Show debug logs in authentication (#325 )

go mod tidy
Build(deps): bump github.com/int128/oauth2cli from 1.11.0 to 1.12.1 (#324 )
2026-02-28 16:00:19 +00:00 · 2020-07-14 09:50:02 +09:00 · 2020-07-14 09:14:51 +09:00 · 2020-07-14 07:06:48 +09:00 · 2020-07-05 19:50:26 +09:00 · 2020-07-03 09:08:57 +09:00
147 changed files with 6537 additions and 3768 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,37 +1,60 @@
-version: 2
+version: 2.1
+
 jobs:
-  build:
+  test:
    docker:
-      - image: circleci/golang:1.12.3
+      - image: cimg/go:1.14.4
    steps:
-      - run: |
-          mkdir -p ~/bin
-          echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
-      - run: |
-          curl -L -o ~/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.14.0/bin/linux/amd64/kubectl
-          chmod +x ~/bin/kubectl
-      - run: |
-          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
-          chmod +x ~/bin/ghcp
-      - run: |
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.16.0
-      - run: go get github.com/int128/goxzst
-      - run: go get github.com/tcnksm/ghr
+      - run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
      - checkout
+      - restore_cache:
+          keys:
+            - go-sum-{{ checksum "go.sum" }}
      - run: make check
      - run: bash <(curl -s https://codecov.io/bash)
-      - run: make run
+      - save_cache:
+          key: go-sum-{{ checksum "go.sum" }}
+          paths:
+            - ~/go/pkg
+      - store_artifacts:
+          path: gotest.log
+
+  crossbuild:
+    macos:
+      xcode: 11.5.0
+    steps:
+      - run: |
+          curl -sSfL https://dl.google.com/go/go1.14.4.darwin-amd64.tar.gz | tar -C /tmp -xz
+          echo 'export PATH="$PATH:/tmp/go/bin:$HOME/go/bin"' >> $BASH_ENV
+      - checkout
+      - restore_cache:
+          keys:
+            - go-macos-{{ checksum "go.sum" }}
+      - run:
+          command: go get -v github.com/int128/goxzst github.com/int128/ghcp
+          working_directory: .circleci
+      - run: make dist
      - run: |
          if [ "$CIRCLE_TAG" ]; then
            make release
          fi
+      - save_cache:
+          key: go-macos-{{ checksum "go.sum" }}
+          paths:
+            - ~/go/pkg

 workflows:
  version: 2
-  all:
+  build:
    jobs:
-      - build:
-          context: open-source
+      - test:
+          filters:
+            tags:
+              only: /.*/
+      - crossbuild:
+          context: open-source
+          requires:
+            - test
          filters:
            tags:
              only: /.*/
--- a/.circleci/go.mod
+++ b/.circleci/go.mod
@@ -0,0 +1,3 @@
+module github.com/int128/kubelogin/.circleci
+
+go 1.13
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [int128] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,23 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Environment**
+ - OS: [e.g. macOS, Linux]
+ - kubelogin version: [e.g. 1.19.3]
+ - kubectl version: [e.g. 1.19]
+ - OpenID Connect provider: [e.g. Google, Okta]
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
--- a/.github/workflows/system-test.yaml
+++ b/.github/workflows/system-test.yaml
@@ -0,0 +1,29 @@
+on: [push]
+jobs:
+  system-test:
+    # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/setup-go@v1
+        with:
+          go-version: 1.14.1
+        id: go
+      - uses: actions/checkout@v1
+      - uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            go-
+      # https://kind.sigs.k8s.io/docs/user/quick-start/
+      - run: |
+          wget -q -O ./kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.8.1/kind-linux-amd64"
+          chmod +x ./kind
+          sudo mv ./kind /usr/local/bin/kind
+          kind version
+      # https://packages.ubuntu.com/xenial/libnss3-tools
+      - run: sudo apt update
+      - run: sudo apt install -y libnss3-tools
+      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
+      - run: make -C system_test -j3 setup
+      - run: make -C system_test test
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,11 @@
 /.idea

-/.kubeconfig*
+/system_test/output/
+/acceptance_test/output/

-/dist
+/dist/output
 /coverage.out
+/gotest.log

 /kubelogin
 /kubectl-oidc_login
--- a/58
+++ b/58
@@ -1,39 +1,49 @@
+# CircleCI specific variables
+CIRCLE_TAG ?= latest
+GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
+GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)
+
 TARGET := kubelogin
-TARGET_PLUGIN := kubectl-oidc_login
-CIRCLE_TAG ?= HEAD
-LDFLAGS := -X main.version=$(CIRCLE_TAG)
+TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
+VERSION ?= $(CIRCLE_TAG)
+LDFLAGS := -X main.version=$(VERSION)

 all: $(TARGET)

+$(TARGET): $(wildcard **/*.go)
+	go build -o $@ -ldflags "$(LDFLAGS)"
+
 .PHONY: check
 check:
 	golangci-lint run
-	go test -v -race -cover -coverprofile=coverage.out ./...
+	go test -v -race -cover -coverprofile=coverage.out ./... > gotest.log

-$(TARGET): $(wildcard *.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
-
-$(TARGET_PLUGIN): $(TARGET)
-	ln -sf $(TARGET) $@
-
-.PHONY: run
-run: $(TARGET_PLUGIN)
-	-PATH=.:$(PATH) kubectl oidc-login --help
-
-dist:
-	VERSION=$(CIRCLE_TAG) goxzst -d dist/gh/ -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
-	mv dist/gh/kubelogin.rb dist/
-	mkdir -p dist/plugins
-	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml
+.PHONY: dist
+dist: dist/output
+dist/output:
+	# make the zip files for GitHub Releases
+	VERSION=$(VERSION) goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
+	# test the zip file
+	zipinfo dist/output/kubelogin_linux_amd64.zip
+	# make the krew yaml structure
+	mkdir -p dist/output/plugins
+	mv dist/output/oidc-login.yaml dist/output/plugins/oidc-login.yaml

 .PHONY: release
 release: dist
-	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
-	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml
+	# publish the binaries
+	ghcp release -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)" -t "$(VERSION)" dist/output/
+	# publish the Homebrew formula
+	ghcp commit -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ kubelogin.rb
+	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
+	# publish the Dockerfile
+	ghcp commit -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ Dockerfile
+	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
+	# publish the Krew manifest
+	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(VERSION)" -m "Bump oidc-login to $(VERSION)" -C dist/output/ plugins/oidc-login.yaml

 .PHONY: clean
 clean:
 	-rm $(TARGET)
-	-rm $(TARGET_PLUGIN)
-	-rm -r dist/
+	-rm -r dist/output/
+	-rm coverage.out gotest.log
--- a/README.md
+++ b/README.md
@@ -2,44 +2,38 @@

 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.

-This is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
+Here is an example of Kubernetes authentication with the Google Identity Platform:
+
+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
+
+Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 When you run kubectl, kubelogin opens the browser and you can log in to the provider.
 Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token.
+Take a look at the diagram:
+
+![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)


 ## Getting Started

 ### Setup

-Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases) as follows:
+Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases).

 ```sh
-# Homebrew
+# Homebrew (macOS and Linux)
 brew install int128/kubelogin/kubelogin

-# Krew
+# Krew (macOS, Linux, Windows and ARM)
 kubectl krew install oidc-login
-
-# GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.14.2/kubelogin_linux_amd64.zip
-unzip kubelogin_linux_amd64.zip
-ln -s kubelogin kubectl-oidc_login
 ```

-You need to configure the OIDC provider, Kubernetes API server and role binding.
-See the following documents for more:
-
- [Getting Started with Keycloak](docs/keycloak.md)
- [Getting Started with dex and GitHub](docs/dex.md)
- [Getting Started with Google Identity Platform](docs/google.md)
-
-Configure the kubeconfig to run kubelogin as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
-It provides transparent login without manually running kubelogin command.
-For example,
+You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
+The kubeconfig looks like:

 ```yaml
 users:
- name: keycloak
+- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
@@ -47,11 +41,14 @@ users:
      args:
      - oidc-login
      - get-token
-      - --oidc-issuer-url=https://issuer.example.com
+      - --oidc-issuer-url=ISSUER_URL
      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

+See [setup guide](docs/setup.md) for more.
+
+
 ### Run

 Run kubectl.
@@ -70,7 +67,6 @@ After authentication, kubelogin returns the credentials to kubectl and finally k
 ```
 % kubectl get pods
 Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-18 10:28:51 +0900 JST
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
 ```
@@ -81,13 +77,31 @@ If the cached ID token is valid, kubelogin just returns it.
 If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
 If the refresh token has expired, kubelogin will perform reauthentication.

+
+### Troubleshoot
+
 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
 Kubelogin will perform authentication if the token cache file does not exist.

-### Standalone mode
+You can dump claims of an ID token by `setup` command.

-As well as you can update the ID token in the kubeconfig by running the command.
-See [standalone mode](docs/standalone-mode.md) for more.
+```console
+% kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
+authentication in progress...
+
+## 2. Verify authentication
+
+You got a token with the following claims:
+
+{
+  "sub": "********",
+  "iss": "https://accounts.google.com",
+  "aud": "********",
+  ...
+}
+```
+
+You can verify kubelogin works with your provider using [acceptance test](acceptance_test).


 ## Usage
@@ -98,25 +112,27 @@ If you are looking for a specific version, see [the release tags](https://github
 Kubelogin supports the following options:

 ```
-% kubelogin get-token -h
-Run as a kubectl credential plugin
-
 Usage:
  kubelogin get-token [flags]

 Flags:
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
-      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
-      --oidc-client-id string          Client ID of the provider (mandatory)
-      --oidc-client-secret string      Client secret of the provider
-      --oidc-extra-scope strings       Scopes to request to the provider
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --token-cache-dir string         Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
-  -h, --help                           help for get-token
+      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
+      --oidc-client-id string                           Client ID of the provider (mandatory)
+      --oidc-client-secret string                       Client secret of the provider
+      --oidc-extra-scope strings                        Scopes to request to the provider
+      --certificate-authority string                    Path to a cert file for the certificate authority
+      --certificate-authority-data string               Base64 encoded data for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --token-cache-dir string                          Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
+  -h, --help                                            help for get-token

 Global Flags:
      --add_dir_header                   If true, adds the file directory to the header
@@ -133,7 +149,7 @@ Global Flags:
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```

-See also the options in [standalone mode](docs/standalone-mode.md).
+See also the options of [standalone mode](docs/standalone-mode.md).

 ### Extra scopes

@@ -144,12 +160,13 @@ You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
      - --oidc-extra-scope=profile
 ```

-### CA Certificates
+### CA Certificate

 You can use your self-signed certificate for the provider.

 ```yaml
      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
+      - --certificate-authority-data=LS0t...
 ```

 ### HTTP Proxy
@@ -157,7 +174,6 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).

-
 ### Authentication flows

 #### Authorization code flow
@@ -170,33 +186,122 @@ You need to register the following redirect URIs to the provider:
 - `http://localhost:8000`
 - `http://localhost:18000` (used if port 8000 is already in use)

-You can change the ports by the option:
+You can change the listening address.

 ```yaml
-      - --listen-port 12345
-      - --listen-port 23456
+      - --listen-address=127.0.0.1:12345
+      - --listen-address=127.0.0.1:23456
+```
+
+You can change the hostname of redirect URI from the default value `localhost`.
+
+```yaml
+      - --oidc-redirect-url-hostname=127.0.0.1
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
+```
+
+#### Authorization code flow with keyboard interactive
+
+If you cannot access the browser, instead use the authorization code flow with keyboard interactive.
+
+```yaml
+      - --grant-type=authcode-keyboard
+```
+
+Kubelogin will show the URL and prompt.
+Open the URL in the browser and then copy the code shown.
+
+```
+% kubectl get pods
+Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
+Enter code: YOUR_CODE
+```
+
+Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and
+some OIDC providers do not support it.
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
 ```

 #### Resource owner password credentials grant flow

-As well as you can use the resource owner password credentials grant flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
-Most OIDC providers do not support this flow.
+Kubelogin performs the resource owner password credentials grant flow
+when `--grant-type=password` or `--username` is set.

-You can pass the username and password:
+Note that most OIDC providers do not support this flow.
+Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+
+You can set the username and password.

 ```yaml
-      - --username USERNAME
-      - --password PASSWORD
+      - --username=USERNAME
+      - --password=PASSWORD
 ```

-If the password is not set, kubelogin will show the prompt.
+If the password is not set, kubelogin will show the prompt for the password.
+
+```yaml
+      - --username=USERNAME
+```

 ```
-% kubelogin --username USER
+% kubectl get pods
 Password:
 ```

+If the username is not set, kubelogin will show the prompt for the username and password.
+
+```yaml
+      - --grant-type=password
+```
+
+```
+% kubectl get pods
+Username: foo
+Password:
+```
+
+### Docker
+
+You can run [the Docker image](https://quay.io/repository/int128/kubelogin) instead of the binary.
+The kubeconfig looks like:
+
+```yaml
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: docker
+      args:
+      - run
+      - --rm
+      - -v
+      - /tmp/.token-cache:/.token-cache
+      - -p
+      - 8000:8000
+      - quay.io/int128/kubelogin
+      - get-token
+      - --token-cache-dir=/.token-cache
+      - --listen-address=0.0.0.0:8000
+      - --oidc-issuer-url=ISSUER_URL
+      - --oidc-client-id=YOUR_CLIENT_ID
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Known limitations:
+
+- It cannot open the browser automatically.
+- The container port and listen port must be equal for consistency of the redirect URI.
+

 ## Related works

@@ -212,7 +317,7 @@ Feel free to open issues and pull requests for improving code and documents.

 ### Development

-Go 1.12 or later is required.
+Go 1.13 or later is required.

 ```sh
 # Run lint and tests
@@ -222,3 +327,5 @@ make check
 make
 ./kubelogin
 ```
+
+See also [the system test](system_test).
--- a/acceptance_test/Makefile
+++ b/acceptance_test/Makefile
@@ -0,0 +1,42 @@
+CLUSTER_NAME := kubelogin-acceptance-test
+OUTPUT_DIR := $(CURDIR)/output
+
+KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
+export KUBECONFIG
+
+# create a Kubernetes cluster
+.PHONY: cluster
+cluster:
+	# create a cluster
+	mkdir -p $(OUTPUT_DIR)
+	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
+	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
+	# set up access control
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
+	# set up kubectl
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=$(CURDIR)/../kubelogin \
+		--exec-arg=get-token \
+		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
+		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
+		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
+		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
+		--exec-arg=--oidc-extra-scope=email
+	# switch the default user
+	kubectl config set-context --current --user=oidc
+
+# clean up the resources
+.PHONY: clean
+clean:
+	-rm -r $(OUTPUT_DIR)
+.PHONY: delete-cluster
+delete-cluster:
+	kind delete cluster --name $(CLUSTER_NAME)
+
+.PHONY: check
+check:
+	docker version
+	kind version
+	kubectl version --client
--- a/acceptance_test/README.md
+++ b/acceptance_test/README.md
@@ -0,0 +1,75 @@
+# kubelogin/acceptance_test
+
+This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
+
+
+## Purpose
+
+This test checks the following points:
+
+1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
+1. The plugin works with your OIDC provider.
+
+
+## Getting Started
+
+### Prerequisite
+
+You need to build the plugin into the parent directory.
+
+```sh
+make -C ..
+```
+
+You need to set up your provider.
+See [setup guide](../docs/setup.md) for more.
+
+You need to install the following tools:
+
+- Docker
+- Kind
+- kubectl
+
+You can check if the tools are available.
+
+```sh
+make check
+```
+
+### 1. Create a cluster
+
+Create a cluster.
+For example, you can create a cluster with Google account authentication.
+
+```sh
+make OIDC_ISSUER_URL=https://accounts.google.com \
+  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
+  OIDC_CLIENT_SECRET=REDACTED \
+  YOUR_EMAIL=REDACTED@gmail.com
+```
+
+It will do the following steps:
+
+1. Create a cluster.
+1. Set up access control. It allows read-only access from your email address.
+1. Set up kubectl to enable the plugin.
+
+You can change kubectl configuration in generated `output/kubeconfig.yaml`.
+
+### 2. Run kubectl
+
+Make sure you can log in to the provider and access the cluster.
+
+```console
+% export KUBECONFIG=$PWD/output/kubeconfig.yaml
+% kubectl get pods -A
+```
+
+### Clean up
+
+To delete the cluster and generated files:
+
+```sh
+make delete-cluster
+make clean
+```
--- a/acceptance_test/cluster.yaml
+++ b/acceptance_test/cluster.yaml
@@ -0,0 +1,13 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        oidc-issuer-url: OIDC_ISSUER_URL
+        oidc-client-id: OIDC_CLIENT_ID
+        oidc-username-claim: email
--- a/dist/Dockerfile
+++ b/dist/Dockerfile
@@ -0,0 +1,13 @@
+FROM alpine:3.11
+
+ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
+ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
+
+# Download the release and test the checksum
+RUN wget -O /kubelogin.zip "https://github.com/int128/kubelogin/releases/download/$KUBELOGIN_VERSION/kubelogin_linux_amd64.zip" && \
+    echo "$KUBELOGIN_SHA256  /kubelogin.zip" | sha256sum -c - && \
+    unzip /kubelogin.zip && \
+    rm /kubelogin.zip
+
+USER daemon
+ENTRYPOINT ["/kubelogin"]
--- a/dist/kubelogin.rb
+++ b/dist/kubelogin.rb
@@ -1,15 +1,27 @@
 class Kubelogin < Formula
  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
  homepage "https://github.com/int128/kubelogin"
-  url "https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip"
+  baseurl = "https://github.com/int128/kubelogin/releases/download"
  version "{{ env "VERSION" }}"
-  sha256 "{{ sha256 .darwin_amd64_archive }}"
+  
+  if OS.mac?
+    kernel = "darwin"
+    sha256 "{{ sha256 .darwin_amd64_archive }}"
+  elsif OS.linux?
+    kernel = "linux"
+    sha256 "{{ sha256 .linux_amd64_archive }}"
+  end 
+   
+  url baseurl + "/#{version}/kubelogin_#{kernel}_amd64.zip"
+    
  def install
    bin.install "kubelogin" => "kubelogin"
    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
  end
+  
  test do
    system "#{bin}/kubelogin -h"
    system "#{bin}/kubectl-oidc_login -h"
  end
+    
 end
--- a/dist/oidc-login.yaml
+++ b/dist/oidc-login.yaml
@@ -22,16 +22,16 @@ spec:

  caveats: |
    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
-    See https://github.com/int128/kubelogin for more.
-
  version: {{ env "VERSION" }}
  platforms:
    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
      sha256: "{{ sha256 .linux_amd64_archive }}"
      bin: kubelogin
      files:
-        - from: "kubelogin"
-          to: "."
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
      selector:
        matchLabels:
          os: linux
@@ -40,8 +40,10 @@ spec:
      sha256: "{{ sha256 .darwin_amd64_archive }}"
      bin: kubelogin
      files:
-        - from: "kubelogin"
-          to: "."
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
      selector:
        matchLabels:
          os: darwin
@@ -50,9 +52,35 @@ spec:
      sha256: "{{ sha256 .windows_amd64_archive }}"
      bin: kubelogin.exe
      files:
-        - from: "kubelogin.exe"
-          to: "."
+        - from: kubelogin.exe
+          to: .
+        - from: LICENSE
+          to: .
      selector:
        matchLabels:
          os: windows
          arch: amd64
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
+      sha256: "{{ sha256 .linux_arm_archive }}"
+      bin: kubelogin
+      files:
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
+      selector:
+        matchLabels:
+          os: linux
+          arch: arm
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
+      sha256: "{{ sha256 .linux_arm64_archive }}"
+      bin: kubelogin
+      files:
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
+      selector:
+        matchLabels:
+          os: linux
+          arch: arm64
--- a/docs/credential-plugin-diagram.svg
+++ b/docs/credential-plugin-diagram.svg
--- a/docs/dex.md
+++ b/docs/dex.md
@@ -1,141 +0,0 @@
-# Getting Started with dex and GitHub
-
-## Prerequisite
-
- You have a GitHub account.
- You can configure the Kubernetes API server.
- `kubectl` and `kubelogin` are installed.
-
-## 1. Setup GitHub OAuth
-
-Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an application with the following setting:
-
- Application name: (any)
- Homepage URL: `https://dex.example.com`
- Authorization callback URL: `https://dex.example.com/callback`
-
-## 2. Setup dex
-
-Configure the dex with the following config:
-
-```yaml
-issuer: https://dex.example.com
-connectors:
- type: github
-  id: github
-  name: GitHub
-  config:
-    clientID: YOUR_GITHUB_CLIENT_ID
-    clientSecret: YOUR_GITHUB_CLIENT_SECRET
-    redirectURI: https://dex.example.com/callback
-staticClients:
- id: kubernetes
-  name: Kubernetes
-  redirectURIs:
-    - http://localhost:8000
-    - http://localhost:18000
-  secret: YOUR_DEX_CLIENT_SECRET
-```
-
-Now test authentication with the dex.
-
-```sh
-kubectl oidc-login get-token -v1 \
-  --oidc-issuer-url=https://dex.example.com \
-  --oidc-client-id=kubernetes \
-  --oidc-client-secret=YOUR_DEX_CLIENT_SECRET
-```
-
-You should get claims like:
-
-```
-I0827 12:29:03.086531   23722 get_token.go:59] the ID token has the claim: aud=kubernetes
-I0827 12:29:03.086553   23722 get_token.go:59] the ID token has the claim: iss=https://dex.example.com
-I0827 12:29:03.086561   23722 get_token.go:59] the ID token has the claim: sub=YOUR_SUBJECT
-```
-
-## 3. Setup Kubernetes API server
-
-Configure your Kubernetes API server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
-
-```
--oidc-issuer-url=https://dex.example.com
--oidc-client-id=kubernetes
-```
-
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and add the following spec:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://dex.example.com
-    oidcClientID: kubernetes
-```
-
-## 4. Create a role binding
-
-Here assign the `cluster-admin` role to your subject.
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: keycloak-admin-group
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: User
-  name: YOUR_SUBJECT
-```
-
-You can create a custom role and assign it as well.
-
-## 5. Setup kubeconfig
-
-Configure the kubeconfig like:
-
-```yaml
-apiVersion: v1
-clusters:
- cluster:
-    server: https://api.example.com
-  name: example.k8s.local
-contexts:
- context:
-    cluster: example.k8s.local
-    user: dex
-  name: dex@example.k8s.local
-current-context: dex@example.k8s.local
-kind: Config
-preferences: {}
-users:
- name: dex
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=https://dex.example.com
-      - --oidc-client-id=kubernetes
-      - --oidc-client-secret=YOUR_DEX_CLIENT_SECRET
-```
-
-You can share the kubeconfig to your team members for on-boarding.
-
-## 6. Run kubectl
-
-Make sure you can access the Kubernetes cluster.
-
-```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
-```
--- a/docs/google.md
+++ b/docs/google.md
@@ -1,116 +0,0 @@
-# Getting Started with Google Identity Platform
-
-## Prerequisite
-
- You have a Google account.
- You have the Cluster Admin role of the Kubernetes cluster.
- You can configure the Kubernetes API server.
- `kubectl` and `kubelogin` are installed to your computer.
-
-## 1. Setup Google API
-
-Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:
-
- Application Type: Other
-
-Now test authentication with Google Identity Platform.
-
-```sh
-kubectl oidc-login get-token -v1 \
-  --oidc-issuer-url=https://accounts.google.com \
-  --oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com \
-  --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-You should get claims like:
-
-```
-I0827 12:29:03.086531   23722 get_token.go:59] the ID token has the claim: aud=YOUR_CLIENT_ID.apps.googleusercontent.com
-I0827 12:29:03.086553   23722 get_token.go:59] the ID token has the claim: iss=https://accounts.google.com
-I0827 12:29:03.086561   23722 get_token.go:59] the ID token has the claim: sub=YOUR_SUBJECT
-```
-
-## 2. Setup Kubernetes API server
-
-Configure your Kubernetes API Server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
-
-```
--oidc-issuer-url=https://accounts.google.com
--oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
-```
-
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://accounts.google.com
-    oidcClientID: YOUR_CLIENT_ID.apps.googleusercontent.com
-```
-
-## 3. Setup Kubernetes cluster
-
-Here assign the `cluster-admin` role to your subject.
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: oidc-admin-group
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: User
-  name: YOUR_SUBJECT
-```
-
-You can create a custom role and assign it as well.
-
-## 4. Setup kubeconfig
-
-Configure the kubeconfig like:
-
-```yaml
-apiVersion: v1
-clusters:
- cluster:
-    server: https://api.example.com
-  name: example.k8s.local
-contexts:
- context:
-    cluster: example.k8s.local
-    user: google
-  name: google@example.k8s.local
-current-context: google@example.k8s.local
-kind: Config
-preferences: {}
-users:
- name: google
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://accounts.google.com
-      - --oidc-client-id=YOUR_CLIENT_ID.apps.googleusercontent.com
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-You can share the kubeconfig to your team members for on-boarding.
-
-## 5. Run kubectl
-
-Make sure you can access the Kubernetes cluster.
-
-```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
-```
--- a/docs/keycloak.md
+++ b/docs/keycloak.md
@@ -1,134 +0,0 @@
-# Getting Started with Keycloak
-
-## Prerequisite
-
- You have an administrator role of the Keycloak realm.
- You have an administrator role of the Kubernetes cluster.
- You can configure the Kubernetes API server.
- `kubectl` and `kubelogin` are installed.
-
-## 1. Setup Keycloak
-
-Open the Keycloak and create an OIDC client as follows:
-
- Client ID: `kubernetes`
- Valid Redirect URLs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
-
-You can associate client roles by adding the following mapper:
-
- Name: `groups`
- Mapper Type: `User Client Role`
- Client ID: `kubernetes`
- Client Role prefix: `kubernetes:`
- Token Claim Name: `groups`
- Add to ID token: on
-
-For example, if you have the `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
-
-Now test authentication with the Keycloak.
-
-```sh
-kubectl oidc-login get-token -v1 \
-  --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM \
-  --oidc-client-id=kubernetes \
-  --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-You should get claims like:
-
-```
-I0827 12:29:03.086476   23722 get_token.go:59] the ID token has the claim: groups=[kubernetes:admin]
-I0827 12:29:03.086531   23722 get_token.go:59] the ID token has the claim: aud=kubernetes
-I0827 12:29:03.086553   23722 get_token.go:59] the ID token has the claim: iss=https://keycloak.example.com/auth/realms/YOUR_REALM
-I0827 12:29:03.086561   23722 get_token.go:59] the ID token has the claim: sub=f08655e2-901f-48e5-8c64-bb9f7784d5df
-```
-
-## 2. Setup Kubernetes API server
-
-Configure your Kubernetes API server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
-
-```
--oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
--oidc-client-id=kubernetes
--oidc-groups-claim=groups
-```
-
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and add the following spec:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
-    oidcClientID: kubernetes
-    oidcGroupsClaim: groups
-```
-
-## 3. Setup Kubernetes cluster
-
-Here assign the `cluster-admin` role to the `kubernetes:admin` group.
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: keycloak-admin-group
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: Group
-  name: kubernetes:admin
-```
-
-You can create a custom role and assign it as well.
-
-## 4. Setup kubeconfig
-
-Configure the kubeconfig like:
-
-```yaml
-apiVersion: v1
-clusters:
- cluster:
-    server: https://api.example.com
-  name: example.k8s.local
-contexts:
- context:
-    cluster: example.k8s.local
-    user: keycloak
-  name: keycloak@example.k8s.local
-current-context: keycloak@example.k8s.local
-kind: Config
-preferences: {}
-users:
- name: keycloak
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubelogin
-      args:
-      - get-token
-      - --oidc-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM
-      - --oidc-client-id=kubernetes
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
-```
-
-You can share the kubeconfig to your team members for on-boarding.
-
-## 5. Run kubectl
-
-Make sure you can access the Kubernetes cluster.
-
-```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-Updated ~/.kubeconfig
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
-```
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -0,0 +1,226 @@
+# Kubernetes OpenID Connection authentication
+
+This document guides how to set up Kubernetes OpenID Connect (OIDC) authentication.
+Let's see the following steps:
+
+1. Set up the OIDC provider
+1. Verify authentication
+1. Bind a cluster role
+1. Set up the Kubernetes API server
+1. Set up the kubeconfig
+1. Verify cluster access
+
+
+## 1. Set up the OIDC provider
+
+### Google Identity Platform
+
+You can log in with a Google account.
+
+Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:
+
+- Application Type: Other
+
+Check the client ID and secret.
+Replace the following variables in the later sections.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://accounts.google.com`
+`YOUR_CLIENT_ID`        | `xxx.apps.googleusercontent.com`
+`YOUR_CLIENT_SECRET`    | random string
+
+### Keycloak
+
+You can log in with a user of Keycloak.
+Make sure you have an administrator role of the Keycloak realm.
+
+Open Keycloak and create an OIDC client as follows:
+
+- Client ID: `YOUR_CLIENT_ID`
+- Valid Redirect URLs:
+    - `http://localhost:8000`
+    - `http://localhost:18000` (used if the port 8000 is already in use)
+- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
+
+You can associate client roles by adding the following mapper:
+
+- Name: `groups`
+- Mapper Type: `User Client Role`
+- Client ID: `YOUR_CLIENT_ID`
+- Client Role prefix: `kubernetes:`
+- Token Claim Name: `groups`
+- Add to ID token: on
+
+For example, if you have `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
+
+Replace the following variables in the later sections.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://keycloak.example.com/auth/realms/YOUR_REALM`
+`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
+`YOUR_CLIENT_SECRET`    | random string
+
+### Dex with GitHub
+
+You can log in with a GitHub account.
+
+Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an application with the following setting:
+
+- Application name: (any)
+- Homepage URL: `https://dex.example.com`
+- Authorization callback URL: `https://dex.example.com/callback`
+
+Deploy [Dex](https://github.com/dexidp/dex) with the following config:
+
+```yaml
+issuer: https://dex.example.com
+connectors:
+- type: github
+  id: github
+  name: GitHub
+  config:
+    clientID: YOUR_GITHUB_CLIENT_ID
+    clientSecret: YOUR_GITHUB_CLIENT_SECRET
+    redirectURI: https://dex.example.com/callback
+staticClients:
+- id: YOUR_CLIENT_ID
+  name: Kubernetes
+  redirectURIs:
+  - http://localhost:8000
+  - http://localhost:18000
+  secret: YOUR_DEX_CLIENT_SECRET
+```
+
+Replace the following variables in the later sections.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://dex.example.com`
+`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
+`YOUR_CLIENT_SECRET`    | `YOUR_DEX_CLIENT_SECRET`
+
+### Okta
+
+You can log in with an Okta user.
+Okta supports [the authorization code flow with PKCE](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/)
+and this section explains how to set up it.
+
+Open your Okta organization and create an application with the following options:
+
+- Application type: Native
+- Initiate login URI: `http://localhost:8000`
+- Login redirect URIs:
+    - `http://localhost:8000`
+    - `http://localhost:18000` (used if the port 8000 is already in use)
+- Allowed grant types: Authorization Code
+- Client authentication: Use PKCE (for public clients)
+
+Replace the following variables in the later sections.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://YOUR_ORGANIZATION.okta.com`
+`YOUR_CLIENT_ID`        | random string
+
+You do not need to set `YOUR_CLIENT_SECRET`.
+
+If you need `groups` claim for access control,
+see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
+
+
+## 2. Verify authentication
+
+Run the following command:
+
+```sh
+kubectl oidc-login setup \
+  --oidc-issuer-url=ISSUER_URL \
+  --oidc-client-id=YOUR_CLIENT_ID \
+  --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+It launches the browser and navigates to `http://localhost:8000`.
+Please log in to the provider.
+
+You can set extra options, for example, extra scope or CA certificate.
+See also the full options.
+
+```sh
+kubectl oidc-login setup --help
+```
+
+
+## 3. Bind a cluster role
+
+Here bind `cluster-admin` role to you.
+
+```sh
+kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
+```
+
+As well as you can create a custom cluster role and bind it.
+
+
+## 4. Set up the Kubernetes API server
+
+Add the following flags to kube-apiserver:
+
+```
+--oidc-issuer-url=ISSUER_URL
+--oidc-client-id=YOUR_CLIENT_ID
+```
+
+See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
+
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: ISSUER_URL
+    oidcClientID: YOUR_CLIENT_ID
+```
+
+If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), append the following settings to the `cluster.yaml`:
+
+```yaml
+       oidc:
+         enabled: true
+         issuerUrl: ISSUER_URL
+         clientId: YOUR_CLIENT_ID
+```
+
+
+## 5. Set up the kubeconfig
+
+Add `oidc` user to the kubeconfig.
+
+```sh
+kubectl config set-credentials oidc \
+  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-command=kubectl \
+  --exec-arg=oidc-login \
+  --exec-arg=get-token \
+  --exec-arg=--oidc-issuer-url=ISSUER_URL \
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+
+## 6. Verify cluster access
+
+Make sure you can access the Kubernetes cluster.
+
+```sh
+kubectl --user=oidc cluster-info
+```
+
+You can switch the current context to oidc.
+
+```sh
+kubectl config set-context --current --user=oidc
+```
+
+You can share the kubeconfig to your team members for on-boarding.
--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -78,52 +78,54 @@ If the refresh token has expired, kubelogin will proceed the authentication.
 Kubelogin supports the following options:

