Refactor: remove test of make run (#199)

* Refactor: add e2e tests for credential plugin

* Refactor: extract assertCredentialPluginOutput()

* Refactor: add credential plugin test with TLS

* Refactor: extract helpers

* Refactor: rewrite TLS test cases

* Refactor: add test cases of token lifecycle

.circleci/config.yml

@@ -4,12 +4,11 @@ jobs:
     docker:
       - image: circleci/golang:1.13.3
     steps:
+      - run: |
+          sudo apt install -y file
       - run: |
           mkdir -p ~/bin
           echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
-      - run: |
-          curl -L -o ~/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.14.0/bin/linux/amd64/kubectl
-          chmod +x ~/bin/kubectl
       - run: |
           curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
           chmod +x ~/bin/ghcp
@@ -20,7 +19,11 @@ jobs:
       - checkout
       - run: make check
       - run: bash <(curl -s https://codecov.io/bash)
-      - run: make run
+      - run: make dist
+      - run: |
+          unzip dist/gh/kubelogin_linux_amd64.zip -d /tmp
+          file /tmp/kubelogin
+          /tmp/kubelogin --help
       - run: |
           if [ "$CIRCLE_TAG" ]; then
             make release

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [int128] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

Makefile

@@ -1,5 +1,4 @@
 TARGET := kubelogin
-TARGET_PLUGIN := kubectl-oidc_login
 CIRCLE_TAG ?= HEAD
 LDFLAGS := -X main.version=$(CIRCLE_TAG)
 
@@ -13,27 +12,26 @@ check:
 $(TARGET): $(wildcard *.go)
 	go build -o $@ -ldflags "$(LDFLAGS)"
 
-$(TARGET_PLUGIN): $(TARGET)
-	ln -sf $(TARGET) $@
-
-.PHONY: run
-run: $(TARGET_PLUGIN)
-	-PATH=.:$(PATH) kubectl oidc-login --help
-
 dist:
-	VERSION=$(CIRCLE_TAG) goxzst -d dist/gh/ -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
+    # make the zip files for GitHub Releases
+	VERSION=$(CIRCLE_TAG) CGO_ENABLED=0 goxzst -d dist/gh/ -i "LICENSE" -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
+	zipinfo dist/gh/kubelogin_linux_amd64.zip
+	# make the Homebrew formula
 	mv dist/gh/kubelogin.rb dist/
+	# make the yaml for krew-index
 	mkdir -p dist/plugins
 	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml
 
 .PHONY: release
 release: dist
+    # publish to the GitHub Releases
 	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
+	# publish to the Homebrew tap repository
 	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
+	# fork krew-index and create a branch
 	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml
 
 .PHONY: clean
 clean:
 	-rm $(TARGET)
-	-rm $(TARGET_PLUGIN)
 	-rm -r dist/

README.md

@@ -2,10 +2,14 @@
 
 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
 
-This is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
+Here is an example of Kubernetes authentication with the Google Identity Platform:
+
+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/70971501-7bcebc80-20e4-11ea-8afc-539dcaea0aa8.gif" width="652" height="455">
+
+Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 When you run kubectl, kubelogin opens the browser and you can log in to the provider.
 Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token.
-Take a look at the following diagram:
+Take a look at the diagram:
 
 ![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)
 
@@ -24,7 +28,7 @@ brew install int128/kubelogin/kubelogin
 kubectl krew install oidc-login
 
 # GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.14.2/kubelogin_linux_amd64.zip
+curl -LO https://github.com/int128/kubelogin/releases/download/v1.15.0/kubelogin_linux_amd64.zip
 unzip kubelogin_linux_amd64.zip
 ln -s kubelogin kubectl-oidc_login
 ```
@@ -68,7 +72,6 @@ After authentication, kubelogin returns the credentials to kubectl and finally k
 ```
 % kubectl get pods
 Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-18 10:28:51 +0900 JST
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
 ```
@@ -79,9 +82,25 @@ If the cached ID token is valid, kubelogin just returns it.
 If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
 If the refresh token has expired, kubelogin will perform reauthentication.
 
+
+### Troubleshoot
+
 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
 Kubelogin will perform authentication if the token cache file does not exist.
 
+You can dump the claims of token by passing `-v1` option.
+
+```
+I1212 10:14:17.754394    2517 get_token.go:91] the ID token has the claim: sub=********
+I1212 10:14:17.754434    2517 get_token.go:91] the ID token has the claim: at_hash=********
+I1212 10:14:17.754449    2517 get_token.go:91] the ID token has the claim: nonce=********
+I1212 10:14:17.754459    2517 get_token.go:91] the ID token has the claim: iat=1576113256
+I1212 10:14:17.754467    2517 get_token.go:91] the ID token has the claim: exp=1576116856
+I1212 10:14:17.754484    2517 get_token.go:91] the ID token has the claim: iss=https://accounts.google.com
+I1212 10:14:17.754497    2517 get_token.go:91] the ID token has the claim: azp=********.apps.googleusercontent.com
+I1212 10:14:17.754506    2517 get_token.go:91] the ID token has the claim: aud=********.apps.googleusercontent.com
+```
+
 
 ## Usage
 
@@ -244,7 +263,7 @@ Feel free to open issues and pull requests for improving code and documents.
 
 ### Development
 
-Go 1.12 or later is required.
+Go 1.13 or later is required.
 
 ```sh
 # Run lint and tests

e2e_test/credetial_plugin_test.go

@@ -8,12 +8,15 @@ import (
 	"time"
 
 	"github.com/golang/mock/gomock"
+	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/e2e_test/idp"
 	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
+	"github.com/int128/kubelogin/e2e_test/keys"
 	"github.com/int128/kubelogin/e2e_test/localserver"
 	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
 	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin/mock_credentialplugin"
 	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 )
@@ -25,8 +28,7 @@ import (
 // 3. Open a request for the local server.
 // 4. Verify the output.
 //
-func TestCmd_Run_CredentialPlugin(t *testing.T) {
-	timeout := 1 * time.Second
+func TestCredentialPlugin(t *testing.T) {
 	cacheDir, err := ioutil.TempDir("", "kube")
 	if err != nil {
 		t.Fatalf("could not create a cache dir: %s", err)
@@ -37,48 +39,261 @@ func TestCmd_Run_CredentialPlugin(t *testing.T) {
 		}
 	}()
 
+	t.Run("NoTLS", func(t *testing.T) {
+		testCredentialPlugin(t, cacheDir, keys.None, nil)
+	})
+	t.Run("TLS", func(t *testing.T) {
+		testCredentialPlugin(t, cacheDir, keys.Server, []string{"--certificate-authority", keys.Server.CACertPath})
+	})
+}
+
+func testCredentialPlugin(t *testing.T, cacheDir string, idpTLS keys.Keys, extraArgs []string) {
+	timeout := 1 * time.Second
+
 	t.Run("Defaults", func(t *testing.T) {
 		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
 		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
 		defer server.Shutdown(t, ctx)
 		var idToken string
 		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
 		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		credentialPluginInteraction.EXPECT().
-			Write(gomock.Any()).
-			Do(func(out credentialplugin.Output) {
-				if out.Token != idToken {
-					t.Errorf("Token wants %s but %s", idToken, out.Token)
-				}
-				if out.Expiry != tokenExpiryFuture {
-					t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
-				}
-			})
+		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
 
