Bump the version

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.18.0 to 0.18.1.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.18.0...v0.18.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

.circleci/config.yml

@@ -2,32 +2,30 @@ version: 2
 jobs:
   build:
     docker:
-      - image: circleci/golang:1.13.3
+      - image: cimg/go:1.14
     steps:
       - run: |
-          sudo apt install -y file
-      - run: |
-          mkdir -p ~/bin
-          echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
-      - run: |
-          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
-          chmod +x ~/bin/ghcp
-      - run: |
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.21.0
-      - run: go get github.com/int128/goxzst
-      - run: go get github.com/tcnksm/ghr
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
       - checkout
+      - restore_cache:
+          keys:
+            - go-sum-{{ checksum "go.sum" }}
+      - run:
+          command: go get -v github.com/int128/goxzst github.com/int128/ghcp
+          working_directory: .circleci
       - run: make check
       - run: bash <(curl -s https://codecov.io/bash)
       - run: make dist
-      - run: |
-          unzip dist/gh/kubelogin_linux_amd64.zip -d /tmp
-          file /tmp/kubelogin
-          /tmp/kubelogin --help
       - run: |
           if [ "$CIRCLE_TAG" ]; then
             make release
           fi
+      - save_cache:
+          key: go-sum-{{ checksum "go.sum" }}
+          paths:
+            - ~/go/pkg
+      - store_artifacts:
+          path: gotest.log
 
 workflows:
   version: 2

.circleci/go.mod

@@ -0,0 +1,3 @@
+module github.com/int128/kubelogin/.circleci
+
+go 1.13

.github/workflows/acceptance-test.yaml

@@ -0,0 +1,30 @@
+name: acceptance-test
+on: [push]
+jobs:
+  build:
+    name: test
+    # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/setup-go@v1
+        with:
+          go-version: 1.14.1
+        id: go
+      - uses: actions/checkout@v1
+      - uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            go-
+      # https://kind.sigs.k8s.io/docs/user/quick-start/
+      - run: |
+          wget -q -O ./kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-linux-amd64"
+          chmod +x ./kind
+          sudo mv ./kind /usr/local/bin/kind
+          kind version
+      # https://packages.ubuntu.com/xenial/libnss3-tools
+      - run: sudo apt install -y libnss3-tools
+      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
+      - run: make -C acceptance_test -j3 setup
+      - run: make -C acceptance_test test

.gitignore

@@ -1,9 +1,10 @@
 /.idea
 
-/.kubeconfig*
+/acceptance_test/output/
 
-/dist
+/dist/output
 /coverage.out
+/gotest.log
 
 /kubelogin
 /kubectl-oidc_login

Makefile

@@ -1,37 +1,49 @@
+# CircleCI specific variables
+CIRCLE_TAG ?= latest
+GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
+GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)
+
 TARGET := kubelogin
-CIRCLE_TAG ?= HEAD
-LDFLAGS := -X main.version=$(CIRCLE_TAG)
+TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
+VERSION ?= $(CIRCLE_TAG)
+LDFLAGS := -X main.version=$(VERSION)
 
 all: $(TARGET)
 
+$(TARGET): $(wildcard **/*.go)
+	go build -o $@ -ldflags "$(LDFLAGS)"
+
 .PHONY: check
 check:
 	golangci-lint run
-	go test -v -race -cover -coverprofile=coverage.out ./...
+	go test -v -race -cover -coverprofile=coverage.out ./... > gotest.log
 
-$(TARGET): $(wildcard *.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
-
-dist:
-    # make the zip files for GitHub Releases
-	VERSION=$(CIRCLE_TAG) CGO_ENABLED=0 goxzst -d dist/gh/ -i "LICENSE" -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
-	zipinfo dist/gh/kubelogin_linux_amd64.zip
-	# make the Homebrew formula
-	mv dist/gh/kubelogin.rb dist/
-	# make the yaml for krew-index
-	mkdir -p dist/plugins
-	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml
+.PHONY: dist
+dist: dist/output
+dist/output:
+	# make the zip files for GitHub Releases
+	VERSION=$(VERSION) CGO_ENABLED=0 goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
+	# test the zip file
+	zipinfo dist/output/kubelogin_linux_amd64.zip
+	# make the krew yaml structure
+	mkdir -p dist/output/plugins
+	mv dist/output/oidc-login.yaml dist/output/plugins/oidc-login.yaml
 
 .PHONY: release
 release: dist
-    # publish to the GitHub Releases
-	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
-	# publish to the Homebrew tap repository
-	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
-	# fork krew-index and create a branch
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml
+	# publish the binaries
+	ghcp release -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)" -t "$(VERSION)" dist/output/
+	# publish the Homebrew formula
+	ghcp commit -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ kubelogin.rb
+	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
+	# publish the Dockerfile
+	ghcp commit -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ Dockerfile
+	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
+	# publish the Krew manifest
+	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(VERSION)" -m "Bump oidc-login to $(VERSION)" -C dist/output/ plugins/oidc-login.yaml
 
 .PHONY: clean
 clean:
 	-rm $(TARGET)
-	-rm -r dist/
+	-rm -r dist/output/
+	-rm coverage.out gotest.log

README.md

@@ -1,4 +1,4 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) ![acceptance-test](https://github.com/int128/kubelogin/workflows/acceptance-test/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
 
 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
 
@@ -28,7 +28,7 @@ brew install int128/kubelogin/kubelogin
 kubectl krew install oidc-login
 
 # GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.15.0/kubelogin_linux_amd64.zip
+curl -LO https://github.com/int128/kubelogin/releases/download/v1.19.0/kubelogin_linux_amd64.zip
 unzip kubelogin_linux_amd64.zip
 ln -s kubelogin kubectl-oidc_login
 ```
@@ -91,14 +91,16 @@ Kubelogin will perform authentication if the token cache file does not exist.
 You can dump the claims of token by passing `-v1` option.
 
 ```
-I1212 10:14:17.754394    2517 get_token.go:91] the ID token has the claim: sub=********
-I1212 10:14:17.754434    2517 get_token.go:91] the ID token has the claim: at_hash=********
-I1212 10:14:17.754449    2517 get_token.go:91] the ID token has the claim: nonce=********
-I1212 10:14:17.754459    2517 get_token.go:91] the ID token has the claim: iat=1576113256
-I1212 10:14:17.754467    2517 get_token.go:91] the ID token has the claim: exp=1576116856
-I1212 10:14:17.754484    2517 get_token.go:91] the ID token has the claim: iss=https://accounts.google.com
-I1212 10:14:17.754497    2517 get_token.go:91] the ID token has the claim: azp=********.apps.googleusercontent.com
-I1212 10:14:17.754506    2517 get_token.go:91] the ID token has the claim: aud=********.apps.googleusercontent.com
+I0221 21:54:08.151850   28231 get_token.go:104] you got a token: {
+  "sub": "********",
+  "iss": "https://accounts.google.com",
+  "aud": "********",
+  "iat": 1582289639,
+  "exp": 1582293239,
+  "jti": "********",
+  "nonce": "********",
+  "at_hash": "********"
+}
 ```
 
 
@@ -110,26 +112,27 @@ If you are looking for a specific version, see [the release tags](https://github
 Kubelogin supports the following options:
 
 ```
-% kubectl oidc-login get-token -h
-Run as a kubectl credential plugin
-
 Usage:
   kubelogin get-token [flags]
 
 Flags:
-      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
-      --oidc-client-id string          Client ID of the provider (mandatory)
-      --oidc-client-secret string      Client secret of the provider
-      --oidc-extra-scope strings       Scopes to request to the provider
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --token-cache-dir string         Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
-      --grant-type string              The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
-  -h, --help                           help for get-token
+      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
+      --oidc-client-id string                           Client ID of the provider (mandatory)
+      --oidc-client-secret string                       Client secret of the provider
+      --oidc-extra-scope strings                        Scopes to request to the provider
+      --certificate-authority string                    Path to a cert file for the certificate authority
+      --certificate-authority-data string               Base64 encoded data for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --token-cache-dir string                          Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
+  -h, --help                                            help for get-token
 
 Global Flags:
       --add_dir_header                   If true, adds the file directory to the header
@@ -157,12 +160,13 @@ You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
       - --oidc-extra-scope=profile
 ```
 
-### CA Certificates
+### CA Certificate
 
 You can use your self-signed certificate for the provider.
 
 ```yaml
       - --certificate-authority=/home/user/.kube/keycloak-ca.pem
+      - --certificate-authority-data=LS0t...
 ```
 
 ### HTTP Proxy
@@ -170,7 +174,6 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
 
-
 ### Authentication flows
 
 #### Authorization code flow
@@ -183,11 +186,23 @@ You need to register the following redirect URIs to the provider:
 - `http://localhost:8000`
 - `http://localhost:18000` (used if port 8000 is already in use)
 
-You can change the ports by the option:
+You can change the listening address.
 
 ```yaml
-      - --listen-port=12345
-      - --listen-port=23456
+      - --listen-address=127.0.0.1:12345
+      - --listen-address=127.0.0.1:23456
+```
+
+You can change the hostname of redirect URI from the default value `localhost`.
+
+```yaml
+      - --oidc-redirect-url-hostname=127.0.0.1
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
 ```
 
 #### Authorization code flow with keyboard interactive
@@ -210,6 +225,12 @@ Enter code: YOUR_CODE
 Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and
 some OIDC providers do not support it.
 
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
+```
+
 #### Resource owner password credentials grant flow
 
 Kubelogin performs the resource owner password credentials grant flow
@@ -248,6 +269,39 @@ Username: foo
 Password:
 ```
 
+### Docker
+
+You can run [the Docker image](https://quay.io/repository/int128/kubelogin) instead of the binary.
+The kubeconfig looks like:
+
+```yaml
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: docker
+      args:
+      - run
+      - --rm
+      - -v
+      - /tmp/.token-cache:/.token-cache
+      - -p
+      - 8000:8000
+      - quay.io/int128/kubelogin:v1.19.0
+      - get-token
+      - --token-cache-dir=/.token-cache
+      - --listen-address=0.0.0.0:8000
+      - --oidc-issuer-url=ISSUER_URL
+      - --oidc-client-id=YOUR_CLIENT_ID
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Known limitations:
+
+- It cannot open the browser automatically.
+- The container port and listen port must be equal for consistency of the redirect URI.
+
 
 ## Related works
 
@@ -273,3 +327,5 @@ make check
 make
 ./kubelogin
 ```
+
+See also [the acceptance test](acceptance_test).

acceptance_test/Makefile

@@ -0,0 +1,109 @@
+CLUSTER_NAME := kubelogin-acceptance-test
+OUTPUT_DIR := $(CURDIR)/output
+
+PATH := $(PATH):$(OUTPUT_DIR)/bin
+export PATH
+KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
+export KUBECONFIG
+
+# run the login script instead of opening chrome
+BROWSER := $(OUTPUT_DIR)/bin/chromelogin
+export BROWSER
+
+.PHONY: test
+test: build
+	# see the setup instruction
+	kubectl oidc-login setup \
+		--oidc-issuer-url=https://dex-server:10443/dex \
+		--oidc-client-id=YOUR_CLIENT_ID \
+		--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--oidc-extra-scope=email \
+		--certificate-authority=$(OUTPUT_DIR)/ca.crt
+	# set up the kubeconfig
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=kubectl \
+		--exec-arg=oidc-login \
+		--exec-arg=get-token \
+		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
+		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--exec-arg=--oidc-extra-scope=email \
+		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
+	# make sure we can access the cluster
+	kubectl --user=oidc cluster-info
+	# switch the current context
+	kubectl config set-context --current --user=oidc
+	# make sure we can access the cluster
+	kubectl cluster-info
+
+.PHONY: setup
+setup: build dex cluster setup-chrome
+
+.PHONY: setup-chrome
+setup-chrome: $(OUTPUT_DIR)/ca.crt
+	# add the dex server certificate to the trust store
+	mkdir -p ~/.pki/nssdb
+	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
+
+# build binaries
+.PHONY: build
+build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
+$(OUTPUT_DIR)/bin/kubectl-oidc_login:
+	go build -o $@ ..
+$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
+	go build -o $@ ./chromelogin
+
+# create a Dex server
+.PHONY: dex
+dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
+	docker create --name dex-server -p 10443:10443 quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
+	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
+	docker cp $(OUTPUT_DIR)/server.key dex-server:/
+	docker cp dex.yaml dex-server:/
+	docker start dex-server
+	docker logs dex-server
+
+$(OUTPUT_DIR)/ca.key:
+	mkdir -p $(OUTPUT_DIR)
+	openssl genrsa -out $@ 2048
+$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
+	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
+$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
+	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
+$(OUTPUT_DIR)/server.key:
+	mkdir -p $(OUTPUT_DIR)
+	openssl genrsa -out $@ 2048
+$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
+	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
+$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
+	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
+
+# create a Kubernetes cluster
+.PHONY: cluster
+cluster: dex create-cluster
+	# add the Dex container IP to /etc/hosts of kube-apiserver
+	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
+		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
+	# wait for kube-apiserver oidc initialization
+	# (oidc authenticator will retry oidc discovery every 10s)
+	sleep 10
+
+.PHONY: create-cluster
+create-cluster: $(OUTPUT_DIR)/ca.crt
+	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-acceptance-test-dex-ca.crt
+	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
+
+# clean up the resources
+.PHONY: clean
+clean:
+	-rm -r $(OUTPUT_DIR)
+.PHONY: delete-cluster
+delete-cluster:
+	kind delete cluster --name $(CLUSTER_NAME)
+.PHONY: delete-dex
+delete-dex:
+	docker stop dex-server
+	docker rm dex-server

acceptance_test/README.md

@@ -0,0 +1,109 @@
+# kubelogin/acceptance_test
+
+This is an acceptance test for walkthrough of the OIDC initial setup and plugin behavior using a real Kubernetes cluster and OpenID Connect provider, running on [GitHub Actions](https://github.com/int128/kubelogin/actions?query=workflow%3Aacceptance-test).
+
+It is intended to verify the following points:
+
+- User can set up Kubernetes OIDC authentication and this plugin.
+- User can access a cluster after login.
+
+It performs the test using the following components:
+
+- Kubernetes cluster (Kind)
+- OIDC provider (Dex)
+- Browser (Chrome)
+- kubectl command
+
+
+## How it works
+
+Let's take a look at the diagram.
+
+![diagram](../docs/acceptance-test-diagram.svg)
+
+It prepares the following resources:
+
+1. Generate a pair of CA certificate and TLS server certificate for Dex.
+1. Run Dex on a container.
+1. Create a Kubernetes cluster using Kind.
+1. Mutate `/etc/hosts` of the CI machine to access Dex.
+1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
+
+It performs the test by the following steps:
+
+1. Run kubectl.
+1. kubectl automatically runs kubelogin.
+1. kubelogin automatically runs [chromelogin](chromelogin).
+1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
+1. kubelogin gets an authorization code from the browser.
+1. kubelogin gets a token.
+1. kubectl accesses an API with the token.
+1. kube-apiserver verifies the token by Dex.
+1. Check if kubectl exited with code 0.
+
+
+## Run locally
+
+You need to set up the following components:
+
+- Docker
+- Kind
+- Chrome or Chromium
+
+You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
+
+```
+127.0.0.1 dex-server
+```
+
+Run the test.
+
+```shell script
+# run the test
+make
+
+# clean up
+make delete-cluster
+make delete-dex
+```
+
+
+## Technical consideration
+
+### Network and DNS
+
+Consider the following issues:
+
+- kube-apiserver runs on the host network of the kind container.
+- kube-apiserver cannot resolve a service name by kube-dns.
+- kube-apiserver cannot access a cluster IP.
+- kube-apiserver can access another container via the Docker network.
+- Chrome requires exactly match of domain name between Dex URL and a server certificate.
+
+Consequently,
+
+- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
+- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
+
+### TLS server certificate
+
+Consider the following issues:
+
+- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
+- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
+- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
+- It is possible to mount a file from the CI machine.
+- It is not possible to issue a certificate using Let's Encrypt in runtime.
+- Chrome requires a valid certificate in `~/.pki/nssdb`.
+
+As a result,
+
+- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
+- kubelogin uses the CA certificate in `output/ca.crt`.
+- Chrome uses the CA certificate in `~/.pki/nssdb`.
+
+### Test environment
+
+- Set the issuer URL to kubectl. See [`kubeconfig_oidc.yaml`](kubeconfig_oidc.yaml).
+- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
+- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.

acceptance_test/chromelogin/main.go

@@ -0,0 +1,93 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/chromedp/chromedp"
+)
+
+func init() {
+	log.SetFlags(log.Lmicroseconds | log.Lshortfile)
+}
+
+func main() {
+	if len(os.Args) != 2 {
+		log.Fatalf("usage: %s URL", os.Args[0])
+		return
+	}
+	url := os.Args[1]
+	if err := runBrowser(context.Background(), url); err != nil {
+		log.Fatalf("error: %s", err)
+	}
+}
+
+func runBrowser(ctx context.Context, url string) error {
+	execOpts := chromedp.DefaultExecAllocatorOptions[:]
+	execOpts = append(execOpts, chromedp.NoSandbox)
+	ctx, cancel := chromedp.NewExecAllocator(ctx, execOpts...)
+	defer cancel()
+	ctx, cancel = chromedp.NewContext(ctx, chromedp.WithLogf(log.Printf))
+	defer cancel()
+	ctx, cancel = context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+	if err := logInToDex(ctx, url); err != nil {
+		return fmt.Errorf("could not run the browser: %w", err)
+	}
+	return nil
+}
+
+func logInToDex(ctx context.Context, url string) error {
+	for {
+		var location string
+		err := chromedp.Run(ctx,
+			chromedp.Navigate(url),
+			chromedp.Location(&location),
+		)
+		if err != nil {
+			return err
+		}
+		log.Printf("location: %s", location)
+		if strings.HasPrefix(location, `http://`) || strings.HasPrefix(location, `https://`) {
+			break
+		}
+		time.Sleep(1 * time.Second)
+	}
+
+	err := chromedp.Run(ctx,
+		// https://dex-server:10443/dex/auth/local
+		chromedp.WaitVisible(`#login`),
+		logPageMetadata(),
+		chromedp.SendKeys(`#login`, `admin@example.com`),
+		chromedp.SendKeys(`#password`, `password`),
+		chromedp.Submit(`#submit-login`),
+		// https://dex-server:10443/dex/approval
+		chromedp.WaitVisible(`.dex-btn.theme-btn--success`),
+		logPageMetadata(),
+		chromedp.Submit(`.dex-btn.theme-btn--success`),
+		// http://localhost:8000
+		chromedp.WaitReady(`body`),
+		logPageMetadata(),
+	)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func logPageMetadata() chromedp.Action {
+	var location string
+	var title string
+	return chromedp.Tasks{
+		chromedp.Location(&location),
+		chromedp.Title(&title),
+		chromedp.ActionFunc(func(ctx context.Context) error {
+			log.Printf("location: %s [%s]", location, title)
+			return nil
+		}),
+	}
+}

acceptance_test/cluster.yaml

@@ -0,0 +1,20 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        oidc-issuer-url: https://dex-server:10443/dex
+        oidc-client-id: YOUR_CLIENT_ID
+        oidc-username-claim: email
+        oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
+nodes:
+  - role: control-plane
+    extraMounts:
+      - hostPath: /tmp/kubelogin-acceptance-test-dex-ca.crt
+        containerPath: /usr/local/share/ca-certificates/dex-ca.crt

acceptance_test/dex.yaml

@@ -0,0 +1,23 @@
+issuer: https://dex-server:10443/dex
+web:
+  https: 0.0.0.0:10443
+  tlsCert: /server.crt
+  tlsKey: /server.key
+storage:
+  type: sqlite3
+  config:
+    file: /tmp/dex.db
+staticClients:
+  - id: YOUR_CLIENT_ID
+    redirectURIs:
+      - http://localhost:8000
+    name: kubelogin
+    secret: YOUR_CLIENT_SECRET
+staticPasswords:
+  - email: "admin@example.com"
+    # bcrypt hash of the string "password"
+    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+    username: "admin"
+    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+# required for staticPasswords
+enablePasswordDB: true

acceptance_test/openssl.cnf

@@ -0,0 +1,15 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = dex-server
+DNS.2 = dex-server:30443

dist/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:3.11
+
+ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
+ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
+
+# Download the release and test the checksum
+RUN wget -O /kubelogin.zip "https://github.com/int128/kubelogin/releases/download/$KUBELOGIN_VERSION/kubelogin_linux_amd64.zip" && \
+    echo "$KUBELOGIN_SHA256  /kubelogin.zip" | sha256sum -c - && \
+    unzip /kubelogin.zip && \
+    rm /kubelogin.zip
+
+USER daemon
+ENTRYPOINT ["/kubelogin"]

dist/oidc-login.yaml

@@ -62,3 +62,27 @@ spec:
         matchLabels:
           os: windows
           arch: amd64
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
+      sha256: "{{ sha256 .linux_arm_archive }}"
+      bin: kubelogin
+      files:
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
+      selector:
+        matchLabels:
+          os: linux
+          arch: arm
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
+      sha256: "{{ sha256 .linux_arm64_archive }}"
+      bin: kubelogin
+      files:
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
+      selector:
+        matchLabels:
+          os: linux
+          arch: arm64

docs/setup.md

@@ -1,6 +1,6 @@
 # Kubernetes OpenID Connection authentication
 
-This document guides how to set up the Kubernetes OpenID Connect (OIDC) authentication.
+This document guides how to set up Kubernetes OpenID Connect (OIDC) authentication.
 Let's see the following steps:
 
 1. Set up the OIDC provider
@@ -35,7 +35,7 @@ Variable                | Value
 You can log in with a user of Keycloak.
 Make sure you have an administrator role of the Keycloak realm.
 
-Open the Keycloak and create an OIDC client as follows:
+Open Keycloak and create an OIDC client as follows:
 
 - Client ID: `YOUR_CLIENT_ID`
 - Valid Redirect URLs:
@@ -52,7 +52,7 @@ You can associate client roles by adding the following mapper:
 - Token Claim Name: `groups`
 - Add to ID token: on
 
-For example, if you have the `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
+For example, if you have `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
 
 Replace the following variables in the later sections.
 
@@ -72,7 +72,7 @@ Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an a
 - Homepage URL: `https://dex.example.com`
 - Authorization callback URL: `https://dex.example.com/callback`
 
-Deploy the [dex](https://github.com/dexidp/dex) with the following config:
+Deploy [Dex](https://github.com/dexidp/dex) with the following config:
 
 ```yaml
 issuer: https://dex.example.com
@@ -138,31 +138,23 @@ kubectl oidc-login setup \
   --oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
-It will open the browser and you can log in to the provider.
-Then it will show the instruction.
+It launches the browser and navigates to `http://localhost:8000`.
+Please log in to the provider.
+
+You can set extra options, for example, extra scope or CA certificate.
+See also the full options.
+
+```sh
+kubectl oidc-login setup --help
+```
 
 
 ## 3. Bind a cluster role
 
-In this tutorial, bind the `cluster-admin` role to you.
-Apply the following manifest:
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: oidc-cluster-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: User
-  name: ISSUER_URL#YOUR_SUBJECT
-```
+Here bind `cluster-admin` role to you.
 
 ```sh
-kubectl apply -f oidc-cluster-admin.yaml
+kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
 ```
 
 As well as you can create a custom cluster role and bind it.
@@ -170,14 +162,14 @@ As well as you can create a custom cluster role and bind it.
 
 ## 4. Set up the Kubernetes API server
 
-Add the following options to the kube-apiserver:
+Add the following flags to kube-apiserver:
 
 ```
 --oidc-issuer-url=ISSUER_URL
 --oidc-client-id=YOUR_CLIENT_ID
 ```
 
-See [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for details.
+See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
 
 If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
 
@@ -200,35 +192,32 @@ If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), a
 
 ## 5. Set up the kubeconfig
 
-Add the following user to the kubeconfig:
+Add `oidc` user to the kubeconfig.
 
-```yaml
-users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```sh
+kubectl config set-credentials oidc \
+  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-command=kubectl \
+  --exec-arg=oidc-login \
+  --exec-arg=get-token \
+  --exec-arg=--oidc-issuer-url=ISSUER_URL \
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
-You can share the kubeconfig to your team members for on-boarding.
-
 
 ## 6. Verify cluster access
 
 Make sure you can access the Kubernetes cluster.
 
