Added ppc64le support (#799 )

Signed-off-by: mayurwaghmode <waghmodemayur17@gmail.com> Signed-off-by: mayurwaghmode <waghmodemayur17@gmail.com>
fix(deps): update golang.org/x/net digest to bea034e (#797 )
2026-02-27 23:43:49 +00:00 · 2022-09-12 18:49:03 +09:00 · 2022-09-09 20:37:10 +00:00 · 2022-09-09 08:38:06 +00:00 · 2022-09-09 05:51:00 +00:00 · 2022-09-08 01:56:15 +00:00
148 changed files with 5935 additions and 3453 deletions
--- a/.circleci/Makefile
+++ b/.circleci/Makefile
@@ -1,17 +0,0 @@
-.PHONY: all
-all:
-
-.PHONY: install-test-deps
-install-test-deps:
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(HOME)/go/bin v1.24.0
-	go get -v github.com/int128/goxzst
-
-.PHONY: install-release-deps
-install-release-deps: go
-	go get -v github.com/int128/goxzst github.com/int128/ghcp
-
-go:
-	curl -sSfL -o go.tgz "https://golang.org/dl/go`ruby go_version_from_config.rb < config.yml`.darwin-amd64.tar.gz"
-	tar -xf go.tgz
-	rm go.tgz
-	./go/bin/go version
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,60 +0,0 @@
-version: 2.1
-
-jobs:
-  test:
-    docker:
-      - image: cimg/go:1.14.6
-    steps:
-      - checkout
-      - restore_cache:
-          keys:
-            - go-sum-{{ checksum "go.sum" }}
-      - run: make -C .circleci install-test-deps
-      - run: make check
-      - run: bash <(curl -s https://codecov.io/bash)
-      - run: make dist
-      - save_cache:
-          key: go-sum-{{ checksum "go.sum" }}
-          paths:
-            - ~/go/pkg
-      - store_artifacts:
-          path: gotest.log
-
-  release:
-    macos:
-      # https://circleci.com/docs/2.0/testing-ios/
-      xcode: 11.5.0
-    steps:
-      - run: echo 'export PATH="$HOME/go/bin:$PWD/.circleci/go/bin:$PATH"' >> $BASH_ENV
-      - checkout
-      - restore_cache:
-          keys:
-            - go-macos-{{ checksum "go.sum" }}
-      - run: make -C .circleci install-release-deps
-      - run: make dist
-      - run: |
-          if [ "$CIRCLE_TAG" ]; then
-            make release
-          fi
-      - save_cache:
-          key: go-macos-{{ checksum "go.sum" }}
-          paths:
-            - ~/go/pkg
-
-workflows:
-  version: 2
-  build:
-    jobs:
-      - test:
-          filters:
-            tags:
-              only: /^v.*/
-      - release:
-          context: open-source
-          requires:
-            - test
-          filters:
-            branches:
-              only: /^release-feature.*/
-            tags:
-              only: /^v.*/
--- a/.circleci/go.mod
+++ b/.circleci/go.mod
@@ -1,3 +0,0 @@
-module github.com/int128/kubelogin/.circleci
-
-go 1.13
--- a/.circleci/go_version_from_config.rb
+++ b/.circleci/go_version_from_config.rb
@@ -1,11 +0,0 @@
-require 'yaml'
-
-config = YAML.load(STDIN)
-
-image = config["jobs"]["test"]["docker"][0]["image"]
-if !image.start_with?("cimg/go:")
-  raise "unknown image #{image} in #{configPath}"
-end
-
-goVersion = image.delete_prefix("cimg/go:")
-print(goVersion)
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,17 +7,14 @@ assignees: ''

 ---

-**Describe the bug**
-A clear and concise description of what the bug is.
+## Describe the issue
+A clear and concise description of what the issue is.

-**To Reproduce**
-Steps to reproduce the behavior.
+## To reproduce
+A console log or steps to reproduce the issue.

-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Environment**
- - OS: [e.g. macOS, Linux]
- - kubelogin version: [e.g. 1.19.3]
- - kubectl version: [e.g. 1.19]
- - OpenID Connect provider: [e.g. Google, Okta]
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -7,11 +7,9 @@ assignees: ''

 ---

-**Is your feature request related to a problem? Please describe.**
+## Purpose of the feature (why)
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
 A clear and concise description of what you want to happen.

-**Describe alternatives you've considered**
+## Your idea (how)
 A clear and concise description of any alternative solutions or features you've considered.
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,20 @@
+---
+name: Question
+about: Feel free to ask a question
+title: ''
+labels: question
+assignees: ''
+
+---
+
+## Describe the question
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,8 +0,0 @@
-{
-  "extends": [
-    "config:base"
-  ],
-  "postUpdateOptions": [
-    "gomodTidy"
-  ]
-}
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -0,0 +1,6 @@
+{
+  "extends": [
+    "github>int128/renovate-base",
+    "github>int128/go-actions",
+  ],
+}
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,52 @@
+name: docker
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+      - Makefile
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+      - Makefile
+    tags:
+      - v*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: docker/metadata-action@v4
+        id: metadata
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@v1
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
+      - uses: docker/build-push-action@v3
+        with:
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.cache-from }}
+          cache-to: ${{ steps.cache.outputs.cache-to }}
+          platforms: linux/amd64,linux/arm64,linux/ppc64le
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -0,0 +1,42 @@
+name: go
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v3
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.18.5
+      - uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.48.0
+
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v3
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.18.5
+      - run: go test -v -race ./...
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,74 @@
+name: release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        platform:
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: amd64
+            CGO_ENABLED: 0 # https://github.com/int128/kubelogin/issues/567
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm64
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: ppc64le
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: amd64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/249
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: arm64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/762
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: amd64
+    runs-on: ${{ matrix.platform.runs-on }}
+    env:
+      GOOS: ${{ matrix.platform.GOOS }}
+      GOARCH: ${{ matrix.platform.GOARCH }}
+      CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v3
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.18.5
+      - run: go build -ldflags "-X main.version=${GITHUB_REF##*/}"
+      - uses: int128/go-actions/release@v1
+        with:
+          binary: kubelogin
+
+  publish:
+    if: startswith(github.ref, 'refs/tags/')
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v3
+      - uses: rajatjindal/krew-release-bot@v0.0.43
--- a/.github/workflows/system-test.yaml
+++ b/.github/workflows/system-test.yaml
@@ -1,29 +1,41 @@
-on: [push]
+name: system-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+
 jobs:
  system-test:
-    # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/setup-go@v1
+      - uses: actions/checkout@v3
+      - uses: int128/go-actions/setup@v1
        with:
-          go-version: 1.14.1
-        id: go
-      - uses: actions/checkout@v1
-      - uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            go-
-      # https://kind.sigs.k8s.io/docs/user/quick-start/
-      - run: |
-          wget -q -O ./kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.8.1/kind-linux-amd64"
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-          kind version
+          go-version: 1.18.5
+
+      # for certutil
      # https://packages.ubuntu.com/xenial/libnss3-tools
      - run: sudo apt update
      - run: sudo apt install -y libnss3-tools
+      - run: mkdir -p ~/.pki/nssdb
+
      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
-      - run: make -C system_test -j3 setup
-      - run: make -C system_test test
+
+      - run: make -C system_test -j3
+
+      - run: make -C system_test logs
+        if: always()
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,10 @@
 /.idea

-/system_test/output/
 /acceptance_test/output/

-/dist/output
 /coverage.out
-/gotest.log

 /kubelogin
 /kubectl-oidc_login
-
-/.circleci/go/
+/kubelogin_*.zip
+/kubelogin_*.zip.sha256
--- a/.krew.yaml
+++ b/.krew.yaml
@@ -0,0 +1,62 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: oidc-login
+spec:
+  homepage: https://github.com/int128/kubelogin
+  shortDescription: Log in to the OpenID Connect provider
+  description: |
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.
+
+  caveats: |
+    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+  version: {{ .TagName }}
+  platforms:
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: amd64
--- a/12
+++ b/12
@@ -0,0 +1,12 @@
+FROM golang:1.18 as builder
+
+WORKDIR /builder
+COPY go.* .
+RUN go mod download
+COPY main.go .
+COPY pkg pkg
+RUN go build
+
+FROM gcr.io/distroless/base-debian10
+COPY --from=builder /builder/kubelogin /
+ENTRYPOINT ["/kubelogin"]
--- a/49
+++ b/49
@@ -1,49 +0,0 @@
-# CircleCI specific variables
-CIRCLE_TAG ?= latest
-GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
-GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)
-
-TARGET := kubelogin
-TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
-VERSION ?= $(CIRCLE_TAG)
-LDFLAGS := -X main.version=$(VERSION)
-
-all: $(TARGET)
-
-$(TARGET): $(wildcard **/*.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
-
-.PHONY: check
-check:
-	golangci-lint run
-	go test -v -race -cover -coverprofile=coverage.out ./... > gotest.log
-
-.PHONY: dist
-dist: dist/output
-dist/output:
-	# make the zip files for GitHub Releases
-	VERSION=$(VERSION) goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
-	# test the zip file
-	zipinfo dist/output/kubelogin_linux_amd64.zip
-	# make the krew yaml structure
-	mkdir -p dist/output/plugins
-	mv dist/output/oidc-login.yaml dist/output/plugins/oidc-login.yaml
-
-.PHONY: release
-release: dist
-	# publish the binaries
-	ghcp release -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)" -t "$(VERSION)" dist/output/
-	# publish the Homebrew formula
-	ghcp commit -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ kubelogin.rb
-	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
-	# publish the Dockerfile
-	ghcp commit -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ Dockerfile
-	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
-	# publish the Krew manifest
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(VERSION)" -m "Bump oidc-login to $(VERSION)" -C dist/output/ plugins/oidc-login.yaml
-
-.PHONY: clean
-clean:
-	-rm $(TARGET)
-	-rm -r dist/output/
-	-rm coverage.out gotest.log
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![go](https://github.com/int128/kubelogin/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kubelogin/actions/workflows/go.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)

 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.

@@ -18,7 +18,7 @@ Take a look at the diagram:

 ### Setup

-Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases).
+Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew), [Chocolatey](https://chocolatey.org/packages/kubelogin) or [GitHub Releases](https://github.com/int128/kubelogin/releases).

 ```sh
 # Homebrew (macOS and Linux)
@@ -26,8 +26,13 @@ brew install int128/kubelogin/kubelogin

 # Krew (macOS, Linux, Windows and ARM)
 kubectl krew install oidc-login
+
+# Chocolatey (Windows)
+choco install kubelogin
 ```

+If you install via GitHub releases, you need to put the `kubelogin` binary on your path under the name `kubectl-oidc_login` so that the [kubectl plugin mechanism](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) can find it when you invoke `kubectl oidc-login`. The other install methods do this for you.
+
 You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
 The kubeconfig looks like:

@@ -58,11 +63,11 @@ kubectl get pods
 ```

 Kubectl executes kubelogin before calling the Kubernetes APIs.
-Kubelogin automatically opens the browser and you can log in to the provider.
+Kubelogin automatically opens the browser, and you can log in to the provider.

 <img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">

-After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
+After authentication, kubelogin returns the credentials to kubectl and kubectl then calls the Kubernetes APIs with these credentials.

 ```
 % kubectl get pods
@@ -75,22 +80,19 @@ Kubelogin writes the ID token and refresh token to the token cache file.