-		runGetTokenCmd(t, ctx,
-			openBrowserOnReadyFunc(t, ctx, nil),
-			credentialPluginInteraction,
-			"--skip-open-browser",
-			"--listen-port", "0",
+		args := []string{
 			"--token-cache-dir", cacheDir,
 			"--oidc-issuer-url", serverURL,
 			"--oidc-client-id", "kubernetes",
-		)
+		}
+		args = append(args, extraArgs...)
+		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
+	})
+
+	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
+		setupMockIDPForROPC(service, serverURL, "openid", "USER", "PASS", idToken)
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
+		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
+
+		args := []string{
+			"--token-cache-dir", cacheDir,
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--username", "USER",
+			"--password", "PASS",
+		}
+		args = append(args, extraArgs...)
+		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
+	})
+
+	t.Run("HasValidToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		setupTokenCache(t, cacheDir, tokencache.Key{
+			IssuerURL: serverURL,
+			ClientID:  "kubernetes",
+		}, tokencache.TokenCache{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
+		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
+
+		args := []string{
+			"--token-cache-dir", cacheDir,
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, extraArgs...)
+		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
+		assertTokenCache(t, cacheDir, tokencache.Key{
+			IssuerURL: serverURL,
+			ClientID:  "kubernetes",
+		}, tokencache.TokenCache{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasValidRefreshToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
+
+		setupMockIDPForDiscovery(service, serverURL)
+		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
+			Return(idp.NewTokenResponse(validIDToken, "NEW_REFRESH_TOKEN"), nil)
+
+		setupTokenCache(t, cacheDir, tokencache.Key{
+			IssuerURL: serverURL,
+			ClientID:  "kubernetes",
+		}, tokencache.TokenCache{
+			IDToken:      expiredIDToken,
+			RefreshToken: "VALID_REFRESH_TOKEN",
+		})
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
+		assertCredentialPluginOutput(t, credentialPluginInteraction, &validIDToken)
+
+		args := []string{
+			"--token-cache-dir", cacheDir,
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, extraArgs...)
+		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
+		assertTokenCache(t, cacheDir, tokencache.Key{
+			IssuerURL: serverURL,
+			ClientID:  "kubernetes",
+		}, tokencache.TokenCache{
+			IDToken:      validIDToken,
+			RefreshToken: "NEW_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
+
+		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &validIDToken)
+		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
+			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
+			MaxTimes(2) // package oauth2 will retry refreshing the token
+
+		setupTokenCache(t, cacheDir, tokencache.Key{
+			IssuerURL: serverURL,
+			ClientID:  "kubernetes",
+		}, tokencache.TokenCache{
+			IDToken:      expiredIDToken,
+			RefreshToken: "EXPIRED_REFRESH_TOKEN",
+		})
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
+		assertCredentialPluginOutput(t, credentialPluginInteraction, &validIDToken)
+
+		args := []string{
+			"--token-cache-dir", cacheDir,
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, extraArgs...)
+		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
+		assertTokenCache(t, cacheDir, tokencache.Key{
+			IssuerURL: serverURL,
+			ClientID:  "kubernetes",
+		}, tokencache.TokenCache{
+			IDToken:      validIDToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		var idToken string
+		setupMockIDPForCodeFlow(t, service, serverURL, "email profile openid", &idToken)
+
+		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
+		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
+
+		args := []string{
+			"--token-cache-dir", cacheDir,
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--oidc-extra-scope", "email",
+			"--oidc-extra-scope", "profile",
+		}
+		args = append(args, extraArgs...)
+		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
 	})
 }
 
-func runGetTokenCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, interaction credentialplugin.Interface, args ...string) {
+func assertCredentialPluginOutput(t *testing.T, credentialPluginInteraction *mock_credentialplugin.MockInterface, idToken *string) {
+	credentialPluginInteraction.EXPECT().
+		Write(gomock.Any()).
+		Do(func(out credentialplugin.Output) {
+			if out.Token != *idToken {
+				t.Errorf("Token wants %s but %s", *idToken, out.Token)
+			}
+			if out.Expiry != tokenExpiryFuture {
+				t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
+			}
+		})
+}
+
+func runGetTokenCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, interaction credentialplugin.Interface, args []string) {
 	t.Helper()
 	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, interaction)
-	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "get-token", "--v=1"}, args...), "HEAD")
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin", "get-token",
+		"--v=1",
+		"--skip-open-browser",
+		"--listen-port", "0",
+	}, args...), "HEAD")
 	if exitCode != 0 {
 		t.Errorf("exit status wants 0 but %d", exitCode)
 	}
 }
+
+func setupTokenCache(t *testing.T, cacheDir string, k tokencache.Key, v tokencache.TokenCache) {
+	var r tokencache.Repository
+	err := r.Save(cacheDir, k, v)
+	if err != nil {
+		t.Errorf("could not set up the token cache: %s", err)
+	}
+}
+
+func assertTokenCache(t *testing.T, cacheDir string, k tokencache.Key, want tokencache.TokenCache) {
+	var r tokencache.Repository
+	v, err := r.FindByKey(cacheDir, k)
+	if err != nil {
+		t.Errorf("could not set up the token cache: %s", err)
+	}
+	if diff := cmp.Diff(&want, v); diff != "" {
+		t.Errorf("token cache mismatch: %s", diff)
+	}
+}

