Fix

* Refactor docs

* Update --exec-api-version

* Add device authorization grant

* Fix

.circleci/config.yml

@@ -1,60 +0,0 @@
-version: 2.1
-
-jobs:
-  test:
-    docker:
-      - image: cimg/go:1.14.4
-    steps:
-      - run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
-      - checkout
-      - restore_cache:
-          keys:
-            - go-sum-{{ checksum "go.sum" }}
-      - run: make check
-      - run: bash <(curl -s https://codecov.io/bash)
-      - save_cache:
-          key: go-sum-{{ checksum "go.sum" }}
-          paths:
-            - ~/go/pkg
-      - store_artifacts:
-          path: gotest.log
-
-  crossbuild:
-    macos:
-      xcode: 11.5.0
-    steps:
-      - run: |
-          curl -sSfL https://dl.google.com/go/go1.14.4.darwin-amd64.tar.gz | tar -C /tmp -xz
-          echo 'export PATH="$PATH:/tmp/go/bin:$HOME/go/bin"' >> $BASH_ENV
-      - checkout
-      - restore_cache:
-          keys:
-            - go-macos-{{ checksum "go.sum" }}
-      - run:
-          command: go get -v github.com/int128/goxzst github.com/int128/ghcp
-          working_directory: .circleci
-      - run: make dist
-      - run: |
-          if [ "$CIRCLE_TAG" ]; then
-            make release
-          fi
-      - save_cache:
-          key: go-macos-{{ checksum "go.sum" }}
-          paths:
-            - ~/go/pkg
-
-workflows:
-  version: 2
-  build:
-    jobs:
-      - test:
-          filters:
-            tags:
-              only: /.*/
-      - crossbuild:
-          context: open-source
-          requires:
-            - test
-          filters:
-            tags:
-              only: /.*/

.circleci/go.mod

@@ -1,3 +0,0 @@
-module github.com/int128/kubelogin/.circleci
-
-go 1.13

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,20 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+## Describe the issue
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,15 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Purpose of the feature (why)
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+A clear and concise description of what you want to happen.
+
+## Your idea (how)
+A clear and concise description of any alternative solutions or features you've considered.

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,20 @@
+---
+name: Question
+about: Feel free to ask a question
+title: ''
+labels: question
+assignees: ''
+
+---
+
+## Describe the question
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google

.github/release.yml

@@ -0,0 +1,16 @@
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+changelog:
+  categories:
+    - title: Features
+      labels:
+        - '*'
+      exclude:
+        labels:
+          - renovate
+          - refactoring
+    - title: Refactoring
+      labels:
+        - refactoring
+    - title: Dependencies
+      labels:
+        - renovate

.github/renovate.json5

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "github>int128/renovate-base",
+    "github>int128/go-renovate-config#v1.7.2",
+    "github>int128/go-renovate-config:go-directive#v1.7.2",
+    "github>int128/go-renovate-config:github-actions#v1.7.2",
+    "github>int128/go-renovate-config:kubernetes#v1.7.2",
+    "github>int128/go-renovate-config:kustomization-github-releases#v1.7.2",
+    "helpers:pinGitHubActionDigests",
+  ],
+}

.github/workflows/acceptance-test.yaml

@@ -1,28 +0,0 @@
-on: [push]
-jobs:
-  acceptance-test:
-    # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
-    runs-on: ubuntu-18.04
-    steps:
-      - uses: actions/setup-go@v1
-        with:
-          go-version: 1.14.1
-        id: go
-      - uses: actions/checkout@v1
-      - uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            go-
-      # https://kind.sigs.k8s.io/docs/user/quick-start/
-      - run: |
-          wget -q -O ./kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.8.1/kind-linux-amd64"
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-          kind version
-      # https://packages.ubuntu.com/xenial/libnss3-tools
-      - run: sudo apt install -y libnss3-tools
-      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
-      - run: make -C acceptance_test -j3 setup
-      - run: make -C acceptance_test test

.github/workflows/docker.yaml

@@ -0,0 +1,70 @@
+name: docker
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+    tags:
+      - v*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-uri: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        id: metadata
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@622932dfa73db7d3a65e40d5fcc094f2101e659a # v1.37.0
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      - uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
+        id: build
+        with:
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.cache-from }}
+          cache-to: ${{ steps.cache.outputs.cache-to }}
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/ppc64le
+
+  test:
+    if: github.event_name == 'push'
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - run: docker run --rm "$IMAGE_URI" --help
+        env:
+          IMAGE_URI: ${{ needs.build.outputs.image-uri }}

.github/workflows/go.yaml

@@ -0,0 +1,79 @@
+name: go
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make test
+
+  integration-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make integration-test
+
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+      - run: make lint
+
+  generate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+      - run: go mod tidy
+      - run: make generate
+      - uses: int128/update-generated-files-action@65b9a7ae3ededc5679d78343f58fbebcf1ebd785 # v2.57.0

.github/workflows/release.yaml

@@ -0,0 +1,78 @@
+name: release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        platform:
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: amd64
+            CGO_ENABLED: 0 # https://github.com/int128/kubelogin/issues/567
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm64
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: ppc64le
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: amd64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/249
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: arm64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/762
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: amd64
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: arm64
+    runs-on: ${{ matrix.platform.runs-on }}
+    env:
+      GOOS: ${{ matrix.platform.GOOS }}
+      GOARCH: ${{ matrix.platform.GOARCH }}
+      CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: go build -ldflags '-X main.version=${{ github.ref_name }}'
+      - uses: int128/go-release-action@2979cc5b15ceb7ae458e95b0a9467afc7ae25259 # v2.0.0
+        with:
+          binary: kubelogin
+
+  publish:
+    if: github.ref_type == 'tag'
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47

.github/workflows/system-test.yaml

@@ -0,0 +1,43 @@
+name: system-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+
+jobs:
+  system-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+
+      - run: sudo apt-get update
+      # Install certutil.
+      # https://packages.ubuntu.com/xenial/libnss3-tools
+      # Install keyring related packages.
+      # https://github.com/zalando/go-keyring/issues/45
+      - run: sudo apt-get install --no-install-recommends -y libnss3-tools dbus-x11 gnome-keyring
+
+      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
+
+      - run: make -C system_test -j3
+
+      - run: make -C system_test logs
+        if: always()

.gitignore

@@ -1,10 +1,12 @@
 /.idea
 
+/tools/bin
+
 /acceptance_test/output/
 
-/dist/output
 /coverage.out
-/gotest.log
 
 /kubelogin
 /kubectl-oidc_login
+/kubelogin_*.zip
+/kubelogin_*.zip.sha256

.krew.yaml

@@ -0,0 +1,68 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: oidc-login
+spec:
+  homepage: https://github.com/int128/kubelogin
+  shortDescription: Log in to the OpenID Connect provider
+  description: |
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.
+
+  caveats: |
+    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+  version: {{ .TagName }}
+  platforms:
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: amd64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: arm64

.mockery.yaml

@@ -0,0 +1,11 @@
+outpkg: "{{.PackageName}}_mock"
+dir: "mocks/{{.PackagePath}}_mock"
+
+packages:
+  github.com/int128/kubelogin:
+    config:
+      all: true
+      recursive: true
+  io:
+    interfaces:
+      Closer:

Dockerfile

@@ -0,0 +1,20 @@
+FROM --platform=$BUILDPLATFORM golang:1.23 AS builder
+
+WORKDIR /builder
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+RUN go mod download
+
+# Copy the go source
+COPY main.go .
+COPY pkg pkg
+
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build
+
+FROM gcr.io/distroless/base-debian12
+COPY --from=builder /builder/kubelogin /
+ENTRYPOINT ["/kubelogin"]

Makefile

@@ -1,49 +1,22 @@
-# CircleCI specific variables
-CIRCLE_TAG ?= latest
-GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
-GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)
+.PHONY: all
+all:
 
-TARGET := kubelogin
-TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
-VERSION ?= $(CIRCLE_TAG)
-LDFLAGS := -X main.version=$(VERSION)
+.PHONY: test
+test:
+	go test -v -race ./pkg/...
 
-all: $(TARGET)
+.PHONY: integration-test
+integration-test:
+	go test -v -race ./integration_test/...
 
-$(TARGET): $(wildcard **/*.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
+.PHONY: generate
+generate:
+	$(MAKE) -C tools
+	./tools/bin/wire ./pkg/di
+	rm -fr mocks/
+	./tools/bin/mockery
 
-.PHONY: check
-check:
-	golangci-lint run
-	go test -v -race -cover -coverprofile=coverage.out ./... > gotest.log
-
-.PHONY: dist
-dist: dist/output
-dist/output:
-	# make the zip files for GitHub Releases
-	VERSION=$(VERSION) goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
-	# test the zip file
-	zipinfo dist/output/kubelogin_linux_amd64.zip
-	# make the krew yaml structure
-	mkdir -p dist/output/plugins
-	mv dist/output/oidc-login.yaml dist/output/plugins/oidc-login.yaml
-
-.PHONY: release
-release: dist
-	# publish the binaries
-	ghcp release -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)" -t "$(VERSION)" dist/output/
-	# publish the Homebrew formula
-	ghcp commit -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ kubelogin.rb
-	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
-	# publish the Dockerfile
-	ghcp commit -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ Dockerfile
-	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
-	# publish the Krew manifest
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(VERSION)" -m "Bump oidc-login to $(VERSION)" -C dist/output/ plugins/oidc-login.yaml
-
-.PHONY: clean
-clean:
-	-rm $(TARGET)
-	-rm -r dist/output/
-	-rm coverage.out gotest.log
+.PHONY: lint
+lint:
+	$(MAKE) -C tools
+	./tools/bin/golangci-lint run

README.md

@@ -1,10 +1,10 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) ![acceptance-test](https://github.com/int128/kubelogin/workflows/acceptance-test/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![go](https://github.com/int128/kubelogin/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kubelogin/actions/workflows/go.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
 
 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
 
 Here is an example of Kubernetes authentication with the Google Identity Platform:
 
-<img alt="screencast" src="https://user-images.githubusercontent.com/321266/70971501-7bcebc80-20e4-11ea-8afc-539dcaea0aa8.gif" width="652" height="455">
+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
 
 Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 When you run kubectl, kubelogin opens the browser and you can log in to the provider.
@@ -13,12 +13,11 @@ Take a look at the diagram:
 
 ![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)
 
-
 ## Getting Started
 
 ### Setup
 
-Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases).
+Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew), [Chocolatey](https://chocolatey.org/packages/kubelogin) or [GitHub Releases](https://github.com/int128/kubelogin/releases).
 
 ```sh
 # Homebrew (macOS and Linux)
@@ -26,28 +25,33 @@ brew install int128/kubelogin/kubelogin
 
 # Krew (macOS, Linux, Windows and ARM)
 kubectl krew install oidc-login
+
+# Chocolatey (Windows)
+choco install kubelogin
 ```
 
+If you install via GitHub releases, save the binary as the name `kubectl-oidc_login` on your path.
+When you invoke `kubectl oidc-login`, kubectl finds it by the [naming convention of kubectl plugins](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/).
+The other install methods do this for you.
+
 You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
-The kubeconfig looks like:
+Your kubeconfig looks like this:
 
 ```yaml
 users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
 ```
 
-See [the setup guide](docs/setup.md) for more.
-
+See the [setup guide](docs/setup.md) for more.
 
 ### Run
 
@@ -58,269 +62,85 @@ kubectl get pods
 ```
 
 Kubectl executes kubelogin before calling the Kubernetes APIs.
-Kubelogin automatically opens the browser and you can log in to the provider.
+Kubelogin automatically opens the browser, and you can log in to the provider.
 
-<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
+After the authentication, kubelogin returns the credentials to kubectl.
+Kubectl then calls the Kubernetes APIs with the credentials.
 
-After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
-
-```
+```console
 % kubectl get pods
 Open http://localhost:8000 for authentication
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
 ```
 
-Kubelogin writes the ID token and refresh token to the token cache file.
+Kubelogin stores the ID token and refresh token to the cache.
+If the ID token is valid, it just returns it.
+If the ID token has expired, it will refresh the token using the refresh token.
+If the refresh token has expired, it will perform re-authentication.
 
-If the cached ID token is valid, kubelogin just returns it.
-If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will perform reauthentication.
+## Troubleshooting
 
+### Token cache
 
-### Troubleshoot
+If the OS keyring is available, kubelogin stores the token cache to the OS keyring.
+Otherwise, kubelogin stores the token cache to the file system.
+See the [token cache](docs/usage.md#token-cache) for details.
 
-You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
-Kubelogin will perform authentication if the token cache file does not exist.
-
-You can dump the claims of token by passing `-v1` option.
+You can log out by deleting the token cache.
 
+```console
+% kubectl oidc-login clean
+Deleted the token cache at /home/user/.kube/cache/oidc-login
+Deleted the token cache in the keyring
 ```
-I0221 21:54:08.151850   28231 get_token.go:104] you got a token: {
+
+Kubelogin will ask you to log in via the browser again.
+If the browser has a cookie for the provider, you need to log out from the provider or clear the cookie.
+
+### ID token claims
+
+You can run `setup` command to dump the claims of an ID token from the provider.
+
+```console
+% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
+...
+You got a token with the following claims:
+
+{
   "sub": "********",
   "iss": "https://accounts.google.com",
   "aud": "********",
-  "iat": 1582289639,
-  "exp": 1582293239,
-  "jti": "********",
-  "nonce": "********",
-  "at_hash": "********"
+  ...
 }
 ```
 
-
-## Usage
-
-This document is for the development version.
-If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).
-
-Kubelogin supports the following options:
-
-```
-Usage:
-  kubelogin get-token [flags]
-
-Flags:
-      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
-      --oidc-client-id string                           Client ID of the provider (mandatory)
-      --oidc-client-secret string                       Client secret of the provider
-      --oidc-extra-scope strings                        Scopes to request to the provider
-      --certificate-authority string                    Path to a cert file for the certificate authority
-      --certificate-authority-data string               Base64 encoded data for the certificate authority
-      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --token-cache-dir string                          Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
-      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
-      --listen-port ints                                (Deprecated: use --listen-address)
-      --skip-open-browser                               If true, it does not open the browser on authentication
-      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
-      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
-      --username string                                 If set, perform the resource owner password credentials grant
-      --password string                                 If set, use the password instead of asking it
-  -h, --help                                            help for get-token
-
-Global Flags:
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-```
-
-See also the options of [standalone mode](docs/standalone-mode.md).
-
-### Extra scopes
-
-You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
-
-```yaml
-      - --oidc-extra-scope=email
-      - --oidc-extra-scope=profile
-```
-
-### CA Certificate
-
-You can use your self-signed certificate for the provider.
-
-```yaml
-      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
-      - --certificate-authority-data=LS0t...
-```
-
-### HTTP Proxy
-
-You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
-See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
-
-### Authentication flows
-
-#### Authorization code flow
-
-Kubelogin performs the authorization code flow by default.
-
-It starts the local server at port 8000 or 18000 by default.
-You need to register the following redirect URIs to the provider:
-
-- `http://localhost:8000`
-- `http://localhost:18000` (used if port 8000 is already in use)
-
-You can change the listening address.
-
-```yaml
-      - --listen-address=127.0.0.1:12345
-      - --listen-address=127.0.0.1:23456
-```
-
-You can change the hostname of redirect URI from the default value `localhost`.
-
-```yaml
-      - --oidc-redirect-url-hostname=127.0.0.1
-```
-
-You can add extra parameters to the authentication request.
-
-```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
-```
-
-#### Authorization code flow with keyboard interactive
-
-If you cannot access the browser, instead use the authorization code flow with keyboard interactive.
-
-```yaml
-      - --grant-type=authcode-keyboard
-```
-
-Kubelogin will show the URL and prompt.
-Open the URL in the browser and then copy the code shown.
-
-```
-% kubectl get pods
-Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
-Enter code: YOUR_CODE
-```
-
-Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and
-some OIDC providers do not support it.
-
-You can add extra parameters to the authentication request.
-
-```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
-```
-
-#### Resource owner password credentials grant flow
-
-Kubelogin performs the resource owner password credentials grant flow
-when `--grant-type=password` or `--username` is set.
-
-Note that most OIDC providers do not support this flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
-
-You can set the username and password.
-
-```yaml
-      - --username=USERNAME
-      - --password=PASSWORD
-```
-
-If the password is not set, kubelogin will show the prompt for the password.
-
-```yaml
-      - --username=USERNAME
-```
-
-```
-% kubectl get pods
-Password:
-```
-
-If the username is not set, kubelogin will show the prompt for the username and password.
-
-```yaml
-      - --grant-type=password
-```
-
-```
-% kubectl get pods
-Username: foo
-Password:
-```
-
-### Docker
-
-You can run [the Docker image](https://quay.io/repository/int128/kubelogin) instead of the binary.
-The kubeconfig looks like:
+You can set `-v1` option to increase the log level.
 
 ```yaml
 users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: docker
-      args:
-      - run
-      - --rm
-      - -v
-      - /tmp/.token-cache:/.token-cache
-      - -p
-      - 8000:8000
-      - quay.io/int128/kubelogin
-      - get-token
-      - --token-cache-dir=/.token-cache
-      - --listen-address=0.0.0.0:8000
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - -v1
 ```
 
-Known limitations:
+You can run the [acceptance test](acceptance_test) to verify if kubelogin works with your provider.
 
-- It cannot open the browser automatically.
-- The container port and listen port must be equal for consistency of the redirect URI.
-
-
-## Related works
-
-### Kubernetes Dashboard
-
-You can access the Kubernetes Dashboard using kubelogin and [kauthproxy](https://github.com/int128/kauthproxy).
+## Docs
 
+- [Setup guide](docs/setup.md)
+- [Usage and options](docs/usage.md)
+- [Standalone mode](docs/standalone-mode.md)
+- [System test](system_test)
+- [Acceptance_test for identity providers](acceptance_test)
 
 ## Contributions
 
 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests for improving code and documents.
-
-### Development
-
-Go 1.13 or later is required.
-
-```sh
-# Run lint and tests
-make check
-
-# Compile and run the command
-make
-./kubelogin
-```
-
-See also [the acceptance test](acceptance_test).

acceptance_test/Makefile

@@ -1,100 +1,31 @@
 CLUSTER_NAME := kubelogin-acceptance-test
 OUTPUT_DIR := $(CURDIR)/output
 
-PATH := $(PATH):$(OUTPUT_DIR)/bin
-export PATH
 KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
 export KUBECONFIG
 
-# run the login script instead of opening chrome
-BROWSER := $(OUTPUT_DIR)/bin/chromelogin
-export BROWSER
-
-.PHONY: test
-test: build
-	# see the setup instruction
-	kubectl oidc-login setup \
-		--oidc-issuer-url=https://dex-server:10443/dex \
-		--oidc-client-id=YOUR_CLIENT_ID \
-		--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--oidc-extra-scope=email \
-		--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# set up the kubeconfig
-	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
-		--exec-command=kubectl \
-		--exec-arg=oidc-login \
-		--exec-arg=get-token \
-		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
-		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--exec-arg=--oidc-extra-scope=email \
-		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# make sure we can access the cluster
-	kubectl --user=oidc cluster-info
-	# switch the current context
-	kubectl config set-context --current --user=oidc
-	# make sure we can access the cluster
-	kubectl cluster-info
-
-.PHONY: setup
-setup: build dex cluster setup-chrome
-
-.PHONY: setup-chrome
-setup-chrome: $(OUTPUT_DIR)/ca.crt
-	# add the dex server certificate to the trust store
-	mkdir -p ~/.pki/nssdb
-	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
-
-# build binaries
-.PHONY: build
-build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
-$(OUTPUT_DIR)/bin/kubectl-oidc_login:
-	go build -o $@ ..
-$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
-	go build -o $@ ./chromelogin
-
-# create a Dex server
-.PHONY: dex
-dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
-	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
-	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
-	docker cp $(OUTPUT_DIR)/server.key dex-server:/
-	docker cp dex.yaml dex-server:/
-	docker start dex-server
-	docker logs dex-server
-
-$(OUTPUT_DIR)/ca.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
-	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
-$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
-	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
-$(OUTPUT_DIR)/server.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
-	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
-$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
-	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
-
 # create a Kubernetes cluster
 .PHONY: cluster
-cluster: dex create-cluster
-	# add the Dex container IP to /etc/hosts of kube-apiserver
-	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
-		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
-	# wait for kube-apiserver oidc initialization
-	# (oidc authenticator will retry oidc discovery every 10s)
-	sleep 10
-
-.PHONY: create-cluster
-create-cluster: $(OUTPUT_DIR)/ca.crt
-	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-acceptance-test-dex-ca.crt
-	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
+cluster:
+	# create a cluster
+	mkdir -p $(OUTPUT_DIR)
+	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
+	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
+	# set up access control
 	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
-	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
+	# set up kubectl
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=$(CURDIR)/../kubelogin \
+		--exec-arg=get-token \
+		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
+		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
+		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
+		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
+		--exec-arg=--oidc-extra-scope=email
+	# switch the default user
+	kubectl config set-context --current --user=oidc
 
 # clean up the resources
 .PHONY: clean
@@ -103,7 +34,9 @@ clean:
 .PHONY: delete-cluster
 delete-cluster:
 	kind delete cluster --name $(CLUSTER_NAME)
-.PHONY: delete-dex
-delete-dex:
-	docker stop dex-server
-	docker rm dex-server
+
+.PHONY: check
+check:
+	docker version
+	kind version
+	kubectl version --client

acceptance_test/README.md

@@ -1,109 +1,75 @@
 # kubelogin/acceptance_test
 
-This is an acceptance test for walkthrough of the OIDC initial setup and plugin behavior using a real Kubernetes cluster and OpenID Connect provider, running on [GitHub Actions](https://github.com/int128/kubelogin/actions?query=workflow%3Aacceptance-test).
-
-It is intended to verify the following points:
-
-- User can set up Kubernetes OIDC authentication and this plugin.
-- User can access a cluster after login.
-
-It performs the test using the following components:
-
-- Kubernetes cluster (Kind)
-- OIDC provider (Dex)
-- Browser (Chrome)
-- kubectl command
+This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
 
 
-## How it works
+## Purpose
 
-Let's take a look at the diagram.
+This test checks the following points:
 
-![diagram](../docs/acceptance-test-diagram.svg)
-
-It prepares the following resources:
-
-1. Generate a pair of CA certificate and TLS server certificate for Dex.
-1. Run Dex on a container.
-1. Create a Kubernetes cluster using Kind.
-1. Mutate `/etc/hosts` of the CI machine to access Dex.
-1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
-
-It performs the test by the following steps:
-
-1. Run kubectl.
-1. kubectl automatically runs kubelogin.
-1. kubelogin automatically runs [chromelogin](chromelogin).
-1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
-1. kubelogin gets an authorization code from the browser.
-1. kubelogin gets a token.
-1. kubectl accesses an API with the token.
-1. kube-apiserver verifies the token by Dex.
-1. Check if kubectl exited with code 0.
+1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
+1. The plugin works with your OIDC provider.
 
