Bump the version

Add linux_arm and linux_arm64 binary to distribution (#275 )
Delete snapcraft.yaml
2026-02-27 23:43:49 +00:00 · 2020-04-11 17:14:59 +09:00 · 2020-04-11 17:14:00 +09:00 · 2020-04-11 16:10:48 +09:00 · 2020-04-11 15:57:57 +09:00 · 2020-04-11 15:57:17 +09:00
34 changed files with 326 additions and 268 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,17 +2,28 @@ version: 2
 jobs:
  build:
    docker:
-      - image: circleci/golang:1.14.1
+      - image: cimg/go:1.14
    steps:
-      - run: mkdir -p ~/bin
-      - run: echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
+      - run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
      - checkout
-      - run: make ci-setup-linux-amd64
-      - run: make VERSION=$CIRCLE_TAG ci
+      - restore_cache:
+          keys:
+            - go-sum-{{ checksum "go.sum" }}
+      - run:
+          command: go get -v github.com/int128/goxzst github.com/int128/ghcp
+          working_directory: .circleci
+      - run: make check
+      - run: bash <(curl -s https://codecov.io/bash)
+      - run: make dist
      - run: |
          if [ "$CIRCLE_TAG" ]; then
-            make VERSION=$CIRCLE_TAG GITHUB_USERNAME=$CIRCLE_PROJECT_USERNAME GITHUB_REPONAME=$CIRCLE_PROJECT_REPONAME release
+            make release
          fi
+      - save_cache:
+          key: go-sum-{{ checksum "go.sum" }}
+          paths:
+            - ~/go/pkg
      - store_artifacts:
          path: gotest.log

--- a/.circleci/go.mod
+++ b/.circleci/go.mod
@@ -0,0 +1,3 @@
+module github.com/int128/kubelogin/.circleci
+
+go 1.13
--- a/31
+++ b/31
@@ -1,10 +1,11 @@
-# CI must provide the following variables (on tag push)
-# VERSION
-# GITHUB_USERNAME
-# GITHUB_REPONAME
+# CircleCI specific variables
+CIRCLE_TAG ?= latest
+GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
+GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)

 TARGET := kubelogin
-VERSION ?= latest
+TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
+VERSION ?= $(CIRCLE_TAG)
 LDFLAGS := -X main.version=$(VERSION)

 all: $(TARGET)
@@ -12,12 +13,6 @@ all: $(TARGET)
 $(TARGET): $(wildcard **/*.go)
 	go build -o $@ -ldflags "$(LDFLAGS)"

-.PHONY: ci
-ci:
-	$(MAKE) check
-	bash -c "bash <(curl -s https://codecov.io/bash)"
-	$(MAKE) dist
-
 .PHONY: check
 check:
 	golangci-lint run
@@ -27,7 +22,7 @@ check:
 dist: dist/output
 dist/output:
 	# make the zip files for GitHub Releases
-	VERSION=$(VERSION) CGO_ENABLED=0 goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
+	VERSION=$(VERSION) CGO_ENABLED=0 goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
 	# test the zip file
 	zipinfo dist/output/kubelogin_linux_amd64.zip
 	# make the krew yaml structure
@@ -52,15 +47,3 @@ clean:
 	-rm $(TARGET)
 	-rm -r dist/output/
 	-rm coverage.out gotest.log
-
-.PHONY: ci-setup-linux-amd64
-ci-setup-linux-amd64:
-	mkdir -p ~/bin
-	# https://github.com/golangci/golangci-lint
-	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.24.0
-	# https://github.com/int128/goxzst
-	curl -sfL -o /tmp/goxzst.zip https://github.com/int128/goxzst/releases/download/v0.3.0/goxzst_linux_amd64.zip
-	unzip /tmp/goxzst.zip -d ~/bin
-	# https://github.com/int128/ghcp
-	curl -sfL -o /tmp/ghcp.zip https://github.com/int128/ghcp/releases/download/v1.8.0/ghcp_linux_amd64.zip
-	unzip /tmp/ghcp.zip -d ~/bin
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ brew install int128/kubelogin/kubelogin
 kubectl krew install oidc-login

 # GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.18.0/kubelogin_linux_amd64.zip
+curl -LO https://github.com/int128/kubelogin/releases/download/v1.19.0/kubelogin_linux_amd64.zip
 unzip kubelogin_linux_amd64.zip
 ln -s kubelogin kubectl-oidc_login
 ```
@@ -128,6 +128,7 @@ Flags:
      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
      --listen-port ints                                (Deprecated: use --listen-address)
      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
      --username string                                 If set, perform the resource owner password credentials grant
      --password string                                 If set, use the password instead of asking it
@@ -192,6 +193,12 @@ You can change the listening address.
      - --listen-address=127.0.0.1:23456
 ```