 ```
-% kubelogin -h
-Login to the OpenID Connect provider and update the kubeconfig
+% kubectl oidc-login -h
+Login to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+Run the following command to show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.

 Usage:
-  kubelogin [flags]
-  kubelogin [command]
-
-Examples:
-  # Login to the provider using the authorization code flow.
-  kubelogin
-
-  # Login to the provider using the resource owner password credentials flow.
-  kubelogin --username USERNAME --password PASSWORD
-
-  # Run as a credential plugin.
-  kubelogin get-token --oidc-issuer-url=https://issuer.example.com
+  main [flags]
+  main [command]

 Available Commands:
  get-token   Run as a kubectl credential plugin
  help        Help about any command
+  setup       Show the setup instruction
  version     Print the version information

 Flags:
-      --kubeconfig string                Path to the kubeconfig file
-      --context string                   The name of the kubeconfig context to use
-      --user string                      The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string     Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --listen-port ints                 Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser                If true, it does not open the browser on authentication
-      --username string                  If set, perform the resource owner password credentials grant
-      --password string                  If set, use the password instead of asking it
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-  -h, --help                             help for kubelogin
-      --version                          version for kubelogin
+      --kubeconfig string                               Path to the kubeconfig file
+      --context string                                  The name of the kubeconfig context to use
+      --user string                                     The name of the kubeconfig user to use. Prior to --context
+      --certificate-authority string                    Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
+      --add_dir_header                                  If true, adds the file directory to the header
+      --alsologtostderr                                 log to standard error as well as files
+      --log_backtrace_at traceLocation                  when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                                  If non-empty, write log files in this directory
+      --log_file string                                 If non-empty, use this log file
+      --log_file_max_size uint                          Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                                     log to standard error instead of files (default true)
+      --skip_headers                                    If true, avoid header prefixes in the log messages
+      --skip_log_headers                                If true, avoid headers when opening log files
+      --stderrthreshold severity                        logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                                         number for the log level verbosity
+      --vmodule moduleSpec                              comma-separated list of pattern=N settings for file-filtered logging
+  -h, --help                                            help for kubelogin
+      --version                                         version for kubelogin
 ```

 ### Kubeconfig
--- a/docs/system-test-diagram.svg
+++ b/docs/system-test-diagram.svg
--- a/e2e_test/credetial_plugin_test.go
+++ b/e2e_test/credetial_plugin_test.go
@@ -1,84 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"io/ioutil"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin/mock_credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-	"github.com/int128/kubelogin/pkg/di"
-	"github.com/int128/kubelogin/pkg/usecases/auth"
-)
-
-// Run the integration tests of the credential plugin use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the output.
-//
-func TestCmd_Run_CredentialPlugin(t *testing.T) {
-	timeout := 1 * time.Second
-	cacheDir, err := ioutil.TempDir("", "kube")
-	if err != nil {
-		t.Fatalf("could not create a cache dir: %s", err)
-	}
-	defer func() {
-		if err := os.RemoveAll(cacheDir); err != nil {
-			t.Errorf("could not clean up the cache dir: %s", err)
-		}
-	}()
-
-	t.Run("Defaults", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		credentialPluginInteraction.EXPECT().
-			Write(gomock.Any()).
-			Do(func(out credentialplugin.Output) {
-				if out.Token != idToken {
-					t.Errorf("Token wants %s but %s", idToken, out.Token)
-				}
-				if out.Expiry != tokenExpiryFuture {
-					t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
-				}
-			})
-
-		runGetTokenCmd(t, ctx,
-			openBrowserOnReadyFunc(t, ctx, nil),
-			credentialPluginInteraction,
-			"--skip-open-browser",
-			"--listen-port", "0",
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		)
-	})
-}
-
-func runGetTokenCmd(t *testing.T, ctx context.Context, localServerReadyFunc auth.LocalServerReadyFunc, interaction credentialplugin.Interface, args ...string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, interaction)
-	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "get-token", "--v=1"}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
--- a/e2e_test/idp/mock_idp/mock_service.go
+++ b/e2e_test/idp/mock_idp/mock_service.go
@@ -1,110 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/e2e_test/idp (interfaces: Service)
-
-// Package mock_idp is a generated GoMock package.
-package mock_idp
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	idp "github.com/int128/kubelogin/e2e_test/idp"
-	reflect "reflect"
-)
-
-// MockService is a mock of Service interface
-type MockService struct {
-	ctrl     *gomock.Controller
-	recorder *MockServiceMockRecorder
-}
-
-// MockServiceMockRecorder is the mock recorder for MockService
-type MockServiceMockRecorder struct {
-	mock *MockService
-}
-
-// NewMockService creates a new mock instance
-func NewMockService(ctrl *gomock.Controller) *MockService {
-	mock := &MockService{ctrl: ctrl}
-	mock.recorder = &MockServiceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockService) EXPECT() *MockServiceMockRecorder {
-	return m.recorder
-}
-
-// AuthenticateCode mocks base method
-func (m *MockService) AuthenticateCode(arg0, arg1 string) (string, error) {
-	ret := m.ctrl.Call(m, "AuthenticateCode", arg0, arg1)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateCode indicates an expected call of AuthenticateCode
-func (mr *MockServiceMockRecorder) AuthenticateCode(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateCode", reflect.TypeOf((*MockService)(nil).AuthenticateCode), arg0, arg1)
-}
-
-// AuthenticatePassword mocks base method
-func (m *MockService) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenResponse, error) {
-	ret := m.ctrl.Call(m, "AuthenticatePassword", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticatePassword indicates an expected call of AuthenticatePassword
-func (mr *MockServiceMockRecorder) AuthenticatePassword(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticatePassword", reflect.TypeOf((*MockService)(nil).AuthenticatePassword), arg0, arg1, arg2)
-}
-
-// Discovery mocks base method
-func (m *MockService) Discovery() *idp.DiscoveryResponse {
-	ret := m.ctrl.Call(m, "Discovery")
-	ret0, _ := ret[0].(*idp.DiscoveryResponse)
-	return ret0
-}
-
-// Discovery indicates an expected call of Discovery
-func (mr *MockServiceMockRecorder) Discovery() *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Discovery", reflect.TypeOf((*MockService)(nil).Discovery))
-}
-
-// Exchange mocks base method
-func (m *MockService) Exchange(arg0 string) (*idp.TokenResponse, error) {
-	ret := m.ctrl.Call(m, "Exchange", arg0)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Exchange indicates an expected call of Exchange
-func (mr *MockServiceMockRecorder) Exchange(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exchange", reflect.TypeOf((*MockService)(nil).Exchange), arg0)
-}
-
-// GetCertificates mocks base method
-func (m *MockService) GetCertificates() *idp.CertificatesResponse {
-	ret := m.ctrl.Call(m, "GetCertificates")
-	ret0, _ := ret[0].(*idp.CertificatesResponse)
-	return ret0
-}
-
-// GetCertificates indicates an expected call of GetCertificates
-func (mr *MockServiceMockRecorder) GetCertificates() *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificates", reflect.TypeOf((*MockService)(nil).GetCertificates))
-}
-
-// Refresh mocks base method
-func (m *MockService) Refresh(arg0 string) (*idp.TokenResponse, error) {
-	ret := m.ctrl.Call(m, "Refresh", arg0)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh
-func (mr *MockServiceMockRecorder) Refresh(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockService)(nil).Refresh), arg0)
-}
--- a/e2e_test/keys/keys.go
+++ b/e2e_test/keys/keys.go
@@ -1,71 +0,0 @@
-package keys
-
-import (
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"io/ioutil"
-
-	"golang.org/x/xerrors"
-)
-
-// TLSCACert is path to the CA certificate.
-// This should be generated by Makefile before test.
-const TLSCACert = "keys/testdata/ca.crt"
-
-// TLSCACertAsBase64 is a base64 encoded string of TLSCACert.
-var TLSCACertAsBase64 string
-
-// TLSCACertAsConfig is a TLS config including TLSCACert.
-var TLSCACertAsConfig = &tls.Config{RootCAs: x509.NewCertPool()}
-
-// TLSServerCert is path to the server certificate.
-// This should be generated by Makefile before test.
-const TLSServerCert = "keys/testdata/server.crt"
-
-// TLSServerKey is path to the server key.
-// This should be generated by Makefile before test.
-const TLSServerKey = "keys/testdata/server.key"
-
-// JWSKey is path to the key for signing ID tokens.
-const JWSKey = "keys/testdata/jws.key"
-
-// JWSKeyPair is the key pair loaded from JWSKey.
-var JWSKeyPair *rsa.PrivateKey
-
-func init() {
-	var err error
-	JWSKeyPair, err = readPrivateKey(JWSKey)
-	if err != nil {
-		panic(err)
-	}
-	b, err := ioutil.ReadFile(TLSCACert)
-	if err != nil {
-		panic(err)
-	}
-	TLSCACertAsBase64 = base64.StdEncoding.EncodeToString(b)
-	if !TLSCACertAsConfig.RootCAs.AppendCertsFromPEM(b) {
-		panic("could not append the CA cert")
-	}
-}
-
-func readPrivateKey(name string) (*rsa.PrivateKey, error) {
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		return nil, xerrors.Errorf("could not read JWSKey: %w", err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		return nil, xerrors.New("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		return nil, xerrors.New("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		return nil, xerrors.Errorf("could not parse the key: %w", err)
-	}
-	return k, nil
-}
--- a/e2e_test/keys/testdata/.gitignore
+++ b/e2e_test/keys/testdata/.gitignore
@@ -1 +0,0 @@
-/CA
--- a/e2e_test/keys/testdata/Makefile
+++ b/e2e_test/keys/testdata/Makefile
@@ -1,54 +0,0 @@
-all: ca.key ca.crt server.key server.crt jws.key
-
-.PHONY: clean
-clean:
-	-rm -v ca.* server.* jws.*
-
-ca.key:
-	openssl genrsa -out $@ 1024
-
-.INTERMEDIATE: ca.csr
-ca.csr: openssl.cnf ca.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key ca.key \
-		-subj "/CN=Hello CA" \
-		-out $@
-	openssl req -noout -text -in $@
-
-ca.crt: ca.csr ca.key
-	openssl x509 -req \
-		-signkey ca.key \
-		-in ca.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-server.key:
-	openssl genrsa -out $@ 1024
-
-.INTERMEDIATE: server.csr
-server.csr: openssl.cnf server.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key server.key \
-		-subj "/CN=localhost" \
-		-out $@
-	openssl req -noout -text -in $@
-
-server.crt: openssl.cnf server.csr ca.key ca.crt
-	rm -fr ./CA
-	mkdir -p ./CA
-	touch CA/index.txt
-	touch CA/index.txt.attr
-	echo 00 > CA/serial
-	openssl ca -config openssl.cnf \
-		-extensions v3_req \
-		-batch \
-		-cert ca.crt \
-		-keyfile ca.key \
-		-in server.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-jws.key:
-	openssl genrsa -out $@ 1024
--- a/e2e_test/keys/testdata/ca.crt
+++ b/e2e_test/keys/testdata/ca.crt
@@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIBnTCCAQYCCQCuPrhkr+BvGzANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAhI
-ZWxsbyBDQTAeFw0xOTA4MTgwNjAwMDZaFw0xOTA5MTcwNjAwMDZaMBMxETAPBgNV
-BAMMCEhlbGxvIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnSTDsRx4U
-JmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ4Pc51itOycWN1nclNVb489i9
-J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3Lu4mysxyOtYZNsdST8GBCP0m4
-2tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
-ACfgNePlOLnLz1zJrWN6RZ6q0a+SSK8HdgSiKSF66SBIRILFoQmapBLXRY9YyATt
-cdgg7pOd1WGCMqlOnhL56c8X5n+j/LGM5hc9PaEJA5vru7EBrnbxCkg0n8yp4Swc
-8KFV5IiZ5D8t03AHjrXLQg8/HRzTuFRJJ1nJmc+FbnjT
-----END CERTIFICATE-----
--- a/e2e_test/keys/testdata/ca.key
+++ b/e2e_test/keys/testdata/ca.key
@@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDnSTDsRx4UJmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ
-4Pc51itOycWN1nclNVb489i9J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3L
-u4mysxyOtYZNsdST8GBCP0m42tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQAB
-AoGAaYmTYm29QvKW4et9oPxDjpYG0bqlz7P0xFRR9kKtKTATAMHjWeu2xFR/JI+b
-rvJLIdZqHmWe5AmMb3NxZgfLonEB71ohaKQha1L8Vc7aoedRheJvqqaNr+ZxoCMO
-8xcjsaMYxLEVt0tg6XyKyEhi1/hOufFZ4BSng4oQbrpaNIkCQQD6hPEzzPZtMEEe
-eRdwTVUIStKFMQbRdwZ5Oc7pyDk2U+SFRJiqkBkqnmFekcf2UgbBQxem+GMhWNgE
-LItKy/wVAkEA7FiHxbzn2msaE3hZCWudtnXqmJNuPO0zJ5icXe2svwmwPfLA/rm9
-iazCuyzyK67J8IG9QgIjQFYXtQbMr2chGwJBAMm3dghBx0LQEf8Zfdf9TLSqmqyI
-d3b+IgZGl+cCQ58NGfp863ibIsiAUuK0+4/JKItBHLBjXF6jjPx/aYFGkqkCQH4w
-GnXCEYx1qJuCow87jR4xQQsrlC0lfC2E9t/TmWr6UkYRCWg3ZXJPcj0bl0Upcppd
-ut22ZHniPZAizEBOcMcCQQDnMEOxufxhMsx2NC8yON/noewLINqKcbkMsl6DjvJl
-+wLbQmzJ0j+uIBgdpsj4rWnEr7GxoL2eWG44QDUBco79
-----END RSA PRIVATE KEY-----
--- a/e2e_test/keys/testdata/jws.key
+++ b/e2e_test/keys/testdata/jws.key
@@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQCZukkN1GxMlNXkpOZxCnvCF874/rn1sNKzO98fOwmBRPG2+m/c
-yqBY7t2L2nihqz3+GZTiHmzSrBzMAGPVW1qGmk9KYg3m7akz9SiCxdoUkgM9MCCp
-X/s8IhgtXkyoKFPcGdwHblDl/3aJG02b6TAQD8vTNQAKoKw7L0FST+pvRwIDAQAB
-AoGBAJT1fXR5MbfDQL+dSe6fSex5RYTgzzDTdldW3I1Wl487Tz0OzvYTIe0LCIJL
-4DhHxnpCL5IsCSbav8ytVA+ZxczHpEW6UxbalXt5UfgFu0joTrdoGxDcVWgUCW3J
-Olbln0lOP55wViKh509gt45Za3VxJrNul3khVfVj7qGG9cKBAkEAxwtT8LxwqTYF
-nqoeZvPp15JAqlgdk38ttJa4KEqvpBTSxNIXkL9T5gJ+irKZAzxlz/U7bhn5mw6E
-3xFiljOXpQJBAMW3XRFOjgNBXNjbt81wREF5LdZl9EI8cRMSH6xljt2uwSqw4EG3
-76gFvccUd+WnfspFQZVypSSD4pWzsAqh13sCQQCA9BLW5Y7r4ab0a2y08JNwaT1h
-3yKSO5QF6pu25uQyHpeKkj5YNcyKONV40EqXsRqZB10QcN2omlh1GJNRkm1NAkEA
-qV3lr4mnRUqcinfM/4MINT3k8h/sGUFFa5y+3SMyOtwURMm3kRRLi5c/dmYmPug4
-SHUDNU48AQeo9awzRShWOQJBAJdw+cfRgi4fo3HY33uZdFa1T9G+qTA2ijhco6O3
-8tOc0yOFEtPNXM87MsHGIQP3ZCLfIY1gs2O3WCTFbPxR4rc=
-----END RSA PRIVATE KEY-----
--- a/e2e_test/keys/testdata/openssl.cnf
+++ b/e2e_test/keys/testdata/openssl.cnf
@@ -1,37 +0,0 @@
-[ ca ]
-default_ca      = CA_default
-
-[ CA_default ]
-dir             = ./CA
-certs           = $dir
-crl_dir         = $dir
-database        = $dir/index.txt
-new_certs_dir   = $dir
-default_md      = sha256
-policy          = policy_match
-serial          = $dir/serial
-default_days    = 3650
-
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-distinguished_name	= req_distinguished_name
-req_extensions = v3_req
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-commonName			= Common Name (e.g. server FQDN or YOUR name)
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = DNS:localhost
-
-[ v3_ca ]
-basicConstraints = CA:true
--- a/e2e_test/keys/testdata/server.crt
+++ b/e2e_test/keys/testdata/server.crt
@@ -1,52 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Hello CA
-        Validity
-            Not Before: Aug 18 06:00:06 2019 GMT
-            Not After : Aug 15 06:00:06 2029 GMT
-        Subject: CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:d6:4e:eb:3a:cb:25:f9:7e:92:22:f2:63:99:da:
-                    08:05:8b:a3:e7:d3:fd:71:3e:bd:da:c5:d5:63:b7:
-                    d3:7b:f8:cd:1a:2e:5c:a2:4f:48:98:c2:b4:da:e8:
-                    1e:d3:d7:8f:d8:ee:a9:70:d0:9d:4f:f4:8d:95:e5:
-                    8e:9a:71:b6:80:aa:0b:cb:28:1d:f6:0d:7e:aa:78:
-                    bf:30:e6:58:d7:6b:92:8f:19:1c:7d:95:f8:d5:2f:
-                    8c:58:49:98:88:05:50:88:80:a9:77:c4:16:b4:c1:
-                    00:45:1e:d3:d0:ed:98:4d:f7:a3:5d:f1:82:cb:a5:
-                    4d:19:64:4d:43:db:13:d4:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-            X509v3 Subject Alternative Name: 
-                DNS:localhost
-    Signature Algorithm: sha256WithRSAEncryption
-         5a:5c:5e:8b:de:82:86:f4:98:40:0e:cf:c5:51:fe:89:46:49:
-         f0:26:d2:a5:06:e3:91:43:c1:f8:b2:ad:b7:a1:23:13:1a:80:
-         45:00:51:70:b6:06:63:c6:a8:c8:22:5d:1b:00:e0:4a:8c:2e:
-         ce:b4:da:b1:89:8a:d2:d0:e3:eb:0f:16:34:45:a1:bd:64:5c:
-         48:41:8c:0a:bf:66:be:1c:a8:35:47:ce:b0:dc:c8:4f:5e:c1:
-         ec:ef:21:fb:45:55:95:e3:99:40:46:0b:6c:8a:b3:d5:f0:bf:
-         39:a4:ba:c4:d7:58:88:58:08:07:98:59:6e:ca:9c:08:e4:c4:
-         4f:db
-----BEGIN CERTIFICATE-----
-MIIBzTCCATagAwIBAgIBADANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhIZWxs
-byBDQTAeFw0xOTA4MTgwNjAwMDZaFw0yOTA4MTUwNjAwMDZaMBQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1k7rOssl+X6S
-IvJjmdoIBYuj59P9cT692sXVY7fTe/jNGi5cok9ImMK02uge09eP2O6pcNCdT/SN
-leWOmnG2gKoLyygd9g1+qni/MOZY12uSjxkcfZX41S+MWEmYiAVQiICpd8QWtMEA
-RR7T0O2YTfejXfGCy6VNGWRNQ9sT1BcCAwEAAaMwMC4wCQYDVR0TBAIwADALBgNV
-HQ8EBAMCBeAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4GB
-AFpcXovegob0mEAOz8VR/olGSfAm0qUG45FDwfiyrbehIxMagEUAUXC2BmPGqMgi
-XRsA4EqMLs602rGJitLQ4+sPFjRFob1kXEhBjAq/Zr4cqDVHzrDcyE9ewezvIftF
-VZXjmUBGC2yKs9XwvzmkusTXWIhYCAeYWW7KnAjkxE/b
-----END CERTIFICATE-----
--- a/e2e_test/keys/testdata/server.key
+++ b/e2e_test/keys/testdata/server.key
@@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDWTus6yyX5fpIi8mOZ2ggFi6Pn0/1xPr3axdVjt9N7+M0aLlyi
-T0iYwrTa6B7T14/Y7qlw0J1P9I2V5Y6acbaAqgvLKB32DX6qeL8w5ljXa5KPGRx9
-lfjVL4xYSZiIBVCIgKl3xBa0wQBFHtPQ7ZhN96Nd8YLLpU0ZZE1D2xPUFwIDAQAB
-AoGBAJhNR7Dl1JwFzndViWE6aP7/6UEFEBWeADDs7aTLbFmrTJ+xmRWkgLRHk14L
-HnVwuYLywaoyJ8o9wy1nEbxC2e4zWZ94d351MQf3/komCXDBzEsktfAcNsAFnMmS
-HZuGXfhi0FYWoftpIGxUmEBmQRcq0ctycbLves6TY3y+oajpAkEA8UHmSr/zsM3E
-XQXPp2BCAvRrTH/njk4R0jwB29Bi89gt/XDD4uvfWbHw7TZxnZuCpWisnxpMPIwa
-1rjqIQmhEwJBAONncQUOxwYCIuvraIhV0QtkIUa+YpTvAxP8ZNXx+agtHmHG2TTf
-kGv2YddvjxXZItN/FZOzUGm9OptaeLRTpW0CQHO8CEzNnoqve0agtgf2LlSaiiqt
-pRhoLTZsYPvhEMcnapCNGvtt6bxul0REfOZ9poPRHhZJGE9naqydEnv80Y8CQQC3
-pxLfws95SsBpR/VkJepuCK/XMmrrXRxfR7coEgROjiG7VZyV1vgMOS9Ljg1A19wI
-cto6LtcCjpCGZsqU1/kBAkEAv2tXBts3vuIjguZNMz7KLWmu3zG2SQRaqdEZwL+R
-DQmD5tbI6gEtd5OmgmSiW8A4mpfgFYvG7Um2fwi7TTXtSA==
-----END RSA PRIVATE KEY-----
--- a/e2e_test/standalone_test.go
+++ b/e2e_test/standalone_test.go
@@ -1,357 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/e2e_test/kubeconfig"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-	"github.com/int128/kubelogin/pkg/di"
-	"github.com/int128/kubelogin/pkg/usecases/auth"
-)
-
-var (
-	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
-	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
-)
-
-// Run the integration tests of the Login use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the kubeconfig.
-//
-func TestCmd_Run_Standalone(t *testing.T) {
-	timeout := 1 * time.Second
-
-	type testParameter struct {
-		startServer                       func(t *testing.T, h http.Handler) (string, localserver.Shutdowner)
-		kubeconfigIDPCertificateAuthority string
-		clientTLSConfig                   *tls.Config
-	}
-
-	testParameters := map[string]testParameter{
-		"NoTLS": {
-			startServer: localserver.Start,
-		},
-		"CACert": {
-			startServer: func(t *testing.T, h http.Handler) (string, localserver.Shutdowner) {
-				return localserver.StartTLS(t, keys.TLSServerCert, keys.TLSServerKey, h)
-			},
-			kubeconfigIDPCertificateAuthority: keys.TLSCACert,
-			clientTLSConfig:                   keys.TLSCACertAsConfig,
-		},
-	}
-
-	runTest := func(t *testing.T, p testParameter) {
-		t.Run("Defaults", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			var idToken string
-			setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-			service.EXPECT().AuthenticatePassword("USER", "PASS", "openid").
-				Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--username", "USER", "--password", "PASS")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("HasValidToken", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDToken:                 idToken,
-				RefreshToken:            "YOUR_REFRESH_TOKEN",
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("HasValidRefreshToken", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-			service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
-				Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-				RefreshToken:            "VALID_REFRESH_TOKEN",
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "NEW_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.Background(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			var idToken string
-			setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-			service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
-				Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
-				MaxTimes(2) // package oauth2 will retry refreshing the token
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-				RefreshToken:            "EXPIRED_REFRESH_TOKEN",
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-	}
-
-	for name, p := range testParameters {
-		t.Run(name, func(t *testing.T) {
-			runTest(t, p)
-		})
-	}
-
-	t.Run("env:KUBECONFIG", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{Issuer: serverURL})
-		defer os.Remove(kubeConfigFilename)
-		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
-		defer unsetenv(t, "KUBECONFIG")
-
-		runCmd(t, ctx,
-			openBrowserOnReadyFunc(t, ctx, nil),
-			"--skip-open-browser", "--listen-port", "0")
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "profile groups openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:      serverURL,