 If the cached ID token is valid, kubelogin just returns it.
 If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will perform reauthentication.
+If the refresh token has expired, kubelogin will perform re-authentication (you will have to login via browser again).


 ### Troubleshoot

 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
-Kubelogin will perform authentication if the token cache file does not exist.
+Kubelogin will ask you to login via browser again if the token cache file does not exist i.e., it starts with a clean slate

 You can dump claims of an ID token by `setup` command.

 ```console
 % kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
-authentication in progress...
-
-## 2. Verify authentication
-
+...
 You got a token with the following claims:

 {
@@ -101,185 +103,7 @@ You got a token with the following claims:
 }
 ```

-You can verify kubelogin works with your provider using [acceptance test](acceptance_test).
-
-
-## Usage
-
-This document is for the development version.
-If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).
-
-Kubelogin supports the following options:
-
-```
-Usage:
-  kubelogin get-token [flags]
-
-Flags:
-      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
-      --oidc-client-id string                           Client ID of the provider (mandatory)
-      --oidc-client-secret string                       Client secret of the provider
-      --oidc-extra-scope strings                        Scopes to request to the provider
-      --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
-      --certificate-authority string                    Path to a cert file for the certificate authority
-      --certificate-authority-data string               Base64 encoded cert for the certificate authority
-      --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
-      --skip-open-browser                               [authcode] Do not open the browser automatically
-      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
-      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
-      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
-      --username string                                 [password] Username for resource owner password credentials grant
-      --password string                                 [password] Password for resource owner password credentials grant
-  -h, --help                                            help for get-token
-
-Global Flags:
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-```
-
-See also the options of [standalone mode](docs/standalone-mode.md).
-
-### Extra scopes
-
-You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
-
-```yaml
-      - --oidc-extra-scope=email
-      - --oidc-extra-scope=profile
-```
-
-### CA Certificate
-
-You can use your self-signed certificate for the provider.
-
-```yaml
-      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
-      - --certificate-authority-data=LS0t...
-```
-
-### HTTP Proxy
-
-You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
-See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
-
-### Authentication flows
-
-#### Authorization code flow
-
-Kubelogin performs the authorization code flow by default.
-
-It starts the local server at port 8000 or 18000 by default.
-You need to register the following redirect URIs to the provider:
-
- `http://localhost:8000`
- `http://localhost:18000` (used if port 8000 is already in use)
-
-You can change the listening address.
-
-```yaml
-      - --listen-address=127.0.0.1:12345
-      - --listen-address=127.0.0.1:23456
-```
-
-You can change the hostname of redirect URI from the default value `localhost`.
-
-```yaml
-      - --oidc-redirect-url-hostname=127.0.0.1
-```
-
-You can add extra parameters to the authentication request.
-
-```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
-```
-
-When authentication completed, kubelogin shows a message to close the browser.
-You can change the URL to show after authentication.
-
-```yaml
-      - --open-url-after-authentication=https://example.com/success.html
-```
-
-#### Authorization code flow with keyboard interactive
-
-If you cannot access the browser, instead use the authorization code flow with keyboard interactive.
-
-```yaml
-      - --grant-type=authcode-keyboard
-```
-
-Kubelogin will show the URL and prompt.
-Open the URL in the browser and then copy the code shown.
-
-```
-% kubectl get pods
-Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
-Enter code: YOUR_CODE
-```
-
-Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and
-some OIDC providers do not support it.
-
-You can add extra parameters to the authentication request.
-
-```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
-```
-
-#### Resource owner password credentials grant flow
-
-Kubelogin performs the resource owner password credentials grant flow
-when `--grant-type=password` or `--username` is set.
-
-Note that most OIDC providers do not support this flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
-
-You can set the username and password.
-
-```yaml
-      - --username=USERNAME
-      - --password=PASSWORD
-```
-
-If the password is not set, kubelogin will show the prompt for the password.
-
-```yaml
-      - --username=USERNAME
-```
-
-```
-% kubectl get pods
-Password:
-```
-
-If the username is not set, kubelogin will show the prompt for the username and password.
-
-```yaml
-      - --grant-type=password
-```
-
-```
-% kubectl get pods
-Username: foo
-Password:
-```
-
-### Docker
-
-You can run [the Docker image](https://quay.io/repository/int128/kubelogin) instead of the binary.
-The kubeconfig looks like:
+You can increase the log level by `-v1` option.

 ```yaml
 users:
@@ -287,34 +111,23 @@ users:
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
-      command: docker
+      command: kubectl
      args:
-      - run
-      - --rm
-      - -v
-      - /tmp/.token-cache:/.token-cache
-      - -p
-      - 8000:8000
-      - quay.io/int128/kubelogin
+      - oidc-login
      - get-token
-      - --token-cache-dir=/.token-cache
-      - --listen-address=0.0.0.0:8000
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+      - -v1
 ```

-Known limitations:
-
- It cannot open the browser automatically.
- The container port and listen port must be equal for consistency of the redirect URI.
+You can verify kubelogin works with your provider using [acceptance test](acceptance_test).


-## Related works
+## Docs

-### Kubernetes Dashboard
-
-You can access the Kubernetes Dashboard using kubelogin and [kauthproxy](https://github.com/int128/kauthproxy).
+- [Setup guide](docs/setup.md)
+- [Usage and options](docs/usage.md)
+- [Standalone mode](docs/standalone-mode.md)
+- [System test](system_test)
+- [Acceptance_test for identity providers](acceptance_test)


 ## Contributions
@@ -322,17 +135,5 @@ You can access the Kubernetes Dashboard using kubelogin and [kauthproxy](https:/
 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests for improving code and documents.

-### Development
-
-Go 1.13 or later is required.
-
-```sh
-# Run lint and tests
-make check
-
-# Compile and run the command
-make
-./kubelogin
-```
-
-See also [the system test](system_test).
+This software is developed with [GoLand](https://www.jetbrains.com/go/) licensed for open source development.
+Special thanks for the support.
--- a/dist/Dockerfile
+++ b/dist/Dockerfile
@@ -1,13 +0,0 @@
-FROM alpine:3.12
-
-ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
-ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
-
-# Download the release and test the checksum
-RUN wget -O /kubelogin.zip "https://github.com/int128/kubelogin/releases/download/$KUBELOGIN_VERSION/kubelogin_linux_amd64.zip" && \
-    echo "$KUBELOGIN_SHA256  /kubelogin.zip" | sha256sum -c - && \
-    unzip /kubelogin.zip && \
-    rm /kubelogin.zip
-
-USER daemon
-ENTRYPOINT ["/kubelogin"]
--- a/dist/kubelogin.rb
+++ b/dist/kubelogin.rb
@@ -1,27 +0,0 @@
-class Kubelogin < Formula
-  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
-  homepage "https://github.com/int128/kubelogin"
-  baseurl = "https://github.com/int128/kubelogin/releases/download"
-  version "{{ env "VERSION" }}"
-  
-  if OS.mac?
-    kernel = "darwin"
-    sha256 "{{ sha256 .darwin_amd64_archive }}"
-  elsif OS.linux?
-    kernel = "linux"
-    sha256 "{{ sha256 .linux_amd64_archive }}"
-  end 
-   
-  url baseurl + "/#{version}/kubelogin_#{kernel}_amd64.zip"
-    
-  def install
-    bin.install "kubelogin" => "kubelogin"
-    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
-  end
-  
-  test do
-    system "#{bin}/kubelogin -h"
-    system "#{bin}/kubectl-oidc_login -h"
-  end
-    
-end
--- a/dist/oidc-login.yaml
+++ b/dist/oidc-login.yaml
@@ -1,86 +0,0 @@
-apiVersion: krew.googlecontainertools.github.com/v1alpha2
-kind: Plugin
-metadata:
-  name: oidc-login
-spec:
-  homepage: https://github.com/int128/kubelogin
-  shortDescription: Log in to the OpenID Connect provider
-  description: |
-    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
-
-    ## Credential plugin mode
-    kubectl executes oidc-login before calling the Kubernetes APIs.
-    oidc-login automatically opens the browser and you can log in to the provider.
-    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
-    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
-
-    ## Standalone mode
-    Run `kubectl oidc-login`.
-    It automatically opens the browser and you can log in to the provider.
-    After authentication, it writes the token to the kubeconfig and you can access the cluster.
-    See https://github.com/int128/kubelogin#standalone-mode for more.
-
-  caveats: |
-    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
-  version: {{ env "VERSION" }}
-  platforms:
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
-      sha256: "{{ sha256 .linux_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip
-      sha256: "{{ sha256 .darwin_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: darwin
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_windows_amd64.zip
-      sha256: "{{ sha256 .windows_amd64_archive }}"
-      bin: kubelogin.exe
-      files:
-        - from: kubelogin.exe
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: windows
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
-      sha256: "{{ sha256 .linux_arm_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: arm
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
-      sha256: "{{ sha256 .linux_arm64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: arm64
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -129,6 +129,25 @@ You do not need to set `YOUR_CLIENT_SECRET`.
 If you need `groups` claim for access control,
 see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).

+### Ping Identity
+
+Login with an account that has permissions to create applications.
+Create an OIDC application with the following configuration:
+
+- Redirect URIs:
+    - `http://localhost:8000`
+    - `http://localhost:18000` (used if the port 8000 is already in use)
+- Grant type: Authorization Code
+- PKCE Enforcement: Required
+
+Leverage the following variables in the next steps.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://auth.pingone.com/<PingOne Tenant Id>/as`
+`YOUR_CLIENT_ID`        |  random string
+
+`YOUR_CLIENT_SECRET` is not required for this configuration.

 ## 2. Verify authentication

--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -1,9 +1,12 @@
 # Standalone mode

-You can run kubelogin as a standalone command.
-In this mode, you need to manually run the command before running kubectl.
+Kubelogin supports the standalone mode as well.
+It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.