+You can change the hostname of redirect URI from the default value `localhost`.
+
+```yaml
+      - --oidc-redirect-url-hostname=127.0.0.1
+```
+
 You can add extra parameters to the authentication request.

 ```yaml
@@ -281,7 +288,7 @@ users:
      - /tmp/.token-cache:/.token-cache
      - -p
      - 8000:8000
-      - quay.io/int128/kubelogin:v1.18.0
+      - quay.io/int128/kubelogin:v1.19.0
      - get-token
      - --token-cache-dir=/.token-cache
      - --listen-address=0.0.0.0:8000
--- a/acceptance_test/Makefile
+++ b/acceptance_test/Makefile
@@ -93,7 +93,8 @@ cluster: dex create-cluster
 create-cluster: $(OUTPUT_DIR)/ca.crt
 	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-acceptance-test-dex-ca.crt
 	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
-	kubectl apply -f role.yaml
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com

 # clean up the resources
 .PHONY: clean
--- a/acceptance_test/role.yaml
+++ b/acceptance_test/role.yaml
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: readonly-all-resources
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["get", "watch", "list"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: readonly-all-resources
-subjects:
-  - kind: User
-    name: admin@example.com
-    apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: readonly-all-resources
-  apiGroup: rbac.authorization.k8s.io
--- a/dist/oidc-login.yaml
+++ b/dist/oidc-login.yaml
@@ -62,3 +62,27 @@ spec:
        matchLabels:
          os: windows
          arch: amd64
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
+      sha256: "{{ sha256 .linux_arm_archive }}"
+      bin: kubelogin
+      files:
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
+      selector:
+        matchLabels:
+          os: linux
+          arch: arm
+    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
+      sha256: "{{ sha256 .linux_arm64_archive }}"
+      bin: kubelogin
+      files:
+        - from: kubelogin
+          to: .
+        - from: LICENSE
+          to: .
+      selector:
+        matchLabels:
+          os: linux
+          arch: arm64
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -152,24 +152,9 @@ kubectl oidc-login setup --help
 ## 3. Bind a cluster role

 Here bind `cluster-admin` role to you.
-Apply the following manifest:
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: oidc-cluster-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
- kind: User
-  name: ISSUER_URL#YOUR_SUBJECT
-```

 ```sh
-kubectl apply -f oidc-cluster-admin.yaml
+kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
 ```

 As well as you can create a custom cluster role and bind it.
--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -99,31 +99,33 @@ Available Commands:
  version     Print the version information

 Flags:
-      --kubeconfig string                Path to the kubeconfig file
-      --context string                   The name of the kubeconfig context to use
-      --user string                      The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string     Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --grant-type string                The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-address strings           Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
-      --listen-port ints                 (Deprecated: use --listen-address)
-      --skip-open-browser                If true, it does not open the browser on authentication
-      --username string                  If set, perform the resource owner password credentials grant
-      --password string                  If set, use the password instead of asking it
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-  -h, --help                             help for main
-      --version                          version for main
+      --kubeconfig string                               Path to the kubeconfig file
+      --context string                                  The name of the kubeconfig context to use
+      --user string                                     The name of the kubeconfig user to use. Prior to --context
+      --certificate-authority string                    Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
+      --add_dir_header                                  If true, adds the file directory to the header
+      --alsologtostderr                                 log to standard error as well as files
+      --log_backtrace_at traceLocation                  when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                                  If non-empty, write log files in this directory
+      --log_file string                                 If non-empty, use this log file
+      --log_file_max_size uint                          Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                                     log to standard error instead of files (default true)
+      --skip_headers                                    If true, avoid header prefixes in the log messages
+      --skip_log_headers                                If true, avoid headers when opening log files
+      --stderrthreshold severity                        logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                                         number for the log level verbosity
+      --vmodule moduleSpec                              comma-separated list of pattern=N settings for file-filtered logging
+  -h, --help                                            help for kubelogin
+      --version                                         version for kubelogin
 ```