e2e_test/helpers_test.go

@@ -0,0 +1,91 @@
+package e2e_test
+
+import (
+	"context"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/e2e_test/idp"
+	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
+	"github.com/int128/kubelogin/e2e_test/keys"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+)
+
+var (
+	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
+	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
+)
+
+func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
+	t.Helper()
+	var claims struct {
+		jwt.StandardClaims
+		Nonce  string   `json:"nonce"`
+		Groups []string `json:"groups"`
+	}
+	claims.StandardClaims = jwt.StandardClaims{
+		Issuer:    issuer,
+		Audience:  "kubernetes",
+		Subject:   "SUBJECT",
+		IssuedAt:  time.Now().Unix(),
+		ExpiresAt: expiry.Unix(),
+	}
+	claims.Nonce = nonce
+	claims.Groups = []string{"admin", "users"}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	s, err := token.SignedString(keys.JWSKeyPair)
+	if err != nil {
+		t.Fatalf("Could not sign the claims: %s", err)
+	}
+	return s
+}
+
+func setupMockIDPForDiscovery(service *mock_idp.MockService, serverURL string) {
+	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
+}
+
+func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
+	var nonce string
+	setupMockIDPForDiscovery(service, serverURL)
+	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
+		DoAndReturn(func(_, gotNonce string) (string, error) {
+			nonce = gotNonce
+			return "YOUR_AUTH_CODE", nil
+		})
+	service.EXPECT().Exchange("YOUR_AUTH_CODE").
+		DoAndReturn(func(string) (*idp.TokenResponse, error) {
+			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
+			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
+		})
+}
+
+func setupMockIDPForROPC(service *mock_idp.MockService, serverURL, scope, username, password, idToken string) {
+	setupMockIDPForDiscovery(service, serverURL)
+	service.EXPECT().AuthenticatePassword(username, password, scope).
+		Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
+}
+
+func openBrowserOnReadyFunc(t *testing.T, ctx context.Context, k keys.Keys) authentication.LocalServerReadyFunc {
+	return func(url string) {
+		client := http.Client{Transport: &http.Transport{TLSClientConfig: k.TLSConfig}}
+		req, err := http.NewRequest("GET", url, nil)
+		if err != nil {
+			t.Errorf("could not create a request: %s", err)
+			return
+		}
+		req = req.WithContext(ctx)
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Errorf("could not send a request: %s", err)
+			return
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != 200 {
+			t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+		}
+	}
+}

e2e_test/keys/keys.go

@@ -4,68 +4,64 @@ import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/pem"
 	"io/ioutil"
-
-	"golang.org/x/xerrors"
 )
 
-// TLSCACert is path to the CA certificate.
-// This should be generated by Makefile before test.
-const TLSCACert = "keys/testdata/ca.crt"
+// Keys represents a pair of certificate and key.
+type Keys struct {
+	CertPath   string
+	KeyPath    string
+	CACertPath string
+	TLSConfig  *tls.Config
+}
 
-// TLSCACertAsBase64 is a base64 encoded string of TLSCACert.
-var TLSCACertAsBase64 string
+// None represents non-TLS.
+var None Keys
 