-Configure the kubeconfig like:
+
+## Getting started
+
+Configure your kubeconfig like:

 ```yaml
 - name: keycloak
@@ -31,7 +34,7 @@ It automatically opens the browser and you can log in to the provider.

 After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.

-```
+```console
 % kubelogin
 Open http://localhost:8000 for authentication
 You got a valid token until 2019-05-18 10:28:51 +0900 JST
@@ -40,7 +43,7 @@ Updated ~/.kubeconfig

 Now you can access the cluster.

-```
+```console
 % kubectl get pods
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
@@ -64,7 +67,7 @@ users:

 If the ID token is valid, kubelogin does nothing.

-```
+```console
 % kubelogin
 You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 ```
@@ -75,8 +78,6 @@ If the refresh token has expired, kubelogin will proceed the authentication.

 ## Usage

-### Kubeconfig
-
 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
 It defaults to `~/.kube/config`.

@@ -104,26 +105,4 @@ Key | Direction | Value
 `id-token`                        | Write | ID token got from the provider.
 `refresh-token`                   | Write | Refresh token got from the provider.

-### Extra scopes
-
-You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
-```
-
-Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
-sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
-```
-
-### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```sh
-kubectl config set-credentials keycloak \
-  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
-```
+See also [usage.md](usage.md).
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -0,0 +1,252 @@
+# Usage
+
+Kubelogin supports the following options:
+
+```
+Usage:
+  kubelogin get-token [flags]
+
+Flags:
+      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
+      --oidc-client-id string                           Client ID of the provider (mandatory)
+      --oidc-client-secret string                       Client secret of the provider
+      --oidc-extra-scope strings                        Scopes to request to the provider
+      --oidc-use-pkce                                   Force PKCE usage
+      --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
+      --certificate-authority stringArray               Path to a cert file for the certificate authority
+      --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
+      --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
+      --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --skip-open-browser                               [authcode] Do not open the browser automatically
+      --browser-command string                          [authcode] Command to open the browser
+      --authentication-timeout-sec int                  [authcode] Timeout of authentication in seconds (default 180)
+      --local-server-cert string                        [authcode] Certificate path for the local server
+      --local-server-key string                         [authcode] Certificate key path for the local server
+      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
+      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
+      --username string                                 [password] Username for resource owner password credentials grant
+      --password string                                 [password] Password for resource owner password credentials grant
+  -h, --help                                            help for get-token
+
+Global Flags:
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
+      --alsologtostderr                  log to standard error as well as files
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory
+      --log_file string                  If non-empty, use this log file
+      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files
+      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+
+## Options
+
+### Authentication timeout
+
+By default, you need to log in to your provider in the browser within 3 minutes.
+This prevents a process from remaining forever.
+You can change the timeout by the following flag:
+
+```yaml
+      - --authentication-timeout-sec=60
+```
+
+For now this timeout works only for the authorization code flow.
+
+### Extra scopes
+
+You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
+
+```yaml
+      - --oidc-extra-scope=email
+      - --oidc-extra-scope=profile
+```
+
+### CA certificate
+
+You can use your self-signed certificate for the provider.
+
+```yaml
+      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
+      - --certificate-authority-data=LS0t...
+```
+
+### HTTP proxy
+
+You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
+See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
+
+### Home directory expansion
+
+If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
+
+- `--certificate-authority`
+- `--local-server-cert`
+- `--local-server-key`
+- `--token-cache-dir`
+
+
+## Authentication flows
+
+Kubelogin support the following flows:
+
+- Authorization code flow
+- Authorization code flow with a keyboard
+- Resource owner password credentials grant flow
+
+### Authorization code flow
+
+Kubelogin performs the authorization code flow by default.
+
+It starts the local server at port 8000 or 18000 by default.
+You need to register the following redirect URIs to the provider:
+
+- `http://localhost:8000`
+- `http://localhost:18000` (used if port 8000 is already in use)
+
+You can change the listening address.
+
+```yaml
+      - --listen-address=127.0.0.1:12345
+      - --listen-address=127.0.0.1:23456
+```
+
+You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
+
+```yaml
+      - --local-server-cert=localhost.crt
+      - --local-server-key=localhost.key
+```
+
+You can change the hostname of redirect URI from the default value `localhost`.
+
+```yaml
+      - --oidc-redirect-url-hostname=127.0.0.1
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
+```
+
+When authentication completed, kubelogin shows a message to close the browser.
+You can change the URL to show after authentication.
+
+```yaml
+      - --open-url-after-authentication=https://example.com/success.html
+```
+
+You can skip opening the browser if you encounter some environment problem.
+
+```yaml
+      - --skip-open-browser
+```
+
+For Linux users, you change the default browser by `BROWSER` environment variable.
+
+### Authorization code flow with a keyboard
+
+If you cannot access the browser, instead use the authorization code flow with a keyboard.
+
+```yaml
+      - --grant-type=authcode-keyboard
+```
+
+Kubelogin will show the URL and prompt.
+Open the URL in the browser and then copy the code shown.
+
+```
+% kubectl get pods
+Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
+Enter code: YOUR_CODE
+```
+
+Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and some OIDC providers do not support it.
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
+```
+
+### Resource owner password credentials grant flow
+
+Kubelogin performs the resource owner password credentials grant flow
+when `--grant-type=password` or `--username` is set.
+
+Note that most OIDC providers do not support this flow.
+Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+
+You can set the username and password.
+
+```yaml
+      - --username=USERNAME
+      - --password=PASSWORD
+```
+
+If the password is not set, kubelogin will show the prompt for the password.
+
+```yaml
+      - --username=USERNAME
+```
+
+```
+% kubectl get pods
+Password:
+```
+
+If the username is not set, kubelogin will show the prompt for the username and password.
+
+```yaml
+      - --grant-type=password
+```
+
+```
+% kubectl get pods
+Username: foo
+Password:
+```
+
+## Run in Docker
+
+You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
+The kubeconfig looks like:
+
+```yaml
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: docker
+      args:
+      - run
+      - --rm
+      - -v
+      - /tmp/.token-cache:/.token-cache
+      - -p
+      - 8000:8000
+      - ghcr.io/int128/kubelogin
+      - get-token
+      - --token-cache-dir=/.token-cache
+      - --listen-address=0.0.0.0:8000
+      - --oidc-issuer-url=ISSUER_URL
+      - --oidc-client-id=YOUR_CLIENT_ID
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Known limitations:
+
+- It cannot open the browser automatically.
+- The container port and listen port must be equal for consistency of the redirect URI.
--- a/go.mod
+++ b/go.mod
@@ -1,26 +1,25 @@
 module github.com/int128/kubelogin

-go 1.12
+go 1.16

 require (
-	github.com/chromedp/chromedp v0.5.3
-	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/golang/mock v1.4.4
-	github.com/google/go-cmp v0.5.1
-	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.12.1
-	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v1.0.0
+	github.com/alexflint/go-filemutex v1.2.0
+	github.com/chromedp/chromedp v0.8.5
+	github.com/coreos/go-oidc/v3 v3.2.0
+	github.com/golang-jwt/jwt/v4 v4.4.2
+	github.com/google/go-cmp v0.5.9
+	github.com/google/wire v0.5.0
+	github.com/int128/oauth2cli v1.14.0
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
+	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
-	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
-	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/apimachinery v0.18.6
-	k8s.io/client-go v0.18.6
-	k8s.io/klog v1.0.0
+	github.com/stretchr/testify v1.8.0
+	golang.org/x/net v0.0.0-20220909164309-bea034e7d591
+	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
+	golang.org/x/sync v0.0.0-20220907140024-f12130a52804
+	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/apimachinery v0.24.4
+	k8s.io/client-go v0.24.4
+	k8s.io/klog/v2 v2.70.1
 )
--- a/go.sum
+++ b/go.sum
--- a/integration_test/credetial_plugin_test.go
+++ b/integration_test/credetial_plugin_test.go
@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -14,8 +13,8 @@ import (
 	"github.com/int128/kubelogin/integration_test/httpdriver"
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
-	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -30,17 +29,9 @@ import (
 // 4. Verify the output.
 //
 func TestCredentialPlugin(t *testing.T) {
-	timeout := 3 * time.Second
+	timeout := 10 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
-	tokenCacheDir, err := ioutil.TempDir("", "kube")
-	if err != nil {
-		t.Fatalf("could not create a cache dir: %s", err)
-	}
-	defer func() {
-		if err := os.RemoveAll(tokenCacheDir); err != nil {
-			t.Errorf("could not clean up the cache dir: %s", err)
-		}
-	}()
+	tokenCacheDir := t.TempDir()

 	for name, tc := range map[string]struct {
 		keyPair keypair.KeyPair
@@ -71,7 +62,6 @@ func TestCredentialPlugin(t *testing.T) {
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
@@ -99,7 +89,6 @@ func TestCredentialPlugin(t *testing.T) {
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
@@ -120,7 +109,6 @@ func TestCredentialPlugin(t *testing.T) {
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
 				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
-				defer sv.Shutdown(t, ctx)

 				t.Run("NoCache", func(t *testing.T) {
 					sv.SetConfig(oidcserver.Config{
@@ -221,7 +209,6 @@ func TestCredentialPlugin(t *testing.T) {
 				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
@@ -246,7 +233,6 @@ func TestCredentialPlugin(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
@@ -272,7 +258,6 @@ func TestCredentialPlugin(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
@@ -301,7 +286,6 @@ func TestCredentialPlugin(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
@@ -327,7 +311,6 @@ func TestCredentialPlugin(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
@@ -340,6 +323,37 @@ func TestCredentialPlugin(t *testing.T) {
 		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

+	t.Run("RedirectURLHTTPS", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "https://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{
+				TLSConfig:    keypair.Server.TLSConfig,
+				BodyContains: "Authenticated",
+			}),
+			now:    now,
+			stdout: &stdout,
+			args: []string{
+				"--local-server-cert", keypair.Server.CertPath,
+				"--local-server-key", keypair.Server.KeyPath,
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
 	t.Run("ExtraParams", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
@@ -357,7 +371,6 @@ func TestCredentialPlugin(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
--- a/integration_test/httpdriver/http_driver.go
+++ b/integration_test/httpdriver/http_driver.go
@@ -60,6 +60,10 @@ func (c *client) Open(url string) error {
 	return nil
 }

+func (c *client) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
+
 type zeroClient struct {
 	t *testing.T
 }