 
-## Run locally
+## Getting Started
 
-You need to set up the following components:
+### Prerequisite
+
+You need to build the plugin into the parent directory.
+
+```sh
+make -C ..
+```
+
+You need to set up your provider.
+See [setup guide](../docs/setup.md) for more.
+
+You need to install the following tools:
 
 - Docker
 - Kind
-- Chrome or Chromium
+- kubectl
 
-You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
+You can check if the tools are available.
 
-```
-127.0.0.1 dex-server
+```sh
+make check
 ```
 
-Run the test.
+### 1. Create a cluster
 
-```shell script
-# run the test
-make
+Create a cluster.
+For example, you can create a cluster with Google account authentication.
 
-# clean up
+```sh
+make OIDC_ISSUER_URL=https://accounts.google.com \
+  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
+  OIDC_CLIENT_SECRET=REDACTED \
+  YOUR_EMAIL=REDACTED@gmail.com
+```
+
+It will do the following steps:
+
+1. Create a cluster.
+1. Set up access control. It allows read-only access from your email address.
+1. Set up kubectl to enable the plugin.
+
+You can change kubectl configuration in generated `output/kubeconfig.yaml`.
+
+### 2. Run kubectl
+
+Make sure you can log in to the provider and access the cluster.
+
+```console
+% export KUBECONFIG=$PWD/output/kubeconfig.yaml
+% kubectl get pods -A
+```
+
+### Clean up
+
+To delete the cluster and generated files:
+
+```sh
 make delete-cluster
-make delete-dex
+make clean
 ```
-
-
-## Technical consideration
-
-### Network and DNS
-
-Consider the following issues:
-
-- kube-apiserver runs on the host network of the kind container.
-- kube-apiserver cannot resolve a service name by kube-dns.
-- kube-apiserver cannot access a cluster IP.
-- kube-apiserver can access another container via the Docker network.
-- Chrome requires exactly match of domain name between Dex URL and a server certificate.
-
-Consequently,
-
-- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
-- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
-
-### TLS server certificate
-
-Consider the following issues:
-
-- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
-- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
-- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
-- It is possible to mount a file from the CI machine.
-- It is not possible to issue a certificate using Let's Encrypt in runtime.
-- Chrome requires a valid certificate in `~/.pki/nssdb`.
-
-As a result,
-
-- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
-- kubelogin uses the CA certificate in `output/ca.crt`.
-- Chrome uses the CA certificate in `~/.pki/nssdb`.
-
-### Test environment
-
-- Set the issuer URL to kubectl. See [`kubeconfig_oidc.yaml`](kubeconfig_oidc.yaml).
-- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
-- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.

acceptance_test/cluster.yaml

@@ -1,6 +1,5 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
-# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
 kubeadmConfigPatches:
   - |
     apiVersion: kubeadm.k8s.io/v1beta2
@@ -9,12 +8,6 @@ kubeadmConfigPatches:
       name: config
     apiServer:
       extraArgs:
-        oidc-issuer-url: https://dex-server:10443/dex
-        oidc-client-id: YOUR_CLIENT_ID
+        oidc-issuer-url: OIDC_ISSUER_URL
+        oidc-client-id: OIDC_CLIENT_ID
         oidc-username-claim: email
-        oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
-nodes:
-  - role: control-plane
-    extraMounts:
-      - hostPath: /tmp/kubelogin-acceptance-test-dex-ca.crt
-        containerPath: /usr/local/share/ca-certificates/dex-ca.crt

dist/Dockerfile

@@ -1,13 +0,0 @@
-FROM alpine:3.11
-
-ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
-ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
-
-# Download the release and test the checksum
-RUN wget -O /kubelogin.zip "https://github.com/int128/kubelogin/releases/download/$KUBELOGIN_VERSION/kubelogin_linux_amd64.zip" && \
-    echo "$KUBELOGIN_SHA256  /kubelogin.zip" | sha256sum -c - && \
-    unzip /kubelogin.zip && \
-    rm /kubelogin.zip
-
-USER daemon
-ENTRYPOINT ["/kubelogin"]

dist/kubelogin.rb

@@ -1,27 +0,0 @@
-class Kubelogin < Formula
-  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
-  homepage "https://github.com/int128/kubelogin"
-  baseurl = "https://github.com/int128/kubelogin/releases/download"
-  version "{{ env "VERSION" }}"
-  
-  if OS.mac?
-    kernel = "darwin"
-    sha256 "{{ sha256 .darwin_amd64_archive }}"
-  elsif OS.linux?
-    kernel = "linux"
-    sha256 "{{ sha256 .linux_amd64_archive }}"
-  end 
-   
-  url baseurl + "/#{version}/kubelogin_#{kernel}_amd64.zip"
-    
-  def install
-    bin.install "kubelogin" => "kubelogin"
-    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
-  end
-  
-  test do
-    system "#{bin}/kubelogin -h"
-    system "#{bin}/kubectl-oidc_login -h"
-  end
-    
-end

dist/oidc-login.yaml

@@ -1,88 +0,0 @@
-apiVersion: krew.googlecontainertools.github.com/v1alpha2
-kind: Plugin
-metadata:
-  name: oidc-login
-spec:
-  homepage: https://github.com/int128/kubelogin
-  shortDescription: Log in to the OpenID Connect provider
-  description: |
-    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
-
-    ## Credential plugin mode
-    kubectl executes oidc-login before calling the Kubernetes APIs.
-    oidc-login automatically opens the browser and you can log in to the provider.
-    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
-    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
-
-    ## Standalone mode
-    Run `kubectl oidc-login`.
-    It automatically opens the browser and you can log in to the provider.
-    After authentication, it writes the token to the kubeconfig and you can access the cluster.
-    See https://github.com/int128/kubelogin#standalone-mode for more.
-
-  caveats: |
-    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
-    See https://github.com/int128/kubelogin for more.
-
-  version: {{ env "VERSION" }}
-  platforms:
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
-      sha256: "{{ sha256 .linux_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip
-      sha256: "{{ sha256 .darwin_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: darwin
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_windows_amd64.zip
-      sha256: "{{ sha256 .windows_amd64_archive }}"
-      bin: kubelogin.exe
-      files:
-        - from: kubelogin.exe
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: windows
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
-      sha256: "{{ sha256 .linux_arm_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: arm
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
-      sha256: "{{ sha256 .linux_arm64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: arm64

docs/setup.md

@@ -10,9 +10,16 @@ Let's see the following steps:
 1. Set up the kubeconfig
 1. Verify cluster access
 
-
 ## 1. Set up the OIDC provider
 
+Kubelogin supports the following authentication flows:
+
+- Authorization code flow
+- Device authorization grant
+- Resource owner password credentials grant
+
+See the [usage](usage.md) for the details.
+
 ### Google Identity Platform
 
 You can log in with a Google account.
@@ -24,11 +31,10 @@ Open [Google APIs Console](https://console.developers.google.com/apis/credential
 Check the client ID and secret.
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://accounts.google.com`
-`YOUR_CLIENT_ID`        | `xxx.apps.googleusercontent.com`
-`YOUR_CLIENT_SECRET`    | random string
+| Variable         | Value                            |
+| ---------------- | -------------------------------- |
+| `ISSUER_URL`     | `https://accounts.google.com`    |
+| `YOUR_CLIENT_ID` | `xxx.apps.googleusercontent.com` |
 
 ### Keycloak
 
@@ -39,8 +45,8 @@ Open Keycloak and create an OIDC client as follows:
 
 - Client ID: `YOUR_CLIENT_ID`
 - Valid Redirect URLs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
+  - `http://localhost:8000`
+  - `http://localhost:18000` (used if the port 8000 is already in use)
 - Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
 
 You can associate client roles by adding the following mapper:
@@ -56,11 +62,10 @@ For example, if you have `admin` role of the client, you will get a JWT with the
 
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://keycloak.example.com/auth/realms/YOUR_REALM`
-`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
-`YOUR_CLIENT_SECRET`    | random string
+| Variable         | Value                                                 |
+| ---------------- | ----------------------------------------------------- |
+| `ISSUER_URL`     | `https://keycloak.example.com/auth/realms/YOUR_REALM` |
+| `YOUR_CLIENT_ID` | `YOUR_CLIENT_ID`                                      |
 
 ### Dex with GitHub
 
@@ -77,29 +82,29 @@ Deploy [Dex](https://github.com/dexidp/dex) with the following config:
 ```yaml
 issuer: https://dex.example.com
 connectors:
-- type: github
-  id: github
-  name: GitHub
-  config:
-    clientID: YOUR_GITHUB_CLIENT_ID
-    clientSecret: YOUR_GITHUB_CLIENT_SECRET
-    redirectURI: https://dex.example.com/callback
+  - type: github
+    id: github
+    name: GitHub
+    config:
+      clientID: YOUR_GITHUB_CLIENT_ID
+      clientSecret: YOUR_GITHUB_CLIENT_SECRET
+      redirectURI: https://dex.example.com/callback
 staticClients:
-- id: YOUR_CLIENT_ID
-  name: Kubernetes
-  redirectURIs:
-  - http://localhost:8000
-  - http://localhost:18000
-  secret: YOUR_DEX_CLIENT_SECRET
+  - id: YOUR_CLIENT_ID
+    name: Kubernetes
+    redirectURIs:
+      - http://localhost:8000
+      - http://localhost:18000
+    secret: YOUR_DEX_CLIENT_SECRET
 ```
 
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://dex.example.com`
-`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
-`YOUR_CLIENT_SECRET`    | `YOUR_DEX_CLIENT_SECRET`
+| Variable             | Value                     |
+| -------------------- | ------------------------- |
+| `ISSUER_URL`         | `https://dex.example.com` |
+| `YOUR_CLIENT_ID`     | `YOUR_CLIENT_ID`          |
+| `YOUR_CLIENT_SECRET` | `YOUR_DEX_CLIENT_SECRET`  |
 
 ### Okta
 
@@ -112,20 +117,42 @@ Open your Okta organization and create an application with the following options
 - Application type: Native
 - Initiate login URI: `http://localhost:8000`
 - Login redirect URIs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
+  - `http://localhost:8000`
+  - `http://localhost:18000` (used if the port 8000 is already in use)
 - Allowed grant types: Authorization Code
 - Client authentication: Use PKCE (for public clients)
 
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://YOUR_ORGANIZATION.okta.com`
-`YOUR_CLIENT_ID`        | random string
+| Variable         | Value                                |
+| ---------------- | ------------------------------------ |
+| `ISSUER_URL`     | `https://YOUR_ORGANIZATION.okta.com` |
+| `YOUR_CLIENT_ID` | random string                        |
 
 You do not need to set `YOUR_CLIENT_SECRET`.
 
+If you need `groups` claim for access control,
+see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
+
+### Ping Identity
+
+Login with an account that has permissions to create applications.
+Create an OIDC application with the following configuration:
+
+- Redirect URIs:
+  - `http://localhost:8000`
+  - `http://localhost:18000` (used if the port 8000 is already in use)
+- Grant type: Authorization Code
+- PKCE Enforcement: Required
+
+Leverage the following variables in the next steps.
+
+| Variable         | Value                                             |
+| ---------------- | ------------------------------------------------- |
+| `ISSUER_URL`     | `https://auth.pingone.com/<PingOne Tenant Id>/as` |
+| `YOUR_CLIENT_ID` | random string                                     |
+
+`YOUR_CLIENT_SECRET` is not required for this configuration.
 
 ## 2. Verify authentication
 
@@ -134,8 +161,7 @@ Run the following command:
 ```sh
 kubectl oidc-login setup \
   --oidc-issuer-url=ISSUER_URL \
-  --oidc-client-id=YOUR_CLIENT_ID \
-  --oidc-client-secret=YOUR_CLIENT_SECRET
+  --oidc-client-id=YOUR_CLIENT_ID
 ```
 
 It launches the browser and navigates to `http://localhost:8000`.
@@ -148,7 +174,6 @@ See also the full options.
 kubectl oidc-login setup --help
 ```
 
-
 ## 3. Bind a cluster role
 
 Here bind `cluster-admin` role to you.
@@ -159,7 +184,6 @@ kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin
 
 As well as you can create a custom cluster role and bind it.
 
-
 ## 4. Set up the Kubernetes API server
 
 Add the following flags to kube-apiserver:
@@ -171,41 +195,20 @@ Add the following flags to kube-apiserver:
 
 See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
 
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: ISSUER_URL
-    oidcClientID: YOUR_CLIENT_ID
-```
-
-If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), append the following settings to the `cluster.yaml`:
-
-```yaml
-       oidc:
-         enabled: true
-         issuerUrl: ISSUER_URL
-         clientId: YOUR_CLIENT_ID
-```
-
-
 ## 5. Set up the kubeconfig
 
 Add `oidc` user to the kubeconfig.
 
 ```sh
 kubectl config set-credentials oidc \
-  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-api-version=client.authentication.k8s.io/v1 \
   --exec-command=kubectl \
   --exec-arg=oidc-login \
   --exec-arg=get-token \
   --exec-arg=--oidc-issuer-url=ISSUER_URL \
-  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID
 ```
 
-
 ## 6. Verify cluster access
 
 Make sure you can access the Kubernetes cluster.

docs/standalone-mode.md

@@ -1,9 +1,11 @@
 # Standalone mode
 
-You can run kubelogin as a standalone command.
-In this mode, you need to manually run the command before running kubectl.
+Kubelogin supports the standalone mode as well.
+It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.
 
-Configure the kubeconfig like:
+## Getting started
+
+Configure your kubeconfig like:
 
 ```yaml
 - name: keycloak
@@ -31,7 +33,7 @@ It automatically opens the browser and you can log in to the provider.
 
 After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
 
-```
+```console
 % kubelogin
 Open http://localhost:8000 for authentication
 You got a valid token until 2019-05-18 10:28:51 +0900 JST
@@ -40,7 +42,7 @@ Updated ~/.kubeconfig
 
 Now you can access the cluster.
 
-```
+```console
 % kubectl get pods
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
@@ -50,21 +52,21 @@ Your kubeconfig looks like:
 
 ```yaml
 users:
-- name: keycloak
-  user:
-    auth-provider:
-      config:
-        client-id: YOUR_CLIENT_ID
-        client-secret: YOUR_CLIENT_SECRET
-        idp-issuer-url: https://issuer.example.com
-        id-token: ey...       # kubelogin will add or update the ID token here
-        refresh-token: ey...  # kubelogin will add or update the refresh token here
-      name: oidc
+  - name: keycloak
+    user:
+      auth-provider:
+        config:
+          client-id: YOUR_CLIENT_ID
+          client-secret: YOUR_CLIENT_SECRET
+          idp-issuer-url: https://issuer.example.com
+          id-token: ey... # kubelogin will add or update the ID token here
+          refresh-token: ey... # kubelogin will add or update the refresh token here
+        name: oidc
 ```
 
 If the ID token is valid, kubelogin does nothing.
 
-```
+```console
 % kubelogin
 You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 ```
@@ -72,64 +74,8 @@ You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
 If the refresh token has expired, kubelogin will proceed the authentication.
 
-
 ## Usage
 
-Kubelogin supports the following options:
-
-```
-% kubectl oidc-login -h
-Login to the OpenID Connect provider.
-
-You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
-Run the following command to show the setup instruction:
-
-	kubectl oidc-login setup
-
-See https://github.com/int128/kubelogin for more.
-
-Usage:
-  main [flags]
-  main [command]
-
-Available Commands:
-  get-token   Run as a kubectl credential plugin
-  help        Help about any command
-  setup       Show the setup instruction
-  version     Print the version information
-
-Flags:
-      --kubeconfig string                               Path to the kubeconfig file
-      --context string                                  The name of the kubeconfig context to use
-      --user string                                     The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string                    Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
-      --listen-port ints                                (Deprecated: use --listen-address)
-      --skip-open-browser                               If true, it does not open the browser on authentication
-      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
-      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
-      --username string                                 If set, perform the resource owner password credentials grant
-      --password string                                 If set, use the password instead of asking it
-      --add_dir_header                                  If true, adds the file directory to the header
-      --alsologtostderr                                 log to standard error as well as files
-      --log_backtrace_at traceLocation                  when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                                  If non-empty, write log files in this directory
-      --log_file string                                 If non-empty, use this log file
-      --log_file_max_size uint                          Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                                     log to standard error instead of files (default true)
-      --skip_headers                                    If true, avoid header prefixes in the log messages
-      --skip_log_headers                                If true, avoid headers when opening log files
-      --stderrthreshold severity                        logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                                         number for the log level verbosity
-      --vmodule moduleSpec                              comma-separated list of pattern=N settings for file-filtered logging
-  -h, --help                                            help for kubelogin
-      --version                                         version for kubelogin
-```
-
-### Kubeconfig
-
 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
 It defaults to `~/.kube/config`.
 
@@ -146,37 +92,15 @@ If you set multiple files, kubelogin will find the file which has the current au
 Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
 See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
 
-Key | Direction | Value
-----|-----------|------
-`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
-`client-id`                       | Read (Mandatory) | Client ID of the provider.
-`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
-`idp-certificate-authority`       | Read | CA certificate path of the provider.
-`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
-`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
-`id-token`                        | Write | ID token got from the provider.
-`refresh-token`                   | Write | Refresh token got from the provider.
+| Key                              | Direction        | Value                                                |
+| -------------------------------- | ---------------- | ---------------------------------------------------- |
+| `idp-issuer-url`                 | Read (Mandatory) | Issuer URL of the provider.                          |
+| `client-id`                      | Read (Mandatory) | Client ID of the provider.                           |
+| `client-secret`                  | Read (Mandatory) | Client Secret of the provider.                       |
+| `idp-certificate-authority`      | Read             | CA certificate path of the provider.                 |
+| `idp-certificate-authority-data` | Read             | Base64 encoded CA certificate of the provider.       |
+| `extra-scopes`                   | Read             | Scopes to request to the provider (comma separated). |
+| `id-token`                       | Write            | ID token got from the provider.                      |
+| `refresh-token`                  | Write            | Refresh token got from the provider.                 |
 
-### Extra scopes
-
-You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
-```
-
-Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
-sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
-```
-
-### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```sh
-kubectl config set-credentials keycloak \
-  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
-```
+See also [usage.md](usage.md).

docs/usage.md

@@ -0,0 +1,328 @@
+# Usage
+
+Kubelogin supports the following options:
+
+```
+Usage:
+  kubelogin get-token [flags]
+
+Flags:
+      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
+      --oidc-client-id string                           Client ID of the provider (mandatory)
+      --oidc-client-secret string                       Client secret of the provider
+      --oidc-extra-scope strings                        Scopes to request to the provider
+      --oidc-use-access-token                           Instead of using the id_token, use the access_token to authenticate to Kubernetes
+      --force-refresh                                   If set, refresh the ID token regardless of its expiration time
+      --token-cache-dir string                          Path to a directory of the token cache (default "~/.kube/cache/oidc-login")
+      --token-cache-storage string                      Storage for the token cache. One of (auto|keyring|disk) (default "auto")
+      --certificate-authority stringArray               Path to a cert file for the certificate authority
+      --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
+      --insecure-skip-tls-verify                        [SECURITY RISK] If set, the server's certificate will not be checked for validity
+      --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
+      --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
+      --oidc-pkce-method string                         PKCE code challenge method. Automatically determined by default. One of (auto|no|S256) (default "auto")
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code) (default "auto")
+      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --skip-open-browser                               [authcode] Do not open the browser automatically
+      --browser-command string                          [authcode] Command to open the browser
+      --authentication-timeout-sec int                  [authcode] Timeout of authentication in seconds (default 180)
+      --local-server-cert string                        [authcode] Certificate path for the local server
+      --local-server-key string                         [authcode] Certificate key path for the local server
+      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
+      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
+      --oidc-redirect-url-authcode-keyboard string      [authcode-keyboard] Redirect URL (default "urn:ietf:wg:oauth:2.0:oob")
+      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
+      --username string                                 [password] Username for resource owner password credentials grant
+      --password string                                 [password] Password for resource owner password credentials grant
+  -h, --help                                            help for get-token
+
+Global Flags:
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+Here is the sequence diagram of the credential plugin.
+
+```mermaid
+sequenceDiagram
+  actor User
+  User ->>+ kubectl: Run
+  kubectl ->>+ kubelogin: Run the plugin
+  kubelogin ->>+ Provider: Authentication request
+  Note over User, Provider: Browser interaction
+  Provider -->>- kubelogin: Authentication response
+  kubelogin ->>+ Provider: Token request
+  Provider -->>- kubelogin: Token response
+  kubelogin -->>- kubectl: Credential
+  kubectl ->>+ kube-apiserver: Request with the credential
+  kube-apiserver -->>- kubectl: Response
+  kubectl -->>- User: Response
+```
+
+## Options
+
+### Authentication timeout
+
+By default, you need to log in to your provider in the browser within 3 minutes.
+This prevents a process from remaining forever.
+You can change the timeout by the following flag:
+
+```yaml
+- --authentication-timeout-sec=60
+```
+
+For now this timeout works only for the authorization code flow.
+
+### Extra scopes
+
+You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
+
+```yaml
+- --oidc-extra-scope=email
+- --oidc-extra-scope=profile
+```
+
+### PKCE
+
+Kubelogin automatically uses the PKCE if the provider supports it.
+It determines the code challenge method by the `code_challenge_methods_supported` claim of the OpenID Connect Discovery document.
+
+If your provider does not return a valid `code_challenge_methods_supported` claim,
+you can enforce the code challenge method by `--oidc-pkce-method`.
+
+```yaml
+- --oidc-pkce-method=S256
+```
+
+For the most providers, you don't need to set this option explicitly.
+
+### CA certificate
+
+You can use your self-signed certificate for the provider.
+
+```yaml
+- --certificate-authority=/home/user/.kube/keycloak-ca.pem
+- --certificate-authority-data=LS0t...
+```
+
+### HTTP proxy
+
+You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
+See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
+
+### Token cache
+
+Kubelogin stores the token cache to the OS keyring if available.
+It depends on [zalando/go-keyring](https://github.com/zalando/go-keyring) for the keyring storage.
+
+If you encounter a problem, try `--token-cache-storage` to set the storage.
+
+```yaml
+# Force to use the OS keyring
+- --token-cache-storage=keyring
+# Force to use the file system
+- --token-cache-storage=disk
+```
+
+### Home directory expansion
+
+If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
+
+- `--certificate-authority`
+- `--local-server-cert`
+- `--local-server-key`
+- `--token-cache-dir`
+
+## Authentication flows
+
+Kubelogin support the following flows:
+
+- [Authorization code flow](#authorization-code-flow)
+- [Authorization code flow with a keyboard](#authorization-code-flow-with-a-keyboard)
+- [Device authorization grant](#device-authorization-grant)
+- [Resource owner password credentials grant](#resource-owner-password-credentials-grant)
+
+### Authorization code flow
+
+Kubelogin performs the [authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) by default.
+
+It starts the local server at port 8000 or 18000 by default.
+You need to register the following redirect URIs to the provider:
+
+- `http://localhost:8000`
+- `http://localhost:18000` (used if port 8000 is already in use)
+
+You can change the listening address.
+
+```yaml
+- --listen-address=127.0.0.1:12345
+- --listen-address=127.0.0.1:23456
+```
+
+You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
+
+```yaml
+- --local-server-cert=localhost.crt
+- --local-server-key=localhost.key
+```
+
+You can change the hostname of redirect URI from the default value `localhost`.
+
+```yaml
+- --oidc-redirect-url-hostname=127.0.0.1
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+- --oidc-auth-request-extra-params=ttl=86400
+```
+
+When authentication completed, kubelogin shows a message to close the browser.
+You can change the URL to show after authentication.
+
+```yaml
+- --open-url-after-authentication=https://example.com/success.html
+```
+
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
+
+```yaml
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
+```
+
+### Authorization code flow with a keyboard
+
+If you cannot access the browser, instead use the authorization code flow with a keyboard.
+
+```yaml
+- --grant-type=authcode-keyboard
+```
+
+Kubelogin will show the URL and prompt.
+Open the URL in the browser and then copy the code shown.
+
+```
+% kubectl get pods
+Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
+Enter code: YOUR_CODE
+```
+
+The default of redirect URI is `urn:ietf:wg:oauth:2.0:oob`.
+You can overwrite it.
+
+```yaml
+- oidc-redirect-url-authcode-keyboard=http://localhost
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+- --oidc-auth-request-extra-params=ttl=86400
+```
+
+### Device authorization grant
+
+Kubelogin performs the [device authorization grant](https://tools.ietf.org/html/rfc8628) when `--grant-type=device-code` is set.
+
+```yaml
+- --grant-type=device-code
+```
+
+It automatically opens the browser.
+If the provider returns the `verification_uri_complete` parameter, you don't need to enter the code.
+Otherwise, you need to enter the code shown.
+
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
+
+```yaml
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
+```
+
+### Resource owner password credentials grant
+
+Kubelogin performs the resource owner password credentials grant
+when `--grant-type=password` or `--username` is set.
+
+Note that most OIDC providers do not support this grant.
+Keycloak supports this grant but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+
+You can set the username and password.
+
+```yaml
+- --username=USERNAME
+- --password=PASSWORD
+```
+
+If the password is not set, kubelogin will show the prompt for the password.
+
+```yaml
+- --username=USERNAME
+```
+
+```
+% kubectl get pods
+Password:
+```
+
+If the username is not set, kubelogin will show the prompt for the username and password.
+
+```yaml
+- --grant-type=password
+```
+
+```
+% kubectl get pods
+Username: foo
+Password:
+```
+
+## Run in Docker
+
+You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
+The kubeconfig looks like:
+
+```yaml
+users:
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: docker
+        args:
+          - run
+          - --rm
+          - -v
+          - /tmp/.token-cache:/.token-cache
+          - -p
+          - 8000:8000
+          - ghcr.io/int128/kubelogin
+          - get-token
+          - --token-cache-dir=/.token-cache
+          - --listen-address=0.0.0.0:8000
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
+          - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Known limitations:
+
+- It cannot open the browser automatically.
+- The container port and listen port must be equal for consistency of the redirect URI.