-// TLSCACertAsConfig is a TLS config including TLSCACert.
-var TLSCACertAsConfig = &tls.Config{RootCAs: x509.NewCertPool()}
-
-// TLSServerCert is path to the server certificate.
-// This should be generated by Makefile before test.
-const TLSServerCert = "keys/testdata/server.crt"
-
-// TLSServerKey is path to the server key.
-// This should be generated by Makefile before test.
-const TLSServerKey = "keys/testdata/server.key"
+// Server is a Keys for TLS server.
+// These files should be generated by Makefile before test.
+var Server = Keys{
+	CertPath:   "keys/testdata/server.crt",
+	KeyPath:    "keys/testdata/server.key",
+	CACertPath: "keys/testdata/ca.crt",
+	TLSConfig:  newTLSConfig("keys/testdata/ca.crt"),
+}
 
 // JWSKey is path to the key for signing ID tokens.
+// This file should be generated by Makefile before test.
 const JWSKey = "keys/testdata/jws.key"
 
 // JWSKeyPair is the key pair loaded from JWSKey.
-var JWSKeyPair *rsa.PrivateKey
+var JWSKeyPair = readPrivateKey(JWSKey)
 
-func init() {
-	var err error
-	JWSKeyPair, err = readPrivateKey(JWSKey)
-	if err != nil {
-		panic(err)
-	}
-	b, err := ioutil.ReadFile(TLSCACert)
-	if err != nil {
-		panic(err)
-	}
-	TLSCACertAsBase64 = base64.StdEncoding.EncodeToString(b)
-	if !TLSCACertAsConfig.RootCAs.AppendCertsFromPEM(b) {
-		panic("could not append the CA cert")
-	}
-}
-
-func readPrivateKey(name string) (*rsa.PrivateKey, error) {
+func newTLSConfig(name string) *tls.Config {
 	b, err := ioutil.ReadFile(name)
 	if err != nil {
-		return nil, xerrors.Errorf("could not read JWSKey: %w", err)
+		panic(err)
+	}
+	p := x509.NewCertPool()
+	if !p.AppendCertsFromPEM(b) {
+		panic("could not append the CA cert")
+	}
+	return &tls.Config{RootCAs: p}
+}
+
+func readPrivateKey(name string) *rsa.PrivateKey {
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		panic(err)
 	}
 	block, rest := pem.Decode(b)
 	if block == nil {
-		return nil, xerrors.New("could not decode PEM")
+		panic("could not decode PEM")
 	}
 	if len(rest) > 0 {
-		return nil, xerrors.New("PEM should contain single key but multiple keys")
+		panic("PEM should contain single key but multiple keys")
 	}
 	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 	if err != nil {
-		return nil, xerrors.Errorf("could not parse the key: %w", err)
+		panic(err)
 	}
-	return k, nil
+	return k
 }

e2e_test/localserver/authserver.go

@@ -8,6 +8,8 @@ import (
 	"net"
 	"net/http"
 	"testing"
+
+	"github.com/int128/kubelogin/e2e_test/keys"
 )
 
 type Shutdowner interface {
@@ -28,7 +30,15 @@ func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
 }
 
 // Start starts an authentication server.
-func Start(t *testing.T, h http.Handler) (string, Shutdowner) {
+// If k is non-nil, it starts a TLS server.
+func Start(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
+	if k == keys.None {
+		return startNoTLS(t, h)
+	}
+	return startTLS(t, h, k)
+}
+
+func startNoTLS(t *testing.T, h http.Handler) (string, Shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "http://localhost:" + port
@@ -44,8 +54,7 @@ func Start(t *testing.T, h http.Handler) (string, Shutdowner) {
 	return url, &shutdowner{l, s}
 }
 