@@ -68,3 +72,7 @@ func (c *zeroClient) Open(url string) error {
 	c.t.Errorf("unexpected function call Open(%s)", url)
 	return nil
 }
+
+func (c *zeroClient) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
--- a/integration_test/kubeconfig/kubeconfig.go
+++ b/integration_test/kubeconfig/kubeconfig.go
@@ -2,8 +2,8 @@ package kubeconfig

 import (
 	"html/template"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"

 	"gopkg.in/yaml.v2"
@@ -22,7 +22,8 @@ type Values struct {
 // Create creates a kubeconfig file and returns path to it.
 func Create(t *testing.T, v *Values) string {
 	t.Helper()
-	f, err := ioutil.TempFile("", "kubeconfig")
+	name := filepath.Join(t.TempDir(), "kubeconfig")
+	f, err := os.Create(name)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -34,7 +35,7 @@ func Create(t *testing.T, v *Values) string {
 	if err := tpl.Execute(f, v); err != nil {
 		t.Fatal(err)
 	}
-	return f.Name()
+	return name
 }

 type AuthProviderConfig struct {
--- a/integration_test/oidcserver/handler/handler.go
+++ b/integration_test/oidcserver/handler/handler.go
@@ -3,11 +3,10 @@ package handler

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
-
-	"golang.org/x/xerrors"
 )

 func New(t *testing.T, provider Provider) *Handler {
@@ -29,7 +28,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
 		return
 	}
-	if errResp := new(ErrorResponse); xerrors.As(err, &errResp) {
+	if errResp := new(ErrorResponse); errors.As(err, &errResp) {
 		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(400)
@@ -62,14 +61,14 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
+			return fmt.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/certs":
 		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
+			return fmt.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/auth":
 		q := r.URL.Query()
@@ -84,13 +83,13 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			RawQuery:            q,
 		})
 		if err != nil {
-			return xerrors.Errorf("authentication error: %w", err)
+			return fmt.Errorf("authentication error: %w", err)
 		}
 		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
 		http.Redirect(w, r, to, 302)
 	case m == "POST" && p == "/token":
 		if err := r.ParseForm(); err != nil {
-			return xerrors.Errorf("could not parse the form: %w", err)
+			return fmt.Errorf("could not parse the form: %w", err)
 		}
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
@@ -100,12 +99,12 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 				CodeVerifier: r.Form.Get("code_verifier"),
 			})
 			if err != nil {
-				return xerrors.Errorf("token request error: %w", err)
+				return fmt.Errorf("token request error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		case "password":
 			// 4.3. Resource Owner Password Credentials Grant
@@ -113,12 +112,12 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
 			tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
 			if err != nil {
-				return xerrors.Errorf("authentication error: %w", err)
+				return fmt.Errorf("authentication error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		case "refresh_token":
 			// 12.1. Refresh Request
@@ -126,12 +125,12 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 			refreshToken := r.Form.Get("refresh_token")
 			tokenResponse, err := h.provider.Refresh(refreshToken)
 			if err != nil {
-				return xerrors.Errorf("token refresh error: %w", err)
+				return fmt.Errorf("token refresh error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		default:
 			// 5.2. Error Response
--- a/integration_test/oidcserver/http/http.go
+++ b/integration_test/oidcserver/http/http.go
@@ -10,28 +10,14 @@ import (
 	"github.com/int128/kubelogin/integration_test/keypair"
 )

-type Shutdowner interface {
-	Shutdown(t *testing.T, ctx context.Context)
-}
-
-type shutdowner struct {
-	s *http.Server
-}
-
-func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
-	if err := s.s.Shutdown(ctx); err != nil {
-		t.Errorf("could not shutdown the server: %s", err)
-	}
-}
-
-func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
+func Start(t *testing.T, h http.Handler, k keypair.KeyPair) string {
 	if k == keypair.None {
 		return startNoTLS(t, h)
 	}
 	return startTLS(t, h, k)
 }

-func startNoTLS(t *testing.T, h http.Handler) (string, *shutdowner) {
+func startNoTLS(t *testing.T, h http.Handler) string {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "http://localhost:" + port
@@ -44,10 +30,15 @@ func startNoTLS(t *testing.T, h http.Handler) (string, *shutdowner) {
 			t.Error(err)
 		}
 	}()
-	return url, &shutdowner{s}
+	t.Cleanup(func() {
+		if err := s.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return url
 }

-func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, *shutdowner) {
+func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) string {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "https://localhost:" + port
@@ -60,7 +51,12 @@ func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, *shutdow
 			t.Error(err)
 		}
 	}()
-	return url, &shutdowner{s}
+	t.Cleanup(func() {
+		if err := s.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return url
 }

 func newLocalhostListener(t *testing.T) (net.Listener, string) {
--- a/integration_test/oidcserver/server.go
+++ b/integration_test/oidcserver/server.go
@@ -4,6 +4,7 @@ package oidcserver
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"fmt"
 	"math/big"
 	"strings"
 	"testing"
@@ -13,11 +14,9 @@ import (
 	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
 	"github.com/int128/kubelogin/integration_test/oidcserver/http"
 	"github.com/int128/kubelogin/pkg/testing/jwt"
-	"golang.org/x/xerrors"
 )

 type Server interface {
-	http.Shutdowner
 	IssuerURL() string
 	SetConfig(Config)
 	LastTokenResponse() *handler.TokenResponse
@@ -51,13 +50,12 @@ type Config struct {
 // New starts a HTTP server for the OpenID Connect provider.
 func New(t *testing.T, k keypair.KeyPair, c Config) Server {
 	sv := server{Config: c, t: t}
-	sv.issuerURL, sv.Shutdowner = http.Start(t, handler.New(t, &sv), k)
+	sv.issuerURL = http.Start(t, handler.New(t, &sv), k)
 	return &sv
 }

 type server struct {
 	Config
-	http.Shutdowner
 	t                         *testing.T
 	issuerURL                 string
 	lastAuthenticationRequest *handler.AuthenticationRequest
@@ -133,7 +131,7 @@ func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code stri

 func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
 	if req.Code != "YOUR_AUTH_CODE" {
-		return nil, xerrors.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
 	}
 	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
 		// https://tools.ietf.org/html/rfc7636#section-4.6
--- a/integration_test/standalone_test.go
+++ b/integration_test/standalone_test.go
@@ -10,8 +10,8 @@ import (
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/kubeconfig"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
-	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 )
@@ -55,12 +55,10 @@ func TestStandalone(t *testing.T) {
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
-				defer os.Remove(kubeConfigFilename)
 				runStandalone(t, ctx, standaloneConfig{
 					issuerURL:          sv.IssuerURL(),
 					kubeConfigFilename: kubeConfigFilename,
@@ -88,12 +86,10 @@ func TestStandalone(t *testing.T) {
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
-				defer sv.Shutdown(t, ctx)
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
-				defer os.Remove(kubeConfigFilename)
 				runStandalone(t, ctx, standaloneConfig{
 					issuerURL:          sv.IssuerURL(),
 					kubeConfigFilename: kubeConfigFilename,
@@ -115,12 +111,10 @@ func TestStandalone(t *testing.T) {
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
 				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
-				defer sv.Shutdown(t, ctx)
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
-				defer os.Remove(kubeConfigFilename)

 				t.Run("NoToken", func(t *testing.T) {
 					sv.SetConfig(oidcserver.Config{
@@ -219,12 +213,10 @@ func TestStandalone(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:                      sv.IssuerURL(),
 			IDPCertificateAuthorityData: keypair.Server.CACertBase64,
 		})
-		defer os.Remove(kubeConfigFilename)
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
@@ -249,13 +241,10 @@ func TestStandalone(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer: sv.IssuerURL(),
 		})
-		defer os.Remove(kubeConfigFilename)
-		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
-		defer unsetenv(t, "KUBECONFIG")
+		t.Setenv("KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:  sv.IssuerURL(),
 			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{}),
@@ -280,12 +269,10 @@ func TestStandalone(t *testing.T) {
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
-		defer sv.Shutdown(t, ctx)
 		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 			Issuer:      sv.IssuerURL(),
 			ExtraScopes: "profile,groups",
 		})
-		defer os.Remove(kubeConfigFilename)
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
@@ -318,17 +305,3 @@ func runStandalone(t *testing.T, ctx context.Context, cfg standaloneConfig) {
 		t.Errorf("exit status wants 0 but %d", exitCode)
 	}
 }
-
-func setenv(t *testing.T, key, value string) {
-	t.Helper()
-	if err := os.Setenv(key, value); err != nil {
-		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
-	}
-}
-
-func unsetenv(t *testing.T, key string) {
-	t.Helper()
-	if err := os.Unsetenv(key); err != nil {
-		t.Fatalf("Could not unset the env var %s: %s", key, err)
-	}
-}
--- a/pkg/adaptors/browser/mock_browser/mock_browser.go
+++ b/pkg/adaptors/browser/mock_browser/mock_browser.go
@@ -1,47 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/browser (interfaces: Interface)
-
-// Package mock_browser is a generated GoMock package.
-package mock_browser
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// Open mocks base method.
-func (m *MockInterface) Open(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Open", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Open indicates an expected call of Open.
-func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
-}
--- a/pkg/adaptors/certpool/cert.go
+++ b/pkg/adaptors/certpool/cert.go
@@ -1,71 +0,0 @@
-// Package certpool provides loading certificates from files or base64 encoded string.
-package certpool
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"io/ioutil"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool Interface
-
-// Set provides an implementation and interface.
-var Set = wire.NewSet(
-	wire.Value(NewFunc(New)),
-	wire.Struct(new(CertPool), "*"),
-	wire.Bind(new(Interface), new(*CertPool)),
-)
-
-type NewFunc func() Interface
-
-// New returns an instance which implements the Interface.
-func New() Interface {
-	return &CertPool{pool: x509.NewCertPool()}
-}
-
-type Interface interface {
-	AddFile(filename string) error
-	AddBase64Encoded(s string) error
-	SetRootCAs(cfg *tls.Config)
-}
-
-// CertPool represents a pool of certificates.
-type CertPool struct {
-	pool *x509.CertPool
-}
-
-// SetRootCAs sets cfg.RootCAs if it has any certificate.
-// Otherwise do nothing.
-func (p *CertPool) SetRootCAs(cfg *tls.Config) {
-	if len(p.pool.Subjects()) > 0 {
-		cfg.RootCAs = p.pool
-	}
-}
-
-// AddFile loads the certificate from the file.
-func (p *CertPool) AddFile(filename string) error {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return xerrors.Errorf("could not read %s: %w", filename, err)
-	}
-	if !p.pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate from %s", filename)
-	}
-	return nil
-}
-
-// AddBase64Encoded loads the certificate from the base64 encoded string.
-func (p *CertPool) AddBase64Encoded(s string) error {
-	b, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return xerrors.Errorf("could not decode base64: %w", err)
-	}
-	if !p.pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate")
-	}
-	return nil
-}
--- a/pkg/adaptors/certpool/cert_test.go
+++ b/pkg/adaptors/certpool/cert_test.go
@@ -1,58 +0,0 @@
-package certpool
-
-import (
-	"crypto/tls"
-	"io/ioutil"
-	"testing"
-)
-
-func TestCertPool_AddFile(t *testing.T) {
-	t.Run("Valid", func(t *testing.T) {
-		p := New()
-		if err := p.AddFile("testdata/ca1.crt"); err != nil {
-			t.Errorf("AddFile error: %s", err)
-		}
-		var cfg tls.Config
-		p.SetRootCAs(&cfg)
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
-		}
-	})
-	t.Run("Invalid", func(t *testing.T) {
-		p := New()
-		err := p.AddFile("testdata/Makefile")
-		if err == nil {
-			t.Errorf("AddFile wants an error but was nil")
-		}
-	})
-}
-
-func TestCertPool_AddBase64Encoded(t *testing.T) {
-	p := New()
-	if err := p.AddBase64Encoded(readFile(t, "testdata/ca2.crt.base64")); err != nil {
