := &v1beta1.ExecCredential{
 		TypeMeta: v1.TypeMeta{
 			APIVersion: "client.authentication.k8s.io/v1beta1",
--- a/pkg/adaptors/credentialplugin/mock_credentialplugin/mock_credentialplugin.go
+++ b/pkg/adaptors/credentialplugin/mock_credentialplugin/mock_credentialplugin.go
@@ -0,0 +1,46 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/credentialplugin (interfaces: Interface)
+
+// Package mock_credentialplugin is a generated GoMock package.
+package mock_credentialplugin
+
+import (
+	gomock "github.com/golang/mock/gomock"
+	credentialplugin "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Write mocks base method
+func (m *MockInterface) Write(arg0 credentialplugin.Output) error {
+	ret := m.ctrl.Call(m, "Write", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Write indicates an expected call of Write
+func (mr *MockInterfaceMockRecorder) Write(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockInterface)(nil).Write), arg0)
+}
--- a/pkg/adaptors/env/env.go
+++ b/pkg/adaptors/env/env.go
@@ -0,0 +1,58 @@
+package env
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+
+	"github.com/google/wire"
+	"github.com/pkg/browser"
+	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_env/mock_env.go github.com/int128/kubelogin/pkg/adaptors/env Interface
+
+func init() {
+	// In credential plugin mode, some browser launcher writes a message to stdout
+	// and it may break the credential json for client-go.
+	// This prevents the browser launcher from breaking the credential json.
+	browser.Stdout = os.Stderr
+}
+
+// Set provides an implementation and interface for Env.
+var Set = wire.NewSet(
+	wire.Struct(new(Env), "*"),
+	wire.Bind(new(Interface), new(*Env)),
+)
+
+type Interface interface {
+	ReadPassword(prompt string) (string, error)
+	OpenBrowser(url string) error
+}
+
+// Env provides environment specific facilities.
+type Env struct{}
+
+// ReadPassword reads a password from the stdin without echo back.
+func (*Env) ReadPassword(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", xerrors.Errorf("could not write the prompt: %w", err)
+	}
+	b, err := terminal.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", xerrors.Errorf("could not read: %w", err)
+	}
+	if _, err := fmt.Fprintln(os.Stderr); err != nil {
+		return "", xerrors.Errorf("could not write a new line: %w", err)
+	}
+	return string(b), nil
+}
+
+// OpenBrowser opens the default browser.
+func (env *Env) OpenBrowser(url string) error {
+	if err := browser.OpenURL(url); err != nil {
+		return xerrors.Errorf("could not open the browser: %w", err)
+	}
+	return nil
+}
--- a/pkg/adaptors/env/mock_env/mock_env.go
+++ b/pkg/adaptors/env/mock_env/mock_env.go
@@ -0,0 +1,58 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/env (interfaces: Interface)
+
+// Package mock_env is a generated GoMock package.
+package mock_env
+
+import (
+	gomock "github.com/golang/mock/gomock"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// OpenBrowser mocks base method
+func (m *MockInterface) OpenBrowser(arg0 string) error {
+	ret := m.ctrl.Call(m, "OpenBrowser", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// OpenBrowser indicates an expected call of OpenBrowser
+func (mr *MockInterfaceMockRecorder) OpenBrowser(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OpenBrowser", reflect.TypeOf((*MockInterface)(nil).OpenBrowser), arg0)
+}
+
+// ReadPassword mocks base method
+func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
+	ret := m.ctrl.Call(m, "ReadPassword", arg0)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadPassword indicates an expected call of ReadPassword
+func (mr *MockInterfaceMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockInterface)(nil).ReadPassword), arg0)
+}
--- a/pkg/adaptors/kubeconfig/kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/kubeconfig.go
@@ -1,5 +1,22 @@
 package kubeconfig

+import (
+	"github.com/google/wire"
+)
+
+//go:generate mockgen -destination mock_kubeconfig/mock_kubeconfig.go github.com/int128/kubelogin/pkg/adaptors/kubeconfig Interface
+
+// Set provides an implementation and interface for Kubeconfig.
+var Set = wire.NewSet(
+	wire.Struct(new(Kubeconfig), "*"),
+	wire.Bind(new(Interface), new(*Kubeconfig)),
+)
+
+type Interface interface {
+	GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error)
+	UpdateAuthProvider(auth *AuthProvider) error
+}
+
 // ContextName represents name of a context.
 type ContextName string

@@ -26,3 +43,5 @@ type OIDCConfig struct {
 	IDToken                     string   // (optional) id-token
 	RefreshToken                string   // (optional) refresh-token
 }
+
+type Kubeconfig struct{}
--- a/pkg/adaptors/kubeconfig/load.go
+++ b/pkg/adaptors/kubeconfig/load.go
@@ -3,13 +3,12 @@ package kubeconfig
 import (
 	"strings"

-	"github.com/int128/kubelogin/models/kubeconfig"
 	"golang.org/x/xerrors"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/clientcmd/api"
 )

-func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error) {
 	config, err := loadByDefaultRules(explicitFilename)
 	if err != nil {
 		return nil, xerrors.Errorf("could not load kubeconfig: %w", err)
@@ -35,16 +34,16 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
 // If contextName is given, this returns the user of the context.
 // If userName is given, this ignores the context and returns the user.
 // If any context or user is not found, this returns an error.
-func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+func findCurrentAuthProvider(config *api.Config, contextName ContextName, userName UserName) (*AuthProvider, error) {
 	if userName == "" {
 		if contextName == "" {
-			contextName = kubeconfig.ContextName(config.CurrentContext)
+			contextName = ContextName(config.CurrentContext)
 		}
 		contextNode, ok := config.Contexts[string(contextName)]
 		if !ok {
 			return nil, xerrors.Errorf("context %s does not exist", contextName)
 		}
-		userName = kubeconfig.UserName(contextNode.AuthInfo)
+		userName = UserName(contextNode.AuthInfo)
 	}
 	userNode, ok := config.AuthInfos[string(userName)]
 	if !ok {
@@ -59,7 +58,7 @@ func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextN
 	if userNode.AuthProvider.Config == nil {
 		return nil, xerrors.New("auth-provider.config is missing")
 	}
-	return &kubeconfig.AuthProvider{
+	return &AuthProvider{
 		LocationOfOrigin: userNode.LocationOfOrigin,
 		UserName:         userName,
 		ContextName:      contextName,
@@ -67,12 +66,12 @@ func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextN
 	}, nil
 }

-func makeOIDCConfig(m map[string]string) kubeconfig.OIDCConfig {
+func makeOIDCConfig(m map[string]string) OIDCConfig {
 	var extraScopes []string
 	if m["extra-scopes"] != "" {
 		extraScopes = strings.Split(m["extra-scopes"], ",")
 	}
-	return kubeconfig.OIDCConfig{
+	return OIDCConfig{
 		IDPIssuerURL:                m["idp-issuer-url"],
 		ClientID:                    m["client-id"],
 		ClientSecret:                m["client-secret"],
--- a/pkg/adaptors/kubeconfig/load_test.go
+++ b/pkg/adaptors/kubeconfig/load_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"

 	"github.com/go-test/deep"
-	"github.com/int128/kubelogin/models/kubeconfig"
 	"k8s.io/client-go/tools/clientcmd/api"
 )

@@ -106,11 +105,11 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
-		want := &kubeconfig.AuthProvider{
+		want := &AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
 			ContextName:      "theContext",
-			OIDCConfig: kubeconfig.OIDCConfig{
+			OIDCConfig: OIDCConfig{
 				IDPIssuerURL:                "https://accounts.google.com",
 				ClientID:                    "GOOGLE_CLIENT_ID",
 				ClientSecret:                "GOOGLE_CLIENT_SECRET",
@@ -148,11 +147,11 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
-		want := &kubeconfig.AuthProvider{
+		want := &AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
 			ContextName:      "theContext",
-			OIDCConfig: kubeconfig.OIDCConfig{
+			OIDCConfig: OIDCConfig{
 				IDPIssuerURL: "https://accounts.google.com",
 			},
 		}
@@ -178,10 +177,10 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
-		want := &kubeconfig.AuthProvider{
+		want := &AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
-			OIDCConfig: kubeconfig.OIDCConfig{
+			OIDCConfig: OIDCConfig{
 				IDPIssuerURL: "https://accounts.google.com",
 			},
 		}
--- a/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
@@ -0,0 +1,59 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/kubeconfig (interfaces: Interface)
+
+// Package mock_kubeconfig is a generated GoMock package.
+package mock_kubeconfig
+
+import (
+	gomock "github.com/golang/mock/gomock"
+	kubeconfig "github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// GetCurrentAuthProvider mocks base method
+func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
+func (mr *MockInterfaceMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockInterface)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
+}
+
+// UpdateAuthProvider mocks base method
+func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
+	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
+func (mr *MockInterfaceMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockInterface)(nil).UpdateAuthProvider), arg0)
+}
--- a/pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml
+++ b/pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml
--- a/pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml
+++ b/pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml
--- a/pkg/adaptors/kubeconfig/write.go
+++ b/pkg/adaptors/kubeconfig/write.go
@@ -3,12 +3,11 @@ package kubeconfig
 import (
 	"strings"

-	"github.com/int128/kubelogin/models/kubeconfig"
 	"golang.org/x/xerrors"
 	"k8s.io/client-go/tools/clientcmd"
 )

-func (*Kubeconfig) UpdateAuthProvider(auth *kubeconfig.AuthProvider) error {
+func (*Kubeconfig) UpdateAuthProvider(auth *AuthProvider) error {
 	config, err := clientcmd.LoadFromFile(auth.LocationOfOrigin)
 	if err != nil {
 		return xerrors.Errorf("could not load %s: %w", auth.LocationOfOrigin, err)
@@ -30,7 +29,7 @@ func (*Kubeconfig) UpdateAuthProvider(auth *kubeconfig.AuthProvider) error {
 	return nil
 }

-func copyOIDCConfig(config kubeconfig.OIDCConfig, m map[string]string) {
+func copyOIDCConfig(config OIDCConfig, m map[string]string) {
 	setOrDeleteKey(m, "idp-issuer-url", config.IDPIssuerURL)
 	setOrDeleteKey(m, "client-id", config.ClientID)
 	setOrDeleteKey(m, "client-secret", config.ClientSecret)
--- a/pkg/adaptors/kubeconfig/write_test.go
+++ b/pkg/adaptors/kubeconfig/write_test.go
@@ -4,8 +4,6 @@ import (
 	"io/ioutil"
 	"os"
 	"testing"
-
-	"github.com/int128/kubelogin/models/kubeconfig"
 )