-// Start starts an authentication server with TLS.
-func StartTLS(t *testing.T, cert string, key string, h http.Handler) (string, Shutdowner) {
+func startTLS(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "https://localhost:" + port
@@ -53,7 +62,7 @@ func StartTLS(t *testing.T, cert string, key string, h http.Handler) (string, Sh
 		Handler: h,
 	}
 	go func() {
-		err := s.ServeTLS(l, cert, key)
+		err := s.ServeTLS(l, k.CertPath, k.KeyPath)
 		if err != nil && err != http.ErrServerClosed {
 			t.Error(err)
 		}

e2e_test/standalone_test.go

@@ -2,13 +2,10 @@ package e2e_test
 
 import (
 	"context"
-	"crypto/tls"
-	"net/http"
 	"os"
 	"testing"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/e2e_test/idp"
 	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
@@ -20,11 +17,6 @@ import (
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 )
 
-var (
-	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
-	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
-)
-
 // Run the integration tests of the Login use-case.
 //
 // 1. Start the auth server.
@@ -32,191 +24,19 @@ var (
 // 3. Open a request for the local server.
 // 4. Verify the kubeconfig.
 //
-func TestCmd_Run_Standalone(t *testing.T) {
+func TestStandalone(t *testing.T) {
+	t.Run("NoTLS", func(t *testing.T) {
+		testStandalone(t, keys.None)
+	})
+	t.Run("TLS", func(t *testing.T) {
+		testStandalone(t, keys.Server)
+	})
+}
+
+func testStandalone(t *testing.T, idpTLS keys.Keys) {
 	timeout := 5 * time.Second
 
-	type testParameter struct {
-		startServer                       func(t *testing.T, h http.Handler) (string, localserver.Shutdowner)
-		kubeconfigIDPCertificateAuthority string
-		clientTLSConfig                   *tls.Config
-	}
-
-	testParameters := map[string]testParameter{
-		"NoTLS": {
-			startServer: localserver.Start,
-		},
-		"CACert": {
-			startServer: func(t *testing.T, h http.Handler) (string, localserver.Shutdowner) {
-				return localserver.StartTLS(t, keys.TLSServerCert, keys.TLSServerKey, h)
-			},
-			kubeconfigIDPCertificateAuthority: keys.TLSCACert,
-			clientTLSConfig:                   keys.TLSCACertAsConfig,
-		},
-	}
-
-	runTest := func(t *testing.T, p testParameter) {
-		t.Run("Defaults", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			var idToken string
-			setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-			service.EXPECT().AuthenticatePassword("USER", "PASS", "openid").
-				Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--username", "USER", "--password", "PASS")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("HasValidToken", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDToken:                 idToken,
-				RefreshToken:            "YOUR_REFRESH_TOKEN",
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("HasValidRefreshToken", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-			service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-			service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-			service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
-				Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-				RefreshToken:            "VALID_REFRESH_TOKEN",
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "NEW_REFRESH_TOKEN",
-			})
-		})
-
-		t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-			t.Parallel()
-			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-			defer cancel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			service := mock_idp.NewMockService(ctrl)
-			serverURL, server := p.startServer(t, idp.NewHandler(t, service))
-			defer server.Shutdown(t, ctx)
-			var idToken string
-			setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-			service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
-				Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
-				MaxTimes(2) // package oauth2 will retry refreshing the token
-
-			kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-				Issuer:                  serverURL,
-				IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-				RefreshToken:            "EXPIRED_REFRESH_TOKEN",
-				IDPCertificateAuthority: p.kubeconfigIDPCertificateAuthority,
-			})
-			defer os.Remove(kubeConfigFilename)
-
-			runCmd(t, ctx,
-				openBrowserOnReadyFunc(t, ctx, p.clientTLSConfig),
-				"--kubeconfig", kubeConfigFilename, "--skip-open-browser")
-			kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-				IDToken:      idToken,
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-			})
-		})
-	}
-
-	for name, p := range testParameters {
-		t.Run(name, func(t *testing.T) {
-			runTest(t, p)
-		})
-	}
-
-	t.Run("env:KUBECONFIG", func(t *testing.T) {
+	t.Run("Defaults", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
@@ -224,19 +44,179 @@ func TestCmd_Run_Standalone(t *testing.T) {
 		defer ctrl.Finish()
 