+```sh
+kubectl --user=oidc cluster-info
 ```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
+
+You can switch the current context to oidc.
+
+```sh
+kubectl config set-context --current --user=oidc
 ```
+
+You can share the kubeconfig to your team members for on-boarding.

docs/standalone-mode.md

@@ -99,30 +99,33 @@ Available Commands:
   version     Print the version information
 
 Flags:
-      --kubeconfig string                Path to the kubeconfig file
-      --context string                   The name of the kubeconfig context to use
-      --user string                      The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string     Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --grant-type string                The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-port ints                 Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser                If true, it does not open the browser on authentication
-      --username string                  If set, perform the resource owner password credentials grant
-      --password string                  If set, use the password instead of asking it
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-  -h, --help                             help for main
-      --version                          version for main
+      --kubeconfig string                               Path to the kubeconfig file
+      --context string                                  The name of the kubeconfig context to use
+      --user string                                     The name of the kubeconfig user to use. Prior to --context
+      --certificate-authority string                    Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
+      --add_dir_header                                  If true, adds the file directory to the header
+      --alsologtostderr                                 log to standard error as well as files
+      --log_backtrace_at traceLocation                  when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                                  If non-empty, write log files in this directory
+      --log_file string                                 If non-empty, use this log file
+      --log_file_max_size uint                          Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                                     log to standard error instead of files (default true)
+      --skip_headers                                    If true, avoid header prefixes in the log messages
+      --skip_log_headers                                If true, avoid headers when opening log files
+      --stderrthreshold severity                        logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                                         number for the log level verbosity
+      --vmodule moduleSpec                              comma-separated list of pattern=N settings for file-filtered logging
+  -h, --help                                            help for kubelogin
+      --version                                         version for kubelogin
 ```
 
 ### Kubeconfig

e2e_test/credetial_plugin_test.go

@@ -1,299 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"io/ioutil"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin/mock_credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
-	"github.com/int128/kubelogin/pkg/di"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-)
-
-// Run the integration tests of the credential plugin use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the output.
-//
-func TestCredentialPlugin(t *testing.T) {
-	cacheDir, err := ioutil.TempDir("", "kube")
-	if err != nil {
-		t.Fatalf("could not create a cache dir: %s", err)
-	}
-	defer func() {
-		if err := os.RemoveAll(cacheDir); err != nil {
-			t.Errorf("could not clean up the cache dir: %s", err)
-		}
-	}()
-
-	t.Run("NoTLS", func(t *testing.T) {
-		testCredentialPlugin(t, cacheDir, keys.None, nil)
-	})
-	t.Run("TLS", func(t *testing.T) {
-		testCredentialPlugin(t, cacheDir, keys.Server, []string{"--certificate-authority", keys.Server.CACertPath})
-	})
-}
-
-func testCredentialPlugin(t *testing.T, cacheDir string, idpTLS keys.Keys, extraArgs []string) {
-	timeout := 1 * time.Second
-
-	t.Run("Defaults", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-	})
-
-	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-		setupMockIDPForROPC(service, serverURL, "openid", "USER", "PASS", idToken)
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-			"--username", "USER",
-			"--password", "PASS",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-	})
-
-	t.Run("HasValidToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		setupTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-		assertTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasValidRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
-
-		setupMockIDPForDiscovery(service, serverURL)
-		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
-			Return(idp.NewTokenResponse(validIDToken, "NEW_REFRESH_TOKEN"), nil)
-
-		setupTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      expiredIDToken,
-			RefreshToken: "VALID_REFRESH_TOKEN",
-		})
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &validIDToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-		assertTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      validIDToken,
-			RefreshToken: "NEW_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
-
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &validIDToken)
-		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
-			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
-			MaxTimes(2) // package oauth2 will retry refreshing the token
-
-		setupTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      expiredIDToken,
-			RefreshToken: "EXPIRED_REFRESH_TOKEN",
-		})
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &validIDToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-		assertTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      validIDToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "email profile openid", &idToken)
-
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-			"--oidc-extra-scope", "email",
-			"--oidc-extra-scope", "profile",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-	})
-}
-
-func assertCredentialPluginOutput(t *testing.T, credentialPluginInteraction *mock_credentialplugin.MockInterface, idToken *string) {
-	credentialPluginInteraction.EXPECT().
-		Write(gomock.Any()).
-		Do(func(out credentialplugin.Output) {
-			if out.Token != *idToken {
-				t.Errorf("Token wants %s but %s", *idToken, out.Token)
-			}
-			if out.Expiry != tokenExpiryFuture {
-				t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
-			}
-		})
-}
-
-func runGetTokenCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, interaction credentialplugin.Interface, args []string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, interaction)
-	exitCode := cmd.Run(ctx, append([]string{
-		"kubelogin", "get-token",
-		"--v=1",
-		"--skip-open-browser",
-		"--listen-port", "0",
-	}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
-
-func setupTokenCache(t *testing.T, cacheDir string, k tokencache.Key, v tokencache.TokenCache) {
-	var r tokencache.Repository
-	err := r.Save(cacheDir, k, v)
-	if err != nil {
-		t.Errorf("could not set up the token cache: %s", err)
-	}
-}
-
-func assertTokenCache(t *testing.T, cacheDir string, k tokencache.Key, want tokencache.TokenCache) {
-	var r tokencache.Repository
-	v, err := r.FindByKey(cacheDir, k)
-	if err != nil {
-		t.Errorf("could not set up the token cache: %s", err)
-	}
-	if diff := cmp.Diff(&want, v); diff != "" {
-		t.Errorf("token cache mismatch: %s", diff)
-	}
-}

e2e_test/helpers_test.go

@@ -1,91 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"net/http"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-)
-
-var (
-	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
-	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
-)
-
-func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
-	t.Helper()
-	var claims struct {
-		jwt.StandardClaims
-		Nonce  string   `json:"nonce"`
-		Groups []string `json:"groups"`
-	}
-	claims.StandardClaims = jwt.StandardClaims{
-		Issuer:    issuer,
-		Audience:  "kubernetes",
-		Subject:   "SUBJECT",
-		IssuedAt:  time.Now().Unix(),
-		ExpiresAt: expiry.Unix(),
-	}
-	claims.Nonce = nonce
-	claims.Groups = []string{"admin", "users"}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(keys.JWSKeyPair)
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func setupMockIDPForDiscovery(service *mock_idp.MockService, serverURL string) {
-	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-}
-
-func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
-	var nonce string
-	setupMockIDPForDiscovery(service, serverURL)
-	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
-		DoAndReturn(func(_, gotNonce string) (string, error) {
-			nonce = gotNonce
-			return "YOUR_AUTH_CODE", nil
-		})
-	service.EXPECT().Exchange("YOUR_AUTH_CODE").
-		DoAndReturn(func(string) (*idp.TokenResponse, error) {
-			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
-			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
-		})
-}
-
-func setupMockIDPForROPC(service *mock_idp.MockService, serverURL, scope, username, password, idToken string) {
-	setupMockIDPForDiscovery(service, serverURL)
-	service.EXPECT().AuthenticatePassword(username, password, scope).
-		Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
-}
-
-func openBrowserOnReadyFunc(t *testing.T, ctx context.Context, k keys.Keys) authentication.LocalServerReadyFunc {
-	return func(url string) {
-		client := http.Client{Transport: &http.Transport{TLSClientConfig: k.TLSConfig}}
-		req, err := http.NewRequest("GET", url, nil)
-		if err != nil {
-			t.Errorf("could not create a request: %s", err)
-			return
-		}
-		req = req.WithContext(ctx)
-		resp, err := client.Do(req)
-		if err != nil {
-			t.Errorf("could not send a request: %s", err)
-			return
-		}
-		defer resp.Body.Close()
-		if resp.StatusCode != 200 {
-			t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
-		}
-	}
-}

e2e_test/keys/keys.go

@@ -1,67 +0,0 @@
-package keys
-
-import (
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-)
-
-// Keys represents a pair of certificate and key.
-type Keys struct {
-	CertPath   string
-	KeyPath    string
-	CACertPath string
-	TLSConfig  *tls.Config
-}
-
-// None represents non-TLS.
-var None Keys
-
-// Server is a Keys for TLS server.
-// These files should be generated by Makefile before test.
-var Server = Keys{
-	CertPath:   "keys/testdata/server.crt",
-	KeyPath:    "keys/testdata/server.key",
-	CACertPath: "keys/testdata/ca.crt",
-	TLSConfig:  newTLSConfig("keys/testdata/ca.crt"),
-}
-
-// JWSKey is path to the key for signing ID tokens.
-// This file should be generated by Makefile before test.
-const JWSKey = "keys/testdata/jws.key"
-
-// JWSKeyPair is the key pair loaded from JWSKey.
-var JWSKeyPair = readPrivateKey(JWSKey)
-
-func newTLSConfig(name string) *tls.Config {
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		panic(err)
-	}
-	p := x509.NewCertPool()
-	if !p.AppendCertsFromPEM(b) {
-		panic("could not append the CA cert")
-	}
-	return &tls.Config{RootCAs: p}
-}
-
-func readPrivateKey(name string) *rsa.PrivateKey {
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		panic(err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		panic("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		panic("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		panic(err)
-	}
-	return k
-}

e2e_test/keys/testdata/.gitignore

@@ -1 +0,0 @@
-/CA

e2e_test/keys/testdata/Makefile

@@ -1,59 +0,0 @@
-EXPIRY := 3650
-
-all: ca.key ca.crt server.key server.crt jws.key
-
-.PHONY: clean
-clean:
-	-rm -v ca.* server.* jws.*
-
-ca.key:
-	openssl genrsa -out $@ 1024
-
-.INTERMEDIATE: ca.csr
-ca.csr: openssl.cnf ca.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key ca.key \
-		-subj "/CN=Hello CA" \
-		-out $@
-	openssl req -noout -text -in $@
-
-ca.crt: ca.csr ca.key
-	openssl x509 \
-		-req \
-		-days $(EXPIRY) \
-		-signkey ca.key \
-		-in ca.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-server.key:
-	openssl genrsa -out $@ 1024
-
-.INTERMEDIATE: server.csr
-server.csr: openssl.cnf server.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key server.key \
-		-subj "/CN=localhost" \
-		-out $@
-	openssl req -noout -text -in $@
-
-server.crt: openssl.cnf server.csr ca.key ca.crt
-	rm -fr ./CA
-	mkdir -p ./CA
-	touch CA/index.txt
-	touch CA/index.txt.attr
-	echo 00 > CA/serial
-	openssl ca -config openssl.cnf \
-		-days $(EXPIRY) \
-		-extensions v3_req \
-		-batch \
-		-cert ca.crt \
-		-keyfile ca.key \
-		-in server.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-jws.key:
-	openssl genrsa -out $@ 1024

e2e_test/keys/testdata/ca.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBnTCCAQYCCQC/aR7GRyndljANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAhI
-ZWxsbyBDQTAeFw0xOTA5MjUxNDQ0NTFaFw0yOTA5MjIxNDQ0NTFaMBMxETAPBgNV
-BAMMCEhlbGxvIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnSTDsRx4U
-JmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ4Pc51itOycWN1nclNVb489i9
-J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3Lu4mysxyOtYZNsdST8GBCP0m4
-2tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
-AE/gsgTC4jzYC3icZdhALJTe3JsZ7geN702dE95zSI5LXAzzHJ/j8wGmorQjrMs2
-iNPjVOdTU6cVWa1Ba29wWakVyVCUqDmDiWHaVhM/Qyyxo6mVlZGFwSnto3zq/h4y
-KMFJ8lUtFCYMrzo5wqgj2xOjVrN77F6F4XWZbMufh50G
------END CERTIFICATE-----

e2e_test/keys/testdata/ca.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDnSTDsRx4UJmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ
-4Pc51itOycWN1nclNVb489i9J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3L
-u4mysxyOtYZNsdST8GBCP0m42tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQAB
-AoGAaYmTYm29QvKW4et9oPxDjpYG0bqlz7P0xFRR9kKtKTATAMHjWeu2xFR/JI+b
-rvJLIdZqHmWe5AmMb3NxZgfLonEB71ohaKQha1L8Vc7aoedRheJvqqaNr+ZxoCMO
-8xcjsaMYxLEVt0tg6XyKyEhi1/hOufFZ4BSng4oQbrpaNIkCQQD6hPEzzPZtMEEe
-eRdwTVUIStKFMQbRdwZ5Oc7pyDk2U+SFRJiqkBkqnmFekcf2UgbBQxem+GMhWNgE
-LItKy/wVAkEA7FiHxbzn2msaE3hZCWudtnXqmJNuPO0zJ5icXe2svwmwPfLA/rm9
-iazCuyzyK67J8IG9QgIjQFYXtQbMr2chGwJBAMm3dghBx0LQEf8Zfdf9TLSqmqyI
-d3b+IgZGl+cCQ58NGfp863ibIsiAUuK0+4/JKItBHLBjXF6jjPx/aYFGkqkCQH4w
-GnXCEYx1qJuCow87jR4xQQsrlC0lfC2E9t/TmWr6UkYRCWg3ZXJPcj0bl0Upcppd
-ut22ZHniPZAizEBOcMcCQQDnMEOxufxhMsx2NC8yON/noewLINqKcbkMsl6DjvJl
-+wLbQmzJ0j+uIBgdpsj4rWnEr7GxoL2eWG44QDUBco79
------END RSA PRIVATE KEY-----

e2e_test/keys/testdata/jws.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQCZukkN1GxMlNXkpOZxCnvCF874/rn1sNKzO98fOwmBRPG2+m/c
-yqBY7t2L2nihqz3+GZTiHmzSrBzMAGPVW1qGmk9KYg3m7akz9SiCxdoUkgM9MCCp
-X/s8IhgtXkyoKFPcGdwHblDl/3aJG02b6TAQD8vTNQAKoKw7L0FST+pvRwIDAQAB
-AoGBAJT1fXR5MbfDQL+dSe6fSex5RYTgzzDTdldW3I1Wl487Tz0OzvYTIe0LCIJL
-4DhHxnpCL5IsCSbav8ytVA+ZxczHpEW6UxbalXt5UfgFu0joTrdoGxDcVWgUCW3J
-Olbln0lOP55wViKh509gt45Za3VxJrNul3khVfVj7qGG9cKBAkEAxwtT8LxwqTYF
-nqoeZvPp15JAqlgdk38ttJa4KEqvpBTSxNIXkL9T5gJ+irKZAzxlz/U7bhn5mw6E
-3xFiljOXpQJBAMW3XRFOjgNBXNjbt81wREF5LdZl9EI8cRMSH6xljt2uwSqw4EG3
-76gFvccUd+WnfspFQZVypSSD4pWzsAqh13sCQQCA9BLW5Y7r4ab0a2y08JNwaT1h
-3yKSO5QF6pu25uQyHpeKkj5YNcyKONV40EqXsRqZB10QcN2omlh1GJNRkm1NAkEA
-qV3lr4mnRUqcinfM/4MINT3k8h/sGUFFa5y+3SMyOtwURMm3kRRLi5c/dmYmPug4
-SHUDNU48AQeo9awzRShWOQJBAJdw+cfRgi4fo3HY33uZdFa1T9G+qTA2ijhco6O3
-8tOc0yOFEtPNXM87MsHGIQP3ZCLfIY1gs2O3WCTFbPxR4rc=
------END RSA PRIVATE KEY-----

e2e_test/keys/testdata/openssl.cnf

@@ -1,36 +0,0 @@
-[ ca ]
-default_ca      = CA_default
-
-[ CA_default ]
-dir             = ./CA
-certs           = $dir
-crl_dir         = $dir
-database        = $dir/index.txt
-new_certs_dir   = $dir
-default_md      = sha256
-policy          = policy_match
-serial          = $dir/serial
-
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-distinguished_name	= req_distinguished_name
-req_extensions = v3_req
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-commonName			= Common Name (e.g. server FQDN or YOUR name)
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = DNS:localhost
-
-[ v3_ca ]
-basicConstraints = CA:true

e2e_test/keys/testdata/server.crt

@@ -1,52 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Hello CA
-        Validity
-            Not Before: Aug 18 06:00:06 2019 GMT
-            Not After : Aug 15 06:00:06 2029 GMT
-        Subject: CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:d6:4e:eb:3a:cb:25:f9:7e:92:22:f2:63:99:da:
-                    08:05:8b:a3:e7:d3:fd:71:3e:bd:da:c5:d5:63:b7:
-                    d3:7b:f8:cd:1a:2e:5c:a2:4f:48:98:c2:b4:da:e8:
-                    1e:d3:d7:8f:d8:ee:a9:70:d0:9d:4f:f4:8d:95:e5:
-                    8e:9a:71:b6:80:aa:0b:cb:28:1d:f6:0d:7e:aa:78:
-                    bf:30:e6:58:d7:6b:92:8f:19:1c:7d:95:f8:d5:2f:
-                    8c:58:49:98:88:05:50:88:80:a9:77:c4:16:b4:c1:
-                    00:45:1e:d3:d0:ed:98:4d:f7:a3:5d:f1:82:cb:a5:
-                    4d:19:64:4d:43:db:13:d4:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-            X509v3 Subject Alternative Name: 
-                DNS:localhost
-    Signature Algorithm: sha256WithRSAEncryption
-         5a:5c:5e:8b:de:82:86:f4:98:40:0e:cf:c5:51:fe:89:46:49:
-         f0:26:d2:a5:06:e3:91:43:c1:f8:b2:ad:b7:a1:23:13:1a:80:
-         45:00:51:70:b6:06:63:c6:a8:c8:22:5d:1b:00:e0:4a:8c:2e:
-         ce:b4:da:b1:89:8a:d2:d0:e3:eb:0f:16:34:45:a1:bd:64:5c:
-         48:41:8c:0a:bf:66:be:1c:a8:35:47:ce:b0:dc:c8:4f:5e:c1:
-         ec:ef:21:fb:45:55:95:e3:99:40:46:0b:6c:8a:b3:d5:f0:bf:
-         39:a4:ba:c4:d7:58:88:58:08:07:98:59:6e:ca:9c:08:e4:c4:
-         4f:db
------BEGIN CERTIFICATE-----
-MIIBzTCCATagAwIBAgIBADANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhIZWxs
-byBDQTAeFw0xOTA4MTgwNjAwMDZaFw0yOTA4MTUwNjAwMDZaMBQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1k7rOssl+X6S
-IvJjmdoIBYuj59P9cT692sXVY7fTe/jNGi5cok9ImMK02uge09eP2O6pcNCdT/SN
-leWOmnG2gKoLyygd9g1+qni/MOZY12uSjxkcfZX41S+MWEmYiAVQiICpd8QWtMEA
-RR7T0O2YTfejXfGCy6VNGWRNQ9sT1BcCAwEAAaMwMC4wCQYDVR0TBAIwADALBgNV
-HQ8EBAMCBeAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4GB
-AFpcXovegob0mEAOz8VR/olGSfAm0qUG45FDwfiyrbehIxMagEUAUXC2BmPGqMgi
-XRsA4EqMLs602rGJitLQ4+sPFjRFob1kXEhBjAq/Zr4cqDVHzrDcyE9ewezvIftF
-VZXjmUBGC2yKs9XwvzmkusTXWIhYCAeYWW7KnAjkxE/b
------END CERTIFICATE-----

e2e_test/keys/testdata/server.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDWTus6yyX5fpIi8mOZ2ggFi6Pn0/1xPr3axdVjt9N7+M0aLlyi
-T0iYwrTa6B7T14/Y7qlw0J1P9I2V5Y6acbaAqgvLKB32DX6qeL8w5ljXa5KPGRx9
-lfjVL4xYSZiIBVCIgKl3xBa0wQBFHtPQ7ZhN96Nd8YLLpU0ZZE1D2xPUFwIDAQAB
-AoGBAJhNR7Dl1JwFzndViWE6aP7/6UEFEBWeADDs7aTLbFmrTJ+xmRWkgLRHk14L
-HnVwuYLywaoyJ8o9wy1nEbxC2e4zWZ94d351MQf3/komCXDBzEsktfAcNsAFnMmS
-HZuGXfhi0FYWoftpIGxUmEBmQRcq0ctycbLves6TY3y+oajpAkEA8UHmSr/zsM3E
-XQXPp2BCAvRrTH/njk4R0jwB29Bi89gt/XDD4uvfWbHw7TZxnZuCpWisnxpMPIwa
-1rjqIQmhEwJBAONncQUOxwYCIuvraIhV0QtkIUa+YpTvAxP8ZNXx+agtHmHG2TTf
-kGv2YddvjxXZItN/FZOzUGm9OptaeLRTpW0CQHO8CEzNnoqve0agtgf2LlSaiiqt
-pRhoLTZsYPvhEMcnapCNGvtt6bxul0REfOZ9poPRHhZJGE9naqydEnv80Y8CQQC3
-pxLfws95SsBpR/VkJepuCK/XMmrrXRxfR7coEgROjiG7VZyV1vgMOS9Ljg1A19wI
-cto6LtcCjpCGZsqU1/kBAkEAv2tXBts3vuIjguZNMz7KLWmu3zG2SQRaqdEZwL+R
-DQmD5tbI6gEtd5OmgmSiW8A4mpfgFYvG7Um2fwi7TTXtSA==
------END RSA PRIVATE KEY-----

go.mod

@@ -3,24 +3,24 @@ module github.com/int128/kubelogin
 go 1.12
 
 require (
-	github.com/coreos/go-oidc v2.1.0+incompatible
-	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
-	github.com/go-test/deep v1.0.4
-	github.com/golang/mock v1.3.1
-	github.com/google/go-cmp v0.3.1
+	github.com/chromedp/chromedp v0.5.3
+	github.com/coreos/go-oidc v2.2.1+incompatible
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/golang/mock v1.4.3
+	github.com/google/go-cmp v0.4.0
 	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.8.1
+	github.com/int128/oauth2cli v1.11.0
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v0.0.5
+	github.com/spf13/cobra v0.0.7
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
+	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
+	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.2.7
-	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
-	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
-	k8s.io/klog v0.4.0
+	gopkg.in/yaml.v2 v2.2.8
+	k8s.io/apimachinery v0.18.1
+	k8s.io/client-go v0.18.1
+	k8s.io/klog v1.0.0
 )

go.sum

@@ -1,175 +1,338 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/chromedp/cdproto v0.0.0-20200116234248-4da64dd111ac h1:T7V5BXqnYd55Hj/g5uhDYumg9Fp3rMTS6bykYtTIFX4=
+github.com/chromedp/cdproto v0.0.0-20200116234248-4da64dd111ac/go.mod h1:PfAWWKJqjlGFYJEidUM6aVIWPr0EpobeyVWEEmplX7g=
+github.com/chromedp/chromedp v0.5.3 h1:F9LafxmYpsQhWQBdCs+6Sret1zzeeFyHS5LkRF//Ffg=
+github.com/chromedp/chromedp v0.5.3/go.mod h1:YLdPtndaHQ4rCpSpBG+IPpy9JvX0VD+7aaLxYgYj28w=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM=
-github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
+github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda h1:NyywMz59neOoVRFDz+ccfKWxn784fiHMDnZSy6T+JXY=
-github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-test/deep v1.0.4 h1:u2CU3YKy9I2pmu9pX0eq50wCgjfGIt539SqR7FbHiho=
-github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 h1:WSBJMqJbLxsn+bTCPyPYZfqHdJmc8MK4wrBjMft6BAM=
-github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
+github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
+github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8=
+github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
+github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
+github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
-github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/wire v0.3.0 h1:imGQZGEVEHpje5056+K+cgdO72p0LQv2xIIFXNGUf60=
-github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs16741s=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.4.0 h1:kXcsA/rIGzJImVqPdhfnr6q0xsS9gU0515q1EPpJ9fE=
 github.com/google/wire v0.4.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4=
-github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/int128/listener v1.0.0 h1:a9H3m4jbXgXpxJUK3fxWrh37Iic/UU/kYOGE0WtjbbI=
-github.com/int128/listener v1.0.0/go.mod h1:sho0rrH7mNRRZH4hYOYx+xwRDGmtRndaUiu2z9iumes=
-github.com/int128/oauth2cli v1.7.0 h1:lguQEIJ4IcSFRTqQ6y7avnfvPqVe0U6dlkW8mC1Epts=
-github.com/int128/oauth2cli v1.7.0/go.mod h1:bucNn0/es9IhOf0a2MWPvJ5xO5f6JYrCfitQTyjI5lA=
-github.com/int128/oauth2cli v1.8.1 h1:Vkmfx0w225l4qUpJ1ZWGw1elw7hnXAybSiYoYyh1iBw=
-github.com/int128/oauth2cli v1.8.1/go.mod h1:MkxKWhHUaPOaq/92Z5ifdCWySAKJKo04hUXaKA7OgDE=
-github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE=
-github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
+github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
+github.com/int128/oauth2cli v1.11.0 h1:yohafseIxX8xESedQOxB3rpuuodDowYiPaTFMpqPP3Q=
+github.com/int128/oauth2cli v1.11.0/go.mod h1:O3Tjuj1cyQCuM11KbH2ffh0O6LRX0+O97Z3InsY0M3g=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
+github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/knq/sysutil v0.0.0-20191005231841-15668db23d08 h1:V0an7KRw92wmJysvFvtqtKMAPmvS5O0jtB0nYo6t+gs=
+github.com/knq/sysutil v0.0.0-20191005231841-15668db23d08/go.mod h1:dFWs1zEqDjFtnBXsd1vPOZaLsESovai349994nHx3e0=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
+github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 h1:49lOXmGaUpV9Fz3gd7TFZY106KVlPVa5jcYD1gaQf98=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
-github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/cobra v0.0.7 h1:FfTH+vuMXOas8jmfb5/M7dzEYx7LpcLb7a0LPe34uOU=
+github.com/spf13/cobra v0.0.7/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4=
-github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-golang.org/x/crypto v0.0.0-20181025213731-e84da0312774 h1:a4tQYYYuK9QdeO/+kEvNYyuR21S+7ve5EANok6hABhI=
-golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
-golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU=
-golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20161028155119-f51c12702a4d h1:TnM+PKb3ylGmZvyPXmo9m/wktg7Jn/a/fNmr33HSj8g=
-golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
-gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5 h1:ymVxjfMaHvXD8RqPRmzHHsB3VvucivSkIAvJFDI5O3c=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.6 h1:97YCGUei5WVbkKfogoJQsLwUJ17cWvpLrgNvlcbxikE=
-gopkg.in/yaml.v2 v2.2.6/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
-gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-k8s.io/api v0.0.0-20190620084959-7cf5895f2711 h1:BblVYz/wE5WtBsD/Gvu54KyBUTJMflolzc5I2DTvh50=
-k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
-k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw=
-k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
-k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g=
-k8s.io/client-go v0.0.0-20190620085101-78d2af792bab/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k=
-k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68=
-k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.4.0 h1:lCJCxf/LIowc2IGS9TPjWDyXY4nOmdGdfcwwDQCOURQ=
-k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
-k8s.io/utils v0.0.0-20190221042446-c2654d5206da h1:ElyM7RPonbKnQqOcw7dG2IK5uvQQn3b/WPHqD5mBvP4=
-k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.18.1 h1:pnHr0LH69kvL29eHldoepUDKTuiOejNZI2A1gaxve3Q=
+k8s.io/api v0.18.1/go.mod h1:3My4jorQWzSs5a+l7Ge6JBbIxChLnY8HnuT58ZWolss=
+k8s.io/apimachinery v0.18.1 h1:hKPYcQRPLQoG2e7fKkVl0YCvm9TBefXTfGILa9vjVVk=
+k8s.io/apimachinery v0.18.1/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
+k8s.io/client-go v0.18.1 h1:2+fnu4LwKJjZVOwijkm1UqZG9aQoFsKEpipOzdfcTD8=
+k8s.io/client-go v0.18.1/go.mod h1:iCikYRiXOj/yRRFE/aWqrpPtDt4P2JVWhtHkmESTcfY=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
+k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU=
+k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

integration_test/credetial_plugin_test.go

@@ -0,0 +1,392 @@
+package integration_test
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/idp"
+	"github.com/int128/kubelogin/integration_test/idp/mock_idp"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/localserver"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter"
+	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/jwt"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+// Run the integration tests of the credential plugin use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the output.
+//
+func TestCredentialPlugin(t *testing.T) {
+	tokenCacheDir, err := ioutil.TempDir("", "kube")
+	if err != nil {
+		t.Fatalf("could not create a cache dir: %s", err)
+	}
+	defer func() {
+		if err := os.RemoveAll(tokenCacheDir); err != nil {
+			t.Errorf("could not clean up the cache dir: %s", err)
+		}
+	}()
+
+	t.Run("NoTLS", func(t *testing.T) {
+		testCredentialPlugin(t, credentialPluginTestCase{
+			tokenCacheDir: tokenCacheDir,
+			idpTLS:        keypair.None,
+			extraArgs: []string{
+				"--token-cache-dir", tokenCacheDir,
+			},
+		})
+	})
+	t.Run("TLS", func(t *testing.T) {
+		t.Run("CertFile", func(t *testing.T) {
+			testCredentialPlugin(t, credentialPluginTestCase{
+				tokenCacheDir: tokenCacheDir,
+				tokenCacheKey: tokencache.Key{CACertFilename: keypair.Server.CACertPath},
+				idpTLS:        keypair.Server,
+				extraArgs: []string{
+					"--token-cache-dir", tokenCacheDir,
+					"--certificate-authority", keypair.Server.CACertPath,
+				},
+			})
+		})
+		t.Run("CertData", func(t *testing.T) {
+			testCredentialPlugin(t, credentialPluginTestCase{
+				tokenCacheDir: tokenCacheDir,
+				tokenCacheKey: tokencache.Key{CACertData: keypair.Server.CACertBase64},
+				idpTLS:        keypair.Server,
+				extraArgs: []string{
+					"--token-cache-dir", tokenCacheDir,
+					"--certificate-authority-data", keypair.Server.CACertBase64,
+				},
+			})
+		})
+	})
+}
+
+type credentialPluginTestCase struct {
+	tokenCacheDir string
+	tokenCacheKey tokencache.Key
+	idpTLS        keypair.KeyPair
+	extraArgs     []string
+}
+
+func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
+	timeout := 1 * time.Second
+
+	t.Run("Defaults", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+	})
+
+	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
+		setupROPCFlow(provider, serverURL, "openid", "USER", "PASS", idToken)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &idToken)
+		browserMock := mock_browser.NewMockInterface(ctrl)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--username", "USER",
+			"--password", "PASS",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+	})
+
+	t.Run("HasValidToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &idToken)
+		browserMock := mock_browser.NewMockInterface(ctrl)
+		setupTokenCache(t, tc, serverURL, tokencache.Value{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+		assertTokenCache(t, tc, serverURL, tokencache.Value{
+			IDToken:      idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasValidRefreshToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
+
+		provider.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+		provider.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(jwt.PrivateKey))
+		provider.EXPECT().Refresh("VALID_REFRESH_TOKEN").
+			Return(idp.NewTokenResponse(validIDToken, "NEW_REFRESH_TOKEN"), nil)
+
+		setupTokenCache(t, tc, serverURL, tokencache.Value{
+			IDToken:      expiredIDToken,
+			RefreshToken: "VALID_REFRESH_TOKEN",
+		})
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &validIDToken)
+		browserMock := mock_browser.NewMockInterface(ctrl)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+		assertTokenCache(t, tc, serverURL, tokencache.Value{
+			IDToken:      validIDToken,
+			RefreshToken: "NEW_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		provider.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
+			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
+			MaxTimes(2) // package oauth2 will retry refreshing the token
+
+		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
+		setupTokenCache(t, tc, serverURL, tokencache.Value{
+			IDToken:      expiredIDToken,
+			RefreshToken: "EXPIRED_REFRESH_TOKEN",
+		})
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+		assertTokenCache(t, tc, serverURL, tokencache.Value{
+			IDToken:      cfg.idToken,
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		})
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "email profile openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--oidc-extra-scope", "email",
+			"--oidc-extra-scope", "profile",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+	})
+
+	t.Run("RedirectURLHostname", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://127.0.0.1:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--oidc-redirect-url-hostname", "127.0.0.1",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+	})
+
+	t.Run("ExtraParams", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+			extraParams: map[string]string{
+				"ttl":    "86400",
+				"reauth": "false",
+			},
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--oidc-auth-request-extra-params", "ttl=86400",
+			"--oidc-auth-request-extra-params", "reauth=false",
+		}
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+	})
+}
+
+func newCredentialPluginWriterMock(t *testing.T, ctrl *gomock.Controller, idToken *string) *mock_credentialpluginwriter.MockInterface {
+	writer := mock_credentialpluginwriter.NewMockInterface(ctrl)
+	writer.EXPECT().
+		Write(gomock.Any()).
+		Do(func(got credentialpluginwriter.Output) {
+			want := credentialpluginwriter.Output{
+				Token:  *idToken,
+				Expiry: tokenExpiryFuture,
+			}
+			if diff := cmp.Diff(want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	return writer
+}
+
+func runGetTokenCmd(t *testing.T, ctx context.Context, b browser.Interface, w credentialpluginwriter.Interface, args []string) {
+	t.Helper()
+	cmd := di.NewCmdForHeadless(logger.New(t), b, w)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin", "get-token",
+		"--v=1",
+		"--listen-address", "127.0.0.1:0",
+	}, args...), "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+func setupTokenCache(t *testing.T, tc credentialPluginTestCase, serverURL string, v tokencache.Value) {
+	k := tc.tokenCacheKey
+	k.IssuerURL = serverURL
+	k.ClientID = "kubernetes"
+	var r tokencache.Repository
+	err := r.Save(tc.tokenCacheDir, k, v)
+	if err != nil {
+		t.Errorf("could not set up the token cache: %s", err)
+	}
+}
+
+func assertTokenCache(t *testing.T, tc credentialPluginTestCase, serverURL string, want tokencache.Value) {
+	k := tc.tokenCacheKey
+	k.IssuerURL = serverURL
+	k.ClientID = "kubernetes"
+	var r tokencache.Repository
+	got, err := r.FindByKey(tc.tokenCacheDir, k)
+	if err != nil {
+		t.Errorf("could not set up the token cache: %s", err)
+	}
+	if diff := cmp.Diff(&want, got); diff != "" {
+		t.Errorf("mismatch (-want +got):\n%s", diff)
+	}
+}

integration_test/helpers_test.go

@@ -0,0 +1,105 @@
+package integration_test
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/integration_test/idp"
+	"github.com/int128/kubelogin/integration_test/idp/mock_idp"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
+	"github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+var (
+	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
+	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
+)
+
+func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
+	t.Helper()
+	return jwt.EncodeF(t, func(claims *jwt.Claims) {
+		claims.Issuer = issuer
+		claims.Subject = "SUBJECT"
+		claims.IssuedAt = time.Now().Unix()
+		claims.ExpiresAt = expiry.Unix()
+		claims.Audience = []string{"kubernetes", "system"}
+		claims.Nonce = nonce
+		claims.Groups = []string{"admin", "users"}
+	})
+}
+
+type authCodeFlowConfig struct {
+	serverURL         string
+	scope             string
+	redirectURIPrefix string
+	extraParams       map[string]string
+
+	// setupAuthCodeFlow will set this after authentication
+	idToken string
+}
+
+func setupAuthCodeFlow(t *testing.T, provider *mock_idp.MockProvider, c *authCodeFlowConfig) {
+	var nonce string
+	provider.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(c.serverURL))
+	provider.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(jwt.PrivateKey))
+	provider.EXPECT().AuthenticateCode(gomock.Any()).
+		DoAndReturn(func(req idp.AuthenticationRequest) (string, error) {
+			if req.Scope != c.scope {
+				t.Errorf("scope wants `%s` but was `%s`", c.scope, req.Scope)
+			}
+			if !strings.HasPrefix(req.RedirectURI, c.redirectURIPrefix) {
+				t.Errorf("redirectURI wants prefix `%s` but was `%s`", c.redirectURIPrefix, req.RedirectURI)
+			}
+			for k, v := range c.extraParams {
+				got := req.RawQuery.Get(k)
+				if got != v {
+					t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+				}
+			}
+			nonce = req.Nonce
+			return "YOUR_AUTH_CODE", nil
+		})
+	provider.EXPECT().Exchange("YOUR_AUTH_CODE").
+		DoAndReturn(func(string) (*idp.TokenResponse, error) {
+			c.idToken = newIDToken(t, c.serverURL, nonce, tokenExpiryFuture)
+			return idp.NewTokenResponse(c.idToken, "YOUR_REFRESH_TOKEN"), nil
+		})
+}
+
+func setupROPCFlow(provider *mock_idp.MockProvider, serverURL, scope, username, password, idToken string) {
+	provider.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+	provider.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(jwt.PrivateKey))
+	provider.EXPECT().AuthenticatePassword(username, password, scope).
+		Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
+}
+
+func newBrowserMock(ctx context.Context, t *testing.T, ctrl *gomock.Controller, k keypair.KeyPair) browser.Interface {
+	b := mock_browser.NewMockInterface(ctrl)
+	b.EXPECT().
+		Open(gomock.Any()).
+		Do(func(url string) {
+			client := http.Client{Transport: &http.Transport{TLSClientConfig: k.TLSConfig}}
+			req, err := http.NewRequest("GET", url, nil)
+			if err != nil {
+				t.Errorf("could not create a request: %s", err)
+				return
+			}
+			req = req.WithContext(ctx)
+			resp, err := client.Do(req)
+			if err != nil {
+				t.Errorf("could not send a request: %s", err)
+				return
+			}
+			defer resp.Body.Close()
+			if resp.StatusCode != 200 {
+				t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+			}
+		})
+	return b
+}

integration_test/idp/handler.go

@@ -1,4 +1,3 @@
-// Package idp provides a test double of the identity provider of OpenID Connect.
 package idp
 
 import (
@@ -10,16 +9,16 @@ import (
 	"golang.org/x/xerrors"
 )
 
-func NewHandler(t *testing.T, service Service) *Handler {
-	return &Handler{t, service}
+func NewHandler(t *testing.T, provider Provider) *Handler {
+	return &Handler{t, provider}
 }
 
-// Handler provides a HTTP handler for the identity provider of OpenID Connect.
-// You need to implement the Service interface.
+// Handler provides a HTTP handler for the OpenID Connect Provider.
+// You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
 type Handler struct {
-	t       *testing.T
-	service Service
+	t        *testing.T
+	provider Provider
 }
 
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -58,14 +57,14 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 	p := r.URL.Path
 	switch {
 	case m == "GET" && p == "/.well-known/openid-configuration":
-		discoveryResponse := h.service.Discovery()
+		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
 			return xerrors.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/certs":
-		certificatesResponse := h.service.GetCertificates()
+		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
@@ -75,8 +74,14 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		// 3.1.2.1. Authentication Request
 		// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 		q := r.URL.Query()
-		redirectURI, scope, state, nonce := q.Get("redirect_uri"), q.Get("scope"), q.Get("state"), q.Get("nonce")
-		code, err := h.service.AuthenticateCode(scope, nonce)
+		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
+		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+			RedirectURI: redirectURI,
+			State:       state,
+			Scope:       q.Get("scope"),
+			Nonce:       q.Get("nonce"),
+			RawQuery:    q,
+		})
 		if err != nil {
 			return xerrors.Errorf("authentication error: %w", err)
 		}
@@ -92,7 +97,7 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			// 3.1.3.1. Token Request
 			// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
 			code := r.Form.Get("code")
-			tokenResponse, err := h.service.Exchange(code)
+			tokenResponse, err := h.provider.Exchange(code)
 			if err != nil {
 				return xerrors.Errorf("token request error: %w", err)
 			}
@@ -105,7 +110,7 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			// 4.3. Resource Owner Password Credentials Grant
 			// https://tools.ietf.org/html/rfc6749#section-4.3
 			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
-			tokenResponse, err := h.service.AuthenticatePassword(username, password, scope)
+			tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
 			if err != nil {
 				return xerrors.Errorf("authentication error: %w", err)
 			}
@@ -118,7 +123,7 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			// 12.1. Refresh Request
 			// https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
 			refreshToken := r.Form.Get("refresh_token")
-			tokenResponse, err := h.service.Refresh(refreshToken)
+			tokenResponse, err := h.provider.Refresh(refreshToken)
 			if err != nil {
 				return xerrors.Errorf("token refresh error: %w", err)
 			}

integration_test/idp/idp.go

@@ -1,22 +1,24 @@
+// Package idp provides a test double of an OpenID Connect Provider.
 package idp
 
-//go:generate mockgen -destination mock_idp/mock_service.go github.com/int128/kubelogin/e2e_test/idp Service
+//go:generate mockgen -destination mock_idp/mock_idp.go github.com/int128/kubelogin/integration_test/idp Provider
 
 import (
 	"crypto/rsa"
 	"encoding/base64"
 	"fmt"
 	"math/big"
+	"net/url"
 )
 
-// Service provides discovery and authentication methods.
+// Provider provides discovery and authentication methods.
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
-type Service interface {
+type Provider interface {
 	Discovery() *DiscoveryResponse
 	GetCertificates() *CertificatesResponse
-	AuthenticateCode(scope, nonce string) (code string, err error)
+	AuthenticateCode(req AuthenticationRequest) (code string, err error)
 	Exchange(code string) (*TokenResponse, error)
 	AuthenticatePassword(username, password, scope string) (*TokenResponse, error)
 	Refresh(refreshToken string) (*TokenResponse, error)
@@ -88,6 +90,14 @@ func NewCertificatesResponse(idTokenKeyPair *rsa.PrivateKey) *CertificatesRespon
 	}
 }
 
+type AuthenticationRequest struct {
+	RedirectURI string
+	State       string
+	Scope       string // space separated string
+	Nonce       string
+	RawQuery    url.Values
+}
+
 type TokenResponse struct {
 	AccessToken  string `json:"access_token"`
 	TokenType    string `json:"token_type"`

integration_test/idp/mock_idp/mock_idp.go

@@ -1,55 +1,55 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/e2e_test/idp (interfaces: Service)
+// Source: github.com/int128/kubelogin/integration_test/idp (interfaces: Provider)
 
 // Package mock_idp is a generated GoMock package.
 package mock_idp
 
 import (
 	gomock "github.com/golang/mock/gomock"
-	idp "github.com/int128/kubelogin/e2e_test/idp"
+	idp "github.com/int128/kubelogin/integration_test/idp"
 	reflect "reflect"
 )
 
-// MockService is a mock of Service interface
-type MockService struct {
+// MockProvider is a mock of Provider interface
+type MockProvider struct {
 	ctrl     *gomock.Controller
-	recorder *MockServiceMockRecorder
+	recorder *MockProviderMockRecorder
 }
 
-// MockServiceMockRecorder is the mock recorder for MockService
-type MockServiceMockRecorder struct {
-	mock *MockService
+// MockProviderMockRecorder is the mock recorder for MockProvider
+type MockProviderMockRecorder struct {
+	mock *MockProvider
 }
 
-// NewMockService creates a new mock instance
-func NewMockService(ctrl *gomock.Controller) *MockService {
-	mock := &MockService{ctrl: ctrl}
-	mock.recorder = &MockServiceMockRecorder{mock}
+// NewMockProvider creates a new mock instance
+func NewMockProvider(ctrl *gomock.Controller) *MockProvider {
+	mock := &MockProvider{ctrl: ctrl}
+	mock.recorder = &MockProviderMockRecorder{mock}
 	return mock
 }
 
 // EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockService) EXPECT() *MockServiceMockRecorder {
+func (m *MockProvider) EXPECT() *MockProviderMockRecorder {
 	return m.recorder
 }
 
 // AuthenticateCode mocks base method
-func (m *MockService) AuthenticateCode(arg0, arg1 string) (string, error) {
+func (m *MockProvider) AuthenticateCode(arg0 idp.AuthenticationRequest) (string, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AuthenticateCode", arg0, arg1)
+	ret := m.ctrl.Call(m, "AuthenticateCode", arg0)
 	ret0, _ := ret[0].(string)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
 // AuthenticateCode indicates an expected call of AuthenticateCode
-func (mr *MockServiceMockRecorder) AuthenticateCode(arg0, arg1 interface{}) *gomock.Call {
+func (mr *MockProviderMockRecorder) AuthenticateCode(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateCode", reflect.TypeOf((*MockService)(nil).AuthenticateCode), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateCode", reflect.TypeOf((*MockProvider)(nil).AuthenticateCode), arg0)
 }
 
 // AuthenticatePassword mocks base method
-func (m *MockService) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenResponse, error) {
+func (m *MockProvider) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenResponse, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AuthenticatePassword", arg0, arg1, arg2)
 	ret0, _ := ret[0].(*idp.TokenResponse)
@@ -58,13 +58,13 @@ func (m *MockService) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenR
 }
 
 // AuthenticatePassword indicates an expected call of AuthenticatePassword
-func (mr *MockServiceMockRecorder) AuthenticatePassword(arg0, arg1, arg2 interface{}) *gomock.Call {
+func (mr *MockProviderMockRecorder) AuthenticatePassword(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticatePassword", reflect.TypeOf((*MockService)(nil).AuthenticatePassword), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticatePassword", reflect.TypeOf((*MockProvider)(nil).AuthenticatePassword), arg0, arg1, arg2)
 }
 
 // Discovery mocks base method
-func (m *MockService) Discovery() *idp.DiscoveryResponse {
+func (m *MockProvider) Discovery() *idp.DiscoveryResponse {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Discovery")
 	ret0, _ := ret[0].(*idp.DiscoveryResponse)
@@ -72,13 +72,13 @@ func (m *MockService) Discovery() *idp.DiscoveryResponse {
 }
 
 // Discovery indicates an expected call of Discovery
-func (mr *MockServiceMockRecorder) Discovery() *gomock.Call {
+func (mr *MockProviderMockRecorder) Discovery() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Discovery", reflect.TypeOf((*MockService)(nil).Discovery))
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Discovery", reflect.TypeOf((*MockProvider)(nil).Discovery))
 }
 
 // Exchange mocks base method
-func (m *MockService) Exchange(arg0 string) (*idp.TokenResponse, error) {
+func (m *MockProvider) Exchange(arg0 string) (*idp.TokenResponse, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Exchange", arg0)
 	ret0, _ := ret[0].(*idp.TokenResponse)
@@ -87,13 +87,13 @@ func (m *MockService) Exchange(arg0 string) (*idp.TokenResponse, error) {
 }
 
 // Exchange indicates an expected call of Exchange
-func (mr *MockServiceMockRecorder) Exchange(arg0 interface{}) *gomock.Call {
+func (mr *MockProviderMockRecorder) Exchange(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exchange", reflect.TypeOf((*MockService)(nil).Exchange), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exchange", reflect.TypeOf((*MockProvider)(nil).Exchange), arg0)
 }
 
 // GetCertificates mocks base method
-func (m *MockService) GetCertificates() *idp.CertificatesResponse {
+func (m *MockProvider) GetCertificates() *idp.CertificatesResponse {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetCertificates")
 	ret0, _ := ret[0].(*idp.CertificatesResponse)
@@ -101,13 +101,13 @@ func (m *MockService) GetCertificates() *idp.CertificatesResponse {
 }
 
 // GetCertificates indicates an expected call of GetCertificates
-func (mr *MockServiceMockRecorder) GetCertificates() *gomock.Call {
+func (mr *MockProviderMockRecorder) GetCertificates() *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificates", reflect.TypeOf((*MockService)(nil).GetCertificates))
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificates", reflect.TypeOf((*MockProvider)(nil).GetCertificates))
 }
 
 // Refresh mocks base method
-func (m *MockService) Refresh(arg0 string) (*idp.TokenResponse, error) {
+func (m *MockProvider) Refresh(arg0 string) (*idp.TokenResponse, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Refresh", arg0)
 	ret0, _ := ret[0].(*idp.TokenResponse)
@@ -116,7 +116,7 @@ func (m *MockService) Refresh(arg0 string) (*idp.TokenResponse, error) {
 }
 
 // Refresh indicates an expected call of Refresh
-func (mr *MockServiceMockRecorder) Refresh(arg0 interface{}) *gomock.Call {
+func (mr *MockProviderMockRecorder) Refresh(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockService)(nil).Refresh), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockProvider)(nil).Refresh), arg0)
 }

integration_test/keypair/keypair.go

@@ -0,0 +1,62 @@
+package keypair
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+)
+
+// KeyPair represents a pair of certificate and key.
+type KeyPair struct {
+	CertPath     string
+	KeyPath      string
+	CACertPath   string
+	CACertBase64 string
+	TLSConfig    *tls.Config
+}
+
+// None represents non-TLS.
+var None KeyPair
+
+// Server is a KeyPair for TLS server.
+// These files should be generated by Makefile before test.