 func TestKubeconfig_UpdateAuth(t *testing.T) {
@@ -18,10 +16,10 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 				t.Errorf("Could not remove the temp file: %s", err)
 			}
 		}()
-		if err := k.UpdateAuthProvider(&kubeconfig.AuthProvider{
+		if err := k.UpdateAuthProvider(&AuthProvider{
 			LocationOfOrigin: f.Name(),
 			UserName:         "google",
-			OIDCConfig: kubeconfig.OIDCConfig{
+			OIDCConfig: OIDCConfig{
 				IDPIssuerURL: "https://accounts.google.com",
 				ClientID:     "GOOGLE_CLIENT_ID",
 				ClientSecret: "GOOGLE_CLIENT_SECRET",
@@ -66,10 +64,10 @@ users:
 				t.Errorf("Could not remove the temp file: %s", err)
 			}
 		}()
-		if err := k.UpdateAuthProvider(&kubeconfig.AuthProvider{
+		if err := k.UpdateAuthProvider(&AuthProvider{
 			LocationOfOrigin: f.Name(),
 			UserName:         "google",
-			OIDCConfig: kubeconfig.OIDCConfig{
+			OIDCConfig: OIDCConfig{
 				IDPIssuerURL:                "https://accounts.google.com",
 				ClientID:                    "GOOGLE_CLIENT_ID",
 				ClientSecret:                "GOOGLE_CLIENT_SECRET",
--- a/pkg/adaptors/logger/logger.go
+++ b/pkg/adaptors/logger/logger.go
@@ -0,0 +1,60 @@
+package logger
+
+import (
+	"flag"
+	"log"
+	"os"
+
+	"github.com/google/wire"
+	"github.com/spf13/pflag"
+	"k8s.io/klog"
+)
+
+// Set provides an implementation and interface for Logger.
+var Set = wire.NewSet(
+	New,
+)
+
+// New returns a Logger with the standard log.Logger and klog.
+func New() Interface {
+	return &Logger{
+		goLogger: log.New(os.Stderr, "", 0),
+	}
+}
+
+type Interface interface {
+	AddFlags(f *pflag.FlagSet)
+	Printf(format string, args ...interface{})
+	V(level int) Verbose
+	IsEnabled(level int) bool
+}
+
+type Verbose interface {
+	Infof(format string, args ...interface{})
+}
+
+type goLogger interface {
+	Printf(format string, v ...interface{})
+}
+
+// Logger provides logging facility using log.Logger and klog.
+type Logger struct {
+	goLogger
+}
+
+// AddFlags adds the flags such as -v.
+func (*Logger) AddFlags(f *pflag.FlagSet) {
+	gf := flag.NewFlagSet("", flag.ContinueOnError)
+	klog.InitFlags(gf)
+	f.AddGoFlagSet(gf)
+}
+
+// V returns a logger enabled only if the level is enabled.
+func (*Logger) V(level int) Verbose {
+	return klog.V(klog.Level(level))
+}
+
+// IsEnabled returns true if the level is enabled.
+func (*Logger) IsEnabled(level int) bool {
+	return bool(klog.V(klog.Level(level)))
+}
--- a/pkg/adaptors/logger/mock_logger/logger.go
+++ b/pkg/adaptors/logger/mock_logger/logger.go
@@ -0,0 +1,46 @@
+package mock_logger
+
+import (
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/spf13/pflag"
+)
+
+func New(t testingLogger) *Logger {
+	return &Logger{t}
+}
+
+type testingLogger interface {
+	Logf(format string, v ...interface{})
+}
+
+// Logger provides logging facility using testing.T.
+type Logger struct {
+	t testingLogger
+}
+
+func (*Logger) AddFlags(f *pflag.FlagSet) {
+	f.IntP("v", "v", 0, "dummy flag used in the tests")
+}
+
+func (l *Logger) Printf(format string, args ...interface{}) {
+	l.t.Logf(format, args...)
+}
+
+type Verbose struct {
+	t     testingLogger
+	level int
+}
+
+func (v *Verbose) Infof(format string, args ...interface{}) {
+	v.t.Logf(fmt.Sprintf("I%d] ", v.level)+format, args...)
+}
+
+func (l *Logger) V(level int) logger.Verbose {
+	return &Verbose{l.t, level}
+}
+
+func (*Logger) IsEnabled(level int) bool {
+	return true
+}
--- a/pkg/adaptors/oidc/client.go
+++ b/pkg/adaptors/oidc/client.go
@@ -0,0 +1,162 @@
+package oidc
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/coreos/go-oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/oauth2cli"
+	"golang.org/x/oauth2"
+	"golang.org/x/xerrors"
+)
+
+type Interface interface {
+	AuthenticateByCode(ctx context.Context, localServerPort []int, localServerReadyChan chan<- string) (*TokenSet, error)
+	AuthenticateByPassword(ctx context.Context, username, password string) (*TokenSet, error)
+	Refresh(ctx context.Context, refreshToken string) (*TokenSet, error)
+}
+
+// TokenSet represents an output DTO of
+// Interface.AuthenticateByCode, Interface.AuthenticateByPassword and Interface.Refresh.
+type TokenSet struct {
+	IDToken        string
+	RefreshToken   string
+	IDTokenSubject string
+	IDTokenExpiry  time.Time
+	IDTokenClaims  map[string]string // string representation of claims for logging
+}
+
+type client struct {
+	httpClient   *http.Client
+	provider     *oidc.Provider
+	oauth2Config oauth2.Config
+	logger       logger.Interface
+}
+
+func (c *client) wrapContext(ctx context.Context) context.Context {
+	if c.httpClient != nil {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
+	}
+	return ctx
+}
+
+// AuthenticateByCode performs the authorization code flow.
+func (c *client) AuthenticateByCode(ctx context.Context, localServerPort []int, localServerReadyChan chan<- string) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	nonce, err := newNonce()
+	if err != nil {
+		return nil, xerrors.Errorf("could not generate a nonce parameter")
+	}
+	config := oauth2cli.Config{
+		OAuth2Config:         c.oauth2Config,
+		LocalServerPort:      localServerPort,
+		AuthCodeOptions:      []oauth2.AuthCodeOption{oauth2.AccessTypeOffline, oidc.Nonce(nonce)},
+		LocalServerReadyChan: localServerReadyChan,
+	}
+	token, err := oauth2cli.GetToken(ctx, config)
+	if err != nil {
+		return nil, xerrors.Errorf("could not get a token: %w", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
+	}
+	if verifiedIDToken.Nonce != nonce {
+		return nil, xerrors.Errorf("nonce of ID token did not match (want %s but was %s)", nonce, verifiedIDToken.Nonce)
+	}
+	claims, err := dumpClaims(verifiedIDToken)
+	if err != nil {
+		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
+	}
+	return &TokenSet{
+		IDToken:       idToken,
+		RefreshToken:  token.RefreshToken,
+		IDTokenExpiry: verifiedIDToken.Expiry,
+		IDTokenClaims: claims,
+	}, nil
+}
+
+func newNonce() (string, error) {
+	var n uint64
+	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
+		return "", xerrors.Errorf("error while reading random: %w", err)
+	}
+	return fmt.Sprintf("%x", n), nil
+}
+
+// AuthenticateByPassword performs the resource owner password credentials flow.
+func (c *client) AuthenticateByPassword(ctx context.Context, username, password string) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
+	if err != nil {
+		return nil, xerrors.Errorf("could not get a token: %w", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
+	}
+	claims, err := dumpClaims(verifiedIDToken)
+	if err != nil {
+		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
+	}
+	return &TokenSet{
+		IDToken:       idToken,
+		RefreshToken:  token.RefreshToken,
+		IDTokenExpiry: verifiedIDToken.Expiry,
+		IDTokenClaims: claims,
+	}, nil
+}
+
+// Refresh sends a refresh token request and returns a token set.
+func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	currentToken := &oauth2.Token{
+		Expiry:       time.Now(),
+		RefreshToken: refreshToken,
+	}
+	source := c.oauth2Config.TokenSource(ctx, currentToken)
+	token, err := source.Token()
+	if err != nil {
+		return nil, xerrors.Errorf("could not refresh the token: %w", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
+	}
+	claims, err := dumpClaims(verifiedIDToken)
+	if err != nil {
+		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
+	}
+	return &TokenSet{
+		IDToken:       idToken,
+		RefreshToken:  token.RefreshToken,
+		IDTokenExpiry: verifiedIDToken.Expiry,
+		IDTokenClaims: claims,
+	}, nil
+}
+
+func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
+	var rawClaims map[string]interface{}
+	err := token.Claims(&rawClaims)
+	return dumpRawClaims(rawClaims), err
+}
--- a/pkg/adaptors/oidc/decoder.go
+++ b/pkg/adaptors/oidc/decoder.go
@@ -0,0 +1,63 @@
+package oidc
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"golang.org/x/xerrors"
+)
+
+type DecoderInterface interface {
+	DecodeIDToken(t string) (*DecodedIDToken, error)
+}
+
+type DecodedIDToken struct {
+	Subject string
+	Expiry  time.Time
+	Claims  map[string]string // string representation of claims for logging
+}
+
+type Decoder struct{}
+
+// DecodeIDToken returns the claims of the ID token.
+// Note that this method does not verify the signature and always trust it.
+func (d *Decoder) DecodeIDToken(t string) (*DecodedIDToken, error) {
+	parts := strings.Split(t, ".")
+	if len(parts) != 3 {
+		return nil, xerrors.Errorf("token contains an invalid number of segments")
+	}
+	b, err := jwt.DecodeSegment(parts[1])
+	if err != nil {
+		return nil, xerrors.Errorf("could not decode the token: %w", err)
+	}
+	var claims jwt.StandardClaims
+	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&claims); err != nil {
+		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
+	}
+	var rawClaims map[string]interface{}
+	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&rawClaims); err != nil {
+		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
+	}
+	return &DecodedIDToken{
+		Subject: claims.Subject,
+		Expiry:  time.Unix(claims.ExpiresAt, 0),
+		Claims:  dumpRawClaims(rawClaims),
+	}, nil
+}
+
+func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
+	claims := make(map[string]string)
+	for k, v := range rawClaims {
+		switch v := v.(type) {
+		case float64:
+			claims[k] = fmt.Sprintf("%.f", v)
+		default:
+			claims[k] = fmt.Sprintf("%v", v)
+		}
+	}
+	return claims
+}
--- a/pkg/adaptors/oidc/decoder_test.go
+++ b/pkg/adaptors/oidc/decoder_test.go
@@ -0,0 +1,87 @@
+package oidc
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+func TestDecoder_DecodeIDToken(t *testing.T) {
+	var decoder Decoder
+
+	t.Run("ValidToken", func(t *testing.T) {
+		expiry := time.Now().Round(time.Second)
+		idToken := newIDToken(t, "https://issuer.example.com", expiry)
+		decodedToken, err := decoder.DecodeIDToken(idToken)
+		if err != nil {
+			t.Fatalf("DecodeIDToken error: %s", err)
+		}
+		if decodedToken.Expiry != expiry {
+			t.Errorf("Expiry wants %s but %s", expiry, decodedToken.Expiry)
+		}
+		t.Logf("Claims=%+v", decodedToken.Claims)
+	})
+	t.Run("InvalidToken", func(t *testing.T) {
+		decodedToken, err := decoder.DecodeIDToken("HEADER.INVALID_TOKEN.SIGNATURE")
+		if err == nil {
+			t.Errorf("error wants non-nil but nil")
+		} else {
+			t.Logf("expected error: %+v", err)
+		}
+		if decodedToken != nil {
+			t.Errorf("decodedToken wants nil but %+v", decodedToken)
+		}
+	})
+}
+
+func newIDToken(t *testing.T, issuer string, expiry time.Time) string {
+	t.Helper()
+	claims := struct {
+		jwt.StandardClaims
+		Nonce         string   `json:"nonce"`
+		Groups        []string `json:"groups"`
+		EmailVerified bool     `json:"email_verified"`
+	}{
+		StandardClaims: jwt.StandardClaims{
+			Issuer:    issuer,
+			Audience:  "kubernetes",
+			Subject:   "SUBJECT",
+			IssuedAt:  time.Now().Unix(),
+			ExpiresAt: expiry.Unix(),
+		},
+		Nonce:         "NONCE",
+		Groups:        []string{"admin", "users"},
+		EmailVerified: false,
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	s, err := token.SignedString(readPrivateKey(t, "testdata/jws.key"))
+	if err != nil {
+		t.Fatalf("Could not sign the claims: %s", err)
+	}
+	return s
+}
+
+func readPrivateKey(t *testing.T, name string) *rsa.PrivateKey {
+	t.Helper()
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		t.Fatalf("could not read the file: %s", err)
+	}
+	block, rest := pem.Decode(b)
+	if block == nil {
+		t.Fatalf("could not decode PEM")
+	}
+	if len(rest) > 0 {
+		t.Fatalf("PEM should contain single key but multiple keys")
+	}
+	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		t.Fatalf("could not parse the key: %s", err)
+	}
+	return k
+}
--- a/pkg/adaptors/oidc/factory.go
+++ b/pkg/adaptors/oidc/factory.go
@@ -0,0 +1,122 @@
+package oidc
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/coreos/go-oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc/logging"
+	"golang.org/x/oauth2"
+	"golang.org/x/xerrors"
+)
+
+type FactoryInterface interface {
+	New(ctx context.Context, config ClientConfig) (Interface, error)
+}
+
+// ClientConfig represents a configuration of an Interface to create.
+type ClientConfig struct {
+	Config         kubeconfig.OIDCConfig
+	CACertFilename string
+	SkipTLSVerify  bool
+}
+
+type Factory struct {
+	Logger logger.Interface
+}
+
+// New returns an instance of adaptors.Interface with the given configuration.
+func (f *Factory) New(ctx context.Context, config ClientConfig) (Interface, error) {
+	tlsConfig, err := f.tlsConfigFor(config)
+	if err != nil {
+		return nil, xerrors.Errorf("could not initialize TLS config: %w", err)
+	}
+	baseTransport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	loggingTransport := &logging.Transport{
+		Base:   baseTransport,
+		Logger: f.Logger,
+	}
+	httpClient := &http.Client{
+		Transport: loggingTransport,
+	}
+
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	provider, err := oidc.NewProvider(ctx, config.Config.IDPIssuerURL)
+	if err != nil {
+		return nil, xerrors.Errorf("could not discovery the OIDCFactory issuer: %w", err)
+	}
+	return &client{
+		httpClient: httpClient,
+		provider:   provider,
+		oauth2Config: oauth2.Config{
+			Endpoint:     provider.Endpoint(),
+			ClientID:     config.Config.ClientID,
+			ClientSecret: config.Config.ClientSecret,
+			Scopes:       append(config.Config.ExtraScopes, oidc.ScopeOpenID),
+		},
+		logger: f.Logger,
+	}, nil
+}
+
+func (f *Factory) tlsConfigFor(config ClientConfig) (*tls.Config, error) {
+	pool := x509.NewCertPool()
+	if config.Config.IDPCertificateAuthority != "" {
+		f.Logger.V(1).Infof("loading the certificate %s", config.Config.IDPCertificateAuthority)
+		err := appendCertificateFromFile(pool, config.Config.IDPCertificateAuthority)
+		if err != nil {
+			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority: %w", err)
+		}
+	}
+	if config.Config.IDPCertificateAuthorityData != "" {
+		f.Logger.V(1).Infof("loading the certificate of idp-certificate-authority-data")
+		err := appendEncodedCertificate(pool, config.Config.IDPCertificateAuthorityData)
+		if err != nil {
+			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority-data: %w", err)
+		}
+	}
+	if config.CACertFilename != "" {
+		f.Logger.V(1).Infof("loading the certificate %s", config.CACertFilename)
+		err := appendCertificateFromFile(pool, config.CACertFilename)
+		if err != nil {
+			return nil, xerrors.Errorf("could not load the certificate: %w", err)
+		}
+	}
+	c := &tls.Config{
+		InsecureSkipVerify: config.SkipTLSVerify,
+	}
+	if len(pool.Subjects()) > 0 {
+		c.RootCAs = pool
+	}
+	return c, nil
+}
+
+func appendCertificateFromFile(pool *x509.CertPool, filename string) error {
+	b, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return xerrors.Errorf("could not read %s: %w", filename, err)
+	}
+	if !pool.AppendCertsFromPEM(b) {
+		return xerrors.Errorf("could not append certificate from %s", filename)
+	}
+	return nil
+}
+
+func appendEncodedCertificate(pool *x509.CertPool, base64String string) error {
+	b, err := base64.StdEncoding.DecodeString(base64String)
+	if err != nil {
+		return xerrors.Errorf("could not decode base64: %w", err)
+	}
+	if !pool.AppendCertsFromPEM(b) {
+		return xerrors.Errorf("could not append certificate")
+	}
+	return nil
+}
--- a/pkg/adaptors/oidc/factory_test.go
+++ b/pkg/adaptors/oidc/factory_test.go
@@ -1,20 +1,19 @@
-package tls
+package oidc

 import (
 	"io/ioutil"
 	"testing"

-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/e2e_test/logger"
-	"github.com/int128/kubelogin/models/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
 )

-func TestNewConfig(t *testing.T) {
-	testingLogger := logger.New(t)
-	testingLogger.SetLevel(1)
+func TestFactory_tlsConfigFor(t *testing.T) {
+	testingLogger := mock_logger.New(t)
+	factory := &Factory{Logger: testingLogger}