-			ExtraScopes: "profile,groups",
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		runCmd(t, ctx,
-			openBrowserOnReadyFunc(t, ctx, nil),
-			"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-}
-
-func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
-	t.Helper()
-	var claims struct {
-		jwt.StandardClaims
-		Nonce  string   `json:"nonce"`
-		Groups []string `json:"groups"`
-	}
-	claims.StandardClaims = jwt.StandardClaims{
-		Issuer:    issuer,
-		Audience:  "kubernetes",
-		Subject:   "SUBJECT",
-		IssuedAt:  time.Now().Unix(),
-		ExpiresAt: expiry.Unix(),
-	}
-	claims.Nonce = nonce
-	claims.Groups = []string{"admin", "users"}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(keys.JWSKeyPair)
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
-	var nonce string
-	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
-		DoAndReturn(func(_, gotNonce string) (string, error) {
-			nonce = gotNonce
-			return "YOUR_AUTH_CODE", nil
-		})
-	service.EXPECT().Exchange("YOUR_AUTH_CODE").
-		DoAndReturn(func(string) (*idp.TokenResponse, error) {
-			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
-			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
-		})
-}
-
-func runCmd(t *testing.T, ctx context.Context, localServerReadyFunc auth.LocalServerReadyFunc, args ...string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, nil)
-	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "--v=1"}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
-
-func openBrowserOnReadyFunc(t *testing.T, ctx context.Context, clientConfig *tls.Config) auth.LocalServerReadyFunc {
-	return func(url string) {
-		client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
-		req, err := http.NewRequest("GET", url, nil)
-		if err != nil {
-			t.Errorf("could not create a request: %s", err)
-			return
-		}
-		req = req.WithContext(ctx)
-		resp, err := client.Do(req)
-		if err != nil {
-			t.Errorf("could not send a request: %s", err)
-			return
-		}
-		defer resp.Body.Close()
-		if resp.StatusCode != 200 {
-			t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
-		}
-	}
-}
-
-func setenv(t *testing.T, key, value string) {
-	t.Helper()
-	if err := os.Setenv(key, value); err != nil {
-		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
-	}
-}
-
-func unsetenv(t *testing.T, key string) {
-	t.Helper()
-	if err := os.Unsetenv(key); err != nil {
-		t.Fatalf("Could not unset the env var %s: %s", key, err)
-	}
-}
--- a/go.mod
+++ b/go.mod
@@ -3,23 +3,24 @@ module github.com/int128/kubelogin
 go 1.12

 require (
-	github.com/coreos/go-oidc v2.1.0+incompatible
-	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
-	github.com/go-test/deep v1.0.3
-	github.com/golang/mock v1.3.1
-	github.com/google/wire v0.3.0
-	github.com/int128/oauth2cli v1.5.0
+	github.com/chromedp/chromedp v0.5.3
+	github.com/coreos/go-oidc v2.2.1+incompatible
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/golang/mock v1.4.3
+	github.com/google/go-cmp v0.5.0
+	github.com/google/wire v0.4.0
+	github.com/int128/oauth2cli v1.12.1
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v0.0.5
-	github.com/spf13/pflag v1.0.3
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
-	golang.org/x/sync v0.0.0-20190423024810-112230192c58
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
+	github.com/spf13/cobra v1.0.0
+	github.com/spf13/pflag v1.0.5
+	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
+	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.2.2
-	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
-	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
-	k8s.io/klog v0.4.0
+	gopkg.in/yaml.v2 v2.3.0
+	k8s.io/apimachinery v0.18.5
+	k8s.io/client-go v0.18.5
+	k8s.io/klog v1.0.0
 )
--- a/go.sum
+++ b/go.sum
@@ -1,154 +1,340 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/chromedp/cdproto v0.0.0-20200116234248-4da64dd111ac h1:T7V5BXqnYd55Hj/g5uhDYumg9Fp3rMTS6bykYtTIFX4=
+github.com/chromedp/cdproto v0.0.0-20200116234248-4da64dd111ac/go.mod h1:PfAWWKJqjlGFYJEidUM6aVIWPr0EpobeyVWEEmplX7g=
+github.com/chromedp/chromedp v0.5.3 h1:F9LafxmYpsQhWQBdCs+6Sret1zzeeFyHS5LkRF//Ffg=
+github.com/chromedp/chromedp v0.5.3/go.mod h1:YLdPtndaHQ4rCpSpBG+IPpy9JvX0VD+7aaLxYgYj28w=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
-github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM=
-github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
+github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda h1:NyywMz59neOoVRFDz+ccfKWxn784fiHMDnZSy6T+JXY=
-github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
-github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
-github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 h1:WSBJMqJbLxsn+bTCPyPYZfqHdJmc8MK4wrBjMft6BAM=
-github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
+github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
+github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8=
+github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
+github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
+github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
-github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/wire v0.3.0 h1:imGQZGEVEHpje5056+K+cgdO72p0LQv2xIIFXNGUf60=
-github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/wire v0.4.0 h1:kXcsA/rIGzJImVqPdhfnr6q0xsS9gU0515q1EPpJ9fE=
+github.com/google/wire v0.4.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4=
-github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/int128/oauth2cli v1.4.1 h1:IsaYMafEDS1jyArxYdmksw+nMsNxiYCQzdkPj3QF9BY=
-github.com/int128/oauth2cli v1.4.1/go.mod h1:CMJjyUSgKiobye1M/9byFACOjtB2LRo2mo7boklEKlI=
-github.com/int128/oauth2cli v1.5.0 h1:EOBMCWfroql1hPqPhP+EtDhgO7y6ClFZ/NwJEpBCo1s=
-github.com/int128/oauth2cli v1.5.0/go.mod h1:ivzuzt+k+bpwLI1Mb1bRq8PiBvwLBsO8L7tX2F9iKKA=
-github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE=
-github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
+github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
+github.com/int128/oauth2cli v1.12.1 h1:F+6sykVdM+0rede+jAJ2RICP3GAsLLGvPjSFLlI0U9Q=
+github.com/int128/oauth2cli v1.12.1/go.mod h1:0Wf2wAxKJNzbkPkUIYNhTjeLn/pqIBDOBAGfwrxGYQw=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
+github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/knq/sysutil v0.0.0-20191005231841-15668db23d08 h1:V0an7KRw92wmJysvFvtqtKMAPmvS5O0jtB0nYo6t+gs=
+github.com/knq/sysutil v0.0.0-20191005231841-15668db23d08/go.mod h1:dFWs1zEqDjFtnBXsd1vPOZaLsESovai349994nHx3e0=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
+github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 h1:49lOXmGaUpV9Fz3gd7TFZY106KVlPVa5jcYD1gaQf98=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
-github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4=
-github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-golang.org/x/crypto v0.0.0-20181025213731-e84da0312774 h1:a4tQYYYuK9QdeO/+kEvNYyuR21S+7ve5EANok6hABhI=
-golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/oauth2 v0.0.0-20190319182350-c85d3e98c914/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
-golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU=
-golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20161028155119-f51c12702a4d h1:TnM+PKb3ylGmZvyPXmo9m/wktg7Jn/a/fNmr33HSj8g=
-golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
-gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
-k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw=
-k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
-k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g=
-k8s.io/client-go v0.0.0-20190620085101-78d2af792bab/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k=
-k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o=
-k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68=
-k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.4.0 h1:lCJCxf/LIowc2IGS9TPjWDyXY4nOmdGdfcwwDQCOURQ=
-k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
-k8s.io/utils v0.0.0-20190221042446-c2654d5206da h1:ElyM7RPonbKnQqOcw7dG2IK5uvQQn3b/WPHqD5mBvP4=
-k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.18.5 h1:fKbCxr+U3fu7k6jB+QeYPD/c6xKYeSJ2KVWmyUypuWM=
+k8s.io/api v0.18.5/go.mod h1:tN+e/2nbdGKOAH55NMV8oGrMG+3uRlA9GaRfvnCCSNk=
+k8s.io/apimachinery v0.18.5 h1:Lh6tgsM9FMkC12K5T5QjRm7rDs6aQN5JHkA0JomULDM=
+k8s.io/apimachinery v0.18.5/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
+k8s.io/client-go v0.18.5 h1:cLhGZdOmyPhwtt20Lrb7uAqxxB1uvY+NTmNJvno1oKA=
+k8s.io/client-go v0.18.5/go.mod h1:EsiD+7Fx+bRckKWZXnAXRKKetm1WuzPagH4iOSC8x58=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
+k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU=
+k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/integration_test/credetial_plugin_test.go
+++ b/integration_test/credetial_plugin_test.go
@@ -0,0 +1,389 @@
+package integration_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+)
+
+// Run the integration tests of the credential plugin use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the output.
+//
+func TestCredentialPlugin(t *testing.T) {
+	timeout := 3 * time.Second
+	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
+	tokenCacheDir, err := ioutil.TempDir("", "kube")
+	if err != nil {
+		t.Fatalf("could not create a cache dir: %s", err)
+	}
+	defer func() {
+		if err := os.RemoveAll(tokenCacheDir); err != nil {
+			t.Errorf("could not clean up the cache dir: %s", err)
+		}
+	}()
+
+	for name, tc := range map[string]struct {
+		keyPair keypair.KeyPair
+		args    []string
+	}{
+		"NoTLS": {},
+		"TLS": {
+			keyPair: keypair.Server,
+			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Run("AuthCode", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				var stdout bytes.Buffer
+				runGetToken(t, ctx, getTokenConfig{
+					tokenCacheDir: tokenCacheDir,
+					issuerURL:     sv.IssuerURL(),
+					httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+					now:           now,
+					stdout:        &stdout,
+					args:          tc.args,
+				})
+				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+			})
+
+			t.Run("ROPC", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+						Username:          "USER1",
+						Password:          "PASS1",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				var stdout bytes.Buffer
+				runGetToken(t, ctx, getTokenConfig{
+					tokenCacheDir: tokenCacheDir,
+					issuerURL:     sv.IssuerURL(),
+					httpDriver:    httpdriver.Zero(t),
+					now:           now,
+					stdout:        &stdout,
+					args: append([]string{
+						"--username", "USER1",
+						"--password", "PASS1",
+					}, tc.args...),
+				})
+				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+			})
+
+			t.Run("TokenCacheLifecycle", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				defer sv.Shutdown(t, ctx)
+
+				t.Run("NoCache", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_1",
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						now:           now,
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				})
+				t.Run("Valid", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.Zero(t),
+						now:           now,
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				})
+				t.Run("Refresh", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_1",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(3 * time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_2",
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						now:           now.Add(2 * time.Hour),
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
+				})
+				t.Run("RefreshAgain", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_2",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(5 * time.Hour),
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						now:           now.Add(4 * time.Hour),
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(5*time.Hour))
+				})
+			})
+		})
+	}
+
+	t.Run("PKCE", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, nil),
+			now:           now,
+			stdout:        &stdout,
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("TLSData", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, keypair.Server.TLSConfig),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "email profile openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, nil),
+			now:           now,
+			stdout:        &stdout,
+			args: []string{
+				"--oidc-extra-scope", "email",
+				"--oidc-extra-scope", "profile",
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("RedirectURLHostname", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://127.0.0.1:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, nil),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("ExtraParams", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+				ExtraParams: map[string]string{
+					"ttl":    "86400",
+					"reauth": "false",
+				},
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, nil),
+			now:           now,
+			stdout:        &stdout,
+			args: []string{
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=false",
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+}
+
+type getTokenConfig struct {
+	tokenCacheDir string
+	issuerURL     string
+	httpDriver    browser.Interface
+	stdout        io.Writer
+	now           time.Time
+	args          []string
+}
+
+func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
+	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, cfg.stdout, logger.New(t), cfg.httpDriver)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"get-token",
+		"--token-cache-dir", cfg.tokenCacheDir,
+		"--oidc-issuer-url", cfg.issuerURL,
+		"--oidc-client-id", "kubernetes",
+		"--listen-address", "127.0.0.1:0",
+	}, cfg.args...), "latest")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+func assertCredentialPluginStdout(t *testing.T, stdout io.Reader, token string, expiry time.Time) {
+	var got clientauthenticationv1beta1.ExecCredential
+	if err := json.NewDecoder(stdout).Decode(&got); err != nil {
+		t.Errorf("could not decode json of the credential plugin: %s", err)
+		return
+	}
+	want := clientauthenticationv1beta1.ExecCredential{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "client.authentication.k8s.io/v1beta1",
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+			Token:               token,
+			ExpirationTimestamp: &metav1.Time{Time: expiry},
+		},
+	}
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
+	}
+}
--- a/integration_test/httpdriver/http_driver.go
+++ b/integration_test/httpdriver/http_driver.go
@@ -0,0 +1,54 @@
+// Package httpdriver provides a test double of the browser.
+package httpdriver
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+	"testing"
+)
+
+// New returns a client to simulate browser access.
+func New(ctx context.Context, t *testing.T, tlsConfig *tls.Config) *client {
+	return &client{ctx, t, tlsConfig}
+}
+
+// Zero returns a client which call is not expected.
+func Zero(t *testing.T) *zeroClient {
+	return &zeroClient{t}
+}
+
+type client struct {
+	ctx       context.Context
+	t         *testing.T
+	tlsConfig *tls.Config
+}
+
+func (c *client) Open(url string) error {
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.tlsConfig}}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		c.t.Errorf("could not create a request: %s", err)
+		return nil
+	}
+	req = req.WithContext(c.ctx)
+	resp, err := client.Do(req)
+	if err != nil {
+		c.t.Errorf("could not send a request: %s", err)
+		return nil
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+	}
+	return nil
+}
+
+type zeroClient struct {
+	t *testing.T
+}
+
+func (c *zeroClient) Open(url string) error {
+	c.t.Errorf("unexpected function call Open(%s)", url)
+	return nil
+}
--- a/integration_test/keypair/keypair.go
+++ b/integration_test/keypair/keypair.go
@@ -0,0 +1,62 @@
+package keypair
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+)
+
+// KeyPair represents a pair of certificate and key.
+type KeyPair struct {
+	CertPath     string
+	KeyPath      string
+	CACertPath   string
+	CACertBase64 string
+	TLSConfig    *tls.Config
+}
+
+// None represents non-TLS.
+var None KeyPair
+
+// Server is a KeyPair for TLS server.
+// These files should be generated by Makefile before test.
+var Server = KeyPair{
+	CertPath:     "keypair/testdata/server.crt",
+	KeyPath:      "keypair/testdata/server.key",
+	CACertPath:   "keypair/testdata/ca.crt",
+	CACertBase64: readAsBase64("keypair/testdata/ca.crt"),
+	TLSConfig:    newTLSConfig("keypair/testdata/ca.crt"),
+}
+
+func readAsBase64(name string) string {
+	f, err := os.Open(name)
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+	var s strings.Builder
+	e := base64.NewEncoder(base64.StdEncoding, &s)
+	if _, err := io.Copy(e, f); err != nil {
+		panic(err)
+	}
+	if err := e.Close(); err != nil {
+		panic(err)
+	}
+	return s.String()
+}
+
+func newTLSConfig(name string) *tls.Config {
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		panic(err)
+	}
+	p := x509.NewCertPool()
+	if !p.AppendCertsFromPEM(b) {
+		panic("could not append the CA cert")
+	}
+	return &tls.Config{RootCAs: p}
+}
--- a/integration_test/keypair/testdata/Makefile
+++ b/integration_test/keypair/testdata/Makefile
@@ -0,0 +1,26 @@
+EXPIRY := 3650
+OUTPUT_DIR := testdata
+TARGETS := ca.key
+TARGETS += ca.crt
+TARGETS += server.key
+TARGETS += server.crt
+
+.PHONY: all
+all: $(TARGETS)
+
+ca.key:
+	openssl genrsa -out $@ 2048
+ca.csr: ca.key
+	openssl req -new -key ca.key -out $@ -subj "/CN=hello-ca" -config openssl.cnf
+ca.crt: ca.key ca.csr
+	openssl x509 -req -in ca.csr -signkey ca.key -out $@ -days $(EXPIRY)
+server.key:
+	openssl genrsa -out $@ 2048
+server.csr: openssl.cnf server.key
+	openssl req -new -key server.key -out $@ -subj "/CN=localhost" -config openssl.cnf
+server.crt: openssl.cnf server.csr ca.crt ca.key
+	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $@ -sha256 -days $(EXPIRY) -extensions v3_req -extfile openssl.cnf
+
+.PHONY: clean
+clean:
+	-rm -v $(TARGETS)
--- a/integration_test/keypair/testdata/ca.crt
+++ b/integration_test/keypair/testdata/ca.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICojCCAYoCCQCNsdXicWqF2DANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAho
+ZWxsby1jYTAeFw0yMDAyMDYwMTMzMzNaFw0zMDAyMDMwMTMzMzNaMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxcPN
+dS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs+3WZQpsSj5nC4yEx8uPQ
+bTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZAiT0pJw8hdypTQyMLbeDr
+Vl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY4KENHFE3OAcD58FMvvrh
+vgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIsvFE6zSyAxU55RElph7mE
+ru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9zavFkGx2MEwDp/3FmUukR
+yJnS2KnAo0QdBeS1LQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAXGfoDwuKY4TyF
+fhKg553Y5I6VDCDc97jyW9yyfc0kvPjQc4EGQV+1eQqMSeh2THpgEEKk9hH/g35a
+grPRcBTsEWpbQd16yWyulQeyOtPeWZB2FvAigMaAdMmeXlTs6++gJ6PjPuACa2Jl
+nJ/AjCqKFxkn0yEVkPTY0c/I9A12xhCmATqIrQiK1pPowiFxQb4M8Cm0z0AkaJZr
+iW0NCOJlLzBqRpFquL4umNaIsxTmOshfM70NpQGRjKREBuK6S0qWsRR0wz4b9Rvi
+62qW4zU94q2EDIoCItjHP4twGENXJDC0vLCsKfA5AvbPzszd5/4ifYe2C00Rn7/O
+lIxrspMm
+-----END CERTIFICATE-----
--- a/integration_test/keypair/testdata/ca.csr
+++ b/integration_test/keypair/testdata/ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrDCCAZQCAQAwEzERMA8GA1UEAwwIaGVsbG8tY2EwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDFw811LzwHp7CpWf+b3I7vg4sjA2uoxyLyXuiU/1eV
+wmHFRmz7dZlCmxKPmcLjITHy49BtO0EqdddUN77yTs6wtOu6736KxNpiTij9Nlu7
+D83fVkCJPSknDyF3KlNDIwtt4OtWXhtut9tjLDHfQPKsfFSSDM5azjn1TBzXBa7R
+bszbUZjgoQ0cUTc4BwPnwUy++uG+CSyUBPDBbgzZS1dQUnxceHbqD8njnQNTaDA3
+GlxJ0iy8UTrNLIDFTnlESWmHuYSu71w1YBiEJFm+VlDZWUfsLolDdIfID1FmYFs+
+leG2X3Nq8WQbHYwTAOn/cWZS6RHImdLYqcCjRB0F5LUtAgMBAAGgVDBSBgkqhkiG
+9w0BCQ4xRTBDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBQGA1UdEQQNMAuCCWxv
+Y2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEA
+o/Uthp3NWx0ydTn/GBZI+vA3gI7Qd9UwLvwkeinldRlPM9DOXpG6LR0C40f6u+fj
+mXvUDerveYJI8rpo+Ds0UVqy63AH/zZLG7M96L5Nv2KnK40bkfVNez858Yqp1u17
+/ci1ZsQIElU5v2qKozaHdQThDVtD5ZZdZoQwLvBLE/Dwpe/4VZZFh8smPMR+Mhcq
+b7gpSy1RiUffk0ZMjuF9Nc9OODdQMTCf+86i0qWXGVzkhfHKAGv+xarHEztcmxF
+GUgUYW8DMvYBjEzaGRM1n0aIFkQO6y8SUXvGMIGBSMC4jfBH3ghIXg1+nD6Uah4D
+16r+CLjFsDUdn/DK/fIQVw==
+-----END CERTIFICATE REQUEST-----
--- a/integration_test/keypair/testdata/ca.key
+++ b/integration_test/keypair/testdata/ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxcPNdS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs
+3WZQpsSj5nC4yEx8uPQbTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZA
+iT0pJw8hdypTQyMLbeDrVl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY
+4KENHFE3OAcD58FMvvrhvgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIs
+vFE6zSyAxU55RElph7mEru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9z
+avFkGx2MEwDp/3FmUukRyJnS2KnAo0QdBeS1LQIDAQABAoIBAHSoWtMsaMnPNlu/
+thM32K0auIGP6/rkdQ3pxGLX+M9jmY7oSzNOHHj4xssklZyroS45CmLU2Ez2tG1+
+cMm4iR4dqwxbaBbtpjDlEDLF1PiUiwmadHlANb1PpJsJwZHR41UOn2QUITR/ig+H
+K2gZhM0QjkaU/Uj9a5zyJ/UC6iupmgCtj8ij65B49qKMODxV4gqZstRSZiJ3gb6R
+TBeR3PUWQS62MZueEQz2eF0eXkXKsFWcbLfHArjfIJ533zW68A0vabgqOhCwJTks
+rkyaKUjEwJJQcgpCfUI4t9HAwICqYtw0fQdDDaMak2XTDFnGHn1/VfSi818U5Sa
+jZ+/uIECgYEA4uCd5ISsLWebSv2r5f97N8+WcW0MSJ0XP5MniiMvlaNOtJmoN3H0
+PlgR3uwpH9TNWHITZEEb/I93r2E3f24v2018g0uJuwiRDusxHs7yuxw/93Y5rwtG
+3twL1k0GyeLCxfM2y2QQU/awXISx7nNk2f0umvTWmjrEw632oQSWCSECgYEA3yaF
+zDk7k1u1GdZAh+pQAyUtjzHSvQjiE2JzLaH8BTorACrczRascX5yyMi0QfLYnoYt
+UL9dCb4Z8HUclj55kBSx8anvVtf3XAT3hZ3sm8LV3JLGDeURGS8rGdV+tyFk7zw9
+XgvaLj3xjB5CoJvtOhbXvqF9M9yp4TMBb5El7o0CgYBTx5Bm15thNPZCrgQxbbOJ
+u42ZmyRDGEeCgYvDVhT3VBP3WxqkRt9juk/3GwxgpcuikpWYmvaDwFL5H5RH6V+g
+wy9sqJNWzuYKNU2xS8iU0ezJLA5HFon4OBfi7hTIroUwZgzg9LWW2+zqbVHrdQ9T
+9Eumiy1ITNVmUTJW6YOiIQKBgBE4BsEAdZFkVTAeMTKLqQrlFoPjI1DE27UFNsAB
+rNG2cFT9+bW1ly7WxAKsQgSIuaBZ2CtP6Nz0l0nPr5oEThsJDcYJB9faqFKoa3Ua
+/4PxX9E6Xh/6WfxogFno+HMnF4PCUTXtkjNZQkc+moOMJJ0D4DfsfB3BXDZtWiIC
+wDuNAoGBAN5ZFTXwE1VpWxIWq5dV9+0aVOP/eB+h7Pt+u2xyRip31FGcpGEzGniu
+VmOzWApW7NmvD0QWtstJWlCpsw+rOptAL0oVunlB70KuYuA+2Q5g/Cw3kUrvXqbe
+mkCoV21eFAmpU+I6z/n7pUDXPuUsmTkzmwedv0HUuNSQJmHZOMPD
+-----END RSA PRIVATE KEY-----
--- a/integration_test/keypair/testdata/ca.srl
+++ b/integration_test/keypair/testdata/ca.srl