+var Server = KeyPair{
+	CertPath:     "keypair/testdata/server.crt",
+	KeyPath:      "keypair/testdata/server.key",
+	CACertPath:   "keypair/testdata/ca.crt",
+	CACertBase64: readAsBase64("keypair/testdata/ca.crt"),
+	TLSConfig:    newTLSConfig("keypair/testdata/ca.crt"),
+}
+
+func readAsBase64(name string) string {
+	f, err := os.Open(name)
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+	var s strings.Builder
+	e := base64.NewEncoder(base64.StdEncoding, &s)
+	if _, err := io.Copy(e, f); err != nil {
+		panic(err)
+	}
+	if err := e.Close(); err != nil {
+		panic(err)
+	}
+	return s.String()
+}
+
+func newTLSConfig(name string) *tls.Config {
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		panic(err)
+	}
+	p := x509.NewCertPool()
+	if !p.AppendCertsFromPEM(b) {
+		panic("could not append the CA cert")
+	}
+	return &tls.Config{RootCAs: p}
+}

integration_test/keypair/testdata/Makefile

@@ -0,0 +1,26 @@
+EXPIRY := 3650
+OUTPUT_DIR := testdata
+TARGETS := ca.key
+TARGETS += ca.crt
+TARGETS += server.key
+TARGETS += server.crt
+
+.PHONY: all
+all: $(TARGETS)
+
+ca.key:
+	openssl genrsa -out $@ 2048
+ca.csr: ca.key
+	openssl req -new -key ca.key -out $@ -subj "/CN=hello-ca" -config openssl.cnf
+ca.crt: ca.key ca.csr
+	openssl x509 -req -in ca.csr -signkey ca.key -out $@ -days $(EXPIRY)
+server.key:
+	openssl genrsa -out $@ 2048
+server.csr: openssl.cnf server.key
+	openssl req -new -key server.key -out $@ -subj "/CN=localhost" -config openssl.cnf
+server.crt: openssl.cnf server.csr ca.crt ca.key
+	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $@ -sha256 -days $(EXPIRY) -extensions v3_req -extfile openssl.cnf
+
+.PHONY: clean
+clean:
+	-rm -v $(TARGETS)

integration_test/keypair/testdata/ca.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICojCCAYoCCQCNsdXicWqF2DANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAho
+ZWxsby1jYTAeFw0yMDAyMDYwMTMzMzNaFw0zMDAyMDMwMTMzMzNaMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxcPN
+dS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs+3WZQpsSj5nC4yEx8uPQ
+bTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZAiT0pJw8hdypTQyMLbeDr
+Vl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY4KENHFE3OAcD58FMvvrh
+vgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIsvFE6zSyAxU55RElph7mE
+ru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9zavFkGx2MEwDp/3FmUukR
+yJnS2KnAo0QdBeS1LQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAXGfoDwuKY4TyF
+fhKg553Y5I6VDCDc97jyW9yyfc0kvPjQc4EGQV+1eQqMSeh2THpgEEKk9hH/g35a
+grPRcBTsEWpbQd16yWyulQeyOtPeWZB2FvAigMaAdMmeXlTs6++gJ6PjPuACa2Jl
+nJ/AjCqKFxkn0yEVkPTY0c/I9A12xhCmATqIrQiK1pPowiFxQb4M8Cm0z0AkaJZr
+iW0NCOJlLzBqRpFquL4umNaIsxTmOshfM70NpQGRjKREBuK6S0qWsRR0wz4b9Rvi
+62qW4zU94q2EDIoCItjHP4twGENXJDC0vLCsKfA5AvbPzszd5/4ifYe2C00Rn7/O
+lIxrspMm
+-----END CERTIFICATE-----

integration_test/keypair/testdata/ca.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrDCCAZQCAQAwEzERMA8GA1UEAwwIaGVsbG8tY2EwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDFw811LzwHp7CpWf+b3I7vg4sjA2uoxyLyXuiU/1eV
+wmHFRmz7dZlCmxKPmcLjITHy49BtO0EqdddUN77yTs6wtOu6736KxNpiTij9Nlu7
+D83fVkCJPSknDyF3KlNDIwtt4OtWXhtut9tjLDHfQPKsfFSSDM5azjn1TBzXBa7R
+bszbUZjgoQ0cUTc4BwPnwUy++uG+CSyUBPDBbgzZS1dQUnxceHbqD8njnQNTaDA3
+GlxJ0iy8UTrNLIDFTnlESWmHuYSu71w1YBiEJFm+VlDZWUfsLolDdIfID1FmYFs+
+leG2X3Nq8WQbHYwTAOn/cWZS6RHImdLYqcCjRB0F5LUtAgMBAAGgVDBSBgkqhkiG
+9w0BCQ4xRTBDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBQGA1UdEQQNMAuCCWxv
+Y2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEA
+o/Uthp3NWx0ydTn/GBZI+vA3gI7Qd9UwLvwkeinldRlPM9DOXpG6LR0C40f6u+fj
+mXvUDerveYJI8rpo+Ds0UVqy63AH/zZLG7M96L5Nv2KnK40bkfVNez858Yqp1u17
+/ci1ZsQIElU5v2qKozaHdQThDVtD5ZZdZoQwLvBLE/Dwpe/4VZZFh8smPMR+Mhcq
++b7gpSy1RiUffk0ZMjuF9Nc9OODdQMTCf+86i0qWXGVzkhfHKAGv+xarHEztcmxF
+GUgUYW8DMvYBjEzaGRM1n0aIFkQO6y8SUXvGMIGBSMC4jfBH3ghIXg1+nD6Uah4D
+16r+CLjFsDUdn/DK/fIQVw==
+-----END CERTIFICATE REQUEST-----

integration_test/keypair/testdata/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxcPNdS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs
++3WZQpsSj5nC4yEx8uPQbTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZA
+iT0pJw8hdypTQyMLbeDrVl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY
+4KENHFE3OAcD58FMvvrhvgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIs
+vFE6zSyAxU55RElph7mEru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9z
+avFkGx2MEwDp/3FmUukRyJnS2KnAo0QdBeS1LQIDAQABAoIBAHSoWtMsaMnPNlu/
+thM32K0auIGP6/rkdQ3pxGLX+M9jmY7oSzNOHHj4xssklZyroS45CmLU2Ez2tG1+
+cMm4iR4dqwxbaBbtpjDlEDLF1PiUiwmadHlANb1PpJsJwZHR41UOn2QUITR/ig+H
+K2gZhM0QjkaU/Uj9a5zyJ/UC6iupmgCtj8ij65B49qKMODxV4gqZstRSZiJ3gb6R
+TBeR3PUWQS62MZueEQz2eF0eXkXKsFWcbLfHArjfIJ533zW68A0vabgqOhCwJTks
++rkyaKUjEwJJQcgpCfUI4t9HAwICqYtw0fQdDDaMak2XTDFnGHn1/VfSi818U5Sa
+jZ+/uIECgYEA4uCd5ISsLWebSv2r5f97N8+WcW0MSJ0XP5MniiMvlaNOtJmoN3H0
+PlgR3uwpH9TNWHITZEEb/I93r2E3f24v2018g0uJuwiRDusxHs7yuxw/93Y5rwtG
+3twL1k0GyeLCxfM2y2QQU/awXISx7nNk2f0umvTWmjrEw632oQSWCSECgYEA3yaF
+zDk7k1u1GdZAh+pQAyUtjzHSvQjiE2JzLaH8BTorACrczRascX5yyMi0QfLYnoYt
+UL9dCb4Z8HUclj55kBSx8anvVtf3XAT3hZ3sm8LV3JLGDeURGS8rGdV+tyFk7zw9
+XgvaLj3xjB5CoJvtOhbXvqF9M9yp4TMBb5El7o0CgYBTx5Bm15thNPZCrgQxbbOJ
+u42ZmyRDGEeCgYvDVhT3VBP3WxqkRt9juk/3GwxgpcuikpWYmvaDwFL5H5RH6V+g
+wy9sqJNWzuYKNU2xS8iU0ezJLA5HFon4OBfi7hTIroUwZgzg9LWW2+zqbVHrdQ9T
+9Eumiy1ITNVmUTJW6YOiIQKBgBE4BsEAdZFkVTAeMTKLqQrlFoPjI1DE27UFNsAB
+rNG2cFT9+bW1ly7WxAKsQgSIuaBZ2CtP6Nz0l0nPr5oEThsJDcYJB9faqFKoa3Ua
+/4PxX9E6Xh/6WfxogFno+HMnF4PCUTXtkjNZQkc+moOMJJ0D4DfsfB3BXDZtWiIC
+wDuNAoGBAN5ZFTXwE1VpWxIWq5dV9+0aVOP/eB+h7Pt+u2xyRip31FGcpGEzGniu
+VmOzWApW7NmvD0QWtstJWlCpsw+rOptAL0oVunlB70KuYuA+2Q5g/Cw3kUrvXqbe
+mkCoV21eFAmpU+I6z/n7pUDXPuUsmTkzmwedv0HUuNSQJmHZOMPD
+-----END RSA PRIVATE KEY-----

integration_test/keypair/testdata/ca.srl

@@ -0,0 +1 @@
+9E12C7A1AF348811

integration_test/keypair/testdata/openssl.cnf

@@ -0,0 +1,14 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = localhost

integration_test/keypair/testdata/server.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIJAJ4Sx6GvNIgRMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMB4XDTIwMDIwNjAxMzMzM1oXDTMwMDIwMzAxMzMzM1owFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLtJr+/AxI8k5Er
+MFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0XK41ZSbDAchbW
+349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92+TzrrlbkZ5+W
+YVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzXfVUpxJ/DYLXZ
+yHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Nggn6XJNh/g1QK
+o4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABo0UwQzAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DAUBgNVHREEDTALgglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBACqlq8b7trNRtKUm1PbY7dnrAFCOnV4OT2R98s17
+Q6tmCXM1DvQ101W0ih/lh6iPyU4JM2A0kvO+gizuL/Dmvb6oh+3ox0mMLposptso
+gCE1K3SXlvlcLdM6hXRJ5+XwlSCHM6o2Y4yABnKjT6Zr+CMh86a5abDx33hkJ4QR
+6I+/iBHVLiCVv0wUF3jD/T+HxinEQrB4cQsSgKmfPClrc8n7rkWWE+MdwEL4VZCH
+ufabw178aYibVvJ8k3rushjLlftkDyCNno2rz8YWrnaxabVR0EqSPInyYQenmv2r
+/CedVKpmdH2RV8ubkwqa0s6cmpRkyu6FS2g3LviJhmm0nwQ=
+-----END CERTIFICATE-----

integration_test/keypair/testdata/server.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrTCCAZUCAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F
+7yVyphLtJr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4
+TKyVaU0XK41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTk
+C3gSVF92+TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDg
+kGuwwhzXfVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV
++2ovP0Nggn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABoFQwUgYJKoZI
+hvcNAQkOMUUwQzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAUBgNVHREEDTALggls
+b2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEB
+ACUQ0j3XuUZY3fso5tEgOGVjVsTU+C4pIsEw3e1KyIB93i56ANKaq1uBLtnlWtYi
+R4RxZ3Sf08GzoEHAHpWoQ4BQ3WGDQjxSdezbudWMuNnNyvyhkh36tmmp/PLA4iZD
+Q/d1odzGWg1HMqY0/Q3hfz40MQ9IEBBm+5zKw3tLsKNIKdSdlY7Ul3Z9PUsqsOVW
+uF0LKsTMEh1CpbYnOBS2EQjComVM5kYfdQwDNh+BMok8rH7mHFYRmrwYUrU9njsM
+eoKqhLkoSu6hw1Cgd9Yru5lC541KfxsSN4Cj6rkm+Qv/5zjvIPxYZ+akSQQR9hR3
+2O9THHKqaQS0xmD+y8NjfYk=
+-----END CERTIFICATE REQUEST-----

integration_test/keypair/testdata/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLt
+Jr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0X
+K41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92
++TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzX
+fVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Ng
+gn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABAoIBAEYvWFb4C0wurOj2
+ABrvhP2Ekaesh4kxMp+zgTlqxzsTJnWarS/gjKcPBm9KJon3La3P3tnd7y3pBXcV
+2F0IBl4DTHRpBTUS6HBVnENc8LnJgK2dHZkOLPyYtRLrA0Et+A73PQ2hNmchC+5V
+b9K9oQH0Pvim1gCHocnrSIi480hQPazO9/gnHvFtu9Tdsx9kM9jgChhh5VaR+nzM
+uw6MpUSzCri3/W6K5Hz8F1lLQcZ6o3vyyFtLPjFrWT4J1UiHqAoxuCGeWTvMbGQl
+9Cg0SMX4FLBpbIoMonhM3hb9Cw3FVRGU/1i4oF+gEIGlX/v9CPT5HAZmD59rawc8
+11x7yTECgYEA8EYVGKauLHeI1nJdCoVrWI73W1wtwt6prJbzltpoAR4tb3Qu6gBX
+JQNd+Ifhl28lK6lPnCGk/SsmfiKSp/XE4IyS1GBd2LpxWj5R50GePCg4hAzk9Xyx
+M9SJAFQw73pODgu4RWFXTCOMo9crahJ6X/O+MckHqbFqqohJ8nChGDkCgYEA6oro
+Ql/ymO7UdYCay7OlzKeg8ud6XgkZ+wkpSG/5TQ0QZWVN3aSOLztEdVfh3PAqWob0
+KgVhLmq6CYwq+HSzU92bvFqCgYUMU8tYzeRboGLxyEdAGL+EW0j8wQyZKYR5cNz4
+yM0hpM6kbJ0zZqkYVM/XfRT2RTGwTMakF/FOHZcCgYEAmf4guTriuIcoAWEstniK
+Myj16ezrO1Df6Eia+B0kuUqxDhSlmL39HDDLQmU8NYU7in8qEcQSbVwBgKgB3HoM
+42nVFR5qJ2RfD9qPPar1klKo3iExgRCYtcJKyBYtgt6dNi1WvcjEXX0PP1bBcWtE
+WUjrphbUvXKDDabp1eNPrCkCgYBOw/F2APTeyS4Oe+8AQ8eFcDIMARLGK7ZO6Oe1
+TO1jI+UCuD+rFI0vbW7zHV1brkf6+OFcj0vwo6TweeMgZ0il/IFFgvva9UyLg3nC
+Q1NGDJR4Fv1+kiqn4V4IkuuI1tVVws/F16XZzA/J7g0KB/WE3fvXJMgDuskjL36C
+D+aU5wKBgQCvEg+mJYny1QiR/mQuowX34xf4CkMl7Xq9YDH7W/3AlwuPrPNHaZjh
+SvSCz9I8vV0E4ur6atazgCblnvA/G3d4r8YYx+e1l30WJHMgoZRxxHMH74tmUPAj
+Klic16BJikSQclMeFdlJqf2UHd37eEuYnxorpep8YGP7/eN1ghHWAw==
+-----END RSA PRIVATE KEY-----

integration_test/localserver/authserver.go

@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/int128/kubelogin/e2e_test/keys"
+	"github.com/int128/kubelogin/integration_test/keypair"
 )
 
 type Shutdowner interface {
@@ -31,8 +31,8 @@ func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
 
 // Start starts an authentication server.
 // If k is non-nil, it starts a TLS server.
-func Start(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
-	if k == keys.None {
+func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
+	if k == keypair.None {
 		return startNoTLS(t, h)
 	}
 	return startTLS(t, h, k)
@@ -54,7 +54,7 @@ func startNoTLS(t *testing.T, h http.Handler) (string, Shutdowner) {
 	return url, &shutdowner{l, s}
 }
 
-func startTLS(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
+func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "https://localhost:" + port

integration_test/standalone_test.go

@@ -1,4 +1,4 @@
-package e2e_test
+package integration_test
 
 import (
 	"context"
@@ -7,14 +7,16 @@ import (
 	"time"
 
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/e2e_test/kubeconfig"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/integration_test/idp"
+	"github.com/int128/kubelogin/integration_test/idp/mock_idp"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/kubeconfig"
+	"github.com/int128/kubelogin/integration_test/localserver"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
 	"github.com/int128/kubelogin/pkg/di"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/testing/jwt"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 )
 
 // Run the integration tests of the Login use-case.
@@ -26,14 +28,14 @@ import (
 //
 func TestStandalone(t *testing.T) {
 	t.Run("NoTLS", func(t *testing.T) {
-		testStandalone(t, keys.None)
+		testStandalone(t, keypair.None)
 	})
 	t.Run("TLS", func(t *testing.T) {
-		testStandalone(t, keys.Server)
+		testStandalone(t, keypair.Server)
 	})
 }
 
-func testStandalone(t *testing.T, idpTLS keys.Keys) {
+func testStandalone(t *testing.T, idpTLS keypair.KeyPair) {
 	timeout := 5 * time.Second
 
 	t.Run("Defaults", func(t *testing.T) {
@@ -43,11 +45,16 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
 			IDPCertificateAuthority: idpTLS.CACertPath,
@@ -57,9 +64,9 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		args := []string{
 			"--kubeconfig", kubeConfigFilename,
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -71,11 +78,12 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
+		browserMock := mock_browser.NewMockInterface(ctrl)
 		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-		setupMockIDPForROPC(service, serverURL, "openid", "USER", "PASS", idToken)
+		setupROPCFlow(provider, serverURL, "openid", "USER", "PASS", idToken)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
 			IDPCertificateAuthority: idpTLS.CACertPath,
@@ -87,7 +95,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 			"--username", "USER",
 			"--password", "PASS",
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -101,10 +109,11 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
 		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
+		browserMock := mock_browser.NewMockInterface(ctrl)
 
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
@@ -117,7 +126,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		args := []string{
 			"--kubeconfig", kubeConfigFilename,
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
@@ -131,14 +140,15 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
 		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-		service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
+		provider.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+		provider.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(jwt.PrivateKey))
+		provider.EXPECT().Refresh("VALID_REFRESH_TOKEN").
 			Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
+		browserMock := mock_browser.NewMockInterface(ctrl)
 
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
@@ -151,7 +161,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		args := []string{
 			"--kubeconfig", kubeConfigFilename,
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
 			IDToken:      idToken,
 			RefreshToken: "NEW_REFRESH_TOKEN",
@@ -165,14 +175,19 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		provider.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
 			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
 			MaxTimes(2) // package oauth2 will retry refreshing the token
+		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)
 
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
@@ -185,9 +200,9 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		args := []string{
 			"--kubeconfig", kubeConfigFilename,
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -199,11 +214,16 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)
 
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
@@ -216,9 +236,9 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		args := []string{
 			"--kubeconfig", kubeConfigFilename,
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -230,11 +250,16 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "profile groups openid", &idToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "profile groups openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)
 
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
@@ -246,22 +271,21 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		args := []string{
 			"--kubeconfig", kubeConfigFilename,
 		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
+		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
 }
 
-func runRootCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, args []string) {
+func runRootCmd(t *testing.T, ctx context.Context, b browser.Interface, args []string) {
 	t.Helper()
-	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, nil)
+	cmd := di.NewCmdForHeadless(logger.New(t), b, nil)
 	exitCode := cmd.Run(ctx, append([]string{
 		"kubelogin",
 		"--v=1",
-		"--listen-port", "0",
-		"--skip-open-browser",
+		"--listen-address", "127.0.0.1:0",
 	}, args...), "HEAD")
 	if exitCode != 0 {
 		t.Errorf("exit status wants 0 but %d", exitCode)

pkg/adaptors/browser/browser.go

@@ -0,0 +1,33 @@
+package browser
+
+import (
+	"os"
+
+	"github.com/google/wire"
+	"github.com/pkg/browser"
+)
+
+//go:generate mockgen -destination mock_browser/mock_browser.go github.com/int128/kubelogin/pkg/adaptors/browser Interface
+
+func init() {
+	// In credential plugin mode, some browser launcher writes a message to stdout
+	// and it may break the credential json for client-go.
+	// This prevents the browser launcher from breaking the credential json.
+	browser.Stdout = os.Stderr
+}
+
+var Set = wire.NewSet(
+	wire.Struct(new(Browser)),
+	wire.Bind(new(Interface), new(*Browser)),
+)
+
+type Interface interface {
+	Open(url string) error
+}
+
+type Browser struct{}
+
+// Open opens the default browser.
+func (*Browser) Open(url string) error {
+	return browser.OpenURL(url)
+}

pkg/adaptors/browser/mock_browser/mock_browser.go

@@ -1,12 +1,11 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/jwtdecoder (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/browser (interfaces: Interface)
 
-// Package mock_jwtdecoder is a generated GoMock package.
-package mock_jwtdecoder
+// Package mock_browser is a generated GoMock package.
+package mock_browser
 
 import (
 	gomock "github.com/golang/mock/gomock"
-	jwtdecoder "github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
 	reflect "reflect"
 )
 
@@ -33,17 +32,16 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }
 
-// Decode mocks base method
-func (m *MockInterface) Decode(arg0 string) (*jwtdecoder.Claims, error) {
+// Open mocks base method
+func (m *MockInterface) Open(arg0 string) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Decode", arg0)
-	ret0, _ := ret[0].(*jwtdecoder.Claims)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
+	ret := m.ctrl.Call(m, "Open", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
 }
 
-// Decode indicates an expected call of Decode
-func (mr *MockInterfaceMockRecorder) Decode(arg0 interface{}) *gomock.Call {
+// Open indicates an expected call of Open
+func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Decode", reflect.TypeOf((*MockInterface)(nil).Decode), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
 }

pkg/adaptors/certpool/cert.go

@@ -11,24 +11,19 @@ import (
 	"golang.org/x/xerrors"
 )
 
-//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool FactoryInterface,Interface
+//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool Interface
 
 // Set provides an implementation and interface.
 var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
+	wire.Value(NewFunc(New)),
 	wire.Struct(new(CertPool), "*"),
 	wire.Bind(new(Interface), new(*CertPool)),
 )
 
-type FactoryInterface interface {
-	New() Interface
-}
-
-type Factory struct{}
+type NewFunc func() Interface
 
 // New returns an instance which implements the Interface.
-func (f *Factory) New() Interface {
+func New() Interface {
 	return &CertPool{pool: x509.NewCertPool()}
 }
 

pkg/adaptors/certpool/cert_test.go

@@ -8,8 +8,7 @@ import (
 
 func TestCertPool_AddFile(t *testing.T) {
 	t.Run("Valid", func(t *testing.T) {
-		var f Factory
-		p := f.New()
+		p := New()
 		if err := p.AddFile("testdata/ca1.crt"); err != nil {
 			t.Errorf("AddFile error: %s", err)
 		}
@@ -20,8 +19,7 @@ func TestCertPool_AddFile(t *testing.T) {
 		}
 	})
 	t.Run("Invalid", func(t *testing.T) {
-		var f Factory
-		p := f.New()
+		p := New()
 		err := p.AddFile("testdata/Makefile")
 		if err == nil {
 			t.Errorf("AddFile wants an error but was nil")
@@ -30,8 +28,7 @@ func TestCertPool_AddFile(t *testing.T) {
 }
 
 func TestCertPool_AddBase64Encoded(t *testing.T) {
-	var f Factory
-	p := f.New()
+	p := New()
 	if err := p.AddBase64Encoded(readFile(t, "testdata/ca2.crt.base64")); err != nil {
 		t.Errorf("AddBase64Encoded error: %s", err)
 	}
@@ -43,8 +40,7 @@ func TestCertPool_AddBase64Encoded(t *testing.T) {
 }
 
 func TestCertPool_SetRootCAs(t *testing.T) {
-	var f Factory
-	p := f.New()
+	p := New()
 	var cfg tls.Config
 	p.SetRootCAs(&cfg)
 	if cfg.RootCAs != nil {

pkg/adaptors/certpool/mock_certpool/mock_certpool.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: FactoryInterface,Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: Interface)
 
 // Package mock_certpool is a generated GoMock package.
 package mock_certpool
@@ -7,47 +7,9 @@ package mock_certpool
 import (
 	tls "crypto/tls"
 	gomock "github.com/golang/mock/gomock"
-	certpool "github.com/int128/kubelogin/pkg/adaptors/certpool"
 	reflect "reflect"
 )
 
-// MockFactoryInterface is a mock of FactoryInterface interface
-type MockFactoryInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockFactoryInterfaceMockRecorder
-}
-
-// MockFactoryInterfaceMockRecorder is the mock recorder for MockFactoryInterface
-type MockFactoryInterfaceMockRecorder struct {
-	mock *MockFactoryInterface
-}
-
-// NewMockFactoryInterface creates a new mock instance
-func NewMockFactoryInterface(ctrl *gomock.Controller) *MockFactoryInterface {
-	mock := &MockFactoryInterface{ctrl: ctrl}
-	mock.recorder = &MockFactoryInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockFactoryInterface) EXPECT() *MockFactoryInterfaceMockRecorder {
-	return m.recorder
-}
-
-// New mocks base method
-func (m *MockFactoryInterface) New() certpool.Interface {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "New")
-	ret0, _ := ret[0].(certpool.Interface)
-	return ret0
-}
-
-// New indicates an expected call of New
-func (mr *MockFactoryInterfaceMockRecorder) New() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockFactoryInterface)(nil).New))
-}
-
 // MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller

pkg/adaptors/clock/clock.go

@@ -0,0 +1,24 @@
+// Package clock provides the system clock.
+package clock
+
+import (
+	"time"
+
+	"github.com/google/wire"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Clock), "*"),
+	wire.Bind(new(Interface), new(*Clock)),
+)
+
+type Interface interface {
+	Now() time.Time
+}
+
+type Clock struct{}
+
+// Now returns the current time.
+func (c *Clock) Now() time.Time {
+	return time.Now()
+}

pkg/adaptors/cmd/cmd.go

@@ -2,8 +2,7 @@ package cmd
 
 import (
 	"context"
-	"fmt"
-	"path/filepath"
+	"runtime"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
@@ -24,16 +23,9 @@ type Interface interface {
 	Run(ctx context.Context, args []string, version string) int
 }
 
-var defaultListenPort = []int{8000, 18000}
+var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
 var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
 
-func translateListenPortToBindAddress(ports []int) (address []string) {
-	for _, p := range ports {
-		address = append(address, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return
-}
-
 // Cmd provides interaction with command line interface (CLI).
 type Cmd struct {
 	Root     *Root
@@ -45,17 +37,15 @@ type Cmd struct {
 // Run parses the command line arguments and executes the specified use-case.
 // It returns an exit code, that is 0 on success or 1 on error.
 func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
-	executable := filepath.Base(args[0])
-
-	rootCmd := cmd.Root.New(ctx, executable)
+	rootCmd := cmd.Root.New()
 	rootCmd.Version = version
 	rootCmd.SilenceUsage = true
 	rootCmd.SilenceErrors = true
 
-	getTokenCmd := cmd.GetToken.New(ctx)
+	getTokenCmd := cmd.GetToken.New()
 	rootCmd.AddCommand(getTokenCmd)
 
-	setupCmd := cmd.Setup.New(ctx)
+	setupCmd := cmd.Setup.New()
 	rootCmd.AddCommand(setupCmd)
 
 	versionCmd := &cobra.Command{
@@ -63,13 +53,13 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
 		Short: "Print the version information",
 		Args:  cobra.NoArgs,
 		Run: func(*cobra.Command, []string) {
-			cmd.Logger.Printf("%s version %s", executable, version)
+			cmd.Logger.Printf("kubelogin version %s (%s %s_%s)", version, runtime.Version(), runtime.GOOS, runtime.GOARCH)
 		},
 	}
 	rootCmd.AddCommand(versionCmd)
 
 	rootCmd.SetArgs(args[1:])
-	if err := rootCmd.Execute(); err != nil {
+	if err := rootCmd.ExecuteContext(ctx); err != nil {