 	t.Run("Defaults", func(t *testing.T) {
-		c, err := NewConfig(adaptors.OIDCClientConfig{}, testingLogger)
+		c, err := factory.tlsConfigFor(ClientConfig{})
 		if err != nil {
 			t.Fatalf("NewConfig error: %+v", err)
 		}
@@ -26,10 +25,10 @@ func TestNewConfig(t *testing.T) {
 		}
 	})
 	t.Run("SkipTLSVerify", func(t *testing.T) {
-		config := adaptors.OIDCClientConfig{
+		config := ClientConfig{
 			SkipTLSVerify: true,
 		}
-		c, err := NewConfig(config, testingLogger)
+		c, err := factory.tlsConfigFor(config)
 		if err != nil {
 			t.Fatalf("NewConfig error: %+v", err)
 		}
@@ -41,14 +40,14 @@ func TestNewConfig(t *testing.T) {
 		}
 	})
 	t.Run("AllCertificates", func(t *testing.T) {
-		config := adaptors.OIDCClientConfig{
+		config := ClientConfig{
 			Config: kubeconfig.OIDCConfig{
-				IDPCertificateAuthority:     "testdata/ca1.crt",
-				IDPCertificateAuthorityData: string(readFile(t, "testdata/ca2.crt.base64")),
+				IDPCertificateAuthority:     "testdata/tls/ca1.crt",
+				IDPCertificateAuthorityData: string(readFile(t, "testdata/tls/ca2.crt.base64")),
 			},
-			CACertFilename: "testdata/ca3.crt",
+			CACertFilename: "testdata/tls/ca3.crt",
 		}
-		c, err := NewConfig(config, testingLogger)
+		c, err := factory.tlsConfigFor(config)
 		if err != nil {
 			t.Fatalf("NewConfig error: %+v", err)
 		}
@@ -64,14 +63,14 @@ func TestNewConfig(t *testing.T) {
 		}
 	})
 	t.Run("InvalidCertificate", func(t *testing.T) {
-		config := adaptors.OIDCClientConfig{
+		config := ClientConfig{
 			Config: kubeconfig.OIDCConfig{
-				IDPCertificateAuthority:     "testdata/ca1.crt",
-				IDPCertificateAuthorityData: string(readFile(t, "testdata/ca2.crt.base64")),
+				IDPCertificateAuthority:     "testdata/tls/ca1.crt",
+				IDPCertificateAuthorityData: string(readFile(t, "testdata/tls/ca2.crt.base64")),
 			},
 			CACertFilename: "testdata/Makefile", // invalid cert
 		}
-		_, err := NewConfig(config, testingLogger)
+		_, err := factory.tlsConfigFor(config)
 		if err == nil {
 			t.Fatalf("NewConfig wants non-nil but nil")
 		}
--- a/pkg/adaptors/oidc/logging/transport.go
+++ b/pkg/adaptors/oidc/logging/transport.go
@@ -0,0 +1,42 @@
+package logging
+
+import (
+	"net/http"
+	"net/http/httputil"
+
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+)
+
+const (
+	levelDumpHeaders = 2
+	levelDumpBody    = 3
+)
+
+type Transport struct {
+	Base   http.RoundTripper
+	Logger logger.Interface
+}
+
+func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if !t.Logger.IsEnabled(levelDumpHeaders) {
+		return t.Base.RoundTrip(req)
+	}
+
+	reqDump, err := httputil.DumpRequestOut(req, t.Logger.IsEnabled(levelDumpBody))
+	if err != nil {
+		t.Logger.V(levelDumpHeaders).Infof("could not dump the request: %s", err)
+		return t.Base.RoundTrip(req)
+	}
+	t.Logger.V(levelDumpHeaders).Infof("%s", string(reqDump))
+	resp, err := t.Base.RoundTrip(req)
+	if err != nil {
+		return resp, err
+	}
+	respDump, err := httputil.DumpResponse(resp, t.Logger.IsEnabled(levelDumpBody))
+	if err != nil {
+		t.Logger.V(levelDumpHeaders).Infof("could not dump the response: %s", err)
+		return resp, err
+	}
+	t.Logger.V(levelDumpHeaders).Infof("%s", string(respDump))
+	return resp, err
+}
--- a/pkg/adaptors/oidc/logging/transport_test.go
+++ b/pkg/adaptors/oidc/logging/transport_test.go
@@ -0,0 +1,49 @@
+package logging
+
+import (
+	"bufio"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+)
+
+type mockTransport struct {
+	req  *http.Request
+	resp *http.Response
+}
+
+func (t *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	t.req = req
+	return t.resp, nil
+}
+
+func TestLoggingTransport_RoundTrip(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	req := httptest.NewRequest("GET", "http://example.com/hello", nil)
+	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(`HTTP/1.1 200 OK
+Host: example.com
+
+dummy`)), req)
+	if err != nil {
+		t.Errorf("could not create a response: %s", err)
+	}
+	defer resp.Body.Close()
+
+	transport := &Transport{
+		Base:   &mockTransport{resp: resp},
+		Logger: mock_logger.New(t),
+	}
+	gotResp, err := transport.RoundTrip(req)
+	if err != nil {
+		t.Errorf("RoundTrip error: %s", err)
+	}
+	if gotResp != resp {
+		t.Errorf("resp wants %v but %v", resp, gotResp)
+	}
+}
--- a/pkg/adaptors/oidc/mock_oidc/mock_oidc.go
+++ b/pkg/adaptors/oidc/mock_oidc/mock_oidc.go
@@ -0,0 +1,146 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/oidc (interfaces: FactoryInterface,Interface,DecoderInterface)
+
+// Package mock_oidc is a generated GoMock package.
+package mock_oidc
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	oidc "github.com/int128/kubelogin/pkg/adaptors/oidc"
+	reflect "reflect"
+)
+
+// MockFactoryInterface is a mock of FactoryInterface interface
+type MockFactoryInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockFactoryInterfaceMockRecorder
+}
+
+// MockFactoryInterfaceMockRecorder is the mock recorder for MockFactoryInterface
+type MockFactoryInterfaceMockRecorder struct {
+	mock *MockFactoryInterface
+}
+
+// NewMockFactoryInterface creates a new mock instance
+func NewMockFactoryInterface(ctrl *gomock.Controller) *MockFactoryInterface {
+	mock := &MockFactoryInterface{ctrl: ctrl}
+	mock.recorder = &MockFactoryInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockFactoryInterface) EXPECT() *MockFactoryInterfaceMockRecorder {
+	return m.recorder
+}
+
+// New mocks base method
+func (m *MockFactoryInterface) New(arg0 context.Context, arg1 oidc.ClientConfig) (oidc.Interface, error) {
+	ret := m.ctrl.Call(m, "New", arg0, arg1)
+	ret0, _ := ret[0].(oidc.Interface)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// New indicates an expected call of New
+func (mr *MockFactoryInterfaceMockRecorder) New(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockFactoryInterface)(nil).New), arg0, arg1)
+}
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// AuthenticateByCode mocks base method
+func (m *MockInterface) AuthenticateByCode(arg0 context.Context, arg1 []int, arg2 chan<- string) (*oidc.TokenSet, error) {
+	ret := m.ctrl.Call(m, "AuthenticateByCode", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AuthenticateByCode indicates an expected call of AuthenticateByCode
+func (mr *MockInterfaceMockRecorder) AuthenticateByCode(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByCode", reflect.TypeOf((*MockInterface)(nil).AuthenticateByCode), arg0, arg1, arg2)
+}
+
+// AuthenticateByPassword mocks base method
+func (m *MockInterface) AuthenticateByPassword(arg0 context.Context, arg1, arg2 string) (*oidc.TokenSet, error) {
+	ret := m.ctrl.Call(m, "AuthenticateByPassword", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AuthenticateByPassword indicates an expected call of AuthenticateByPassword
+func (mr *MockInterfaceMockRecorder) AuthenticateByPassword(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByPassword", reflect.TypeOf((*MockInterface)(nil).AuthenticateByPassword), arg0, arg1, arg2)
+}
+
+// Refresh mocks base method
+func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidc.TokenSet, error) {
+	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
+	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Refresh indicates an expected call of Refresh
+func (mr *MockInterfaceMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockInterface)(nil).Refresh), arg0, arg1)
+}
+
+// MockDecoderInterface is a mock of DecoderInterface interface
+type MockDecoderInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockDecoderInterfaceMockRecorder
+}
+
+// MockDecoderInterfaceMockRecorder is the mock recorder for MockDecoderInterface
+type MockDecoderInterfaceMockRecorder struct {
+	mock *MockDecoderInterface
+}
+
+// NewMockDecoderInterface creates a new mock instance
+func NewMockDecoderInterface(ctrl *gomock.Controller) *MockDecoderInterface {
+	mock := &MockDecoderInterface{ctrl: ctrl}
+	mock.recorder = &MockDecoderInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockDecoderInterface) EXPECT() *MockDecoderInterfaceMockRecorder {
+	return m.recorder
+}
+
+// DecodeIDToken mocks base method
+func (m *MockDecoderInterface) DecodeIDToken(arg0 string) (*oidc.DecodedIDToken, error) {
+	ret := m.ctrl.Call(m, "DecodeIDToken", arg0)
+	ret0, _ := ret[0].(*oidc.DecodedIDToken)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// DecodeIDToken indicates an expected call of DecodeIDToken
+func (mr *MockDecoderInterfaceMockRecorder) DecodeIDToken(arg0 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DecodeIDToken", reflect.TypeOf((*MockDecoderInterface)(nil).DecodeIDToken), arg0)
+}
--- a/pkg/adaptors/oidc/oidc.go
+++ b/pkg/adaptors/oidc/oidc.go
@@ -0,0 +1,15 @@
+package oidc
+
+import (
+	"github.com/google/wire"
+)
+
+//go:generate mockgen -destination mock_oidc/mock_oidc.go github.com/int128/kubelogin/pkg/adaptors/oidc FactoryInterface,Interface,DecoderInterface
+
+// Set provides an implementation and interface for OIDC.
+var Set = wire.NewSet(
+	wire.Struct(new(Factory), "*"),
+	wire.Bind(new(FactoryInterface), new(*Factory)),
+	wire.Struct(new(Decoder)),
+	wire.Bind(new(DecoderInterface), new(*Decoder)),
+)
--- a/pkg/adaptors/oidc/testdata/Makefile
+++ b/pkg/adaptors/oidc/testdata/Makefile
@@ -0,0 +1,8 @@
+all: jws.key
+
+jws.key:
+	openssl genrsa -out $@ 1024
+
+.PHONY: clean
+clean:
+	-rm -v jws.key
--- a/pkg/adaptors/oidc/testdata/jws.key
+++ b/pkg/adaptors/oidc/testdata/jws.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCrH34yA/f/sBOUlkYnRtd2jgDZ3WivhidqvoQaa73xqTazbkn6
+GZ9r7jx0CGLRV2bmErj2WoyT54yrhezrKh0YXAHlrwLdsmV4dwiV0lOfUJd9P/vF
+e2hiAWv4CcO9ZuNkTsrxM5W8Wdj2tjqOvsIn4We+HWPkpknT7VtT5RrumwIDAQAB
+AoGAFqy5oA7+kZbXQV0YNqQgcMkoO7Ym5Ps1xeMwxf94z8jIQsZebxFuGnMa95UU
+4wBd1ias85fUANUxwpigaBjQee5Hk+dnfUe1snUWYNm9H6tKrXEF8ajer3a2knEv
+GfK0CSEumFougfW2xG88ChGTS60wc+MIRfXERCvWpGm/5EECQQDdv5IBSi89g/R1
+5AGZKFCoqr6Zw5bWEKPzCCYJZzncR1ER9vP2AnMExM8Io/87WYvmpZIUrXJvQYm8
+hkfVOcBZAkEAxY4VcqmRWru3zmnbj21MwcwtgESaONkWsHeYs1C/Y/3zt7TuelYz
+ZJ9aUuUsaiJLEs9Y26nMt0L0snWGr2noEwJBANaDp1PWFyMUTt3pB17JcFXqb15C
+pt1I1cGapWk9Uez1lMijNNhNAEWhuoKqW5Nnif5DN7EHJYfZR8x3vm/YYWkCQHAA
+0iAkCwjKDLe2RIjYiwAE5ncmbdl1GuwJokVnrlrei+LHbb1mSdTuk6MT006JCs8r
+R1GivzHXgCv9fdLN1IkCQHxRvv9RPND80eEkdMv4qu0s22OLRhLQ/pb+YeT5Cjjv
+pJYWKrvXdRZcuNde9JiiTgK2UW1wM8KeD/EGvK2yF6M=
+-----END RSA PRIVATE KEY-----
--- a/pkg/adaptors/oidc/testdata/tls/Makefile
+++ b/pkg/adaptors/oidc/testdata/tls/Makefile
@@ -1,9 +1,8 @@
-.PHONY: clean
-
 all: ca1.crt ca1.crt.base64 ca2.crt ca2.crt.base64 ca3.crt ca3.crt.base64

+.PHONY: clean
 clean:
-	rm -v *.key *.csr *.crt *.base64
+	-rm -v *.key *.csr *.crt *.base64

 %.key:
 	openssl genrsa -out $@ 1024
--- a/pkg/adaptors/oidc/testdata/tls/ca1.crt
+++ b/pkg/adaptors/oidc/testdata/tls/ca1.crt
--- a/pkg/adaptors/oidc/testdata/tls/ca1.crt.base64
+++ b/pkg/adaptors/oidc/testdata/tls/ca1.crt.base64
--- a/pkg/adaptors/oidc/testdata/tls/ca2.crt
+++ b/pkg/adaptors/oidc/testdata/tls/ca2.crt
--- a/pkg/adaptors/oidc/testdata/tls/ca2.crt.base64
+++ b/pkg/adaptors/oidc/testdata/tls/ca2.crt.base64
--- a/pkg/adaptors/oidc/testdata/tls/ca3.crt
+++ b/pkg/adaptors/oidc/testdata/tls/ca3.crt
--- a/pkg/adaptors/oidc/testdata/tls/ca3.crt.base64
+++ b/pkg/adaptors/oidc/testdata/tls/ca3.crt.base64
--- a/pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go
+++ b/pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go
@@ -0,0 +1,59 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/tokencache (interfaces: Interface)
+
+// Package mock_tokencache is a generated GoMock package.
+package mock_tokencache
+
+import (
+	gomock "github.com/golang/mock/gomock"
+	tokencache "github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// FindByKey mocks base method
+func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache.TokenCache, error) {
+	ret := m.ctrl.Call(m, "FindByKey", arg0, arg1)
+	ret0, _ := ret[0].(*tokencache.TokenCache)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// FindByKey indicates an expected call of FindByKey
+func (mr *MockInterfaceMockRecorder) FindByKey(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindByKey", reflect.TypeOf((*MockInterface)(nil).FindByKey), arg0, arg1)
+}
+
+// Save mocks base method
+func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.TokenCache) error {
+	ret := m.ctrl.Call(m, "Save", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Save indicates an expected call of Save
+func (mr *MockInterfaceMockRecorder) Save(arg0, arg1, arg2 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Save", reflect.TypeOf((*MockInterface)(nil).Save), arg0, arg1, arg2)
+}
--- a/pkg/adaptors/tokencache/tokencache.go
+++ b/pkg/adaptors/tokencache/tokencache.go
@@ -0,0 +1,81 @@
+package tokencache
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"os"
+	"path/filepath"
+
+	"github.com/google/wire"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_tokencache/mock_tokencache.go github.com/int128/kubelogin/pkg/adaptors/tokencache Interface
+
+// Set provides an implementation and interface for Kubeconfig.
+var Set = wire.NewSet(
+	wire.Struct(new(Repository), "*"),
+	wire.Bind(new(Interface), new(*Repository)),
+)
+
+type Interface interface {
+	FindByKey(dir string, key Key) (*TokenCache, error)
+	Save(dir string, key Key, cache TokenCache) error
+}
+
+// Key represents a key of a token cache.
+type Key struct {
+	IssuerURL string
+	ClientID  string
+}
+
+// TokenCache represents a token cache.
+type TokenCache struct {
+	IDToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+}
+
+// Repository provides access to the token cache on the local filesystem.
+// Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
+type Repository struct{}
+
+func (r *Repository) FindByKey(dir string, key Key) (*TokenCache, error) {
+	filename := filepath.Join(dir, computeFilename(key))
+	f, err := os.Open(filename)
+	if err != nil {
+		return nil, xerrors.Errorf("could not open file %s: %w", filename, err)
+	}
+	defer f.Close()
+	d := json.NewDecoder(f)
+	var c TokenCache
+	if err := d.Decode(&c); err != nil {
+		return nil, xerrors.Errorf("could not decode json file %s: %w", filename, err)
+	}
+	return &c, nil
+}
+
+func (r *Repository) Save(dir string, key Key, cache TokenCache) error {
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return xerrors.Errorf("could not create directory %s: %w", dir, err)
+	}
+	filename := filepath.Join(dir, computeFilename(key))
+	f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return xerrors.Errorf("could not create file %s: %w", filename, err)
+	}
+	defer f.Close()
+	e := json.NewEncoder(f)
+	if err := e.Encode(&cache); err != nil {
+		return xerrors.Errorf("could not encode json to file %s: %w", filename, err)
+	}
+	return nil
+}
+
+func computeFilename(key Key) string {
+	s := sha256.New()
+	_, _ = s.Write([]byte(key.IssuerURL))
+	_, _ = s.Write([]byte{0x00})
+	_, _ = s.Write([]byte(key.ClientID))
+	return hex.EncodeToString(s.Sum(nil))
+}
--- a/pkg/adaptors/tokencache/tokencache_test.go
+++ b/pkg/adaptors/tokencache/tokencache_test.go
@@ -7,10 +7,9 @@ import (
 	"testing"

 	"github.com/go-test/deep"
-	"github.com/int128/kubelogin/models/credentialplugin"
 )

-func TestRepository_Read(t *testing.T) {
+func TestRepository_FindByKey(t *testing.T) {
 	var r Repository

 	t.Run("Success", func(t *testing.T) {
@@ -23,24 +22,28 @@ func TestRepository_Read(t *testing.T) {
 				t.Errorf("could not clean up the temp dir: %s", err)
 			}
 		}()
+		key := Key{
+			IssuerURL: "YOUR_ISSUER",
+			ClientID:  "YOUR_CLIENT_ID",
+		}
 		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename := filepath.Join(dir, "token-cache")
+		filename := filepath.Join(dir, computeFilename(key))
 		if err := ioutil.WriteFile(filename, []byte(json), 0600); err != nil {
 			t.Fatalf("could not write to the temp file: %s", err)
 		}

-		tokenCache, err := r.Read(filename)
+		tokenCache, err := r.FindByKey(dir, key)
 		if err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}
-		want := &credentialplugin.TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
+		want := &TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
 		if diff := deep.Equal(tokenCache, want); diff != nil {
 			t.Error(diff)
 		}
 	})
 }

-func TestRepository_Write(t *testing.T) {
+func TestRepository_Save(t *testing.T) {
 	var r Repository

 	t.Run("Success", func(t *testing.T) {
@@ -54,12 +57,16 @@ func TestRepository_Write(t *testing.T) {
 			}
 		}()

-		filename := filepath.Join(dir, "token-cache")
-		tokenCache := credentialplugin.TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Write(filename, tokenCache); err != nil {
+		key := Key{
+			IssuerURL: "YOUR_ISSUER",
+			ClientID:  "YOUR_CLIENT_ID",
+		}
+		tokenCache := TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
+		if err := r.Save(dir, key, tokenCache); err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}