 ### Kubeconfig
--- a/go.mod
+++ b/go.mod
@@ -9,18 +9,18 @@ require (
 	github.com/golang/mock v1.4.3
 	github.com/google/go-cmp v0.4.0
 	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.10.0
+	github.com/int128/oauth2cli v1.11.0
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v0.0.6
+	github.com/spf13/cobra v0.0.7
 	github.com/spf13/pflag v1.0.5
 	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
+	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
 	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
 	gopkg.in/yaml.v2 v2.2.8
-	k8s.io/apimachinery v0.17.4
-	k8s.io/client-go v0.17.4
+	k8s.io/apimachinery v0.18.1
+	k8s.io/client-go v0.18.1
 	k8s.io/klog v1.0.0
 )
--- a/go.sum
+++ b/go.sum
@@ -32,7 +32,6 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -40,7 +39,7 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -63,8 +62,8 @@ github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
 github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -85,9 +84,10 @@ github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
@@ -96,6 +96,7 @@ github.com/google/wire v0.4.0 h1:kXcsA/rIGzJImVqPdhfnr6q0xsS9gU0515q1EPpJ9fE=
 github.com/google/wire v0.4.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
@@ -110,12 +111,12 @@ github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/int128/listener v1.0.0 h1:a9H3m4jbXgXpxJUK3fxWrh37Iic/UU/kYOGE0WtjbbI=
-github.com/int128/listener v1.0.0/go.mod h1:sho0rrH7mNRRZH4hYOYx+xwRDGmtRndaUiu2z9iumes=
-github.com/int128/oauth2cli v1.10.0 h1:ypYxwjuBblyTRTdZTFQLgA08gYhVwsdlBEvuoNs6Xsw=
-github.com/int128/oauth2cli v1.10.0/go.mod h1:m5tJro14TyPDlIg+RIlGVnavkm1kTooROlcFlnhteVo=
+github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
+github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
+github.com/int128/oauth2cli v1.11.0 h1:yohafseIxX8xESedQOxB3rpuuodDowYiPaTFMpqPP3Q=
+github.com/int128/oauth2cli v1.11.0/go.mod h1:O3Tjuj1cyQCuM11KbH2ffh0O6LRX0+O97Z3InsY0M3g=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -142,7 +143,6 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
@@ -152,7 +152,7 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
@@ -160,7 +160,6 @@ github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 h1:49lOXmGaUpV9Fz3gd7TFZY106KVlPVa5jcYD1gaQf98=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
@@ -183,8 +182,8 @@ github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasO
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.6 h1:breEStsVwemnKh2/s6gMvSdMEkwW0sK8vGStnlVBMCs=
-github.com/spf13/cobra v0.0.6/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/cobra v0.0.7 h1:FfTH+vuMXOas8jmfb5/M7dzEYx7LpcLb7a0LPe34uOU=
+github.com/spf13/cobra v0.0.7/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
@@ -194,7 +193,6 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -247,8 +245,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -258,8 +256,7 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -281,8 +278,6 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
@@ -316,24 +311,28 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo=
-k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
-k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw=
-k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
-k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=
-k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc=
+k8s.io/api v0.18.1 h1:pnHr0LH69kvL29eHldoepUDKTuiOejNZI2A1gaxve3Q=
+k8s.io/api v0.18.1/go.mod h1:3My4jorQWzSs5a+l7Ge6JBbIxChLnY8HnuT58ZWolss=
+k8s.io/apimachinery v0.18.1 h1:hKPYcQRPLQoG2e7fKkVl0YCvm9TBefXTfGILa9vjVVk=
+k8s.io/apimachinery v0.18.1/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA=
+k8s.io/client-go v0.18.1 h1:2+fnu4LwKJjZVOwijkm1UqZG9aQoFsKEpipOzdfcTD8=
+k8s.io/client-go v0.18.1/go.mod h1:iCikYRiXOj/yRRFE/aWqrpPtDt4P2JVWhtHkmESTcfY=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo=
-k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
+k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU=
+k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/integration_test/credetial_plugin_test.go
+++ b/integration_test/credetial_plugin_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/integration_test/idp"
 	"github.com/int128/kubelogin/integration_test/idp/mock_idp"
-	"github.com/int128/kubelogin/integration_test/keys"
+	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/localserver"
 	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
@@ -43,9 +43,9 @@ func TestCredentialPlugin(t *testing.T) {

 	t.Run("NoTLS", func(t *testing.T) {
 		testCredentialPlugin(t, credentialPluginTestCase{
-			TokenCacheDir: tokenCacheDir,
-			Keys:          keys.None,
-			ExtraArgs: []string{
+			tokenCacheDir: tokenCacheDir,
+			idpTLS:        keypair.None,
+			extraArgs: []string{
 				"--token-cache-dir", tokenCacheDir,
 			},
 		})
@@ -53,23 +53,23 @@ func TestCredentialPlugin(t *testing.T) {
 	t.Run("TLS", func(t *testing.T) {
 		t.Run("CertFile", func(t *testing.T) {
 			testCredentialPlugin(t, credentialPluginTestCase{
-				TokenCacheDir: tokenCacheDir,
-				TokenCacheKey: tokencache.Key{CACertFilename: keys.Server.CACertPath},
-				Keys:          keys.Server,
-				ExtraArgs: []string{
+				tokenCacheDir: tokenCacheDir,
+				tokenCacheKey: tokencache.Key{CACertFilename: keypair.Server.CACertPath},
+				idpTLS:        keypair.Server,
+				extraArgs: []string{
 					"--token-cache-dir", tokenCacheDir,
-					"--certificate-authority", keys.Server.CACertPath,
+					"--certificate-authority", keypair.Server.CACertPath,
 				},
 			})
 		})
 		t.Run("CertData", func(t *testing.T) {
 			testCredentialPlugin(t, credentialPluginTestCase{
-				TokenCacheDir: tokenCacheDir,
-				TokenCacheKey: tokencache.Key{CACertData: keys.Server.CACertBase64},
-				Keys:          keys.Server,
-				ExtraArgs: []string{
+				tokenCacheDir: tokenCacheDir,
+				tokenCacheKey: tokencache.Key{CACertData: keypair.Server.CACertBase64},
+				idpTLS:        keypair.Server,
+				extraArgs: []string{
 					"--token-cache-dir", tokenCacheDir,
-					"--certificate-authority-data", keys.Server.CACertBase64,
+					"--certificate-authority-data", keypair.Server.CACertBase64,
 				},
 			})
 		})
@@ -77,10 +77,10 @@ func TestCredentialPlugin(t *testing.T) {
 }