@@ -0,0 +1 @@
+9E12C7A1AF348811
--- a/integration_test/keypair/testdata/openssl.cnf
+++ b/integration_test/keypair/testdata/openssl.cnf
@@ -0,0 +1,14 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = localhost
--- a/integration_test/keypair/testdata/server.crt
+++ b/integration_test/keypair/testdata/server.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIJAJ4Sx6GvNIgRMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMB4XDTIwMDIwNjAxMzMzM1oXDTMwMDIwMzAxMzMzM1owFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLtJr+/AxI8k5Er
+MFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0XK41ZSbDAchbW
+349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92+TzrrlbkZ5+W
+YVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzXfVUpxJ/DYLXZ
+yHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Nggn6XJNh/g1QK
+o4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABo0UwQzAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DAUBgNVHREEDTALgglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBACqlq8b7trNRtKUm1PbY7dnrAFCOnV4OT2R98s17
+Q6tmCXM1DvQ101W0ih/lh6iPyU4JM2A0kvO+gizuL/Dmvb6oh+3ox0mMLposptso
+gCE1K3SXlvlcLdM6hXRJ5+XwlSCHM6o2Y4yABnKjT6Zr+CMh86a5abDx33hkJ4QR
+6I+/iBHVLiCVv0wUF3jD/T+HxinEQrB4cQsSgKmfPClrc8n7rkWWE+MdwEL4VZCH
+ufabw178aYibVvJ8k3rushjLlftkDyCNno2rz8YWrnaxabVR0EqSPInyYQenmv2r
+/CedVKpmdH2RV8ubkwqa0s6cmpRkyu6FS2g3LviJhmm0nwQ=
+-----END CERTIFICATE-----
--- a/integration_test/keypair/testdata/server.csr
+++ b/integration_test/keypair/testdata/server.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrTCCAZUCAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F
+7yVyphLtJr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4
+TKyVaU0XK41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTk
+C3gSVF92+TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDg
+kGuwwhzXfVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV
+2ovP0Nggn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABoFQwUgYJKoZI
+hvcNAQkOMUUwQzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAUBgNVHREEDTALggls
+b2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEB
+ACUQ0j3XuUZY3fso5tEgOGVjVsTU+C4pIsEw3e1KyIB93i56ANKaq1uBLtnlWtYi
+R4RxZ3Sf08GzoEHAHpWoQ4BQ3WGDQjxSdezbudWMuNnNyvyhkh36tmmp/PLA4iZD
+Q/d1odzGWg1HMqY0/Q3hfz40MQ9IEBBm+5zKw3tLsKNIKdSdlY7Ul3Z9PUsqsOVW
+uF0LKsTMEh1CpbYnOBS2EQjComVM5kYfdQwDNh+BMok8rH7mHFYRmrwYUrU9njsM
+eoKqhLkoSu6hw1Cgd9Yru5lC541KfxsSN4Cj6rkm+Qv/5zjvIPxYZ+akSQQR9hR3
+2O9THHKqaQS0xmD+y8NjfYk=
+-----END CERTIFICATE REQUEST-----
--- a/integration_test/keypair/testdata/server.key
+++ b/integration_test/keypair/testdata/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLt
+Jr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0X
+K41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92
+TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzX
+fVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Ng
+gn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABAoIBAEYvWFb4C0wurOj2
+ABrvhP2Ekaesh4kxMp+zgTlqxzsTJnWarS/gjKcPBm9KJon3La3P3tnd7y3pBXcV
+2F0IBl4DTHRpBTUS6HBVnENc8LnJgK2dHZkOLPyYtRLrA0Et+A73PQ2hNmchC+5V
+b9K9oQH0Pvim1gCHocnrSIi480hQPazO9/gnHvFtu9Tdsx9kM9jgChhh5VaR+nzM
+uw6MpUSzCri3/W6K5Hz8F1lLQcZ6o3vyyFtLPjFrWT4J1UiHqAoxuCGeWTvMbGQl
+9Cg0SMX4FLBpbIoMonhM3hb9Cw3FVRGU/1i4oF+gEIGlX/v9CPT5HAZmD59rawc8
+11x7yTECgYEA8EYVGKauLHeI1nJdCoVrWI73W1wtwt6prJbzltpoAR4tb3Qu6gBX
+JQNd+Ifhl28lK6lPnCGk/SsmfiKSp/XE4IyS1GBd2LpxWj5R50GePCg4hAzk9Xyx
+M9SJAFQw73pODgu4RWFXTCOMo9crahJ6X/O+MckHqbFqqohJ8nChGDkCgYEA6oro
+Ql/ymO7UdYCay7OlzKeg8ud6XgkZ+wkpSG/5TQ0QZWVN3aSOLztEdVfh3PAqWob0
+KgVhLmq6CYwq+HSzU92bvFqCgYUMU8tYzeRboGLxyEdAGL+EW0j8wQyZKYR5cNz4
+yM0hpM6kbJ0zZqkYVM/XfRT2RTGwTMakF/FOHZcCgYEAmf4guTriuIcoAWEstniK
+Myj16ezrO1Df6Eia+B0kuUqxDhSlmL39HDDLQmU8NYU7in8qEcQSbVwBgKgB3HoM
+42nVFR5qJ2RfD9qPPar1klKo3iExgRCYtcJKyBYtgt6dNi1WvcjEXX0PP1bBcWtE
+WUjrphbUvXKDDabp1eNPrCkCgYBOw/F2APTeyS4Oe+8AQ8eFcDIMARLGK7ZO6Oe1
+TO1jI+UCuD+rFI0vbW7zHV1brkf6+OFcj0vwo6TweeMgZ0il/IFFgvva9UyLg3nC
+Q1NGDJR4Fv1+kiqn4V4IkuuI1tVVws/F16XZzA/J7g0KB/WE3fvXJMgDuskjL36C
+D+aU5wKBgQCvEg+mJYny1QiR/mQuowX34xf4CkMl7Xq9YDH7W/3AlwuPrPNHaZjh
+SvSCz9I8vV0E4ur6atazgCblnvA/G3d4r8YYx+e1l30WJHMgoZRxxHMH74tmUPAj
+Klic16BJikSQclMeFdlJqf2UHd37eEuYnxorpep8YGP7/eN1ghHWAw==
+-----END RSA PRIVATE KEY-----
--- a/integration_test/kubeconfig/kubeconfig.go
+++ b/integration_test/kubeconfig/kubeconfig.go
--- a/integration_test/kubeconfig/testdata/dummy.yaml
+++ b/integration_test/kubeconfig/testdata/dummy.yaml
--- a/integration_test/kubeconfig/testdata/kubeconfig.yaml
+++ b/integration_test/kubeconfig/testdata/kubeconfig.yaml
--- a/integration_test/oidcserver/handler/handler.go
+++ b/integration_test/oidcserver/handler/handler.go
@@ -1,5 +1,5 @@
-// Package idp provides a test double of the identity provider of OpenID Connect.
-package idp
+// Package handler provides a HTTP handler for the OpenID Connect Provider.
+package handler

 import (
 	"encoding/json"
@@ -10,16 +10,16 @@ import (
 	"golang.org/x/xerrors"
 )

-func NewHandler(t *testing.T, service Service) *Handler {
-	return &Handler{t, service}
+func New(t *testing.T, provider Provider) *Handler {
+	return &Handler{t, provider}
 }

-// Handler provides a HTTP handler for the identity provider of OpenID Connect.
-// You need to implement the Service interface.
+// Handler provides a HTTP handler for the OpenID Connect Provider.
+// You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
 type Handler struct {
-	t       *testing.T
-	service Service
+	t        *testing.T
+	provider Provider
 }

 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -58,25 +58,31 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 	p := r.URL.Path
 	switch {
 	case m == "GET" && p == "/.well-known/openid-configuration":
-		discoveryResponse := h.service.Discovery()
+		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
 			return xerrors.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/certs":
-		certificatesResponse := h.service.GetCertificates()
+		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
 			return xerrors.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/auth":
-		// 3.1.2.1. Authentication Request
-		// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 		q := r.URL.Query()
-		redirectURI, scope, state, nonce := q.Get("redirect_uri"), q.Get("scope"), q.Get("state"), q.Get("nonce")
-		code, err := h.service.AuthenticateCode(scope, nonce)
+		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
+		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+			RedirectURI:         redirectURI,
+			State:               state,
+			Scope:               q.Get("scope"),
+			Nonce:               q.Get("nonce"),
+			CodeChallenge:       q.Get("code_challenge"),
+			CodeChallengeMethod: q.Get("code_challenge_method"),
+			RawQuery:            q,
+		})
 		if err != nil {
 			return xerrors.Errorf("authentication error: %w", err)
 		}
@@ -89,10 +95,10 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
 		case "authorization_code":
-			// 3.1.3.1. Token Request
-			// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
-			code := r.Form.Get("code")
-			tokenResponse, err := h.service.Exchange(code)
+			tokenResponse, err := h.provider.Exchange(TokenRequest{
+				Code:         r.Form.Get("code"),
+				CodeVerifier: r.Form.Get("code_verifier"),
+			})
 			if err != nil {
 				return xerrors.Errorf("token request error: %w", err)
 			}
@@ -105,7 +111,7 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			// 4.3. Resource Owner Password Credentials Grant
 			// https://tools.ietf.org/html/rfc6749#section-4.3
 			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
-			tokenResponse, err := h.service.AuthenticatePassword(username, password, scope)
+			tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
 			if err != nil {
 				return xerrors.Errorf("authentication error: %w", err)
 			}
@@ -118,7 +124,7 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			// 12.1. Refresh Request
 			// https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
 			refreshToken := r.Form.Get("refresh_token")
-			tokenResponse, err := h.service.Refresh(refreshToken)
+			tokenResponse, err := h.provider.Refresh(refreshToken)
 			if err != nil {
 				return xerrors.Errorf("token refresh error: %w", err)
 			}
--- a/integration_test/oidcserver/handler/types.go
+++ b/integration_test/oidcserver/handler/types.go
@@ -1,23 +1,19 @@
-package idp
-
-//go:generate mockgen -destination mock_idp/mock_service.go github.com/int128/kubelogin/e2e_test/idp Service
+package handler

 import (
-	"crypto/rsa"
-	"encoding/base64"
 	"fmt"
-	"math/big"
+	"net/url"
 )

-// Service provides discovery and authentication methods.
+// Provider provides discovery and authentication methods.
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
-type Service interface {
+type Provider interface {
 	Discovery() *DiscoveryResponse
 	GetCertificates() *CertificatesResponse
-	AuthenticateCode(scope, nonce string) (code string, err error)
-	Exchange(code string) (*TokenResponse, error)
+	AuthenticateCode(req AuthenticationRequest) (code string, err error)
+	Exchange(req TokenRequest) (*TokenResponse, error)
 	AuthenticatePassword(username, password, scope string) (*TokenResponse, error)
 	Refresh(refreshToken string) (*TokenResponse, error)
 }
@@ -38,26 +34,6 @@ type DiscoveryResponse struct {
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
 }

-// NewDiscoveryResponse returns a DiscoveryResponse for the local server.
-// This is based on https://accounts.google.com/.well-known/openid-configuration.
-func NewDiscoveryResponse(issuer string) *DiscoveryResponse {
-	return &DiscoveryResponse{
-		Issuer:                            issuer,
-		AuthorizationEndpoint:             issuer + "/auth",
-		TokenEndpoint:                     issuer + "/token",
-		JwksURI:                           issuer + "/certs",
-		UserinfoEndpoint:                  issuer + "/userinfo",
-		RevocationEndpoint:                issuer + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     []string{"plain", "S256"},
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
 type CertificatesResponse struct {
 	Keys []*CertificatesResponseKey `json:"keys"`
 }
@@ -71,21 +47,23 @@ type CertificatesResponseKey struct {
 	E   string `json:"e"`
 }

-// NewCertificatesResponse returns a CertificatesResponse using the key pair.
-// This is used for verifying a signature of ID token.
-func NewCertificatesResponse(idTokenKeyPair *rsa.PrivateKey) *CertificatesResponse {
-	return &CertificatesResponse{
-		Keys: []*CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
+// AuthenticationRequest represents a type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+type AuthenticationRequest struct {
+	RedirectURI         string
+	State               string
+	Scope               string // space separated string
+	Nonce               string
+	CodeChallenge       string
+	CodeChallengeMethod string
+	RawQuery            url.Values
+}
+
+// TokenRequest represents a type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+type TokenRequest struct {
+	Code         string
+	CodeVerifier string
 }

 type TokenResponse struct {
@@ -96,17 +74,6 @@ type TokenResponse struct {
 	IDToken      string `json:"id_token"`
 }

-// NewTokenResponse returns a TokenResponse.
-func NewTokenResponse(idToken, refreshToken string) *TokenResponse {
-	return &TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		IDToken:      idToken,
-		RefreshToken: refreshToken,
-	}
-}
-
 // ErrorResponse represents an error response described in the following section:
 // 5.2 Error Response
 // https://tools.ietf.org/html/rfc6749#section-5.2
--- a/integration_test/oidcserver/http/http.go
+++ b/integration_test/oidcserver/http/http.go
@@ -1,13 +1,13 @@
-// Package localserver provides a http server running on localhost.
-// This is only for testing.
-//
-package localserver
+// Package http provides a http server running on localhost for testing.
+package http

 import (
 	"context"
 	"net"
 	"net/http"
 	"testing"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
 )

 type Shutdowner interface {
@@ -15,20 +15,23 @@ type Shutdowner interface {
 }

 type shutdowner struct {
-	l net.Listener
 	s *http.Server
 }

 func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
-	// s.Shutdown() closes the lister as well,
-	// so we do not need to call l.Close() explicitly
 	if err := s.s.Shutdown(ctx); err != nil {
-		t.Errorf("Could not shutdown the server: %s", err)
+		t.Errorf("could not shutdown the server: %s", err)
 	}
 }

-// Start starts an authentication server.
-func Start(t *testing.T, h http.Handler) (string, Shutdowner) {
+func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
+	if k == keypair.None {
+		return startNoTLS(t, h)
+	}
+	return startTLS(t, h, k)
+}
+
+func startNoTLS(t *testing.T, h http.Handler) (string, *shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "http://localhost:" + port
@@ -41,11 +44,10 @@ func Start(t *testing.T, h http.Handler) (string, Shutdowner) {
 			t.Error(err)
 		}
 	}()
-	return url, &shutdowner{l, s}
+	return url, &shutdowner{s}
 }

-// Start starts an authentication server with TLS.
-func StartTLS(t *testing.T, cert string, key string, h http.Handler) (string, Shutdowner) {
+func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, *shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "https://localhost:" + port
@@ -53,12 +55,12 @@ func StartTLS(t *testing.T, cert string, key string, h http.Handler) (string, Sh
 		Handler: h,
 	}
 	go func() {
-		err := s.ServeTLS(l, cert, key)
+		err := s.ServeTLS(l, k.CertPath, k.KeyPath)
 		if err != nil && err != http.ErrServerClosed {
 			t.Error(err)
 		}
 	}()
-	return url, &shutdowner{l, s}
+	return url, &shutdowner{s}
 }

 func newLocalhostListener(t *testing.T) (net.Listener, string) {
--- a/integration_test/oidcserver/server.go
+++ b/integration_test/oidcserver/server.go
@@ -0,0 +1,217 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/http"
+	"github.com/int128/kubelogin/pkg/testing/jwt"
+	"golang.org/x/xerrors"
+)
+
+type Server interface {
+	http.Shutdowner
+	IssuerURL() string
+	SetConfig(Config)
+	LastTokenResponse() *handler.TokenResponse
+}
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string            // optional
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string   // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string // optional
+}
+
+// Config represents a configuration of the OpenID Connect provider.
+type Config struct {
+	Want     Want
+	Response Response
+}
+
+// New starts a HTTP server for the OpenID Connect provider.
+func New(t *testing.T, k keypair.KeyPair, c Config) Server {
+	sv := server{Config: c, t: t}
+	sv.issuerURL, sv.Shutdowner = http.Start(t, handler.New(t, &sv), k)
+	return &sv
+}
+
+type server struct {
+	Config
+	http.Shutdowner
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *handler.AuthenticationRequest
+	lastTokenResponse         *handler.TokenResponse
+}
+
+func (sv *server) IssuerURL() string {
+	return sv.issuerURL
+}
+
+func (sv *server) SetConfig(cfg Config) {
+	sv.Config = cfg
+}
+
+func (sv *server) LastTokenResponse() *handler.TokenResponse {
+	return sv.lastTokenResponse
+}
+
+func (sv *server) Discovery() *handler.DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &handler.DiscoveryResponse{
+		Issuer:                            sv.issuerURL,
+		AuthorizationEndpoint:             sv.issuerURL + "/auth",
+		TokenEndpoint:                     sv.issuerURL + "/token",
+		JwksURI:                           sv.issuerURL + "/certs",
+		UserinfoEndpoint:                  sv.issuerURL + "/userinfo",
+		RevocationEndpoint:                sv.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     sv.Config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (sv *server) GetCertificates() *handler.CertificatesResponse {
+	idTokenKeyPair := jwt.PrivateKey
+	return &handler.CertificatesResponse{
+		Keys: []*handler.CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
+	if req.Scope != sv.Want.Scope {
+		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
+		sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
+		sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
+	}
+	for k, v := range sv.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	sv.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, xerrors.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != sv.lastAuthenticationRequest.CodeChallenge {
+			sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &handler.TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: sv.Response.RefreshToken,
+		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
+			claims.Issuer = sv.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
+			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = sv.lastAuthenticationRequest.Nonce
+		}),
+	}
+	sv.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
+	if scope != sv.Want.Scope {
+		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
+	}
+	if username != sv.Want.Username {
+		sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
+	}
+	if password != sv.Want.Password {
+		sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
+	}
+	resp := &handler.TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: sv.Response.RefreshToken,
+		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
+			claims.Issuer = sv.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
+			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	sv.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
+	if refreshToken != sv.Want.RefreshToken {
+		sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
+	}
+	if sv.Response.RefreshError != "" {
+		return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
+	}
+	resp := &handler.TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: sv.Response.RefreshToken,
+		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
+			claims.Issuer = sv.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
+			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	sv.lastTokenResponse = resp
+	return resp, nil
+}
--- a/integration_test/standalone_test.go
+++ b/integration_test/standalone_test.go
@@ -0,0 +1,329 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/kubeconfig"
+	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+// Run the integration tests of the Login use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the kubeconfig.
+//
+func TestStandalone(t *testing.T) {
+	timeout := 3 * time.Second
+	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
+
+	for name, tc := range map[string]struct {
+		keyPair keypair.KeyPair
+		args    []string
+	}{
+		"NoTLS": {},
+		"TLS": {
+			keyPair: keypair.Server,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			t.Run("AuthCode", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				defer os.Remove(kubeConfigFilename)
+				runStandalone(t, ctx, standaloneConfig{
+					issuerURL:          sv.IssuerURL(),
+					kubeConfigFilename: kubeConfigFilename,
+					httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+					now:                now,
+				})
+				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+					IDToken:      sv.LastTokenResponse().IDToken,
+					RefreshToken: sv.LastTokenResponse().RefreshToken,
+				})
+			})
+
+			t.Run("ROPC", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+						Username:          "USER1",
+						Password:          "PASS1",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				defer os.Remove(kubeConfigFilename)
+				runStandalone(t, ctx, standaloneConfig{
+					issuerURL:          sv.IssuerURL(),
+					kubeConfigFilename: kubeConfigFilename,
+					httpDriver:         httpdriver.Zero(t),
+					now:                now,
+					args: []string{
+						"--username", "USER1",
+						"--password", "PASS1",
+					},
+				})
+				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+					IDToken:      sv.LastTokenResponse().IDToken,
+					RefreshToken: sv.LastTokenResponse().RefreshToken,
+				})
+			})
+
+			t.Run("TokenLifecycle", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				defer sv.Shutdown(t, ctx)
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				defer os.Remove(kubeConfigFilename)
+
+				t.Run("NoToken", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_1",
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						now:                now,
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_1",
+					})
+				})
+				t.Run("Valid", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.Zero(t),
+						now:                now,
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_1",
+					})
+				})
+				t.Run("Refresh", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_1",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(3 * time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_2",
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						now:                now.Add(2 * time.Hour),
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_2",
+					})
+				})
+				t.Run("RefreshAgain", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_2",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(5 * time.Hour),
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						now:                now.Add(4 * time.Hour),
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_2",
+					})
+				})
+			})
+		})
+	}
+
+	t.Run("TLSData", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                      sv.IssuerURL(),
+			IDPCertificateAuthorityData: keypair.Server.CACertBase64,
+		})
+		defer os.Remove(kubeConfigFilename)
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:          sv.IssuerURL(),
+			kubeConfigFilename: kubeConfigFilename,
+			httpDriver:         httpdriver.New(ctx, t, keypair.Server.TLSConfig),
+			now:                now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+
+	t.Run("env_KUBECONFIG", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer: sv.IssuerURL(),
+		})
+		defer os.Remove(kubeConfigFilename)
+		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
+		defer unsetenv(t, "KUBECONFIG")
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:  sv.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, nil),