 		cmd.Logger.Printf("error: %s", err)
 		cmd.Logger.V(1).Infof("stacktrace: %+v", err)
 		return 1

pkg/adaptors/cmd/cmd_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
@@ -27,7 +27,40 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							BindAddress:         defaultListenAddress,
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"when --listen-port is set, it should convert the port to address": {
+				args: []string{
+					executable,
+					"--listen-port", "10080",
+					"--listen-port", "20080",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							RedirectURLHostname: "localhost",
+						},
+					},
+				},
+			},
+			"when --listen-port is set, it should ignore --listen-address flags": {
+				args: []string{
+					executable,
+					"--listen-port", "10080",
+					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:30080",
+					"--listen-address", "127.0.0.1:40080",
+				},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -41,8 +74,8 @@ func TestCmd_Run(t *testing.T) {
 					"--insecure-skip-tls-verify",
 					"-v1",
 					"--grant-type", "authcode",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
 					"--username", "USER",
 					"--password", "PASS",
@@ -55,8 +88,9 @@ func TestCmd_Run(t *testing.T) {
 					SkipTLSVerify:      true,
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:     []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser: true,
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:     true,
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -74,8 +108,8 @@ func TestCmd_Run(t *testing.T) {
 			"GrantType=password": {
 				args: []string{executable,
 					"--grant-type", "password",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -90,8 +124,8 @@ func TestCmd_Run(t *testing.T) {
 			},
 			"GrantType=auto": {
 				args: []string{executable,
-					"--listen-port", "10080",
-					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -116,9 +150,9 @@ func TestCmd_Run(t *testing.T) {
 				cmd := Cmd{
 					Root: &Root{
 						Standalone: mockStandalone,
-						Logger:     mock_logger.New(t),
+						Logger:     logger.New(t),
 					},
-					Logger: mock_logger.New(t),
+					Logger: logger.New(t),
 				}
 				exitCode := cmd.Run(ctx, c.args, version)
 				if exitCode != 0 {
@@ -133,9 +167,9 @@ func TestCmd_Run(t *testing.T) {
 			cmd := Cmd{
 				Root: &Root{
 					Standalone: mock_standalone.NewMockInterface(ctrl),
-					Logger:     mock_logger.New(t),
+					Logger:     logger.New(t),
 				},
-				Logger: mock_logger.New(t),
+				Logger: logger.New(t),
 			}
 			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
 			if exitCode != 1 {
@@ -161,7 +195,8 @@ func TestCmd_Run(t *testing.T) {
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -175,12 +210,15 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-extra-scope", "email",
 					"--oidc-extra-scope", "profile",
 					"--certificate-authority", "/path/to/cacert",
+					"--certificate-authority-data", "BASE64ENCODED",
 					"--insecure-skip-tls-verify",
 					"-v1",
 					"--grant-type", "authcode",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--oidc-auth-request-extra-params", "ttl=86400",
+					"--oidc-auth-request-extra-params", "reauth=true",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -191,11 +229,14 @@ func TestCmd_Run(t *testing.T) {
 					ClientSecret:   "YOUR_CLIENT_SECRET",
 					ExtraScopes:    []string{"email", "profile"},
 					CACertFilename: "/path/to/cacert",
+					CACertData:     "BASE64ENCODED",
 					SkipTLSVerify:  true,
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:     []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser: true,
+							BindAddress:            []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:        true,
+							RedirectURLHostname:    "localhost",
+							AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 						},
 					},
 				},
@@ -206,13 +247,16 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-issuer-url", "https://issuer.example.com",
 					"--oidc-client-id", "YOUR_CLIENT_ID",
 					"--grant-type", "authcode-keyboard",
+					"--oidc-auth-request-extra-params", "ttl=86400",
 				},
 				in: credentialplugin.Input{
 					TokenCacheDir: defaultTokenCacheDir,
 					IssuerURL:     "https://issuer.example.com",
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
+						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{
+							AuthRequestExtraParams: map[string]string{"ttl": "86400"},
+						},
 					},
 				},
 			},
@@ -222,8 +266,8 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-issuer-url", "https://issuer.example.com",
 					"--oidc-client-id", "YOUR_CLIENT_ID",
 					"--grant-type", "password",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -244,8 +288,8 @@ func TestCmd_Run(t *testing.T) {
 					"get-token",
 					"--oidc-issuer-url", "https://issuer.example.com",
 					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
+					"--listen-address", "127.0.0.1:10080",
+					"--listen-address", "127.0.0.1:20080",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -272,13 +316,13 @@ func TestCmd_Run(t *testing.T) {
 					Do(ctx, c.in)
 				cmd := Cmd{
 					Root: &Root{
-						Logger: mock_logger.New(t),
+						Logger: logger.New(t),
 					},
 					GetToken: &GetToken{
 						GetToken: getToken,
-						Logger:   mock_logger.New(t),
+						Logger:   logger.New(t),
 					},
-					Logger: mock_logger.New(t),
+					Logger: logger.New(t),
 				}
 				exitCode := cmd.Run(ctx, c.args, version)
 				if exitCode != 0 {
@@ -293,13 +337,13 @@ func TestCmd_Run(t *testing.T) {
 			ctx := context.TODO()
 			cmd := Cmd{
 				Root: &Root{
-					Logger: mock_logger.New(t),
+					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
 					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   mock_logger.New(t),
+					Logger:   logger.New(t),
 				},
-				Logger: mock_logger.New(t),
+				Logger: logger.New(t),
 			}
 			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
 			if exitCode != 1 {
@@ -313,13 +357,13 @@ func TestCmd_Run(t *testing.T) {
 			ctx := context.TODO()
 			cmd := Cmd{
 				Root: &Root{
-					Logger: mock_logger.New(t),
+					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
 					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   mock_logger.New(t),
+					Logger:   logger.New(t),
 				},
-				Logger: mock_logger.New(t),
+				Logger: logger.New(t),
 			}
 			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
 			if exitCode != 1 {

pkg/adaptors/cmd/get_token.go

@@ -1,8 +1,6 @@
 package cmd
 
 import (
-	"context"
-
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/spf13/cobra"
@@ -16,7 +14,8 @@ type getTokenOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	CertificateAuthority  string
+	CACertFilename        string
+	CACertData            string
 	SkipTLSVerify         bool
 	TokenCacheDir         string
 	authenticationOptions authenticationOptions
@@ -28,7 +27,8 @@ func (o *getTokenOptions) register(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
 	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
 	o.authenticationOptions.register(f)
@@ -39,7 +39,7 @@ type GetToken struct {
 	Logger   logger.Interface
 }
 
-func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
+func (cmd *GetToken) New() *cobra.Command {
 	var o getTokenOptions
 	c := &cobra.Command{
 		Use:   "get-token [flags]",
@@ -56,23 +56,24 @@ func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
 			}
 			return nil
 		},
-		RunE: func(*cobra.Command, []string) error {
+		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("error: %w", err)
+				return xerrors.Errorf("get-token: %w", err)
 			}
 			in := credentialplugin.Input{
 				IssuerURL:      o.IssuerURL,
 				ClientID:       o.ClientID,
 				ClientSecret:   o.ClientSecret,
 				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.CertificateAuthority,
+				CACertFilename: o.CACertFilename,
+				CACertData:     o.CACertData,
 				SkipTLSVerify:  o.SkipTLSVerify,
 				TokenCacheDir:  o.TokenCacheDir,
 				GrantOptionSet: grantOptionSet,
 			}
-			if err := cmd.GetToken.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
+				return xerrors.Errorf("get-token: %w", err)
 			}
 			return nil
 		},

pkg/adaptors/cmd/root.go

@@ -1,7 +1,6 @@
 package cmd
 
 import (
-	"context"
 	"fmt"
 	"strings"
 
@@ -45,11 +44,29 @@ func (o *rootOptions) register(f *pflag.FlagSet) {
 }
 
 type authenticationOptions struct {
-	GrantType       string
-	ListenPort      []int
-	SkipOpenBrowser bool
-	Username        string
-	Password        string
+	GrantType              string
+	ListenAddress          []string
+	ListenPort             []int // deprecated
+	SkipOpenBrowser        bool
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
+	Username               string
+	Password               string
+}
+
+// determineListenAddress returns the addresses from the flags.
+// Note that --listen-address is always given due to the default value.
+// If --listen-port is not set, it returns --listen-address.
+// If --listen-port is set, it returns the strings of --listen-port.
+func (o *authenticationOptions) determineListenAddress() []string {
+	if len(o.ListenPort) == 0 {
+		return o.ListenAddress
+	}
+	var a []string
+	for _, p := range o.ListenPort {
+		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
+	}
+	return a
 }
 
 var allGrantType = strings.Join([]string{
@@ -61,8 +78,12 @@ var allGrantType = strings.Join([]string{
 
 func (o *authenticationOptions) register(f *pflag.FlagSet) {
 	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("The authorization grant type to use. One of (%s)", allGrantType))
-	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
+	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "Address to bind to the local server. If multiple addresses are given, it will try binding in order")
+	//TODO: remove the deprecated flag
+	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "(Deprecated: use --listen-address)")
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "Hostname of the redirect URL")
+	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
 	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
 }
@@ -71,11 +92,15 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeOption = &authentication.AuthCodeOption{
-			BindAddress:     translateListenPortToBindAddress(o.ListenPort),
-			SkipOpenBrowser: o.SkipOpenBrowser,
+			BindAddress:            o.determineListenAddress(),
+			SkipOpenBrowser:        o.SkipOpenBrowser,
+			RedirectURLHostname:    o.RedirectURLHostname,
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
 		}
 	case o.GrantType == "authcode-keyboard":
-		s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{}
+		s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+		}
 	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
 		s.ROPCOption = &authentication.ROPCOption{
 			Username: o.Username,
@@ -92,14 +117,14 @@ type Root struct {
 	Logger     logger.Interface
 }
 
-func (cmd *Root) New(ctx context.Context, executable string) *cobra.Command {
+func (cmd *Root) New() *cobra.Command {
 	var o rootOptions
 	rootCmd := &cobra.Command{
-		Use:   executable,
+		Use:   "kubelogin",
 		Short: "Login to the OpenID Connect provider",
 		Long:  longDescription,
 		Args:  cobra.NoArgs,
-		RunE: func(*cobra.Command, []string) error {
+		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
 				return xerrors.Errorf("invalid option: %w", err)
@@ -112,8 +137,8 @@ func (cmd *Root) New(ctx context.Context, executable string) *cobra.Command {
 				SkipTLSVerify:      o.SkipTLSVerify,
 				GrantOptionSet:     grantOptionSet,
 			}
-			if err := cmd.Standalone.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
+				return xerrors.Errorf("login: %w", err)
 			}
 			return nil
 		},

pkg/adaptors/cmd/setup.go

@@ -1,8 +1,6 @@
 package cmd
 
 import (
-	"context"
-
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -15,7 +13,8 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	CertificateAuthority  string
+	CACertFilename        string
+	CACertData            string
 	SkipTLSVerify         bool
 	authenticationOptions authenticationOptions
 }
@@ -26,7 +25,8 @@ func (o *setupOptions) register(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
 	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
 	o.authenticationOptions.register(f)
 }
@@ -35,7 +35,7 @@ type Setup struct {
 	Setup setup.Interface
 }
 
-func (cmd *Setup) New(ctx context.Context) *cobra.Command {
+func (cmd *Setup) New() *cobra.Command {
 	var o setupOptions
 	c := &cobra.Command{
 		Use:   "setup",
@@ -44,26 +44,27 @@ func (cmd *Setup) New(ctx context.Context) *cobra.Command {
 		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("error: %w", err)
+				return xerrors.Errorf("setup: %w", err)
 			}
 			in := setup.Stage2Input{
 				IssuerURL:      o.IssuerURL,
 				ClientID:       o.ClientID,
 				ClientSecret:   o.ClientSecret,
 				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.CertificateAuthority,
+				CACertFilename: o.CACertFilename,
+				CACertData:     o.CACertData,
 				SkipTLSVerify:  o.SkipTLSVerify,
 				GrantOptionSet: grantOptionSet,
 			}
-			if c.Flags().Lookup("listen-port").Changed {
-				in.ListenPortArgs = o.authenticationOptions.ListenPort
+			if c.Flags().Lookup("listen-address").Changed {
+				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
 			}
 			if in.IssuerURL == "" || in.ClientID == "" {
 				cmd.Setup.DoStage1()
 				return nil
 			}
-			if err := cmd.Setup.DoStage2(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
+				return xerrors.Errorf("setup: %w", err)
 			}
 			return nil
 		},

pkg/adaptors/credentialpluginwriter/credential_plugin.go

@@ -1,5 +1,5 @@
-// Package credentialplugin provides interaction with kubectl for a credential plugin.
-package credentialplugin
+// Package credentialpluginwriter provides a writer for a credential plugin.
+package credentialpluginwriter
 
 import (
 	"encoding/json"
@@ -12,11 +12,11 @@ import (
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )
 
-//go:generate mockgen -destination mock_credentialplugin/mock_credentialplugin.go github.com/int128/kubelogin/pkg/adaptors/credentialplugin Interface
+//go:generate mockgen -destination mock_credentialpluginwriter/mock_credentialpluginwriter.go github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter Interface
 
 var Set = wire.NewSet(
-	wire.Struct(new(Interaction), "*"),
-	wire.Bind(new(Interface), new(*Interaction)),
+	wire.Struct(new(Writer), "*"),
+	wire.Bind(new(Interface), new(*Writer)),
 )
 
 type Interface interface {
@@ -29,10 +29,10 @@ type Output struct {
 	Expiry time.Time
 }
 
-type Interaction struct{}
+type Writer struct{}
 
 // Write writes the ExecCredential to standard output for kubectl.
-func (*Interaction) Write(out Output) error {
+func (*Writer) Write(out Output) error {
 	ec := &v1beta1.ExecCredential{
 		TypeMeta: v1.TypeMeta{
 			APIVersion: "client.authentication.k8s.io/v1beta1",

pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go

@@ -1,12 +1,12 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/credentialplugin (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter (interfaces: Interface)
 
-// Package mock_credentialplugin is a generated GoMock package.
-package mock_credentialplugin
+// Package mock_credentialpluginwriter is a generated GoMock package.
+package mock_credentialpluginwriter
 
 import (
 	gomock "github.com/golang/mock/gomock"
-	credentialplugin "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	credentialpluginwriter "github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
 	reflect "reflect"
 )
 
@@ -34,7 +34,7 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 }
 
 // Write mocks base method
-func (m *MockInterface) Write(arg0 credentialplugin.Output) error {
+func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Write", arg0)
 	ret0, _ := ret[0].(error)

pkg/adaptors/env/env.go

@@ -1,76 +0,0 @@
-// Package env provides environment dependent facilities.
-package env
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"strings"
-	"syscall"
-
-	"github.com/google/wire"
-	"github.com/pkg/browser"
-	"golang.org/x/crypto/ssh/terminal"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_env/mock_env.go github.com/int128/kubelogin/pkg/adaptors/env Interface
-
-func init() {
-	// In credential plugin mode, some browser launcher writes a message to stdout
-	// and it may break the credential json for client-go.
-	// This prevents the browser launcher from breaking the credential json.
-	browser.Stdout = os.Stderr
-}
-
-// Set provides an implementation and interface for Env.
-var Set = wire.NewSet(
-	wire.Struct(new(Env), "*"),
-	wire.Bind(new(Interface), new(*Env)),
-)
-
-type Interface interface {
-	ReadString(prompt string) (string, error)
-	ReadPassword(prompt string) (string, error)
-	OpenBrowser(url string) error
-}
-
-// Env provides environment specific facilities.
-type Env struct{}
-
-// ReadString reads a string from the stdin.
-func (*Env) ReadString(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	r := bufio.NewReader(os.Stdin)
-	s, err := r.ReadString('\n')
-	if err != nil {
-		return "", xerrors.Errorf("could not read from stdin: %w", err)
-	}
-	s = strings.TrimRight(s, "\r\n")
-	return s, nil
-}
-
-// ReadPassword reads a password from the stdin without echo back.
-func (*Env) ReadPassword(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	b, err := terminal.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return "", xerrors.Errorf("could not read from stdin: %w", err)
-	}
-	if _, err := fmt.Fprintln(os.Stderr); err != nil {
-		return "", xerrors.Errorf("could not write a new line: %w", err)
-	}
-	return string(b), nil
-}
-
-// OpenBrowser opens the default browser.
-func (env *Env) OpenBrowser(url string) error {
-	if err := browser.OpenURL(url); err != nil {
-		return xerrors.Errorf("could not open the browser: %w", err)
-	}
-	return nil
-}

pkg/adaptors/jwtdecoder/decoder.go

@@ -1,74 +0,0 @@
-// Package jwtdecoder provides decoding a JWT.
-package jwtdecoder
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_jwtdecoder/mock_jwtdecoder.go github.com/int128/kubelogin/pkg/adaptors/jwtdecoder Interface
-
-// Set provides an implementation and interface.
-var Set = wire.NewSet(
-	wire.Struct(new(Decoder), "*"),
-	wire.Bind(new(Interface), new(*Decoder)),
-)
-
-type Interface interface {
-	Decode(s string) (*Claims, error)
-}
-
-// Claims represents claims of a token.
-type Claims struct {
-	Subject string
-	Expiry  time.Time
-	Pretty  map[string]string // string representation for debug and logging
-}
-
-type Decoder struct{}
-
-// Decode returns the claims of the JWT.
-// Note that this method does not verify the signature and always trust it.
-func (d *Decoder) Decode(s string) (*Claims, error) {
-	parts := strings.Split(s, ".")
-	if len(parts) != 3 {
-		return nil, xerrors.Errorf("token contains an invalid number of segments")
-	}
-	b, err := jwt.DecodeSegment(parts[1])
-	if err != nil {
-		return nil, xerrors.Errorf("could not decode the token: %w", err)
-	}
-	var claims jwt.StandardClaims
-	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&claims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
-	}
-	var rawClaims map[string]interface{}
-	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&rawClaims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
-	}
-	return &Claims{
-		Subject: claims.Subject,
-		Expiry:  time.Unix(claims.ExpiresAt, 0),
-		Pretty:  dumpRawClaims(rawClaims),
-	}, nil
-}
-
-func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v := v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%.f", v)
-		default:
-			claims[k] = fmt.Sprintf("%v", v)
-		}
-	}
-	return claims
-}

pkg/adaptors/jwtdecoder/decoder_test.go

@@ -1,87 +0,0 @@
-package jwtdecoder
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-)
-
-func TestDecoder_Decode(t *testing.T) {
-	var decoder Decoder
-
-	t.Run("ValidToken", func(t *testing.T) {
-		expiry := time.Now().Round(time.Second)
-		idToken := newIDToken(t, "https://issuer.example.com", expiry)
-		decodedToken, err := decoder.Decode(idToken)
-		if err != nil {
-			t.Fatalf("Decode error: %s", err)
-		}
-		if decodedToken.Expiry != expiry {
-			t.Errorf("Expiry wants %s but %s", expiry, decodedToken.Expiry)
-		}
-		t.Logf("Pretty=%+v", decodedToken.Pretty)
-	})
-	t.Run("InvalidToken", func(t *testing.T) {
-		decodedToken, err := decoder.Decode("HEADER.INVALID_TOKEN.SIGNATURE")
-		if err == nil {
-			t.Errorf("error wants non-nil but nil")
-		} else {
-			t.Logf("expected error: %+v", err)
-		}
-		if decodedToken != nil {
-			t.Errorf("decodedToken wants nil but %+v", decodedToken)
-		}
-	})
-}
-
-func newIDToken(t *testing.T, issuer string, expiry time.Time) string {
-	t.Helper()
-	claims := struct {
-		jwt.StandardClaims
-		Nonce         string   `json:"nonce"`
-		Groups        []string `json:"groups"`
-		EmailVerified bool     `json:"email_verified"`
-	}{
-		StandardClaims: jwt.StandardClaims{
-			Issuer:    issuer,
-			Audience:  "kubernetes",
-			Subject:   "SUBJECT",
-			IssuedAt:  time.Now().Unix(),
-			ExpiresAt: expiry.Unix(),
-		},
-		Nonce:         "NONCE",
-		Groups:        []string{"admin", "users"},
-		EmailVerified: false,
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(readPrivateKey(t, "testdata/jws.key"))
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func readPrivateKey(t *testing.T, name string) *rsa.PrivateKey {
-	t.Helper()
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		t.Fatalf("could not read the file: %s", err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		t.Fatalf("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		t.Fatalf("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		t.Fatalf("could not parse the key: %s", err)
-	}
-	return k
-}

pkg/adaptors/jwtdecoder/testdata/Makefile

@@ -1,8 +0,0 @@
-all: jws.key
-
-jws.key:
-	openssl genrsa -out $@ 1024
-
-.PHONY: clean
-clean:
-	-rm -v jws.key

pkg/adaptors/jwtdecoder/testdata/jws.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCrH34yA/f/sBOUlkYnRtd2jgDZ3WivhidqvoQaa73xqTazbkn6
-GZ9r7jx0CGLRV2bmErj2WoyT54yrhezrKh0YXAHlrwLdsmV4dwiV0lOfUJd9P/vF
-e2hiAWv4CcO9ZuNkTsrxM5W8Wdj2tjqOvsIn4We+HWPkpknT7VtT5RrumwIDAQAB
-AoGAFqy5oA7+kZbXQV0YNqQgcMkoO7Ym5Ps1xeMwxf94z8jIQsZebxFuGnMa95UU
-4wBd1ias85fUANUxwpigaBjQee5Hk+dnfUe1snUWYNm9H6tKrXEF8ajer3a2knEv
-GfK0CSEumFougfW2xG88ChGTS60wc+MIRfXERCvWpGm/5EECQQDdv5IBSi89g/R1
-5AGZKFCoqr6Zw5bWEKPzCCYJZzncR1ER9vP2AnMExM8Io/87WYvmpZIUrXJvQYm8
-hkfVOcBZAkEAxY4VcqmRWru3zmnbj21MwcwtgESaONkWsHeYs1C/Y/3zt7TuelYz
-ZJ9aUuUsaiJLEs9Y26nMt0L0snWGr2noEwJBANaDp1PWFyMUTt3pB17JcFXqb15C
-pt1I1cGapWk9Uez1lMijNNhNAEWhuoKqW5Nnif5DN7EHJYfZR8x3vm/YYWkCQHAA
-0iAkCwjKDLe2RIjYiwAE5ncmbdl1GuwJokVnrlrei+LHbb1mSdTuk6MT006JCs8r
-R1GivzHXgCv9fdLN1IkCQHxRvv9RPND80eEkdMv4qu0s22OLRhLQ/pb+YeT5Cjjv
-pJYWKrvXdRZcuNde9JiiTgK2UW1wM8KeD/EGvK2yF6M=
------END RSA PRIVATE KEY-----

pkg/adaptors/kubeconfig/load.go

@@ -11,7 +11,7 @@ import (
 func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error) {
 	config, err := loadByDefaultRules(explicitFilename)
 	if err != nil {
-		return nil, xerrors.Errorf("could not load kubeconfig: %w", err)
+		return nil, xerrors.Errorf("could not load the kubeconfig: %w", err)
 	}
 	auth, err := findCurrentAuthProvider(config, contextName, userName)
 	if err != nil {
@@ -25,7 +25,7 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
 	rules.ExplicitPath = explicitFilename
 	config, err := rules.Load()
 	if err != nil {
-		return nil, xerrors.Errorf("error while loading config: %w", err)
+		return nil, xerrors.Errorf("load error: %w", err)
 	}
 	return config, err
 }

pkg/adaptors/kubeconfig/load_test.go

@@ -4,7 +4,7 @@ import (
 	"os"
 	"testing"
 
-	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
 	"k8s.io/client-go/tools/clientcmd/api"
 )
 
@@ -76,7 +76,7 @@ func unsetenv(t *testing.T, key string) {
 
 func Test_findCurrentAuthProvider(t *testing.T) {
 	t.Run("CurrentContext", func(t *testing.T) {