 		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		var idToken string
+		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                  serverURL,
+			IDPCertificateAuthority: idpTLS.CACertPath,
+		})
+		defer os.Remove(kubeConfigFilename)
+
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
+		setupMockIDPForROPC(service, serverURL, "openid", "USER", "PASS", idToken)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                  serverURL,
+			IDPCertificateAuthority: idpTLS.CACertPath,
+		})
+		defer os.Remove(kubeConfigFilename)
+
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+			"--username", "USER",
+			"--password", "PASS",
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasValidToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                  serverURL,
+			IDToken:                 idToken,
+			RefreshToken:            "YOUR_REFRESH_TOKEN",
+			IDPCertificateAuthority: idpTLS.CACertPath,
+		})
+		defer os.Remove(kubeConfigFilename)
+
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasValidRefreshToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+		service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
+		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
+			Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
+
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                  serverURL,
+			IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
+			RefreshToken:            "VALID_REFRESH_TOKEN",
+			IDPCertificateAuthority: idpTLS.CACertPath,
+		})
+		defer os.Remove(kubeConfigFilename)
+
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "NEW_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		defer server.Shutdown(t, ctx)
+		var idToken string
+		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
+			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
+			MaxTimes(2) // package oauth2 will retry refreshing the token
+
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                  serverURL,
+			IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
+			RefreshToken:            "EXPIRED_REFRESH_TOKEN",
+			IDPCertificateAuthority: idpTLS.CACertPath,
+		})
+		defer os.Remove(kubeConfigFilename)
+
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("env_KUBECONFIG", func(t *testing.T) {
+		// do not run this in parallel due to change of the env var
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		service := mock_idp.NewMockService(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
 		defer server.Shutdown(t, ctx)
 		var idToken string
 		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
 
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{Issuer: serverURL})
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                  serverURL,
+			IDPCertificateAuthority: idpTLS.CACertPath,
+		})
 		defer os.Remove(kubeConfigFilename)
 		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
 		defer unsetenv(t, "KUBECONFIG")
 
-		runCmd(t, ctx,
-			openBrowserOnReadyFunc(t, ctx, nil),
-			"--skip-open-browser", "--listen-port", "0")
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -251,20 +231,22 @@ func TestCmd_Run_Standalone(t *testing.T) {
 		defer ctrl.Finish()
 
 		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service))
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
 		defer server.Shutdown(t, ctx)
 		var idToken string
 		setupMockIDPForCodeFlow(t, service, serverURL, "profile groups openid", &idToken)
 
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:      serverURL,
-			ExtraScopes: "profile,groups",
+			Issuer:                  serverURL,
+			ExtraScopes:             "profile,groups",
+			IDPCertificateAuthority: idpTLS.CACertPath,
 		})
 		defer os.Remove(kubeConfigFilename)
 
-		runCmd(t, ctx,
-			openBrowserOnReadyFunc(t, ctx, nil),
-			"--kubeconfig", kubeConfigFilename, "--skip-open-browser", "--listen-port", "0")
+		args := []string{
+			"--kubeconfig", kubeConfigFilename,
+		}
+		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -272,76 +254,20 @@ func TestCmd_Run_Standalone(t *testing.T) {
 	})
 }
 
-func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
-	t.Helper()
-	var claims struct {
-		jwt.StandardClaims
-		Nonce  string   `json:"nonce"`
-		Groups []string `json:"groups"`
-	}
-	claims.StandardClaims = jwt.StandardClaims{
-		Issuer:    issuer,
-		Audience:  "kubernetes",
-		Subject:   "SUBJECT",
-		IssuedAt:  time.Now().Unix(),
-		ExpiresAt: expiry.Unix(),
-	}
-	claims.Nonce = nonce
-	claims.Groups = []string{"admin", "users"}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(keys.JWSKeyPair)
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
-	var nonce string
-	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
-		DoAndReturn(func(_, gotNonce string) (string, error) {
-			nonce = gotNonce
-			return "YOUR_AUTH_CODE", nil
-		})
-	service.EXPECT().Exchange("YOUR_AUTH_CODE").
-		DoAndReturn(func(string) (*idp.TokenResponse, error) {
-			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
-			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
-		})
-}
-
-func runCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, args ...string) {
+func runRootCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, args []string) {
 	t.Helper()
 	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, nil)
-	exitCode := cmd.Run(ctx, append([]string{"kubelogin", "--v=1"}, args...), "HEAD")
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"--v=1",
+		"--listen-port", "0",
+		"--skip-open-browser",
+	}, args...), "HEAD")
 	if exitCode != 0 {
 		t.Errorf("exit status wants 0 but %d", exitCode)
 	}
 }
 