go.mod

@@ -1,26 +1,66 @@
 module github.com/int128/kubelogin
 
-go 1.12
+go 1.23.5
 
 require (
-	github.com/chromedp/chromedp v0.5.3
-	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/golang/mock v1.4.3
-	github.com/google/go-cmp v0.4.1
-	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.11.0
-	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v1.0.0
+	github.com/chromedp/chromedp v0.11.2
+	github.com/coreos/go-oidc/v3 v3.12.0
+	github.com/gofrs/flock v0.12.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/google/go-cmp v0.6.0
+	github.com/google/wire v0.6.0
+	github.com/int128/oauth2cli v1.14.1
+	github.com/int128/oauth2dev v1.0.1
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
-	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
-	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/apimachinery v0.18.3
-	k8s.io/client-go v0.18.3
-	k8s.io/klog v1.0.0
+	github.com/stretchr/testify v1.10.0
+	github.com/zalando/go-keyring v0.2.6
+	golang.org/x/oauth2 v0.25.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.28.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
+	k8s.io/klog/v2 v2.130.1
+)
+
+require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
+	github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb // indirect
+	github.com/chromedp/sysutil v1.1.0 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gobwas/httphead v0.1.0 // indirect
+	github.com/gobwas/pool v0.2.1 // indirect
+	github.com/gobwas/ws v1.4.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/int128/listener v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -1,342 +1,237 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
-github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
-github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/chromedp/cdproto v0.0.0-20200116234248-4da64dd111ac h1:T7V5BXqnYd55Hj/g5uhDYumg9Fp3rMTS6bykYtTIFX4=
-github.com/chromedp/cdproto v0.0.0-20200116234248-4da64dd111ac/go.mod h1:PfAWWKJqjlGFYJEidUM6aVIWPr0EpobeyVWEEmplX7g=
-github.com/chromedp/chromedp v0.5.3 h1:F9LafxmYpsQhWQBdCs+6Sret1zzeeFyHS5LkRF//Ffg=
-github.com/chromedp/chromedp v0.5.3/go.mod h1:YLdPtndaHQ4rCpSpBG+IPpy9JvX0VD+7aaLxYgYj28w=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
-github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
-github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb h1:noKVm2SsG4v0Yd0lHNtFYc9EUxIVvrr4kJ6hM8wvIYU=
+github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb/go.mod h1:4XqMl3iIW08jtieURWL6Tt5924w21pxirC6th662XUM=
+github.com/chromedp/chromedp v0.11.2 h1:ZRHTh7DjbNTlfIv3NFTbB7eVeu5XCNkgrpcGSpn2oX0=
+github.com/chromedp/chromedp v0.11.2/go.mod h1:lr8dFRLKsdTTWb75C/Ttol2vnBKOSnt0BW8R9Xaupi8=
+github.com/chromedp/sysutil v1.1.0 h1:PUFNv5EcprjqXZD9nJb9b/c9ibAbxiYo4exNWZyipwM=
+github.com/chromedp/sysutil v1.1.0/go.mod h1:WiThHUdltqCNKGc4gaU50XgYjwjYIhKWoHGPTUfWTJ8=
+github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
+github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
-github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
-github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8=
-github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
-github.com/gobwas/ws v1.0.2 h1:CoAavW/wd/kulfZmSIBt6p24n4j7tHgNVCjsfHVNUbo=
-github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/gobwas/httphead v0.1.0 h1:exrUm0f4YX0L7EBwZHuCF4GDp8aJfVeBrlLQrs6NqWU=
+github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
+github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
+github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
+github.com/gobwas/ws v1.4.0 h1:CTaoG1tojrh4ucGPcoJFiAQUAsEWekEWvLy7GsVNqGs=
+github.com/gobwas/ws v1.4.0/go.mod h1:G3gNqMNtPppf5XUz7O4shetPpcZ1VJ7zt18dlUeakrc=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1 h1:/exdXoGamhu5ONeUJH0deniYLWYvQwW66yvlfiiKTu0=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/wire v0.4.0 h1:kXcsA/rIGzJImVqPdhfnr6q0xsS9gU0515q1EPpJ9fE=
-github.com/google/wire v0.4.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
-github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
-github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
-github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/wire v0.6.0 h1:HBkoIh4BdSxoyo9PveV8giw7ZsaBOvzWKfcg/6MrVwI=
+github.com/google/wire v0.6.0/go.mod h1:F4QhpQ9EDIdJ1Mbop/NZBRB+5yrR6qg3BnctaoUk6NA=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
 github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
-github.com/int128/oauth2cli v1.11.0 h1:yohafseIxX8xESedQOxB3rpuuodDowYiPaTFMpqPP3Q=
-github.com/int128/oauth2cli v1.11.0/go.mod h1:O3Tjuj1cyQCuM11KbH2ffh0O6LRX0+O97Z3InsY0M3g=
-github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
-github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/int128/oauth2cli v1.14.1 h1:MxkiSSMT1RcsVKxyzaJYGgmMXvGWPXTMduhG4a1OqTs=
+github.com/int128/oauth2cli v1.14.1/go.mod h1:ha/eC3cUAixVzJ0V+voMRNQejLWGvk49AWDWN4Gawsk=
+github.com/int128/oauth2dev v1.0.1 h1:TWokv4obxKuRZXvcXFMOYcaAcdZ/rcZYcbjkJNu+6Ek=
+github.com/int128/oauth2dev v1.0.1/go.mod h1:caoxoXz7nlt2nc7/o3GKgGCyuruOAmsViPSRmrUmV9o=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/knq/sysutil v0.0.0-20191005231841-15668db23d08 h1:V0an7KRw92wmJysvFvtqtKMAPmvS5O0jtB0nYo6t+gs=
-github.com/knq/sysutil v0.0.0-20191005231841-15668db23d08/go.mod h1:dFWs1zEqDjFtnBXsd1vPOZaLsESovai349994nHx3e0=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
-github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80 h1:6Yzfa6GP0rIo/kULo2bwGEkFvCePZ3qHDDTC3/J9Swo=
+github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 h1:49lOXmGaUpV9Fz3gd7TFZY106KVlPVa5jcYD1gaQf98=
-github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde h1:x0TT0RDC7UhAVbbWWBzr41ElhJx5tXPWkIHA2HWPRuw=
+github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
-github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8=
-github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
-github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
-golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
-gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
-gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0=
-k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA=
-k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk=
-k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
-k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k=
-k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw=
-k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
-k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU=
-k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
-sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
+k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
+k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
+k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
+k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

integration_test/clean_test.go

@@ -0,0 +1,28 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+func TestClean(t *testing.T) {
+	tokenCacheDir := t.TempDir()
+
+	cmd := di.NewCmdForHeadless(clock.Fake(time.Now()), os.Stdin, os.Stdout, logger.New(t), httpdriver.Zero(t))
+	exitCode := cmd.Run(context.TODO(), []string{
+		"kubelogin",
+		"clean",
+		"--token-cache-dir", tokenCacheDir,
+		"--token-cache-storage", "disk",
+	}, "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}

integration_test/credetial_plugin_test.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -14,8 +13,9 @@ import (
 	"github.com/int128/kubelogin/integration_test/httpdriver"
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
-	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -28,19 +28,10 @@ import (
 // 2. Run the Cmd.
 // 3. Open a request for the local server.
 // 4. Verify the output.
-//
 func TestCredentialPlugin(t *testing.T) {
-	timeout := 3 * time.Second
+	timeout := 10 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
-	tokenCacheDir, err := ioutil.TempDir("", "kube")
-	if err != nil {
-		t.Fatalf("could not create a cache dir: %s", err)
-	}
-	defer func() {
-		if err := os.RemoveAll(tokenCacheDir); err != nil {
-			t.Errorf("could not clean up the cache dir: %s", err)
-		}
-	}()
+	tokenCacheDir := t.TempDir()
 
 	for name, tc := range map[string]struct {
 		keyPair keypair.KeyPair
@@ -52,53 +43,59 @@ func TestCredentialPlugin(t *testing.T) {
 			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
 		},
 	} {
+		httpDriverConfig := httpdriver.Config{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
-						Scope:             "openid",
-						RedirectURIPrefix: "http://localhost:",
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:               "openid",
+						RedirectURIPrefix:   "http://localhost:",
+						CodeChallengeMethod: "S256",
 					},
-					Response: oidcserver.Response{
-						IDTokenExpiry: now.Add(time.Hour),
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
-					issuerURL:     sv.IssuerURL(),
-					httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+					issuerURL:     svc.IssuerURL(),
+					httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 					now:           now,
 					stdout:        &stdout,
 					args:          tc.args,
 				})
-				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 			})
 
 			t.Run("ROPC", func(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
-						IDTokenExpiry: now.Add(time.Hour),
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
-					issuerURL:     sv.IssuerURL(),
+					issuerURL:     svc.IssuerURL(),
 					httpDriver:    httpdriver.Zero(t),
 					now:           now,
 					stdout:        &stdout,
@@ -107,172 +104,205 @@ func TestCredentialPlugin(t *testing.T) {
 						"--password", "PASS1",
 					}, tc.args...),
 				})
-				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 			})
 
 			t.Run("TokenCacheLifecycle", func(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
-				defer sv.Shutdown(t, ctx)
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{})
 
 				t.Run("NoCache", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
-							Scope:             "openid",
-							RedirectURIPrefix: "http://localhost:",
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:               "openid",
+							RedirectURIPrefix:   "http://localhost:",
+							CodeChallengeMethod: "S256",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(time.Hour),
-							RefreshToken:  "REFRESH_TOKEN_1",
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_1",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					svc.SetConfig(testconfig.Config{})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
+						issuerURL:     svc.IssuerURL(),
 						httpDriver:    httpdriver.Zero(t),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(3 * time.Hour),
-							RefreshToken:  "REFRESH_TOKEN_2",
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(3 * time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_2",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now.Add(2 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(3*time.Hour))
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(5 * time.Hour),
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(5 * time.Hour),
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now.Add(4 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(5*time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(5*time.Hour))
 				})
 			})
 		})
 	}
 
 	t.Run("PKCE", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:               "openid",
-				RedirectURIPrefix:   "http://localhost:",
-				CodeChallengeMethod: "S256",
-			},
-			Response: oidcserver.Response{
-				IDTokenExpiry:                 now.Add(time.Hour),
-				CodeChallengeMethodsSupported: []string{"plain", "S256"},
-			},
+		t.Run("Not supported by provider", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 		})
-		defer sv.Shutdown(t, ctx)
-		var stdout bytes.Buffer
-		runGetToken(t, ctx, getTokenConfig{
-			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
-			now:           now,
-			stdout:        &stdout,
+
+		t.Run("Enforce", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "S256",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+				args:          []string{"--oidc-use-pkce"},
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("TLSData", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, keypair.Server.TLSConfig),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("ExtraScopes", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "email profile openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "email profile openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -280,58 +310,120 @@ func TestCredentialPlugin(t *testing.T) {
 				"--oidc-extra-scope", "profile",
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "URL=https://example.com/success"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("RedirectURLHostname", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://127.0.0.1:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://127.0.0.1:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("RedirectURLHTTPS", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "https://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     svc.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{
+				TLSConfig:    keypair.Server.TLSConfig,
+				BodyContains: "Authenticated",
+			}),
+			now:    now,
+			stdout: &stdout,
+			args: []string{
+				"--local-server-cert", keypair.Server.CertPath,
+				"--local-server-key", keypair.Server.KeyPath,
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("ExtraParams", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 				ExtraParams: map[string]string{
 					"ttl":    "86400",
 					"reauth": "false",
 				},
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, nil),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -339,7 +431,7 @@ func TestCredentialPlugin(t *testing.T) {
 				"--oidc-auth-request-extra-params", "reauth=false",
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 }
 
@@ -358,6 +450,7 @@ func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
 		"kubelogin",
 		"get-token",
 		"--token-cache-dir", cfg.tokenCacheDir,
+		"--token-cache-storage", "disk",
 		"--oidc-issuer-url", cfg.issuerURL,
 		"--oidc-client-id", "kubernetes",
 		"--listen-address", "127.0.0.1:0",

integration_test/httpdriver/http_driver.go

@@ -4,13 +4,20 @@ package httpdriver
 import (
 	"context"
 	"crypto/tls"
+	"io"
 	"net/http"
+	"strings"
 	"testing"
 )
 
+type Config struct {
+	TLSConfig    *tls.Config
+	BodyContains string
+}
+
 // New returns a client to simulate browser access.
-func New(ctx context.Context, t *testing.T, tlsConfig *tls.Config) *client {
-	return &client{ctx, t, tlsConfig}
+func New(ctx context.Context, t *testing.T, config Config) *client {
+	return &client{ctx, t, config}
 }
 
 // Zero returns a client which call is not expected.
@@ -19,13 +26,13 @@ func Zero(t *testing.T) *zeroClient {
 }
 
 type client struct {
-	ctx       context.Context
-	t         *testing.T
-	tlsConfig *tls.Config
+	ctx    context.Context
+	t      *testing.T
+	config Config
 }
 
 func (c *client) Open(url string) error {
-	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.tlsConfig}}
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.config.TLSConfig}}
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		c.t.Errorf("could not create a request: %s", err)
@@ -41,9 +48,22 @@ func (c *client) Open(url string) error {
 	if resp.StatusCode != 200 {
 		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
 	}
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		c.t.Errorf("could not read body: %s", err)
+		return nil
+	}
+	body := string(b)
+	if !strings.Contains(body, c.config.BodyContains) {
+		c.t.Errorf("body should contain %s but was %s", c.config.BodyContains, body)
+	}
 	return nil
 }
 
+func (c *client) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
+
 type zeroClient struct {
 	t *testing.T
 }
@@ -52,3 +72,7 @@ func (c *zeroClient) Open(url string) error {
 	c.t.Errorf("unexpected function call Open(%s)", url)
 	return nil
 }
+
+func (c *zeroClient) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}

integration_test/keypair/keypair.go

@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 )
@@ -50,7 +49,7 @@ func readAsBase64(name string) string {
 }
 
 func newTLSConfig(name string) *tls.Config {
-	b, err := ioutil.ReadFile(name)
+	b, err := os.ReadFile(name)
 	if err != nil {
 		panic(err)
 	}

integration_test/kubeconfig/kubeconfig.go

@@ -2,11 +2,11 @@ package kubeconfig
 
 import (
 	"html/template"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // Values represents values in .kubeconfig template.
@@ -22,7 +22,8 @@ type Values struct {
 // Create creates a kubeconfig file and returns path to it.
 func Create(t *testing.T, v *Values) string {
 	t.Helper()
-	f, err := ioutil.TempFile("", "kubeconfig")
+	name := filepath.Join(t.TempDir(), "kubeconfig")
+	f, err := os.Create(name)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -34,7 +35,7 @@ func Create(t *testing.T, v *Values) string {
 	if err := tpl.Execute(f, v); err != nil {
 		t.Fatal(err)
 	}
-	return f.Name()
+	return name
 }
 
 type AuthProviderConfig struct {

integration_test/oidcserver/handler/handler.go

@@ -1,35 +1,39 @@
-// Package handler provides a HTTP handler for the OpenID Connect Provider.
+// Package handler provides HTTP handlers for the OpenID Connect Provider.
 package handler
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"testing"
 
-	"golang.org/x/xerrors"
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
 )
 
-func New(t *testing.T, provider Provider) *Handler {
-	return &Handler{t, provider}
+func Register(t *testing.T, mux *http.ServeMux, provider service.Provider) {
+	h := &Handlers{t, provider}
+	mux.HandleFunc("GET /.well-known/openid-configuration", h.Discovery)
+	mux.HandleFunc("GET /certs", h.GetCertificates)
+	mux.HandleFunc("GET /auth", h.AuthenticateCode)
+	mux.HandleFunc("POST /token", h.Exchange)
 }
 
-// Handler provides a HTTP handler for the OpenID Connect Provider.
+// Handlers provides HTTP handlers for the OpenID Connect Provider.
 // You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
-type Handler struct {
+type Handlers struct {
 	t        *testing.T
-	provider Provider
+	provider service.Provider
 }
 
-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	wr := &responseWriterRecorder{w, 200}
-	err := h.serveHTTP(wr, r)
+func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func() error) {
+	err := f()
 	if err == nil {
-		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
 		return
 	}
-	if errResp := new(ErrorResponse); xerrors.As(err, &errResp) {
+	if errResp := new(service.ErrorResponse); errors.As(err, &errResp) {
 		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(400)
@@ -43,38 +47,35 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	http.Error(w, err.Error(), 500)
 }
 
-type responseWriterRecorder struct {
-	http.ResponseWriter
-	statusCode int
-}
-
-func (w *responseWriterRecorder) WriteHeader(statusCode int) {
-	w.ResponseWriter.WriteHeader(statusCode)
-	w.statusCode = statusCode
-}
-
-func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
-	m := r.Method
-	p := r.URL.Path
-	switch {
-	case m == "GET" && p == "/.well-known/openid-configuration":
+func (h *Handlers) Discovery(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
+			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/certs":
+		return nil
+	})
+}
+
+func (h *Handlers) GetCertificates(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
+			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/auth":
+		return nil
+	})
+}
+
+func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		q := r.URL.Query()
 		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
-		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+		code, err := h.provider.AuthenticateCode(service.AuthenticationRequest{
 			RedirectURI:         redirectURI,
 			State:               state,
 			Scope:               q.Get("scope"),
@@ -84,28 +85,37 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			RawQuery:            q,
 		})
 		if err != nil {
-			return xerrors.Errorf("authentication error: %w", err)
+			return fmt.Errorf("authentication error: %w", err)
 		}
-		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
-		http.Redirect(w, r, to, 302)
-	case m == "POST" && p == "/token":
+		redirectTo, err := url.Parse(redirectURI)
+		if err != nil {
+			return fmt.Errorf("invalid redirect_uri: %w", err)
+		}
+		redirectTo.RawQuery = url.Values{"state": {state}, "code": {code}}.Encode()
+		http.Redirect(w, r, redirectTo.String(), http.StatusFound)
+		return nil
+	})
+}
+
+func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		if err := r.ParseForm(); err != nil {
-			return xerrors.Errorf("could not parse the form: %w", err)
+			return fmt.Errorf("could not parse the form: %w", err)
 		}
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
 		case "authorization_code":
-			tokenResponse, err := h.provider.Exchange(TokenRequest{
+			tokenResponse, err := h.provider.Exchange(service.TokenRequest{
 				Code:         r.Form.Get("code"),
 				CodeVerifier: r.Form.Get("code_verifier"),
 			})
 			if err != nil {
-				return xerrors.Errorf("token request error: %w", err)
+				return fmt.Errorf("token request error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		case "password":
 			// 4.3. Resource Owner Password Credentials Grant
@@ -113,12 +123,12 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
 			tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
 			if err != nil {
-				return xerrors.Errorf("authentication error: %w", err)
+				return fmt.Errorf("authentication error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		case "refresh_token":
 			// 12.1. Refresh Request
@@ -126,23 +136,21 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			refreshToken := r.Form.Get("refresh_token")
 			tokenResponse, err := h.provider.Refresh(refreshToken)
 			if err != nil {
-				return xerrors.Errorf("token refresh error: %w", err)
+				return fmt.Errorf("token refresh error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		default:
 			// 5.2. Error Response
 			// https://tools.ietf.org/html/rfc6749#section-5.2
-			return &ErrorResponse{
+			return &service.ErrorResponse{
 				Code:        "invalid_grant",
 				Description: fmt.Sprintf("unknown grant_type %s", grantType),
 			}
 		}
-	default:
-		http.NotFound(w, r)
-	}
-	return nil
+		return nil
+	})
 }