 type credentialPluginTestCase struct {
-	TokenCacheDir string
-	TokenCacheKey tokencache.Key
-	Keys          keys.Keys
-	ExtraArgs     []string
+	tokenCacheDir string
+	tokenCacheKey tokencache.Key
+	idpTLS        keypair.KeyPair
+	extraArgs     []string
 }

 func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
@@ -94,18 +94,22 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "openid", nil, &idToken)
-		writerMock := newCredentialPluginWriterMock(t, ctrl, &idToken)
-		browserMock := newBrowserMock(ctx, t, ctrl, tc.Keys)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)

 		args := []string{
 			"--oidc-issuer-url", serverURL,
 			"--oidc-client-id", "kubernetes",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 	})

@@ -117,7 +121,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
 		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
 		setupROPCFlow(provider, serverURL, "openid", "USER", "PASS", idToken)
@@ -130,7 +134,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 			"--username", "USER",
 			"--password", "PASS",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 	})

@@ -142,7 +146,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
 		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
 		writerMock := newCredentialPluginWriterMock(t, ctrl, &idToken)
@@ -156,7 +160,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 			"--oidc-issuer-url", serverURL,
 			"--oidc-client-id", "kubernetes",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 		assertTokenCache(t, tc, serverURL, tokencache.Value{
 			IDToken:      idToken,
@@ -172,7 +176,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
 		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
 		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
@@ -193,7 +197,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 			"--oidc-issuer-url", serverURL,
 			"--oidc-client-id", "kubernetes",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 		assertTokenCache(t, tc, serverURL, tokencache.Value{
 			IDToken:      validIDToken,
@@ -209,31 +213,35 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
-		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)

-		setupAuthCodeFlow(t, provider, serverURL, "openid", nil, &validIDToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
 		provider.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
 			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
 			MaxTimes(2) // package oauth2 will retry refreshing the token

+		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
 		setupTokenCache(t, tc, serverURL, tokencache.Value{
 			IDToken:      expiredIDToken,
 			RefreshToken: "EXPIRED_REFRESH_TOKEN",
 		})
-		writerMock := newCredentialPluginWriterMock(t, ctrl, &validIDToken)
-		browserMock := newBrowserMock(ctx, t, ctrl, tc.Keys)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)

 		args := []string{
 			"--oidc-issuer-url", serverURL,
 			"--oidc-client-id", "kubernetes",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 		assertTokenCache(t, tc, serverURL, tokencache.Value{
-			IDToken:      validIDToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -246,12 +254,16 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "email profile openid", nil, &idToken)
-		writerMock := newCredentialPluginWriterMock(t, ctrl, &idToken)
-		browserMock := newBrowserMock(ctx, t, ctrl, tc.Keys)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "email profile openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)

 		args := []string{
 			"--oidc-issuer-url", serverURL,
@@ -259,7 +271,35 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 			"--oidc-extra-scope", "email",
 			"--oidc-extra-scope", "profile",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
+		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
+	})
+
+	t.Run("RedirectURLHostname", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		provider := mock_idp.NewMockProvider(ctrl)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
+		defer server.Shutdown(t, ctx)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://127.0.0.1:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)
+
+		args := []string{
+			"--oidc-issuer-url", serverURL,
+			"--oidc-client-id", "kubernetes",
+			"--oidc-redirect-url-hostname", "127.0.0.1",
+		}
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 	})

@@ -271,15 +311,20 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 		defer ctrl.Finish()

 		provider := mock_idp.NewMockProvider(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.Keys)
+		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), tc.idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "openid", map[string]string{
-			"ttl":    "86400",
-			"reauth": "false",
-		}, &idToken)
-		writerMock := newCredentialPluginWriterMock(t, ctrl, &idToken)
-		browserMock := newBrowserMock(ctx, t, ctrl, tc.Keys)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+			extraParams: map[string]string{
+				"ttl":    "86400",
+				"reauth": "false",
+			},
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
+		writerMock := newCredentialPluginWriterMock(t, ctrl, &cfg.idToken)
+		browserMock := newBrowserMock(ctx, t, ctrl, tc.idpTLS)

 		args := []string{
 			"--oidc-issuer-url", serverURL,
@@ -287,7 +332,7 @@ func testCredentialPlugin(t *testing.T, tc credentialPluginTestCase) {
 			"--oidc-auth-request-extra-params", "ttl=86400",
 			"--oidc-auth-request-extra-params", "reauth=false",
 		}
-		args = append(args, tc.ExtraArgs...)
+		args = append(args, tc.extraArgs...)
 		runGetTokenCmd(t, ctx, browserMock, writerMock, args)
 	})
 }
@@ -322,22 +367,22 @@ func runGetTokenCmd(t *testing.T, ctx context.Context, b browser.Interface, w cr
 }