-		auth, err := findCurrentAuthProvider(&api.Config{
+		got, err := findCurrentAuthProvider(&api.Config{
 			CurrentContext: "theContext",
 			Contexts: map[string]*api.Context{
 				"theContext": {
@@ -118,13 +118,13 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 			IDToken:                     "YOUR_ID_TOKEN",
 			RefreshToken:                "YOUR_REFRESH_TOKEN",
 		}
-		if diff := deep.Equal(want, auth); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
 	t.Run("ByContextName", func(t *testing.T) {
-		auth, err := findCurrentAuthProvider(&api.Config{
+		got, err := findCurrentAuthProvider(&api.Config{
 			Contexts: map[string]*api.Context{
 				"theContext": {
 					AuthInfo: "theUser",
@@ -151,13 +151,13 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 			ContextName:      "theContext",
 			IDPIssuerURL:     "https://accounts.google.com",
 		}
-		if diff := deep.Equal(want, auth); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
 	t.Run("ByUserName", func(t *testing.T) {
-		auth, err := findCurrentAuthProvider(&api.Config{
+		got, err := findCurrentAuthProvider(&api.Config{
 			AuthInfos: map[string]*api.AuthInfo{
 				"theUser": {
 					LocationOfOrigin: "/path/to/kubeconfig",
@@ -178,8 +178,8 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 			UserName:         "theUser",
 			IDPIssuerURL:     "https://accounts.google.com",
 		}
-		if diff := deep.Equal(want, auth); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 

pkg/adaptors/kubeconfig/write_test.go

@@ -4,6 +4,8 @@ import (
 	"io/ioutil"
 	"os"
 	"testing"
+
+	"github.com/google/go-cmp/cmp"
 )
 
 func TestKubeconfig_UpdateAuth(t *testing.T) {
@@ -32,9 +34,10 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}
 
+		got := string(b)
 		want := `apiVersion: v1
-clusters: []
-contexts: []
+clusters: null
+contexts: null
 current-context: ""
 kind: Config
 preferences: {}
@@ -50,8 +53,8 @@ users:
         refresh-token: YOUR_REFRESH_TOKEN
       name: oidc
 `
-		if want != string(b) {
-			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -81,9 +84,10 @@ users:
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}
 
+		got := string(b)
 		want := `apiVersion: v1
-clusters: []
-contexts: []
+clusters: null
+contexts: null
 current-context: ""
 kind: Config
 preferences: {}
@@ -102,8 +106,8 @@ users:
         refresh-token: YOUR_REFRESH_TOKEN
       name: oidc
 `
-		if want != string(b) {
-			t.Errorf("---- kubeconfig wants ----\n%s\n---- but ----\n%s", want, string(b))
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
 		}
 	})
 }

pkg/adaptors/oidcclient/factory.go

@@ -14,9 +14,7 @@ import (
 	"golang.org/x/xerrors"
 )
 
-type FactoryInterface interface {
-	New(ctx context.Context, config Config) (Interface, error)
-}
+type NewFunc func(ctx context.Context, config Config) (Interface, error)
 
 // Config represents a configuration of OpenID Connect client.
 type Config struct {
@@ -26,14 +24,11 @@ type Config struct {
 	ExtraScopes   []string // optional
 	CertPool      certpool.Interface
 	SkipTLSVerify bool
-}
-
-type Factory struct {
-	Logger logger.Interface
+	Logger        logger.Interface
 }
 
 // New returns an instance of adaptors.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
+func New(ctx context.Context, config Config) (Interface, error) {
 	var tlsConfig tls.Config
 	tlsConfig.InsecureSkipVerify = config.SkipTLSVerify
 	config.CertPool.SetRootCAs(&tlsConfig)
@@ -43,7 +38,7 @@ func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
 	}
 	loggingTransport := &logging.Transport{
 		Base:   baseTransport,
-		Logger: f.Logger,
+		Logger: config.Logger,
 	}
 	httpClient := &http.Client{
 		Transport: loggingTransport,
@@ -52,7 +47,7 @@ func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	provider, err := oidc.NewProvider(ctx, config.IssuerURL)
 	if err != nil {
-		return nil, xerrors.Errorf("could not discovery the OIDCClientFactory issuer: %w", err)
+		return nil, xerrors.Errorf("oidc discovery error: %w", err)
 	}
 	return &client{
 		httpClient: httpClient,
@@ -63,6 +58,6 @@ func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
 			ClientSecret: config.ClientSecret,
 			Scopes:       append(config.ExtraScopes, oidc.ScopeOpenID),
 		},
-		logger: f.Logger,
+		logger: config.Logger,
 	}, nil
 }

pkg/adaptors/oidcclient/logging/transport_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 )
 
 type mockTransport struct {
@@ -37,7 +37,7 @@ dummy`)), req)
 
 	transport := &Transport{
 		Base:   &mockTransport{resp: resp},
-		Logger: mock_logger.New(t),
+		Logger: logger.New(t),
 	}
 	gotResp, err := transport.RoundTrip(req)
 	if err != nil {

pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/oidcclient (interfaces: FactoryInterface,Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/oidcclient (interfaces: Interface)
 
 // Package mock_oidcclient is a generated GoMock package.
 package mock_oidcclient
@@ -11,44 +11,6 @@ import (
 	reflect "reflect"
 )
 
-// MockFactoryInterface is a mock of FactoryInterface interface
-type MockFactoryInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockFactoryInterfaceMockRecorder
-}
-
-// MockFactoryInterfaceMockRecorder is the mock recorder for MockFactoryInterface
-type MockFactoryInterfaceMockRecorder struct {
-	mock *MockFactoryInterface
-}
-
-// NewMockFactoryInterface creates a new mock instance
-func NewMockFactoryInterface(ctrl *gomock.Controller) *MockFactoryInterface {
-	mock := &MockFactoryInterface{ctrl: ctrl}
-	mock.recorder = &MockFactoryInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockFactoryInterface) EXPECT() *MockFactoryInterfaceMockRecorder {
-	return m.recorder
-}
-
-// New mocks base method
-func (m *MockFactoryInterface) New(arg0 context.Context, arg1 oidcclient.Config) (oidcclient.Interface, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "New", arg0, arg1)
-	ret0, _ := ret[0].(oidcclient.Interface)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// New indicates an expected call of New
-func (mr *MockFactoryInterfaceMockRecorder) New(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockFactoryInterface)(nil).New), arg0, arg1)
-}
-
 // MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller

pkg/adaptors/oidcclient/oidcclient.go

@@ -2,24 +2,22 @@ package oidcclient
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"time"
 
 	"github.com/coreos/go-oidc"
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/oauth2cli"
 	"golang.org/x/oauth2"
 	"golang.org/x/xerrors"
 )
 
-//go:generate mockgen -destination mock_oidcclient/mock_oidcclient.go github.com/int128/kubelogin/pkg/adaptors/oidcclient FactoryInterface,Interface
+//go:generate mockgen -destination mock_oidcclient/mock_oidcclient.go github.com/int128/kubelogin/pkg/adaptors/oidcclient Interface
 
-// Set provides an implementation and interface for OIDC.
 var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
+	wire.Value(NewFunc(New)),
 )
 
 type Interface interface {
@@ -31,11 +29,12 @@ type Interface interface {
 }
 
 type AuthCodeURLInput struct {
-	State               string
-	Nonce               string
-	CodeChallenge       string
-	CodeChallengeMethod string
-	RedirectURI         string
+	State                  string
+	Nonce                  string
+	CodeChallenge          string
+	CodeChallengeMethod    string
+	RedirectURI            string
+	AuthRequestExtraParams map[string]string
 }
 
 type ExchangeAuthCodeInput struct {
@@ -46,21 +45,22 @@ type ExchangeAuthCodeInput struct {
 }
 
 type GetTokenByAuthCodeInput struct {
-	BindAddress         []string
-	Nonce               string
-	CodeChallenge       string
-	CodeChallengeMethod string
-	CodeVerifier        string
+	BindAddress            []string
+	State                  string
+	Nonce                  string
+	CodeChallenge          string
+	CodeChallengeMethod    string
+	CodeVerifier           string
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
 }
 
 // TokenSet represents an output DTO of
 // Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
 type TokenSet struct {
-	IDToken        string
-	RefreshToken   string
-	IDTokenSubject string
-	IDTokenExpiry  time.Time
-	IDTokenClaims  map[string]string // string representation of claims for logging
+	IDToken       string
+	RefreshToken  string
+	IDTokenClaims jwt.Claims
 }
 
 type client struct {
@@ -82,6 +82,7 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 	ctx = c.wrapContext(ctx)
 	config := oauth2cli.Config{
 		OAuth2Config: c.oauth2Config,
+		State:        in.State,
 		AuthCodeOptions: []oauth2.AuthCodeOption{
 			oauth2.AccessTypeOffline,
 			oidc.Nonce(in.Nonce),
@@ -93,10 +94,15 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		},
 		LocalServerBindAddress: in.BindAddress,
 		LocalServerReadyChan:   localServerReadyChan,
+		RedirectURLHostname:    in.RedirectURLHostname,
 	}
+	for key, value := range in.AuthRequestExtraParams {
+		config.AuthCodeOptions = append(config.AuthCodeOptions, oauth2.SetAuthURLParam(key, value))
+	}
+
 	token, err := oauth2cli.GetToken(ctx, config)
 	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
+		return nil, xerrors.Errorf("oauth2 error: %w", err)
 	}
 	return c.verifyToken(ctx, token, in.Nonce)
 }
@@ -105,12 +111,16 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
 	cfg := c.oauth2Config
 	cfg.RedirectURL = in.RedirectURI
-	return cfg.AuthCodeURL(in.State,
+	opts := []oauth2.AuthCodeOption{
 		oauth2.AccessTypeOffline,
 		oidc.Nonce(in.Nonce),
 		oauth2.SetAuthURLParam("code_challenge", in.CodeChallenge),
 		oauth2.SetAuthURLParam("code_challenge_method", in.CodeChallengeMethod),
-	)
+	}
+	for key, value := range in.AuthRequestExtraParams {
+		opts = append(opts, oauth2.SetAuthURLParam(key, value))
+	}
+	return cfg.AuthCodeURL(in.State, opts...)
 }
 
 // ExchangeAuthCode exchanges the authorization code and token.
@@ -120,7 +130,7 @@ func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput)
 	cfg.RedirectURL = in.RedirectURI
 	token, err := cfg.Exchange(ctx, in.Code, oauth2.SetAuthURLParam("code_verifier", in.CodeVerifier))
 	if err != nil {
-		return nil, xerrors.Errorf("could not exchange the authorization code: %w", err)
+		return nil, xerrors.Errorf("exchange error: %w", err)
 	}
 	return c.verifyToken(ctx, token, in.Nonce)
 }
@@ -130,7 +140,7 @@ func (c *client) GetTokenByROPC(ctx context.Context, username, password string)
 	ctx = c.wrapContext(ctx)
 	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
 	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
+		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
 	}
 	return c.verifyToken(ctx, token, "")
 }
@@ -153,45 +163,29 @@ func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, e
 // verifyToken verifies the token with the certificates of the provider and the nonce.
 // If the nonce is an empty string, it does not verify the nonce.
 func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*TokenSet, error) {
-	idTokenString, ok := token.Extra("id_token").(string)
+	idToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
 	}
 	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	idToken, err := verifier.Verify(ctx, idTokenString)
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
 	if err != nil {
 		return nil, xerrors.Errorf("could not verify the ID token: %w", err)
 	}
-	if nonce != "" && nonce != idToken.Nonce {
-		return nil, xerrors.Errorf("nonce did not match (wants %s but was %s)", nonce, idToken.Nonce)
+	if nonce != "" && nonce != verifiedIDToken.Nonce {
+		return nil, xerrors.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
 	}
-	claims, err := dumpClaims(idToken)
+	pretty, err := jwt.DecodePayloadAsPrettyJSON(idToken)
 	if err != nil {
-		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
+		return nil, xerrors.Errorf("could not decode the token: %w", err)
 	}
 	return &TokenSet{
-		IDToken:       idTokenString,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: idToken.Expiry,
-		IDTokenClaims: claims,
+		IDToken: idToken,
+		IDTokenClaims: jwt.Claims{
+			Subject: verifiedIDToken.Subject,
+			Expiry:  verifiedIDToken.Expiry,
+			Pretty:  pretty,
+		},
+		RefreshToken: token.RefreshToken,
 	}, nil
 }
-
-func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
-	var rawClaims map[string]interface{}
-	err := token.Claims(&rawClaims)
-	return dumpRawClaims(rawClaims), err
-}
-
-func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v := v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%.f", v)
-		default:
-			claims[k] = fmt.Sprintf("%v", v)
-		}
-	}
-	return claims
-}

pkg/adaptors/reader/mock_reader/mock_reader.go

@@ -1,8 +1,8 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/env (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/adaptors/reader (interfaces: Interface)
 
-// Package mock_env is a generated GoMock package.
-package mock_env
+// Package mock_reader is a generated GoMock package.
+package mock_reader
 
 import (
 	gomock "github.com/golang/mock/gomock"
@@ -32,20 +32,6 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }
 
-// OpenBrowser mocks base method
-func (m *MockInterface) OpenBrowser(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OpenBrowser", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// OpenBrowser indicates an expected call of OpenBrowser
-func (mr *MockInterfaceMockRecorder) OpenBrowser(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OpenBrowser", reflect.TypeOf((*MockInterface)(nil).OpenBrowser), arg0)
-}
-
 // ReadPassword mocks base method
 func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
 	m.ctrl.T.Helper()

pkg/adaptors/reader/reader.go

@@ -0,0 +1,58 @@
+// Package reader provides the reader of standard input.
+package reader
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+	"syscall"
+
+	"github.com/google/wire"
+	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/xerrors"
+)
+
+//go:generate mockgen -destination mock_reader/mock_reader.go github.com/int128/kubelogin/pkg/adaptors/reader Interface
+
+// Set provides an implementation and interface for Reader.
+var Set = wire.NewSet(
+	wire.Struct(new(Reader), "*"),
+	wire.Bind(new(Interface), new(*Reader)),
+)
+
+type Interface interface {
+	ReadString(prompt string) (string, error)
+	ReadPassword(prompt string) (string, error)
+}
+
+type Reader struct{}
+
+// ReadString reads a string from the stdin.
+func (*Reader) ReadString(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", xerrors.Errorf("write error: %w", err)
+	}
+	r := bufio.NewReader(os.Stdin)
+	s, err := r.ReadString('\n')
+	if err != nil {
+		return "", xerrors.Errorf("read error: %w", err)
+	}
+	s = strings.TrimRight(s, "\r\n")
+	return s, nil
+}
+
+// ReadPassword reads a password from the stdin without echo back.
+func (*Reader) ReadPassword(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", xerrors.Errorf("write error: %w", err)
+	}
+	b, err := terminal.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", xerrors.Errorf("read error: %w", err)
+	}
+	if _, err := fmt.Fprintln(os.Stderr); err != nil {
+		return "", xerrors.Errorf("write error: %w", err)
+	}
+	return string(b), nil
+}

pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go

@@ -34,10 +34,10 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 }
 
 // FindByKey mocks base method
-func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache.TokenCache, error) {
+func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache.Value, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "FindByKey", arg0, arg1)
-	ret0, _ := ret[0].(*tokencache.TokenCache)
+	ret0, _ := ret[0].(*tokencache.Value)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -49,7 +49,7 @@ func (mr *MockInterfaceMockRecorder) FindByKey(arg0, arg1 interface{}) *gomock.C
 }
 
 // Save mocks base method
-func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.TokenCache) error {
+func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.Value) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Save", arg0, arg1, arg2)
 	ret0, _ := ret[0].(error)

pkg/adaptors/tokencache/tokencache.go

@@ -2,6 +2,7 @@ package tokencache
 
 import (
 	"crypto/sha256"
+	"encoding/gob"
 	"encoding/hex"
 	"encoding/json"
 	"os"
@@ -20,18 +21,23 @@ var Set = wire.NewSet(
 )
 
 type Interface interface {
-	FindByKey(dir string, key Key) (*TokenCache, error)
-	Save(dir string, key Key, cache TokenCache) error
+	FindByKey(dir string, key Key) (*Value, error)
+	Save(dir string, key Key, value Value) error
 }
 
 // Key represents a key of a token cache.
 type Key struct {
-	IssuerURL string
-	ClientID  string
+	IssuerURL      string
+	ClientID       string
+	ClientSecret   string
+	ExtraScopes    []string
+	CACertFilename string
+	CACertData     string
+	SkipTLSVerify  bool
 }
 
-// TokenCache represents a token cache.
-type TokenCache struct {
+// Value represents a value of a token cache.
+type Value struct {
 	IDToken      string `json:"id_token,omitempty"`
 	RefreshToken string `json:"refresh_token,omitempty"`
 }
@@ -40,42 +46,52 @@ type TokenCache struct {
 // Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
 type Repository struct{}
 
-func (r *Repository) FindByKey(dir string, key Key) (*TokenCache, error) {
-	filename := filepath.Join(dir, computeFilename(key))
-	f, err := os.Open(filename)
+func (r *Repository) FindByKey(dir string, key Key) (*Value, error) {
+	filename, err := computeFilename(key)
 	if err != nil {
-		return nil, xerrors.Errorf("could not open file %s: %w", filename, err)
+		return nil, xerrors.Errorf("could not compute the key: %w", err)
+	}
+	p := filepath.Join(dir, filename)
+	f, err := os.Open(p)
+	if err != nil {
+		return nil, xerrors.Errorf("could not open file %s: %w", p, err)
 	}
 	defer f.Close()
 	d := json.NewDecoder(f)
-	var c TokenCache
+	var c Value
 	if err := d.Decode(&c); err != nil {
-		return nil, xerrors.Errorf("could not decode json file %s: %w", filename, err)
+		return nil, xerrors.Errorf("invalid json file %s: %w", p, err)
 	}
 	return &c, nil
 }
 
-func (r *Repository) Save(dir string, key Key, cache TokenCache) error {
+func (r *Repository) Save(dir string, key Key, value Value) error {
 	if err := os.MkdirAll(dir, 0700); err != nil {
 		return xerrors.Errorf("could not create directory %s: %w", dir, err)
 	}
-	filename := filepath.Join(dir, computeFilename(key))
-	f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	filename, err := computeFilename(key)
 	if err != nil {
-		return xerrors.Errorf("could not create file %s: %w", filename, err)
+		return xerrors.Errorf("could not compute the key: %w", err)
+	}
+	p := filepath.Join(dir, filename)
+	f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return xerrors.Errorf("could not create file %s: %w", p, err)
 	}
 	defer f.Close()
 	e := json.NewEncoder(f)
-	if err := e.Encode(&cache); err != nil {
-		return xerrors.Errorf("could not encode json to file %s: %w", filename, err)
+	if err := e.Encode(&value); err != nil {
+		return xerrors.Errorf("json encode error: %w", err)
 	}
 	return nil
 }
 
-func computeFilename(key Key) string {
+func computeFilename(key Key) (string, error) {
 	s := sha256.New()
-	_, _ = s.Write([]byte(key.IssuerURL))
-	_, _ = s.Write([]byte{0x00})
-	_, _ = s.Write([]byte(key.ClientID))
-	return hex.EncodeToString(s.Sum(nil))
+	e := gob.NewEncoder(s)
+	if err := e.Encode(&key); err != nil {
+		return "", xerrors.Errorf("could not encode the key: %w", err)
+	}
+	h := hex.EncodeToString(s.Sum(nil))
+	return h, nil
 }

pkg/adaptors/tokencache/tokencache_test.go

@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
 )
 
 func TestRepository_FindByKey(t *testing.T) {
@@ -23,22 +23,30 @@ func TestRepository_FindByKey(t *testing.T) {
 			}
 		}()
 		key := Key{
-			IssuerURL: "YOUR_ISSUER",
-			ClientID:  "YOUR_CLIENT_ID",
+			IssuerURL:      "YOUR_ISSUER",
+			ClientID:       "YOUR_CLIENT_ID",
+			ClientSecret:   "YOUR_CLIENT_SECRET",
+			ExtraScopes:    []string{"openid", "email"},
+			CACertFilename: "/path/to/cert",
+			SkipTLSVerify:  false,
 		}
 		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename := filepath.Join(dir, computeFilename(key))
-		if err := ioutil.WriteFile(filename, []byte(json), 0600); err != nil {
+		filename, err := computeFilename(key)
+		if err != nil {
+			t.Errorf("could not compute the key: %s", err)
+		}
+		p := filepath.Join(dir, filename)
+		if err := ioutil.WriteFile(p, []byte(json), 0600); err != nil {
 			t.Fatalf("could not write to the temp file: %s", err)
 		}
 
-		tokenCache, err := r.FindByKey(dir, key)
+		value, err := r.FindByKey(dir, key)
 		if err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}
-		want := &TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if diff := deep.Equal(tokenCache, want); diff != nil {
-			t.Error(diff)
+		want := &Value{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
+		if diff := cmp.Diff(want, value); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 }
@@ -58,23 +66,32 @@ func TestRepository_Save(t *testing.T) {
 		}()
 
 		key := Key{
-			IssuerURL: "YOUR_ISSUER",
-			ClientID:  "YOUR_CLIENT_ID",
+			IssuerURL:      "YOUR_ISSUER",
+			ClientID:       "YOUR_CLIENT_ID",
+			ClientSecret:   "YOUR_CLIENT_SECRET",
+			ExtraScopes:    []string{"openid", "email"},
+			CACertFilename: "/path/to/cert",
+			SkipTLSVerify:  false,
 		}
-		tokenCache := TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Save(dir, key, tokenCache); err != nil {
+		value := Value{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
+		if err := r.Save(dir, key, value); err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}
 
-		filename := filepath.Join(dir, computeFilename(key))
-		b, err := ioutil.ReadFile(filename)
+		filename, err := computeFilename(key)
+		if err != nil {
+			t.Errorf("could not compute the key: %s", err)
+		}
+		p := filepath.Join(dir, filename)
+		b, err := ioutil.ReadFile(p)
 		if err != nil {
 			t.Fatalf("could not read the token cache file: %s", err)
 		}
 		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
 `
-		if diff := deep.Equal(string(b), want); diff != nil {
-			t.Error(diff)
+		got := string(b)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 }

pkg/di/di.go

@@ -5,17 +5,18 @@ package di
 
 import (
 	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool"
+	"github.com/int128/kubelogin/pkg/adaptors/clock"
 	"github.com/int128/kubelogin/pkg/adaptors/cmd"
-	credentialPluginAdaptor "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/env"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
 	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
+	"github.com/int128/kubelogin/pkg/adaptors/reader"
 	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	credentialPluginUseCase "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 )
@@ -23,41 +24,32 @@ import (
 // NewCmd returns an instance of adaptors.Cmd.
 func NewCmd() cmd.Interface {
 	wire.Build(
-		// use-cases
-		authentication.Set,
-		wire.Value(authentication.DefaultLocalServerReadyFunc),
-		standalone.Set,
-		credentialPluginUseCase.Set,
-		setup.Set,
+		NewCmdForHeadless,
 
-		// adaptors
-		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		credentialPluginAdaptor.Set,
-		oidcclient.Set,
-		jwtdecoder.Set,
-		certpool.Set,
+		// dependencies for production
 		logger.Set,
+		browser.Set,
+		credentialpluginwriter.Set,
 	)
 	return nil
 }
 
 // NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
-func NewCmdForHeadless(logger.Interface, authentication.LocalServerReadyFunc, credentialPluginAdaptor.Interface) cmd.Interface {
+func NewCmdForHeadless(logger.Interface, browser.Interface, credentialpluginwriter.Interface) cmd.Interface {
 	wire.Build(
+		// use-cases
 		authentication.Set,
 		standalone.Set,
-		credentialPluginUseCase.Set,
+		credentialplugin.Set,
 		setup.Set,
 
+		// adaptors
 		cmd.Set,
-		env.Set,
+		reader.Set,
+		clock.Set,
 		kubeconfig.Set,
 		tokencache.Set,
 		oidcclient.Set,
-		jwtdecoder.Set,
 		certpool.Set,
 	)
 	return nil

pkg/di/wire_gen.go

@@ -6,17 +6,18 @@
 package di
 
 import (
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool"