+		filename := filepath.Join(dir, computeFilename(key))
 		b, err := ioutil.ReadFile(filename)
 		if err != nil {
 			t.Fatalf("could not read the token cache file: %s", err)
--- a/pkg/di/di.go
+++ b/pkg/di/di.go
@@ -0,0 +1,58 @@
+//+build wireinject
+
+// Package di provides dependency injection.
+package di
+
+import (
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/cmd"
+	credentialPluginAdaptor "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/env"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	credentialPluginUseCase "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/setup"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+)
+
+// NewCmd returns an instance of adaptors.Cmd.
+func NewCmd() cmd.Interface {
+	wire.Build(
+		// use-cases
+		auth.Set,
+		wire.Value(auth.DefaultLocalServerReadyFunc),
+		standalone.Set,
+		credentialPluginUseCase.Set,
+		setup.Set,
+
+		// adaptors
+		cmd.Set,
+		env.Set,
+		kubeconfig.Set,
+		tokencache.Set,
+		credentialPluginAdaptor.Set,
+		oidc.Set,
+		logger.Set,
+	)
+	return nil
+}
+
+// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
+func NewCmdForHeadless(logger.Interface, auth.LocalServerReadyFunc, credentialPluginAdaptor.Interface) cmd.Interface {
+	wire.Build(
+		auth.Set,
+		standalone.Set,
+		credentialPluginUseCase.Set,
+		setup.Set,
+
+		cmd.Set,
+		env.Set,
+		kubeconfig.Set,
+		tokencache.Set,
+		oidc.Set,
+	)
+	return nil
+}
--- a/pkg/di/wire_gen.go
+++ b/pkg/di/wire_gen.go
@@ -0,0 +1,129 @@
+// Code generated by Wire. DO NOT EDIT.
+
+//go:generate wire
+//+build !wireinject
+
+package di
+
+import (
+	"github.com/int128/kubelogin/pkg/adaptors/cmd"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/env"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	credentialplugin2 "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/setup"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+)
+
+// Injectors from di.go:
+
+func NewCmd() cmd.Interface {
+	loggerInterface := logger.New()
+	factory := &oidc.Factory{
+		Logger: loggerInterface,
+	}
+	decoder := &oidc.Decoder{}
+	envEnv := &env.Env{}
+	localServerReadyFunc := _wireLocalServerReadyFuncValue
+	authentication := &auth.Authentication{
+		OIDCFactory:          factory,
+		OIDCDecoder:          decoder,
+		Env:                  envEnv,
+		Logger:               loggerInterface,
+		LocalServerReadyFunc: localServerReadyFunc,
+	}
+	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
+	standaloneStandalone := &standalone.Standalone{
+		Authentication: authentication,
+		Kubeconfig:     kubeconfigKubeconfig,
+		Logger:         loggerInterface,
+	}
+	root := &cmd.Root{
+		Standalone: standaloneStandalone,
+		Logger:     loggerInterface,
+	}
+	repository := &tokencache.Repository{}
+	interaction := &credentialplugin.Interaction{}
+	getToken := &credentialplugin2.GetToken{
+		Authentication:       authentication,
+		TokenCacheRepository: repository,
+		Interaction:          interaction,
+		Logger:               loggerInterface,
+	}
+	cmdGetToken := &cmd.GetToken{
+		GetToken: getToken,
+		Logger:   loggerInterface,
+	}
+	setupSetup := &setup.Setup{
+		Authentication: authentication,
+		Logger:         loggerInterface,
+	}
+	cmdSetup := &cmd.Setup{
+		Setup: setupSetup,
+	}
+	cmdCmd := &cmd.Cmd{
+		Root:     root,
+		GetToken: cmdGetToken,
+		Setup:    cmdSetup,
+		Logger:   loggerInterface,
+	}
+	return cmdCmd
+}
+
+var (
+	_wireLocalServerReadyFuncValue = auth.DefaultLocalServerReadyFunc
+)
+
+func NewCmdForHeadless(loggerInterface logger.Interface, localServerReadyFunc auth.LocalServerReadyFunc, credentialpluginInterface credentialplugin.Interface) cmd.Interface {
+	factory := &oidc.Factory{
+		Logger: loggerInterface,
+	}
+	decoder := &oidc.Decoder{}
+	envEnv := &env.Env{}
+	authentication := &auth.Authentication{
+		OIDCFactory:          factory,
+		OIDCDecoder:          decoder,
+		Env:                  envEnv,
+		Logger:               loggerInterface,
+		LocalServerReadyFunc: localServerReadyFunc,
+	}
+	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{}
+	standaloneStandalone := &standalone.Standalone{
+		Authentication: authentication,
+		Kubeconfig:     kubeconfigKubeconfig,
+		Logger:         loggerInterface,
+	}
+	root := &cmd.Root{
+		Standalone: standaloneStandalone,
+		Logger:     loggerInterface,
+	}
+	repository := &tokencache.Repository{}
+	getToken := &credentialplugin2.GetToken{
+		Authentication:       authentication,
+		TokenCacheRepository: repository,
+		Interaction:          credentialpluginInterface,
+		Logger:               loggerInterface,
+	}
+	cmdGetToken := &cmd.GetToken{
+		GetToken: getToken,
+		Logger:   loggerInterface,
+	}
+	setupSetup := &setup.Setup{
+		Authentication: authentication,
+		Logger:         loggerInterface,
+	}
+	cmdSetup := &cmd.Setup{
+		Setup: setupSetup,
+	}
+	cmdCmd := &cmd.Cmd{
+		Root:     root,
+		GetToken: cmdGetToken,
+		Setup:    cmdSetup,
+		Logger:   loggerInterface,
+	}
+	return cmdCmd
+}
--- a/pkg/usecases/auth/auth.go
+++ b/pkg/usecases/auth/auth.go
@@ -0,0 +1,200 @@
+package auth
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/env"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc"
+	"golang.org/x/sync/errgroup"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_auth/mock_auth.go github.com/int128/kubelogin/pkg/usecases/auth Interface
+
+// Set provides the use-case of Authentication.
+var Set = wire.NewSet(
+	wire.Struct(new(Authentication), "*"),
+	wire.Bind(new(Interface), new(*Authentication)),
+)
+
+// LocalServerReadyFunc provides an extension point for e2e tests.
+type LocalServerReadyFunc func(url string)
+
+// DefaultLocalServerReadyFunc is the default noop function.
+var DefaultLocalServerReadyFunc = LocalServerReadyFunc(nil)
+
+type Interface interface {
+	Do(ctx context.Context, in Input) (*Output, error)
+}
+
+// Input represents an input DTO of the Authentication use-case.
+type Input struct {
+	OIDCConfig      kubeconfig.OIDCConfig
+	SkipOpenBrowser bool
+	ListenPort      []int
+	Username        string // If set, perform the resource owner password credentials grant
+	Password        string // If empty, read a password using Env.ReadPassword()
+	CACertFilename  string // If set, use the CA cert
+	SkipTLSVerify   bool
+}
+
+// Output represents an output DTO of the Authentication use-case.
+type Output struct {
+	AlreadyHasValidIDToken bool
+	IDTokenSubject         string
+	IDTokenExpiry          time.Time
+	IDTokenClaims          map[string]string
+	IDToken                string
+	RefreshToken           string
+}
+
+const passwordPrompt = "Password: "
+
+// Authentication provides the internal use-case of authentication.
+//
+// If the IDToken is not set, it performs the authentication flow.
+// If the IDToken is valid, it does nothing.
+// If the IDtoken has expired and the RefreshToken is set, it refreshes the token.
+// If the RefreshToken has expired, it performs the authentication flow.
+//
+// The authentication flow is determined as:
+//
+// If the Username is not set, it performs the authorization code flow.
+// Otherwise, it performs the resource owner password credentials flow.
+// If the Password is not set, it asks a password by the prompt.
+//
+type Authentication struct {
+	OIDCFactory          oidc.FactoryInterface
+	OIDCDecoder          oidc.DecoderInterface
+	Env                  env.Interface
+	Logger               logger.Interface
+	LocalServerReadyFunc LocalServerReadyFunc // only for e2e tests
+}
+
+func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
+	if in.OIDCConfig.IDToken != "" {
+		u.Logger.V(1).Infof("checking expiration of the existing token")
+		// Skip verification of the token to reduce time of a discovery request.
+		// Here it trusts the signature and claims and checks only expiration,
+		// because the token has been verified before caching.
+		token, err := u.OIDCDecoder.DecodeIDToken(in.OIDCConfig.IDToken)
+		if err != nil {
+			return nil, xerrors.Errorf("invalid token and you need to remove the cache: %w", err)
+		}
+		if token.Expiry.After(time.Now()) { //TODO: inject time service
+			u.Logger.V(1).Infof("you already have a valid token until %s", token.Expiry)
+			return &Output{
+				AlreadyHasValidIDToken: true,
+				IDToken:                in.OIDCConfig.IDToken,
+				RefreshToken:           in.OIDCConfig.RefreshToken,
+				IDTokenSubject:         token.Subject,
+				IDTokenExpiry:          token.Expiry,
+				IDTokenClaims:          token.Claims,
+			}, nil
+		}
+		u.Logger.V(1).Infof("you have an expired token at %s", token.Expiry)
+	}
+
+	u.Logger.V(1).Infof("initializing an OIDCFactory client")
+	client, err := u.OIDCFactory.New(ctx, oidc.ClientConfig{
+		Config:         in.OIDCConfig,
+		CACertFilename: in.CACertFilename,
+		SkipTLSVerify:  in.SkipTLSVerify,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("could not create an OIDCFactory client: %w", err)
+	}
+
+	if in.OIDCConfig.RefreshToken != "" {
+		u.Logger.V(1).Infof("refreshing the token")
+		out, err := client.Refresh(ctx, in.OIDCConfig.RefreshToken)
+		if err == nil {
+			return &Output{
+				IDToken:        out.IDToken,
+				RefreshToken:   out.RefreshToken,
+				IDTokenSubject: out.IDTokenSubject,
+				IDTokenExpiry:  out.IDTokenExpiry,
+				IDTokenClaims:  out.IDTokenClaims,
+			}, nil
+		}
+		u.Logger.V(1).Infof("could not refresh the token: %s", err)
+	}
+
+	if in.Username == "" {
+		return u.doAuthCodeFlow(ctx, in, client)
+	}
+	return u.doPasswordCredentialsFlow(ctx, in, client)
+}
+
+func (u *Authentication) doAuthCodeFlow(ctx context.Context, in Input, client oidc.Interface) (*Output, error) {
+	u.Logger.V(1).Infof("performing the authentication code flow")
+	readyChan := make(chan string, 1)
+	defer close(readyChan)
+	var out Output
+	eg, ctx := errgroup.WithContext(ctx)
+	eg.Go(func() error {
+		select {
+		case url, ok := <-readyChan:
+			if !ok {
+				return nil
+			}
+			u.Logger.Printf("Open %s for authentication", url)
+			if u.LocalServerReadyFunc != nil {
+				u.LocalServerReadyFunc(url)
+			}
+			if in.SkipOpenBrowser {
+				return nil
+			}
+			if err := u.Env.OpenBrowser(url); err != nil {
+				u.Logger.V(1).Infof("could not open the browser: %s", err)
+			}
+			return nil
+		case <-ctx.Done():
+			return xerrors.Errorf("context cancelled while waiting for the local server: %w", ctx.Err())
+		}
+	})
+	eg.Go(func() error {
+		tokenSet, err := client.AuthenticateByCode(ctx, in.ListenPort, readyChan)
+		if err != nil {
+			return xerrors.Errorf("error while the authorization code flow: %w", err)
+		}
+		out = Output{
+			IDToken:        tokenSet.IDToken,
+			RefreshToken:   tokenSet.RefreshToken,
+			IDTokenSubject: tokenSet.IDTokenSubject,
+			IDTokenExpiry:  tokenSet.IDTokenExpiry,
+			IDTokenClaims:  tokenSet.IDTokenClaims,
+		}
+		return nil
+	})
+	if err := eg.Wait(); err != nil {
+		return nil, xerrors.Errorf("error while the authorization code flow: %w", err)
+	}
+	return &out, nil
+}
+
+func (u *Authentication) doPasswordCredentialsFlow(ctx context.Context, in Input, client oidc.Interface) (*Output, error) {
+	u.Logger.V(1).Infof("performing the resource owner password credentials flow")
+	if in.Password == "" {
+		var err error
+		in.Password, err = u.Env.ReadPassword(passwordPrompt)
+		if err != nil {
+			return nil, xerrors.Errorf("could not read a password: %w", err)
+		}
+	}
+	tokenSet, err := client.AuthenticateByPassword(ctx, in.Username, in.Password)
+	if err != nil {
+		return nil, xerrors.Errorf("error while the resource owner password credentials flow: %w", err)
+	}
+	return &Output{
+		IDToken:        tokenSet.IDToken,
+		RefreshToken:   tokenSet.RefreshToken,
+		IDTokenSubject: tokenSet.IDTokenSubject,
+		IDTokenExpiry:  tokenSet.IDTokenExpiry,
+		IDTokenClaims:  tokenSet.IDTokenClaims,
+	}, nil
+}
--- a/pkg/usecases/auth/auth_test.go
+++ b/pkg/usecases/auth/auth_test.go
@@ -0,0 +1,435 @@
+package auth
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/go-test/deep"
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors/env/mock_env"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/oidc/mock_oidc"
+	"golang.org/x/xerrors"
+)
+
+func TestAuthentication_Do(t *testing.T) {
+	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
+	pastTime := time.Now().Add(-time.Hour)  //TODO: inject time service
+	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+	timeout := 5 * time.Second
+
+	t.Run("AuthorizationCodeFlow", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			ListenPort:      []int{10000},
+			SkipOpenBrowser: true,
+			CACertFilename:  "/path/to/cert",
+			SkipTLSVerify:   true,
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_oidc.NewMockInterface(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByCode(gomock.Any(), []int{10000}, gomock.Any()).