-		t.Errorf("AddBase64Encoded error: %s", err)
-	}
-	var cfg tls.Config
-	p.SetRootCAs(&cfg)
-	if n := len(cfg.RootCAs.Subjects()); n != 1 {
-		t.Errorf("n wants 1 but was %d", n)
-	}
-}
-
-func TestCertPool_SetRootCAs(t *testing.T) {
-	p := New()
-	var cfg tls.Config
-	p.SetRootCAs(&cfg)
-	if cfg.RootCAs != nil {
-		t.Errorf("cfg.RootCAs wants nil but was %+v", cfg.RootCAs)
-	}
-}
-
-func readFile(t *testing.T, filename string) string {
-	t.Helper()
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		t.Fatalf("ReadFile error: %s", err)
-	}
-	return string(b)
-}
--- a/pkg/adaptors/certpool/mock_certpool/mock_certpool.go
+++ b/pkg/adaptors/certpool/mock_certpool/mock_certpool.go
@@ -1,74 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: Interface)
-
-// Package mock_certpool is a generated GoMock package.
-package mock_certpool
-
-import (
-	tls "crypto/tls"
-	gomock "github.com/golang/mock/gomock"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// AddBase64Encoded mocks base method.
-func (m *MockInterface) AddBase64Encoded(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddBase64Encoded", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// AddBase64Encoded indicates an expected call of AddBase64Encoded.
-func (mr *MockInterfaceMockRecorder) AddBase64Encoded(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddBase64Encoded", reflect.TypeOf((*MockInterface)(nil).AddBase64Encoded), arg0)
-}
-
-// AddFile mocks base method.
-func (m *MockInterface) AddFile(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddFile", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// AddFile indicates an expected call of AddFile.
-func (mr *MockInterfaceMockRecorder) AddFile(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFile", reflect.TypeOf((*MockInterface)(nil).AddFile), arg0)
-}
-
-// SetRootCAs mocks base method.
-func (m *MockInterface) SetRootCAs(arg0 *tls.Config) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetRootCAs", arg0)
-}
-
-// SetRootCAs indicates an expected call of SetRootCAs.
-func (mr *MockInterfaceMockRecorder) SetRootCAs(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRootCAs", reflect.TypeOf((*MockInterface)(nil).SetRootCAs), arg0)
-}
--- a/pkg/adaptors/cmd/cmd_test.go
+++ b/pkg/adaptors/cmd/cmd_test.go
@@ -1,382 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/testing/logger"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
-	"github.com/int128/kubelogin/pkg/usecases/standalone"
-	"github.com/int128/kubelogin/pkg/usecases/standalone/mock_standalone"
-)
-
-func TestCmd_Run(t *testing.T) {
-	const executable = "kubelogin"
-	const version = "HEAD"
-
-	t.Run("root", func(t *testing.T) {
-		tests := map[string]struct {
-			args []string
-			in   standalone.Input
-		}{
-			"Defaults": {
-				args: []string{executable},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         defaultListenAddress,
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"when --listen-port is set, it should convert the port to address": {
-				args: []string{
-					executable,
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"when --listen-port is set, it should ignore --listen-address flags": {
-				args: []string{
-					executable,
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--listen-address", "127.0.0.1:30080",
-					"--listen-address", "127.0.0.1:40080",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"FullOptions": {
-				args: []string{executable,
-					"--kubeconfig", "/path/to/kubeconfig",
-					"--context", "hello.k8s.local",
-					"--user", "google",
-					"--certificate-authority", "/path/to/cacert",
-					"--certificate-authority-data", "BASE64ENCODED",
-					"--insecure-skip-tls-verify",
-					"-v1",
-					"--grant-type", "authcode",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--skip-open-browser",
-					"--open-url-after-authentication", "https://example.com/success.html",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					KubeconfigFilename: "/path/to/kubeconfig",
-					KubeconfigContext:  "hello.k8s.local",
-					KubeconfigUser:     "google",
-					CACertFilename:     "/path/to/cacert",
-					CACertData:         "BASE64ENCODED",
-					SkipTLSVerify:      true,
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:            true,
-							OpenURLAfterAuthentication: "https://example.com/success.html",
-							RedirectURLHostname:        "localhost",
-						},
-					},
-				},
-			},
-			"GrantType=authcode-keyboard": {
-				args: []string{executable,
-					"--grant-type", "authcode-keyboard",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authcode.KeyboardOption{},
-					},
-				},
-			},
-			"GrantType=password": {
-				args: []string{executable,
-					"--grant-type", "password",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-			"GrantType=auto": {
-				args: []string{executable,
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-		}
-		for name, c := range tests {
-			t.Run(name, func(t *testing.T) {
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				ctx := context.TODO()
-				mockStandalone := mock_standalone.NewMockInterface(ctrl)
-				mockStandalone.EXPECT().
-					Do(ctx, c.in)
-				cmd := Cmd{
-					Root: &Root{
-						Standalone: mockStandalone,
-						Logger:     logger.New(t),
-					},
-					Logger: logger.New(t),
-				}
-				exitCode := cmd.Run(ctx, c.args, version)
-				if exitCode != 0 {
-					t.Errorf("exitCode wants 0 but %d", exitCode)
-				}
-			})
-		}
-
-		t.Run("TooManyArgs", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			cmd := Cmd{
-				Root: &Root{
-					Standalone: mock_standalone.NewMockInterface(ctrl),
-					Logger:     logger.New(t),
-				},
-				Logger: logger.New(t),
-			}
-			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-	})
-
-	t.Run("get-token", func(t *testing.T) {
-		tests := map[string]struct {
-			args []string
-			in   credentialplugin.Input
-		}{
-			"Defaults": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
-							RedirectURLHostname: "localhost",
-						},
-					},
-				},
-			},
-			"FullOptions": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
-					"--oidc-extra-scope", "email",
-					"--oidc-extra-scope", "profile",
-					"--certificate-authority", "/path/to/cacert",
-					"--certificate-authority-data", "BASE64ENCODED",
-					"--insecure-skip-tls-verify",
-					"-v1",
-					"--grant-type", "authcode",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--skip-open-browser",
-					"--open-url-after-authentication", "https://example.com/success.html",
-					"--oidc-auth-request-extra-params", "ttl=86400",
-					"--oidc-auth-request-extra-params", "reauth=true",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir:  defaultTokenCacheDir,
-					IssuerURL:      "https://issuer.example.com",
-					ClientID:       "YOUR_CLIENT_ID",
-					ClientSecret:   "YOUR_CLIENT_SECRET",
-					ExtraScopes:    []string{"email", "profile"},
-					CACertFilename: "/path/to/cacert",
-					CACertData:     "BASE64ENCODED",
-					SkipTLSVerify:  true,
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:            true,
-							OpenURLAfterAuthentication: "https://example.com/success.html",
-							RedirectURLHostname:        "localhost",
-							AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
-						},
-					},
-				},
-			},
-			"GrantType=authcode-keyboard": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--grant-type", "authcode-keyboard",
-					"--oidc-auth-request-extra-params", "ttl=86400",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authcode.KeyboardOption{
-							AuthRequestExtraParams: map[string]string{"ttl": "86400"},
-						},
-					},
-				},
-			},
-			"GrantType=password": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--grant-type", "password",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-			"GrantType=auto": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--listen-address", "127.0.0.1:10080",
-					"--listen-address", "127.0.0.1:20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-		}
-		for name, c := range tests {
-			t.Run(name, func(t *testing.T) {
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				ctx := context.TODO()
-				getToken := mock_credentialplugin.NewMockInterface(ctrl)
-				getToken.EXPECT().
-					Do(ctx, c.in)
-				cmd := Cmd{
-					Root: &Root{
-						Logger: logger.New(t),
-					},
-					GetToken: &GetToken{
-						GetToken: getToken,
-						Logger:   logger.New(t),
-					},
-					Logger: logger.New(t),
-				}
-				exitCode := cmd.Run(ctx, c.args, version)
-				if exitCode != 0 {
-					t.Errorf("exitCode wants 0 but %d", exitCode)
-				}
-			})
-		}
-
-		t.Run("MissingMandatoryOptions", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			ctx := context.TODO()
-			cmd := Cmd{
-				Root: &Root{
-					Logger: logger.New(t),
-				},
-				GetToken: &GetToken{
-					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   logger.New(t),
-				},
-				Logger: logger.New(t),
-			}
-			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-
-		t.Run("TooManyArgs", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			ctx := context.TODO()
-			cmd := Cmd{
-				Root: &Root{
-					Logger: logger.New(t),
-				},
-				GetToken: &GetToken{
-					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   logger.New(t),
-				},
-				Logger: logger.New(t),
-			}
-			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-	})
-}
--- a/pkg/adaptors/cmd/tls.go
+++ b/pkg/adaptors/cmd/tls.go
@@ -1,15 +0,0 @@
-package cmd
-
-import "github.com/spf13/pflag"
-
-type tlsOptions struct {
-	CACertFilename string
-	CACertData     string
-	SkipTLSVerify  bool
-}
-
-func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
-	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded cert for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-}
--- a/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go
+++ b/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go
@@ -1,48 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter (interfaces: Interface)
-
-// Package mock_credentialpluginwriter is a generated GoMock package.
-package mock_credentialpluginwriter
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	credentialpluginwriter "github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// Write mocks base method.
-func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Write", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Write indicates an expected call of Write.
-func (mr *MockInterfaceMockRecorder) Write(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockInterface)(nil).Write), arg0)
-}
--- a/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
@@ -1,63 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/kubeconfig (interfaces: Interface)
-
-// Package mock_kubeconfig is a generated GoMock package.
-package mock_kubeconfig
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	kubeconfig "github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// GetCurrentAuthProvider mocks base method.
-func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*kubeconfig.AuthProvider)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider.
-func (mr *MockInterfaceMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockInterface)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
-}
-
-// UpdateAuthProvider mocks base method.
-func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateAuthProvider indicates an expected call of UpdateAuthProvider.
-func (mr *MockInterfaceMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockInterface)(nil).UpdateAuthProvider), arg0)
-}
--- a/pkg/adaptors/oidcclient/factory.go
+++ b/pkg/adaptors/oidcclient/factory.go
@@ -1,93 +0,0 @@
-// Package oidcclient provides a client of OpenID Connect.
-package oidcclient
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"net/http"
-
-	"github.com/coreos/go-oidc"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/clock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/logging"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
-)
-
-type FactoryInterface interface {
-	New(ctx context.Context, config Config) (Interface, error)
-}
-
-// Config represents a configuration of OpenID Connect client.
-type Config struct {
-	IssuerURL     string
-	ClientID      string
-	ClientSecret  string
-	ExtraScopes   []string // optional
-	CertPool      certpool.Interface
-	SkipTLSVerify bool
-}
-
-type Factory struct {
-	Clock  clock.Interface
-	Logger logger.Interface
-}
-
-// New returns an instance of adaptors.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
-	var tlsConfig tls.Config
-	tlsConfig.InsecureSkipVerify = config.SkipTLSVerify
-	config.CertPool.SetRootCAs(&tlsConfig)
-	baseTransport := &http.Transport{