+			now:        now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "profile groups openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:      sv.IssuerURL(),
+			ExtraScopes: "profile,groups",
+		})
+		defer os.Remove(kubeConfigFilename)
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:          sv.IssuerURL(),
+			kubeConfigFilename: kubeConfigFilename,
+			httpDriver:         httpdriver.New(ctx, t, nil),
+			now:                now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+}
+
+type standaloneConfig struct {
+	issuerURL          string
+	kubeConfigFilename string
+	httpDriver         browser.Interface
+	now                time.Time
+	args               []string
+}
+
+func runStandalone(t *testing.T, ctx context.Context, cfg standaloneConfig) {
+	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, os.Stdout, logger.New(t), cfg.httpDriver)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"--kubeconfig", cfg.kubeConfigFilename,
+		"--listen-address", "127.0.0.1:0",
+	}, cfg.args...), "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+func setenv(t *testing.T, key, value string) {
+	t.Helper()
+	if err := os.Setenv(key, value); err != nil {
+		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
+	}
+}
+
+func unsetenv(t *testing.T, key string) {
+	t.Helper()
+	if err := os.Unsetenv(key); err != nil {
+		t.Fatalf("Could not unset the env var %s: %s", key, err)
+	}
+}
--- a/pkg/adaptors/browser/browser.go
+++ b/pkg/adaptors/browser/browser.go
@@ -0,0 +1,33 @@
+package browser
+
+import (
+	"os"
+
+	"github.com/google/wire"
+	"github.com/pkg/browser"
+)
+
+//go:generate mockgen -destination mock_browser/mock_browser.go github.com/int128/kubelogin/pkg/adaptors/browser Interface
+
+func init() {
+	// In credential plugin mode, some browser launcher writes a message to stdout
+	// and it may break the credential json for client-go.
+	// This prevents the browser launcher from breaking the credential json.
+	browser.Stdout = os.Stderr
+}
+
+var Set = wire.NewSet(
+	wire.Struct(new(Browser)),
+	wire.Bind(new(Interface), new(*Browser)),
+)
+
+type Interface interface {
+	Open(url string) error
+}
+
+type Browser struct{}
+
+// Open opens the default browser.
+func (*Browser) Open(url string) error {
+	return browser.OpenURL(url)
+}
--- a/pkg/adaptors/browser/mock_browser/mock_browser.go
+++ b/pkg/adaptors/browser/mock_browser/mock_browser.go
@@ -0,0 +1,47 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/browser (interfaces: Interface)
+
+// Package mock_browser is a generated GoMock package.
+package mock_browser
+
+import (
+	gomock "github.com/golang/mock/gomock"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Open mocks base method
+func (m *MockInterface) Open(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Open", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Open indicates an expected call of Open
+func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
+}
--- a/pkg/adaptors/certpool/cert.go
+++ b/pkg/adaptors/certpool/cert.go
@@ -0,0 +1,71 @@
+// Package certpool provides loading certificates from files or base64 encoded string.
+package certpool
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io/ioutil"
+
+	"github.com/google/wire"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool Interface
+
+// Set provides an implementation and interface.
+var Set = wire.NewSet(
+	wire.Value(NewFunc(New)),
+	wire.Struct(new(CertPool), "*"),
+	wire.Bind(new(Interface), new(*CertPool)),
+)
+
+type NewFunc func() Interface
+
+// New returns an instance which implements the Interface.
+func New() Interface {
+	return &CertPool{pool: x509.NewCertPool()}
+}
+
+type Interface interface {
+	AddFile(filename string) error
+	AddBase64Encoded(s string) error
+	SetRootCAs(cfg *tls.Config)
+}
+
+// CertPool represents a pool of certificates.
+type CertPool struct {
+	pool *x509.CertPool
+}
+
+// SetRootCAs sets cfg.RootCAs if it has any certificate.
+// Otherwise do nothing.
+func (p *CertPool) SetRootCAs(cfg *tls.Config) {
+	if len(p.pool.Subjects()) > 0 {
+		cfg.RootCAs = p.pool
+	}
+}
+
+// AddFile loads the certificate from the file.
+func (p *CertPool) AddFile(filename string) error {
+	b, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return xerrors.Errorf("could not read %s: %w", filename, err)
+	}
+	if !p.pool.AppendCertsFromPEM(b) {
+		return xerrors.Errorf("could not append certificate from %s", filename)
+	}
+	return nil
+}
+
+// AddBase64Encoded loads the certificate from the base64 encoded string.
+func (p *CertPool) AddBase64Encoded(s string) error {
+	b, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return xerrors.Errorf("could not decode base64: %w", err)
+	}
+	if !p.pool.AppendCertsFromPEM(b) {
+		return xerrors.Errorf("could not append certificate")
+	}
+	return nil
+}
--- a/pkg/adaptors/certpool/cert_test.go
+++ b/pkg/adaptors/certpool/cert_test.go
@@ -0,0 +1,58 @@
+package certpool
+
+import (
+	"crypto/tls"
+	"io/ioutil"
+	"testing"
+)
+
+func TestCertPool_AddFile(t *testing.T) {
+	t.Run("Valid", func(t *testing.T) {
+		p := New()
+		if err := p.AddFile("testdata/ca1.crt"); err != nil {
+			t.Errorf("AddFile error: %s", err)
+		}
+		var cfg tls.Config
+		p.SetRootCAs(&cfg)
+		if n := len(cfg.RootCAs.Subjects()); n != 1 {
+			t.Errorf("n wants 1 but was %d", n)
+		}
+	})
+	t.Run("Invalid", func(t *testing.T) {
+		p := New()
+		err := p.AddFile("testdata/Makefile")
+		if err == nil {
+			t.Errorf("AddFile wants an error but was nil")
+		}
+	})
+}
+
+func TestCertPool_AddBase64Encoded(t *testing.T) {
+	p := New()
+	if err := p.AddBase64Encoded(readFile(t, "testdata/ca2.crt.base64")); err != nil {
+		t.Errorf("AddBase64Encoded error: %s", err)
+	}
+	var cfg tls.Config
+	p.SetRootCAs(&cfg)
+	if n := len(cfg.RootCAs.Subjects()); n != 1 {
+		t.Errorf("n wants 1 but was %d", n)
+	}
+}
+
+func TestCertPool_SetRootCAs(t *testing.T) {
+	p := New()
+	var cfg tls.Config
+	p.SetRootCAs(&cfg)
+	if cfg.RootCAs != nil {
+		t.Errorf("cfg.RootCAs wants nil but was %+v", cfg.RootCAs)
+	}
+}
+
+func readFile(t *testing.T, filename string) string {
+	t.Helper()
+	b, err := ioutil.ReadFile(filename)
+	if err != nil {
+		t.Fatalf("ReadFile error: %s", err)
+	}
+	return string(b)
+}
--- a/pkg/adaptors/certpool/mock_certpool/mock_certpool.go
+++ b/pkg/adaptors/certpool/mock_certpool/mock_certpool.go
@@ -0,0 +1,74 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: Interface)
+
+// Package mock_certpool is a generated GoMock package.
+package mock_certpool
+
+import (
+	tls "crypto/tls"
+	gomock "github.com/golang/mock/gomock"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// AddBase64Encoded mocks base method
+func (m *MockInterface) AddBase64Encoded(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AddBase64Encoded", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AddBase64Encoded indicates an expected call of AddBase64Encoded
+func (mr *MockInterfaceMockRecorder) AddBase64Encoded(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddBase64Encoded", reflect.TypeOf((*MockInterface)(nil).AddBase64Encoded), arg0)
+}
+
+// AddFile mocks base method
+func (m *MockInterface) AddFile(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AddFile", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AddFile indicates an expected call of AddFile
+func (mr *MockInterfaceMockRecorder) AddFile(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFile", reflect.TypeOf((*MockInterface)(nil).AddFile), arg0)
+}
+
+// SetRootCAs mocks base method
+func (m *MockInterface) SetRootCAs(arg0 *tls.Config) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetRootCAs", arg0)
+}
+
+// SetRootCAs indicates an expected call of SetRootCAs
+func (mr *MockInterfaceMockRecorder) SetRootCAs(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRootCAs", reflect.TypeOf((*MockInterface)(nil).SetRootCAs), arg0)
+}
--- a/pkg/adaptors/certpool/testdata/Makefile
+++ b/pkg/adaptors/certpool/testdata/Makefile
--- a/pkg/adaptors/certpool/testdata/ca1.crt
+++ b/pkg/adaptors/certpool/testdata/ca1.crt
--- a/pkg/adaptors/certpool/testdata/ca1.crt.base64
+++ b/pkg/adaptors/certpool/testdata/ca1.crt.base64
--- a/pkg/adaptors/certpool/testdata/ca2.crt
+++ b/pkg/adaptors/certpool/testdata/ca2.crt
--- a/pkg/adaptors/certpool/testdata/ca2.crt.base64
+++ b/pkg/adaptors/certpool/testdata/ca2.crt.base64
--- a/pkg/adaptors/certpool/testdata/ca3.crt
+++ b/pkg/adaptors/certpool/testdata/ca3.crt
--- a/pkg/adaptors/certpool/testdata/ca3.crt.base64
+++ b/pkg/adaptors/certpool/testdata/ca3.crt.base64
--- a/pkg/adaptors/clock/clock.go
+++ b/pkg/adaptors/clock/clock.go
@@ -0,0 +1,24 @@
+// Package clock provides the system clock.
+package clock
+
+import (
+	"time"
+
+	"github.com/google/wire"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Real), "*"),
+	wire.Bind(new(Interface), new(*Real)),
+)
+
+type Interface interface {
+	Now() time.Time
+}
+
+type Real struct{}
+
+// Now returns the current time.
+func (c *Real) Now() time.Time {
+	return time.Now()
+}
--- a/pkg/adaptors/cmd/cmd.go
+++ b/pkg/adaptors/cmd/cmd.go
@@ -2,7 +2,7 @@ package cmd

 import (
 	"context"
-	"path/filepath"
+	"runtime"

 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
@@ -16,56 +16,50 @@ var Set = wire.NewSet(
 	wire.Bind(new(Interface), new(*Cmd)),
 	wire.Struct(new(Root), "*"),
 	wire.Struct(new(GetToken), "*"),
+	wire.Struct(new(Setup), "*"),
 )

 type Interface interface {
 	Run(ctx context.Context, args []string, version string) int
 }

-const examples = `  # Login to the provider using the authorization code flow.
-  %[1]s
-
-  # Login to the provider using the resource owner password credentials flow.
-  %[1]s --username USERNAME --password PASSWORD
-
-  # Run as a credential plugin.
-  %[1]s get-token --oidc-issuer-url=https://issuer.example.com`
-
-var defaultListenPort = []int{8000, 18000}
+var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
 var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"

 // Cmd provides interaction with command line interface (CLI).
 type Cmd struct {
 	Root     *Root
 	GetToken *GetToken
+	Setup    *Setup
 	Logger   logger.Interface
 }

 // Run parses the command line arguments and executes the specified use-case.
 // It returns an exit code, that is 0 on success or 1 on error.
 func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
-	executable := filepath.Base(args[0])
-
-	rootCmd := cmd.Root.New(ctx, executable)
+	rootCmd := cmd.Root.New()
 	rootCmd.Version = version
 	rootCmd.SilenceUsage = true
 	rootCmd.SilenceErrors = true

-	getTokenCmd := cmd.GetToken.New(ctx)
+	getTokenCmd := cmd.GetToken.New()
 	rootCmd.AddCommand(getTokenCmd)

+	setupCmd := cmd.Setup.New()
+	rootCmd.AddCommand(setupCmd)
+
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Print the version information",
 		Args:  cobra.NoArgs,
 		Run: func(*cobra.Command, []string) {
-			cmd.Logger.Printf("%s version %s", executable, version)
+			cmd.Logger.Printf("kubelogin version %s (%s %s_%s)", version, runtime.Version(), runtime.GOOS, runtime.GOARCH)
 		},
 	}
 	rootCmd.AddCommand(versionCmd)

 	rootCmd.SetArgs(args[1:])
-	if err := rootCmd.Execute(); err != nil {
+	if err := rootCmd.ExecuteContext(ctx); err != nil {
 		cmd.Logger.Printf("error: %s", err)
 		cmd.Logger.V(1).Infof("stacktrace: %+v", err)
 		return 1
--- a/pkg/adaptors/cmd/cmd_test.go
+++ b/pkg/adaptors/cmd/cmd_test.go
@@ -5,7 +5,8 @@ import (
 	"testing"

 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -16,213 +17,358 @@ func TestCmd_Run(t *testing.T) {
 	const executable = "kubelogin"
 	const version = "HEAD"

-	t.Run("login/Defaults", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		mockStandalone := mock_standalone.NewMockInterface(ctrl)
-		mockStandalone.EXPECT().
-			Do(ctx, standalone.Input{
-				ListenPort: defaultListenPort,
+	t.Run("root", func(t *testing.T) {
+		tests := map[string]struct {
+			args []string
+			in   standalone.Input
+		}{
+			"Defaults": {
+				args: []string{executable},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         defaultListenAddress,
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"when --listen-port is set, it should convert the port to address": {
+				args: []string{
+					executable,
+					"--listen-port", "10080",
+					"--listen-port", "20080",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"when --listen-port is set, it should ignore --listen-address flags": {
+				args: []string{
+					executable,
+					"--listen-port", "10080",
+					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:30080",
+					"--listen-address", "127.0.0.1:40080",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"--kubeconfig", "/path/to/kubeconfig",
+					"--context", "hello.k8s.local",
+					"--user", "google",
+					"--certificate-authority", "/path/to/cacert",
+					"--insecure-skip-tls-verify",
+					"-v1",
+					"--grant-type", "authcode",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
+					"--skip-open-browser",
+					"--username", "USER",
+					"--password", "PASS",
+				},
+				in: standalone.Input{
+					KubeconfigFilename: "/path/to/kubeconfig",
+					KubeconfigContext:  "hello.k8s.local",
+					KubeconfigUser:     "google",
+					CACertFilename:     "/path/to/cacert",
+					SkipTLSVerify:      true,
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:     true,
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"GrantType=authcode-keyboard": {
+				args: []string{executable,
+					"--grant-type", "authcode-keyboard",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
+					},
+				},
+			},
+			"GrantType=password": {
+				args: []string{executable,
+					"--grant-type", "password",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
+					"--username", "USER",
+					"--password", "PASS",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						ROPCOption: &authentication.ROPCOption{
+							Username: "USER",
+							Password: "PASS",
+						},
+					},
+				},
+			},
+			"GrantType=auto": {
+				args: []string{executable,
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
+					"--username", "USER",
+					"--password", "PASS",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						ROPCOption: &authentication.ROPCOption{
+							Username: "USER",
+							Password: "PASS",
+						},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctrl := gomock.NewController(t)
+				defer ctrl.Finish()
+				ctx := context.TODO()
+				mockStandalone := mock_standalone.NewMockInterface(ctrl)
+				mockStandalone.EXPECT().
+					Do(ctx, c.in)
+				cmd := Cmd{
+					Root: &Root{
+						Standalone: mockStandalone,
+						Logger:     logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
 			})
+		}

-		cmd := Cmd{
-			Root: &Root{
-				Standalone: mockStandalone,
-				Logger:     mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(ctx, []string{executable}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
+		t.Run("TooManyArgs", func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			cmd := Cmd{
+				Root: &Root{
+					Standalone: mock_standalone.NewMockInterface(ctrl),
+					Logger:     logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
 	})

-	t.Run("login/FullOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		mockStandalone := mock_standalone.NewMockInterface(ctrl)
-		mockStandalone.EXPECT().
-			Do(ctx, standalone.Input{
-				KubeconfigFilename: "/path/to/kubeconfig",
-				KubeconfigContext:  "hello.k8s.local",
-				KubeconfigUser:     "google",
-				CACertFilename:     "/path/to/cacert",
-				SkipTLSVerify:      true,
-				ListenPort:         []int{10080, 20080},
-				SkipOpenBrowser:    true,
-				Username:           "USER",
-				Password:           "PASS",
+	t.Run("get-token", func(t *testing.T) {
+		tests := map[string]struct {
+			args []string
+			in   credentialplugin.Input
+		}{
+			"Defaults": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: defaultTokenCacheDir,
+					IssuerURL:     "https://issuer.example.com",
+					ClientID:      "YOUR_CLIENT_ID",
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
+					"--oidc-extra-scope", "email",
+					"--oidc-extra-scope", "profile",
+					"--certificate-authority", "/path/to/cacert",
+					"--certificate-authority-data", "BASE64ENCODED",
+					"--insecure-skip-tls-verify",
+					"-v1",
+					"--grant-type", "authcode",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
+					"--skip-open-browser",
+					"--oidc-auth-request-extra-params", "ttl=86400",
+					"--oidc-auth-request-extra-params", "reauth=true",
+					"--username", "USER",
+					"--password", "PASS",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir:  defaultTokenCacheDir,
+					IssuerURL:      "https://issuer.example.com",
+					ClientID:       "YOUR_CLIENT_ID",
+					ClientSecret:   "YOUR_CLIENT_SECRET",
+					ExtraScopes:    []string{"email", "profile"},
+					CACertFilename: "/path/to/cacert",
+					CACertData:     "BASE64ENCODED",
+					SkipTLSVerify:  true,
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:            []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:        true,
+							RedirectURLHostname:    "localhost",
+							AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
+						},
+					},
+				},
+			},
+			"GrantType=authcode-keyboard": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--grant-type", "authcode-keyboard",
+					"--oidc-auth-request-extra-params", "ttl=86400",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: defaultTokenCacheDir,
+					IssuerURL:     "https://issuer.example.com",
+					ClientID:      "YOUR_CLIENT_ID",
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{
+							AuthRequestExtraParams: map[string]string{"ttl": "86400"},
+						},
+					},
+				},
+			},
+			"GrantType=password": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--grant-type", "password",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
+					"--username", "USER",
+					"--password", "PASS",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: defaultTokenCacheDir,
+					IssuerURL:     "https://issuer.example.com",
+					ClientID:      "YOUR_CLIENT_ID",
+					GrantOptionSet: authentication.GrantOptionSet{
+						ROPCOption: &authentication.ROPCOption{
+							Username: "USER",
+							Password: "PASS",
+						},
+					},
+				},
+			},
+			"GrantType=auto": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
+					"--username", "USER",
+					"--password", "PASS",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: defaultTokenCacheDir,
+					IssuerURL:     "https://issuer.example.com",
+					ClientID:      "YOUR_CLIENT_ID",
+					GrantOptionSet: authentication.GrantOptionSet{
+						ROPCOption: &authentication.ROPCOption{
+							Username: "USER",
+							Password: "PASS",
+						},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctrl := gomock.NewController(t)
+				defer ctrl.Finish()
+				ctx := context.TODO()
+				getToken := mock_credentialplugin.NewMockInterface(ctrl)
+				getToken.EXPECT().
+					Do(ctx, c.in)
+				cmd := Cmd{
+					Root: &Root{
+						Logger: logger.New(t),
+					},
+					GetToken: &GetToken{
+						GetToken: getToken,
+						Logger:   logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
 			})
+		}

-		cmd := Cmd{
-			Root: &Root{
-				Standalone: mockStandalone,
-				Logger:     mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"--kubeconfig", "/path/to/kubeconfig",
-			"--context", "hello.k8s.local",
-			"--user", "google",
-			"--certificate-authority", "/path/to/cacert",
-			"--insecure-skip-tls-verify",
-			"-v1",
-			"--listen-port", "10080",
-			"--listen-port", "20080",
-			"--skip-open-browser",
-			"--username", "USER",
-			"--password", "PASS",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
+		t.Run("MissingMandatoryOptions", func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})

-	t.Run("login/TooManyArgs", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		cmd := Cmd{
-			Root: &Root{
-				Standalone: mock_standalone.NewMockInterface(ctrl),
-				Logger:     mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
-		if exitCode != 1 {
-			t.Errorf("exitCode wants 1 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/Defaults", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		getToken := mock_credentialplugin.NewMockInterface(ctrl)
-		getToken.EXPECT().
-			Do(ctx, credentialplugin.Input{
-				ListenPort:    defaultListenPort,
-				TokenCacheDir: defaultTokenCacheDir,
-				IssuerURL:     "https://issuer.example.com",
-				ClientID:      "YOUR_CLIENT_ID",
-			})
-
-		cmd := Cmd{
-			Root: &Root{
-				Logger: mock_logger.New(t),
-			},
-			GetToken: &GetToken{
-				GetToken: getToken,
-				Logger:   mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"get-token",
-			"--oidc-issuer-url", "https://issuer.example.com",
-			"--oidc-client-id", "YOUR_CLIENT_ID",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/FullOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-
-		getToken := mock_credentialplugin.NewMockInterface(ctrl)
-		getToken.EXPECT().
-			Do(ctx, credentialplugin.Input{
-				TokenCacheDir:   defaultTokenCacheDir,
-				IssuerURL:       "https://issuer.example.com",
-				ClientID:        "YOUR_CLIENT_ID",
-				ClientSecret:    "YOUR_CLIENT_SECRET",
-				ExtraScopes:     []string{"email", "profile"},
-				CACertFilename:  "/path/to/cacert",
-				SkipTLSVerify:   true,
-				ListenPort:      []int{10080, 20080},
-				SkipOpenBrowser: true,
-				Username:        "USER",
-				Password:        "PASS",
-			})
-
-		cmd := Cmd{
-			Root: &Root{
-				Logger: mock_logger.New(t),
-			},
-			GetToken: &GetToken{
-				GetToken: getToken,
-				Logger:   mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(ctx, []string{executable,
-			"get-token",
-			"--oidc-issuer-url", "https://issuer.example.com",
-			"--oidc-client-id", "YOUR_CLIENT_ID",
-			"--oidc-client-secret", "YOUR_CLIENT_SECRET",
-			"--oidc-extra-scope", "email",
-			"--oidc-extra-scope", "profile",
-			"--certificate-authority", "/path/to/cacert",
-			"--insecure-skip-tls-verify",
-			"-v1",
-			"--listen-port", "10080",
-			"--listen-port", "20080",
-			"--skip-open-browser",
-			"--username", "USER",
-			"--password", "PASS",
-		}, version)
-		if exitCode != 0 {