+			Do(func(_ context.Context, _ []int, readyChan chan<- string) {
+				readyChan <- "LOCAL_SERVER_URL"
+			}).
+			Return(&oidc.TokenSet{
+				IDToken:        "YOUR_ID_TOKEN",
+				RefreshToken:   "YOUR_REFRESH_TOKEN",
+				IDTokenSubject: "YOUR_SUBJECT",
+				IDTokenExpiry:  futureTime,
+				IDTokenClaims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{
+				Config:         in.OIDCConfig,
+				CACertFilename: "/path/to/cert",
+				SkipTLSVerify:  true,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			IDToken:        "YOUR_ID_TOKEN",
+			RefreshToken:   "YOUR_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  futureTime,
+			IDTokenClaims:  dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("AuthorizationCodeFlow/OpenBrowser", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			ListenPort: []int{10000},
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_oidc.NewMockInterface(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByCode(gomock.Any(), []int{10000}, gomock.Any()).
+			Do(func(_ context.Context, _ []int, readyChan chan<- string) {
+				readyChan <- "LOCAL_SERVER_URL"
+			}).
+			Return(&oidc.TokenSet{
+				IDToken:        "YOUR_ID_TOKEN",
+				RefreshToken:   "YOUR_REFRESH_TOKEN",
+				IDTokenSubject: "YOUR_SUBJECT",
+				IDTokenExpiry:  futureTime,
+				IDTokenClaims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{Config: in.OIDCConfig}).
+			Return(mockOIDCClient, nil)
+		mockEnv := mock_env.NewMockInterface(ctrl)
+		mockEnv.EXPECT().
+			OpenBrowser("LOCAL_SERVER_URL")
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			Logger:      mock_logger.New(t),
+			Env:         mockEnv,
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			IDToken:        "YOUR_ID_TOKEN",
+			RefreshToken:   "YOUR_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  futureTime,
+			IDTokenClaims:  dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ResourceOwnerPasswordCredentialsFlow/UsePassword", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			Username:       "USER",
+			Password:       "PASS",
+			CACertFilename: "/path/to/cert",
+			SkipTLSVerify:  true,
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_oidc.NewMockInterface(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByPassword(gomock.Any(), "USER", "PASS").
+			Return(&oidc.TokenSet{
+				IDToken:        "YOUR_ID_TOKEN",
+				RefreshToken:   "YOUR_REFRESH_TOKEN",
+				IDTokenSubject: "YOUR_SUBJECT",
+				IDTokenExpiry:  futureTime,
+				IDTokenClaims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{
+				Config:         in.OIDCConfig,
+				CACertFilename: "/path/to/cert",
+				SkipTLSVerify:  true,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			IDToken:        "YOUR_ID_TOKEN",
+			RefreshToken:   "YOUR_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  futureTime,
+			IDTokenClaims:  dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ResourceOwnerPasswordCredentialsFlow/AskPassword", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			Username: "USER",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCClient := mock_oidc.NewMockInterface(ctrl)
+		mockOIDCClient.EXPECT().
+			AuthenticateByPassword(gomock.Any(), "USER", "PASS").
+			Return(&oidc.TokenSet{
+				IDToken:        "YOUR_ID_TOKEN",
+				RefreshToken:   "YOUR_REFRESH_TOKEN",
+				IDTokenSubject: "YOUR_SUBJECT",
+				IDTokenExpiry:  futureTime,
+				IDTokenClaims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mockOIDCClient, nil)
+		mockEnv := mock_env.NewMockInterface(ctrl)
+		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			Env:         mockEnv,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			IDToken:        "YOUR_ID_TOKEN",
+			RefreshToken:   "YOUR_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  futureTime,
+			IDTokenClaims:  dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("ResourceOwnerPasswordCredentialsFlow/AskPasswordError", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			Username: "USER",
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mock_oidc.NewMockInterface(ctrl), nil)
+		mockEnv := mock_env.NewMockInterface(ctrl)
+		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("", xerrors.New("error"))
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			Env:         mockEnv,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err == nil {
+			t.Errorf("err wants non-nil but nil")
+		}
+		if out != nil {
+			t.Errorf("out wants nil but %+v", out)
+		}
+	})
+
+	t.Run("HasValidIDToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "VALID_ID_TOKEN",
+			},
+		}
+		mockOIDCDecoder := mock_oidc.NewMockDecoderInterface(ctrl)
+		mockOIDCDecoder.EXPECT().
+			DecodeIDToken("VALID_ID_TOKEN").
+			Return(&oidc.DecodedIDToken{
+				Subject: "YOUR_SUBJECT",
+				Expiry:  futureTime,
+				Claims:  dummyTokenClaims,
+			}, nil)
+		u := Authentication{
+			OIDCFactory: mock_oidc.NewMockFactoryInterface(ctrl),
+			OIDCDecoder: mockOIDCDecoder,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			AlreadyHasValidIDToken: true,
+			IDToken:                "VALID_ID_TOKEN",
+			IDTokenSubject:         "YOUR_SUBJECT",
+			IDTokenExpiry:          futureTime,
+			IDTokenClaims:          dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("HasValidRefreshToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "EXPIRED_ID_TOKEN",
+				RefreshToken: "VALID_REFRESH_TOKEN",
+			},
+		}
+		mockOIDCDecoder := mock_oidc.NewMockDecoderInterface(ctrl)
+		mockOIDCDecoder.EXPECT().
+			DecodeIDToken("EXPIRED_ID_TOKEN").
+			Return(&oidc.DecodedIDToken{
+				Subject: "YOUR_SUBJECT",
+				Expiry:  pastTime,
+				Claims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCClient := mock_oidc.NewMockInterface(ctrl)
+		mockOIDCClient.EXPECT().
+			Refresh(ctx, "VALID_REFRESH_TOKEN").
+			Return(&oidc.TokenSet{
+				IDToken:        "NEW_ID_TOKEN",
+				RefreshToken:   "NEW_REFRESH_TOKEN",
+				IDTokenSubject: "YOUR_SUBJECT",
+				IDTokenExpiry:  futureTime,
+				IDTokenClaims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			OIDCDecoder: mockOIDCDecoder,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			IDToken:        "NEW_ID_TOKEN",
+			RefreshToken:   "NEW_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  futureTime,
+			IDTokenClaims:  dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+
+	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		in := Input{
+			ListenPort:      []int{10000},
+			SkipOpenBrowser: true,
+			OIDCConfig: kubeconfig.OIDCConfig{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				IDToken:      "EXPIRED_ID_TOKEN",
+				RefreshToken: "EXPIRED_REFRESH_TOKEN",
+			},
+		}
+		mockOIDCDecoder := mock_oidc.NewMockDecoderInterface(ctrl)
+		mockOIDCDecoder.EXPECT().
+			DecodeIDToken("EXPIRED_ID_TOKEN").
+			Return(&oidc.DecodedIDToken{
+				Subject: "YOUR_SUBJECT",
+				Expiry:  pastTime,
+				Claims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCClient := mock_oidc.NewMockInterface(ctrl)
+		mockOIDCClient.EXPECT().
+			Refresh(ctx, "EXPIRED_REFRESH_TOKEN").
+			Return(nil, xerrors.New("token has expired"))
+		mockOIDCClient.EXPECT().
+			AuthenticateByCode(gomock.Any(), []int{10000}, gomock.Any()).
+			Do(func(_ context.Context, _ []int, readyChan chan<- string) {
+				readyChan <- "LOCAL_SERVER_URL"
+			}).
+			Return(&oidc.TokenSet{
+				IDToken:        "NEW_ID_TOKEN",
+				RefreshToken:   "NEW_REFRESH_TOKEN",
+				IDTokenSubject: "YOUR_SUBJECT",
+				IDTokenExpiry:  futureTime,
+				IDTokenClaims:  dummyTokenClaims,
+			}, nil)
+		mockOIDCFactory := mock_oidc.NewMockFactoryInterface(ctrl)
+		mockOIDCFactory.EXPECT().
+			New(ctx, oidc.ClientConfig{
+				Config: in.OIDCConfig,
+			}).
+			Return(mockOIDCClient, nil)
+		u := Authentication{
+			OIDCFactory: mockOIDCFactory,
+			OIDCDecoder: mockOIDCDecoder,
+			Logger:      mock_logger.New(t),
+		}
+		out, err := u.Do(ctx, in)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &Output{
+			IDToken:        "NEW_ID_TOKEN",
+			RefreshToken:   "NEW_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  futureTime,
+			IDTokenClaims:  dummyTokenClaims,
+		}
+		if diff := deep.Equal(want, out); diff != nil {
+			t.Error(diff)
+		}
+	})
+}
--- a/pkg/usecases/auth/mock_auth/mock_auth.go
+++ b/pkg/usecases/auth/mock_auth/mock_auth.go
@@ -0,0 +1,48 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/usecases/auth (interfaces: Interface)
+
+// Package mock_auth is a generated GoMock package.
+package mock_auth
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	auth "github.com/int128/kubelogin/pkg/usecases/auth"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Do mocks base method
+func (m *MockInterface) Do(arg0 context.Context, arg1 auth.Input) (*auth.Output, error) {
+	ret := m.ctrl.Call(m, "Do", arg0, arg1)
+	ret0, _ := ret[0].(*auth.Output)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Do indicates an expected call of Do
+func (mr *MockInterfaceMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockInterface)(nil).Do), arg0, arg1)
+}
--- a/pkg/usecases/credentialplugin/get_token.go
+++ b/pkg/usecases/credentialplugin/get_token.go
@@ -0,0 +1,109 @@
+// Package credentialplugin provides the use-cases for running as a client-go credentials plugin.
+//
+// See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
+package credentialplugin
+
+import (
+	"context"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_credentialplugin/mock_credentialplugin.go github.com/int128/kubelogin/pkg/usecases/credentialplugin Interface
+
+var Set = wire.NewSet(
+	wire.Struct(new(GetToken), "*"),
+	wire.Bind(new(Interface), new(*GetToken)),
+)
+
+type Interface interface {
+	Do(ctx context.Context, in Input) error
+}
+
+// Input represents an input DTO of the GetToken use-case.
+type Input struct {
+	IssuerURL       string
+	ClientID        string
+	ClientSecret    string
+	ExtraScopes     []string // optional
+	SkipOpenBrowser bool
+	ListenPort      []int
+	Username        string // If set, perform the resource owner password credentials grant
+	Password        string // If empty, read a password using Env.ReadPassword()
+	CACertFilename  string // If set, use the CA cert
+	SkipTLSVerify   bool
+	TokenCacheDir   string
+}
+
+type GetToken struct {
+	Authentication       auth.Interface
+	TokenCacheRepository tokencache.Interface
+	Interaction          credentialplugin.Interface
+	Logger               logger.Interface
+}
+
+func (u *GetToken) Do(ctx context.Context, in Input) error {
+	u.Logger.V(1).Infof("WARNING: log may contain your secrets such as token or password")
+	out, err := u.getTokenFromCacheOrProvider(ctx, in)
+	if err != nil {
+		return xerrors.Errorf("could not get a token from the cache or provider: %w", err)
+	}
+	u.Logger.V(1).Infof("writing the token to client-go")
+	if err := u.Interaction.Write(credentialplugin.Output{Token: out.IDToken, Expiry: out.IDTokenExpiry}); err != nil {
+		return xerrors.Errorf("could not write the token to client-go: %w", err)
+	}
+	return nil
+}
+
+func (u *GetToken) getTokenFromCacheOrProvider(ctx context.Context, in Input) (*auth.Output, error) {
+	u.Logger.V(1).Infof("finding a token from cache directory %s", in.TokenCacheDir)
+	cacheKey := tokencache.Key{IssuerURL: in.IssuerURL, ClientID: in.ClientID}
+	cache, err := u.TokenCacheRepository.FindByKey(in.TokenCacheDir, cacheKey)
+	if err != nil {
+		u.Logger.V(1).Infof("could not find a token cache: %s", err)
+		cache = &tokencache.TokenCache{}
+	}
+
+	out, err := u.Authentication.Do(ctx, auth.Input{
+		OIDCConfig: kubeconfig.OIDCConfig{
+			IDPIssuerURL: in.IssuerURL,
+			ClientID:     in.ClientID,
+			ClientSecret: in.ClientSecret,
+			ExtraScopes:  in.ExtraScopes,
+			IDToken:      cache.IDToken,
+			RefreshToken: cache.RefreshToken,
+		},
+		SkipOpenBrowser: in.SkipOpenBrowser,
+		ListenPort:      in.ListenPort,
+		Username:        in.Username,
+		Password:        in.Password,
+		CACertFilename:  in.CACertFilename,
+		SkipTLSVerify:   in.SkipTLSVerify,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("error while authentication: %w", err)
+	}
+	for k, v := range out.IDTokenClaims {
+		u.Logger.V(1).Infof("the ID token has the claim: %s=%v", k, v)
+	}
+	if out.AlreadyHasValidIDToken {
+		u.Logger.V(1).Infof("you already have a valid token until %s", out.IDTokenExpiry)
+		return out, nil
+	}
+
+	u.Logger.V(1).Infof("you got a valid token until %s", out.IDTokenExpiry)
+	newCache := tokencache.TokenCache{
+		IDToken:      out.IDToken,
+		RefreshToken: out.RefreshToken,
+	}
+	if err := u.TokenCacheRepository.Save(in.TokenCacheDir, cacheKey, newCache); err != nil {
+		return nil, xerrors.Errorf("could not write the token cache: %w", err)
+	}
+	return out, nil
+}
--- a/pkg/usecases/credentialplugin/get_token_test.go
+++ b/pkg/usecases/credentialplugin/get_token_test.go
@@ -6,11 +6,14 @@ import (
 	"time"