 func setupTokenCache(t *testing.T, tc credentialPluginTestCase, serverURL string, v tokencache.Value) {
-	k := tc.TokenCacheKey
+	k := tc.tokenCacheKey
 	k.IssuerURL = serverURL
 	k.ClientID = "kubernetes"
 	var r tokencache.Repository
-	err := r.Save(tc.TokenCacheDir, k, v)
+	err := r.Save(tc.tokenCacheDir, k, v)
 	if err != nil {
 		t.Errorf("could not set up the token cache: %s", err)
 	}
 }

 func assertTokenCache(t *testing.T, tc credentialPluginTestCase, serverURL string, want tokencache.Value) {
-	k := tc.TokenCacheKey
+	k := tc.tokenCacheKey
 	k.IssuerURL = serverURL
 	k.ClientID = "kubernetes"
 	var r tokencache.Repository
-	got, err := r.FindByKey(tc.TokenCacheDir, k)
+	got, err := r.FindByKey(tc.tokenCacheDir, k)
 	if err != nil {
 		t.Errorf("could not set up the token cache: %s", err)
 	}
--- a/integration_test/helpers_test.go
+++ b/integration_test/helpers_test.go
@@ -3,13 +3,14 @@ package integration_test
 import (
 	"context"
 	"net/http"
+	"strings"
 	"testing"
 	"time"

 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/integration_test/idp"
 	"github.com/int128/kubelogin/integration_test/idp/mock_idp"
-	"github.com/int128/kubelogin/integration_test/keys"
+	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
 	"github.com/int128/kubelogin/pkg/testing/jwt"
@@ -33,16 +34,29 @@ func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
 	})
 }

-func setupAuthCodeFlow(t *testing.T, provider *mock_idp.MockProvider, serverURL, scope string, extraParams map[string]string, idToken *string) {
+type authCodeFlowConfig struct {
+	serverURL         string
+	scope             string
+	redirectURIPrefix string
+	extraParams       map[string]string
+
+	// setupAuthCodeFlow will set this after authentication
+	idToken string
+}
+
+func setupAuthCodeFlow(t *testing.T, provider *mock_idp.MockProvider, c *authCodeFlowConfig) {
 	var nonce string
-	provider.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
+	provider.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(c.serverURL))
 	provider.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(jwt.PrivateKey))
 	provider.EXPECT().AuthenticateCode(gomock.Any()).
 		DoAndReturn(func(req idp.AuthenticationRequest) (string, error) {
-			if req.Scope != scope {
-				t.Errorf("scope wants `%s` but was `%s`", scope, req.Scope)
+			if req.Scope != c.scope {
+				t.Errorf("scope wants `%s` but was `%s`", c.scope, req.Scope)
 			}
-			for k, v := range extraParams {
+			if !strings.HasPrefix(req.RedirectURI, c.redirectURIPrefix) {
+				t.Errorf("redirectURI wants prefix `%s` but was `%s`", c.redirectURIPrefix, req.RedirectURI)
+			}
+			for k, v := range c.extraParams {
 				got := req.RawQuery.Get(k)
 				if got != v {
 					t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
@@ -53,8 +67,8 @@ func setupAuthCodeFlow(t *testing.T, provider *mock_idp.MockProvider, serverURL,
 		})
 	provider.EXPECT().Exchange("YOUR_AUTH_CODE").
 		DoAndReturn(func(string) (*idp.TokenResponse, error) {
-			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
-			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
+			c.idToken = newIDToken(t, c.serverURL, nonce, tokenExpiryFuture)
+			return idp.NewTokenResponse(c.idToken, "YOUR_REFRESH_TOKEN"), nil
 		})
 }

@@ -65,7 +79,7 @@ func setupROPCFlow(provider *mock_idp.MockProvider, serverURL, scope, username,
 		Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
 }

-func newBrowserMock(ctx context.Context, t *testing.T, ctrl *gomock.Controller, k keys.Keys) browser.Interface {
+func newBrowserMock(ctx context.Context, t *testing.T, ctrl *gomock.Controller, k keypair.KeyPair) browser.Interface {
 	b := mock_browser.NewMockInterface(ctrl)
 	b.EXPECT().
 		Open(gomock.Any()).
--- a/integration_test/keypair/keypair.go
+++ b/integration_test/keypair/keypair.go
@@ -1,4 +1,4 @@
-package keys
+package keypair

 import (
 	"crypto/tls"
@@ -10,8 +10,8 @@ import (
 	"strings"
 )

-// Keys represents a pair of certificate and key.
-type Keys struct {
+// KeyPair represents a pair of certificate and key.
+type KeyPair struct {
 	CertPath     string
 	KeyPath      string
 	CACertPath   string
@@ -20,16 +20,16 @@ type Keys struct {
 }