-func openBrowserOnReadyFunc(t *testing.T, ctx context.Context, clientConfig *tls.Config) authentication.LocalServerReadyFunc {
-	return func(url string) {
-		client := http.Client{Transport: &http.Transport{TLSClientConfig: clientConfig}}
-		req, err := http.NewRequest("GET", url, nil)
-		if err != nil {
-			t.Errorf("could not create a request: %s", err)
-			return
-		}
-		req = req.WithContext(ctx)
-		resp, err := client.Do(req)
-		if err != nil {
-			t.Errorf("could not send a request: %s", err)
-			return
-		}
-		defer resp.Body.Close()
-		if resp.StatusCode != 200 {
-			t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
-		}
-	}
-}
-
 func setenv(t *testing.T, key, value string) {
 	t.Helper()
 	if err := os.Setenv(key, value); err != nil {

go.mod

@@ -7,7 +7,8 @@ require (
 	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
 	github.com/go-test/deep v1.0.4
 	github.com/golang/mock v1.3.1
-	github.com/google/wire v0.3.0
+	github.com/google/go-cmp v0.3.1
+	github.com/google/wire v0.4.0
 	github.com/int128/oauth2cli v1.8.1
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
@@ -18,7 +19,7 @@ require (
 	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
 	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.2.4
+	gopkg.in/yaml.v2 v2.2.7
 	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
 	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
 	k8s.io/klog v0.4.0

go.sum

@@ -31,6 +31,7 @@ github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Z
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
@@ -38,6 +39,8 @@ github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.3.0 h1:imGQZGEVEHpje5056+K+cgdO72p0LQv2xIIFXNGUf60=
 github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s=
+github.com/google/wire v0.4.0 h1:kXcsA/rIGzJImVqPdhfnr6q0xsS9gU0515q1EPpJ9fE=
+github.com/google/wire v0.4.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4=
 github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
@@ -149,6 +152,12 @@ gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5 h1:ymVxjfMaHvXD8RqPRmzHHsB3VvucivSkIAvJFDI5O3c=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.6 h1:97YCGUei5WVbkKfogoJQsLwUJ17cWvpLrgNvlcbxikE=
+gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
+gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 k8s.io/api v0.0.0-20190620084959-7cf5895f2711 h1:BblVYz/wE5WtBsD/Gvu54KyBUTJMflolzc5I2DTvh50=
 k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
 k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw=

oidc-login.yaml

@@ -30,8 +30,10 @@ spec:
       sha256: "{{ sha256 .linux_amd64_archive }}"
       bin: kubelogin
       files:
-        - from: "kubelogin"
-          to: "."
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
       selector:
         matchLabels:
           os: linux
@@ -40,8 +42,10 @@ spec:
       sha256: "{{ sha256 .darwin_amd64_archive }}"
       bin: kubelogin
       files:
-        - from: "kubelogin"
-          to: "."
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
       selector:
         matchLabels:
           os: darwin
@@ -50,8 +54,10 @@ spec:
       sha256: "{{ sha256 .windows_amd64_archive }}"
       bin: kubelogin.exe
       files:
-        - from: "kubelogin.exe"
-          to: "."
+        - from: kubelogin.exe
+          to: .
+        - from: LICENSE
+          to: .
       selector:
         matchLabels:
           os: windows