-		TLSClientConfig: &tlsConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
-	httpClient := &http.Client{
-		Transport: loggingTransport,
-	}
-
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := oidc.NewProvider(ctx, config.IssuerURL)
-	if err != nil {
-		return nil, xerrors.Errorf("oidc discovery error: %w", err)
-	}
-	supportedPKCEMethods, err := extractSupportedPKCEMethods(provider)
-	if err != nil {
-		return nil, xerrors.Errorf("could not determine supported PKCE methods: %w", err)
-	}
-	return &client{
-		httpClient: httpClient,
-		provider:   provider,
-		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     config.ClientID,
-			ClientSecret: config.ClientSecret,
-			Scopes:       append(config.ExtraScopes, oidc.ScopeOpenID),
-		},
-		clock:                f.Clock,
-		logger:               f.Logger,
-		supportedPKCEMethods: supportedPKCEMethods,
-	}, nil
-}
-
-func extractSupportedPKCEMethods(provider *oidc.Provider) ([]string, error) {
-	var d struct {
-		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
-	}
-	if err := provider.Claims(&d); err != nil {
-		return nil, fmt.Errorf("invalid discovery document: %w", err)
-	}
-	return d.CodeChallengeMethodsSupported, nil
-}
--- a/pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go
+++ b/pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go
@@ -1,124 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/oidcclient (interfaces: Interface)
-
-// Package mock_oidcclient is a generated GoMock package.
-package mock_oidcclient
-
-import (
-	context "context"
-	gomock "github.com/golang/mock/gomock"
-	oidcclient "github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// ExchangeAuthCode mocks base method.
-func (m *MockInterface) ExchangeAuthCode(arg0 context.Context, arg1 oidcclient.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ExchangeAuthCode", arg0, arg1)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ExchangeAuthCode indicates an expected call of ExchangeAuthCode.
-func (mr *MockInterfaceMockRecorder) ExchangeAuthCode(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExchangeAuthCode", reflect.TypeOf((*MockInterface)(nil).ExchangeAuthCode), arg0, arg1)
-}
-
-// GetAuthCodeURL mocks base method.
-func (m *MockInterface) GetAuthCodeURL(arg0 oidcclient.AuthCodeURLInput) string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAuthCodeURL", arg0)
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// GetAuthCodeURL indicates an expected call of GetAuthCodeURL.
-func (mr *MockInterfaceMockRecorder) GetAuthCodeURL(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAuthCodeURL", reflect.TypeOf((*MockInterface)(nil).GetAuthCodeURL), arg0)
-}
-
-// GetTokenByAuthCode mocks base method.
-func (m *MockInterface) GetTokenByAuthCode(arg0 context.Context, arg1 oidcclient.GetTokenByAuthCodeInput, arg2 chan<- string) (*oidc.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetTokenByAuthCode", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetTokenByAuthCode indicates an expected call of GetTokenByAuthCode.
-func (mr *MockInterfaceMockRecorder) GetTokenByAuthCode(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenByAuthCode", reflect.TypeOf((*MockInterface)(nil).GetTokenByAuthCode), arg0, arg1, arg2)
-}
-
-// GetTokenByROPC mocks base method.
-func (m *MockInterface) GetTokenByROPC(arg0 context.Context, arg1, arg2 string) (*oidc.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetTokenByROPC", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetTokenByROPC indicates an expected call of GetTokenByROPC.
-func (mr *MockInterfaceMockRecorder) GetTokenByROPC(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenByROPC", reflect.TypeOf((*MockInterface)(nil).GetTokenByROPC), arg0, arg1, arg2)
-}
-
-// Refresh mocks base method.
-func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidc.TokenSet, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
-	ret0, _ := ret[0].(*oidc.TokenSet)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh.
-func (mr *MockInterfaceMockRecorder) Refresh(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockInterface)(nil).Refresh), arg0, arg1)
-}
-
-// SupportedPKCEMethods mocks base method.
-func (m *MockInterface) SupportedPKCEMethods() []string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SupportedPKCEMethods")
-	ret0, _ := ret[0].([]string)
-	return ret0
-}
-
-// SupportedPKCEMethods indicates an expected call of SupportedPKCEMethods.
-func (mr *MockInterfaceMockRecorder) SupportedPKCEMethods() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SupportedPKCEMethods", reflect.TypeOf((*MockInterface)(nil).SupportedPKCEMethods))
-}
--- a/pkg/adaptors/reader/mock_reader/mock_reader.go
+++ b/pkg/adaptors/reader/mock_reader/mock_reader.go
@@ -1,63 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/reader (interfaces: Interface)
-
-// Package mock_reader is a generated GoMock package.
-package mock_reader
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// ReadPassword mocks base method.
-func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReadPassword", arg0)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadPassword indicates an expected call of ReadPassword.
-func (mr *MockInterfaceMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockInterface)(nil).ReadPassword), arg0)
-}
-
-// ReadString mocks base method.
-func (m *MockInterface) ReadString(arg0 string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReadString", arg0)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReadString indicates an expected call of ReadString.
-func (mr *MockInterfaceMockRecorder) ReadString(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadString", reflect.TypeOf((*MockInterface)(nil).ReadString), arg0)
-}
--- a/pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go
+++ b/pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go
@@ -1,63 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/tokencache (interfaces: Interface)
-
-// Package mock_tokencache is a generated GoMock package.
-package mock_tokencache
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	tokencache "github.com/int128/kubelogin/pkg/adaptors/tokencache"
-	reflect "reflect"
-)
-
-// MockInterface is a mock of Interface interface.
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance.
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// FindByKey mocks base method.
-func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache.Value, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FindByKey", arg0, arg1)
-	ret0, _ := ret[0].(*tokencache.Value)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// FindByKey indicates an expected call of FindByKey.
-func (mr *MockInterfaceMockRecorder) FindByKey(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindByKey", reflect.TypeOf((*MockInterface)(nil).FindByKey), arg0, arg1)
-}
-
-// Save mocks base method.
-func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.Value) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Save", arg0, arg1, arg2)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Save indicates an expected call of Save.
-func (mr *MockInterfaceMockRecorder) Save(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Save", reflect.TypeOf((*MockInterface)(nil).Save), arg0, arg1, arg2)
-}
--- a/pkg/adaptors/tokencache/tokencache.go
+++ b/pkg/adaptors/tokencache/tokencache.go
@@ -1,97 +0,0 @@
-package tokencache
-
-import (
-	"crypto/sha256"
-	"encoding/gob"
-	"encoding/hex"
-	"encoding/json"
-	"os"
-	"path/filepath"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_tokencache/mock_tokencache.go github.com/int128/kubelogin/pkg/adaptors/tokencache Interface
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Repository), "*"),
-	wire.Bind(new(Interface), new(*Repository)),
-)
-
-type Interface interface {
-	FindByKey(dir string, key Key) (*Value, error)
-	Save(dir string, key Key, value Value) error
-}
-
-// Key represents a key of a token cache.
-type Key struct {
-	IssuerURL      string
-	ClientID       string
-	ClientSecret   string
-	ExtraScopes    []string
-	CACertFilename string
-	CACertData     string
-	SkipTLSVerify  bool
-}
-
-// Value represents a value of a token cache.
-type Value struct {
-	IDToken      string `json:"id_token,omitempty"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-}
-
-// Repository provides access to the token cache on the local filesystem.
-// Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
-type Repository struct{}
-
-func (r *Repository) FindByKey(dir string, key Key) (*Value, error) {
-	filename, err := computeFilename(key)
-	if err != nil {
-		return nil, xerrors.Errorf("could not compute the key: %w", err)
-	}
-	p := filepath.Join(dir, filename)
-	f, err := os.Open(p)
-	if err != nil {
-		return nil, xerrors.Errorf("could not open file %s: %w", p, err)
-	}
-	defer f.Close()
-	d := json.NewDecoder(f)
-	var c Value
-	if err := d.Decode(&c); err != nil {
-		return nil, xerrors.Errorf("invalid json file %s: %w", p, err)
-	}
-	return &c, nil
-}
-
-func (r *Repository) Save(dir string, key Key, value Value) error {
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return xerrors.Errorf("could not create directory %s: %w", dir, err)
-	}
-	filename, err := computeFilename(key)
-	if err != nil {
-		return xerrors.Errorf("could not compute the key: %w", err)
-	}
-	p := filepath.Join(dir, filename)
-	f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return xerrors.Errorf("could not create file %s: %w", p, err)
-	}
-	defer f.Close()
-	e := json.NewEncoder(f)
-	if err := e.Encode(&value); err != nil {
-		return xerrors.Errorf("json encode error: %w", err)
-	}
-	return nil
-}
-
-func computeFilename(key Key) (string, error) {
-	s := sha256.New()
-	e := gob.NewEncoder(s)
-	if err := e.Encode(&key); err != nil {
-		return "", xerrors.Errorf("could not encode the key: %w", err)
-	}
-	h := hex.EncodeToString(s.Sum(nil))
-	return h, nil
-}
--- a/pkg/adaptors/cmd/authentication.go
+++ b/pkg/adaptors/cmd/authentication.go
@@ -3,19 +3,23 @@ package cmd
 import (
 	"fmt"
 	"strings"
+	"time"

 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )

 type authenticationOptions struct {
 	GrantType                  string
 	ListenAddress              []string
 	ListenPort                 []int // deprecated
+	AuthenticationTimeoutSec   int
 	SkipOpenBrowser            bool
+	BrowserCommand             string
+	LocalServerCertFile        string
+	LocalServerKeyFile         string
 	OpenURLAfterAuthentication string
 	RedirectURLHostname        string
 	AuthRequestExtraParams     map[string]string
@@ -54,6 +58,10 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 		panic(err)
 	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
+	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
+	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
+	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
 	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
 	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
@@ -61,12 +69,21 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
 }

+func (o *authenticationOptions) expandHomedir() {
+	o.LocalServerCertFile = expandHomedir(o.LocalServerCertFile)
+	o.LocalServerKeyFile = expandHomedir(o.LocalServerKeyFile)
+}
+
 func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
 			BindAddress:                o.determineListenAddress(),
 			SkipOpenBrowser:            o.SkipOpenBrowser,
+			BrowserCommand:             o.BrowserCommand,
+			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
+			LocalServerCertFile:        o.LocalServerCertFile,
+			LocalServerKeyFile:         o.LocalServerKeyFile,
 			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
 			RedirectURLHostname:        o.RedirectURLHostname,
 			AuthRequestExtraParams:     o.AuthRequestExtraParams,
@@ -81,7 +98,7 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 			Password: o.Password,
 		}
 	default:
-		err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
+		err = fmt.Errorf("grant-type must be one of (%s)", allGrantType)
 	}
 	return
 }
--- a/pkg/cmd/authentication_test.go
+++ b/pkg/cmd/authentication_test.go
@@ -0,0 +1,143 @@
+package cmd
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/spf13/pflag"
+)
+
+func Test_authenticationOptions_grantOptionSet(t *testing.T) {
+	tests := map[string]struct {
+		args []string
+		want authentication.GrantOptionSet
+	}{
+		"NoFlag": {
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           defaultListenAddress,
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"FullOptions": {
+			args: []string{
+				"--grant-type", "authcode",
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--skip-open-browser",
+				"--browser-command", "firefox",