 // None represents non-TLS.
-var None Keys
+var None KeyPair

-// Server is a Keys for TLS server.
+// Server is a KeyPair for TLS server.
 // These files should be generated by Makefile before test.
-var Server = Keys{
-	CertPath:     "keys/testdata/server.crt",
-	KeyPath:      "keys/testdata/server.key",
-	CACertPath:   "keys/testdata/ca.crt",
-	CACertBase64: readAsBase64("keys/testdata/ca.crt"),
-	TLSConfig:    newTLSConfig("keys/testdata/ca.crt"),
+var Server = KeyPair{
+	CertPath:     "keypair/testdata/server.crt",
+	KeyPath:      "keypair/testdata/server.key",
+	CACertPath:   "keypair/testdata/ca.crt",
+	CACertBase64: readAsBase64("keypair/testdata/ca.crt"),
+	TLSConfig:    newTLSConfig("keypair/testdata/ca.crt"),
 }

 func readAsBase64(name string) string {
--- a/integration_test/keypair/testdata/Makefile
+++ b/integration_test/keypair/testdata/Makefile
--- a/integration_test/keypair/testdata/ca.crt
+++ b/integration_test/keypair/testdata/ca.crt
--- a/integration_test/keypair/testdata/ca.csr
+++ b/integration_test/keypair/testdata/ca.csr
--- a/integration_test/keypair/testdata/ca.key
+++ b/integration_test/keypair/testdata/ca.key
--- a/integration_test/keypair/testdata/ca.srl
+++ b/integration_test/keypair/testdata/ca.srl
--- a/integration_test/keypair/testdata/openssl.cnf
+++ b/integration_test/keypair/testdata/openssl.cnf
--- a/integration_test/keypair/testdata/server.crt
+++ b/integration_test/keypair/testdata/server.crt
--- a/integration_test/keypair/testdata/server.csr
+++ b/integration_test/keypair/testdata/server.csr
--- a/integration_test/keypair/testdata/server.key
+++ b/integration_test/keypair/testdata/server.key
--- a/integration_test/localserver/authserver.go
+++ b/integration_test/localserver/authserver.go
@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"testing"

-	"github.com/int128/kubelogin/integration_test/keys"
+	"github.com/int128/kubelogin/integration_test/keypair"
 )

 type Shutdowner interface {
@@ -31,8 +31,8 @@ func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {

 // Start starts an authentication server.
 // If k is non-nil, it starts a TLS server.
-func Start(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
-	if k == keys.None {
+func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
+	if k == keypair.None {
 		return startNoTLS(t, h)
 	}
 	return startTLS(t, h, k)
@@ -54,7 +54,7 @@ func startNoTLS(t *testing.T, h http.Handler) (string, Shutdowner) {
 	return url, &shutdowner{l, s}
 }

-func startTLS(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
+func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "https://localhost:" + port
--- a/integration_test/standalone_test.go
+++ b/integration_test/standalone_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/integration_test/idp"
 	"github.com/int128/kubelogin/integration_test/idp/mock_idp"
-	"github.com/int128/kubelogin/integration_test/keys"
+	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/kubeconfig"
 	"github.com/int128/kubelogin/integration_test/localserver"
 	"github.com/int128/kubelogin/pkg/adaptors/browser"
@@ -28,14 +28,14 @@ import (
 //
 func TestStandalone(t *testing.T) {
 	t.Run("NoTLS", func(t *testing.T) {
-		testStandalone(t, keys.None)
+		testStandalone(t, keypair.None)
 	})
 	t.Run("TLS", func(t *testing.T) {
-		testStandalone(t, keys.Server)
+		testStandalone(t, keypair.Server)
 	})
 }

-func testStandalone(t *testing.T, idpTLS keys.Keys) {
+func testStandalone(t *testing.T, idpTLS keypair.KeyPair) {
 	timeout := 5 * time.Second

 	t.Run("Defaults", func(t *testing.T) {
@@ -49,8 +49,12 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
 		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "openid", nil, &idToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                  serverURL,
 			IDPCertificateAuthority: idpTLS.CACertPath,
@@ -62,7 +66,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		}
 		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -174,8 +178,12 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		provider := mock_idp.NewMockProvider(ctrl)
 		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "openid", nil, &idToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
 		provider.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
 			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
 			MaxTimes(2) // package oauth2 will retry refreshing the token
@@ -194,7 +202,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		}
 		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -209,8 +217,12 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		provider := mock_idp.NewMockProvider(ctrl)
 		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "openid", nil, &idToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
 		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)

 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
@@ -226,7 +238,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		}
 		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
@@ -241,8 +253,12 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		provider := mock_idp.NewMockProvider(ctrl)
 		serverURL, server := localserver.Start(t, idp.NewHandler(t, provider), idpTLS)
 		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupAuthCodeFlow(t, provider, serverURL, "profile groups openid", nil, &idToken)
+		cfg := authCodeFlowConfig{
+			serverURL:         serverURL,
+			scope:             "profile groups openid",
+			redirectURIPrefix: "http://localhost:",
+		}
+		setupAuthCodeFlow(t, provider, &cfg)
 		browserMock := newBrowserMock(ctx, t, ctrl, idpTLS)

 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
@@ -257,7 +273,7 @@ func testStandalone(t *testing.T, idpTLS keys.Keys) {
 		}
 		runRootCmd(t, ctx, browserMock, args)
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
+			IDToken:      cfg.idToken,
 			RefreshToken: "YOUR_REFRESH_TOKEN",
 		})
 	})
--- a/pkg/adaptors/cmd/cmd.go
+++ b/pkg/adaptors/cmd/cmd.go
@@ -2,6 +2,7 @@ package cmd

 import (
 	"context"
+	"runtime"