-			t.Errorf("exitCode wants 0 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/MissingMandatoryOptions", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		cmd := Cmd{
-			Root: &Root{
-				Logger: mock_logger.New(t),
-			},
-			GetToken: &GetToken{
-				GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-				Logger:   mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
-		if exitCode != 1 {
-			t.Errorf("exitCode wants 1 but %d", exitCode)
-		}
-	})
-
-	t.Run("get-token/TooManyArgs", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-		ctx := context.TODO()
-		cmd := Cmd{
-			Root: &Root{
-				Logger: mock_logger.New(t),
-			},
-			GetToken: &GetToken{
-				GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-				Logger:   mock_logger.New(t),
-			},
-			Logger: mock_logger.New(t),
-		}
-		exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
-		if exitCode != 1 {
-			t.Errorf("exitCode wants 1 but %d", exitCode)
-		}
+		t.Run("TooManyArgs", func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
 	})
 }
--- a/pkg/adaptors/cmd/get_token.go
+++ b/pkg/adaptors/cmd/get_token.go
@@ -1,8 +1,6 @@
 package cmd

 import (
-	"context"
-
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/spf13/cobra"
@@ -12,27 +10,28 @@ import (

 // getTokenOptions represents the options for get-token command.
 type getTokenOptions struct {
-	loginOptions
-	IssuerURL            string
-	ClientID             string
-	ClientSecret         string
-	ExtraScopes          []string
-	CertificateAuthority string
-	SkipTLSVerify        bool
-	Verbose              int
-	TokenCacheDir        string
+	IssuerURL             string
+	ClientID              string
+	ClientSecret          string
+	ExtraScopes           []string
+	CACertFilename        string
+	CACertData            string
+	SkipTLSVerify         bool
+	TokenCacheDir         string
+	authenticationOptions authenticationOptions
 }

 func (o *getTokenOptions) register(f *pflag.FlagSet) {
 	f.SortFlags = false
-	o.loginOptions.register(f)
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
 	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
+	o.authenticationOptions.register(f)
 }

 type GetToken struct {
@@ -40,7 +39,7 @@ type GetToken struct {
 	Logger   logger.Interface
 }

-func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
+func (cmd *GetToken) New() *cobra.Command {
 	var o getTokenOptions
 	c := &cobra.Command{
 		Use:   "get-token [flags]",
@@ -57,22 +56,24 @@ func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
 			}
 			return nil
 		},
-		RunE: func(*cobra.Command, []string) error {
-			in := credentialplugin.Input{
-				IssuerURL:       o.IssuerURL,
-				ClientID:        o.ClientID,
-				ClientSecret:    o.ClientSecret,
-				ExtraScopes:     o.ExtraScopes,
-				CACertFilename:  o.CertificateAuthority,
-				SkipTLSVerify:   o.SkipTLSVerify,
-				ListenPort:      o.ListenPort,
-				SkipOpenBrowser: o.SkipOpenBrowser,
-				Username:        o.Username,
-				Password:        o.Password,
-				TokenCacheDir:   o.TokenCacheDir,
+		RunE: func(c *cobra.Command, _ []string) error {
+			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
+			if err != nil {
+				return xerrors.Errorf("get-token: %w", err)
 			}
-			if err := cmd.GetToken.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			in := credentialplugin.Input{
+				IssuerURL:      o.IssuerURL,
+				ClientID:       o.ClientID,
+				ClientSecret:   o.ClientSecret,
+				ExtraScopes:    o.ExtraScopes,
+				CACertFilename: o.CACertFilename,
+				CACertData:     o.CACertData,
+				SkipTLSVerify:  o.SkipTLSVerify,
+				TokenCacheDir:  o.TokenCacheDir,
+				GrantOptionSet: grantOptionSet,
+			}
+			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
+				return xerrors.Errorf("get-token: %w", err)
 			}
 			return nil
 		},
--- a/pkg/adaptors/cmd/root.go
+++ b/pkg/adaptors/cmd/root.go
@@ -1,86 +1,149 @@
 package cmd

 import (
-	"context"
 	"fmt"
+	"strings"

 	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"golang.org/x/xerrors"
 )

-// kubectlOptions represents kubectl specific options.
-type kubectlOptions struct {
-	Kubeconfig           string
-	Context              string
-	User                 string
-	CertificateAuthority string
-	SkipTLSVerify        bool
+const longDescription = `Login to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+Run the following command to show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.
+`
+
+// rootOptions represents the options for the root command.
+type rootOptions struct {
+	Kubeconfig            string
+	Context               string
+	User                  string
+	CertificateAuthority  string
+	SkipTLSVerify         bool
+	authenticationOptions authenticationOptions
 }

-func (o *kubectlOptions) register(f *pflag.FlagSet) {
+func (o *rootOptions) register(f *pflag.FlagSet) {
 	f.SortFlags = false
 	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
 	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
 	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
 	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
 	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	o.authenticationOptions.register(f)
 }

-// loginOptions represents the options for Login use-case.
-type loginOptions struct {
-	ListenPort      []int
-	SkipOpenBrowser bool
-	Username        string
-	Password        string
+type authenticationOptions struct {
+	GrantType              string
+	ListenAddress          []string
+	ListenPort             []int // deprecated
+	SkipOpenBrowser        bool
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
+	Username               string
+	Password               string
 }

-func (o *loginOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
+// determineListenAddress returns the addresses from the flags.
+// Note that --listen-address is always given due to the default value.
+// If --listen-port is not set, it returns --listen-address.
+// If --listen-port is set, it returns the strings of --listen-port.
+func (o *authenticationOptions) determineListenAddress() []string {
+	if len(o.ListenPort) == 0 {
+		return o.ListenAddress
+	}
+	var a []string
+	for _, p := range o.ListenPort {
+		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
+	}
+	return a
+}
+
+var allGrantType = strings.Join([]string{
+	"auto",
+	"authcode",
+	"authcode-keyboard",
+	"password",
+}, "|")
+
+func (o *authenticationOptions) register(f *pflag.FlagSet) {
+	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("The authorization grant type to use. One of (%s)", allGrantType))
+	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "Address to bind to the local server. If multiple addresses are given, it will try binding in order")
+	//TODO: remove the deprecated flag
+	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "(Deprecated: use --listen-address)")
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "Hostname of the redirect URL")
+	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
 	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
 }

+func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
+	switch {
+	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
+		s.AuthCodeOption = &authentication.AuthCodeOption{
+			BindAddress:            o.determineListenAddress(),
+			SkipOpenBrowser:        o.SkipOpenBrowser,
+			RedirectURLHostname:    o.RedirectURLHostname,
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "authcode-keyboard":
+		s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
+		s.ROPCOption = &authentication.ROPCOption{
+			Username: o.Username,
+			Password: o.Password,
+		}
+	default:
+		err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
+	}
+	return
+}
+
 type Root struct {
 	Standalone standalone.Interface
 	Logger     logger.Interface
 }

-func (cmd *Root) New(ctx context.Context, executable string) *cobra.Command {
-	var o struct {
-		kubectlOptions
-		loginOptions
-	}
+func (cmd *Root) New() *cobra.Command {
+	var o rootOptions
 	rootCmd := &cobra.Command{
-		Use:     executable,
-		Short:   "Login to the OpenID Connect provider and update the kubeconfig",
-		Example: fmt.Sprintf(examples, executable),
-		Args:    cobra.NoArgs,
-		RunE: func(*cobra.Command, []string) error {
+		Use:   "kubelogin",
+		Short: "Login to the OpenID Connect provider",
+		Long:  longDescription,
+		Args:  cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
+			if err != nil {
+				return xerrors.Errorf("invalid option: %w", err)
+			}
 			in := standalone.Input{
 				KubeconfigFilename: o.Kubeconfig,
 				KubeconfigContext:  kubeconfig.ContextName(o.Context),
 				KubeconfigUser:     kubeconfig.UserName(o.User),
 				CACertFilename:     o.CertificateAuthority,
 				SkipTLSVerify:      o.SkipTLSVerify,
-				ListenPort:         o.ListenPort,
-				SkipOpenBrowser:    o.SkipOpenBrowser,
-				Username:           o.Username,
-				Password:           o.Password,
+				GrantOptionSet:     grantOptionSet,
 			}
-			if err := cmd.Standalone.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
+				return xerrors.Errorf("login: %w", err)
 			}
 			return nil
 		},
 	}
-	o.kubectlOptions.register(rootCmd.Flags())
-	o.loginOptions.register(rootCmd.Flags())
+	o.register(rootCmd.Flags())
 	cmd.Logger.AddFlags(rootCmd.PersistentFlags())
 	return rootCmd
 }
--- a/pkg/adaptors/cmd/setup.go
+++ b/pkg/adaptors/cmd/setup.go
@@ -0,0 +1,74 @@
+package cmd
+
+import (
+	"github.com/int128/kubelogin/pkg/usecases/setup"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+)
+
+// setupOptions represents the options for setup command.
+type setupOptions struct {
+	IssuerURL             string
+	ClientID              string
+	ClientSecret          string
+	ExtraScopes           []string
+	CACertFilename        string
+	CACertData            string
+	SkipTLSVerify         bool
+	authenticationOptions authenticationOptions
+}
+
+func (o *setupOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
+	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
+	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
+	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	o.authenticationOptions.register(f)
+}
+
+type Setup struct {
+	Setup setup.Interface
+}
+
+func (cmd *Setup) New() *cobra.Command {
+	var o setupOptions
+	c := &cobra.Command{
+		Use:   "setup",
+		Short: "Show the setup instruction",
+		Args:  cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
+			if err != nil {
+				return xerrors.Errorf("setup: %w", err)
+			}
+			in := setup.Stage2Input{
+				IssuerURL:      o.IssuerURL,
+				ClientID:       o.ClientID,
+				ClientSecret:   o.ClientSecret,
+				ExtraScopes:    o.ExtraScopes,
+				CACertFilename: o.CACertFilename,
+				CACertData:     o.CACertData,
+				SkipTLSVerify:  o.SkipTLSVerify,
+				GrantOptionSet: grantOptionSet,
+			}
+			if c.Flags().Lookup("listen-address").Changed {
+				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
+			}
+			if in.IssuerURL == "" || in.ClientID == "" {
+				cmd.Setup.DoStage1()
+				return nil
+			}
+			if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
+				return xerrors.Errorf("setup: %w", err)
+			}
+			return nil
+		},
+	}
+	o.register(c.Flags())
+	return c
+}
--- a/pkg/adaptors/credentialplugin/credential_plugin.go
+++ b/pkg/adaptors/credentialplugin/credential_plugin.go
@@ -1,51 +0,0 @@
-// Package credentialplugin provides interaction with kubectl for a credential plugin.
-package credentialplugin
-
-import (
-	"encoding/json"
-	"os"
-	"time"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
-)
-
-//go:generate mockgen -destination mock_credentialplugin/mock_credentialplugin.go github.com/int128/kubelogin/pkg/adaptors/credentialplugin Interface
-
-var Set = wire.NewSet(
-	wire.Struct(new(Interaction), "*"),
-	wire.Bind(new(Interface), new(*Interaction)),
-)
-
-type Interface interface {
-	Write(out Output) error
-}
-
-// Output represents an output object of the credential plugin.
-type Output struct {
-	Token  string
-	Expiry time.Time
-}
-
-type Interaction struct{}
-
-// Write writes the ExecCredential to standard output for kubectl.
-func (*Interaction) Write(out Output) error {
-	ec := &v1beta1.ExecCredential{
-		TypeMeta: v1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &v1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &v1.Time{Time: out.Expiry},
-		},
-	}
-	e := json.NewEncoder(os.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return xerrors.Errorf("could not write the ExecCredential: %w", err)
-	}
-	return nil
-}
--- a/pkg/adaptors/credentialpluginwriter/credential_plugin.go
+++ b/pkg/adaptors/credentialpluginwriter/credential_plugin.go
@@ -0,0 +1,53 @@
+// Package credentialpluginwriter provides a writer for a credential plugin.
+package credentialpluginwriter
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/stdio"
+	"golang.org/x/xerrors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+)
+
+//go:generate mockgen -destination mock_credentialpluginwriter/mock_credentialpluginwriter.go github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter Interface
+
+var Set = wire.NewSet(
+	wire.Struct(new(Writer), "*"),
+	wire.Bind(new(Interface), new(*Writer)),
+)
+
+type Interface interface {
+	Write(out Output) error
+}
+
+// Output represents an output object of the credential plugin.
+type Output struct {
+	Token  string
+	Expiry time.Time
+}
+
+type Writer struct {
+	Stdout stdio.Stdout
+}
+
+// Write writes the ExecCredential to standard output for kubectl.
+func (w *Writer) Write(out Output) error {
+	ec := &clientauthenticationv1beta1.ExecCredential{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "client.authentication.k8s.io/v1beta1",
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+			Token:               out.Token,
+			ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+		},
+	}
+	e := json.NewEncoder(w.Stdout)
+	if err := e.Encode(ec); err != nil {
+		return xerrors.Errorf("could not write the ExecCredential: %w", err)
+	}
+	return nil
+}
--- a/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go
+++ b/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go
@@ -1,12 +1,12 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/credentialplugin (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter (interfaces: Interface)

-// Package mock_credentialplugin is a generated GoMock package.
-package mock_credentialplugin
+// Package mock_credentialpluginwriter is a generated GoMock package.
+package mock_credentialpluginwriter

 import (
 	gomock "github.com/golang/mock/gomock"
-	credentialplugin "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	credentialpluginwriter "github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
 	reflect "reflect"
 )

@@ -34,7 +34,8 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 }

 // Write mocks base method
-func (m *MockInterface) Write(arg0 credentialplugin.Output) error {
+func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
+	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Write", arg0)
 	ret0, _ := ret[0].(error)
 	return ret0
@@ -42,5 +43,6 @@ func (m *MockInterface) Write(arg0 credentialplugin.Output) error {

 // Write indicates an expected call of Write
 func (mr *MockInterfaceMockRecorder) Write(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockInterface)(nil).Write), arg0)
 }
--- a/pkg/adaptors/env/env.go
+++ b/pkg/adaptors/env/env.go
@@ -1,58 +0,0 @@
-package env
-
-import (
-	"fmt"
-	"os"
-	"syscall"
-
-	"github.com/google/wire"
-	"github.com/pkg/browser"
-	"golang.org/x/crypto/ssh/terminal"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_env/mock_env.go github.com/int128/kubelogin/pkg/adaptors/env Interface
-
-func init() {
-	// In credential plugin mode, some browser launcher writes a message to stdout
-	// and it may break the credential json for client-go.
-	// This prevents the browser launcher from breaking the credential json.
-	browser.Stdout = os.Stderr
-}
-
-// Set provides an implementation and interface for Env.
-var Set = wire.NewSet(
-	wire.Struct(new(Env), "*"),
-	wire.Bind(new(Interface), new(*Env)),
-)
-
-type Interface interface {
-	ReadPassword(prompt string) (string, error)
-	OpenBrowser(url string) error
-}
-
-// Env provides environment specific facilities.
-type Env struct{}
-
-// ReadPassword reads a password from the stdin without echo back.
-func (*Env) ReadPassword(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, "Password: "); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	b, err := terminal.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return "", xerrors.Errorf("could not read: %w", err)
-	}
-	if _, err := fmt.Fprintln(os.Stderr); err != nil {
-		return "", xerrors.Errorf("could not write a new line: %w", err)
-	}
-	return string(b), nil
-}
-
-// OpenBrowser opens the default browser.
-func (env *Env) OpenBrowser(url string) error {
-	if err := browser.OpenURL(url); err != nil {
-		return xerrors.Errorf("could not open the browser: %w", err)
-	}
-	return nil
-}
--- a/pkg/adaptors/kubeconfig/kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/kubeconfig.go
@@ -2,6 +2,7 @@ package kubeconfig

 import (
 	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
 )

 //go:generate mockgen -destination mock_kubeconfig/mock_kubeconfig.go github.com/int128/kubelogin/pkg/adaptors/kubeconfig Interface
@@ -26,22 +27,19 @@ type UserName string
 // AuthProvider represents the authentication provider,
 // i.e. context, user and auth-provider in a kubeconfig.
 type AuthProvider struct {
-	LocationOfOrigin string      // Path to the kubeconfig file which contains the user
-	UserName         UserName    // User name
-	ContextName      ContextName // Context name (optional)
-	OIDCConfig       OIDCConfig
+	LocationOfOrigin            string      // Path to the kubeconfig file which contains the user
+	UserName                    UserName    // User name
+	ContextName                 ContextName // (optional) Context name
+	IDPIssuerURL                string      // idp-issuer-url
+	ClientID                    string      // client-id
+	ClientSecret                string      // (optional) client-secret
+	IDPCertificateAuthority     string      // (optional) idp-certificate-authority
+	IDPCertificateAuthorityData string      // (optional) idp-certificate-authority-data
+	ExtraScopes                 []string    // (optional) extra-scopes
+	IDToken                     string      // (optional) id-token
+	RefreshToken                string      // (optional) refresh-token
 }

-// OIDCConfig represents a configuration of an OIDC provider.
-type OIDCConfig struct {
-	IDPIssuerURL                string   // idp-issuer-url
-	ClientID                    string   // client-id
-	ClientSecret                string   // client-secret
-	IDPCertificateAuthority     string   // (optional) idp-certificate-authority
-	IDPCertificateAuthorityData string   // (optional) idp-certificate-authority-data
-	ExtraScopes                 []string // (optional) extra-scopes
-	IDToken                     string   // (optional) id-token
-	RefreshToken                string   // (optional) refresh-token
+type Kubeconfig struct {
+	Logger logger.Interface
 }
-
-type Kubeconfig struct{}
--- a/pkg/adaptors/kubeconfig/load.go
+++ b/pkg/adaptors/kubeconfig/load.go
@@ -11,7 +11,7 @@ import (
 func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error) {
 	config, err := loadByDefaultRules(explicitFilename)
 	if err != nil {
-		return nil, xerrors.Errorf("could not load kubeconfig: %w", err)
+		return nil, xerrors.Errorf("could not load the kubeconfig: %w", err)
 	}
 	auth, err := findCurrentAuthProvider(config, contextName, userName)
 	if err != nil {
@@ -25,7 +25,7 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
 	rules.ExplicitPath = explicitFilename
 	config, err := rules.Load()
 	if err != nil {
-		return nil, xerrors.Errorf("error while loading config: %w", err)
+		return nil, xerrors.Errorf("load error: %w", err)
 	}
 	return config, err
 }
@@ -58,20 +58,16 @@ func findCurrentAuthProvider(config *api.Config, contextName ContextName, userNa
 	if userNode.AuthProvider.Config == nil {
 		return nil, xerrors.New("auth-provider.config is missing")
 	}
-	return &AuthProvider{
-		LocationOfOrigin: userNode.LocationOfOrigin,
-		UserName:         userName,
-		ContextName:      contextName,
-		OIDCConfig:       makeOIDCConfig(userNode.AuthProvider.Config),
-	}, nil
-}

-func makeOIDCConfig(m map[string]string) OIDCConfig {
+	m := userNode.AuthProvider.Config
 	var extraScopes []string
 	if m["extra-scopes"] != "" {
 		extraScopes = strings.Split(m["extra-scopes"], ",")
 	}
-	return OIDCConfig{
+	return &AuthProvider{
+		LocationOfOrigin:            userNode.LocationOfOrigin,
+		UserName:                    userName,
+		ContextName:                 contextName,
 		IDPIssuerURL:                m["idp-issuer-url"],
 		ClientID:                    m["client-id"],
 		ClientSecret:                m["client-secret"],
@@ -80,5 +76,5 @@ func makeOIDCConfig(m map[string]string) OIDCConfig {
 		ExtraScopes:                 extraScopes,
 		IDToken:                     m["id-token"],
 		RefreshToken:                m["refresh-token"],
-	}
+	}, nil
 }
--- a/pkg/adaptors/kubeconfig/load_test.go
+++ b/pkg/adaptors/kubeconfig/load_test.go
@@ -4,7 +4,7 @@ import (
 	"os"
 	"testing"

-	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
 	"k8s.io/client-go/tools/clientcmd/api"
 )

@@ -76,7 +76,7 @@ func unsetenv(t *testing.T, key string) {

 func Test_findCurrentAuthProvider(t *testing.T) {
 	t.Run("CurrentContext", func(t *testing.T) {
-		auth, err := findCurrentAuthProvider(&api.Config{
+		got, err := findCurrentAuthProvider(&api.Config{
 			CurrentContext: "theContext",
 			Contexts: map[string]*api.Context{
 				"theContext": {
@@ -106,27 +106,25 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
 		want := &AuthProvider{
-			LocationOfOrigin: "/path/to/kubeconfig",
-			UserName:         "theUser",
-			ContextName:      "theContext",
-			OIDCConfig: OIDCConfig{
-				IDPIssuerURL:                "https://accounts.google.com",
-				ClientID:                    "GOOGLE_CLIENT_ID",
-				ClientSecret:                "GOOGLE_CLIENT_SECRET",