+	"github.com/int128/kubelogin/pkg/adaptors/clock"
 	"github.com/int128/kubelogin/pkg/adaptors/cmd"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/env"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
 	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
+	"github.com/int128/kubelogin/pkg/adaptors/reader"
 	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	credentialplugin2 "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 )
@@ -25,54 +26,56 @@ import (
 
 func NewCmd() cmd.Interface {
 	loggerInterface := logger.New()
-	factory := &oidcclient.Factory{
-		Logger: loggerInterface,
-	}
-	decoder := &jwtdecoder.Decoder{}
-	envEnv := &env.Env{}
-	localServerReadyFunc := _wireLocalServerReadyFuncValue
+	browserBrowser := &browser.Browser{}
+	writer := &credentialpluginwriter.Writer{}
+	cmdInterface := NewCmdForHeadless(loggerInterface, browserBrowser, writer)
+	return cmdInterface
+}
+
+func NewCmdForHeadless(loggerInterface logger.Interface, browserInterface browser.Interface, credentialpluginwriterInterface credentialpluginwriter.Interface) cmd.Interface {
+	newFunc := _wireNewFuncValue
+	clockClock := &clock.Clock{}
 	authCode := &authentication.AuthCode{
-		Env:                  envEnv,
-		Logger:               loggerInterface,
-		LocalServerReadyFunc: localServerReadyFunc,
+		Browser: browserInterface,
+		Logger:  loggerInterface,
 	}
+	readerReader := &reader.Reader{}
 	authCodeKeyboard := &authentication.AuthCodeKeyboard{
-		Env:    envEnv,
+		Reader: readerReader,
 		Logger: loggerInterface,
 	}
 	ropc := &authentication.ROPC{
-		Env:    envEnv,
+		Reader: readerReader,
 		Logger: loggerInterface,
 	}
 	authenticationAuthentication := &authentication.Authentication{
-		OIDCClientFactory: factory,
-		JWTDecoder:        decoder,
-		Logger:            loggerInterface,
-		AuthCode:          authCode,
-		AuthCodeKeyboard:  authCodeKeyboard,
-		ROPC:              ropc,
+		NewOIDCClient:    newFunc,
+		Logger:           loggerInterface,
+		Clock:            clockClock,
+		AuthCode:         authCode,
+		AuthCodeKeyboard: authCodeKeyboard,
+		ROPC:             ropc,
 	}
 	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{
 		Logger: loggerInterface,
 	}
-	certpoolFactory := &certpool.Factory{}
+	certpoolNewFunc := _wireCertpoolNewFuncValue
 	standaloneStandalone := &standalone.Standalone{
-		Authentication:  authenticationAuthentication,
-		Kubeconfig:      kubeconfigKubeconfig,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
+		Authentication: authenticationAuthentication,
+		Kubeconfig:     kubeconfigKubeconfig,
+		NewCertPool:    certpoolNewFunc,
+		Logger:         loggerInterface,
 	}
 	root := &cmd.Root{
 		Standalone: standaloneStandalone,
 		Logger:     loggerInterface,
 	}
 	repository := &tokencache.Repository{}
-	interaction := &credentialplugin.Interaction{}
-	getToken := &credentialplugin2.GetToken{
+	getToken := &credentialplugin.GetToken{
 		Authentication:       authenticationAuthentication,
 		TokenCacheRepository: repository,
-		CertPoolFactory:      certpoolFactory,
-		Interaction:          interaction,
+		NewCertPool:          certpoolNewFunc,
+		Writer:               credentialpluginwriterInterface,
 		Logger:               loggerInterface,
 	}
 	cmdGetToken := &cmd.GetToken{
@@ -80,9 +83,9 @@ func NewCmd() cmd.Interface {
 		Logger:   loggerInterface,
 	}
 	setupSetup := &setup.Setup{
-		Authentication:  authenticationAuthentication,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
+		Authentication: authenticationAuthentication,
+		NewCertPool:    certpoolNewFunc,
+		Logger:         loggerInterface,
 	}
 	cmdSetup := &cmd.Setup{
 		Setup: setupSetup,
@@ -97,75 +100,6 @@ func NewCmd() cmd.Interface {
 }
 
 var (
-	_wireLocalServerReadyFuncValue = authentication.DefaultLocalServerReadyFunc
+	_wireNewFuncValue         = oidcclient.NewFunc(oidcclient.New)
+	_wireCertpoolNewFuncValue = certpool.NewFunc(certpool.New)
 )
-
-func NewCmdForHeadless(loggerInterface logger.Interface, localServerReadyFunc authentication.LocalServerReadyFunc, credentialpluginInterface credentialplugin.Interface) cmd.Interface {
-	factory := &oidcclient.Factory{
-		Logger: loggerInterface,
-	}
-	decoder := &jwtdecoder.Decoder{}
-	envEnv := &env.Env{}
-	authCode := &authentication.AuthCode{
-		Env:                  envEnv,
-		Logger:               loggerInterface,
-		LocalServerReadyFunc: localServerReadyFunc,
-	}
-	authCodeKeyboard := &authentication.AuthCodeKeyboard{
-		Env:    envEnv,
-		Logger: loggerInterface,
-	}
-	ropc := &authentication.ROPC{
-		Env:    envEnv,
-		Logger: loggerInterface,
-	}
-	authenticationAuthentication := &authentication.Authentication{
-		OIDCClientFactory: factory,
-		JWTDecoder:        decoder,
-		Logger:            loggerInterface,
-		AuthCode:          authCode,
-		AuthCodeKeyboard:  authCodeKeyboard,
-		ROPC:              ropc,
-	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{
-		Logger: loggerInterface,
-	}
-	certpoolFactory := &certpool.Factory{}
-	standaloneStandalone := &standalone.Standalone{
-		Authentication:  authenticationAuthentication,
-		Kubeconfig:      kubeconfigKubeconfig,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
-	}
-	root := &cmd.Root{
-		Standalone: standaloneStandalone,
-		Logger:     loggerInterface,
-	}
-	repository := &tokencache.Repository{}
-	getToken := &credentialplugin2.GetToken{
-		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repository,
-		CertPoolFactory:      certpoolFactory,
-		Interaction:          credentialpluginInterface,
-		Logger:               loggerInterface,
-	}
-	cmdGetToken := &cmd.GetToken{
-		GetToken: getToken,
-		Logger:   loggerInterface,
-	}
-	setupSetup := &setup.Setup{
-		Authentication:  authenticationAuthentication,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
-	}
-	cmdSetup := &cmd.Setup{
-		Setup: setupSetup,
-	}
-	cmdCmd := &cmd.Cmd{
-		Root:     root,
-		GetToken: cmdGetToken,
-		Setup:    cmdSetup,
-		Logger:   loggerInterface,
-	}
-	return cmdCmd
-}

pkg/domain/jwt/decode.go

@@ -0,0 +1,72 @@
+// Package jwt provides JWT manipulations.
+// See https://tools.ietf.org/html/rfc7519#section-4.1.3
+package jwt
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"strings"
+	"time"
+
+	"golang.org/x/xerrors"
+)
+
+// DecodeWithoutVerify decodes the JWT string and returns the claims.
+// Note that this method does not verify the signature and always trust it.
+func DecodeWithoutVerify(s string) (*Claims, error) {
+	payload, err := DecodePayloadAsRawJSON(s)
+	if err != nil {
+		return nil, xerrors.Errorf("could not decode the payload: %w", err)
+	}
+	var claims struct {
+		Subject   string `json:"sub,omitempty"`
+		ExpiresAt int64  `json:"exp,omitempty"`
+	}
+	if err := json.NewDecoder(bytes.NewReader(payload)).Decode(&claims); err != nil {
+		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
+	}
+	var prettyJson bytes.Buffer
+	if err := json.Indent(&prettyJson, payload, "", "  "); err != nil {
+		return nil, xerrors.Errorf("could not indent the json of token: %w", err)
+	}
+	return &Claims{
+		Subject: claims.Subject,
+		Expiry:  time.Unix(claims.ExpiresAt, 0),
+		Pretty:  prettyJson.String(),
+	}, nil
+}
+
+// DecodePayloadAsPrettyJSON decodes the JWT string and returns the pretty JSON string.
+func DecodePayloadAsPrettyJSON(s string) (string, error) {
+	payload, err := DecodePayloadAsRawJSON(s)
+	if err != nil {
+		return "", xerrors.Errorf("could not decode the payload: %w", err)
+	}
+	var prettyJson bytes.Buffer
+	if err := json.Indent(&prettyJson, payload, "", "  "); err != nil {
+		return "", xerrors.Errorf("could not indent the json of token: %w", err)
+	}
+	return prettyJson.String(), nil
+}
+
+// DecodePayloadAsRawJSON extracts the payload and returns the raw JSON.
+func DecodePayloadAsRawJSON(s string) ([]byte, error) {
+	parts := strings.SplitN(s, ".", 3)
+	if len(parts) != 3 {
+		return nil, xerrors.Errorf("wants %d segments but got %d segments", 3, len(parts))
+	}
+	payloadJSON, err := decodePayload(parts[1])
+	if err != nil {
+		return nil, xerrors.Errorf("could not decode the payload: %w", err)
+	}
+	return payloadJSON, nil
+}
+
+func decodePayload(payload string) ([]byte, error) {
+	b, err := base64.URLEncoding.WithPadding(base64.NoPadding).DecodeString(payload)
+	if err != nil {
+		return nil, xerrors.Errorf("invalid base64: %w", err)
+	}
+	return b, nil
+}

pkg/domain/jwt/decode_test.go

@@ -0,0 +1,48 @@
+package jwt
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestDecode(t *testing.T) {
+	t.Run("ValidToken", func(t *testing.T) {
+		const (
+			// https://tools.ietf.org/html/rfc7519#section-3.1
+			header    = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
+			payload   = "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
+			signature = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+			token     = header + "." + payload + "." + signature
+		)
+		got, err := DecodeWithoutVerify(token)
+		if err != nil {
+			t.Fatalf("Decode error: %s", err)
+		}
+		want := &Claims{
+			Subject: "",
+			Expiry:  time.Unix(1300819380, 0),
+			Pretty: `{
+  "iss": "joe",
+  "exp": 1300819380,
+  "http://example.com/is_root": true
+}`,
+		}
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
+		}
+	})
+
+	t.Run("InvalidToken", func(t *testing.T) {
+		decodedToken, err := DecodeWithoutVerify("HEADER.INVALID_TOKEN.SIGNATURE")
+		if err == nil {
+			t.Errorf("error wants non-nil but nil")
+		} else {
+			t.Logf("expected error: %+v", err)
+		}
+		if decodedToken != nil {
+			t.Errorf("decodedToken wants nil but %+v", decodedToken)
+		}
+	})
+}

pkg/domain/jwt/token.go

@@ -0,0 +1,20 @@
+package jwt
+
+import "time"
+
+// Claims represents claims of an ID token.
+type Claims struct {
+	Subject string
+	Expiry  time.Time
+	Pretty  string // string representation for debug and logging
+}
+
+// Clock provides the current time.
+type Clock interface {
+	Now() time.Time
+}
+
+// IsExpired returns true if the token is expired.
+func (c *Claims) IsExpired(clock Clock) bool {
+	return c.Expiry.Before(clock.Now())
+}

pkg/domain/jwt/token_test.go

@@ -0,0 +1,36 @@
+package jwt_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+)
+
+type timeProvider time.Time
+
+func (tp timeProvider) Now() time.Time {
+	return time.Time(tp)
+}
+
+func TestClaims_IsExpired(t *testing.T) {
+	claims := jwt.Claims{
+		Expiry: time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
+	}
+
+	t.Run("Expired", func(t *testing.T) {
+		tp := timeProvider(time.Date(2019, 1, 2, 4, 0, 0, 0, time.UTC))
+		got := claims.IsExpired(tp)
+		if got != true {
+			t.Errorf("IsExpired() wants true but false")
+		}
+	})
+
+	t.Run("NotExpired", func(t *testing.T) {
+		tp := timeProvider(time.Date(2019, 1, 2, 0, 0, 0, 0, time.UTC))
+		got := claims.IsExpired(tp)
+		if got != false {
+			t.Errorf("IsExpired() wants false but true")
+		}
+	})
+}

pkg/domain/oidc/oidc.go

@@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/binary"
-	"strings"
 
 	"golang.org/x/xerrors"
 )
@@ -44,7 +43,7 @@ func NewPKCEParams() (*PKCEParams, error) {
 func random32() ([]byte, error) {
 	b := make([]byte, 32)
 	if err := binary.Read(rand.Reader, binary.LittleEndian, b); err != nil {
-		return nil, xerrors.Errorf("could not read: %w", err)
+		return nil, xerrors.Errorf("read error: %w", err)
 	}
 	return b, nil
 }
@@ -61,5 +60,5 @@ func computeS256(b []byte) PKCEParams {
 }
 
 func base64URLEncode(b []byte) string {
-	return strings.TrimRight(base64.URLEncoding.EncodeToString(b), "=")
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(b)
 }

pkg/testing/clock/clock.go

@@ -0,0 +1,9 @@
+package clock
+
+import "time"
+
+type Fake time.Time
+
+func (f Fake) Now() time.Time {
+	return time.Time(f)
+}

pkg/testing/jwt/encode.go

@@ -0,0 +1,43 @@
+package jwt
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"testing"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+var PrivateKey = generateKey(1024)
+
+func generateKey(b int) *rsa.PrivateKey {
+	k, err := rsa.GenerateKey(rand.Reader, b)
+	if err != nil {
+		panic(err)
+	}
+	return k
+}
+
+type Claims struct {
+	jwt.StandardClaims
+	// aud claim is either a string or an array of strings.
+	// https://tools.ietf.org/html/rfc7519#section-4.1.3
+	Audience      []string `json:"aud,omitempty"`
+	Nonce         string   `json:"nonce,omitempty"`
+	Groups        []string `json:"groups,omitempty"`
+	EmailVerified bool     `json:"email_verified,omitempty"`
+}
+
+func Encode(t *testing.T, claims Claims) string {
+	s, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(PrivateKey)
+	if err != nil {
+		t.Fatalf("could not encode JWT: %s", err)
+	}
+	return s
+}
+
+func EncodeF(t *testing.T, mutation func(*Claims)) string {
+	var claims Claims
+	mutation(&claims)
+	return Encode(t, claims)
+}

pkg/testing/logger/logger.go

@@ -1,4 +1,4 @@
-package mock_logger
+package logger
 
 import (
 	"fmt"
@@ -8,7 +8,7 @@ import (
 )
 
 func New(t testingLogger) *Logger {
-	return &Logger{t}
+	return &Logger{t: t}
 }
 
 type testingLogger interface {
@@ -17,30 +17,38 @@ type testingLogger interface {
 
 // Logger provides logging facility using testing.T.
 type Logger struct {
-	t testingLogger
+	t        testingLogger
+	maxLevel int
 }
 
-func (*Logger) AddFlags(f *pflag.FlagSet) {
-	f.IntP("v", "v", 0, "dummy flag used in the tests")
+func (l *Logger) AddFlags(f *pflag.FlagSet) {
+	f.IntVarP(&l.maxLevel, "v", "v", 0, "dummy flag used in the tests")
 }
 
 func (l *Logger) Printf(format string, args ...interface{}) {
 	l.t.Logf(format, args...)
 }
 
-type Verbose struct {
+func (l *Logger) V(level int) logger.Verbose {
+	if l.IsEnabled(level) {
+		return &verbose{l.t, level}
+	}
+	return &noopVerbose{}
+}
+
+func (l *Logger) IsEnabled(level int) bool {
+	return level <= l.maxLevel
+}
+
+type verbose struct {
 	t     testingLogger
 	level int
 }
 
-func (v *Verbose) Infof(format string, args ...interface{}) {
+func (v *verbose) Infof(format string, args ...interface{}) {
 	v.t.Logf(fmt.Sprintf("I%d] ", v.level)+format, args...)
 }
 
-func (l *Logger) V(level int) logger.Verbose {
-	return &Verbose{l.t, level}
-}
+type noopVerbose struct{}
 
-func (*Logger) IsEnabled(level int) bool {
-	return true
-}
+func (*noopVerbose) Infof(string, ...interface{}) {}

pkg/usecases/authentication/authcode.go

@@ -3,7 +3,7 @@ package authentication
 import (
 	"context"
 
-	"github.com/int128/kubelogin/pkg/adaptors/env"
+	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/domain/oidc"
@@ -13,13 +13,16 @@ import (
 
 // AuthCode provides the authentication code flow.
 type AuthCode struct {
-	Env                  env.Interface
-	Logger               logger.Interface
-	LocalServerReadyFunc LocalServerReadyFunc // only for e2e tests
+	Browser browser.Interface
+	Logger  logger.Interface
 }
 
 func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.Interface) (*Output, error) {
 	u.Logger.V(1).Infof("performing the authentication code flow")
+	state, err := oidc.NewState()
+	if err != nil {
+		return nil, xerrors.Errorf("could not generate a state: %w", err)
+	}
 	nonce, err := oidc.NewNonce()
 	if err != nil {
 		return nil, xerrors.Errorf("could not generate a nonce: %w", err)
@@ -29,11 +32,14 @@ func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.
 		return nil, xerrors.Errorf("could not generate PKCE parameters: %w", err)
 	}
 	in := oidcclient.GetTokenByAuthCodeInput{
-		BindAddress:         o.BindAddress,
-		Nonce:               nonce,
-		CodeChallenge:       p.CodeChallenge,
-		CodeChallengeMethod: p.CodeChallengeMethod,
-		CodeVerifier:        p.CodeVerifier,
+		BindAddress:            o.BindAddress,
+		State:                  state,
+		Nonce:                  nonce,
+		CodeChallenge:          p.CodeChallenge,
+		CodeChallengeMethod:    p.CodeChallengeMethod,
+		CodeVerifier:           p.CodeVerifier,
+		RedirectURLHostname:    o.RedirectURLHostname,
+		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	}
 	readyChan := make(chan string, 1)
 	defer close(readyChan)
@@ -45,15 +51,15 @@ func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.
 			if !ok {
 				return nil
 			}
-			u.Logger.Printf("Open %s for authentication", url)
-			if u.LocalServerReadyFunc != nil {
-				u.LocalServerReadyFunc(url)
-			}
 			if o.SkipOpenBrowser {
+				u.Logger.Printf("Please visit the following URL in your browser: %s", url)
 				return nil
 			}
-			if err := u.Env.OpenBrowser(url); err != nil {
-				u.Logger.V(1).Infof("could not open the browser: %s", err)
+			if err := u.Browser.Open(url); err != nil {
+				u.Logger.Printf(`error: could not open the browser: %s
+
+Please visit the following URL in your browser manually: %s`, err, url)
+				return nil
 			}
 			return nil
 		case <-ctx.Done():
@@ -63,19 +69,17 @@ func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.
 	eg.Go(func() error {
 		tokenSet, err := client.GetTokenByAuthCode(ctx, in, readyChan)
 		if err != nil {
-			return xerrors.Errorf("error while the authorization code flow: %w", err)
+			return xerrors.Errorf("authorization code flow error: %w", err)
 		}
 		out = Output{
-			IDToken:        tokenSet.IDToken,
-			RefreshToken:   tokenSet.RefreshToken,
-			IDTokenSubject: tokenSet.IDTokenSubject,
-			IDTokenExpiry:  tokenSet.IDTokenExpiry,
-			IDTokenClaims:  tokenSet.IDTokenClaims,
+			IDToken:       tokenSet.IDToken,
+			IDTokenClaims: tokenSet.IDTokenClaims,
+			RefreshToken:  tokenSet.RefreshToken,
 		}
 		return nil
 	})
 	if err := eg.Wait(); err != nil {
-		return nil, xerrors.Errorf("error while the authorization code flow: %w", err)
+		return nil, xerrors.Errorf("authentication error: %w", err)
 	}
 	return &out, nil
 }

pkg/usecases/authentication/authcode_keyboard.go

@@ -3,9 +3,9 @@ package authentication
 import (
 	"context"
 
-	"github.com/int128/kubelogin/pkg/adaptors/env"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
+	"github.com/int128/kubelogin/pkg/adaptors/reader"
 	"github.com/int128/kubelogin/pkg/domain/oidc"
 	"golang.org/x/xerrors"
 )
@@ -15,7 +15,7 @@ const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
 
 // AuthCodeKeyboard provides the authorization code flow with keyboard interactive.
 type AuthCodeKeyboard struct {
-	Env    env.Interface
+	Reader reader.Interface
 	Logger logger.Interface
 }
 
@@ -34,16 +34,17 @@ func (u *AuthCodeKeyboard) Do(ctx context.Context, o *AuthCodeKeyboardOption, cl
 		return nil, xerrors.Errorf("could not generate PKCE parameters: %w", err)
 	}
 	authCodeURL := client.GetAuthCodeURL(oidcclient.AuthCodeURLInput{
-		State:               state,
-		Nonce:               nonce,
-		CodeChallenge:       p.CodeChallenge,
-		CodeChallengeMethod: p.CodeChallengeMethod,
-		RedirectURI:         oobRedirectURI,
+		State:                  state,
+		Nonce:                  nonce,
+		CodeChallenge:          p.CodeChallenge,
+		CodeChallengeMethod:    p.CodeChallengeMethod,
+		RedirectURI:            oobRedirectURI,
+		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	})
 	u.Logger.Printf("Open %s", authCodeURL)
-	code, err := u.Env.ReadString(authCodeKeyboardPrompt)
+	code, err := u.Reader.ReadString(authCodeKeyboardPrompt)
 	if err != nil {
-		return nil, xerrors.Errorf("could not read the authorization code: %w", err)
+		return nil, xerrors.Errorf("could not read an authorization code: %w", err)
 	}
 
 	tokenSet, err := client.ExchangeAuthCode(ctx, oidcclient.ExchangeAuthCodeInput{
@@ -53,13 +54,11 @@ func (u *AuthCodeKeyboard) Do(ctx context.Context, o *AuthCodeKeyboardOption, cl
 		RedirectURI:  oobRedirectURI,
 	})
 	if err != nil {
-		return nil, xerrors.Errorf("could not get the token: %w", err)
+		return nil, xerrors.Errorf("could not exchange the authorization code: %w", err)
 	}
 	return &Output{
-		IDToken:        tokenSet.IDToken,
-		RefreshToken:   tokenSet.RefreshToken,
-		IDTokenSubject: tokenSet.IDTokenSubject,
-		IDTokenExpiry:  tokenSet.IDTokenExpiry,
-		IDTokenClaims:  tokenSet.IDTokenClaims,
+		IDToken:       tokenSet.IDToken,
+		IDTokenClaims: tokenSet.IDTokenClaims,
+		RefreshToken:  tokenSet.RefreshToken,
 	}, nil
 }

pkg/usecases/authentication/authcode_keyboard_test.go

@@ -5,19 +5,23 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-test/deep"
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/env/mock_env"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
+	"github.com/int128/kubelogin/pkg/adaptors/reader/mock_reader"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 )
 
 var nonNil = gomock.Not(gomock.Nil())
 
 func TestAuthCodeKeyboard_Do(t *testing.T) {
-	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
-	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+	dummyTokenClaims := jwt.Claims{
+		Subject: "YOUR_SUBJECT",
+		Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
+		Pretty:  "PRETTY_JSON",
+	}
 	timeout := 5 * time.Second
 
 	t.Run("Success", func(t *testing.T) {
@@ -25,9 +29,17 @@ func TestAuthCodeKeyboard_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
+		o := &AuthCodeKeyboardOption{
+			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
+		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			GetAuthCodeURL(nonNil).
+			Do(func(in oidcclient.AuthCodeURLInput) {
+				if diff := cmp.Diff(o.AuthRequestExtraParams, in.AuthRequestExtraParams); diff != "" {
+					t.Errorf("AuthRequestExtraParams mismatch (-want +got):\n%s", diff)
+				}
+			}).
 			Return("https://issuer.example.com/auth")
 		mockOIDCClient.EXPECT().
 			ExchangeAuthCode(nonNil, nonNil).
@@ -37,33 +49,29 @@ func TestAuthCodeKeyboard_Do(t *testing.T) {
 				}
 			}).
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockEnv := mock_env.NewMockInterface(ctrl)
-		mockEnv.EXPECT().
+		mockReader := mock_reader.NewMockInterface(ctrl)
+		mockReader.EXPECT().
 			ReadString(authCodeKeyboardPrompt).
 			Return("YOUR_AUTH_CODE", nil)
 		u := AuthCodeKeyboard{
-			Env:    mockEnv,
-			Logger: mock_logger.New(t),
+			Reader: mockReader,
+			Logger: logger.New(t),
 		}
-		out, err := u.Do(ctx, nil, mockOIDCClient)
+		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			IDTokenClaims: dummyTokenClaims,
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 }

pkg/usecases/authentication/authcode_test.go

@@ -5,17 +5,21 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-test/deep"
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/env/mock_env"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 )
 
 func TestAuthCode_Do(t *testing.T) {
-	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
-	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+	dummyTokenClaims := jwt.Claims{
+		Subject: "YOUR_SUBJECT",
+		Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
+		Pretty:  "PRETTY_JSON",
+	}
 	timeout := 5 * time.Second
 
 	t.Run("Success", func(t *testing.T) {
@@ -24,38 +28,45 @@ func TestAuthCode_Do(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		o := &AuthCodeOption{
-			BindAddress:     []string{"127.0.0.1:8000"},
-			SkipOpenBrowser: true,
+			BindAddress:            []string{"127.0.0.1:8000"},
+			SkipOpenBrowser:        true,
+			RedirectURLHostname:    "localhost",
+			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			GetTokenByAuthCode(gomock.Any(), gomock.Any(), gomock.Any()).
-			Do(func(_ context.Context, _ oidcclient.GetTokenByAuthCodeInput, readyChan chan<- string) {
+			Do(func(_ context.Context, in oidcclient.GetTokenByAuthCodeInput, readyChan chan<- string) {
+				if diff := cmp.Diff(o.BindAddress, in.BindAddress); diff != "" {
+					t.Errorf("BindAddress mismatch (-want +got):\n%s", diff)
+				}
+				if diff := cmp.Diff(o.RedirectURLHostname, in.RedirectURLHostname); diff != "" {
+					t.Errorf("RedirectURLHostname mismatch (-want +got):\n%s", diff)
+				}
+				if diff := cmp.Diff(o.AuthRequestExtraParams, in.AuthRequestExtraParams); diff != "" {
+					t.Errorf("AuthRequestExtraParams mismatch (-want +got):\n%s", diff)
+				}
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
 		u := AuthCode{
-			Logger: mock_logger.New(t),
+			Logger: logger.New(t),
 		}
-		out, err := u.Do(ctx, o, mockOIDCClient)