+				"--authentication-timeout-sec", "10",
+				"--local-server-cert", "/path/to/local-server-cert",
+				"--local-server-key", "/path/to/local-server-key",
+				"--open-url-after-authentication", "https://example.com/success.html",
+				"--oidc-redirect-url-hostname", "example",
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=true",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					SkipOpenBrowser:            true,
+					BrowserCommand:             "firefox",
+					AuthenticationTimeout:      10 * time.Second,
+					LocalServerCertFile:        "/path/to/local-server-cert",
+					LocalServerKeyFile:         "/path/to/local-server-key",
+					OpenURLAfterAuthentication: "https://example.com/success.html",
+					RedirectURLHostname:        "example",
+					AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
+				},
+			},
+		},
+		"when --listen-port is set, it should convert the port to address": {
+			args: []string{
+				"--listen-port", "10080",
+				"--listen-port", "20080",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"when --listen-port is set, it should ignore --listen-address flags": {
+			args: []string{
+				"--listen-port", "10080",
+				"--listen-port", "20080",
+				"--listen-address", "127.0.0.1:30080",
+				"--listen-address", "127.0.0.1:40080",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"GrantType=authcode-keyboard": {
+			args: []string{
+				"--grant-type", "authcode-keyboard",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{},
+			},
+		},
+		"GrantType=password": {
+			args: []string{
+				"--grant-type", "password",
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				ROPCOption: &ropc.Option{
+					Username: "USER",
+					Password: "PASS",
+				},
+			},
+		},
+		"GrantType=auto": {
+			args: []string{
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				ROPCOption: &ropc.Option{
+					Username: "USER",
+					Password: "PASS",
+				},
+			},
+		},
+	}
+
+	for name, c := range tests {
+		t.Run(name, func(t *testing.T) {
+			var o authenticationOptions
+			f := pflag.NewFlagSet("", pflag.ContinueOnError)
+			o.addFlags(f)
+			if err := f.Parse(c.args); err != nil {
+				t.Fatalf("Parse error: %s", err)
+			}
+			got, err := o.grantOptionSet()
+			if err != nil {
+				t.Fatalf("grantOptionSet error: %s", err)
+			}
+			if diff := cmp.Diff(c.want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
--- a/pkg/adaptors/cmd/cmd.go
+++ b/pkg/adaptors/cmd/cmd.go
@@ -2,12 +2,12 @@ package cmd

 import (
 	"context"
+	"path/filepath"
 	"runtime"

 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/spf13/cobra"
-	"k8s.io/client-go/util/homedir"
 )

 // Set provides an implementation and interface for Cmd.
@@ -24,7 +24,9 @@ type Interface interface {
 }

 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
-var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
+var defaultTokenCacheDir = filepath.Join("~", ".kube", "cache", "oidc-login")
+
+const defaultAuthenticationTimeoutSec = 180

 // Cmd provides interaction with command line interface (CLI).
 type Cmd struct {
--- a/pkg/cmd/cmd_test.go
+++ b/pkg/cmd/cmd_test.go
@@ -0,0 +1,246 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+)
+
+func TestCmd_Run(t *testing.T) {
+	const executable = "kubelogin"
+	const version = "HEAD"
+
+	t.Run("root", func(t *testing.T) {
+		tests := map[string]struct {
+			args []string
+			in   standalone.Input
+		}{
+			"Defaults": {
+				args: []string{executable},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"--kubeconfig", "/path/to/kubeconfig",
+					"--context", "hello.k8s.local",
+					"--user", "google",
+					"-v1",
+				},
+				in: standalone.Input{
+					KubeconfigFilename: "/path/to/kubeconfig",
+					KubeconfigContext:  "hello.k8s.local",
+					KubeconfigUser:     "google",
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctx := context.TODO()
+				mockStandalone := standalone.NewMockInterface(t)
+				mockStandalone.EXPECT().
+					Do(ctx, c.in).
+					Return(nil)
+				cmd := Cmd{
+					Root: &Root{
+						Standalone: mockStandalone,
+						Logger:     logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
+			})
+		}
+
+		t.Run("TooManyArgs", func(t *testing.T) {
+			cmd := Cmd{
+				Root: &Root{
+					Standalone: standalone.NewMockInterface(t),
+					Logger:     logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+	})
+
+	t.Run("get-token", func(t *testing.T) {
+		userHomeDir, err := os.UserHomeDir()
+		if err != nil {
+			t.Fatalf("os.UserHomeDir error: %s", err)
+		}
+
+		tests := map[string]struct {
+			args []string
+			in   credentialplugin.Input
+		}{
+			"Defaults": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
+					"--oidc-extra-scope", "email",
+					"--oidc-extra-scope", "profile",
+					"-v1",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+					Provider: oidc.Provider{
+						IssuerURL:    "https://issuer.example.com",
+						ClientID:     "YOUR_CLIENT_ID",
+						ClientSecret: "YOUR_CLIENT_SECRET",
+						ExtraScopes:  []string{"email", "profile"},
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"HomedirExpansion": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--certificate-authority", "~/.kube/ca.crt",
+					"--local-server-cert", "~/.kube/oidc-server.crt",
+					"--local-server-key", "~/.kube/oidc-server.key",
+					"--token-cache-dir", "~/.kube/oidc-cache",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/oidc-cache"),
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+							LocalServerCertFile:   filepath.Join(userHomeDir, ".kube/oidc-server.crt"),
+							LocalServerKeyFile:    filepath.Join(userHomeDir, ".kube/oidc-server.key"),
+						},
+					},
+					TLSClientConfig: tlsclientconfig.Config{
+						CACertFilename: []string{filepath.Join(userHomeDir, ".kube/ca.crt")},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctx := context.TODO()
+				getToken := credentialplugin.NewMockInterface(t)
+				getToken.EXPECT().
+					Do(ctx, c.in).
+					Return(nil)
+				cmd := Cmd{
+					Root: &Root{
+						Logger: logger.New(t),
+					},
+					GetToken: &GetToken{
+						GetToken: getToken,
+						Logger:   logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
+			})
+		}
+
+		t.Run("MissingMandatoryOptions", func(t *testing.T) {
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: credentialplugin.NewMockInterface(t),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+
+		t.Run("TooManyArgs", func(t *testing.T) {
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: credentialplugin.NewMockInterface(t),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+	})
+}
--- a/pkg/adaptors/cmd/get_token.go
+++ b/pkg/adaptors/cmd/get_token.go
@@ -1,11 +1,14 @@
 package cmd

 import (
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"errors"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )

 // getTokenOptions represents the options for get-token command.
@@ -14,6 +17,7 @@ type getTokenOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
+	UsePKCE               bool
 	TokenCacheDir         string
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
@@ -24,11 +28,19 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }

+func (o *getTokenOptions) expandHomedir() error {
+	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+	o.authenticationOptions.expandHomedir()
+	o.tlsOptions.expandHomedir()
+	return nil
+}
+
 type GetToken struct {
 	GetToken credentialplugin.Interface
 	Logger   logger.Interface
@@ -44,31 +56,35 @@ func (cmd *GetToken) New() *cobra.Command {
 				return err
 			}
 			if o.IssuerURL == "" {
-				return xerrors.New("--oidc-issuer-url is missing")
+				return errors.New("--oidc-issuer-url is missing")
 			}
 			if o.ClientID == "" {
-				return xerrors.New("--oidc-client-id is missing")
+				return errors.New("--oidc-client-id is missing")
 			}
 			return nil
 		},
 		RunE: func(c *cobra.Command, _ []string) error {
+			if err := o.expandHomedir(); err != nil {
+				return err
+			}
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("get-token: %w", err)
+				return fmt.Errorf("get-token: %w", err)
 			}
 			in := credentialplugin.Input{
-				IssuerURL:      o.IssuerURL,
-				ClientID:       o.ClientID,
-				ClientSecret:   o.ClientSecret,
-				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.tlsOptions.CACertFilename,
-				CACertData:     o.tlsOptions.CACertData,
-				SkipTLSVerify:  o.tlsOptions.SkipTLSVerify,
-				TokenCacheDir:  o.TokenCacheDir,
-				GrantOptionSet: grantOptionSet,
+				Provider: oidc.Provider{
+					IssuerURL:    o.IssuerURL,
+					ClientID:     o.ClientID,
+					ClientSecret: o.ClientSecret,
+					UsePKCE:      o.UsePKCE,
+					ExtraScopes:  o.ExtraScopes,
+				},
+				TokenCacheDir:   o.TokenCacheDir,
+				GrantOptionSet:  grantOptionSet,
+				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}
 			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
-				return xerrors.Errorf("get-token: %w", err)
+				return fmt.Errorf("get-token: %w", err)
 			}
 			return nil
 		},
--- a/pkg/cmd/homedir.go
+++ b/pkg/cmd/homedir.go
@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"path/filepath"
+	"strings"
+
+	"k8s.io/client-go/util/homedir"
+)
+
+func expandHomedir(s string) string {
+	if !strings.HasPrefix(s, "~") {
+		return s
+	}
+	return filepath.Join(homedir.HomeDir(), strings.TrimPrefix(s, "~"))
+}
--- a/pkg/cmd/mock_Interface.go
+++ b/pkg/cmd/mock_Interface.go
@@ -0,0 +1,76 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package cmd
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Run provides a mock function with given fields: ctx, args, version
+func (_m *MockInterface) Run(ctx context.Context, args []string, version string) int {
+	ret := _m.Called(ctx, args, version)
+
+	var r0 int
+	if rf, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
+		r0 = rf(ctx, args, version)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	return r0
+}
+
+// MockInterface_Run_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Run'
+type MockInterface_Run_Call struct {
+	*mock.Call
+}
+
+// Run is a helper method to define mock.On call
+//  - ctx context.Context
+//  - args []string
+//  - version string
+func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version interface{}) *MockInterface_Run_Call {
+	return &MockInterface_Run_Call{Call: _e.mock.On("Run", ctx, args, version)}
+}
+
+func (_c *MockInterface_Run_Call) Run(run func(ctx context.Context, args []string, version string)) *MockInterface_Run_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].([]string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Run_Call) Return(_a0 int) *MockInterface_Run_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/adaptors/cmd/root.go
+++ b/pkg/adaptors/cmd/root.go
@@ -1,12 +1,12 @@
 package cmd

 import (
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"fmt"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )

 const rootDescription = `Log in to the OpenID Connect provider.
@@ -51,19 +51,17 @@ func (cmd *Root) New() *cobra.Command {
 		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("invalid option: %w", err)
+				return fmt.Errorf("invalid option: %w", err)
 			}
 			in := standalone.Input{
 				KubeconfigFilename: o.Kubeconfig,
 				KubeconfigContext:  kubeconfig.ContextName(o.Context),
 				KubeconfigUser:     kubeconfig.UserName(o.User),
-				CACertFilename:     o.tlsOptions.CACertFilename,
-				CACertData:         o.tlsOptions.CACertData,
-				SkipTLSVerify:      o.tlsOptions.SkipTLSVerify,
 				GrantOptionSet:     grantOptionSet,
+				TLSClientConfig:    o.tlsOptions.tlsClientConfig(),
 			}
 			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
-				return xerrors.Errorf("login: %w", err)
+				return fmt.Errorf("login: %w", err)
 			}
 			return nil
 		},
--- a/pkg/adaptors/cmd/setup.go
+++ b/pkg/adaptors/cmd/setup.go
@@ -1,10 +1,11 @@
 package cmd

 import (
+	"fmt"
+
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )

 // setupOptions represents the options for setup command.
@@ -13,6 +14,7 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
+	UsePKCE               bool
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 }
@@ -22,6 +24,7 @@ func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
@@ -39,17 +42,16 @@ func (cmd *Setup) New() *cobra.Command {
 		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("setup: %w", err)
+				return fmt.Errorf("setup: %w", err)
 			}
 			in := setup.Stage2Input{
-				IssuerURL:      o.IssuerURL,
-				ClientID:       o.ClientID,
-				ClientSecret:   o.ClientSecret,
-				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.tlsOptions.CACertFilename,
-				CACertData:     o.tlsOptions.CACertData,
-				SkipTLSVerify:  o.tlsOptions.SkipTLSVerify,