integration_test/oidcserver/http/http.go

@@ -1,78 +0,0 @@
-// Package http provides a http server running on localhost for testing.
-package http
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"testing"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-)
-
-type Shutdowner interface {
-	Shutdown(t *testing.T, ctx context.Context)
-}
-
-type shutdowner struct {
-	s *http.Server
-}
-
-func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
-	if err := s.s.Shutdown(ctx); err != nil {
-		t.Errorf("could not shutdown the server: %s", err)
-	}
-}
-
-func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
-	if k == keypair.None {
-		return startNoTLS(t, h)
-	}
-	return startTLS(t, h, k)
-}
-
-func startNoTLS(t *testing.T, h http.Handler) (string, *shutdowner) {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "http://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.Serve(l)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	return url, &shutdowner{s}
-}
-
-func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, *shutdowner) {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "https://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.ServeTLS(l, k.CertPath, k.KeyPath)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	return url, &shutdowner{s}
-}
-
-func newLocalhostListener(t *testing.T) (net.Listener, string) {
-	t.Helper()
-	l, err := net.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatalf("Could not create a listener: %s", err)
-	}
-	addr := l.Addr().String()
-	_, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		t.Fatalf("Could not parse the address %s: %s", addr, err)
-	}
-	return l, port
-}

integration_test/oidcserver/oidcserver.go

@@ -0,0 +1,54 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+)
+
+// New starts a server for the OpenID Connect provider.
+func New(t *testing.T, kp keypair.KeyPair, config testconfig.Config) service.Service {
+	mux := http.NewServeMux()
+	serverURL := startServer(t, mux, kp)
+
+	svc := service.New(t, serverURL, config)
+	handler.Register(t, mux, svc)
+	return svc
+}
+
+func startServer(t *testing.T, h http.Handler, kp keypair.KeyPair) string {
+	if kp == keypair.None {
+		srv := httptest.NewServer(h)
+		t.Cleanup(srv.Close)
+		return srv.URL
+	}
+
+	// Unfortunately, httptest package did not work with keypair.KeyPair.
+	// We use httptest package only for allocating a new port.
+	portAllocator := httptest.NewUnstartedServer(h)
+	t.Cleanup(portAllocator.Close)
+	serverURL := fmt.Sprintf("https://localhost:%d", portAllocator.Listener.Addr().(*net.TCPAddr).Port)
+	srv := &http.Server{Handler: h}
+	go func() {
+		err := srv.ServeTLS(portAllocator.Listener, kp.CertPath, kp.KeyPath)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			t.Error(err)
+		}
+	}()
+	t.Cleanup(func() {
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return serverURL
+}

integration_test/oidcserver/server.go

@@ -1,217 +0,0 @@
-// Package oidcserver provides a stub of OpenID Connect provider.
-package oidcserver
-
-import (
-	"crypto/sha256"
-	"encoding/base64"
-	"math/big"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
-	"github.com/int128/kubelogin/integration_test/oidcserver/http"
-	"github.com/int128/kubelogin/pkg/testing/jwt"
-	"golang.org/x/xerrors"
-)
-
-type Server interface {
-	http.Shutdowner
-	IssuerURL() string
-	SetConfig(Config)
-	LastTokenResponse() *handler.TokenResponse
-}
-
-// Want represents a set of expected values.
-type Want struct {
-	Scope               string
-	RedirectURIPrefix   string
-	CodeChallengeMethod string            // optional
-	ExtraParams         map[string]string // optional
-	Username            string            // optional
-	Password            string            // optional
-	RefreshToken        string            // optional
-}
-
-// Response represents a set of response values.
-type Response struct {
-	IDTokenExpiry                 time.Time
-	RefreshToken                  string
-	RefreshError                  string   // if set, Refresh() will return the error
-	CodeChallengeMethodsSupported []string // optional
-}
-
-// Config represents a configuration of the OpenID Connect provider.
-type Config struct {
-	Want     Want
-	Response Response
-}
-
-// New starts a HTTP server for the OpenID Connect provider.
-func New(t *testing.T, k keypair.KeyPair, c Config) Server {
-	sv := server{Config: c, t: t}
-	sv.issuerURL, sv.Shutdowner = http.Start(t, handler.New(t, &sv), k)
-	return &sv
-}
-
-type server struct {
-	Config
-	http.Shutdowner
-	t                         *testing.T
-	issuerURL                 string
-	lastAuthenticationRequest *handler.AuthenticationRequest
-	lastTokenResponse         *handler.TokenResponse
-}
-
-func (sv *server) IssuerURL() string {
-	return sv.issuerURL
-}
-
-func (sv *server) SetConfig(cfg Config) {
-	sv.Config = cfg
-}
-
-func (sv *server) LastTokenResponse() *handler.TokenResponse {
-	return sv.lastTokenResponse
-}
-
-func (sv *server) Discovery() *handler.DiscoveryResponse {
-	// based on https://accounts.google.com/.well-known/openid-configuration
-	return &handler.DiscoveryResponse{
-		Issuer:                            sv.issuerURL,
-		AuthorizationEndpoint:             sv.issuerURL + "/auth",
-		TokenEndpoint:                     sv.issuerURL + "/token",
-		JwksURI:                           sv.issuerURL + "/certs",
-		UserinfoEndpoint:                  sv.issuerURL + "/userinfo",
-		RevocationEndpoint:                sv.issuerURL + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     sv.Config.Response.CodeChallengeMethodsSupported,
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
-func (sv *server) GetCertificates() *handler.CertificatesResponse {
-	idTokenKeyPair := jwt.PrivateKey
-	return &handler.CertificatesResponse{
-		Keys: []*handler.CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
-}
-
-func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
-	if req.Scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
-	}
-	if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
-		sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
-	}
-	if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
-		sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
-	}
-	for k, v := range sv.Want.ExtraParams {
-		got := req.RawQuery.Get(k)
-		if got != v {
-			sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
-		}
-	}
-	sv.lastAuthenticationRequest = &req
-	return "YOUR_AUTH_CODE", nil
-}
-
-func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
-	if req.Code != "YOUR_AUTH_CODE" {
-		return nil, xerrors.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
-	}
-	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
-		// https://tools.ietf.org/html/rfc7636#section-4.6
-		challenge := computeS256Challenge(req.CodeVerifier)
-		if challenge != sv.lastAuthenticationRequest.CodeChallenge {
-			sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
-		}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-			claims.Nonce = sv.lastAuthenticationRequest.Nonce
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func computeS256Challenge(verifier string) string {
-	c := sha256.Sum256([]byte(verifier))
-	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
-}
-
-func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
-	if scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
-	}
-	if username != sv.Want.Username {
-		sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
-	}
-	if password != sv.Want.Password {
-		sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
-	if refreshToken != sv.Want.RefreshToken {
-		sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
-	}
-	if sv.Response.RefreshError != "" {
-		return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}

integration_test/oidcserver/service/service.go

@@ -0,0 +1,184 @@
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+func New(t *testing.T, issuerURL string, config testconfig.Config) Service {
+	return &service{
+		config:    config,
+		t:         t,
+		issuerURL: issuerURL,
+	}
+}
+
+type service struct {
+	config                    testconfig.Config
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *AuthenticationRequest
+	lastTokenResponse         *TokenResponse
+}
+
+func (svc *service) IssuerURL() string {
+	return svc.issuerURL
+}
+
+func (svc *service) SetConfig(cfg testconfig.Config) {
+	svc.config = cfg
+}
+
+func (svc *service) LastTokenResponse() *TokenResponse {
+	return svc.lastTokenResponse
+}
+
+func (svc *service) Discovery() *DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &DiscoveryResponse{
+		Issuer:                            svc.issuerURL,
+		AuthorizationEndpoint:             svc.issuerURL + "/auth",
+		TokenEndpoint:                     svc.issuerURL + "/token",
+		JwksURI:                           svc.issuerURL + "/certs",
+		UserinfoEndpoint:                  svc.issuerURL + "/userinfo",
+		RevocationEndpoint:                svc.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     svc.config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (svc *service) GetCertificates() *CertificatesResponse {
+	idTokenKeyPair := testingJWT.PrivateKey
+	return &CertificatesResponse{
+		Keys: []*CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (svc *service) AuthenticateCode(req AuthenticationRequest) (code string, err error) {
+	if req.Scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, svc.config.Want.RedirectURIPrefix) {
+		svc.t.Errorf("redirectURI wants prefix `%s` but was `%s`", svc.config.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if diff := cmp.Diff(svc.config.Want.CodeChallengeMethod, req.CodeChallengeMethod); diff != "" {
+		svc.t.Errorf("code_challenge_method mismatch (-want +got):\n%s", diff)
+	}
+	for k, v := range svc.config.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			svc.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	svc.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (svc *service) Exchange(req TokenRequest) (*TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if svc.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != svc.lastAuthenticationRequest.CodeChallenge {
+			svc.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", svc.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = svc.lastAuthenticationRequest.Nonce
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (svc *service) AuthenticatePassword(username, password, scope string) (*TokenResponse, error) {
+	if scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, scope)
+	}
+	if username != svc.config.Want.Username {
+		svc.t.Errorf("username wants `%s` but was `%s`", svc.config.Want.Username, username)
+	}
+	if password != svc.config.Want.Password {
+		svc.t.Errorf("password wants `%s` but was `%s`", svc.config.Want.Password, password)
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (svc *service) Refresh(refreshToken string) (*TokenResponse, error) {
+	if refreshToken != svc.config.Want.RefreshToken {
+		svc.t.Errorf("refreshToken wants %s but was %s", svc.config.Want.RefreshToken, refreshToken)
+	}
+	if svc.config.Response.RefreshError != "" {
+		return nil, &ErrorResponse{Code: "invalid_request", Description: svc.config.Response.RefreshError}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}

integration_test/oidcserver/service/types.go

@@ -1,11 +1,24 @@
-package handler
+package service
 
 import (
 	"fmt"
 	"net/url"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 )
 
-// Provider provides discovery and authentication methods.
+// Service represents the test service of OpenID Connect Provider.
+// It provides the feature of Provider and additional methods for testing.
+type Service interface {
+	Provider
+
+	IssuerURL() string
+	SetConfig(config testconfig.Config)
+	LastTokenResponse() *TokenResponse
+}
+
+// Provider represents an OpenID Connect Provider.
+//
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
@@ -18,6 +31,8 @@ type Provider interface {
 	Refresh(refreshToken string) (*TokenResponse, error)
 }
 
+// DiscoveryResponse represents the type of:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
 type DiscoveryResponse struct {
 	Issuer                            string   `json:"issuer"`
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
@@ -34,10 +49,14 @@ type DiscoveryResponse struct {
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
 }
 
+// CertificatesResponse represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-5
 type CertificatesResponse struct {
 	Keys []*CertificatesResponseKey `json:"keys"`
 }
 
+// CertificatesResponseKey represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-4
 type CertificatesResponseKey struct {
 	Kty string `json:"kty"`
 	Alg string `json:"alg"`
@@ -47,7 +66,7 @@ type CertificatesResponseKey struct {
 	E   string `json:"e"`
 }
 
-// AuthenticationRequest represents a type of:
+// AuthenticationRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 type AuthenticationRequest struct {
 	RedirectURI         string
@@ -59,13 +78,15 @@ type AuthenticationRequest struct {
 	RawQuery            url.Values
 }
 
-// TokenRequest represents a type of:
+// TokenRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
 type TokenRequest struct {
 	Code         string
 	CodeVerifier string
 }
 
+// TokenResponse represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
 type TokenResponse struct {
 	AccessToken  string `json:"access_token"`
 	TokenType    string `json:"token_type"`
@@ -74,7 +95,7 @@ type TokenResponse struct {
 	IDToken      string `json:"id_token"`
 }
 
-// ErrorResponse represents an error response described in the following section:
+// ErrorResponse represents the error response described in the following section:
 // 5.2 Error Response
 // https://tools.ietf.org/html/rfc6749#section-5.2
 type ErrorResponse struct {

integration_test/oidcserver/testconfig/types.go

@@ -0,0 +1,28 @@
+package testconfig
+
+import "time"
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string
+}
+
+// Config represents a configuration of the OpenID Connect provider.
+type Config struct {
+	Want     Want
+	Response Response
+}

integration_test/standalone_test.go

@@ -10,8 +10,9 @@ import (
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/kubeconfig"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
-	"github.com/int128/kubelogin/pkg/adaptors/browser"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 )
@@ -22,7 +23,6 @@ import (
 // 2. Run the Cmd.
 // 3. Open a request for the local server.
 // 4. Verify the kubeconfig.
-//
 func TestStandalone(t *testing.T) {
 	timeout := 3 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -36,30 +36,33 @@ func TestStandalone(t *testing.T) {
 			keyPair: keypair.Server,
 		},
 	} {
+		httpDriverOption := httpdriver.Config{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
-				defer os.Remove(kubeConfigFilename)
 				runStandalone(t, ctx, standaloneConfig{
 					issuerURL:          sv.IssuerURL(),
 					kubeConfigFilename: kubeConfigFilename,
-					httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+					httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 					now:                now,
 				})
 				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -72,23 +75,21 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
-				defer os.Remove(kubeConfigFilename)
 				runStandalone(t, ctx, standaloneConfig{
 					issuerURL:          sv.IssuerURL(),
 					kubeConfigFilename: kubeConfigFilename,
@@ -109,21 +110,19 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
-				defer sv.Shutdown(t, ctx)
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{})
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
-				defer os.Remove(kubeConfigFilename)
 
 				t.Run("NoToken", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_1",
 						},
@@ -131,7 +130,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 						now:                now,
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -140,7 +139,7 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					sv.SetConfig(testconfig.Config{})
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
@@ -153,13 +152,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(3 * time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_2",
 						},
@@ -167,7 +166,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 						now:                now.Add(2 * time.Hour),
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -176,20 +175,20 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(5 * time.Hour),
 						},
 					})
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
 						now:                now.Add(4 * time.Hour),
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -205,25 +204,23 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                      sv.IssuerURL(),
 			IDPCertificateAuthorityData: keypair.Server.CACertBase64,
 		})
-		defer os.Remove(kubeConfigFilename)
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, keypair.Server.TLSConfig),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -235,25 +232,22 @@ func TestStandalone(t *testing.T) {
 	t.Run("env_KUBECONFIG", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer: sv.IssuerURL(),
 		})
-		defer os.Remove(kubeConfigFilename)
-		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
-		defer unsetenv(t, "KUBECONFIG")
+		t.Setenv("KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:  sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, nil),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{}),
 			now:        now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -266,25 +260,23 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "profile groups openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:      sv.IssuerURL(),
 			ExtraScopes: "profile,groups",
 		})
-		defer os.Remove(kubeConfigFilename)
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, nil),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -313,17 +305,3 @@ func runStandalone(t *testing.T, ctx context.Context, cfg standaloneConfig) {
 		t.Errorf("exit status wants 0 but %d", exitCode)
 	}
 }
-
-func setenv(t *testing.T, key, value string) {
-	t.Helper()
-	if err := os.Setenv(key, value); err != nil {
-		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
-	}
-}
-
-func unsetenv(t *testing.T, key string) {
-	t.Helper()
-	if err := os.Unsetenv(key); err != nil {
-		t.Fatalf("Could not unset the env var %s: %s", key, err)
-	}
-}

main.go

@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 	"os"
+	"os/signal"
+	"syscall"
 
 	"github.com/int128/kubelogin/pkg/di"
 )
@@ -10,5 +12,8 @@ import (
 var version = "HEAD"
 
 func main() {
-	os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
+	ctx := context.Background()
+	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer stop()
+	os.Exit(di.NewCmd().Run(ctx, os.Args, version))
 }

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Provider.go

@@ -0,0 +1,361 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package service_mock
+
+import (
+	service "github.com/int128/kubelogin/integration_test/oidcserver/service"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockProvider is an autogenerated mock type for the Provider type
+type MockProvider struct {
+	mock.Mock
+}
+
+type MockProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
+	return &MockProvider_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function with given fields: req
+func (_m *MockProvider) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = rf(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockProvider_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockProvider_Expecter) AuthenticateCode(req interface{}) *MockProvider_AuthenticateCode_Call {
+	return &MockProvider_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.AuthenticationRequest))
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Return(code string, err error) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) RunAndReturn(run func(service.AuthenticationRequest) (string, error)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function with given fields: username, password, scope
+func (_m *MockProvider) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _m.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return rf(username, password, scope)
+	}
+	if rf, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = rf(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = rf(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockProvider_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockProvider_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockProvider_AuthenticatePassword_Call {
+	return &MockProvider_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) RunAndReturn(run func(string, string, string) (*service.TokenResponse, error)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function with no fields
+func (_m *MockProvider) Discovery() *service.DiscoveryResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if rf, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockProvider_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockProvider_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) Discovery() *MockProvider_Discovery_Call {
+	return &MockProvider_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockProvider_Discovery_Call) Run(run func()) *MockProvider_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) Return(_a0 *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function with given fields: req
+func (_m *MockProvider) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = rf(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockProvider_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockProvider_Expecter) Exchange(req interface{}) *MockProvider_Exchange_Call {
+	return &MockProvider_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockProvider_Exchange_Call) Run(run func(req service.TokenRequest)) *MockProvider_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.TokenRequest))
+	})
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_Exchange_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) RunAndReturn(run func(service.TokenRequest) (*service.TokenResponse, error)) *MockProvider_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function with no fields
+func (_m *MockProvider) GetCertificates() *service.CertificatesResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if rf, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockProvider_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockProvider_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetCertificates() *MockProvider_GetCertificates_Call {
+	return &MockProvider_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockProvider_GetCertificates_Call) Run(run func()) *MockProvider_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) Return(_a0 *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: refreshToken
+func (_m *MockProvider) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _m.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return rf(refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = rf(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockProvider_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockProvider_Expecter) Refresh(refreshToken interface{}) *MockProvider_Refresh_Call {
+	return &MockProvider_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockProvider_Refresh_Call) Run(run func(refreshToken string)) *MockProvider_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) RunAndReturn(run func(string) (*service.TokenResponse, error)) *MockProvider_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockProvider {
+	mock := &MockProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Service.go

@@ -0,0 +1,487 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package service_mock
+
+import (
+	service "github.com/int128/kubelogin/integration_test/oidcserver/service"
+	testconfig "github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockService is an autogenerated mock type for the Service type
+type MockService struct {
+	mock.Mock
+}
+
+type MockService_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockService) EXPECT() *MockService_Expecter {
+	return &MockService_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function with given fields: req
+func (_m *MockService) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = rf(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockService_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockService_Expecter) AuthenticateCode(req interface{}) *MockService_AuthenticateCode_Call {
+	return &MockService_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockService_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockService_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.AuthenticationRequest))
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) Return(code string, err error) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) RunAndReturn(run func(service.AuthenticationRequest) (string, error)) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function with given fields: username, password, scope
+func (_m *MockService) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _m.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return rf(username, password, scope)
+	}
+	if rf, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = rf(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = rf(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockService_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockService_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockService_AuthenticatePassword_Call {
+	return &MockService_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) RunAndReturn(run func(string, string, string) (*service.TokenResponse, error)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function with no fields
+func (_m *MockService) Discovery() *service.DiscoveryResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if rf, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockService_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockService_Expecter) Discovery() *MockService_Discovery_Call {
+	return &MockService_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockService_Discovery_Call) Run(run func()) *MockService_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) Return(_a0 *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function with given fields: req
+func (_m *MockService) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = rf(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockService_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockService_Expecter) Exchange(req interface{}) *MockService_Exchange_Call {
+	return &MockService_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockService_Exchange_Call) Run(run func(req service.TokenRequest)) *MockService_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.TokenRequest))
+	})
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_Exchange_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) RunAndReturn(run func(service.TokenRequest) (*service.TokenResponse, error)) *MockService_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function with no fields
+func (_m *MockService) GetCertificates() *service.CertificatesResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if rf, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockService_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockService_Expecter) GetCertificates() *MockService_GetCertificates_Call {
+	return &MockService_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockService_GetCertificates_Call) Run(run func()) *MockService_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) Return(_a0 *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IssuerURL provides a mock function with no fields
+func (_m *MockService) IssuerURL() string {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for IssuerURL")
+	}
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func() string); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockService_IssuerURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerURL'
+type MockService_IssuerURL_Call struct {
+	*mock.Call
+}
+
+// IssuerURL is a helper method to define mock.On call
+func (_e *MockService_Expecter) IssuerURL() *MockService_IssuerURL_Call {
+	return &MockService_IssuerURL_Call{Call: _e.mock.On("IssuerURL")}
+}
+
+func (_c *MockService_IssuerURL_Call) Run(run func()) *MockService_IssuerURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) Return(_a0 string) *MockService_IssuerURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) RunAndReturn(run func() string) *MockService_IssuerURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LastTokenResponse provides a mock function with no fields
+func (_m *MockService) LastTokenResponse() *service.TokenResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for LastTokenResponse")
+	}
+
+	var r0 *service.TokenResponse
+	if rf, ok := ret.Get(0).(func() *service.TokenResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_LastTokenResponse_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LastTokenResponse'
+type MockService_LastTokenResponse_Call struct {
+	*mock.Call
+}
+
+// LastTokenResponse is a helper method to define mock.On call
+func (_e *MockService_Expecter) LastTokenResponse() *MockService_LastTokenResponse_Call {
+	return &MockService_LastTokenResponse_Call{Call: _e.mock.On("LastTokenResponse")}
+}
+
+func (_c *MockService_LastTokenResponse_Call) Run(run func()) *MockService_LastTokenResponse_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) Return(_a0 *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) RunAndReturn(run func() *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: refreshToken
+func (_m *MockService) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _m.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return rf(refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = rf(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockService_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockService_Expecter) Refresh(refreshToken interface{}) *MockService_Refresh_Call {
+	return &MockService_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockService_Refresh_Call) Run(run func(refreshToken string)) *MockService_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) RunAndReturn(run func(string) (*service.TokenResponse, error)) *MockService_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SetConfig provides a mock function with given fields: config
+func (_m *MockService) SetConfig(config testconfig.Config) {
+	_m.Called(config)
+}
+
+// MockService_SetConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetConfig'
+type MockService_SetConfig_Call struct {
+	*mock.Call
+}
+
+// SetConfig is a helper method to define mock.On call
+//   - config testconfig.Config
+func (_e *MockService_Expecter) SetConfig(config interface{}) *MockService_SetConfig_Call {
+	return &MockService_SetConfig_Call{Call: _e.mock.On("SetConfig", config)}
+}
+
+func (_c *MockService_SetConfig_Call) Run(run func(config testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(testconfig.Config))
+	})
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) Return() *MockService_SetConfig_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) RunAndReturn(run func(testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockService creates a new instance of MockService. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockService {
+	mock := &MockService{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/cmd_mock/mock_Interface.go

@@ -0,0 +1,84 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package cmd_mock
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Run provides a mock function with given fields: ctx, args, version
+func (_m *MockInterface) Run(ctx context.Context, args []string, version string) int {
+	ret := _m.Called(ctx, args, version)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Run")
+	}
+
+	var r0 int
+	if rf, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
+		r0 = rf(ctx, args, version)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	return r0
+}
+
+// MockInterface_Run_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Run'
+type MockInterface_Run_Call struct {
+	*mock.Call
+}
+
+// Run is a helper method to define mock.On call
+//   - ctx context.Context
+//   - args []string
+//   - version string
+func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version interface{}) *MockInterface_Run_Call {
+	return &MockInterface_Run_Call{Call: _e.mock.On("Run", ctx, args, version)}
+}
+
+func (_c *MockInterface_Run_Call) Run(run func(ctx context.Context, args []string, version string)) *MockInterface_Run_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].([]string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Run_Call) Return(_a0 int) *MockInterface_Run_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Run_Call) RunAndReturn(run func(context.Context, []string, string) int) *MockInterface_Run_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mock_Interface.go