 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/models/credentialplugin"
-	"github.com/int128/kubelogin/models/kubeconfig"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/mock_usecases"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin/mock_credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache/mock_tokencache"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	"github.com/int128/kubelogin/pkg/usecases/auth/mock_auth"
 	"golang.org/x/xerrors"
 )

@@ -22,21 +25,21 @@ func TestGetToken_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.GetTokenIn{
-			IssuerURL:          "https://accounts.google.com",
-			ClientID:           "YOUR_CLIENT_ID",
-			ClientSecret:       "YOUR_CLIENT_SECRET",
-			TokenCacheFilename: "/path/to/token-cache",
-			ListenPort:         []int{10000},
-			SkipOpenBrowser:    true,
-			Username:           "USER",
-			Password:           "PASS",
-			CACertFilename:     "/path/to/cert",
-			SkipTLSVerify:      true,
+		in := Input{
+			IssuerURL:       "https://accounts.google.com",
+			ClientID:        "YOUR_CLIENT_ID",
+			ClientSecret:    "YOUR_CLIENT_SECRET",
+			TokenCacheDir:   "/path/to/token-cache",
+			ListenPort:      []int{10000},
+			SkipOpenBrowser: true,
+			Username:        "USER",
+			Password:        "PASS",
+			CACertFilename:  "/path/to/cert",
+			SkipTLSVerify:   true,
 		}
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{
+			Do(ctx, auth.Input{
 				OIDCConfig: kubeconfig.OIDCConfig{
 					IDPIssuerURL: "https://accounts.google.com",
 					ClientID:     "YOUR_CLIENT_ID",
@@ -49,22 +52,30 @@ func TestGetToken_Do(t *testing.T) {
 				CACertFilename:  "/path/to/cert",
 				SkipTLSVerify:   true,
 			}).
-			Return(&usecases.AuthenticationOut{
+			Return(&auth.Output{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenExpiry: futureTime,
 				IDTokenClaims: dummyTokenClaims,
 			}, nil)
-		tokenCacheRepository := mock_adaptors.NewMockTokenCacheRepository(ctrl)
+		tokenCacheRepository := mock_tokencache.NewMockInterface(ctrl)
 		tokenCacheRepository.EXPECT().
-			Read("/path/to/token-cache").
+			FindByKey("/path/to/token-cache", tokencache.Key{
+				IssuerURL: "https://accounts.google.com",
+				ClientID:  "YOUR_CLIENT_ID",
+			}).
 			Return(nil, xerrors.New("file not found"))
 		tokenCacheRepository.EXPECT().
-			Write("/path/to/token-cache", credentialplugin.TokenCache{
-				IDToken:      "YOUR_ID_TOKEN",
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
+			Save("/path/to/token-cache",
+				tokencache.Key{
+					IssuerURL: "https://accounts.google.com",
+					ClientID:  "YOUR_CLIENT_ID",
+				},
+				tokencache.TokenCache{
+					IDToken:      "YOUR_ID_TOKEN",
+					RefreshToken: "YOUR_REFRESH_TOKEN",
+				})
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
 		credentialPluginInteraction.EXPECT().
 			Write(credentialplugin.Output{
 				Token:  "YOUR_ID_TOKEN",
@@ -74,7 +85,7 @@ func TestGetToken_Do(t *testing.T) {
 			Authentication:       mockAuthentication,
 			TokenCacheRepository: tokenCacheRepository,
 			Interaction:          credentialPluginInteraction,
-			Logger:               mock_adaptors.NewLogger(t, ctrl),
+			Logger:               mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -85,15 +96,15 @@ func TestGetToken_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.GetTokenIn{
-			IssuerURL:          "https://accounts.google.com",
-			ClientID:           "YOUR_CLIENT_ID",
-			ClientSecret:       "YOUR_CLIENT_SECRET",
-			TokenCacheFilename: "/path/to/token-cache",
+		in := Input{
+			IssuerURL:     "https://accounts.google.com",
+			ClientID:      "YOUR_CLIENT_ID",
+			ClientSecret:  "YOUR_CLIENT_SECRET",
+			TokenCacheDir: "/path/to/token-cache",
 		}
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{
+			Do(ctx, auth.Input{
 				OIDCConfig: kubeconfig.OIDCConfig{
 					IDPIssuerURL: "https://accounts.google.com",
 					ClientID:     "YOUR_CLIENT_ID",
@@ -101,19 +112,22 @@ func TestGetToken_Do(t *testing.T) {
 					IDToken:      "VALID_ID_TOKEN",
 				},
 			}).
-			Return(&usecases.AuthenticationOut{
+			Return(&auth.Output{
 				AlreadyHasValidIDToken: true,
 				IDToken:                "VALID_ID_TOKEN",
 				IDTokenExpiry:          futureTime,
 				IDTokenClaims:          dummyTokenClaims,
 			}, nil)
-		tokenCacheRepository := mock_adaptors.NewMockTokenCacheRepository(ctrl)
+		tokenCacheRepository := mock_tokencache.NewMockInterface(ctrl)
 		tokenCacheRepository.EXPECT().
-			Read("/path/to/token-cache").
-			Return(&credentialplugin.TokenCache{
+			FindByKey("/path/to/token-cache", tokencache.Key{
+				IssuerURL: "https://accounts.google.com",
+				ClientID:  "YOUR_CLIENT_ID",
+			}).
+			Return(&tokencache.TokenCache{
 				IDToken: "VALID_ID_TOKEN",
 			}, nil)
-		credentialPluginInteraction := mock_adaptors.NewMockCredentialPluginInteraction(ctrl)
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
 		credentialPluginInteraction.EXPECT().
 			Write(credentialplugin.Output{
 				Token:  "VALID_ID_TOKEN",
@@ -123,7 +137,7 @@ func TestGetToken_Do(t *testing.T) {
 			Authentication:       mockAuthentication,
 			TokenCacheRepository: tokenCacheRepository,
 			Interaction:          credentialPluginInteraction,
-			Logger:               mock_adaptors.NewLogger(t, ctrl),
+			Logger:               mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -134,15 +148,15 @@ func TestGetToken_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.GetTokenIn{
-			IssuerURL:          "https://accounts.google.com",
-			ClientID:           "YOUR_CLIENT_ID",
-			ClientSecret:       "YOUR_CLIENT_SECRET",
-			TokenCacheFilename: "/path/to/token-cache",
+		in := Input{
+			IssuerURL:     "https://accounts.google.com",
+			ClientID:      "YOUR_CLIENT_ID",
+			ClientSecret:  "YOUR_CLIENT_SECRET",
+			TokenCacheDir: "/path/to/token-cache",
 		}
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{
+			Do(ctx, auth.Input{
 				OIDCConfig: kubeconfig.OIDCConfig{
 					IDPIssuerURL: "https://accounts.google.com",
 					ClientID:     "YOUR_CLIENT_ID",
@@ -150,15 +164,18 @@ func TestGetToken_Do(t *testing.T) {
 				},
 			}).
 			Return(nil, xerrors.New("authentication error"))
-		tokenCacheRepository := mock_adaptors.NewMockTokenCacheRepository(ctrl)
+		tokenCacheRepository := mock_tokencache.NewMockInterface(ctrl)
 		tokenCacheRepository.EXPECT().
-			Read("/path/to/token-cache").
+			FindByKey("/path/to/token-cache", tokencache.Key{
+				IssuerURL: "https://accounts.google.com",
+				ClientID:  "YOUR_CLIENT_ID",
+			}).
 			Return(nil, xerrors.New("file not found"))
 		u := GetToken{
 			Authentication:       mockAuthentication,
 			TokenCacheRepository: tokenCacheRepository,
-			Interaction:          mock_adaptors.NewMockCredentialPluginInteraction(ctrl),
-			Logger:               mock_adaptors.NewLogger(t, ctrl),
+			Interaction:          mock_credentialplugin.NewMockInterface(ctrl),
+			Logger:               mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")
--- a/pkg/usecases/credentialplugin/mock_credentialplugin/mock_credentialplugin.go
+++ b/pkg/usecases/credentialplugin/mock_credentialplugin/mock_credentialplugin.go
@@ -0,0 +1,47 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/usecases/credentialplugin (interfaces: Interface)
+
+// Package mock_credentialplugin is a generated GoMock package.
+package mock_credentialplugin
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	credentialplugin "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Do mocks base method
+func (m *MockInterface) Do(arg0 context.Context, arg1 credentialplugin.Input) error {
+	ret := m.ctrl.Call(m, "Do", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Do indicates an expected call of Do
+func (mr *MockInterfaceMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockInterface)(nil).Do), arg0, arg1)
+}
--- a/pkg/usecases/setup/setup.go
+++ b/pkg/usecases/setup/setup.go
@@ -0,0 +1,25 @@
+// Package setup provides the use case of setting up environment.
+package setup
+
+import (
+	"context"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Setup), "*"),
+	wire.Bind(new(Interface), new(*Setup)),
+)
+
+type Interface interface {
+	DoStage1()
+	DoStage2(ctx context.Context, in Stage2Input) error
+}
+
+type Setup struct {
+	Authentication auth.Interface
+	Logger         logger.Interface
+}
--- a/pkg/usecases/setup/stage1.go
+++ b/pkg/usecases/setup/stage1.go
@@ -0,0 +1,28 @@
+package setup
+
+const stage1 = `This setup shows the instruction of Kubernetes OpenID Connect authentication.
+See also https://github.com/int128/kubelogin.
+
+## 1. Set up the OpenID Connect Provider
+
+Open the OpenID Connect Provider and create a client.
+
+For example, Google Identity Platform:
+Open https://console.developers.google.com/apis/credentials and create an OAuth client of "Other" type.
+ISSUER is https://accounts.google.com
+
+## 2. Verify authentication
+
+Run the following command to proceed.
+
+	kubectl oidc-login setup \
+	  --oidc-issuer-url=ISSUER \
+	  --oidc-client-id=YOUR_CLIENT_ID \
+	  --oidc-client-secret=YOUR_CLIENT_SECRET
+
+You can set your CA certificate. See also the options by --help.
+`
+
+func (u *Setup) DoStage1() {
+	u.Logger.Printf(stage1)
+}
--- a/pkg/usecases/setup/stage2.go
+++ b/pkg/usecases/setup/stage2.go
@@ -0,0 +1,141 @@
+package setup
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"text/template"
+
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	"golang.org/x/xerrors"
+)
+
+var stage2Tpl = template.Must(template.New("").Parse(`
+## 3. Bind a role
+
+Run the following command:
+
+	kubectl apply -f - <<-EOF
+	kind: ClusterRoleBinding
+	apiVersion: rbac.authorization.k8s.io/v1
+	metadata:
+	  name: oidc-cluster-admin
+	roleRef:
+	  apiGroup: rbac.authorization.k8s.io
+	  kind: ClusterRole
+	  name: cluster-admin
+	subjects:
+	- kind: User
+	  name: {{ .IssuerURL }}#{{ .Subject }}
+	EOF
+
+## 4. Set up the Kubernetes API server
+
+Add the following options to the kube-apiserver:
+
+	--oidc-issuer-url={{ .IssuerURL }}
+	--oidc-client-id={{ .ClientID }}
+
+## 5. Set up the kubeconfig
+
+Add the following user to the kubeconfig:
+
+	users:
+	- name: google
+	  user:
+	    exec:
+	      apiVersion: client.authentication.k8s.io/v1beta1
+	      command: kubectl
+	      args:
+	      - oidc-login
+	      - get-token
+{{- range .Args }}
+	      - {{ . }}
+{{- end }}
+
+Run kubectl and verify cluster access.
+`))
+
+type stage2Vars struct {
+	IssuerURL string
+	ClientID  string
+	Args      []string
+	Subject   string
+}
+
+// Stage2Input represents an input DTO of the stage2.
+type Stage2Input struct {
+	IssuerURL       string
+	ClientID        string
+	ClientSecret    string
+	ExtraScopes     []string // optional
+	SkipOpenBrowser bool
+	ListenPort      []int
+	ListenPortIsSet bool   // true if it is set by the command arg
+	CACertFilename  string // If set, use the CA cert
+	SkipTLSVerify   bool
+}
+
+func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
+	u.Logger.Printf(`## 2. Verify authentication`)
+	out, err := u.Authentication.Do(ctx, auth.Input{
+		OIDCConfig: kubeconfig.OIDCConfig{
+			IDPIssuerURL: in.IssuerURL,
+			ClientID:     in.ClientID,
+			ClientSecret: in.ClientSecret,
+			ExtraScopes:  in.ExtraScopes,
+		},
+		SkipOpenBrowser: in.SkipOpenBrowser,
+		ListenPort:      in.ListenPort,
+		CACertFilename:  in.CACertFilename,
+		SkipTLSVerify:   in.SkipTLSVerify,
+	})
+	if err != nil {
+		return xerrors.Errorf("error while authentication: %w", err)
+	}
+	u.Logger.Printf("You got the following claims in the token:")
+	for k, v := range out.IDTokenClaims {
+		u.Logger.Printf("\t%s=%s", k, v)
+	}
+
+	v := stage2Vars{
+		IssuerURL: in.IssuerURL,
+		ClientID:  in.ClientID,
+		Args:      makeCredentialPluginArgs(in),
+		Subject:   out.IDTokenSubject,
+	}
+	var b strings.Builder
+	if err := stage2Tpl.Execute(&b, &v); err != nil {
+		return xerrors.Errorf("could not render the template: %w", err)
+	}
+	u.Logger.Printf(b.String())
+	return nil
+}
+
+func makeCredentialPluginArgs(in Stage2Input) []string {
+	var args []string
+	args = append(args, "--oidc-issuer-url="+in.IssuerURL)
+	args = append(args, "--oidc-client-id="+in.ClientID)
+	if in.ClientSecret != "" {
+		args = append(args, "--oidc-client-secret="+in.ClientSecret)
+	}
+	for _, extraScope := range in.ExtraScopes {
+		args = append(args, "--oidc-extra-scope="+extraScope)
+	}
+	if in.SkipOpenBrowser {
+		args = append(args, "--skip-open-browser")
+	}
+	if in.ListenPortIsSet {
+		for _, port := range in.ListenPort {
+			args = append(args, fmt.Sprintf("--listen-port=%d", port))
+		}
+	}
+	if in.CACertFilename != "" {
+		args = append(args, "--certificate-authority="+in.CACertFilename)
+	}
+	if in.SkipTLSVerify {
+		args = append(args, "--insecure-skip-tls-verify")
+	}
+	return args
+}
--- a/pkg/usecases/setup/stage2_test.go
+++ b/pkg/usecases/setup/stage2_test.go
@@ -0,0 +1,59 @@
+package setup
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	"github.com/int128/kubelogin/pkg/usecases/auth/mock_auth"
+)
+
+func TestSetup_DoStage2(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	ctx := context.Background()
+
+	in := Stage2Input{
+		IssuerURL:       "https://accounts.google.com",
+		ClientID:        "YOUR_CLIENT_ID",
+		ClientSecret:    "YOUR_CLIENT_SECRET",
+		ExtraScopes:     []string{"email"},
+		SkipOpenBrowser: true,
+		ListenPort:      []int{8000},
+		CACertFilename:  "/path/to/cert",
+		SkipTLSVerify:   true,
+	}
+
+	mockAuthentication := mock_auth.NewMockInterface(ctrl)
+	mockAuthentication.EXPECT().
+		Do(ctx, auth.Input{
+			OIDCConfig: kubeconfig.OIDCConfig{
+				IDPIssuerURL: "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"email"},
+			},
+			SkipOpenBrowser: true,
+			ListenPort:      []int{8000},
+			CACertFilename:  "/path/to/cert",
+			SkipTLSVerify:   true,
+		}).
+		Return(&auth.Output{
+			IDToken:        "YOUR_ID_TOKEN",
+			RefreshToken:   "YOUR_REFRESH_TOKEN",
+			IDTokenSubject: "YOUR_SUBJECT",
+			IDTokenExpiry:  time.Now().Add(time.Hour),
+			IDTokenClaims:  map[string]string{"iss": "https://accounts.google.com"},
+		}, nil)
+	u := Setup{
+		Authentication: mockAuthentication,
+		Logger:         mock_logger.New(t),
+	}
+	if err := u.DoStage2(ctx, in); err != nil {
+		t.Errorf("DoStage2 returned error: %+v", err)
+	}
+}
--- a/pkg/usecases/standalone/mock_standalone/mock_standalone.go
+++ b/pkg/usecases/standalone/mock_standalone/mock_standalone.go
@@ -0,0 +1,47 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/usecases/standalone (interfaces: Interface)
+
+// Package mock_standalone is a generated GoMock package.
+package mock_standalone
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	standalone "github.com/int128/kubelogin/pkg/usecases/standalone"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Do mocks base method
+func (m *MockInterface) Do(arg0 context.Context, arg1 standalone.Input) error {
+	ret := m.ctrl.Call(m, "Do", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Do indicates an expected call of Do
+func (mr *MockInterfaceMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockInterface)(nil).Do), arg0, arg1)
+}
--- a/pkg/usecases/standalone/standalone.go
+++ b/pkg/usecases/standalone/standalone.go
@@ -0,0 +1,160 @@
+package standalone
+
+import (
+	"context"
+	"strings"
+	"text/template"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_standalone/mock_standalone.go github.com/int128/kubelogin/pkg/usecases/standalone Interface
+
+// Set provides the use-case.
+var Set = wire.NewSet(
+	wire.Struct(new(Standalone), "*"),
+	wire.Bind(new(Interface), new(*Standalone)),
+)
+
+type Interface interface {
+	Do(ctx context.Context, in Input) error
+}
+
+// Input represents an input DTO of the use-case.
+type Input struct {
+	KubeconfigFilename string                 // Default to the environment variable or global config as kubectl
+	KubeconfigContext  kubeconfig.ContextName // Default to the current context but ignored if KubeconfigUser is set
+	KubeconfigUser     kubeconfig.UserName    // Default to the user of the context
+	SkipOpenBrowser    bool
+	ListenPort         []int
+	Username           string // If set, perform the resource owner password credentials grant
+	Password           string // If empty, read a password using Env.ReadPassword()
+	CACertFilename     string // If set, use the CA cert
+	SkipTLSVerify      bool
+}
+
+const oidcConfigErrorMessage = `You need to set up the kubeconfig for OpenID Connect authentication.
+See https://github.com/int128/kubelogin for more.
+`
+
+// Standalone provides the use case of explicit login.
+//
+// If the current auth provider is not oidc, show the error.
+// If the kubeconfig has a valid token, do nothing.
+// Otherwise, update the kubeconfig.
+//
+type Standalone struct {
+	Authentication auth.Interface
+	Kubeconfig     kubeconfig.Interface
+	Logger         logger.Interface
+}
+
+func (u *Standalone) Do(ctx context.Context, in Input) error {
+	u.Logger.V(1).Infof("WARNING: log may contain your secrets such as token or password")
+
+	authProvider, err := u.Kubeconfig.GetCurrentAuthProvider(in.KubeconfigFilename, in.KubeconfigContext, in.KubeconfigUser)
+	if err != nil {
+		u.Logger.Printf(oidcConfigErrorMessage)
+		return xerrors.Errorf("could not find the current authentication provider: %w", err)
+	}
+	if err := u.showDeprecation(in, authProvider); err != nil {
+		return xerrors.Errorf("could not show deprecation message: %w", err)
+	}
+	u.Logger.V(1).Infof("using the authentication provider of the user %s", authProvider.UserName)
+	u.Logger.V(1).Infof("a token will be written to %s", authProvider.LocationOfOrigin)
+
+	out, err := u.Authentication.Do(ctx, auth.Input{
+		OIDCConfig:      authProvider.OIDCConfig,
+		SkipOpenBrowser: in.SkipOpenBrowser,
+		ListenPort:      in.ListenPort,
+		Username:        in.Username,
+		Password:        in.Password,
+		CACertFilename:  in.CACertFilename,
+		SkipTLSVerify:   in.SkipTLSVerify,
+	})
+	if err != nil {
+		return xerrors.Errorf("error while authentication: %w", err)
+	}
+	for k, v := range out.IDTokenClaims {
+		u.Logger.V(1).Infof("the ID token has the claim: %s=%v", k, v)
+	}
+	if out.AlreadyHasValidIDToken {
+		u.Logger.Printf("You already have a valid token until %s", out.IDTokenExpiry)
+		return nil
+	}
+
+	u.Logger.Printf("You got a valid token until %s", out.IDTokenExpiry)
+	authProvider.OIDCConfig.IDToken = out.IDToken
+	authProvider.OIDCConfig.RefreshToken = out.RefreshToken
+	u.Logger.V(1).Infof("writing the ID token and refresh token to %s", authProvider.LocationOfOrigin)
+	if err := u.Kubeconfig.UpdateAuthProvider(authProvider); err != nil {
+		return xerrors.Errorf("could not write the token to the kubeconfig: %w", err)
+	}
+	return nil
+}
+
+var deprecationTpl = template.Must(template.New("").Parse(
+	`IMPORTANT NOTICE:
+The credential plugin mode is available since v1.14.0.
+Kubectl will automatically run kubelogin and you do not need to run kubelogin explicitly.
+
+You can switch to the credential plugin mode by setting the following user to
+{{ .Kubeconfig }}.
+---
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+      - oidc-login
+      - get-token
+{{- range .Args }}
+      - {{ . }}
+{{- end }}
+---
+See https://github.com/int128/kubelogin for more.
+
+`))
+
+type deprecationVars struct {
+	Kubeconfig string
+	Args       []string
+}
+
+func (u *Standalone) showDeprecation(in Input, p *kubeconfig.AuthProvider) error {
+	var args []string
+	args = append(args, "--oidc-issuer-url="+p.OIDCConfig.IDPIssuerURL)
+	args = append(args, "--oidc-client-id="+p.OIDCConfig.ClientID)
+	if p.OIDCConfig.ClientSecret != "" {
+		args = append(args, "--oidc-client-secret="+p.OIDCConfig.ClientSecret)
+	}
+	for _, extraScope := range p.OIDCConfig.ExtraScopes {
+		args = append(args, "--oidc-extra-scope="+extraScope)
+	}
+	if p.OIDCConfig.IDPCertificateAuthority != "" {
+		args = append(args, "--certificate-authority="+p.OIDCConfig.IDPCertificateAuthority)
+	}
+	if in.CACertFilename != "" {
+		args = append(args, "--certificate-authority="+in.CACertFilename)
+	}
+	if in.Username != "" {
+		args = append(args, "--username="+in.Username)
+	}
+
+	v := deprecationVars{
+		Kubeconfig: p.LocationOfOrigin,
+		Args:       args,
+	}
+	var b strings.Builder
+	if err := deprecationTpl.Execute(&b, &v); err != nil {
+		return xerrors.Errorf("could not render the template: %w", err)
+	}
+	u.Logger.Printf("%s", b.String())
+	return nil
+}
--- a/pkg/usecases/standalone/standalone_test.go
+++ b/pkg/usecases/standalone/standalone_test.go
@@ -1,4 +1,4 @@
-package login
+package standalone