+		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyTokenClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -74,32 +85,28 @@ func TestAuthCode_Do(t *testing.T) {
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
-		mockEnv := mock_env.NewMockInterface(ctrl)
-		mockEnv.EXPECT().
-			OpenBrowser("LOCAL_SERVER_URL")
+		mockBrowser := mock_browser.NewMockInterface(ctrl)
+		mockBrowser.EXPECT().
+			Open("LOCAL_SERVER_URL")
 		u := AuthCode{
-			Logger: mock_logger.New(t),
-			Env:    mockEnv,
+			Logger:  logger.New(t),
+			Browser: mockBrowser,
 		}
-		out, err := u.Do(ctx, o, mockOIDCClient)
+		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyTokenClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 }

pkg/usecases/authentication/authentication.go

@@ -2,13 +2,13 @@ package authentication
 
 import (
 	"context"
-	"time"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
+	"github.com/int128/kubelogin/pkg/adaptors/clock"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"golang.org/x/xerrors"
 )
 
@@ -23,12 +23,6 @@ var Set = wire.NewSet(
 	wire.Struct(new(ROPC), "*"),
 )
 
-// LocalServerReadyFunc provides an extension point for e2e tests.
-type LocalServerReadyFunc func(url string)
-
-// DefaultLocalServerReadyFunc is the default noop function.
-var DefaultLocalServerReadyFunc = LocalServerReadyFunc(nil)
-
 type Interface interface {
 	Do(ctx context.Context, in Input) (*Output, error)
 }
@@ -41,8 +35,8 @@ type Input struct {
 	ExtraScopes    []string // optional
 	CertPool       certpool.Interface
 	SkipTLSVerify  bool
-	IDToken        string // optional
-	RefreshToken   string // optional
+	IDToken        string // optional, from the token cache
+	RefreshToken   string // optional, from the token cache
 	GrantOptionSet GrantOptionSet
 }
 
@@ -53,24 +47,26 @@ type GrantOptionSet struct {
 }
 
 type AuthCodeOption struct {
-	SkipOpenBrowser bool
-	BindAddress     []string
+	SkipOpenBrowser        bool
+	BindAddress            []string
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
 }
 
-type AuthCodeKeyboardOption struct{}
+type AuthCodeKeyboardOption struct {
+	AuthRequestExtraParams map[string]string
+}
 
 type ROPCOption struct {
 	Username string
-	Password string // If empty, read a password using Env.ReadPassword()
+	Password string // If empty, read a password using Reader.ReadPassword()
 }
 
 // Output represents an output DTO of the Authentication use-case.
 type Output struct {
 	AlreadyHasValidIDToken bool
-	IDTokenSubject         string
-	IDTokenExpiry          time.Time
-	IDTokenClaims          map[string]string
 	IDToken                string
+	IDTokenClaims          jwt.Claims
 	RefreshToken           string
 }
 
@@ -91,12 +87,12 @@ const passwordPrompt = "Password: "
 // If the Password is not set, it asks a password by the prompt.
 //
 type Authentication struct {
-	OIDCClientFactory oidcclient.FactoryInterface
-	JWTDecoder        jwtdecoder.Interface
-	Logger            logger.Interface
-	AuthCode          *AuthCode
-	AuthCodeKeyboard  *AuthCodeKeyboard
-	ROPC              *ROPC
+	NewOIDCClient    oidcclient.NewFunc
+	Logger           logger.Interface
+	Clock            clock.Interface
+	AuthCode         *AuthCode
+	AuthCodeKeyboard *AuthCodeKeyboard
+	ROPC             *ROPC
 }
 
 func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
@@ -105,35 +101,34 @@ func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
 		// Skip verification of the token to reduce time of a discovery request.
 		// Here it trusts the signature and claims and checks only expiration,
 		// because the token has been verified before caching.
-		claims, err := u.JWTDecoder.Decode(in.IDToken)
+		claims, err := jwt.DecodeWithoutVerify(in.IDToken)
 		if err != nil {
-			return nil, xerrors.Errorf("invalid token and you need to remove the cache: %w", err)
+			return nil, xerrors.Errorf("invalid token cache (you may need to remove): %w", err)
 		}
-		if claims.Expiry.After(time.Now()) { //TODO: inject time service
+		if !claims.IsExpired(u.Clock) {
 			u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
 			return &Output{
 				AlreadyHasValidIDToken: true,
 				IDToken:                in.IDToken,
 				RefreshToken:           in.RefreshToken,
-				IDTokenSubject:         claims.Subject,
-				IDTokenExpiry:          claims.Expiry,
-				IDTokenClaims:          claims.Pretty,
+				IDTokenClaims:          *claims,
 			}, nil
 		}
 		u.Logger.V(1).Infof("you have an expired token at %s", claims.Expiry)
 	}
 
 	u.Logger.V(1).Infof("initializing an OpenID Connect client")
-	client, err := u.OIDCClientFactory.New(ctx, oidcclient.Config{
+	client, err := u.NewOIDCClient(ctx, oidcclient.Config{
 		IssuerURL:     in.IssuerURL,
 		ClientID:      in.ClientID,
 		ClientSecret:  in.ClientSecret,
 		ExtraScopes:   in.ExtraScopes,
 		CertPool:      in.CertPool,
 		SkipTLSVerify: in.SkipTLSVerify,
+		Logger:        u.Logger,
 	})
 	if err != nil {
-		return nil, xerrors.Errorf("could not create an OpenID Connect client: %w", err)
+		return nil, xerrors.Errorf("oidc error: %w", err)
 	}
 
 	if in.RefreshToken != "" {
@@ -141,11 +136,9 @@ func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
 		out, err := client.Refresh(ctx, in.RefreshToken)
 		if err == nil {
 			return &Output{
-				IDToken:        out.IDToken,
-				RefreshToken:   out.RefreshToken,
-				IDTokenSubject: out.IDTokenSubject,
-				IDTokenExpiry:  out.IDTokenExpiry,
-				IDTokenClaims:  out.IDTokenClaims,
+				IDToken:       out.IDToken,
+				IDTokenClaims: out.IDTokenClaims,
+				RefreshToken:  out.RefreshToken,
 			}, nil
 		}
 		u.Logger.V(1).Infof("could not refresh the token: %s", err)

pkg/usecases/authentication/authentication_test.go

@@ -5,21 +5,34 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-test/deep"
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder/mock_jwtdecoder"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
+	testingLogger "github.com/int128/kubelogin/pkg/testing/logger"
 	"golang.org/x/xerrors"
 )
 
+var cmpIgnoreLogger = cmpopts.IgnoreInterfaces(struct{ logger.Interface }{})
+
 func TestAuthentication_Do(t *testing.T) {
-	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
-	pastTime := time.Now().Add(-time.Hour)  //TODO: inject time service
-	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
 	timeout := 5 * time.Second
+	expiryTime := time.Date(2020, 1, 2, 3, 4, 5, 0, time.UTC)
+	cachedIDToken := testingJWT.EncodeF(t, func(claims *testingJWT.Claims) {
+		claims.Issuer = "https://issuer.example.com"
+		claims.Subject = "SUBJECT"
+		claims.ExpiresAt = expiryTime.Unix()
+	})
+	dummyClaims := jwt.Claims{
+		Subject: "SUBJECT",
+		Expiry:  time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
+		Pretty:  "PRETTY_JSON",
+	}
 
 	t.Run("HasValidIDToken", func(t *testing.T) {
 		ctrl := gomock.NewController(t)
@@ -30,34 +43,31 @@ func TestAuthentication_Do(t *testing.T) {
 			IssuerURL:    "https://issuer.example.com",
 			ClientID:     "YOUR_CLIENT_ID",
 			ClientSecret: "YOUR_CLIENT_SECRET",
-			IDToken:      "VALID_ID_TOKEN",
+			IDToken:      cachedIDToken,
 		}
-		mockDecoder := mock_jwtdecoder.NewMockInterface(ctrl)
-		mockDecoder.EXPECT().
-			Decode("VALID_ID_TOKEN").
-			Return(&jwtdecoder.Claims{
-				Subject: "YOUR_SUBJECT",
-				Expiry:  futureTime,
-				Pretty:  dummyTokenClaims,
-			}, nil)
 		u := Authentication{
-			OIDCClientFactory: mock_oidcclient.NewMockFactoryInterface(ctrl),
-			JWTDecoder:        mockDecoder,
-			Logger:            mock_logger.New(t),
+			Logger: testingLogger.New(t),
+			Clock:  clock.Fake(expiryTime.Add(-time.Hour)),
 		}
-		out, err := u.Do(ctx, in)
+		got, err := u.Do(ctx, in)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
 			AlreadyHasValidIDToken: true,
-			IDToken:                "VALID_ID_TOKEN",
-			IDTokenSubject:         "YOUR_SUBJECT",
-			IDTokenExpiry:          futureTime,
-			IDTokenClaims:          dummyTokenClaims,
+			IDToken:                cachedIDToken,
+			IDTokenClaims: jwt.Claims{
+				Subject: "SUBJECT",
+				Expiry:  expiryTime,
+				Pretty: `{
+  "exp": 1577934245,
+  "iss": "https://issuer.example.com",
+  "sub": "SUBJECT"
+}`,
+			},
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -70,53 +80,43 @@ func TestAuthentication_Do(t *testing.T) {
 			IssuerURL:    "https://issuer.example.com",
 			ClientID:     "YOUR_CLIENT_ID",
 			ClientSecret: "YOUR_CLIENT_SECRET",
-			IDToken:      "EXPIRED_ID_TOKEN",
+			IDToken:      cachedIDToken,
 			RefreshToken: "VALID_REFRESH_TOKEN",
 		}
-		mockDecoder := mock_jwtdecoder.NewMockInterface(ctrl)
-		mockDecoder.EXPECT().
-			Decode("EXPIRED_ID_TOKEN").
-			Return(&jwtdecoder.Claims{
-				Subject: "YOUR_SUBJECT",
-				Expiry:  pastTime,
-				Pretty:  dummyTokenClaims,
-			}, nil)
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			Refresh(ctx, "VALID_REFRESH_TOKEN").
 			Return(&oidcclient.TokenSet{
-				IDToken:        "NEW_ID_TOKEN",
-				RefreshToken:   "NEW_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "NEW_ID_TOKEN",
+				RefreshToken:  "NEW_REFRESH_TOKEN",
+				IDTokenClaims: dummyClaims,
 			}, nil)
-		mockOIDCClientFactory := mock_oidcclient.NewMockFactoryInterface(ctrl)
-		mockOIDCClientFactory.EXPECT().
-			New(ctx, oidcclient.Config{
-				IssuerURL:    "https://issuer.example.com",
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			}).
-			Return(mockOIDCClient, nil)
 		u := Authentication{
-			OIDCClientFactory: mockOIDCClientFactory,
-			JWTDecoder:        mockDecoder,
-			Logger:            mock_logger.New(t),
+			NewOIDCClient: func(_ context.Context, got oidcclient.Config) (oidcclient.Interface, error) {
+				want := oidcclient.Config{
+					IssuerURL:    "https://issuer.example.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				}
+				if diff := cmp.Diff(want, got, cmpIgnoreLogger); diff != "" {
+					t.Errorf("mismatch (-want +got):\n%s", diff)
+				}
+				return mockOIDCClient, nil
+			},
+			Logger: testingLogger.New(t),
+			Clock:  clock.Fake(expiryTime.Add(+time.Hour)),
 		}
-		out, err := u.Do(ctx, in)
+		got, err := u.Do(ctx, in)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "NEW_ID_TOKEN",
-			RefreshToken:   "NEW_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "NEW_ID_TOKEN",
+			RefreshToken:  "NEW_REFRESH_TOKEN",
+			IDTokenClaims: dummyClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -135,17 +135,9 @@ func TestAuthentication_Do(t *testing.T) {
 			IssuerURL:    "https://issuer.example.com",
 			ClientID:     "YOUR_CLIENT_ID",
 			ClientSecret: "YOUR_CLIENT_SECRET",
-			IDToken:      "EXPIRED_ID_TOKEN",
+			IDToken:      cachedIDToken,
 			RefreshToken: "EXPIRED_REFRESH_TOKEN",
 		}
-		mockDecoder := mock_jwtdecoder.NewMockInterface(ctrl)
-		mockDecoder.EXPECT().
-			Decode("EXPIRED_ID_TOKEN").
-			Return(&jwtdecoder.Claims{
-				Subject: "YOUR_SUBJECT",
-				Expiry:  pastTime,
-				Pretty:  dummyTokenClaims,
-			}, nil)
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			Refresh(ctx, "EXPIRED_REFRESH_TOKEN").
@@ -156,41 +148,39 @@ func TestAuthentication_Do(t *testing.T) {
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
 			Return(&oidcclient.TokenSet{
-				IDToken:        "NEW_ID_TOKEN",
-				RefreshToken:   "NEW_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "NEW_ID_TOKEN",
+				RefreshToken:  "NEW_REFRESH_TOKEN",
+				IDTokenClaims: dummyClaims,
 			}, nil)
-		mockOIDCClientFactory := mock_oidcclient.NewMockFactoryInterface(ctrl)
-		mockOIDCClientFactory.EXPECT().
-			New(ctx, oidcclient.Config{
-				IssuerURL:    "https://issuer.example.com",
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			}).
-			Return(mockOIDCClient, nil)
 		u := Authentication{
-			OIDCClientFactory: mockOIDCClientFactory,
-			JWTDecoder:        mockDecoder,
-			Logger:            mock_logger.New(t),
+			NewOIDCClient: func(_ context.Context, got oidcclient.Config) (oidcclient.Interface, error) {
+				want := oidcclient.Config{
+					IssuerURL:    "https://issuer.example.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				}
+				if diff := cmp.Diff(want, got, cmpIgnoreLogger); diff != "" {
+					t.Errorf("mismatch (-want +got):\n%s", diff)
+				}
+				return mockOIDCClient, nil
+			},
+			Logger: testingLogger.New(t),
+			Clock:  clock.Fake(expiryTime.Add(+time.Hour)),
 			AuthCode: &AuthCode{
-				Logger: mock_logger.New(t),
+				Logger: testingLogger.New(t),
 			},
 		}
-		out, err := u.Do(ctx, in)
+		got, err := u.Do(ctx, in)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "NEW_ID_TOKEN",
-			RefreshToken:   "NEW_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "NEW_ID_TOKEN",
+			RefreshToken:  "NEW_REFRESH_TOKEN",
+			IDTokenClaims: dummyClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -214,40 +204,38 @@ func TestAuthentication_Do(t *testing.T) {
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyClaims,
 			}, nil)
-		mockOIDCClientFactory := mock_oidcclient.NewMockFactoryInterface(ctrl)
-		mockOIDCClientFactory.EXPECT().
-			New(ctx, oidcclient.Config{
-				IssuerURL:    "https://issuer.example.com",
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
-			}).
-			Return(mockOIDCClient, nil)
 		u := Authentication{
-			OIDCClientFactory: mockOIDCClientFactory,
-			Logger:            mock_logger.New(t),
+			NewOIDCClient: func(_ context.Context, got oidcclient.Config) (oidcclient.Interface, error) {
+				want := oidcclient.Config{
+					IssuerURL:    "https://issuer.example.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				}
+				if diff := cmp.Diff(want, got, cmpIgnoreLogger); diff != "" {
+					t.Errorf("mismatch (-want +got):\n%s", diff)
+				}
+				return mockOIDCClient, nil
+			},
+			Logger: testingLogger.New(t),
 			ROPC: &ROPC{
-				Logger: mock_logger.New(t),
+				Logger: testingLogger.New(t),
 			},
 		}
-		out, err := u.Do(ctx, in)
+		got, err := u.Do(ctx, in)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 }

pkg/usecases/authentication/password.go

@@ -3,15 +3,15 @@ package authentication
 import (
 	"context"
 
-	"github.com/int128/kubelogin/pkg/adaptors/env"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
+	"github.com/int128/kubelogin/pkg/adaptors/reader"
 	"golang.org/x/xerrors"
 )
 
 // ROPC provides the resource owner password credentials flow.
 type ROPC struct {
-	Env    env.Interface
+	Reader reader.Interface
 	Logger logger.Interface
 }
 
@@ -19,27 +19,25 @@ func (u *ROPC) Do(ctx context.Context, in *ROPCOption, client oidcclient.Interfa
 	u.Logger.V(1).Infof("performing the resource owner password credentials flow")
 	if in.Username == "" {
 		var err error
-		in.Username, err = u.Env.ReadString(usernamePrompt)
+		in.Username, err = u.Reader.ReadString(usernamePrompt)
 		if err != nil {
-			return nil, xerrors.Errorf("could not get the username: %w", err)
+			return nil, xerrors.Errorf("could not read a username: %w", err)
 		}
 	}
 	if in.Password == "" {
 		var err error
-		in.Password, err = u.Env.ReadPassword(passwordPrompt)
+		in.Password, err = u.Reader.ReadPassword(passwordPrompt)
 		if err != nil {
 			return nil, xerrors.Errorf("could not read a password: %w", err)
 		}
 	}
 	tokenSet, err := client.GetTokenByROPC(ctx, in.Username, in.Password)
 	if err != nil {
-		return nil, xerrors.Errorf("error while the resource owner password credentials flow: %w", err)
+		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
 	}
 	return &Output{
-		IDToken:        tokenSet.IDToken,
-		RefreshToken:   tokenSet.RefreshToken,
-		IDTokenSubject: tokenSet.IDTokenSubject,
-		IDTokenExpiry:  tokenSet.IDTokenExpiry,
-		IDTokenClaims:  tokenSet.IDTokenClaims,
+		IDToken:       tokenSet.IDToken,
+		IDTokenClaims: tokenSet.IDTokenClaims,
+		RefreshToken:  tokenSet.RefreshToken,
 	}, nil
 }

pkg/usecases/authentication/password_test.go

@@ -5,18 +5,22 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-test/deep"
 	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/env/mock_env"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
+	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
+	"github.com/int128/kubelogin/pkg/adaptors/reader/mock_reader"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+	"github.com/int128/kubelogin/pkg/testing/logger"
 	"golang.org/x/xerrors"
 )
 
 func TestROPC_Do(t *testing.T) {
-	dummyTokenClaims := map[string]string{"sub": "YOUR_SUBJECT"}
-	futureTime := time.Now().Add(time.Hour) //TODO: inject time service
+	dummyTokenClaims := jwt.Claims{
+		Subject: "YOUR_SUBJECT",
+		Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
+		Pretty:  "PRETTY_JSON",
+	}
 	timeout := 5 * time.Second
 
 	t.Run("AskUsernameAndPassword", func(t *testing.T) {
@@ -29,32 +33,28 @@ func TestROPC_Do(t *testing.T) {
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockEnv := mock_env.NewMockInterface(ctrl)
-		mockEnv.EXPECT().ReadString(usernamePrompt).Return("USER", nil)
-		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
+		mockReader := mock_reader.NewMockInterface(ctrl)
+		mockReader.EXPECT().ReadString(usernamePrompt).Return("USER", nil)
+		mockReader.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
 		u := ROPC{
-			Env:    mockEnv,
-			Logger: mock_logger.New(t),
+			Reader: mockReader,
+			Logger: logger.New(t),
 		}
-		out, err := u.Do(ctx, o, mockOIDCClient)
+		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyTokenClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -71,28 +71,24 @@ func TestROPC_Do(t *testing.T) {
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
 		u := ROPC{
-			Logger: mock_logger.New(t),
+			Logger: logger.New(t),
 		}
-		out, err := u.Do(ctx, o, mockOIDCClient)
+		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyTokenClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -108,31 +104,27 @@ func TestROPC_Do(t *testing.T) {
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
 			Return(&oidcclient.TokenSet{
-				IDToken:        "YOUR_ID_TOKEN",
-				RefreshToken:   "YOUR_REFRESH_TOKEN",
-				IDTokenSubject: "YOUR_SUBJECT",
-				IDTokenExpiry:  futureTime,
-				IDTokenClaims:  dummyTokenClaims,
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
-		mockEnv := mock_env.NewMockInterface(ctrl)
+		mockEnv := mock_reader.NewMockInterface(ctrl)
 		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
 		u := ROPC{
-			Env:    mockEnv,
-			Logger: mock_logger.New(t),
+			Reader: mockEnv,
+			Logger: logger.New(t),
 		}
-		out, err := u.Do(ctx, o, mockOIDCClient)
+		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			IDToken:        "YOUR_ID_TOKEN",
-			RefreshToken:   "YOUR_REFRESH_TOKEN",
-			IDTokenSubject: "YOUR_SUBJECT",
-			IDTokenExpiry:  futureTime,
-			IDTokenClaims:  dummyTokenClaims,
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyTokenClaims,
 		}
-		if diff := deep.Equal(want, out); diff != nil {
-			t.Error(diff)
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 
@@ -144,11 +136,11 @@ func TestROPC_Do(t *testing.T) {
 		o := &ROPCOption{
 			Username: "USER",
 		}
-		mockEnv := mock_env.NewMockInterface(ctrl)
+		mockEnv := mock_reader.NewMockInterface(ctrl)
 		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("", xerrors.New("error"))
 		u := ROPC{
-			Env:    mockEnv,
-			Logger: mock_logger.New(t),
+			Reader: mockEnv,
+			Logger: logger.New(t),
 		}
 		out, err := u.Do(ctx, o, mock_oidcclient.NewMockInterface(ctrl))
 		if err == nil {

pkg/usecases/credentialplugin/get_token.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
@@ -32,7 +32,8 @@ type Input struct {
 	ClientID       string
 	ClientSecret   string
 	ExtraScopes    []string // optional
-	CACertFilename string   // If set, use the CA cert
+	CACertFilename string   // optional
+	CACertData     string   // optional
 	SkipTLSVerify  bool
 	TokenCacheDir  string
 	GrantOptionSet authentication.GrantOptionSet
@@ -41,8 +42,8 @@ type Input struct {
 type GetToken struct {
 	Authentication       authentication.Interface
 	TokenCacheRepository tokencache.Interface
-	CertPoolFactory      certpool.FactoryInterface
-	Interaction          credentialplugin.Interface
+	NewCertPool          certpool.NewFunc
+	Writer               credentialpluginwriter.Interface
 	Logger               logger.Interface
 }
 
@@ -50,10 +51,10 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 	u.Logger.V(1).Infof("WARNING: log may contain your secrets such as token or password")
 	out, err := u.getTokenFromCacheOrProvider(ctx, in)
 	if err != nil {
-		return xerrors.Errorf("could not get a token from the cache or provider: %w", err)
+		return xerrors.Errorf("could not get a token: %w", err)
 	}
 	u.Logger.V(1).Infof("writing the token to client-go")
-	if err := u.Interaction.Write(credentialplugin.Output{Token: out.IDToken, Expiry: out.IDTokenExpiry}); err != nil {
+	if err := u.Writer.Write(credentialpluginwriter.Output{Token: out.IDToken, Expiry: out.IDTokenClaims.Expiry}); err != nil {
 		return xerrors.Errorf("could not write the token to client-go: %w", err)
 	}
 	return nil
@@ -61,16 +62,29 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 
 func (u *GetToken) getTokenFromCacheOrProvider(ctx context.Context, in Input) (*authentication.Output, error) {
 	u.Logger.V(1).Infof("finding a token from cache directory %s", in.TokenCacheDir)
-	cacheKey := tokencache.Key{IssuerURL: in.IssuerURL, ClientID: in.ClientID}
-	cache, err := u.TokenCacheRepository.FindByKey(in.TokenCacheDir, cacheKey)
+	tokenCacheKey := tokencache.Key{
+		IssuerURL:      in.IssuerURL,
+		ClientID:       in.ClientID,
+		ClientSecret:   in.ClientSecret,
+		ExtraScopes:    in.ExtraScopes,
+		CACertFilename: in.CACertFilename,
+		CACertData:     in.CACertData,
+		SkipTLSVerify:  in.SkipTLSVerify,
+	}
+	tokenCacheValue, err := u.TokenCacheRepository.FindByKey(in.TokenCacheDir, tokenCacheKey)
 	if err != nil {
 		u.Logger.V(1).Infof("could not find a token cache: %s", err)
-		cache = &tokencache.TokenCache{}
+		tokenCacheValue = &tokencache.Value{}
 	}
-	certPool := u.CertPoolFactory.New()
+	certPool := u.NewCertPool()
 	if in.CACertFilename != "" {
 		if err := certPool.AddFile(in.CACertFilename); err != nil {
-			return nil, xerrors.Errorf("could not load the certificate: %w", err)
+			return nil, xerrors.Errorf("could not load the certificate file: %w", err)
+		}
+	}
+	if in.CACertData != "" {
+		if err := certPool.AddBase64Encoded(in.CACertData); err != nil {
+			return nil, xerrors.Errorf("could not load the certificate data: %w", err)
 		}
 	}
 	out, err := u.Authentication.Do(ctx, authentication.Input{
@@ -80,27 +94,25 @@ func (u *GetToken) getTokenFromCacheOrProvider(ctx context.Context, in Input) (*
 		ExtraScopes:    in.ExtraScopes,
 		CertPool:       certPool,
 		SkipTLSVerify:  in.SkipTLSVerify,
-		IDToken:        cache.IDToken,
-		RefreshToken:   cache.RefreshToken,
+		IDToken:        tokenCacheValue.IDToken,
+		RefreshToken:   tokenCacheValue.RefreshToken,
 		GrantOptionSet: in.GrantOptionSet,
 	})
 	if err != nil {
-		return nil, xerrors.Errorf("error while authentication: %w", err)
-	}
-	for k, v := range out.IDTokenClaims {
-		u.Logger.V(1).Infof("the ID token has the claim: %s=%v", k, v)
+		return nil, xerrors.Errorf("authentication error: %w", err)
 	}
+	u.Logger.V(1).Infof("you got a token: %s", out.IDTokenClaims.Pretty)
 	if out.AlreadyHasValidIDToken {
-		u.Logger.V(1).Infof("you already have a valid token until %s", out.IDTokenExpiry)
+		u.Logger.V(1).Infof("you already have a valid token until %s", out.IDTokenClaims.Expiry)
 		return out, nil
 	}
 
-	u.Logger.V(1).Infof("you got a valid token until %s", out.IDTokenExpiry)
-	newCache := tokencache.TokenCache{
+	u.Logger.V(1).Infof("you got a valid token until %s", out.IDTokenClaims.Expiry)
+	newTokenCacheValue := tokencache.Value{
 		IDToken:      out.IDToken,
 		RefreshToken: out.RefreshToken,
 	}
-	if err := u.TokenCacheRepository.Save(in.TokenCacheDir, cacheKey, newCache); err != nil {
+	if err := u.TokenCacheRepository.Save(in.TokenCacheDir, tokenCacheKey, newTokenCacheValue); err != nil {
 		return nil, xerrors.Errorf("could not write the token cache: %w", err)
 	}
 	return out, nil