@@ -0,0 +1,90 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package reader_mock
+
+import (
+	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function with no fields
+func (_m *MockInterface) Read() (credentialplugin.Input, error) {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 credentialplugin.Input
+	var r1 error
+	if rf, ok := ret.Get(0).(func() (credentialplugin.Input, error)); ok {
+		return rf()
+	}
+	if rf, ok := ret.Get(0).(func() credentialplugin.Input); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(credentialplugin.Input)
+	}
+
+	if rf, ok := ret.Get(1).(func() error); ok {
+		r1 = rf()
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockInterface_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Read() *MockInterface_Read_Call {
+	return &MockInterface_Read_Call{Call: _e.mock.On("Read")}
+}
+
+func (_c *MockInterface_Read_Call) Run(run func()) *MockInterface_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) Return(_a0 credentialplugin.Input, _a1 error) *MockInterface_Read_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) RunAndReturn(run func() (credentialplugin.Input, error)) *MockInterface_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mock_Interface.go

@@ -0,0 +1,81 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package writer_mock
+
+import (
+	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function with given fields: out
+func (_m *MockInterface) Write(out credentialplugin.Output) error {
+	ret := _m.Called(out)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
+		r0 = rf(out)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockInterface_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - out credentialplugin.Output
+func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Call {
+	return &MockInterface_Write_Call{Call: _e.mock.On("Write", out)}
+}
+
+func (_c *MockInterface_Write_Call) Run(run func(out credentialplugin.Output)) *MockInterface_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(credentialplugin.Output))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Write_Call) Return(_a0 error) *MockInterface_Write_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Write_Call) RunAndReturn(run func(credentialplugin.Output) error) *MockInterface_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mock_Interface.go

@@ -0,0 +1,130 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package browser_mock
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Open provides a mock function with given fields: url
+func (_m *MockInterface) Open(url string) error {
+	ret := _m.Called(url)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Open")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(string) error); ok {
+		r0 = rf(url)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Open_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Open'
+type MockInterface_Open_Call struct {
+	*mock.Call
+}
+
+// Open is a helper method to define mock.On call
+//   - url string
+func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call {
+	return &MockInterface_Open_Call{Call: _e.mock.On("Open", url)}
+}
+
+func (_c *MockInterface_Open_Call) Run(run func(url string)) *MockInterface_Open_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Open_Call) Return(_a0 error) *MockInterface_Open_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Open_Call) RunAndReturn(run func(string) error) *MockInterface_Open_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// OpenCommand provides a mock function with given fields: ctx, url, command
+func (_m *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
+	ret := _m.Called(ctx, url, command)
+
+	if len(ret) == 0 {
+		panic("no return value specified for OpenCommand")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
+		r0 = rf(ctx, url, command)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_OpenCommand_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OpenCommand'
+type MockInterface_OpenCommand_Call struct {
+	*mock.Call
+}
+
+// OpenCommand is a helper method to define mock.On call
+//   - ctx context.Context
+//   - url string
+//   - command string
+func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{}, command interface{}) *MockInterface_OpenCommand_Call {
+	return &MockInterface_OpenCommand_Call{Call: _e.mock.On("OpenCommand", ctx, url, command)}
+}
+
+func (_c *MockInterface_OpenCommand_Call) Run(run func(ctx context.Context, url string, command string)) *MockInterface_OpenCommand_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_OpenCommand_Call) Return(_a0 error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_OpenCommand_Call) RunAndReturn(run func(context.Context, string, string) error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mock_Interface.go

@@ -0,0 +1,81 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package clock_mock
+
+import (
+	time "time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Now provides a mock function with no fields
+func (_m *MockInterface) Now() time.Time {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
+	var r0 time.Time
+	if rf, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(time.Time)
+	}
+
+	return r0
+}
+
+// MockInterface_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
+type MockInterface_Now_Call struct {
+	*mock.Call
+}
+
+// Now is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Now() *MockInterface_Now_Call {
+	return &MockInterface_Now_Call{Call: _e.mock.On("Now")}
+}
+
+func (_c *MockInterface_Now_Call) Run(run func()) *MockInterface_Now_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Now_Call) Return(_a0 time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Now_Call) RunAndReturn(run func() time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Interface.go

@@ -0,0 +1,208 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package logger_mock
+
+import (
+	logger "github.com/int128/kubelogin/pkg/infrastructure/logger"
+	mock "github.com/stretchr/testify/mock"
+
+	pflag "github.com/spf13/pflag"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// AddFlags provides a mock function with given fields: f
+func (_m *MockInterface) AddFlags(f *pflag.FlagSet) {
+	_m.Called(f)
+}
+
+// MockInterface_AddFlags_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddFlags'
+type MockInterface_AddFlags_Call struct {
+	*mock.Call
+}
+
+// AddFlags is a helper method to define mock.On call
+//   - f *pflag.FlagSet
+func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
+	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
+}
+
+func (_c *MockInterface_AddFlags_Call) Run(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(*pflag.FlagSet))
+	})
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) RunAndReturn(run func(*pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Run(run)
+	return _c
+}
+
+// IsEnabled provides a mock function with given fields: level
+func (_m *MockInterface) IsEnabled(level int) bool {
+	ret := _m.Called(level)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IsEnabled")
+	}
+
+	var r0 bool
+	if rf, ok := ret.Get(0).(func(int) bool); ok {
+		r0 = rf(level)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+
+	return r0
+}
+
+// MockInterface_IsEnabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsEnabled'
+type MockInterface_IsEnabled_Call struct {
+	*mock.Call
+}
+
+// IsEnabled is a helper method to define mock.On call
+//   - level int
+func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
+	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
+}
+
+func (_c *MockInterface_IsEnabled_Call) Run(run func(level int)) *MockInterface_IsEnabled_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(int))
+	})
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) Return(_a0 bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) RunAndReturn(run func(int) bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Printf provides a mock function with given fields: format, args
+func (_m *MockInterface) Printf(format string, args ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, args...)
+	_m.Called(_ca...)
+}
+
+// MockInterface_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockInterface_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - args ...interface{}
+func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
+	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockInterface_Printf_Call) Run(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) RunAndReturn(run func(string, ...interface{})) *MockInterface_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// V provides a mock function with given fields: level
+func (_m *MockInterface) V(level int) logger.Verbose {
+	ret := _m.Called(level)
+
+	if len(ret) == 0 {
+		panic("no return value specified for V")
+	}
+
+	var r0 logger.Verbose
+	if rf, ok := ret.Get(0).(func(int) logger.Verbose); ok {
+		r0 = rf(level)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(logger.Verbose)
+		}
+	}
+
+	return r0
+}
+
+// MockInterface_V_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'V'
+type MockInterface_V_Call struct {
+	*mock.Call
+}
+
+// V is a helper method to define mock.On call
+//   - level int
+func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
+	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
+}
+
+func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(int))
+	})
+	return _c
+}
+
+func (_c *MockInterface_V_Call) Return(_a0 logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_V_Call) RunAndReturn(run func(int) logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Verbose.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockVerbose is an autogenerated mock type for the Verbose type
+type MockVerbose struct {
+	mock.Mock
+}
+
+type MockVerbose_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockVerbose) EXPECT() *MockVerbose_Expecter {
+	return &MockVerbose_Expecter{mock: &_m.Mock}
+}
+
+// Infof provides a mock function with given fields: format, args
+func (_m *MockVerbose) Infof(format string, args ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, args...)
+	_m.Called(_ca...)
+}
+
+// MockVerbose_Infof_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Infof'
+type MockVerbose_Infof_Call struct {
+	*mock.Call
+}
+
+// Infof is a helper method to define mock.On call
+//   - format string
+//   - args ...interface{}
+func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
+	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockVerbose_Infof_Call) Run(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) RunAndReturn(run func(string, ...interface{})) *MockVerbose_Infof_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockVerbose(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockVerbose {
+	mock := &MockVerbose{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_goLogger.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockgoLogger is an autogenerated mock type for the goLogger type
+type MockgoLogger struct {
+	mock.Mock
+}
+
+type MockgoLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockgoLogger) EXPECT() *MockgoLogger_Expecter {
+	return &MockgoLogger_Expecter{mock: &_m.Mock}
+}
+
+// Printf provides a mock function with given fields: format, v
+func (_m *MockgoLogger) Printf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// MockgoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockgoLogger_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *MockgoLogger_Expecter) Printf(format interface{}, v ...interface{}) *MockgoLogger_Printf_Call {
+	return &MockgoLogger_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *MockgoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *MockgoLogger_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockgoLogger_Printf_Call) Return() *MockgoLogger_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockgoLogger_Printf_Call) RunAndReturn(run func(string, ...interface{})) *MockgoLogger_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockgoLogger creates a new instance of MockgoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockgoLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockgoLogger {
+	mock := &MockgoLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mock_Interface.go

@@ -0,0 +1,144 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package reader_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ReadPassword provides a mock function with given fields: prompt
+func (_m *MockInterface) ReadPassword(prompt string) (string, error) {
+	ret := _m.Called(prompt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReadPassword")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return rf(prompt)
+	}
+	if rf, ok := ret.Get(0).(func(string) string); ok {
+		r0 = rf(prompt)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(prompt)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ReadPassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadPassword'
+type MockInterface_ReadPassword_Call struct {
+	*mock.Call
+}
+
+// ReadPassword is a helper method to define mock.On call
+//   - prompt string
+func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterface_ReadPassword_Call {
+	return &MockInterface_ReadPassword_Call{Call: _e.mock.On("ReadPassword", prompt)}
+}
+
+func (_c *MockInterface_ReadPassword_Call) Run(run func(prompt string)) *MockInterface_ReadPassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ReadPassword_Call) Return(_a0 string, _a1 error) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ReadPassword_Call) RunAndReturn(run func(string) (string, error)) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ReadString provides a mock function with given fields: prompt
+func (_m *MockInterface) ReadString(prompt string) (string, error) {
+	ret := _m.Called(prompt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReadString")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return rf(prompt)
+	}
+	if rf, ok := ret.Get(0).(func(string) string); ok {
+		r0 = rf(prompt)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(prompt)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ReadString_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadString'
+type MockInterface_ReadString_Call struct {
+	*mock.Call
+}
+
+// ReadString is a helper method to define mock.On call
+//   - prompt string
+func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_ReadString_Call {
+	return &MockInterface_ReadString_Call{Call: _e.mock.On("ReadString", prompt)}
+}
+
+func (_c *MockInterface_ReadString_Call) Run(run func(prompt string)) *MockInterface_ReadString_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ReadString_Call) Return(_a0 string, _a1 error) *MockInterface_ReadString_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ReadString_Call) RunAndReturn(run func(string) (string, error)) *MockInterface_ReadString_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdin.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package stdio_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockStdin is an autogenerated mock type for the Stdin type
+type MockStdin struct {
+	mock.Mock
+}
+
+type MockStdin_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdin) EXPECT() *MockStdin_Expecter {
+	return &MockStdin_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function with given fields: p
+func (_m *MockStdin) Read(p []byte) (int, error) {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 int
+	var r1 error
+	if rf, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return rf(p)
+	}
+	if rf, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	if rf, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = rf(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockStdin_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockStdin_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdin_Expecter) Read(p interface{}) *MockStdin_Read_Call {
+	return &MockStdin_Read_Call{Call: _e.mock.On("Read", p)}
+}
+
+func (_c *MockStdin_Read_Call) Run(run func(p []byte)) *MockStdin_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].([]byte))
+	})
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) Return(n int, err error) *MockStdin_Read_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) RunAndReturn(run func([]byte) (int, error)) *MockStdin_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdin creates a new instance of MockStdin. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdin(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdin {
+	mock := &MockStdin{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdout.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package stdio_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockStdout is an autogenerated mock type for the Stdout type
+type MockStdout struct {
+	mock.Mock
+}
+
+type MockStdout_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdout) EXPECT() *MockStdout_Expecter {
+	return &MockStdout_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function with given fields: p
+func (_m *MockStdout) Write(p []byte) (int, error) {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 int
+	var r1 error
+	if rf, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return rf(p)
+	}
+	if rf, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	if rf, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = rf(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockStdout_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockStdout_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdout_Expecter) Write(p interface{}) *MockStdout_Write_Call {
+	return &MockStdout_Write_Call{Call: _e.mock.On("Write", p)}
+}
+
+func (_c *MockStdout_Write_Call) Run(run func(p []byte)) *MockStdout_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].([]byte))
+	})
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) Return(n int, err error) *MockStdout_Write_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) RunAndReturn(run func([]byte) (int, error)) *MockStdout_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdout creates a new instance of MockStdout. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdout(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdout {
+	mock := &MockStdout{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/jwt_mock/mock_Clock.go

@@ -0,0 +1,81 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package jwt_mock
+
+import (
+	time "time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockClock is an autogenerated mock type for the Clock type
+type MockClock struct {
+	mock.Mock
+}
+
+type MockClock_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockClock) EXPECT() *MockClock_Expecter {
+	return &MockClock_Expecter{mock: &_m.Mock}
+}
+
+// Now provides a mock function with no fields
+func (_m *MockClock) Now() time.Time {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
+	var r0 time.Time
+	if rf, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(time.Time)
+	}
+
+	return r0
+}
+
+// MockClock_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
+type MockClock_Now_Call struct {
+	*mock.Call
+}
+
+// Now is a helper method to define mock.On call
+func (_e *MockClock_Expecter) Now() *MockClock_Now_Call {
+	return &MockClock_Now_Call{Call: _e.mock.On("Now")}
+}
+
+func (_c *MockClock_Now_Call) Run(run func()) *MockClock_Now_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockClock_Now_Call) Return(_a0 time.Time) *MockClock_Now_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockClock_Now_Call) RunAndReturn(run func() time.Time) *MockClock_Now_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockClock(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockClock {
+	mock := &MockClock{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mock_Interface.go

@@ -0,0 +1,96 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package loader_mock
+
+import (
+	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// GetCurrentAuthProvider provides a mock function with given fields: explicitFilename, contextName, userName
+func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	ret := _m.Called(explicitFilename, contextName, userName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCurrentAuthProvider")
+	}
+
+	var r0 *kubeconfig.AuthProvider
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)); ok {
+		return rf(explicitFilename, contextName, userName)
+	}
+	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
+		r0 = rf(explicitFilename, contextName, userName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*kubeconfig.AuthProvider)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
+		r1 = rf(explicitFilename, contextName, userName)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetCurrentAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCurrentAuthProvider'
+type MockInterface_GetCurrentAuthProvider_Call struct {
+	*mock.Call
+}
+
+// GetCurrentAuthProvider is a helper method to define mock.On call
+//   - explicitFilename string
+//   - contextName kubeconfig.ContextName
+//   - userName kubeconfig.UserName
+func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
+	return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) Run(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(kubeconfig.ContextName), args[2].(kubeconfig.UserName))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(_a0 *kubeconfig.AuthProvider, _a1 error) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) RunAndReturn(run func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mock_Interface.go

@@ -0,0 +1,81 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package writer_mock
+
+import (
+	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// UpdateAuthProvider provides a mock function with given fields: p
+func (_m *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAuthProvider")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_UpdateAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAuthProvider'
+type MockInterface_UpdateAuthProvider_Call struct {
+	*mock.Call
+}
+
+// UpdateAuthProvider is a helper method to define mock.On call
+//   - p kubeconfig.AuthProvider
+func (_e *MockInterface_Expecter) UpdateAuthProvider(p interface{}) *MockInterface_UpdateAuthProvider_Call {
+	return &MockInterface_UpdateAuthProvider_Call{Call: _e.mock.On("UpdateAuthProvider", p)}
+}
+
+func (_c *MockInterface_UpdateAuthProvider_Call) Run(run func(p kubeconfig.AuthProvider)) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(kubeconfig.AuthProvider))
+	})
+	return _c
+}
+
+func (_c *MockInterface_UpdateAuthProvider_Call) Return(_a0 error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_UpdateAuthProvider_Call) RunAndReturn(run func(kubeconfig.AuthProvider) error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_FactoryInterface.go

@@ -0,0 +1,102 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package client_mock
+
+import (
+	context "context"
+
+	client "github.com/int128/kubelogin/pkg/oidc/client"
+
+	mock "github.com/stretchr/testify/mock"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+
+	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
+)
+
+// MockFactoryInterface is an autogenerated mock type for the FactoryInterface type
+type MockFactoryInterface struct {
+	mock.Mock
+}
+
+type MockFactoryInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
+	return &MockFactoryInterface_Expecter{mock: &_m.Mock}
+}
+
+// New provides a mock function with given fields: ctx, prov, tlsClientConfig
+func (_m *MockFactoryInterface) New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error) {
+	ret := _m.Called(ctx, prov, tlsClientConfig)
+
+	if len(ret) == 0 {
+		panic("no return value specified for New")
+	}
+
+	var r0 client.Interface
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)); ok {
+		return rf(ctx, prov, tlsClientConfig)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) client.Interface); ok {
+		r0 = rf(ctx, prov, tlsClientConfig)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(client.Interface)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
+		r1 = rf(ctx, prov, tlsClientConfig)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockFactoryInterface_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
+type MockFactoryInterface_New_Call struct {
+	*mock.Call
+}
+
+// New is a helper method to define mock.On call
+//   - ctx context.Context
+//   - prov oidc.Provider
+//   - tlsClientConfig tlsclientconfig.Config
+func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, prov interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
+	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, prov, tlsClientConfig)}
+}
+
+func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(oidc.Provider), args[2].(tlsclientconfig.Config))
+	})
+	return _c
+}
+
+func (_c *MockFactoryInterface_New_Call) Return(_a0 client.Interface, _a1 error) *MockFactoryInterface_New_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockFactoryInterface_New_Call) RunAndReturn(run func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)) *MockFactoryInterface_New_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockFactoryInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFactoryInterface {
+	mock := &MockFactoryInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_Interface.go

@@ -0,0 +1,490 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package client_mock
+
+import (
+	context "context"
+
+	client "github.com/int128/kubelogin/pkg/oidc/client"
+
+	mock "github.com/stretchr/testify/mock"
+
+	oauth2dev "github.com/int128/oauth2dev"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+
+	pkce "github.com/int128/kubelogin/pkg/pkce"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ExchangeAuthCode provides a mock function with given fields: ctx, in
+func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, in)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, client.ExchangeAuthCodeInput) error); ok {
+		r1 = rf(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
+type MockInterface_ExchangeAuthCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.ExchangeAuthCodeInput
+func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
+	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in client.ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(client.ExchangeAuthCodeInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) RunAndReturn(run func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ExchangeDeviceCode provides a mock function with given fields: ctx, authResponse
+func (_m *MockInterface) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, authResponse)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeDeviceCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, authResponse)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) *oidc.TokenSet); ok {
+		r0 = rf(ctx, authResponse)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *oauth2dev.AuthorizationResponse) error); ok {
+		r1 = rf(ctx, authResponse)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeDeviceCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeDeviceCode'
+type MockInterface_ExchangeDeviceCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeDeviceCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - authResponse *oauth2dev.AuthorizationResponse
+func (_e *MockInterface_Expecter) ExchangeDeviceCode(ctx interface{}, authResponse interface{}) *MockInterface_ExchangeDeviceCode_Call {
+	return &MockInterface_ExchangeDeviceCode_Call{Call: _e.mock.On("ExchangeDeviceCode", ctx, authResponse)}
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Run(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*oauth2dev.AuthorizationResponse))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) RunAndReturn(run func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAuthCodeURL provides a mock function with given fields: in
+func (_m *MockInterface) GetAuthCodeURL(in client.AuthCodeURLInput) string {
+	ret := _m.Called(in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAuthCodeURL")
+	}
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(client.AuthCodeURLInput) string); ok {
+		r0 = rf(in)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
+type MockInterface_GetAuthCodeURL_Call struct {
+	*mock.Call
+}
+
+// GetAuthCodeURL is a helper method to define mock.On call
+//   - in client.AuthCodeURLInput
+func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
+	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in client.AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(client.AuthCodeURLInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) RunAndReturn(run func(client.AuthCodeURLInput) string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDeviceAuthorization provides a mock function with given fields: ctx
+func (_m *MockInterface) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDeviceAuthorization")
+	}
+
+	var r0 *oauth2dev.AuthorizationResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) (*oauth2dev.AuthorizationResponse, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) *oauth2dev.AuthorizationResponse); ok {
+		r0 = rf(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oauth2dev.AuthorizationResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetDeviceAuthorization_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDeviceAuthorization'
+type MockInterface_GetDeviceAuthorization_Call struct {
+	*mock.Call
+}
+
+// GetDeviceAuthorization is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockInterface_Expecter) GetDeviceAuthorization(ctx interface{}) *MockInterface_GetDeviceAuthorization_Call {
+	return &MockInterface_GetDeviceAuthorization_Call{Call: _e.mock.On("GetDeviceAuthorization", ctx)}
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Run(run func(ctx context.Context)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Return(_a0 *oauth2dev.AuthorizationResponse, _a1 error) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) RunAndReturn(run func(context.Context) (*oauth2dev.AuthorizationResponse, error)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
+func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in, localServerReadyChan)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, in, localServerReadyChan)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in, localServerReadyChan)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) error); ok {
+		r1 = rf(ctx, in, localServerReadyChan)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
+type MockInterface_GetTokenByAuthCode_Call struct {
+	*mock.Call
+}
+
+// GetTokenByAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.GetTokenByAuthCodeInput
+//   - localServerReadyChan chan<- string
+func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
+	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(client.GetTokenByAuthCodeInput), args[2].(chan<- string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) RunAndReturn(run func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByROPC provides a mock function with given fields: ctx, username, password
+func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, username, password)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByROPC")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, username, password)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, username, password)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, username, password)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
+type MockInterface_GetTokenByROPC_Call struct {
+	*mock.Call
+}
+
+// GetTokenByROPC is a helper method to define mock.On call
+//   - ctx context.Context
+//   - username string
+//   - password string
+func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
+	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) RunAndReturn(run func(context.Context, string, string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NegotiatedPKCEMethod provides a mock function with no fields
+func (_m *MockInterface) NegotiatedPKCEMethod() pkce.Method {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for NegotiatedPKCEMethod")
+	}
+
+	var r0 pkce.Method
+	if rf, ok := ret.Get(0).(func() pkce.Method); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(pkce.Method)
+	}
+
+	return r0
+}
+
+// MockInterface_NegotiatedPKCEMethod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NegotiatedPKCEMethod'
+type MockInterface_NegotiatedPKCEMethod_Call struct {
+	*mock.Call
+}
+
+// NegotiatedPKCEMethod is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) NegotiatedPKCEMethod() *MockInterface_NegotiatedPKCEMethod_Call {
+	return &MockInterface_NegotiatedPKCEMethod_Call{Call: _e.mock.On("NegotiatedPKCEMethod")}
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) Run(run func()) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) Return(_a0 pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) RunAndReturn(run func() pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: ctx, refreshToken
+func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockInterface_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - ctx context.Context
+//   - refreshToken string
+func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
+	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
+}
+
+func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) RunAndReturn(run func(context.Context, string) (*oidc.TokenSet, error)) *MockInterface_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mock_testingLogger.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MocktestingLogger is an autogenerated mock type for the testingLogger type
+type MocktestingLogger struct {
+	mock.Mock
+}
+
+type MocktestingLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MocktestingLogger) EXPECT() *MocktestingLogger_Expecter {
+	return &MocktestingLogger_Expecter{mock: &_m.Mock}
+}
+
+// Logf provides a mock function with given fields: format, v
+func (_m *MocktestingLogger) Logf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// MocktestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
+type MocktestingLogger_Logf_Call struct {
+	*mock.Call
+}
+
+// Logf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *MocktestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *MocktestingLogger_Logf_Call {
+	return &MocktestingLogger_Logf_Call{Call: _e.mock.On("Logf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *MocktestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *MocktestingLogger_Logf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MocktestingLogger_Logf_Call) Return() *MocktestingLogger_Logf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MocktestingLogger_Logf_Call) RunAndReturn(run func(string, ...interface{})) *MocktestingLogger_Logf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMocktestingLogger creates a new instance of MocktestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMocktestingLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MocktestingLogger {
+	mock := &MocktestingLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mock_Interface.go