 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
@@ -52,7 +53,7 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
 		Short: "Print the version information",
 		Args:  cobra.NoArgs,
 		Run: func(*cobra.Command, []string) {
-			cmd.Logger.Printf("kubelogin version %s", version)
+			cmd.Logger.Printf("kubelogin version %s (%s %s_%s)", version, runtime.Version(), runtime.GOOS, runtime.GOARCH)
 		},
 	}
 	rootCmd.AddCommand(versionCmd)
--- a/pkg/adaptors/cmd/cmd_test.go
+++ b/pkg/adaptors/cmd/cmd_test.go
@@ -27,7 +27,8 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: defaultListenAddress,
+							BindAddress:         defaultListenAddress,
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -41,7 +42,8 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -57,7 +59,8 @@ func TestCmd_Run(t *testing.T) {
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -85,8 +88,9 @@ func TestCmd_Run(t *testing.T) {
 					SkipTLSVerify:      true,
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:     []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser: true,
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:     true,
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -191,7 +195,8 @@ func TestCmd_Run(t *testing.T) {
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -230,6 +235,7 @@ func TestCmd_Run(t *testing.T) {
 						AuthCodeOption: &authentication.AuthCodeOption{
 							BindAddress:            []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							SkipOpenBrowser:        true,
+							RedirectURLHostname:    "localhost",
 							AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 						},
 					},
--- a/pkg/adaptors/cmd/root.go
+++ b/pkg/adaptors/cmd/root.go
@@ -48,6 +48,7 @@ type authenticationOptions struct {
 	ListenAddress          []string
 	ListenPort             []int // deprecated
 	SkipOpenBrowser        bool
+	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
 	Username               string
 	Password               string
@@ -81,6 +82,7 @@ func (o *authenticationOptions) register(f *pflag.FlagSet) {
 	//TODO: remove the deprecated flag
 	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "(Deprecated: use --listen-address)")
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "Hostname of the redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
 	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
@@ -92,6 +94,7 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 		s.AuthCodeOption = &authentication.AuthCodeOption{
 			BindAddress:            o.determineListenAddress(),
 			SkipOpenBrowser:        o.SkipOpenBrowser,
+			RedirectURLHostname:    o.RedirectURLHostname,
 			AuthRequestExtraParams: o.AuthRequestExtraParams,
 		}
 	case o.GrantType == "authcode-keyboard":
--- a/pkg/adaptors/oidcclient/oidcclient.go
+++ b/pkg/adaptors/oidcclient/oidcclient.go
@@ -51,6 +51,7 @@ type GetTokenByAuthCodeInput struct {
 	CodeChallenge          string
 	CodeChallengeMethod    string
 	CodeVerifier           string
+	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
 }

@@ -93,6 +94,7 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		},
 		LocalServerBindAddress: in.BindAddress,
 		LocalServerReadyChan:   localServerReadyChan,
+		RedirectURLHostname:    in.RedirectURLHostname,
 	}
 	for key, value := range in.AuthRequestExtraParams {
 		config.AuthCodeOptions = append(config.AuthCodeOptions, oauth2.SetAuthURLParam(key, value))
--- a/pkg/usecases/authentication/authcode.go
+++ b/pkg/usecases/authentication/authcode.go
@@ -38,6 +38,7 @@ func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.
 		CodeChallenge:          p.CodeChallenge,
 		CodeChallengeMethod:    p.CodeChallengeMethod,
 		CodeVerifier:           p.CodeVerifier,
+		RedirectURLHostname:    o.RedirectURLHostname,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	}
 	readyChan := make(chan string, 1)
--- a/pkg/usecases/authentication/authcode_test.go
+++ b/pkg/usecases/authentication/authcode_test.go
@@ -30,6 +30,7 @@ func TestAuthCode_Do(t *testing.T) {
 		o := &AuthCodeOption{
 			BindAddress:            []string{"127.0.0.1:8000"},
 			SkipOpenBrowser:        true,
+			RedirectURLHostname:    "localhost",
 			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
@@ -39,6 +40,9 @@ func TestAuthCode_Do(t *testing.T) {
 				if diff := cmp.Diff(o.BindAddress, in.BindAddress); diff != "" {
 					t.Errorf("BindAddress mismatch (-want +got):\n%s", diff)
 				}
+				if diff := cmp.Diff(o.RedirectURLHostname, in.RedirectURLHostname); diff != "" {
+					t.Errorf("RedirectURLHostname mismatch (-want +got):\n%s", diff)
+				}
 				if diff := cmp.Diff(o.AuthRequestExtraParams, in.AuthRequestExtraParams); diff != "" {
 					t.Errorf("AuthRequestExtraParams mismatch (-want +got):\n%s", diff)
 				}
--- a/pkg/usecases/authentication/authentication.go
+++ b/pkg/usecases/authentication/authentication.go
@@ -49,6 +49,7 @@ type GrantOptionSet struct {
 type AuthCodeOption struct {
 	SkipOpenBrowser        bool
 	BindAddress            []string
+	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
 }