-				IDPCertificateAuthority:     "/path/to/cert",
-				IDPCertificateAuthorityData: "BASE64",
-				ExtraScopes:                 []string{"email", "profile"},
-				IDToken:                     "YOUR_ID_TOKEN",
-				RefreshToken:                "YOUR_REFRESH_TOKEN",
-			},
+			LocationOfOrigin:            "/path/to/kubeconfig",
+			UserName:                    "theUser",
+			ContextName:                 "theContext",
+			IDPIssuerURL:                "https://accounts.google.com",
+			ClientID:                    "GOOGLE_CLIENT_ID",
+			ClientSecret:                "GOOGLE_CLIENT_SECRET",
+			IDPCertificateAuthority:     "/path/to/cert",
+			IDPCertificateAuthorityData: "BASE64",
+			ExtraScopes:                 []string{"email", "profile"},
+			IDToken:                     "YOUR_ID_TOKEN",
+			RefreshToken:                "YOUR_REFRESH_TOKEN",
 		}
-		if diff := deep.Equal(want, auth); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})

 	t.Run("ByContextName", func(t *testing.T) {
-		auth, err := findCurrentAuthProvider(&api.Config{
+		got, err := findCurrentAuthProvider(&api.Config{
 			Contexts: map[string]*api.Context{
 				"theContext": {
 					AuthInfo: "theUser",
@@ -151,17 +149,15 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
 			ContextName:      "theContext",
-			OIDCConfig: OIDCConfig{
-				IDPIssuerURL: "https://accounts.google.com",
-			},
+			IDPIssuerURL:     "https://accounts.google.com",
 		}
-		if diff := deep.Equal(want, auth); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})

 	t.Run("ByUserName", func(t *testing.T) {
-		auth, err := findCurrentAuthProvider(&api.Config{
+		got, err := findCurrentAuthProvider(&api.Config{
 			AuthInfos: map[string]*api.AuthInfo{
 				"theUser": {
 					LocationOfOrigin: "/path/to/kubeconfig",
@@ -180,12 +176,10 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		want := &AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
-			OIDCConfig: OIDCConfig{
-				IDPIssuerURL: "https://accounts.google.com",
-			},
+			IDPIssuerURL:     "https://accounts.google.com",
 		}
-		if diff := deep.Equal(want, auth); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})

--- a/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
@@ -35,6 +35,7 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {

 // GetCurrentAuthProvider mocks base method
 func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
 	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
 	ret1, _ := ret[1].(error)
@@ -43,11 +44,13 @@ func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.Cont

 // GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
 func (mr *MockInterfaceMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockInterface)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
 }

 // UpdateAuthProvider mocks base method
 func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
+	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
 	ret0, _ := ret[0].(error)
 	return ret0
@@ -55,5 +58,6 @@ func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error

 // UpdateAuthProvider indicates an expected call of UpdateAuthProvider
 func (mr *MockInterfaceMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockInterface)(nil).UpdateAuthProvider), arg0)
 }
--- a/pkg/adaptors/kubeconfig/write.go
+++ b/pkg/adaptors/kubeconfig/write.go
@@ -7,14 +7,14 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 )

-func (*Kubeconfig) UpdateAuthProvider(auth *AuthProvider) error {
-	config, err := clientcmd.LoadFromFile(auth.LocationOfOrigin)
+func (*Kubeconfig) UpdateAuthProvider(p *AuthProvider) error {
+	config, err := clientcmd.LoadFromFile(p.LocationOfOrigin)
 	if err != nil {
-		return xerrors.Errorf("could not load %s: %w", auth.LocationOfOrigin, err)
+		return xerrors.Errorf("could not load %s: %w", p.LocationOfOrigin, err)
 	}
-	userNode, ok := config.AuthInfos[string(auth.UserName)]
+	userNode, ok := config.AuthInfos[string(p.UserName)]
 	if !ok {
-		return xerrors.Errorf("user %s does not exist", auth.UserName)
+		return xerrors.Errorf("user %s does not exist", p.UserName)
 	}
 	if userNode.AuthProvider == nil {
 		return xerrors.Errorf("auth-provider is missing")
@@ -22,23 +22,23 @@ func (*Kubeconfig) UpdateAuthProvider(auth *AuthProvider) error {
 	if userNode.AuthProvider.Name != "oidc" {
 		return xerrors.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
 	}
-	copyOIDCConfig(auth.OIDCConfig, userNode.AuthProvider.Config)
-	if err := clientcmd.WriteToFile(*config, auth.LocationOfOrigin); err != nil {
-		return xerrors.Errorf("could not update %s: %w", auth.LocationOfOrigin, err)
+	copyAuthProviderConfig(p, userNode.AuthProvider.Config)
+	if err := clientcmd.WriteToFile(*config, p.LocationOfOrigin); err != nil {
+		return xerrors.Errorf("could not update %s: %w", p.LocationOfOrigin, err)
 	}
 	return nil
 }

-func copyOIDCConfig(config OIDCConfig, m map[string]string) {
-	setOrDeleteKey(m, "idp-issuer-url", config.IDPIssuerURL)
-	setOrDeleteKey(m, "client-id", config.ClientID)
-	setOrDeleteKey(m, "client-secret", config.ClientSecret)
-	setOrDeleteKey(m, "idp-certificate-authority", config.IDPCertificateAuthority)
-	setOrDeleteKey(m, "idp-certificate-authority-data", config.IDPCertificateAuthorityData)
-	extraScopes := strings.Join(config.ExtraScopes, ",")
+func copyAuthProviderConfig(p *AuthProvider, m map[string]string) {
+	setOrDeleteKey(m, "idp-issuer-url", p.IDPIssuerURL)
+	setOrDeleteKey(m, "client-id", p.ClientID)
+	setOrDeleteKey(m, "client-secret", p.ClientSecret)
+	setOrDeleteKey(m, "idp-certificate-authority", p.IDPCertificateAuthority)
+	setOrDeleteKey(m, "idp-certificate-authority-data", p.IDPCertificateAuthorityData)
+	extraScopes := strings.Join(p.ExtraScopes, ",")
 	setOrDeleteKey(m, "extra-scopes", extraScopes)
-	setOrDeleteKey(m, "id-token", config.IDToken)
-	setOrDeleteKey(m, "refresh-token", config.RefreshToken)
+	setOrDeleteKey(m, "id-token", p.IDToken)
+	setOrDeleteKey(m, "refresh-token", p.RefreshToken)
 }

 func setOrDeleteKey(m map[string]string, key, value string) {
--- a/pkg/adaptors/kubeconfig/write_test.go
+++ b/pkg/adaptors/kubeconfig/write_test.go
@@ -4,6 +4,8 @@ import (
 	"io/ioutil"
 	"os"
 	"testing"
+
+	"github.com/google/go-cmp/cmp"
 )

 func TestKubeconfig_UpdateAuth(t *testing.T) {
@@ -19,13 +21,11 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 		if err := k.UpdateAuthProvider(&AuthProvider{
 			LocationOfOrigin: f.Name(),
 			UserName:         "google",
-			OIDCConfig: OIDCConfig{
-				IDPIssuerURL: "https://accounts.google.com",
-				ClientID:     "GOOGLE_CLIENT_ID",
-				ClientSecret: "GOOGLE_CLIENT_SECRET",
-				IDToken:      "YOUR_ID_TOKEN",
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			},
+			IDPIssuerURL:     "https://accounts.google.com",
+			ClientID:         "GOOGLE_CLIENT_ID",
+			ClientSecret:     "GOOGLE_CLIENT_SECRET",
+			IDToken:          "YOUR_ID_TOKEN",
+			RefreshToken:     "YOUR_REFRESH_TOKEN",
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
@@ -34,9 +34,10 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}

+		got := string(b)
 		want := `apiVersion: v1
-clusters: []
-contexts: []
+clusters: null
+contexts: null
 current-context: ""
 kind: Config
 preferences: {}
@@ -52,8 +53,8 @@ users:
        refresh-token: YOUR_REFRESH_TOKEN
      name: oidc
 `
-		if want != string(b) {
-			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
 		}
 	})

@@ -65,18 +66,16 @@ users:
 			}
 		}()
 		if err := k.UpdateAuthProvider(&AuthProvider{
-			LocationOfOrigin: f.Name(),
-			UserName:         "google",
-			OIDCConfig: OIDCConfig{
-				IDPIssuerURL:                "https://accounts.google.com",
-				ClientID:                    "GOOGLE_CLIENT_ID",
-				ClientSecret:                "GOOGLE_CLIENT_SECRET",
-				IDPCertificateAuthority:     "/path/to/cert",
-				IDPCertificateAuthorityData: "BASE64",
-				ExtraScopes:                 []string{"email", "profile"},
-				IDToken:                     "YOUR_ID_TOKEN",
-				RefreshToken:                "YOUR_REFRESH_TOKEN",
-			},
+			LocationOfOrigin:            f.Name(),
+			UserName:                    "google",
+			IDPIssuerURL:                "https://accounts.google.com",
+			ClientID:                    "GOOGLE_CLIENT_ID",
+			ClientSecret:                "GOOGLE_CLIENT_SECRET",
+			IDPCertificateAuthority:     "/path/to/cert",
+			IDPCertificateAuthorityData: "BASE64",
+			ExtraScopes:                 []string{"email", "profile"},
+			IDToken:                     "YOUR_ID_TOKEN",
+			RefreshToken:                "YOUR_REFRESH_TOKEN",
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
@@ -85,9 +84,10 @@ users:
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}

+		got := string(b)
 		want := `apiVersion: v1
-clusters: []
-contexts: []
+clusters: null
+contexts: null
 current-context: ""
 kind: Config
 preferences: {}
@@ -106,8 +106,8 @@ users:
        refresh-token: YOUR_REFRESH_TOKEN
      name: oidc
 `
-		if want != string(b) {
-			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
 		}
 	})
 }
--- a/pkg/adaptors/oidc/client.go
+++ b/pkg/adaptors/oidc/client.go
@@ -1,161 +0,0 @@
-package oidc
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/coreos/go-oidc"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/oauth2cli"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-type Interface interface {
-	AuthenticateByCode(ctx context.Context, localServerPort []int, localServerReadyChan chan<- string) (*TokenSet, error)
-	AuthenticateByPassword(ctx context.Context, username, password string) (*TokenSet, error)
-	Refresh(ctx context.Context, refreshToken string) (*TokenSet, error)
-}
-
-// TokenSet represents an output DTO of
-// Interface.AuthenticateByCode, Interface.AuthenticateByPassword and Interface.Refresh.
-type TokenSet struct {
-	IDToken       string
-	RefreshToken  string
-	IDTokenExpiry time.Time
-	IDTokenClaims map[string]string // string representation of claims for logging
-}
-
-type client struct {
-	httpClient   *http.Client
-	provider     *oidc.Provider
-	oauth2Config oauth2.Config
-	logger       logger.Interface
-}
-
-func (c *client) wrapContext(ctx context.Context) context.Context {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	return ctx
-}
-
-// AuthenticateByCode performs the authorization code flow.
-func (c *client) AuthenticateByCode(ctx context.Context, localServerPort []int, localServerReadyChan chan<- string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	nonce, err := newNonce()
-	if err != nil {
-		return nil, xerrors.Errorf("could not generate a nonce parameter")
-	}
-	config := oauth2cli.Config{
-		OAuth2Config:         c.oauth2Config,
-		LocalServerPort:      localServerPort,
-		AuthCodeOptions:      []oauth2.AuthCodeOption{oauth2.AccessTypeOffline, oidc.Nonce(nonce)},
-		LocalServerReadyChan: localServerReadyChan,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	if verifiedIDToken.Nonce != nonce {
-		return nil, xerrors.Errorf("nonce of ID token did not match (want %s but was %s)", nonce, verifiedIDToken.Nonce)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
-	}
-	return &TokenSet{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func newNonce() (string, error) {
-	var n uint64
-	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
-		return "", xerrors.Errorf("error while reading random: %w", err)
-	}
-	return fmt.Sprintf("%x", n), nil
-}
-
-// AuthenticateByPassword performs the resource owner password credentials flow.
-func (c *client) AuthenticateByPassword(ctx context.Context, username, password string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
-	}
-	return &TokenSet{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-// Refresh sends a refresh token request and returns a token set.
-func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	currentToken := &oauth2.Token{
-		Expiry:       time.Now(),
-		RefreshToken: refreshToken,
-	}
-	source := c.oauth2Config.TokenSource(ctx, currentToken)
-	token, err := source.Token()
-	if err != nil {
-		return nil, xerrors.Errorf("could not refresh the token: %w", err)
-	}
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the id_token: %w", err)
-	}
-	claims, err := dumpClaims(verifiedIDToken)
-	if err != nil {
-		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
-	}
-	return &TokenSet{
-		IDToken:       idToken,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: verifiedIDToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
-	var rawClaims map[string]interface{}
-	err := token.Claims(&rawClaims)
-	return dumpRawClaims(rawClaims), err
-}
--- a/pkg/adaptors/oidc/decoder.go
+++ b/pkg/adaptors/oidc/decoder.go
@@ -1,61 +0,0 @@
-package oidc
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"golang.org/x/xerrors"
-)
-
-type DecoderInterface interface {
-	DecodeIDToken(t string) (*DecodedIDToken, error)
-}
-
-type DecodedIDToken struct {
-	IDTokenExpiry time.Time
-	IDTokenClaims map[string]string // string representation of claims for logging
-}
-
-type Decoder struct{}
-
-// DecodeIDToken returns the claims of the ID token.
-// Note that this method does not verify the signature and always trust it.
-func (d *Decoder) DecodeIDToken(t string) (*DecodedIDToken, error) {
-	parts := strings.Split(t, ".")
-	if len(parts) != 3 {
-		return nil, xerrors.Errorf("token contains an invalid number of segments")
-	}
-	b, err := jwt.DecodeSegment(parts[1])
-	if err != nil {
-		return nil, xerrors.Errorf("could not decode the token: %w", err)
-	}
-	var claims jwt.StandardClaims
-	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&claims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
-	}
-	var rawClaims map[string]interface{}
-	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&rawClaims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
-	}
-	return &DecodedIDToken{
-		IDTokenExpiry: time.Unix(claims.ExpiresAt, 0),
-		IDTokenClaims: dumpRawClaims(rawClaims),
-	}, nil
-}
-
-func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%.f", v.(float64))
-		default:
-			claims[k] = fmt.Sprintf("%v", v)
-		}
-	}
-	return claims
-}
--- a/pkg/adaptors/oidc/decoder_test.go
+++ b/pkg/adaptors/oidc/decoder_test.go
@@ -1,87 +0,0 @@
-package oidc
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-)
-
-func TestDecoder_DecodeIDToken(t *testing.T) {
-	var decoder Decoder
-
-	t.Run("ValidToken", func(t *testing.T) {
-		expiry := time.Now().Round(time.Second)
-		idToken := newIDToken(t, "https://issuer.example.com", expiry)
-		decodedToken, err := decoder.DecodeIDToken(idToken)
-		if err != nil {
-			t.Fatalf("DecodeIDToken error: %s", err)
-		}
-		if decodedToken.IDTokenExpiry != expiry {
-			t.Errorf("IDTokenExpiry wants %s but %s", expiry, decodedToken.IDTokenExpiry)
-		}
-		t.Logf("IDTokenClaims=%+v", decodedToken.IDTokenClaims)
-	})
-	t.Run("InvalidToken", func(t *testing.T) {
-		decodedToken, err := decoder.DecodeIDToken("HEADER.INVALID_TOKEN.SIGNATURE")
-		if err == nil {
-			t.Errorf("error wants non-nil but nil")
-		} else {
-			t.Logf("expected error: %+v", err)
-		}
-		if decodedToken != nil {
-			t.Errorf("decodedToken wants nil but %+v", decodedToken)
-		}
-	})
-}
-
-func newIDToken(t *testing.T, issuer string, expiry time.Time) string {
-	t.Helper()
-	claims := struct {
-		jwt.StandardClaims
-		Nonce         string   `json:"nonce"`
-		Groups        []string `json:"groups"`
-		EmailVerified bool     `json:"email_verified"`
-	}{
-		StandardClaims: jwt.StandardClaims{
-			Issuer:    issuer,
-			Audience:  "kubernetes",
-			Subject:   "SUBJECT",
-			IssuedAt:  time.Now().Unix(),
-			ExpiresAt: expiry.Unix(),
-		},
-		Nonce:         "NONCE",
-		Groups:        []string{"admin", "users"},
-		EmailVerified: false,
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(readPrivateKey(t, "testdata/jws.key"))
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func readPrivateKey(t *testing.T, name string) *rsa.PrivateKey {
-	t.Helper()
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		t.Fatalf("could not read the file: %s", err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		t.Fatalf("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		t.Fatalf("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		t.Fatalf("could not parse the key: %s", err)
-	}
-	return k
-}
--- a/pkg/adaptors/oidc/factory.go
+++ b/pkg/adaptors/oidc/factory.go
@@ -1,122 +0,0 @@
-package oidc
-
-import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"io/ioutil"
-	"net/http"
-
-	"github.com/coreos/go-oidc"
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidc/logging"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-type FactoryInterface interface {
-	New(ctx context.Context, config ClientConfig) (Interface, error)
-}
-
-// ClientConfig represents a configuration of an Interface to create.
-type ClientConfig struct {
-	Config         kubeconfig.OIDCConfig
-	CACertFilename string
-	SkipTLSVerify  bool
-}
-
-type Factory struct {
-	Logger logger.Interface
-}
-
-// New returns an instance of adaptors.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, config ClientConfig) (Interface, error) {
-	tlsConfig, err := f.tlsConfigFor(config)
-	if err != nil {
-		return nil, xerrors.Errorf("could not initialize TLS config: %w", err)
-	}
-	baseTransport := &http.Transport{
-		TLSClientConfig: tlsConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
-	httpClient := &http.Client{
-		Transport: loggingTransport,
-	}
-
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := oidc.NewProvider(ctx, config.Config.IDPIssuerURL)
-	if err != nil {
-		return nil, xerrors.Errorf("could not discovery the OIDCFactory issuer: %w", err)
-	}
-	return &client{
-		httpClient: httpClient,
-		provider:   provider,
-		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     config.Config.ClientID,
-			ClientSecret: config.Config.ClientSecret,
-			Scopes:       append(config.Config.ExtraScopes, oidc.ScopeOpenID),
-		},
-		logger: f.Logger,
-	}, nil
-}
-
-func (f *Factory) tlsConfigFor(config ClientConfig) (*tls.Config, error) {
-	pool := x509.NewCertPool()
-	if config.Config.IDPCertificateAuthority != "" {
-		f.Logger.V(1).Infof("loading the certificate %s", config.Config.IDPCertificateAuthority)
-		err := appendCertificateFromFile(pool, config.Config.IDPCertificateAuthority)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority: %w", err)
-		}
-	}
-	if config.Config.IDPCertificateAuthorityData != "" {
-		f.Logger.V(1).Infof("loading the certificate of idp-certificate-authority-data")
-		err := appendEncodedCertificate(pool, config.Config.IDPCertificateAuthorityData)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate of idp-certificate-authority-data: %w", err)
-		}
-	}
-	if config.CACertFilename != "" {
-		f.Logger.V(1).Infof("loading the certificate %s", config.CACertFilename)
-		err := appendCertificateFromFile(pool, config.CACertFilename)
-		if err != nil {
-			return nil, xerrors.Errorf("could not load the certificate: %w", err)
-		}
-	}
-	c := &tls.Config{
-		InsecureSkipVerify: config.SkipTLSVerify,
-	}
-	if len(pool.Subjects()) > 0 {
-		c.RootCAs = pool
-	}
-	return c, nil
-}
-
-func appendCertificateFromFile(pool *x509.CertPool, filename string) error {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return xerrors.Errorf("could not read %s: %w", filename, err)
-	}
-	if !pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate from %s", filename)
-	}
-	return nil
-}
-
-func appendEncodedCertificate(pool *x509.CertPool, base64String string) error {
-	b, err := base64.StdEncoding.DecodeString(base64String)
-	if err != nil {
-		return xerrors.Errorf("could not decode base64: %w", err)
-	}
-	if !pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate")
-	}
-	return nil
-}
--- a/pkg/adaptors/oidc/factory_test.go
+++ b/pkg/adaptors/oidc/factory_test.go
@@ -1,88 +0,0 @@
-package oidc
-
-import (
-	"io/ioutil"
-	"testing"
-
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-)
-
-func TestFactory_tlsConfigFor(t *testing.T) {
-	testingLogger := mock_logger.New(t)
-	factory := &Factory{Logger: testingLogger}
-
-	t.Run("Defaults", func(t *testing.T) {
-		c, err := factory.tlsConfigFor(ClientConfig{})
-		if err != nil {
-			t.Fatalf("NewConfig error: %+v", err)
-		}
-		if c.InsecureSkipVerify {
-			t.Errorf("InsecureSkipVerify wants false but true")
-		}
-		if c.RootCAs != nil {
-			t.Errorf("RootCAs wants nil but %+v", c.RootCAs)
-		}
-	})
-	t.Run("SkipTLSVerify", func(t *testing.T) {
-		config := ClientConfig{
-			SkipTLSVerify: true,
-		}
-		c, err := factory.tlsConfigFor(config)
-		if err != nil {
-			t.Fatalf("NewConfig error: %+v", err)
-		}
-		if !c.InsecureSkipVerify {
-			t.Errorf("InsecureSkipVerify wants true but false")
-		}
-		if c.RootCAs != nil {
-			t.Errorf("RootCAs wants nil but %+v", c.RootCAs)
-		}
-	})
-	t.Run("AllCertificates", func(t *testing.T) {
-		config := ClientConfig{
-			Config: kubeconfig.OIDCConfig{
-				IDPCertificateAuthority:     "testdata/tls/ca1.crt",
-				IDPCertificateAuthorityData: string(readFile(t, "testdata/tls/ca2.crt.base64")),
-			},
-			CACertFilename: "testdata/tls/ca3.crt",
-		}
-		c, err := factory.tlsConfigFor(config)
-		if err != nil {
-			t.Fatalf("NewConfig error: %+v", err)
-		}
-		if c.InsecureSkipVerify {
-			t.Errorf("InsecureSkipVerify wants false but true")
-		}
-		if c.RootCAs == nil {
-			t.Fatalf("RootCAs wants non-nil but nil")
-		}
-		subjects := c.RootCAs.Subjects()
-		if len(subjects) != 3 {
-			t.Errorf("len(subjects) wants 3 but %d", len(subjects))
-		}
-	})
-	t.Run("InvalidCertificate", func(t *testing.T) {
-		config := ClientConfig{
-			Config: kubeconfig.OIDCConfig{
-				IDPCertificateAuthority:     "testdata/tls/ca1.crt",
-				IDPCertificateAuthorityData: string(readFile(t, "testdata/tls/ca2.crt.base64")),
-			},
-			CACertFilename: "testdata/Makefile", // invalid cert
-		}
-		_, err := factory.tlsConfigFor(config)
-		if err == nil {
-			t.Fatalf("NewConfig wants non-nil but nil")
-		}
-		t.Logf("expected error: %+v", err)
-	})
-}
-
-func readFile(t *testing.T, filename string) []byte {
-	t.Helper()
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		t.Fatalf("ReadFile error: %s", err)
-	}
-	return b
-}
--- a/pkg/adaptors/oidc/mock_oidc/mock_oidc.go
+++ b/pkg/adaptors/oidc/mock_oidc/mock_oidc.go