@@ -0,0 +1,96 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package loader_mock
+
+import (
+	tls "crypto/tls"
+
+	mock "github.com/stretchr/testify/mock"
+
+	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Load provides a mock function with given fields: config
+func (_m *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error) {
+	ret := _m.Called(config)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Load")
+	}
+
+	var r0 *tls.Config
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) (*tls.Config, error)); ok {
+		return rf(config)
+	}
+	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) *tls.Config); ok {
+		r0 = rf(config)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*tls.Config)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(tlsclientconfig.Config) error); ok {
+		r1 = rf(config)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Load_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Load'
+type MockInterface_Load_Call struct {
+	*mock.Call
+}
+
+// Load is a helper method to define mock.On call
+//   - config tlsclientconfig.Config
+func (_e *MockInterface_Expecter) Load(config interface{}) *MockInterface_Load_Call {
+	return &MockInterface_Load_Call{Call: _e.mock.On("Load", config)}
+}
+
+func (_c *MockInterface_Load_Call) Run(run func(config tlsclientconfig.Config)) *MockInterface_Load_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tlsclientconfig.Config))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Load_Call) Return(_a0 *tls.Config, _a1 error) *MockInterface_Load_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Load_Call) RunAndReturn(run func(tlsclientconfig.Config) (*tls.Config, error)) *MockInterface_Load_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mock_Interface.go

@@ -0,0 +1,251 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package repository_mock
+
+import (
+	io "io"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+	mock "github.com/stretchr/testify/mock"
+
+	tokencache "github.com/int128/kubelogin/pkg/tokencache"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// DeleteAll provides a mock function with given fields: config
+func (_m *MockInterface) DeleteAll(config tokencache.Config) error {
+	ret := _m.Called(config)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAll")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config) error); ok {
+		r0 = rf(config)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_DeleteAll_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAll'
+type MockInterface_DeleteAll_Call struct {
+	*mock.Call
+}
+
+// DeleteAll is a helper method to define mock.On call
+//   - config tokencache.Config
+func (_e *MockInterface_Expecter) DeleteAll(config interface{}) *MockInterface_DeleteAll_Call {
+	return &MockInterface_DeleteAll_Call{Call: _e.mock.On("DeleteAll", config)}
+}
+
+func (_c *MockInterface_DeleteAll_Call) Run(run func(config tokencache.Config)) *MockInterface_DeleteAll_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config))
+	})
+	return _c
+}
+
+func (_c *MockInterface_DeleteAll_Call) Return(_a0 error) *MockInterface_DeleteAll_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_DeleteAll_Call) RunAndReturn(run func(tokencache.Config) error) *MockInterface_DeleteAll_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// FindByKey provides a mock function with given fields: config, key
+func (_m *MockInterface) FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error) {
+	ret := _m.Called(config, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for FindByKey")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (*oidc.TokenSet, error)); ok {
+		return rf(config, key)
+	}
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) *oidc.TokenSet); ok {
+		r0 = rf(config, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
+		r1 = rf(config, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_FindByKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindByKey'
+type MockInterface_FindByKey_Call struct {
+	*mock.Call
+}
+
+// FindByKey is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) FindByKey(config interface{}, key interface{}) *MockInterface_FindByKey_Call {
+	return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", config, key)}
+}
+
+func (_c *MockInterface_FindByKey_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_FindByKey_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config), args[1].(tokencache.Key))
+	})
+	return _c
+}
+
+func (_c *MockInterface_FindByKey_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_FindByKey_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_FindByKey_Call) RunAndReturn(run func(tokencache.Config, tokencache.Key) (*oidc.TokenSet, error)) *MockInterface_FindByKey_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Lock provides a mock function with given fields: config, key
+func (_m *MockInterface) Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error) {
+	ret := _m.Called(config, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Lock")
+	}
+
+	var r0 io.Closer
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (io.Closer, error)); ok {
+		return rf(config, key)
+	}
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) io.Closer); ok {
+		r0 = rf(config, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(io.Closer)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
+		r1 = rf(config, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Lock_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Lock'
+type MockInterface_Lock_Call struct {
+	*mock.Call
+}
+
+// Lock is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) Lock(config interface{}, key interface{}) *MockInterface_Lock_Call {
+	return &MockInterface_Lock_Call{Call: _e.mock.On("Lock", config, key)}
+}
+
+func (_c *MockInterface_Lock_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_Lock_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config), args[1].(tokencache.Key))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) Return(_a0 io.Closer, _a1 error) *MockInterface_Lock_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) RunAndReturn(run func(tokencache.Config, tokencache.Key) (io.Closer, error)) *MockInterface_Lock_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Save provides a mock function with given fields: config, key, tokenSet
+func (_m *MockInterface) Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error {
+	ret := _m.Called(config, key, tokenSet)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Save")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key, oidc.TokenSet) error); ok {
+		r0 = rf(config, key, tokenSet)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Save_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Save'
+type MockInterface_Save_Call struct {
+	*mock.Call
+}
+
+// Save is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+//   - tokenSet oidc.TokenSet
+func (_e *MockInterface_Expecter) Save(config interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
+	return &MockInterface_Save_Call{Call: _e.mock.On("Save", config, key, tokenSet)}
+}
+
+func (_c *MockInterface_Save_Call) Run(run func(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet)) *MockInterface_Save_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config), args[1].(tokencache.Key), args[2].(oidc.TokenSet))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Save_Call) Return(_a0 error) *MockInterface_Save_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Save_Call) RunAndReturn(run func(tokencache.Config, tokencache.Key, oidc.TokenSet) error) *MockInterface_Save_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mock_Interface.go

@@ -0,0 +1,97 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package authentication_mock
+
+import (
+	context "context"
+
+	authentication "github.com/int128/kubelogin/pkg/usecases/authentication"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function with given fields: ctx, in
+func (_m *MockInterface) Do(ctx context.Context, in authentication.Input) (*authentication.Output, error) {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 *authentication.Output
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, authentication.Input) (*authentication.Output, error)); ok {
+		return rf(ctx, in)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, authentication.Input) *authentication.Output); ok {
+		r0 = rf(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*authentication.Output)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, authentication.Input) error); ok {
+		r1 = rf(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in authentication.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in authentication.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(authentication.Input))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(_a0 *authentication.Output, _a1 error) *MockInterface_Do_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, authentication.Input) (*authentication.Output, error)) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/clean_mock/mock_Interface.go

@@ -0,0 +1,85 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package clean_mock
+
+import (
+	context "context"
+
+	clean "github.com/int128/kubelogin/pkg/usecases/clean"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function with given fields: ctx, in
+func (_m *MockInterface) Do(ctx context.Context, in clean.Input) error {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, clean.Input) error); ok {
+		r0 = rf(ctx, in)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in clean.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in clean.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(clean.Input))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, clean.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mock_Interface.go

@@ -0,0 +1,84 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package credentialplugin_mock
+
+import (
+	context "context"
+
+	credentialplugin "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function with given fields: ctx, in
+func (_m *MockInterface) Do(ctx context.Context, in credentialplugin.Input) error {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, credentialplugin.Input) error); ok {
+		r0 = rf(ctx, in)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in credentialplugin.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in credentialplugin.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(credentialplugin.Input))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, credentialplugin.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mock_Interface.go

@@ -0,0 +1,116 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package setup_mock
+
+import (
+	context "context"
+
+	setup "github.com/int128/kubelogin/pkg/usecases/setup"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// DoStage1 provides a mock function with no fields
+func (_m *MockInterface) DoStage1() {
+	_m.Called()
+}
+
+// MockInterface_DoStage1_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DoStage1'
+type MockInterface_DoStage1_Call struct {
+	*mock.Call
+}
+
+// DoStage1 is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) DoStage1() *MockInterface_DoStage1_Call {
+	return &MockInterface_DoStage1_Call{Call: _e.mock.On("DoStage1")}
+}
+
+func (_c *MockInterface_DoStage1_Call) Run(run func()) *MockInterface_DoStage1_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_DoStage1_Call) Return() *MockInterface_DoStage1_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_DoStage1_Call) RunAndReturn(run func()) *MockInterface_DoStage1_Call {
+	_c.Run(run)
+	return _c
+}
+
+// DoStage2 provides a mock function with given fields: ctx, in
+func (_m *MockInterface) DoStage2(ctx context.Context, in setup.Stage2Input) error {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DoStage2")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, setup.Stage2Input) error); ok {
+		r0 = rf(ctx, in)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_DoStage2_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DoStage2'
+type MockInterface_DoStage2_Call struct {
+	*mock.Call
+}
+
+// DoStage2 is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in setup.Stage2Input
+func (_e *MockInterface_Expecter) DoStage2(ctx interface{}, in interface{}) *MockInterface_DoStage2_Call {
+	return &MockInterface_DoStage2_Call{Call: _e.mock.On("DoStage2", ctx, in)}
+}
+
+func (_c *MockInterface_DoStage2_Call) Run(run func(ctx context.Context, in setup.Stage2Input)) *MockInterface_DoStage2_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(setup.Stage2Input))
+	})
+	return _c
+}
+
+func (_c *MockInterface_DoStage2_Call) Return(_a0 error) *MockInterface_DoStage2_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_DoStage2_Call) RunAndReturn(run func(context.Context, setup.Stage2Input) error) *MockInterface_DoStage2_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mock_Interface.go

@@ -0,0 +1,84 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package standalone_mock
+
+import (
+	context "context"
+
+	standalone "github.com/int128/kubelogin/pkg/usecases/standalone"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function with given fields: ctx, in
+func (_m *MockInterface) Do(ctx context.Context, in standalone.Input) error {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, standalone.Input) error); ok {
+		r0 = rf(ctx, in)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in standalone.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in standalone.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(standalone.Input))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, standalone.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/io_mock/mock_Closer.go

@@ -0,0 +1,77 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package io_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockCloser is an autogenerated mock type for the Closer type
+type MockCloser struct {
+	mock.Mock
+}
+
+type MockCloser_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCloser) EXPECT() *MockCloser_Expecter {
+	return &MockCloser_Expecter{mock: &_m.Mock}
+}
+
+// Close provides a mock function with no fields
+func (_m *MockCloser) Close() error {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Close")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func() error); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockCloser_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
+type MockCloser_Close_Call struct {
+	*mock.Call
+}
+
+// Close is a helper method to define mock.On call
+func (_e *MockCloser_Expecter) Close() *MockCloser_Close_Call {
+	return &MockCloser_Close_Call{Call: _e.mock.On("Close")}
+}
+
+func (_c *MockCloser_Close_Call) Run(run func()) *MockCloser_Close_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) Return(_a0 error) *MockCloser_Close_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) RunAndReturn(run func() error) *MockCloser_Close_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockCloser creates a new instance of MockCloser. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCloser(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockCloser {
+	mock := &MockCloser{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

pkg/adaptors/browser/mock_browser/mock_browser.go

@@ -1,47 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/browser (interfaces: Interface)
-
-// Package mock_browser is a generated GoMock package.
-package mock_browser
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// Open mocks base method
-func (m *MockInterface) Open(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Open", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Open indicates an expected call of Open
-func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
-}

pkg/adaptors/certpool/cert.go

@@ -1,71 +0,0 @@
-// Package certpool provides loading certificates from files or base64 encoded string.
-package certpool
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"io/ioutil"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool Interface
-
-// Set provides an implementation and interface.
-var Set = wire.NewSet(
-	wire.Value(NewFunc(New)),
-	wire.Struct(new(CertPool), "*"),
-	wire.Bind(new(Interface), new(*CertPool)),
-)
-
-type NewFunc func() Interface
-
-// New returns an instance which implements the Interface.
-func New() Interface {
-	return &CertPool{pool: x509.NewCertPool()}
-}
-
-type Interface interface {
-	AddFile(filename string) error
-	AddBase64Encoded(s string) error
-	SetRootCAs(cfg *tls.Config)
-}
-
-// CertPool represents a pool of certificates.
-type CertPool struct {
-	pool *x509.CertPool
-}
-
-// SetRootCAs sets cfg.RootCAs if it has any certificate.
-// Otherwise do nothing.
-func (p *CertPool) SetRootCAs(cfg *tls.Config) {
-	if len(p.pool.Subjects()) > 0 {
-		cfg.RootCAs = p.pool
-	}
-}
-
-// AddFile loads the certificate from the file.
-func (p *CertPool) AddFile(filename string) error {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return xerrors.Errorf("could not read %s: %w", filename, err)
-	}
-	if !p.pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate from %s", filename)
-	}
-	return nil
-}
-
-// AddBase64Encoded loads the certificate from the base64 encoded string.
-func (p *CertPool) AddBase64Encoded(s string) error {
-	b, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return xerrors.Errorf("could not decode base64: %w", err)
-	}
-	if !p.pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate")
-	}
-	return nil
-}

pkg/adaptors/certpool/cert_test.go

@@ -1,58 +0,0 @@
-package certpool
-
-import (
-	"crypto/tls"
-	"io/ioutil"
-	"testing"
-)
-
-func TestCertPool_AddFile(t *testing.T) {
-	t.Run("Valid", func(t *testing.T) {
-		p := New()
-		if err := p.AddFile("testdata/ca1.crt"); err != nil {
-			t.Errorf("AddFile error: %s", err)
-		}
-		var cfg tls.Config
-		p.SetRootCAs(&cfg)
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
-		}
-	})
-	t.Run("Invalid", func(t *testing.T) {
-		p := New()
-		err := p.AddFile("testdata/Makefile")
-		if err == nil {
-			t.Errorf("AddFile wants an error but was nil")
-		}
-	})
-}
-
-func TestCertPool_AddBase64Encoded(t *testing.T) {
-	p := New()
-	if err := p.AddBase64Encoded(readFile(t, "testdata/ca2.crt.base64")); err != nil {
-		t.Errorf("AddBase64Encoded error: %s", err)
-	}
-	var cfg tls.Config
-	p.SetRootCAs(&cfg)
-	if n := len(cfg.RootCAs.Subjects()); n != 1 {
-		t.Errorf("n wants 1 but was %d", n)
-	}
-}
-
-func TestCertPool_SetRootCAs(t *testing.T) {
-	p := New()
-	var cfg tls.Config
-	p.SetRootCAs(&cfg)
-	if cfg.RootCAs != nil {
-		t.Errorf("cfg.RootCAs wants nil but was %+v", cfg.RootCAs)
-	}
-}
-
-func readFile(t *testing.T, filename string) string {
-	t.Helper()
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		t.Fatalf("ReadFile error: %s", err)
-	}
-	return string(b)
-}

pkg/adaptors/certpool/mock_certpool/mock_certpool.go

@@ -1,74 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: Interface)
-
-// Package mock_certpool is a generated GoMock package.
-package mock_certpool
-
-import (
-	tls "crypto/tls"
-	gomock "github.com/golang/mock/gomock"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// AddBase64Encoded mocks base method
-func (m *MockInterface) AddBase64Encoded(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddBase64Encoded", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// AddBase64Encoded indicates an expected call of AddBase64Encoded
-func (mr *MockInterfaceMockRecorder) AddBase64Encoded(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddBase64Encoded", reflect.TypeOf((*MockInterface)(nil).AddBase64Encoded), arg0)
-}
-
-// AddFile mocks base method
-func (m *MockInterface) AddFile(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddFile", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// AddFile indicates an expected call of AddFile
-func (mr *MockInterfaceMockRecorder) AddFile(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFile", reflect.TypeOf((*MockInterface)(nil).AddFile), arg0)
-}
-
-// SetRootCAs mocks base method
-func (m *MockInterface) SetRootCAs(arg0 *tls.Config) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetRootCAs", arg0)
-}
-
-// SetRootCAs indicates an expected call of SetRootCAs
-func (mr *MockInterfaceMockRecorder) SetRootCAs(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRootCAs", reflect.TypeOf((*MockInterface)(nil).SetRootCAs), arg0)
-}

pkg/adaptors/cmd/cmd_test.go

@@ -1,374 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/testing/logger"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
-	"github.com/int128/kubelogin/pkg/usecases/standalone"
-	"github.com/int128/kubelogin/pkg/usecases/standalone/mock_standalone"
-)
-
-func TestCmd_Run(t *testing.T) {
-	const executable = "kubelogin"
-	const version = "HEAD"
-
-	t.Run("root", func(t *testing.T) {
-		tests := map[string]struct {
-			args []string
-			in   standalone.Input
-		}{
-			"Defaults": {
-				args: []string{executable},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:         defaultListenAddress,
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"when --listen-port is set, it should convert the port to address": {
-				args: []string{
-					executable,
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"when --listen-port is set, it should ignore --listen-address flags": {
-				args: []string{
-					executable,
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--listen-address", "127.0.0.1:30080",
-					"--listen-address", "127.0.0.1:40080",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"FullOptions": {
-				args: []string{executable,
-					"--kubeconfig", "/path/to/kubeconfig",
-					"--context", "hello.k8s.local",
-					"--user", "google",
-					"--certificate-authority", "/path/to/cacert",
-					"--insecure-skip-tls-verify",
-					"-v1",
-					"--grant-type", "authcode",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--skip-open-browser",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					KubeconfigFilename: "/path/to/kubeconfig",
-					KubeconfigContext:  "hello.k8s.local",
-					KubeconfigUser:     "google",
-					CACertFilename:     "/path/to/cacert",
-					SkipTLSVerify:      true,
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:     true,
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"GrantType=authcode-keyboard": {
-				args: []string{executable,
-					"--grant-type", "authcode-keyboard",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
-					},
-				},
-			},
-			"GrantType=password": {
-				args: []string{executable,
-					"--grant-type", "password",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-			"GrantType=auto": {
-				args: []string{executable,
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-		}
-		for name, c := range tests {
-			t.Run(name, func(t *testing.T) {
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				ctx := context.TODO()
-				mockStandalone := mock_standalone.NewMockInterface(ctrl)
-				mockStandalone.EXPECT().
-					Do(ctx, c.in)
-				cmd := Cmd{
-					Root: &Root{
-						Standalone: mockStandalone,
-						Logger:     logger.New(t),
-					},
-					Logger: logger.New(t),
-				}
-				exitCode := cmd.Run(ctx, c.args, version)
-				if exitCode != 0 {
-					t.Errorf("exitCode wants 0 but %d", exitCode)
-				}
-			})
-		}
-
-		t.Run("TooManyArgs", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			cmd := Cmd{
-				Root: &Root{
-					Standalone: mock_standalone.NewMockInterface(ctrl),
-					Logger:     logger.New(t),
-				},
-				Logger: logger.New(t),
-			}
-			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-	})
-
-	t.Run("get-token", func(t *testing.T) {
-		tests := map[string]struct {
-			args []string
-			in   credentialplugin.Input
-		}{
-			"Defaults": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"FullOptions": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
-					"--oidc-extra-scope", "email",
-					"--oidc-extra-scope", "profile",
-					"--certificate-authority", "/path/to/cacert",
-					"--certificate-authority-data", "BASE64ENCODED",
-					"--insecure-skip-tls-verify",
-					"-v1",
-					"--grant-type", "authcode",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--skip-open-browser",
-					"--oidc-auth-request-extra-params", "ttl=86400",
-					"--oidc-auth-request-extra-params", "reauth=true",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir:  defaultTokenCacheDir,
-					IssuerURL:      "https://issuer.example.com",
-					ClientID:       "YOUR_CLIENT_ID",
-					ClientSecret:   "YOUR_CLIENT_SECRET",
-					ExtraScopes:    []string{"email", "profile"},
-					CACertFilename: "/path/to/cacert",
-					CACertData:     "BASE64ENCODED",
-					SkipTLSVerify:  true,
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:            []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:        true,
-							RedirectURLHostname:    "localhost",
-							AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
-						},
-					},
-				},
-			},
-			"GrantType=authcode-keyboard": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--grant-type", "authcode-keyboard",
-					"--oidc-auth-request-extra-params", "ttl=86400",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{
-							AuthRequestExtraParams: map[string]string{"ttl": "86400"},
-						},
-					},
-				},
-			},
-			"GrantType=password": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--grant-type", "password",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-			"GrantType=auto": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-		}
-		for name, c := range tests {
-			t.Run(name, func(t *testing.T) {
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				ctx := context.TODO()
-				getToken := mock_credentialplugin.NewMockInterface(ctrl)
-				getToken.EXPECT().
-					Do(ctx, c.in)
-				cmd := Cmd{
-					Root: &Root{
-						Logger: logger.New(t),
-					},
-					GetToken: &GetToken{
-						GetToken: getToken,
-						Logger:   logger.New(t),
-					},
-					Logger: logger.New(t),
-				}
-				exitCode := cmd.Run(ctx, c.args, version)
-				if exitCode != 0 {
-					t.Errorf("exitCode wants 0 but %d", exitCode)
-				}
-			})
-		}
-
-		t.Run("MissingMandatoryOptions", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			ctx := context.TODO()
-			cmd := Cmd{
-				Root: &Root{
-					Logger: logger.New(t),
-				},
-				GetToken: &GetToken{
-					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   logger.New(t),
-				},
-				Logger: logger.New(t),
-			}
-			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-
-		t.Run("TooManyArgs", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			ctx := context.TODO()
-			cmd := Cmd{
-				Root: &Root{
-					Logger: logger.New(t),
-				},
-				GetToken: &GetToken{
-					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   logger.New(t),
-				},
-				Logger: logger.New(t),
-			}
-			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-	})
-}