 import (
 	"context"
@@ -6,14 +6,15 @@ import (
 	"time"

 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/models/kubeconfig"
-	"github.com/int128/kubelogin/usecases"
-	"github.com/int128/kubelogin/usecases/mock_usecases"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig/mock_kubeconfig"
+	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/usecases/auth"
+	"github.com/int128/kubelogin/pkg/usecases/auth/mock_auth"
 	"golang.org/x/xerrors"
 )

-func TestLogin_Do(t *testing.T) {
+func TestStandalone_Do(t *testing.T) {
 	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
 	futureTime := time.Now().Add(time.Hour) //TODO: inject time service

@@ -21,7 +22,7 @@ func TestLogin_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.LoginIn{
+		in := Input{
 			KubeconfigFilename: "/path/to/kubeconfig",
 			KubeconfigContext:  "theContext",
 			KubeconfigUser:     "theUser",
@@ -41,7 +42,7 @@ func TestLogin_Do(t *testing.T) {
 				ClientSecret: "YOUR_CLIENT_SECRET",
 			},
 		}
-		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig := mock_kubeconfig.NewMockInterface(ctrl)
 		mockKubeconfig.EXPECT().
 			GetCurrentAuthProvider("/path/to/kubeconfig", kubeconfig.ContextName("theContext"), kubeconfig.UserName("theUser")).
 			Return(currentAuthProvider, nil)
@@ -57,9 +58,9 @@ func TestLogin_Do(t *testing.T) {
 					RefreshToken: "YOUR_REFRESH_TOKEN",
 				},
 			})
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{
+			Do(ctx, auth.Input{
 				OIDCConfig:      currentAuthProvider.OIDCConfig,
 				ListenPort:      []int{10000},
 				SkipOpenBrowser: true,
@@ -68,16 +69,16 @@ func TestLogin_Do(t *testing.T) {
 				CACertFilename:  "/path/to/cert",
 				SkipTLSVerify:   true,
 			}).
-			Return(&usecases.AuthenticationOut{
+			Return(&auth.Output{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenExpiry: futureTime,
 				IDTokenClaims: dummyTokenClaims,
 			}, nil)
-		u := Login{
+		u := Standalone{
 			Authentication: mockAuthentication,
 			Kubeconfig:     mockKubeconfig,
-			Logger:         mock_adaptors.NewLogger(t, ctrl),
+			Logger:         mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -88,7 +89,7 @@ func TestLogin_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.LoginIn{}
+		in := Input{}
 		currentAuthProvider := &kubeconfig.AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
@@ -98,23 +99,23 @@ func TestLogin_Do(t *testing.T) {
 				IDToken:      "VALID_ID_TOKEN",
 			},
 		}
-		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig := mock_kubeconfig.NewMockInterface(ctrl)
 		mockKubeconfig.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(currentAuthProvider, nil)
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{OIDCConfig: currentAuthProvider.OIDCConfig}).
-			Return(&usecases.AuthenticationOut{
+			Do(ctx, auth.Input{OIDCConfig: currentAuthProvider.OIDCConfig}).
+			Return(&auth.Output{
 				AlreadyHasValidIDToken: true,
 				IDToken:                "VALID_ID_TOKEN",
 				IDTokenExpiry:          futureTime,
 				IDTokenClaims:          dummyTokenClaims,
 			}, nil)
-		u := Login{
+		u := Standalone{
 			Authentication: mockAuthentication,
 			Kubeconfig:     mockKubeconfig,
-			Logger:         mock_adaptors.NewLogger(t, ctrl),
+			Logger:         mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -125,16 +126,16 @@ func TestLogin_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.LoginIn{}
-		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		in := Input{}
+		mockKubeconfig := mock_kubeconfig.NewMockInterface(ctrl)
 		mockKubeconfig.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(nil, xerrors.New("no oidc config"))
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
-		u := Login{
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
+		u := Standalone{
 			Authentication: mockAuthentication,
 			Kubeconfig:     mockKubeconfig,
-			Logger:         mock_adaptors.NewLogger(t, ctrl),
+			Logger:         mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")
@@ -145,7 +146,7 @@ func TestLogin_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.LoginIn{}
+		in := Input{}
 		currentAuthProvider := &kubeconfig.AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "google",
@@ -155,18 +156,18 @@ func TestLogin_Do(t *testing.T) {
 				ClientSecret: "YOUR_CLIENT_SECRET",
 			},
 		}
-		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig := mock_kubeconfig.NewMockInterface(ctrl)
 		mockKubeconfig.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(currentAuthProvider, nil)
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{OIDCConfig: currentAuthProvider.OIDCConfig}).
+			Do(ctx, auth.Input{OIDCConfig: currentAuthProvider.OIDCConfig}).
 			Return(nil, xerrors.New("authentication error"))
-		u := Login{
+		u := Standalone{
 			Authentication: mockAuthentication,
 			Kubeconfig:     mockKubeconfig,
-			Logger:         mock_adaptors.NewLogger(t, ctrl),
+			Logger:         mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")
@@ -177,7 +178,7 @@ func TestLogin_Do(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx := context.TODO()
-		in := usecases.LoginIn{}
+		in := Input{}
 		currentAuthProvider := &kubeconfig.AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "google",
@@ -187,7 +188,7 @@ func TestLogin_Do(t *testing.T) {
 				ClientSecret: "YOUR_CLIENT_SECRET",
 			},
 		}
-		mockKubeconfig := mock_adaptors.NewMockKubeconfig(ctrl)
+		mockKubeconfig := mock_kubeconfig.NewMockInterface(ctrl)
 		mockKubeconfig.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(currentAuthProvider, nil)
@@ -204,19 +205,19 @@ func TestLogin_Do(t *testing.T) {
 				},
 			}).
 			Return(xerrors.New("I/O error"))
-		mockAuthentication := mock_usecases.NewMockAuthentication(ctrl)
+		mockAuthentication := mock_auth.NewMockInterface(ctrl)
 		mockAuthentication.EXPECT().
-			Do(ctx, usecases.AuthenticationIn{OIDCConfig: currentAuthProvider.OIDCConfig}).
-			Return(&usecases.AuthenticationOut{
+			Do(ctx, auth.Input{OIDCConfig: currentAuthProvider.OIDCConfig}).
+			Return(&auth.Output{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenExpiry: futureTime,
 				IDTokenClaims: dummyTokenClaims,
 			}, nil)
-		u := Login{
+		u := Standalone{
 			Authentication: mockAuthentication,
 			Kubeconfig:     mockKubeconfig,
-			Logger:         mock_adaptors.NewLogger(t, ctrl),
+			Logger:         mock_logger.New(t),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -0,0 +1,19 @@
+name: kubelogin
+version: git
+summary: Log in to the OpenID Connect provider
+description: |
+  This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+confinement: strict
+base: core18
+parts:
+  kubelogin:
+    plugin: nil
+    source: .
+    source-type: git
+    build-snaps: [go]
+    override-build: |
+      make CIRCLE_TAG=$SNAPCRAFT_PROJECT_VERSION
+      cp -av kubelogin $SNAPCRAFT_PART_INSTALL/bin
+apps:
+  kubelogin:
+    command: bin/kubelogin
--- a/usecases/auth/auth.go
+++ b/usecases/auth/auth.go
@@ -1,139 +0,0 @@
-package auth
-
-import (
-	"context"
-	"time"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/usecases"
-	"golang.org/x/xerrors"
-)
-
-// Set provides the use-case of Authentication.
-var Set = wire.NewSet(
-	wire.Struct(new(Authentication), "*"),
-	wire.Bind(new(usecases.Authentication), new(*Authentication)),
-)
-
-// ExtraSet is a set of interaction components for e2e testing.
-var ExtraSet = wire.NewSet(
-	wire.Struct(new(ShowLocalServerURL), "*"),
-	wire.Bind(new(usecases.LoginShowLocalServerURL), new(*ShowLocalServerURL)),
-)
-
-const passwordPrompt = "Password: "
-
-// Authentication provides the internal use-case of authentication.
-//
-// If the IDToken is not set, it performs the authentication flow.
-// If the IDToken is valid, it does nothing.
-// If the IDtoken has expired and the RefreshToken is set, it refreshes the token.
-// If the RefreshToken has expired, it performs the authentication flow.
-//
-// The authentication flow is determined as:
-//
-// If the Username is not set, it performs the authorization code flow.
-// Otherwise, it performs the resource owner password credentials flow.
-// If the Password is not set, it asks a password by the prompt.
-//
-type Authentication struct {
-	OIDC               adaptors.OIDC
-	Env                adaptors.Env
-	Logger             adaptors.Logger
-	ShowLocalServerURL usecases.LoginShowLocalServerURL
-}
-
-func (u *Authentication) Do(ctx context.Context, in usecases.AuthenticationIn) (*usecases.AuthenticationOut, error) {
-	client, err := u.OIDC.New(ctx, adaptors.OIDCClientConfig{
-		Config:         in.OIDCConfig,
-		CACertFilename: in.CACertFilename,
-		SkipTLSVerify:  in.SkipTLSVerify,
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("could not create an OIDC client: %w", err)
-	}
-
-	if in.OIDCConfig.IDToken != "" {
-		u.Logger.Debugf(1, "Verifying the existing token")
-		out, err := client.Verify(ctx, adaptors.OIDCVerifyIn{IDToken: in.OIDCConfig.IDToken})
-		if err != nil {
-			return nil, xerrors.Errorf("you need to remove the existing token manually: %w", err)
-		}
-		if out.IDTokenExpiry.After(time.Now()) { //TODO: inject time service
-			u.Logger.Debugf(1, "You already have a valid token")
-			return &usecases.AuthenticationOut{
-				AlreadyHasValidIDToken: true,
-				IDToken:                in.OIDCConfig.IDToken,
-				RefreshToken:           in.OIDCConfig.RefreshToken,
-				IDTokenExpiry:          out.IDTokenExpiry,
-				IDTokenClaims:          out.IDTokenClaims,
-			}, nil
-		}
-		u.Logger.Debugf(1, "You have an expired token at %s", out.IDTokenExpiry)
-	}
-
-	if in.OIDCConfig.RefreshToken != "" {
-		u.Logger.Debugf(1, "Refreshing the token")
-		out, err := client.Refresh(ctx, adaptors.OIDCRefreshIn{
-			RefreshToken: in.OIDCConfig.RefreshToken,
-		})
-		if err == nil {
-			return &usecases.AuthenticationOut{
-				IDToken:       out.IDToken,
-				RefreshToken:  out.RefreshToken,
-				IDTokenExpiry: out.IDTokenExpiry,
-				IDTokenClaims: out.IDTokenClaims,
-			}, nil
-		}
-		u.Logger.Debugf(1, "Could not refresh the token: %s", err)
-	}
-
-	if in.Username == "" {
-		u.Logger.Debugf(1, "Performing the authentication code flow")
-		out, err := client.AuthenticateByCode(ctx, adaptors.OIDCAuthenticateByCodeIn{
-			LocalServerPort:    in.ListenPort,
-			SkipOpenBrowser:    in.SkipOpenBrowser,
-			ShowLocalServerURL: u.ShowLocalServerURL,
-		})
-		if err != nil {
-			return nil, xerrors.Errorf("error while the authorization code flow: %w", err)
-		}
-		return &usecases.AuthenticationOut{
-			IDToken:       out.IDToken,
-			RefreshToken:  out.RefreshToken,
-			IDTokenExpiry: out.IDTokenExpiry,
-			IDTokenClaims: out.IDTokenClaims,
-		}, nil
-	}
-
-	u.Logger.Debugf(1, "Performing the resource owner password credentials flow")
-	if in.Password == "" {
-		in.Password, err = u.Env.ReadPassword(passwordPrompt)
-		if err != nil {
-			return nil, xerrors.Errorf("could not read a password: %w", err)
-		}
-	}
-	out, err := client.AuthenticateByPassword(ctx, adaptors.OIDCAuthenticateByPasswordIn{
-		Username: in.Username,
-		Password: in.Password,
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("error while the resource owner password credentials flow: %w", err)
-	}
-	return &usecases.AuthenticationOut{
-		IDToken:       out.IDToken,
-		RefreshToken:  out.RefreshToken,
-		IDTokenExpiry: out.IDTokenExpiry,
-		IDTokenClaims: out.IDTokenClaims,
-	}, nil
-}
-
-// ShowLocalServerURL just shows the URL of local server to console.
-type ShowLocalServerURL struct {
-	Logger adaptors.Logger
-}
-
-func (s *ShowLocalServerURL) ShowLocalServerURL(url string) {
-	s.Logger.Printf("Open %s for authentication", url)
-}
--- a/usecases/auth/auth_test.go
+++ b/usecases/auth/auth_test.go
@@ -1,368 +0,0 @@
-package auth
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/go-test/deep"
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/adaptors"
-	"github.com/int128/kubelogin/adaptors/mock_adaptors"
-	"github.com/int128/kubelogin/models/kubeconfig"
-	"github.com/int128/kubelogin/usecases"
-	"golang.org/x/xerrors"
-)
-
-func TestAuthentication_Do(t *testing.T) {
-	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
-	pastTime := time.Now().Add(-time.Hour)  //TODO: inject time service
-	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
-
-	t.Run("AuthorizationCodeFlow", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			ListenPort:      []int{10000},
-			SkipOpenBrowser: true,
-			CACertFilename:  "/path/to/cert",
-			SkipTLSVerify:   true,
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			},
-		}
-		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
-		mockOIDCClient.EXPECT().
-			AuthenticateByCode(ctx, adaptors.OIDCAuthenticateByCodeIn{
-				LocalServerPort: []int{10000},
-				SkipOpenBrowser: true,
-			}).
-			Return(&adaptors.OIDCAuthenticateOut{
-				IDToken:       "YOUR_ID_TOKEN",
-				RefreshToken:  "YOUR_REFRESH_TOKEN",
-				IDTokenExpiry: futureTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config:         in.OIDCConfig,
-				CACertFilename: "/path/to/cert",
-				SkipTLSVerify:  true,
-			}).
-			Return(mockOIDCClient, nil)
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &usecases.AuthenticationOut{
-			IDToken:       "YOUR_ID_TOKEN",
-			RefreshToken:  "YOUR_REFRESH_TOKEN",
-			IDTokenExpiry: futureTime,
-			IDTokenClaims: dummyTokenClaims,
-		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