--- a/pkg/usecases/setup/stage2.go
+++ b/pkg/usecases/setup/stage2.go
@@ -18,19 +18,9 @@ You got a token with the following claims:

 ## 3. Bind a cluster role

-Apply the following manifest:
+Run the following command:

-	kind: ClusterRoleBinding
-	apiVersion: rbac.authorization.k8s.io/v1
-	metadata:
-	  name: oidc-cluster-admin
-	roleRef:
-	  apiGroup: rbac.authorization.k8s.io
-	  kind: ClusterRole
-	  name: cluster-admin
-	subjects:
-	- kind: User
-	  name: {{ .IssuerURL }}#{{ .Subject }}
+	kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='{{ .IssuerURL }}#{{ .Subject }}'

 ## 4. Set up the Kubernetes API server

@@ -49,7 +39,7 @@ Run the following command:
 	  --exec-arg=oidc-login \
 	  --exec-arg=get-token \
 {{- range .Args }}
-	  --exec-arg={{ . }}
+	  --exec-arg={{ . }} \
 {{- end }}

 ## 6. Verify cluster access
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -1,19 +0,0 @@
-name: kubelogin
-version: git
-summary: Log in to the OpenID Connect provider
-description: |
-  This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
-confinement: strict
-base: core18
-parts:
-  kubelogin:
-    plugin: nil
-    source: .
-    source-type: git
-    build-snaps: [go]
-    override-build: |
-      make CIRCLE_TAG=$SNAPCRAFT_PROJECT_VERSION
-      cp -av kubelogin $SNAPCRAFT_PART_INSTALL/bin
-apps:
-  kubelogin:
-    command: bin/kubelogin
Author	SHA1	Message	Date
Hidetake Iwata	4ffc914d0e	Bump the version	2020-04-11 17:14:59 +09:00
Hidetake Iwata	fa008bef55	Add linux_arm and linux_arm64 binary to distribution (#275 )	2020-04-11 17:14:00 +09:00
Hidetake Iwata	50047417ab	Delete snapcraft.yaml	2020-04-11 16:10:48 +09:00
Hidetake Iwata	4c0ebb0284	go mod tidy	2020-04-11 15:57:57 +09:00
dependabot-preview[bot]	c1173accd3	Build(deps): bump k8s.io/client-go from 0.18.0 to 0.18.1 (#273 ) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.18.0 to 0.18.1. - [Release notes](https://github.com/kubernetes/client-go/releases) - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.18.0...v0.18.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>	2020-04-11 15:57:17 +09:00
Hidetake Iwata	d4addcfc6e	Show Go version, GOOS and GOARCH in version command (#272 )	2020-04-11 11:39:49 +09:00
Hidetake Iwata	695347e419	Merge pull request #271 from int128/refactor Refactor integration test	2020-04-10 20:39:18 +09:00
Hidetake Iwata	d5c738697f	Refactor: tidy up	2020-04-10 20:32:22 +09:00
Hidetake Iwata	777a60c96c	Refactor: rename package	2020-04-10 17:15:02 +09:00
Hidetake Iwata	6f6e0723f1	Refactor: extract integration_test.authCodeFlowConfig	2020-04-10 16:32:02 +09:00
Hidetake Iwata	3fb074a4a8	Refactor: replace ClusterRoleBinding manifest with kubectl command (#270 )	2020-04-08 20:38:35 +09:00
Hidetake Iwata	59b5f1bd89	Add --oidc-redirect-url-hostname flag (#269 )	2020-04-08 15:25:19 +09:00
Hidetake Iwata	70819843f0	go mod tidy	2020-04-07 10:30:13 +09:00
dependabot-preview[bot]	87c46a24ae	Build(deps): bump github.com/int128/oauth2cli from 1.10.0 to 1.11.0 (#268 ) Bumps [github.com/int128/oauth2cli](https://github.com/int128/oauth2cli) from 1.10.0 to 1.11.0. - [Release notes](https://github.com/int128/oauth2cli/releases) - [Commits](https://github.com/int128/oauth2cli/compare/v1.10.0...v1.11.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>	2020-04-07 10:27:30 +09:00
Hidetake Iwata	ac504150b2	Bump k8s.io/apimachinery, k8s.io/client-go to 0.18.0 (#267 )	2020-04-06 21:58:53 +09:00
Hidetake Iwata	caeb55f21d	Refactor: enable Go module cache (#264 )	2020-04-02 20:08:52 +09:00
dependabot-preview[bot]	2ccda6099f	Build(deps): bump github.com/spf13/cobra from 0.0.6 to 0.0.7 (#263 ) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 0.0.6 to 0.0.7. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](https://github.com/spf13/cobra/compare/v0.0.6...0.0.7) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>	2020-03-31 11:34:19 +09:00
MOZGIII	7f4f72c9e0	Correct the command args at stage 2 instructions (#261 )	2020-03-29 18:26:29 +09:00