pkg/adaptors/cmd/get_token.go

@@ -1,83 +0,0 @@
-package cmd
-
-import (
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
-)
-
-// getTokenOptions represents the options for get-token command.
-type getTokenOptions struct {
-	IssuerURL             string
-	ClientID              string
-	ClientSecret          string
-	ExtraScopes           []string
-	CACertFilename        string
-	CACertData            string
-	SkipTLSVerify         bool
-	TokenCacheDir         string
-	authenticationOptions authenticationOptions
-}
-
-func (o *getTokenOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
-	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
-	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
-	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
-	o.authenticationOptions.register(f)
-}
-
-type GetToken struct {
-	GetToken credentialplugin.Interface
-	Logger   logger.Interface
-}
-
-func (cmd *GetToken) New() *cobra.Command {
-	var o getTokenOptions
-	c := &cobra.Command{
-		Use:   "get-token [flags]",
-		Short: "Run as a kubectl credential plugin",
-		Args: func(c *cobra.Command, args []string) error {
-			if err := cobra.NoArgs(c, args); err != nil {
-				return err
-			}
-			if o.IssuerURL == "" {
-				return xerrors.New("--oidc-issuer-url is missing")
-			}
-			if o.ClientID == "" {
-				return xerrors.New("--oidc-client-id is missing")
-			}
-			return nil
-		},
-		RunE: func(c *cobra.Command, _ []string) error {
-			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
-			if err != nil {
-				return xerrors.Errorf("get-token: %w", err)
-			}
-			in := credentialplugin.Input{
-				IssuerURL:      o.IssuerURL,
-				ClientID:       o.ClientID,
-				ClientSecret:   o.ClientSecret,
-				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.CACertFilename,
-				CACertData:     o.CACertData,
-				SkipTLSVerify:  o.SkipTLSVerify,
-				TokenCacheDir:  o.TokenCacheDir,
-				GrantOptionSet: grantOptionSet,
-			}
-			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
-				return xerrors.Errorf("get-token: %w", err)
-			}
-			return nil
-		},
-	}
-	o.register(c.Flags())
-	return c
-}

pkg/adaptors/cmd/root.go

@@ -1,149 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/standalone"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
-)
-
-const longDescription = `Login to the OpenID Connect provider.
-
-You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
-Run the following command to show the setup instruction:
-
-	kubectl oidc-login setup
-
-See https://github.com/int128/kubelogin for more.
-`
-
-// rootOptions represents the options for the root command.
-type rootOptions struct {
-	Kubeconfig            string
-	Context               string
-	User                  string
-	CertificateAuthority  string
-	SkipTLSVerify         bool
-	authenticationOptions authenticationOptions
-}
-
-func (o *rootOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
-	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
-	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	o.authenticationOptions.register(f)
-}
-
-type authenticationOptions struct {
-	GrantType              string
-	ListenAddress          []string
-	ListenPort             []int // deprecated
-	SkipOpenBrowser        bool
-	RedirectURLHostname    string
-	AuthRequestExtraParams map[string]string
-	Username               string
-	Password               string
-}
-
-// determineListenAddress returns the addresses from the flags.
-// Note that --listen-address is always given due to the default value.
-// If --listen-port is not set, it returns --listen-address.
-// If --listen-port is set, it returns the strings of --listen-port.
-func (o *authenticationOptions) determineListenAddress() []string {
-	if len(o.ListenPort) == 0 {
-		return o.ListenAddress
-	}
-	var a []string
-	for _, p := range o.ListenPort {
-		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return a
-}
-
-var allGrantType = strings.Join([]string{
-	"auto",
-	"authcode",
-	"authcode-keyboard",
-	"password",
-}, "|")
-
-func (o *authenticationOptions) register(f *pflag.FlagSet) {
-	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("The authorization grant type to use. One of (%s)", allGrantType))
-	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "Address to bind to the local server. If multiple addresses are given, it will try binding in order")
-	//TODO: remove the deprecated flag
-	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "(Deprecated: use --listen-address)")
-	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
-	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "Hostname of the redirect URL")
-	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "Extra query parameters to send with an authentication request")
-	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
-	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
-}
-
-func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
-	switch {
-	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
-		s.AuthCodeOption = &authentication.AuthCodeOption{
-			BindAddress:            o.determineListenAddress(),
-			SkipOpenBrowser:        o.SkipOpenBrowser,
-			RedirectURLHostname:    o.RedirectURLHostname,
-			AuthRequestExtraParams: o.AuthRequestExtraParams,
-		}
-	case o.GrantType == "authcode-keyboard":
-		s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{
-			AuthRequestExtraParams: o.AuthRequestExtraParams,
-		}
-	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
-		s.ROPCOption = &authentication.ROPCOption{
-			Username: o.Username,
-			Password: o.Password,
-		}
-	default:
-		err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
-	}
-	return
-}
-
-type Root struct {
-	Standalone standalone.Interface
-	Logger     logger.Interface
-}
-
-func (cmd *Root) New() *cobra.Command {
-	var o rootOptions
-	rootCmd := &cobra.Command{
-		Use:   "kubelogin",
-		Short: "Login to the OpenID Connect provider",
-		Long:  longDescription,
-		Args:  cobra.NoArgs,
-		RunE: func(c *cobra.Command, _ []string) error {
-			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
-			if err != nil {
-				return xerrors.Errorf("invalid option: %w", err)
-			}
-			in := standalone.Input{
-				KubeconfigFilename: o.Kubeconfig,
-				KubeconfigContext:  kubeconfig.ContextName(o.Context),
-				KubeconfigUser:     kubeconfig.UserName(o.User),
-				CACertFilename:     o.CertificateAuthority,
-				SkipTLSVerify:      o.SkipTLSVerify,
-				GrantOptionSet:     grantOptionSet,
-			}
-			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
-				return xerrors.Errorf("login: %w", err)
-			}
-			return nil
-		},
-	}
-	o.register(rootCmd.Flags())
-	cmd.Logger.AddFlags(rootCmd.PersistentFlags())
-	return rootCmd
-}

pkg/adaptors/credentialpluginwriter/credential_plugin.go

@@ -1,53 +0,0 @@
-// Package credentialpluginwriter provides a writer for a credential plugin.
-package credentialpluginwriter
-
-import (
-	"encoding/json"
-	"time"
-
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/stdio"
-	"golang.org/x/xerrors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
-)
-
-//go:generate mockgen -destination mock_credentialpluginwriter/mock_credentialpluginwriter.go github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter Interface
-
-var Set = wire.NewSet(
-	wire.Struct(new(Writer), "*"),
-	wire.Bind(new(Interface), new(*Writer)),
-)
-
-type Interface interface {
-	Write(out Output) error
-}
-
-// Output represents an output object of the credential plugin.
-type Output struct {
-	Token  string
-	Expiry time.Time
-}
-
-type Writer struct {
-	Stdout stdio.Stdout
-}
-
-// Write writes the ExecCredential to standard output for kubectl.
-func (w *Writer) Write(out Output) error {
-	ec := &clientauthenticationv1beta1.ExecCredential{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
-		},
-	}
-	e := json.NewEncoder(w.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return xerrors.Errorf("could not write the ExecCredential: %w", err)
-	}
-	return nil
-}

pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go

@@ -1,48 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter (interfaces: Interface)
-
-// Package mock_credentialpluginwriter is a generated GoMock package.
-package mock_credentialpluginwriter
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	credentialpluginwriter "github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// Write mocks base method
-func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Write", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Write indicates an expected call of Write
-func (mr *MockInterfaceMockRecorder) Write(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockInterface)(nil).Write), arg0)
-}

pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go

@@ -1,63 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/kubeconfig (interfaces: Interface)
-
-// Package mock_kubeconfig is a generated GoMock package.
-package mock_kubeconfig
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	kubeconfig "github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// GetCurrentAuthProvider mocks base method
-func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
-func (mr *MockInterfaceMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockInterface)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
-}
-
-// UpdateAuthProvider mocks base method
-func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
-func (mr *MockInterfaceMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockInterface)(nil).UpdateAuthProvider), arg0)
-}

pkg/adaptors/oidcclient/factory.go

@@ -1,93 +0,0 @@
-// Package oidcclient provides a client of OpenID Connect.
-package oidcclient
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"net/http"
-
-	"github.com/coreos/go-oidc"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/clock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/logging"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
-)
-
-type FactoryInterface interface {
-	New(ctx context.Context, config Config) (Interface, error)
-}
-
-// Config represents a configuration of OpenID Connect client.
-type Config struct {
-	IssuerURL     string
-	ClientID      string
-	ClientSecret  string
-	ExtraScopes   []string // optional
-	CertPool      certpool.Interface
-	SkipTLSVerify bool
-}
-
-type Factory struct {
-	Clock  clock.Interface
-	Logger logger.Interface
-}
-
-// New returns an instance of adaptors.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
-	var tlsConfig tls.Config
-	tlsConfig.InsecureSkipVerify = config.SkipTLSVerify
-	config.CertPool.SetRootCAs(&tlsConfig)
-	baseTransport := &http.Transport{
-		TLSClientConfig: &tlsConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
-	httpClient := &http.Client{
-		Transport: loggingTransport,
-	}
-
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := oidc.NewProvider(ctx, config.IssuerURL)
-	if err != nil {
-		return nil, xerrors.Errorf("oidc discovery error: %w", err)
-	}
-	supportedPKCEMethods, err := extractSupportedPKCEMethods(provider)
-	if err != nil {
-		return nil, xerrors.Errorf("could not determine supported PKCE methods: %w", err)
-	}
-	return &client{
-		httpClient: httpClient,
-		provider:   provider,
-		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     config.ClientID,
-			ClientSecret: config.ClientSecret,
-			Scopes:       append(config.ExtraScopes, oidc.ScopeOpenID),
-		},
-		clock:                f.Clock,
-		logger:               f.Logger,
-		supportedPKCEMethods: supportedPKCEMethods,
-	}, nil
-}
-
-func extractSupportedPKCEMethods(provider *oidc.Provider) ([]string, error) {
-	var d struct {
-		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
-	}
-	if err := provider.Claims(&d); err != nil {
-		return nil, fmt.Errorf("invalid discovery document: %w", err)
-	}
-	return d.CodeChallengeMethodsSupported, nil
-}

pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go

@@ -1,123 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/oidcclient (interfaces: Interface)
-
-// Package mock_oidcclient is a generated GoMock package.
-package mock_oidcclient
-
-import (
-	context "context"
-	gomock "github.com/golang/mock/gomock"
-	oidcclient "github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// ExchangeAuthCode mocks base method.
-func (m *MockInterface) ExchangeAuthCode(arg0 context.Context, arg1 oidcclient.ExchangeAuthCodeInput) (*oidcclient.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ExchangeAuthCode", arg0, arg1)
-	ret0, _ := ret[0].(*oidcclient.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ExchangeAuthCode indicates an expected call of ExchangeAuthCode.
-func (mr *MockInterfaceMockRecorder) ExchangeAuthCode(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExchangeAuthCode", reflect.TypeOf((*MockInterface)(nil).ExchangeAuthCode), arg0, arg1)
-}
-
-// GetAuthCodeURL mocks base method.
-func (m *MockInterface) GetAuthCodeURL(arg0 oidcclient.AuthCodeURLInput) string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAuthCodeURL", arg0)
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// GetAuthCodeURL indicates an expected call of GetAuthCodeURL.
-func (mr *MockInterfaceMockRecorder) GetAuthCodeURL(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthCodeURL", reflect.TypeOf((*MockInterface)(nil).GetAuthCodeURL), arg0)
-}
-
-// GetTokenByAuthCode mocks base method.
-func (m *MockInterface) GetTokenByAuthCode(arg0 context.Context, arg1 oidcclient.GetTokenByAuthCodeInput, arg2 chan<- string) (*oidcclient.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetTokenByAuthCode", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidcclient.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetTokenByAuthCode indicates an expected call of GetTokenByAuthCode.
-func (mr *MockInterfaceMockRecorder) GetTokenByAuthCode(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenByAuthCode", reflect.TypeOf((*MockInterface)(nil).GetTokenByAuthCode), arg0, arg1, arg2)
-}
-
-// GetTokenByROPC mocks base method.
-func (m *MockInterface) GetTokenByROPC(arg0 context.Context, arg1, arg2 string) (*oidcclient.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetTokenByROPC", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidcclient.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetTokenByROPC indicates an expected call of GetTokenByROPC.
-func (mr *MockInterfaceMockRecorder) GetTokenByROPC(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenByROPC", reflect.TypeOf((*MockInterface)(nil).GetTokenByROPC), arg0, arg1, arg2)
-}
-
-// Refresh mocks base method.
-func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidcclient.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
-	ret0, _ := ret[0].(*oidcclient.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh.
-func (mr *MockInterfaceMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockInterface)(nil).Refresh), arg0, arg1)
-}
-
-// SupportedPKCEMethods mocks base method.
-func (m *MockInterface) SupportedPKCEMethods() []string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SupportedPKCEMethods")
-	ret0, _ := ret[0].([]string)
-	return ret0
-}
-
-// SupportedPKCEMethods indicates an expected call of SupportedPKCEMethods.
-func (mr *MockInterfaceMockRecorder) SupportedPKCEMethods() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SupportedPKCEMethods", reflect.TypeOf((*MockInterface)(nil).SupportedPKCEMethods))
-}

pkg/adaptors/oidcclient/oidcclient.go

@@ -1,200 +0,0 @@
-package oidcclient
-
-import (
-	"context"
-	"net/http"
-	"time"
-
-	"github.com/coreos/go-oidc"
-	"github.com/int128/kubelogin/pkg/adaptors/clock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/domain/jwt"
-	"github.com/int128/kubelogin/pkg/domain/pkce"
-	"github.com/int128/oauth2cli"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_oidcclient/mock_oidcclient.go github.com/int128/kubelogin/pkg/adaptors/oidcclient Interface
-
-type Interface interface {
-	GetAuthCodeURL(in AuthCodeURLInput) string
-	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error)
-	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error)
-	GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error)
-	Refresh(ctx context.Context, refreshToken string) (*TokenSet, error)
-	SupportedPKCEMethods() []string
-}
-
-type AuthCodeURLInput struct {
-	State                  string
-	Nonce                  string
-	PKCEParams             pkce.Params
-	RedirectURI            string
-	AuthRequestExtraParams map[string]string
-}
-
-type ExchangeAuthCodeInput struct {
-	Code        string
-	PKCEParams  pkce.Params
-	Nonce       string
-	RedirectURI string
-}
-
-type GetTokenByAuthCodeInput struct {
-	BindAddress            []string
-	State                  string
-	Nonce                  string
-	PKCEParams             pkce.Params
-	RedirectURLHostname    string
-	AuthRequestExtraParams map[string]string
-}
-
-// TokenSet represents an output DTO of
-// Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
-type TokenSet struct {
-	IDToken       string
-	RefreshToken  string
-	IDTokenClaims jwt.Claims
-}
-
-type client struct {
-	httpClient           *http.Client
-	provider             *oidc.Provider
-	oauth2Config         oauth2.Config
-	clock                clock.Interface
-	logger               logger.Interface
-	supportedPKCEMethods []string
-}
-
-func (c *client) wrapContext(ctx context.Context) context.Context {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	return ctx
-}
-
-// GetTokenByAuthCode performs the authorization code flow.
-func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	config := oauth2cli.Config{
-		OAuth2Config:           c.oauth2Config,
-		State:                  in.State,
-		AuthCodeOptions:        authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
-		TokenRequestOptions:    tokenRequestOptions(in.PKCEParams),
-		LocalServerBindAddress: in.BindAddress,
-		LocalServerReadyChan:   localServerReadyChan,
-		RedirectURLHostname:    in.RedirectURLHostname,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, xerrors.Errorf("oauth2 error: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
-func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
-	cfg := c.oauth2Config
-	cfg.RedirectURL = in.RedirectURI
-	opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
-	return cfg.AuthCodeURL(in.State, opts...)
-}
-
-// ExchangeAuthCode exchanges the authorization code and token.
-func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	cfg := c.oauth2Config
-	cfg.RedirectURL = in.RedirectURI
-	opts := tokenRequestOptions(in.PKCEParams)
-	token, err := cfg.Exchange(ctx, in.Code, opts...)
-	if err != nil {
-		return nil, xerrors.Errorf("exchange error: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-func authorizationRequestOptions(n string, p pkce.Params, e map[string]string) []oauth2.AuthCodeOption {
-	o := []oauth2.AuthCodeOption{
-		oauth2.AccessTypeOffline,
-		oidc.Nonce(n),
-	}
-	if !p.IsZero() {
-		o = append(o,
-			oauth2.SetAuthURLParam("code_challenge", p.CodeChallenge),
-			oauth2.SetAuthURLParam("code_challenge_method", p.CodeChallengeMethod),
-		)
-	}
-	for key, value := range e {
-		o = append(o, oauth2.SetAuthURLParam(key, value))
-	}
-	return o
-}
-
-func tokenRequestOptions(p pkce.Params) (o []oauth2.AuthCodeOption) {
-	if !p.IsZero() {
-		o = append(o, oauth2.SetAuthURLParam("code_verifier", p.CodeVerifier))
-	}
-	return
-}
-
-// SupportedPKCEMethods returns the PKCE methods supported by the provider.
-// This may return nil if PKCE is not supported.
-func (c *client) SupportedPKCEMethods() []string {
-	return c.supportedPKCEMethods
-}
-
-// GetTokenByROPC performs the resource owner password credentials flow.
-func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
-	if err != nil {
-		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// Refresh sends a refresh token request and returns a token set.
-func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	currentToken := &oauth2.Token{
-		Expiry:       time.Now(),
-		RefreshToken: refreshToken,
-	}
-	source := c.oauth2Config.TokenSource(ctx, currentToken)
-	token, err := source.Token()
-	if err != nil {
-		return nil, xerrors.Errorf("could not refresh the token: %w", err)
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// verifyToken verifies the token with the certificates of the provider and the nonce.
-// If the nonce is an empty string, it does not verify the nonce.
-func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*TokenSet, error) {
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
-	verifiedIDToken, err := verifier.Verify(ctx, idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the ID token: %w", err)
-	}
-	if nonce != "" && nonce != verifiedIDToken.Nonce {
-		return nil, xerrors.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
-	}
-	pretty, err := jwt.DecodePayloadAsPrettyJSON(idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not decode the token: %w", err)
-	}
-	return &TokenSet{
-		IDToken: idToken,
-		IDTokenClaims: jwt.Claims{
-			Subject: verifiedIDToken.Subject,
-			Expiry:  verifiedIDToken.Expiry,
-			Pretty:  pretty,
-		},
-		RefreshToken: token.RefreshToken,
-	}, nil
-}

pkg/adaptors/reader/mock_reader/mock_reader.go

@@ -1,63 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/reader (interfaces: Interface)
-
-// Package mock_reader is a generated GoMock package.
-package mock_reader
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// ReadPassword mocks base method
-func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReadPassword", arg0)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadPassword indicates an expected call of ReadPassword
-func (mr *MockInterfaceMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockInterface)(nil).ReadPassword), arg0)
-}
-
-// ReadString mocks base method
-func (m *MockInterface) ReadString(arg0 string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReadString", arg0)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadString indicates an expected call of ReadString
-func (mr *MockInterfaceMockRecorder) ReadString(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadString", reflect.TypeOf((*MockInterface)(nil).ReadString), arg0)
-}

pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go

@@ -1,63 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/tokencache (interfaces: Interface)
-
-// Package mock_tokencache is a generated GoMock package.
-package mock_tokencache
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	tokencache "github.com/int128/kubelogin/pkg/adaptors/tokencache"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// FindByKey mocks base method
-func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache.Value, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FindByKey", arg0, arg1)
-	ret0, _ := ret[0].(*tokencache.Value)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// FindByKey indicates an expected call of FindByKey
-func (mr *MockInterfaceMockRecorder) FindByKey(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindByKey", reflect.TypeOf((*MockInterface)(nil).FindByKey), arg0, arg1)
-}
-
-// Save mocks base method
-func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.Value) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Save", arg0, arg1, arg2)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Save indicates an expected call of Save
-func (mr *MockInterfaceMockRecorder) Save(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Save", reflect.TypeOf((*MockInterface)(nil).Save), arg0, arg1, arg2)
-}

pkg/adaptors/tokencache/tokencache.go

@@ -1,97 +0,0 @@
-package tokencache
-
-import (
-	"crypto/sha256"
-	"encoding/gob"
-	"encoding/hex"
-	"encoding/json"
-	"os"
-	"path/filepath"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_tokencache/mock_tokencache.go github.com/int128/kubelogin/pkg/adaptors/tokencache Interface
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Repository), "*"),
-	wire.Bind(new(Interface), new(*Repository)),
-)
-
-type Interface interface {
-	FindByKey(dir string, key Key) (*Value, error)
-	Save(dir string, key Key, value Value) error
-}
-
-// Key represents a key of a token cache.
-type Key struct {
-	IssuerURL      string
-	ClientID       string
-	ClientSecret   string
-	ExtraScopes    []string
-	CACertFilename string
-	CACertData     string
-	SkipTLSVerify  bool
-}
-
-// Value represents a value of a token cache.
-type Value struct {
-	IDToken      string `json:"id_token,omitempty"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-}
-
-// Repository provides access to the token cache on the local filesystem.
-// Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
-type Repository struct{}
-
-func (r *Repository) FindByKey(dir string, key Key) (*Value, error) {
-	filename, err := computeFilename(key)
-	if err != nil {
-		return nil, xerrors.Errorf("could not compute the key: %w", err)
-	}
-	p := filepath.Join(dir, filename)
-	f, err := os.Open(p)
-	if err != nil {
-		return nil, xerrors.Errorf("could not open file %s: %w", p, err)
-	}
-	defer f.Close()
-	d := json.NewDecoder(f)
-	var c Value
-	if err := d.Decode(&c); err != nil {
-		return nil, xerrors.Errorf("invalid json file %s: %w", p, err)
-	}
-	return &c, nil
-}
-
-func (r *Repository) Save(dir string, key Key, value Value) error {
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return xerrors.Errorf("could not create directory %s: %w", dir, err)
-	}
-	filename, err := computeFilename(key)
-	if err != nil {
-		return xerrors.Errorf("could not compute the key: %w", err)
-	}
-	p := filepath.Join(dir, filename)
-	f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return xerrors.Errorf("could not create file %s: %w", p, err)
-	}
-	defer f.Close()
-	e := json.NewEncoder(f)
-	if err := e.Encode(&value); err != nil {
-		return xerrors.Errorf("json encode error: %w", err)
-	}
-	return nil
-}
-
-func computeFilename(key Key) (string, error) {
-	s := sha256.New()
-	e := gob.NewEncoder(s)
-	if err := e.Encode(&key); err != nil {
-		return "", xerrors.Errorf("could not encode the key: %w", err)
-	}
-	h := hex.EncodeToString(s.Sum(nil))
-	return h, nil
-}