-		}
-	})
-
-	t.Run("ResourceOwnerPasswordCredentialsFlow/UsePassword", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			Username:       "USER",
-			Password:       "PASS",
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  true,
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			},
-		}
-		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
-		mockOIDCClient.EXPECT().
-			AuthenticateByPassword(ctx, adaptors.OIDCAuthenticateByPasswordIn{
-				Username: "USER",
-				Password: "PASS",
-			}).
-			Return(&adaptors.OIDCAuthenticateOut{
-				IDToken:       "YOUR_ID_TOKEN",
-				RefreshToken:  "YOUR_REFRESH_TOKEN",
-				IDTokenExpiry: futureTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config:         in.OIDCConfig,
-				CACertFilename: "/path/to/cert",
-				SkipTLSVerify:  true,
-			}).
-			Return(mockOIDCClient, nil)
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &usecases.AuthenticationOut{
-			IDToken:       "YOUR_ID_TOKEN",
-			RefreshToken:  "YOUR_REFRESH_TOKEN",
-			IDTokenExpiry: futureTime,
-			IDTokenClaims: dummyTokenClaims,
-		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
-		}
-	})
-
-	t.Run("ResourceOwnerPasswordCredentialsFlow/AskPassword", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			Username: "USER",
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			},
-		}
-		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
-		mockOIDCClient.EXPECT().
-			AuthenticateByPassword(ctx, adaptors.OIDCAuthenticateByPasswordIn{
-				Username: "USER",
-				Password: "PASS",
-			}).
-			Return(&adaptors.OIDCAuthenticateOut{
-				IDToken:       "YOUR_ID_TOKEN",
-				RefreshToken:  "YOUR_REFRESH_TOKEN",
-				IDTokenExpiry: futureTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config: in.OIDCConfig,
-			}).
-			Return(mockOIDCClient, nil)
-		mockEnv := mock_adaptors.NewMockEnv(ctrl)
-		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Env:    mockEnv,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &usecases.AuthenticationOut{
-			IDToken:       "YOUR_ID_TOKEN",
-			RefreshToken:  "YOUR_REFRESH_TOKEN",
-			IDTokenExpiry: futureTime,
-			IDTokenClaims: dummyTokenClaims,
-		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
-		}
-	})
-
-	t.Run("ResourceOwnerPasswordCredentialsFlow/AskPasswordError", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			Username: "USER",
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			},
-		}
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config: in.OIDCConfig,
-			}).
-			Return(mock_adaptors.NewMockOIDCClient(ctrl), nil)
-		mockEnv := mock_adaptors.NewMockEnv(ctrl)
-		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("", xerrors.New("error"))
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Env:    mockEnv,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err == nil {
-			t.Errorf("err wants non-nil but nil")
-		}
-		if out != nil {
-			t.Errorf("out wants nil but %+v", out)
-		}
-	})
-
-	t.Run("HasValidIDToken", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-				IDToken:      "VALID_ID_TOKEN",
-			},
-		}
-		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
-		mockOIDCClient.EXPECT().
-			Verify(ctx, adaptors.OIDCVerifyIn{IDToken: "VALID_ID_TOKEN"}).
-			Return(&adaptors.OIDCVerifyOut{
-				IDTokenExpiry: futureTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config: in.OIDCConfig,
-			}).
-			Return(mockOIDCClient, nil)
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &usecases.AuthenticationOut{
-			AlreadyHasValidIDToken: true,
-			IDToken:                "VALID_ID_TOKEN",
-			IDTokenExpiry:          futureTime,
-			IDTokenClaims:          dummyTokenClaims,
-		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
-		}
-	})
-
-	t.Run("HasValidRefreshToken", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-				IDToken:      "EXPIRED_ID_TOKEN",
-				RefreshToken: "VALID_REFRESH_TOKEN",
-			},
-		}
-		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
-		mockOIDCClient.EXPECT().
-			Verify(ctx, adaptors.OIDCVerifyIn{IDToken: "EXPIRED_ID_TOKEN"}).
-			Return(&adaptors.OIDCVerifyOut{
-				IDTokenExpiry: pastTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDCClient.EXPECT().
-			Refresh(ctx, adaptors.OIDCRefreshIn{
-				RefreshToken: "VALID_REFRESH_TOKEN",
-			}).
-			Return(&adaptors.OIDCAuthenticateOut{
-				IDToken:       "NEW_ID_TOKEN",
-				RefreshToken:  "NEW_REFRESH_TOKEN",
-				IDTokenExpiry: futureTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config: in.OIDCConfig,
-			}).
-			Return(mockOIDCClient, nil)
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &usecases.AuthenticationOut{
-			IDToken:       "NEW_ID_TOKEN",
-			RefreshToken:  "NEW_REFRESH_TOKEN",
-			IDTokenExpiry: futureTime,
-			IDTokenClaims: dummyTokenClaims,
-		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
-		}
-	})
-
-	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		in := usecases.AuthenticationIn{
-			ListenPort: []int{10000},
-			OIDCConfig: kubeconfig.OIDCConfig{
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-				IDToken:      "EXPIRED_ID_TOKEN",
-				RefreshToken: "EXPIRED_REFRESH_TOKEN",
-			},
-		}
-		mockOIDCClient := mock_adaptors.NewMockOIDCClient(ctrl)
-		mockOIDCClient.EXPECT().
-			Verify(ctx, adaptors.OIDCVerifyIn{IDToken: "EXPIRED_ID_TOKEN"}).
-			Return(&adaptors.OIDCVerifyOut{
-				IDTokenExpiry: pastTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDCClient.EXPECT().
-			Refresh(ctx, adaptors.OIDCRefreshIn{
-				RefreshToken: "EXPIRED_REFRESH_TOKEN",
-			}).
-			Return(nil, xerrors.New("token has expired"))
-		mockOIDCClient.EXPECT().
-			AuthenticateByCode(ctx, adaptors.OIDCAuthenticateByCodeIn{
-				LocalServerPort: []int{10000},
-			}).
-			Return(&adaptors.OIDCAuthenticateOut{
-				IDToken:       "NEW_ID_TOKEN",
-				RefreshToken:  "NEW_REFRESH_TOKEN",
-				IDTokenExpiry: futureTime,
-				IDTokenClaims: dummyTokenClaims,
-			}, nil)
-		mockOIDC := mock_adaptors.NewMockOIDC(ctrl)
-		mockOIDC.EXPECT().
-			New(ctx, adaptors.OIDCClientConfig{
-				Config: in.OIDCConfig,
-			}).
-			Return(mockOIDCClient, nil)
-		u := Authentication{
-			OIDC:   mockOIDC,
-			Logger: mock_adaptors.NewLogger(t, ctrl),
-		}
-		out, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &usecases.AuthenticationOut{
-			IDToken:       "NEW_ID_TOKEN",
-			RefreshToken:  "NEW_REFRESH_TOKEN",
-			IDTokenExpiry: futureTime,
-			IDTokenClaims: dummyTokenClaims,
-		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
-		}
-	})
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Hidetake Iwata	fccef52a73	Bump to Go 1.13.3 (#166 ) * Bump to Go 1.13.3 and golangci-lint 1.21.0 * go mod tidy	2019-10-22 11:24:46 +09:00
Hidetake Iwata	581284c626	Suppress success log to prevent screen disturbance (#165 )	2019-10-19 15:36:47 +09:00
Hidetake Iwata	b5922f9419	Refactor: fix error handling and improve stability (#163 ) * Fix ReadPassword() does not respect argument * Do not ignore error when context has been cancelled * Use longer timeout to reveal concurrency design failure * Refactor: use context.TODO in test	2019-10-04 22:28:09 +09:00
Hidetake Iwata	7a0ca206d1	Bump Go 1.13 and dependencies (#162 ) * Bump Go 1.13 and dependencies * Fix lint error	2019-10-04 21:26:26 +09:00
dependabot-preview[bot]	0bca9ef54b	Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.4 (#161 ) Bumps [gopkg.in/yaml.v2](https://github.com/go-yaml/yaml) from 2.2.2 to 2.2.4. - [Release notes](https://github.com/go-yaml/yaml/releases) - [Commits](https://github.com/go-yaml/yaml/compare/v2.2.2...v2.2.4) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-10-04 21:08:52 +09:00
dependabot-preview[bot]	2fb551bf1b	Bump github.com/int128/oauth2cli from 1.6.0 to 1.7.0 (#160 ) Bumps [github.com/int128/oauth2cli](https://github.com/int128/oauth2cli) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/int128/oauth2cli/releases) - [Commits](https://github.com/int128/oauth2cli/compare/v1.6.0...v1.7.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-10-04 10:50:08 +09:00
Hidetake Iwata	0bc117ddc7	Refactor (#158 ) * Refactor: template rendering * Refactor: rename DecodedIDToken fields * Refactor: expand command options * Refactor: improve help messages	2019-09-30 18:27:23 +09:00
Hidetake Iwata	8c640f6c73	Add setup command (#157 ) * Add setup command * Refactor: extract IDTokenSubject instead of sub claims	2019-09-29 18:34:59 +09:00
Hidetake Iwata	8a5efac337	Add deprecation message of standalone mode (#155 )	2019-09-28 11:03:03 +09:00
dependabot-preview[bot]	d6e0c761ac	Bump github.com/int128/oauth2cli from 1.5.0 to 1.6.0 (#153 ) Bumps [github.com/int128/oauth2cli](https://github.com/int128/oauth2cli) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/int128/oauth2cli/releases) - [Commits](https://github.com/int128/oauth2cli/compare/v1.5.0...v1.6.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-09-26 13:07:01 +09:00
dependabot-preview[bot]	8925226afe	Bump github.com/go-test/deep from 1.0.3 to 1.0.4 (#150 ) Bumps [github.com/go-test/deep](https://github.com/go-test/deep) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/go-test/deep/releases) - [Changelog](https://github.com/go-test/deep/blob/master/CHANGES.md) - [Commits](https://github.com/go-test/deep/compare/v1.0.3...v1.0.4) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-09-26 12:32:20 +09:00
dependabot-preview[bot]	89a0f9a79e	Bump github.com/spf13/pflag from 1.0.3 to 1.0.5 (#152 ) Bumps [github.com/spf13/pflag](https://github.com/spf13/pflag) from 1.0.3 to 1.0.5. - [Release notes](https://github.com/spf13/pflag/releases) - [Commits](https://github.com/spf13/pflag/compare/v1.0.3...v1.0.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-09-26 12:18:22 +09:00
Hidetake Iwata	74bb4c62c5	Fix expiration of CA certificate for E2E tests (#154 )	2019-09-25 23:56:24 +09:00
Hidetake Iwata	25c7c1e703	Add snapcraft.yaml (#147 ) * Create snapcraft.yaml * Update snapcraft.yaml	2019-09-11 10:01:25 +09:00
Hidetake Iwata	6b1e11f071	Refactor: use channel to wait for opening browser (#143 )	2019-08-30 20:41:36 +09:00
Hidetake Iwata	554daf7655	Fix doc: add klog options	2019-08-29 18:28:59 +09:00
Hidetake Iwata	d67d16b333	Fix README.md: add klog options	2019-08-29 18:01:19 +09:00
dependabot-preview[bot]	3d0973054b	Bump k8s.io/klog from 0.3.1 to 0.4.0 (#140 ) Bumps [k8s.io/klog](https://github.com/kubernetes/klog) from 0.3.1 to 0.4.0. - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes/klog/compare/v0.3.1...v0.4.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-08-29 17:54:40 +09:00
Hidetake Iwata	bf02210f2a	Refactor: merge interface and implementation package (#141 ) * Refactor: move logger interfaces * Refactor: move oidc interfaces * Refactor: move env interface * Refactor: move credential plugin interface * Refactor: move token cache interface * Refactor: move kubeconfig interface * Refactor: move cmd interface * Refactor: move use-cases interfaces	2019-08-28 22:55:28 +09:00
Hidetake Iwata	53e8284b63	Move to k8s.io/klog (#139 )	2019-08-27 14:48:44 +09:00
Hidetake Iwata	d9b8d99fae	Refactor docs (#138 ) * Refactor: extract standalone-mode.md * Refactor: remove diagram * Refactor: remove DESIGN.md * Refactor: change README.md	2019-08-27 11:51:48 +09:00
Hidetake Iwata	3e30346c9b	Update README.md	2019-08-23 16:33:53 +09:00
Hidetake Iwata	1e80481145	Refactor: split commands (#137 )	2019-08-22 17:22:03 +09:00
dependabot-preview[bot]	9242b1917b	Bump github.com/coreos/go-oidc (#136 ) Bumps [github.com/coreos/go-oidc](https://github.com/coreos/go-oidc) from 2.0.0+incompatible to 2.1.0+incompatible. - [Release notes](https://github.com/coreos/go-oidc/releases) - [Commits](https://github.com/coreos/go-oidc/compare/v2.0.0...v2.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-08-22 09:47:42 +09:00
dependabot-preview[bot]	306bf09485	Bump github.com/go-test/deep from 1.0.2 to 1.0.3 (#135 ) Bumps [github.com/go-test/deep](https://github.com/go-test/deep) from 1.0.2 to 1.0.3. - [Release notes](https://github.com/go-test/deep/releases) - [Changelog](https://github.com/go-test/deep/blob/master/CHANGES.md) - [Commits](https://github.com/go-test/deep/compare/v1.0.2...v1.0.3) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>	2019-08-20 10:20:07 +09:00
Hidetake Iwata	4ad77cd5f8	Update README.md	2019-08-19 23:24:23 +09:00
Hidetake Iwata	c8967faf6b	Fix krew yaml (#134 )	2019-08-18 16:57:47 +09:00
Hidetake Iwata	315d6151d7	Refactor (#133 ) * Refactor: change debug messages to lowercase * Refactor: add debug messages * Refactor Makefile * Refactor: add keys and certificates of e2e tests	2019-08-18 15:14:07 +09:00
Hidetake Iwata	1ff03fdfb3	Skip verification of cached token to reduce time (#132 )	2019-08-17 21:40:14 +09:00
Hidetake Iwata	5e0fc7f399	Save token cache for each issuer and client ID (#131 )	2019-08-14 14:52:58 +09:00
Hidetake Iwata	9423a65f46	Add dex documentation (#130 )	2019-08-11 16:09:53 +09:00
Hidetake Iwata	45417a18fd	Refactor docs	2019-08-10 15:25:06 +09:00
Hidetake Iwata	760416fd04	Update README.md	2019-08-09 17:01:36 +09:00
Hidetake Iwata	0a4ebb26c2	Refactor packages structure (#129 )	2019-08-09 10:15:17 +09:00
Hidetake Iwata	de9f7a2a01	Fix typo (#128 ) * Fix typo * Update google.md * Update keycloak.md	2019-08-03 20:05:13 +09:00
Hidetake Iwata	0006cdda2d	Update README.md	2019-08-02 14:10:20 +09:00
Hidetake Iwata	c89a8a1823	Update README.md	2019-08-01 11:00:55 +09:00