@@ -1,146 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/oidc (interfaces: FactoryInterface,Interface,DecoderInterface)
-
-// Package mock_oidc is a generated GoMock package.
-package mock_oidc
-
-import (
-	context "context"
-	gomock "github.com/golang/mock/gomock"
-	oidc "github.com/int128/kubelogin/pkg/adaptors/oidc"
-	reflect "reflect"
-)
-
-// MockFactoryInterface is a mock of FactoryInterface interface
-type MockFactoryInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockFactoryInterfaceMockRecorder
-}
-
-// MockFactoryInterfaceMockRecorder is the mock recorder for MockFactoryInterface
-type MockFactoryInterfaceMockRecorder struct {
-	mock *MockFactoryInterface
-}
-
-// NewMockFactoryInterface creates a new mock instance
-func NewMockFactoryInterface(ctrl *gomock.Controller) *MockFactoryInterface {
-	mock := &MockFactoryInterface{ctrl: ctrl}
-	mock.recorder = &MockFactoryInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockFactoryInterface) EXPECT() *MockFactoryInterfaceMockRecorder {
-	return m.recorder
-}
-
-// New mocks base method
-func (m *MockFactoryInterface) New(arg0 context.Context, arg1 oidc.ClientConfig) (oidc.Interface, error) {
-	ret := m.ctrl.Call(m, "New", arg0, arg1)
-	ret0, _ := ret[0].(oidc.Interface)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// New indicates an expected call of New
-func (mr *MockFactoryInterfaceMockRecorder) New(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockFactoryInterface)(nil).New), arg0, arg1)
-}
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// AuthenticateByCode mocks base method
-func (m *MockInterface) AuthenticateByCode(arg0 context.Context, arg1 []int, arg2 chan<- string) (*oidc.TokenSet, error) {
-	ret := m.ctrl.Call(m, "AuthenticateByCode", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateByCode indicates an expected call of AuthenticateByCode
-func (mr *MockInterfaceMockRecorder) AuthenticateByCode(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByCode", reflect.TypeOf((*MockInterface)(nil).AuthenticateByCode), arg0, arg1, arg2)
-}
-
-// AuthenticateByPassword mocks base method
-func (m *MockInterface) AuthenticateByPassword(arg0 context.Context, arg1, arg2 string) (*oidc.TokenSet, error) {
-	ret := m.ctrl.Call(m, "AuthenticateByPassword", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateByPassword indicates an expected call of AuthenticateByPassword
-func (mr *MockInterfaceMockRecorder) AuthenticateByPassword(arg0, arg1, arg2 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateByPassword", reflect.TypeOf((*MockInterface)(nil).AuthenticateByPassword), arg0, arg1, arg2)
-}
-
-// Refresh mocks base method
-func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidc.TokenSet, error) {
-	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh
-func (mr *MockInterfaceMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockInterface)(nil).Refresh), arg0, arg1)
-}
-
-// MockDecoderInterface is a mock of DecoderInterface interface
-type MockDecoderInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockDecoderInterfaceMockRecorder
-}
-
-// MockDecoderInterfaceMockRecorder is the mock recorder for MockDecoderInterface
-type MockDecoderInterfaceMockRecorder struct {
-	mock *MockDecoderInterface
-}
-
-// NewMockDecoderInterface creates a new mock instance
-func NewMockDecoderInterface(ctrl *gomock.Controller) *MockDecoderInterface {
-	mock := &MockDecoderInterface{ctrl: ctrl}
-	mock.recorder = &MockDecoderInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockDecoderInterface) EXPECT() *MockDecoderInterfaceMockRecorder {
-	return m.recorder
-}
-
-// DecodeIDToken mocks base method
-func (m *MockDecoderInterface) DecodeIDToken(arg0 string) (*oidc.DecodedIDToken, error) {
-	ret := m.ctrl.Call(m, "DecodeIDToken", arg0)
-	ret0, _ := ret[0].(*oidc.DecodedIDToken)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DecodeIDToken indicates an expected call of DecodeIDToken
-func (mr *MockDecoderInterfaceMockRecorder) DecodeIDToken(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DecodeIDToken", reflect.TypeOf((*MockDecoderInterface)(nil).DecodeIDToken), arg0)
-}
--- a/pkg/adaptors/oidc/oidc.go
+++ b/pkg/adaptors/oidc/oidc.go
@@ -1,15 +0,0 @@
-package oidc
-
-import (
-	"github.com/google/wire"
-)
-
-//go:generate mockgen -destination mock_oidc/mock_oidc.go github.com/int128/kubelogin/pkg/adaptors/oidc FactoryInterface,Interface,DecoderInterface
-
-// Set provides an implementation and interface for OIDC.
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
-	wire.Struct(new(Decoder)),
-	wire.Bind(new(DecoderInterface), new(*Decoder)),
-)
--- a/pkg/adaptors/oidc/testdata/Makefile
+++ b/pkg/adaptors/oidc/testdata/Makefile
@@ -1,8 +0,0 @@
-all: jws.key
-
-jws.key:
-	openssl genrsa -out $@ 1024
-
-.PHONY: clean
-clean:
-	-rm -v jws.key
--- a/pkg/adaptors/oidc/testdata/jws.key
+++ b/pkg/adaptors/oidc/testdata/jws.key
@@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCrH34yA/f/sBOUlkYnRtd2jgDZ3WivhidqvoQaa73xqTazbkn6
-GZ9r7jx0CGLRV2bmErj2WoyT54yrhezrKh0YXAHlrwLdsmV4dwiV0lOfUJd9P/vF
-e2hiAWv4CcO9ZuNkTsrxM5W8Wdj2tjqOvsIn4We+HWPkpknT7VtT5RrumwIDAQAB
-AoGAFqy5oA7+kZbXQV0YNqQgcMkoO7Ym5Ps1xeMwxf94z8jIQsZebxFuGnMa95UU
-4wBd1ias85fUANUxwpigaBjQee5Hk+dnfUe1snUWYNm9H6tKrXEF8ajer3a2knEv
-GfK0CSEumFougfW2xG88ChGTS60wc+MIRfXERCvWpGm/5EECQQDdv5IBSi89g/R1
-5AGZKFCoqr6Zw5bWEKPzCCYJZzncR1ER9vP2AnMExM8Io/87WYvmpZIUrXJvQYm8
-hkfVOcBZAkEAxY4VcqmRWru3zmnbj21MwcwtgESaONkWsHeYs1C/Y/3zt7TuelYz
-ZJ9aUuUsaiJLEs9Y26nMt0L0snWGr2noEwJBANaDp1PWFyMUTt3pB17JcFXqb15C
-pt1I1cGapWk9Uez1lMijNNhNAEWhuoKqW5Nnif5DN7EHJYfZR8x3vm/YYWkCQHAA
-0iAkCwjKDLe2RIjYiwAE5ncmbdl1GuwJokVnrlrei+LHbb1mSdTuk6MT006JCs8r
-R1GivzHXgCv9fdLN1IkCQHxRvv9RPND80eEkdMv4qu0s22OLRhLQ/pb+YeT5Cjjv
-pJYWKrvXdRZcuNde9JiiTgK2UW1wM8KeD/EGvK2yF6M=
-----END RSA PRIVATE KEY-----
--- a/pkg/adaptors/oidcclient/factory.go
+++ b/pkg/adaptors/oidcclient/factory.go
@@ -0,0 +1,93 @@
+// Package oidcclient provides a client of OpenID Connect.
+package oidcclient
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net/http"
+
+	"github.com/coreos/go-oidc"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/certpool"
+	"github.com/int128/kubelogin/pkg/adaptors/clock"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/logging"
+	"golang.org/x/oauth2"
+	"golang.org/x/xerrors"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Factory), "*"),
+	wire.Bind(new(FactoryInterface), new(*Factory)),
+)
+
+type FactoryInterface interface {
+	New(ctx context.Context, config Config) (Interface, error)
+}
+
+// Config represents a configuration of OpenID Connect client.
+type Config struct {
+	IssuerURL     string
+	ClientID      string
+	ClientSecret  string
+	ExtraScopes   []string // optional
+	CertPool      certpool.Interface
+	SkipTLSVerify bool
+}
+
+type Factory struct {
+	Clock  clock.Interface
+	Logger logger.Interface
+}
+
+// New returns an instance of adaptors.Interface with the given configuration.
+func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
+	var tlsConfig tls.Config
+	tlsConfig.InsecureSkipVerify = config.SkipTLSVerify
+	config.CertPool.SetRootCAs(&tlsConfig)
+	baseTransport := &http.Transport{
+		TLSClientConfig: &tlsConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	loggingTransport := &logging.Transport{
+		Base:   baseTransport,
+		Logger: f.Logger,
+	}
+	httpClient := &http.Client{
+		Transport: loggingTransport,
+	}
+
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	provider, err := oidc.NewProvider(ctx, config.IssuerURL)
+	if err != nil {
+		return nil, xerrors.Errorf("oidc discovery error: %w", err)
+	}
+	supportedPKCEMethods, err := extractSupportedPKCEMethods(provider)
+	if err != nil {
+		return nil, xerrors.Errorf("could not determine supported PKCE methods: %w", err)
+	}
+	return &client{
+		httpClient: httpClient,
+		provider:   provider,
+		oauth2Config: oauth2.Config{
+			Endpoint:     provider.Endpoint(),
+			ClientID:     config.ClientID,
+			ClientSecret: config.ClientSecret,
+			Scopes:       append(config.ExtraScopes, oidc.ScopeOpenID),
+		},
+		clock:                f.Clock,
+		logger:               f.Logger,
+		supportedPKCEMethods: supportedPKCEMethods,
+	}, nil
+}
+
+func extractSupportedPKCEMethods(provider *oidc.Provider) ([]string, error) {
+	var d struct {
+		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
+	}
+	if err := provider.Claims(&d); err != nil {
+		return nil, fmt.Errorf("invalid discovery document: %w", err)
+	}
+	return d.CodeChallengeMethodsSupported, nil
+}
--- a/pkg/adaptors/oidcclient/logging/transport.go
+++ b/pkg/adaptors/oidcclient/logging/transport.go
--- a/pkg/adaptors/oidcclient/logging/transport_test.go
+++ b/pkg/adaptors/oidcclient/logging/transport_test.go
@@ -8,7 +8,7 @@ import (
 	"testing"

 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 )

 type mockTransport struct {
@@ -37,7 +37,7 @@ dummy`)), req)

 	transport := &Transport{
 		Base:   &mockTransport{resp: resp},
-		Logger: mock_logger.New(t),
+		Logger: logger.New(t),
 	}
 	gotResp, err := transport.RoundTrip(req)
 	if err != nil {
--- a/pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go
+++ b/pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go
@@ -0,0 +1,123 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/adaptors/oidcclient (interfaces: Interface)
+
+// Package mock_oidcclient is a generated GoMock package.
+package mock_oidcclient
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	oidcclient "github.com/int128/kubelogin/pkg/adaptors/oidcclient"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface.
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance.
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// ExchangeAuthCode mocks base method.
+func (m *MockInterface) ExchangeAuthCode(arg0 context.Context, arg1 oidcclient.ExchangeAuthCodeInput) (*oidcclient.TokenSet, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ExchangeAuthCode", arg0, arg1)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ExchangeAuthCode indicates an expected call of ExchangeAuthCode.
+func (mr *MockInterfaceMockRecorder) ExchangeAuthCode(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExchangeAuthCode", reflect.TypeOf((*MockInterface)(nil).ExchangeAuthCode), arg0, arg1)
+}
+
+// GetAuthCodeURL mocks base method.
+func (m *MockInterface) GetAuthCodeURL(arg0 oidcclient.AuthCodeURLInput) string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAuthCodeURL", arg0)
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// GetAuthCodeURL indicates an expected call of GetAuthCodeURL.
+func (mr *MockInterfaceMockRecorder) GetAuthCodeURL(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthCodeURL", reflect.TypeOf((*MockInterface)(nil).GetAuthCodeURL), arg0)
+}
+
+// GetTokenByAuthCode mocks base method.
+func (m *MockInterface) GetTokenByAuthCode(arg0 context.Context, arg1 oidcclient.GetTokenByAuthCodeInput, arg2 chan<- string) (*oidcclient.TokenSet, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetTokenByAuthCode", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetTokenByAuthCode indicates an expected call of GetTokenByAuthCode.
+func (mr *MockInterfaceMockRecorder) GetTokenByAuthCode(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenByAuthCode", reflect.TypeOf((*MockInterface)(nil).GetTokenByAuthCode), arg0, arg1, arg2)
+}
+
+// GetTokenByROPC mocks base method.
+func (m *MockInterface) GetTokenByROPC(arg0 context.Context, arg1, arg2 string) (*oidcclient.TokenSet, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetTokenByROPC", arg0, arg1, arg2)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetTokenByROPC indicates an expected call of GetTokenByROPC.
+func (mr *MockInterfaceMockRecorder) GetTokenByROPC(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenByROPC", reflect.TypeOf((*MockInterface)(nil).GetTokenByROPC), arg0, arg1, arg2)
+}
+
+// Refresh mocks base method.
+func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidcclient.TokenSet, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Refresh indicates an expected call of Refresh.
+func (mr *MockInterfaceMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockInterface)(nil).Refresh), arg0, arg1)
+}
+
+// SupportedPKCEMethods mocks base method.
+func (m *MockInterface) SupportedPKCEMethods() []string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SupportedPKCEMethods")
+	ret0, _ := ret[0].([]string)
+	return ret0
+}
+
+// SupportedPKCEMethods indicates an expected call of SupportedPKCEMethods.
+func (mr *MockInterfaceMockRecorder) SupportedPKCEMethods() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SupportedPKCEMethods", reflect.TypeOf((*MockInterface)(nil).SupportedPKCEMethods))
+}
--- a/pkg/adaptors/oidcclient/oidcclient.go
+++ b/pkg/adaptors/oidcclient/oidcclient.go
@@ -0,0 +1,203 @@
+package oidcclient
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/coreos/go-oidc"
+	"github.com/int128/kubelogin/pkg/adaptors/clock"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+	"github.com/int128/kubelogin/pkg/domain/pkce"
+	"github.com/int128/oauth2cli"
+	"golang.org/x/oauth2"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_oidcclient/mock_oidcclient.go github.com/int128/kubelogin/pkg/adaptors/oidcclient Interface
+
+type Interface interface {
+	GetAuthCodeURL(in AuthCodeURLInput) string
+	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error)
+	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error)
+	GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error)
+	Refresh(ctx context.Context, refreshToken string) (*TokenSet, error)
+	SupportedPKCEMethods() []string
+}
+
+type AuthCodeURLInput struct {
+	State                  string
+	Nonce                  string
+	PKCEParams             pkce.Params
+	RedirectURI            string
+	AuthRequestExtraParams map[string]string
+}
+
+type ExchangeAuthCodeInput struct {
+	Code        string
+	PKCEParams  pkce.Params
+	Nonce       string
+	RedirectURI string
+}
+
+type GetTokenByAuthCodeInput struct {
+	BindAddress            []string
+	State                  string
+	Nonce                  string
+	PKCEParams             pkce.Params
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
+	LocalServerSuccessHTML string
+}
+
+// TokenSet represents an output DTO of
+// Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
+type TokenSet struct {
+	IDToken       string
+	RefreshToken  string
+	IDTokenClaims jwt.Claims
+}
+
+type client struct {
+	httpClient           *http.Client
+	provider             *oidc.Provider
+	oauth2Config         oauth2.Config
+	clock                clock.Interface
+	logger               logger.Interface
+	supportedPKCEMethods []string
+}
+
+func (c *client) wrapContext(ctx context.Context) context.Context {
+	if c.httpClient != nil {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
+	}
+	return ctx
+}
+
+// GetTokenByAuthCode performs the authorization code flow.
+func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	config := oauth2cli.Config{
+		OAuth2Config:           c.oauth2Config,
+		State:                  in.State,
+		AuthCodeOptions:        authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
+		TokenRequestOptions:    tokenRequestOptions(in.PKCEParams),
+		LocalServerBindAddress: in.BindAddress,
+		LocalServerReadyChan:   localServerReadyChan,
+		RedirectURLHostname:    in.RedirectURLHostname,
+		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		Logf:                   c.logger.V(1).Infof,
+	}
+	token, err := oauth2cli.GetToken(ctx, config)
+	if err != nil {
+		return nil, xerrors.Errorf("oauth2 error: %w", err)
+	}
+	return c.verifyToken(ctx, token, in.Nonce)
+}
+
+// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
+func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
+	cfg := c.oauth2Config
+	cfg.RedirectURL = in.RedirectURI
+	opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
+	return cfg.AuthCodeURL(in.State, opts...)
+}
+
+// ExchangeAuthCode exchanges the authorization code and token.
+func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	cfg := c.oauth2Config
+	cfg.RedirectURL = in.RedirectURI
+	opts := tokenRequestOptions(in.PKCEParams)
+	token, err := cfg.Exchange(ctx, in.Code, opts...)
+	if err != nil {
+		return nil, xerrors.Errorf("exchange error: %w", err)
+	}
+	return c.verifyToken(ctx, token, in.Nonce)
+}
+
+func authorizationRequestOptions(n string, p pkce.Params, e map[string]string) []oauth2.AuthCodeOption {
+	o := []oauth2.AuthCodeOption{
+		oauth2.AccessTypeOffline,
+		oidc.Nonce(n),
+	}
+	if !p.IsZero() {
+		o = append(o,
+			oauth2.SetAuthURLParam("code_challenge", p.CodeChallenge),
+			oauth2.SetAuthURLParam("code_challenge_method", p.CodeChallengeMethod),
+		)
+	}
+	for key, value := range e {
+		o = append(o, oauth2.SetAuthURLParam(key, value))
+	}
+	return o
+}
+
+func tokenRequestOptions(p pkce.Params) (o []oauth2.AuthCodeOption) {
+	if !p.IsZero() {
+		o = append(o, oauth2.SetAuthURLParam("code_verifier", p.CodeVerifier))
+	}
+	return
+}
+
+// SupportedPKCEMethods returns the PKCE methods supported by the provider.
+// This may return nil if PKCE is not supported.
+func (c *client) SupportedPKCEMethods() []string {
+	return c.supportedPKCEMethods
+}
+
+// GetTokenByROPC performs the resource owner password credentials flow.
+func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
+	if err != nil {
+		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
+	}
+	return c.verifyToken(ctx, token, "")
+}
+
+// Refresh sends a refresh token request and returns a token set.
+func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	currentToken := &oauth2.Token{
+		Expiry:       time.Now(),
+		RefreshToken: refreshToken,
+	}
+	source := c.oauth2Config.TokenSource(ctx, currentToken)
+	token, err := source.Token()
+	if err != nil {
+		return nil, xerrors.Errorf("could not refresh the token: %w", err)
+	}
+	return c.verifyToken(ctx, token, "")
+}
+
+// verifyToken verifies the token with the certificates of the provider and the nonce.
+// If the nonce is an empty string, it does not verify the nonce.
+func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*TokenSet, error) {
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not verify the ID token: %w", err)
+	}
+	if nonce != "" && nonce != verifiedIDToken.Nonce {
+		return nil, xerrors.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
+	}
+	pretty, err := jwt.DecodePayloadAsPrettyJSON(idToken)
+	if err != nil {
+		return nil, xerrors.Errorf("could not decode the token: %w", err)
+	}
+	return &TokenSet{
+		IDToken: idToken,
+		IDTokenClaims: jwt.Claims{
+			Subject: verifiedIDToken.Subject,
+			Expiry:  verifiedIDToken.Expiry,
+			Pretty:  pretty,
+		},
+		RefreshToken: token.RefreshToken,
+	}, nil
+}
--- a/pkg/adaptors/reader/mock_reader/mock_reader.go
+++ b/pkg/adaptors/reader/mock_reader/mock_reader.go
@@ -1,8 +1,8 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/env (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/reader (interfaces: Interface)

-// Package mock_env is a generated GoMock package.
-package mock_env
+// Package mock_reader is a generated GoMock package.
+package mock_reader

 import (
 	gomock "github.com/golang/mock/gomock"
@@ -32,20 +32,9 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// OpenBrowser mocks base method
-func (m *MockInterface) OpenBrowser(arg0 string) error {
-	ret := m.ctrl.Call(m, "OpenBrowser", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// OpenBrowser indicates an expected call of OpenBrowser
-func (mr *MockInterfaceMockRecorder) OpenBrowser(arg0 interface{}) *gomock.Call {
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OpenBrowser", reflect.TypeOf((*MockInterface)(nil).OpenBrowser), arg0)
-}
-
 // ReadPassword mocks base method
 func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
+	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ReadPassword", arg0)
 	ret0, _ := ret[0].(string)
 	ret1, _ := ret[1].(error)
@@ -54,5 +43,21 @@ func (m *MockInterface) ReadPassword(arg0 string) (string, error) {

 // ReadPassword indicates an expected call of ReadPassword
 func (mr *MockInterfaceMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockInterface)(nil).ReadPassword), arg0)
 }
+
+// ReadString mocks base method
+func (m *MockInterface) ReadString(arg0 string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ReadString", arg0)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ReadString indicates an expected call of ReadString
+func (mr *MockInterfaceMockRecorder) ReadString(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadString", reflect.TypeOf((*MockInterface)(nil).ReadString), arg0)
+}
--- a/pkg/adaptors/reader/reader.go
+++ b/pkg/adaptors/reader/reader.go
@@ -0,0 +1,61 @@
+// Package reader provides the reader of standard input.
+package reader
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+	"syscall"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/stdio"
+	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_reader/mock_reader.go github.com/int128/kubelogin/pkg/adaptors/reader Interface
+
+// Set provides an implementation and interface for Reader.
+var Set = wire.NewSet(
+	wire.Struct(new(Reader), "*"),
+	wire.Bind(new(Interface), new(*Reader)),
+)
+
+type Interface interface {
+	ReadString(prompt string) (string, error)
+	ReadPassword(prompt string) (string, error)
+}
+
+type Reader struct {
+	Stdin stdio.Stdin
+}
+
+// ReadString reads a string from the stdin.
+func (x *Reader) ReadString(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", xerrors.Errorf("write error: %w", err)
+	}
+	r := bufio.NewReader(x.Stdin)
+	s, err := r.ReadString('\n')
+	if err != nil {
+		return "", xerrors.Errorf("read error: %w", err)
+	}
+	s = strings.TrimRight(s, "\r\n")
+	return s, nil
+}
+
+// ReadPassword reads a password from the stdin without echo back.
+func (*Reader) ReadPassword(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", xerrors.Errorf("write error: %w", err)
+	}
+	b, err := terminal.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", xerrors.Errorf("read error: %w", err)
+	}
+	if _, err := fmt.Fprintln(os.Stderr); err != nil {
+		return "", xerrors.Errorf("write error: %w", err)
+	}
+	return string(b), nil
+}
--- a/Show More
+++ b/Show More