pkg/adaptors/tokencache/tokencache_test.go

@@ -1,97 +0,0 @@
-package tokencache
-
-import (
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-)
-
-func TestRepository_FindByKey(t *testing.T) {
-	var r Repository
-
-	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-		key := Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
-		}
-		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename, err := computeFilename(key)
-		if err != nil {
-			t.Errorf("could not compute the key: %s", err)
-		}
-		p := filepath.Join(dir, filename)
-		if err := ioutil.WriteFile(p, []byte(json), 0600); err != nil {
-			t.Fatalf("could not write to the temp file: %s", err)
-		}
-
-		value, err := r.FindByKey(dir, key)
-		if err != nil {
-			t.Errorf("err wants nil but %+v", err)
-		}
-		want := &Value{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if diff := cmp.Diff(want, value); diff != "" {
-			t.Errorf("mismatch (-want +got):\n%s", diff)
-		}
-	})
-}
-
-func TestRepository_Save(t *testing.T) {
-	var r Repository
-
-	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-
-		key := Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
-		}
-		value := Value{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Save(dir, key, value); err != nil {
-			t.Errorf("err wants nil but %+v", err)
-		}
-
-		filename, err := computeFilename(key)
-		if err != nil {
-			t.Errorf("could not compute the key: %s", err)
-		}
-		p := filepath.Join(dir, filename)
-		b, err := ioutil.ReadFile(p)
-		if err != nil {
-			t.Fatalf("could not read the token cache file: %s", err)
-		}
-		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
-`
-		got := string(b)
-		if diff := cmp.Diff(want, got); diff != "" {
-			t.Errorf("mismatch (-want +got):\n%s", diff)
-		}
-	})
-}

pkg/cmd/authentication.go

@@ -0,0 +1,95 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/spf13/pflag"
+)
+
+const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
+
+type authenticationOptions struct {
+	GrantType                   string
+	ListenAddress               []string
+	AuthenticationTimeoutSec    int
+	SkipOpenBrowser             bool
+	BrowserCommand              string
+	LocalServerCertFile         string
+	LocalServerKeyFile          string
+	OpenURLAfterAuthentication  string
+	RedirectURLHostname         string
+	RedirectURLAuthCodeKeyboard string
+	AuthRequestExtraParams      map[string]string
+	Username                    string
+	Password                    string
+}
+
+var allGrantType = strings.Join([]string{
+	"auto",
+	"authcode",
+	"authcode-keyboard",
+	"password",
+	"device-code",
+}, "|")
+
+func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("Authorization grant type to use. One of (%s)", allGrantType))
+	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "[authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order")
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
+	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
+	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
+	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
+	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
+	f.StringVar(&o.RedirectURLAuthCodeKeyboard, "oidc-redirect-url-authcode-keyboard", oobRedirectURI, "[authcode-keyboard] Redirect URL")
+	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
+	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
+	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
+}
+
+func (o *authenticationOptions) expandHomedir() {
+	o.LocalServerCertFile = expandHomedir(o.LocalServerCertFile)
+	o.LocalServerKeyFile = expandHomedir(o.LocalServerKeyFile)
+}
+
+func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
+	switch {
+	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
+		s.AuthCodeBrowserOption = &authcode.BrowserOption{
+			BindAddress:                o.ListenAddress,
+			SkipOpenBrowser:            o.SkipOpenBrowser,
+			BrowserCommand:             o.BrowserCommand,
+			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
+			LocalServerCertFile:        o.LocalServerCertFile,
+			LocalServerKeyFile:         o.LocalServerKeyFile,
+			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
+			RedirectURLHostname:        o.RedirectURLHostname,
+			AuthRequestExtraParams:     o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "authcode-keyboard":
+		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+			RedirectURL:            o.RedirectURLAuthCodeKeyboard,
+		}
+	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
+		s.ROPCOption = &ropc.Option{
+			Username: o.Username,
+			Password: o.Password,
+		}
+	case o.GrantType == "device-code":
+		s.DeviceCodeOption = &devicecode.Option{
+			SkipOpenBrowser: o.SkipOpenBrowser,
+			BrowserCommand:  o.BrowserCommand,
+		}
+	default:
+		err = fmt.Errorf("grant-type must be one of (%s)", allGrantType)
+	}
+	return
+}

pkg/cmd/authentication_test.go

@@ -0,0 +1,128 @@
+package cmd
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/spf13/pflag"
+)
+
+func Test_authenticationOptions_grantOptionSet(t *testing.T) {
+	tests := map[string]struct {
+		args []string
+		want authentication.GrantOptionSet
+	}{
+		"NoFlag": {
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           defaultListenAddress,
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"FullOptions": {
+			args: []string{
+				"--grant-type", "authcode",
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--skip-open-browser",
+				"--browser-command", "firefox",
+				"--authentication-timeout-sec", "10",
+				"--local-server-cert", "/path/to/local-server-cert",
+				"--local-server-key", "/path/to/local-server-key",
+				"--open-url-after-authentication", "https://example.com/success.html",
+				"--oidc-redirect-url-hostname", "example",
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=true",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					SkipOpenBrowser:            true,
+					BrowserCommand:             "firefox",
+					AuthenticationTimeout:      10 * time.Second,
+					LocalServerCertFile:        "/path/to/local-server-cert",
+					LocalServerKeyFile:         "/path/to/local-server-key",
+					OpenURLAfterAuthentication: "https://example.com/success.html",
+					RedirectURLHostname:        "example",
+					AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
+				},
+			},
+		},
+		"GrantType=authcode-keyboard": {
+			args: []string{
+				"--grant-type", "authcode-keyboard",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{
+					RedirectURL: oobRedirectURI,
+				},
+			},
+		},
+		"GrantType=authcode-keyboard with full options": {
+			args: []string{
+				"--grant-type", "authcode-keyboard",
+				"--oidc-redirect-url-authcode-keyboard", "http://localhost",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{
+					RedirectURL: "http://localhost",
+				},
+			},
+		},
+		"GrantType=password": {
+			args: []string{
+				"--grant-type", "password",
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				ROPCOption: &ropc.Option{
+					Username: "USER",
+					Password: "PASS",
+				},
+			},
+		},
+		"GrantType=auto": {
+			args: []string{
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				ROPCOption: &ropc.Option{
+					Username: "USER",
+					Password: "PASS",
+				},
+			},
+		},
+	}
+
+	for name, c := range tests {
+		t.Run(name, func(t *testing.T) {
+			var o authenticationOptions
+			f := pflag.NewFlagSet("", pflag.ContinueOnError)
+			o.addFlags(f)
+			if err := f.Parse(c.args); err != nil {
+				t.Fatalf("Parse error: %s", err)
+			}
+			got, err := o.grantOptionSet()
+			if err != nil {
+				t.Fatalf("grantOptionSet error: %s", err)
+			}
+			if diff := cmp.Diff(c.want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

pkg/cmd/clean.go

@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/usecases/clean"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type cleanOptions struct {
+	tokenCacheOptions tokenCacheOptions
+}
+
+func (o *cleanOptions) addFlags(f *pflag.FlagSet) {
+	o.tokenCacheOptions.addFlags(f)
+}
+
+func (o *cleanOptions) expandHomedir() {
+	o.tokenCacheOptions.expandHomedir()
+}
+
+type Clean struct {
+	Clean clean.Interface
+}
+
+func (cmd *Clean) New() *cobra.Command {
+	var o cleanOptions
+	c := &cobra.Command{
+		Use:   "clean [flags]",
+		Short: "Delete the token cache",
+		Long: `Delete the token cache.
+
+This deletes both the OS keyring and the directory by default.
+If you encounter an error of keyring, try --token-cache-storage=disk.
+`,
+		Args: cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			o.expandHomedir()
+			tokenCacheConfig, err := o.tokenCacheOptions.tokenCacheConfig()
+			if err != nil {
+				return fmt.Errorf("clean: %w", err)
+			}
+			in := clean.Input{
+				TokenCacheConfig: tokenCacheConfig,
+			}
+			if err := cmd.Clean.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("clean: %w", err)
+			}
+			return nil
+		},
+	}
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
+	return c
+}

pkg/cmd/cmd.go

@@ -5,9 +5,8 @@ import (
 	"runtime"
 
 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/spf13/cobra"
-	"k8s.io/client-go/util/homedir"
 )
 
 // Set provides an implementation and interface for Cmd.
@@ -17,6 +16,7 @@ var Set = wire.NewSet(
 	wire.Struct(new(Root), "*"),
 	wire.Struct(new(GetToken), "*"),
 	wire.Struct(new(Setup), "*"),
+	wire.Struct(new(Clean), "*"),
 )
 
 type Interface interface {
@@ -24,13 +24,15 @@ type Interface interface {
 }
 
 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
-var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
+
+const defaultAuthenticationTimeoutSec = 180
 
 // Cmd provides interaction with command line interface (CLI).
 type Cmd struct {
 	Root     *Root
 	GetToken *GetToken
 	Setup    *Setup
+	Clean    *Clean
 	Logger   logger.Interface
 }
 
@@ -48,6 +50,9 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
 	setupCmd := cmd.Setup.New()
 	rootCmd.AddCommand(setupCmd)
 
+	cleanCmd := cmd.Clean.New()
+	rootCmd.AddCommand(cleanCmd)
+
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Print the version information",

pkg/cmd/cmd_test.go

@@ -0,0 +1,285 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/kubelogin/pkg/tokencache"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+)
+
+func TestCmd_Run(t *testing.T) {
+	const executable = "kubelogin"
+	const version = "HEAD"
+
+	t.Run("root", func(t *testing.T) {
+		tests := map[string]struct {
+			args []string
+			in   standalone.Input
+		}{
+			"Defaults": {
+				args: []string{executable},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"--kubeconfig", "/path/to/kubeconfig",
+					"--context", "hello.k8s.local",
+					"--user", "google",
+					"-v1",
+				},
+				in: standalone.Input{
+					KubeconfigFilename: "/path/to/kubeconfig",
+					KubeconfigContext:  "hello.k8s.local",
+					KubeconfigUser:     "google",
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctx := context.TODO()
+				mockStandalone := standalone_mock.NewMockInterface(t)
+				mockStandalone.EXPECT().
+					Do(ctx, c.in).
+					Return(nil)
+				cmd := Cmd{
+					Root: &Root{
+						Standalone: mockStandalone,
+						Logger:     logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
+			})
+		}
+
+		t.Run("TooManyArgs", func(t *testing.T) {
+			cmd := Cmd{
+				Root: &Root{
+					Standalone: standalone_mock.NewMockInterface(t),
+					Logger:     logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+	})
+
+	t.Run("get-token", func(t *testing.T) {
+		userHomeDir, err := os.UserHomeDir()
+		if err != nil {
+			t.Fatalf("os.UserHomeDir error: %s", err)
+		}
+
+		tests := map[string]struct {
+			args []string
+			in   credentialplugin.Input
+		}{
+			"Defaults": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+				},
+				in: credentialplugin.Input{
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageAuto,
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
+					"--oidc-extra-scope", "email",
+					"--oidc-extra-scope", "profile",
+					"--token-cache-storage", "disk",
+					"-v1",
+				},
+				in: credentialplugin.Input{
+					Provider: oidc.Provider{
+						IssuerURL:    "https://issuer.example.com",
+						ClientID:     "YOUR_CLIENT_ID",
+						ClientSecret: "YOUR_CLIENT_SECRET",
+						ExtraScopes:  []string{"email", "profile"},
+					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageDisk,
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"AccessToken": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-use-access-token=true",
+				},
+				in: credentialplugin.Input{
+					Provider: oidc.Provider{
+						IssuerURL:      "https://issuer.example.com",
+						ClientID:       "YOUR_CLIENT_ID",
+						UseAccessToken: true,
+					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageAuto,
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"HomedirExpansion": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--certificate-authority", "~/.kube/ca.crt",
+					"--local-server-cert", "~/.kube/oidc-server.crt",
+					"--local-server-key", "~/.kube/oidc-server.key",
+					"--token-cache-dir", "~/.kube/oidc-cache",
+				},
+				in: credentialplugin.Input{
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/oidc-cache"),
+						Storage:   tokencache.StorageAuto,
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+							LocalServerCertFile:   filepath.Join(userHomeDir, ".kube/oidc-server.crt"),
+							LocalServerKeyFile:    filepath.Join(userHomeDir, ".kube/oidc-server.key"),
+						},
+					},
+					TLSClientConfig: tlsclientconfig.Config{
+						CACertFilename: []string{filepath.Join(userHomeDir, ".kube/ca.crt")},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctx := context.TODO()
+				getToken := credentialplugin_mock.NewMockInterface(t)
+				getToken.EXPECT().
+					Do(ctx, c.in).
+					Return(nil)
+				cmd := Cmd{
+					Root: &Root{
+						Logger: logger.New(t),
+					},
+					GetToken: &GetToken{
+						GetToken: getToken,
+						Logger:   logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
+			})
+		}
+
+		t.Run("MissingMandatoryOptions", func(t *testing.T) {
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: credentialplugin_mock.NewMockInterface(t),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+
+		t.Run("TooManyArgs", func(t *testing.T) {
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: credentialplugin_mock.NewMockInterface(t),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+	})
+}

pkg/cmd/get_token.go

@@ -0,0 +1,106 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+// getTokenOptions represents the options for get-token command.
+type getTokenOptions struct {
+	IssuerURL             string
+	ClientID              string
+	ClientSecret          string
+	ExtraScopes           []string
+	UseAccessToken        bool
+	tokenCacheOptions     tokenCacheOptions
+	tlsOptions            tlsOptions
+	pkceOptions           pkceOptions
+	authenticationOptions authenticationOptions
+	ForceRefresh          bool
+}
+
+func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
+	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
+	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
+	f.BoolVar(&o.ForceRefresh, "force-refresh", false, "If set, refresh the ID token regardless of its expiration time")
+	o.tokenCacheOptions.addFlags(f)
+	o.tlsOptions.addFlags(f)
+	o.pkceOptions.addFlags(f)
+	o.authenticationOptions.addFlags(f)
+}
+
+func (o *getTokenOptions) expandHomedir() {
+	o.tokenCacheOptions.expandHomedir()
+	o.authenticationOptions.expandHomedir()
+	o.tlsOptions.expandHomedir()
+}
+
+type GetToken struct {
+	GetToken credentialplugin.Interface
+	Logger   logger.Interface
+}
+
+func (cmd *GetToken) New() *cobra.Command {
+	var o getTokenOptions
+	c := &cobra.Command{
+		Use:   "get-token [flags]",
+		Short: "Run as a kubectl credential plugin",
+		Args: func(c *cobra.Command, args []string) error {
+			if err := cobra.NoArgs(c, args); err != nil {
+				return err
+			}
+			if o.IssuerURL == "" {
+				return errors.New("--oidc-issuer-url is missing")
+			}
+			if o.ClientID == "" {
+				return errors.New("--oidc-client-id is missing")
+			}
+			return nil
+		},
+		RunE: func(c *cobra.Command, _ []string) error {
+			o.expandHomedir()
+			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			tokenCacheConfig, err := o.tokenCacheOptions.tokenCacheConfig()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			pkceMethod, err := o.pkceOptions.pkceMethod()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			in := credentialplugin.Input{
+				Provider: oidc.Provider{
+					IssuerURL:      o.IssuerURL,
+					ClientID:       o.ClientID,
+					ClientSecret:   o.ClientSecret,
+					PKCEMethod:     pkceMethod,
+					UseAccessToken: o.UseAccessToken,
+					ExtraScopes:    o.ExtraScopes,
+				},
+				ForceRefresh:     o.ForceRefresh,
+				TokenCacheConfig: tokenCacheConfig,
+				GrantOptionSet:   grantOptionSet,
+				TLSClientConfig:  o.tlsOptions.tlsClientConfig(),
+			}
+			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			return nil
+		},
+	}
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
+	return c
+}

pkg/cmd/homedir.go

@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"path/filepath"
+	"strings"
+
+	"k8s.io/client-go/util/homedir"
+)
+
+func expandHomedir(s string) string {
+	if !strings.HasPrefix(s, "~") {
+		return s
+	}
+	return filepath.Join(homedir.HomeDir(), strings.TrimPrefix(s, "~"))
+}

pkg/cmd/pkce.go

@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/spf13/pflag"
+)
+
+var allPKCEMethods = strings.Join([]string{"auto", "no", "S256"}, "|")
+
+type pkceOptions struct {
+	UsePKCE    bool
+	PKCEMethod string
+}
+
+func (o *pkceOptions) addFlags(f *pflag.FlagSet) {
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE S256 code challenge method")
+	if err := f.MarkDeprecated("oidc-use-pkce", "use --oidc-pkce-method instead. For the most providers, you don't need to set the flag."); err != nil {
+		panic(err)
+	}
+	f.StringVar(&o.PKCEMethod, "oidc-pkce-method", "auto", fmt.Sprintf("PKCE code challenge method. Automatically determined by default. One of (%s)", allPKCEMethods))
+}
+
+func (o *pkceOptions) pkceMethod() (oidc.PKCEMethod, error) {
+	if o.UsePKCE {
+		return oidc.PKCEMethodS256, nil
+	}
+	switch o.PKCEMethod {
+	case "auto":
+		return oidc.PKCEMethodAuto, nil
+	case "no":
+		return oidc.PKCEMethodNo, nil
+	case "S256":
+		return oidc.PKCEMethodS256, nil
+	default:
+		return 0, fmt.Errorf("oidc-pkce-method must be one of (%s)", allPKCEMethods)
+	}
+}

pkg/cmd/root.go

@@ -0,0 +1,74 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+const rootDescription = `Log in to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+To show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.
+`
+
+// rootOptions represents the options for the root command.
+type rootOptions struct {
+	Kubeconfig            string
+	Context               string
+	User                  string
+	tlsOptions            tlsOptions
+	authenticationOptions authenticationOptions
+}
+
+func (o *rootOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
+	f.StringVar(&o.Context, "context", "", "Name of the kubeconfig context to use")
+	f.StringVar(&o.User, "user", "", "Name of the kubeconfig user to use. Prior to --context")
+	o.tlsOptions.addFlags(f)
+	o.authenticationOptions.addFlags(f)
+}
+
+type Root struct {
+	Standalone standalone.Interface
+	Logger     logger.Interface
+}
+
+func (cmd *Root) New() *cobra.Command {
+	var o rootOptions
+	c := &cobra.Command{
+		Use:   "kubelogin",
+		Short: "Log in to the OpenID Connect provider",
+		Long:  rootDescription,
+		Args:  cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
+			if err != nil {
+				return fmt.Errorf("invalid option: %w", err)
+			}
+			in := standalone.Input{
+				KubeconfigFilename: o.Kubeconfig,
+				KubeconfigContext:  kubeconfig.ContextName(o.Context),
+				KubeconfigUser:     kubeconfig.UserName(o.User),
+				GrantOptionSet:     grantOptionSet,
+				TLSClientConfig:    o.tlsOptions.tlsClientConfig(),
+			}
+			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("login: %w", err)
+			}
+			return nil
+		},
+	}
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
+	cmd.Logger.AddFlags(c.PersistentFlags())
+	return c
+}

pkg/cmd/setup.go

@@ -1,10 +1,11 @@
 package cmd
 
 import (
+	"fmt"
+
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )
 
 // setupOptions represents the options for setup command.
@@ -13,22 +14,21 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	CACertFilename        string
-	CACertData            string
-	SkipTLSVerify         bool
+	UseAccessToken        bool
+	tlsOptions            tlsOptions
+	pkceOptions           pkceOptions
 	authenticationOptions authenticationOptions
 }
 
-func (o *setupOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
+func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	o.authenticationOptions.register(f)
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
+	o.tlsOptions.addFlags(f)
+	o.pkceOptions.addFlags(f)
+	o.authenticationOptions.addFlags(f)
 }
 
 type Setup struct {
@@ -44,31 +44,39 @@ func (cmd *Setup) New() *cobra.Command {
 		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("setup: %w", err)
+				return fmt.Errorf("setup: %w", err)
+			}
+			pkceMethod, err := o.pkceOptions.pkceMethod()
+			if err != nil {
+				return fmt.Errorf("setup: %w", err)
 			}
 			in := setup.Stage2Input{
-				IssuerURL:      o.IssuerURL,
-				ClientID:       o.ClientID,
-				ClientSecret:   o.ClientSecret,
-				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.CACertFilename,
-				CACertData:     o.CACertData,
-				SkipTLSVerify:  o.SkipTLSVerify,
-				GrantOptionSet: grantOptionSet,
+				IssuerURL:       o.IssuerURL,
+				ClientID:        o.ClientID,
+				ClientSecret:    o.ClientSecret,
+				ExtraScopes:     o.ExtraScopes,
+				UseAccessToken:  o.UseAccessToken,
+				PKCEMethod:      pkceMethod,
+				GrantOptionSet:  grantOptionSet,
+				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}
 			if c.Flags().Lookup("listen-address").Changed {
 				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
 			}
+			if c.Flags().Lookup("oidc-pkce-method").Changed {
+				in.PKCEMethodArg = o.pkceOptions.PKCEMethod
+			}
 			if in.IssuerURL == "" || in.ClientID == "" {
 				cmd.Setup.DoStage1()
 				return nil
 			}
 			if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
-				return xerrors.Errorf("setup: %w", err)
+				return fmt.Errorf("setup: %w", err)
 			}
 			return nil
 		},
 	}
-	o.register(c.Flags())
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
 	return c
 }

pkg/cmd/tls.go

@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"crypto/tls"
+
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/spf13/pflag"
+)
+
+type tlsOptions struct {
+	CACertFilename            []string
+	CACertData                []string
+	SkipTLSVerify             bool
+	RenegotiateOnceAsClient   bool
+	RenegotiateFreelyAsClient bool
+}
+
+func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
+	f.StringArrayVar(&o.CACertFilename, "certificate-authority", nil, "Path to a cert file for the certificate authority")
+	f.StringArrayVar(&o.CACertData, "certificate-authority-data", nil, "Base64 encoded cert for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "[SECURITY RISK] If set, the server's certificate will not be checked for validity")
+	f.BoolVar(&o.RenegotiateOnceAsClient, "tls-renegotiation-once", false, "If set, allow a remote server to request renegotiation once per connection")
+	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
+}
+
+func (o *tlsOptions) expandHomedir() {
+	var caCertFilenames []string
+	for _, caCertFilename := range o.CACertFilename {
+		expanded := expandHomedir(caCertFilename)
+		caCertFilenames = append(caCertFilenames, expanded)
+	}
+	o.CACertFilename = caCertFilenames
+}
+
+func (o tlsOptions) tlsClientConfig() tlsclientconfig.Config {
+	return tlsclientconfig.Config{
+		CACertFilename: o.CACertFilename,
+		CACertData:     o.CACertData,
+		SkipTLSVerify:  o.SkipTLSVerify,
+		Renegotiation:  o.renegotiationSupport(),
+	}
+}
+
+func (o tlsOptions) renegotiationSupport() tls.RenegotiationSupport {
+	if o.RenegotiateOnceAsClient {
+		return tls.RenegotiateOnceAsClient
+	}
+	if o.RenegotiateFreelyAsClient {
+		return tls.RenegotiateFreelyAsClient
+	}
+	return tls.RenegotiateNever
+}