-				GrantOptionSet: grantOptionSet,
+				IssuerURL:       o.IssuerURL,
+				ClientID:        o.ClientID,
+				ClientSecret:    o.ClientSecret,
+				ExtraScopes:     o.ExtraScopes,
+				UsePKCE:         o.UsePKCE,
+				GrantOptionSet:  grantOptionSet,
+				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}
 			if c.Flags().Lookup("listen-address").Changed {
 				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
@@ -59,7 +61,7 @@ func (cmd *Setup) New() *cobra.Command {
 				return nil
 			}
 			if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
-				return xerrors.Errorf("setup: %w", err)
+				return fmt.Errorf("setup: %w", err)
 			}
 			return nil
 		},
--- a/pkg/cmd/tls.go
+++ b/pkg/cmd/tls.go
@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"crypto/tls"
+
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/spf13/pflag"
+)
+
+type tlsOptions struct {
+	CACertFilename            []string
+	CACertData                []string
+	SkipTLSVerify             bool
+	RenegotiateOnceAsClient   bool
+	RenegotiateFreelyAsClient bool
+}
+
+func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
+	f.StringArrayVar(&o.CACertFilename, "certificate-authority", nil, "Path to a cert file for the certificate authority")
+	f.StringArrayVar(&o.CACertData, "certificate-authority-data", nil, "Base64 encoded cert for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.BoolVar(&o.RenegotiateOnceAsClient, "tls-renegotiation-once", false, "If set, allow a remote server to request renegotiation once per connection")
+	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
+}
+
+func (o *tlsOptions) expandHomedir() {
+	var caCertFilenames []string
+	for _, caCertFilename := range o.CACertFilename {
+		expanded := expandHomedir(caCertFilename)
+		caCertFilenames = append(caCertFilenames, expanded)
+	}
+	o.CACertFilename = caCertFilenames
+}
+
+func (o tlsOptions) tlsClientConfig() tlsclientconfig.Config {
+	return tlsclientconfig.Config{
+		CACertFilename: o.CACertFilename,
+		CACertData:     o.CACertData,
+		SkipTLSVerify:  o.SkipTLSVerify,
+		Renegotiation:  o.renegotiationSupport(),
+	}
+}
+
+func (o tlsOptions) renegotiationSupport() tls.RenegotiationSupport {
+	if o.RenegotiateOnceAsClient {
+		return tls.RenegotiateOnceAsClient
+	}
+	if o.RenegotiateFreelyAsClient {
+		return tls.RenegotiateFreelyAsClient
+	}
+	return tls.RenegotiateNever
+}
--- a/pkg/cmd/tls_test.go
+++ b/pkg/cmd/tls_test.go
@@ -0,0 +1,92 @@
+package cmd
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/spf13/pflag"
+)
+
+func Test_tlsOptions_tlsClientConfig(t *testing.T) {
+	tests := map[string]struct {
+		args []string
+		want tlsclientconfig.Config
+	}{
+		"NoFlag": {},
+		"SkipTLSVerify": {
+			args: []string{
+				"--insecure-skip-tls-verify",
+			},
+			want: tlsclientconfig.Config{
+				SkipTLSVerify: true,
+			},
+		},
+		"CACertFilename1": {
+			args: []string{
+				"--certificate-authority", "/path/to/cert1",
+			},
+			want: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert1"},
+			},
+		},
+		"CACertFilename2": {
+			args: []string{
+				"--certificate-authority", "/path/to/cert1",
+				"--certificate-authority", "/path/to/cert2",
+			},
+			want: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert1", "/path/to/cert2"},
+			},
+		},
+		"CACertData1": {
+			args: []string{
+				"--certificate-authority-data", "base64encoded1",
+			},
+			want: tlsclientconfig.Config{
+				CACertData: []string{"base64encoded1"},
+			},
+		},
+		"CACertData2": {
+			args: []string{
+				"--certificate-authority-data", "base64encoded1",
+				"--certificate-authority-data", "base64encoded2",
+			},
+			want: tlsclientconfig.Config{
+				CACertData: []string{"base64encoded1", "base64encoded2"},
+			},
+		},
+		"RenegotiateOnceAsClient": {
+			args: []string{
+				"--tls-renegotiation-once",
+			},
+			want: tlsclientconfig.Config{
+				Renegotiation: tls.RenegotiateOnceAsClient,
+			},
+		},
+		"RenegotiateFreelyAsClient": {
+			args: []string{
+				"--tls-renegotiation-freely",
+			},
+			want: tlsclientconfig.Config{
+				Renegotiation: tls.RenegotiateFreelyAsClient,
+			},
+		},
+	}
+
+	for name, c := range tests {
+		t.Run(name, func(t *testing.T) {
+			var o tlsOptions
+			f := pflag.NewFlagSet("", pflag.ContinueOnError)
+			o.addFlags(f)
+			if err := f.Parse(c.args); err != nil {
+				t.Fatalf("Parse error: %s", err)
+			}
+			got := o.tlsClientConfig()
+			if diff := cmp.Diff(c.want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
--- a/pkg/credentialplugin/types.go
+++ b/pkg/credentialplugin/types.go
@@ -0,0 +1,10 @@
+// Package credentialplugin provides the types for client-go credential plugins.
+package credentialplugin
+
+import "time"
+
+// Output represents an output object of the credential plugin.
+type Output struct {
+	Token  string
+	Expiry time.Time
+}
--- a/pkg/adaptors/credentialpluginwriter/credential_plugin.go
+++ b/pkg/adaptors/credentialpluginwriter/credential_plugin.go
@@ -1,32 +1,24 @@
-// Package credentialpluginwriter provides a writer for a credential plugin.
-package credentialpluginwriter
+// Package writer provides a writer for a credential plugin.
+package writer

 import (
 	"encoding/json"
-	"time"
+	"fmt"

 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/stdio"
-	"golang.org/x/xerrors"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )

-//go:generate mockgen -destination mock_credentialpluginwriter/mock_credentialpluginwriter.go github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter Interface
-
 var Set = wire.NewSet(
 	wire.Struct(new(Writer), "*"),
 	wire.Bind(new(Interface), new(*Writer)),
 )

 type Interface interface {
-	Write(out Output) error
-}
-
-// Output represents an output object of the credential plugin.
-type Output struct {
-	Token  string
-	Expiry time.Time
+	Write(out credentialplugin.Output) error
 }

 type Writer struct {
@@ -34,7 +26,7 @@ type Writer struct {
 }

 // Write writes the ExecCredential to standard output for kubectl.
-func (w *Writer) Write(out Output) error {
+func (w *Writer) Write(out credentialplugin.Output) error {
 	ec := &clientauthenticationv1beta1.ExecCredential{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "client.authentication.k8s.io/v1beta1",
@@ -47,7 +39,7 @@ func (w *Writer) Write(out Output) error {
 	}
 	e := json.NewEncoder(w.Stdout)
 	if err := e.Encode(ec); err != nil {
-		return xerrors.Errorf("could not write the ExecCredential: %w", err)
+		return fmt.Errorf("could not write the ExecCredential: %w", err)
 	}
 	return nil
 }
--- a/pkg/credentialplugin/writer/mock_Interface.go
+++ b/pkg/credentialplugin/writer/mock_Interface.go
@@ -0,0 +1,73 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package writer
+
+import (
+	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function with given fields: out
+func (_m *MockInterface) Write(out credentialplugin.Output) error {
+	ret := _m.Called(out)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
+		r0 = rf(out)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockInterface_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//  - out credentialplugin.Output
+func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Call {
+	return &MockInterface_Write_Call{Call: _e.mock.On("Write", out)}
+}
+
+func (_c *MockInterface_Write_Call) Run(run func(out credentialplugin.Output)) *MockInterface_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(credentialplugin.Output))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Write_Call) Return(_a0 error) *MockInterface_Write_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/di/di.go
+++ b/pkg/di/di.go
@@ -5,24 +5,26 @@ package di

 import (
 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/browser"
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/clock"
-	"github.com/int128/kubelogin/pkg/adaptors/cmd"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	"github.com/int128/kubelogin/pkg/adaptors/reader"
-	"github.com/int128/kubelogin/pkg/adaptors/stdio"
-	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/cmd"
+	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
+	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	kubeconfigLoader "github.com/int128/kubelogin/pkg/kubeconfig/loader"
+	kubeconfigWriter "github.com/int128/kubelogin/pkg/kubeconfig/writer"
+	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
+	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 )

-// NewCmd returns an instance of adaptors.Cmd.
+// NewCmd returns an instance of infrastructure.Cmd.
 func NewCmd() cmd.Interface {
 	wire.Build(
 		NewCmdForHeadless,
@@ -36,7 +38,7 @@ func NewCmd() cmd.Interface {
 	return nil
 }

-// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
+// NewCmdForHeadless returns an instance of infrastructure.Cmd for headless testing.
 func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interface, browser.Interface) cmd.Interface {
 	wire.Build(
 		// use-cases
@@ -45,14 +47,16 @@ func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interf
 		credentialplugin.Set,
 		setup.Set,

-		// adaptors
+		// infrastructure
 		cmd.Set,
 		reader.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		oidcclient.Set,
-		certpool.Set,
-		credentialpluginwriter.Set,
+		kubeconfigLoader.Set,
+		kubeconfigWriter.Set,
+		repository.Set,
+		client.Set,
+		loader.Set,
+		writer.Set,
+		mutex.Set,
 	)
 	return nil
 }
--- a/pkg/di/wire_gen.go
+++ b/pkg/di/wire_gen.go
@@ -6,17 +6,19 @@
 package di

 import (
-	"github.com/int128/kubelogin/pkg/adaptors/browser"
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/clock"
-	"github.com/int128/kubelogin/pkg/adaptors/cmd"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	"github.com/int128/kubelogin/pkg/adaptors/reader"
-	"github.com/int128/kubelogin/pkg/adaptors/stdio"
-	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/cmd"
+	writer2 "github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
+	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	loader2 "github.com/int128/kubelogin/pkg/kubeconfig/loader"
+	"github.com/int128/kubelogin/pkg/kubeconfig/writer"
+	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
+	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
@@ -28,7 +30,6 @@ import (

 // Injectors from di.go:

-// NewCmd returns an instance of adaptors.Cmd.
 func NewCmd() cmd.Interface {
 	clockReal := &clock.Real{}
 	stdin := _wireFileValue
@@ -44,9 +45,10 @@ var (
 	_wireOsFileValue = os.Stdout
 )

-// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
 func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout stdio.Stdout, loggerInterface logger.Interface, browserInterface browser.Interface) cmd.Interface {
-	factory := &oidcclient.Factory{
+	loaderLoader := loader.Loader{}
+	factory := &client.Factory{
+		Loader: loaderLoader,
 		Clock:  clockInterface,
 		Logger: loggerInterface,
 	}
@@ -66,36 +68,37 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		Logger: loggerInterface,
 	}
 	authenticationAuthentication := &authentication.Authentication{
-		OIDCClient:       factory,
+		ClientFactory:    factory,
 		Logger:           loggerInterface,
 		Clock:            clockInterface,
 		AuthCodeBrowser:  authcodeBrowser,
 		AuthCodeKeyboard: keyboard,
 		ROPC:             ropcROPC,
 	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{
-		Logger: loggerInterface,
-	}
-	newFunc := _wireNewFuncValue
+	loader3 := &loader2.Loader{}
+	writerWriter := &writer.Writer{}
 	standaloneStandalone := &standalone.Standalone{
-		Authentication: authenticationAuthentication,
-		Kubeconfig:     kubeconfigKubeconfig,
-		NewCertPool:    newFunc,
-		Logger:         loggerInterface,
+		Authentication:   authenticationAuthentication,
+		KubeconfigLoader: loader3,
+		KubeconfigWriter: writerWriter,
+		Logger:           loggerInterface,
 	}
 	root := &cmd.Root{
 		Standalone: standaloneStandalone,
 		Logger:     loggerInterface,
 	}
-	repository := &tokencache.Repository{}
-	writer := &credentialpluginwriter.Writer{
+	repositoryRepository := &repository.Repository{}
+	writer3 := &writer2.Writer{
 		Stdout: stdout,
 	}
+	mutexMutex := &mutex.Mutex{
+		Logger: loggerInterface,
+	}
 	getToken := &credentialplugin.GetToken{
 		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repository,
-		NewCertPool:          newFunc,
-		Writer:               writer,
+		TokenCacheRepository: repositoryRepository,
+		Writer:               writer3,
+		Mutex:                mutexMutex,
 		Logger:               loggerInterface,
 	}
 	cmdGetToken := &cmd.GetToken{
@@ -104,7 +107,6 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 	}
 	setupSetup := &setup.Setup{
 		Authentication: authenticationAuthentication,
-		NewCertPool:    newFunc,
 		Logger:         loggerInterface,
 	}
 	cmdSetup := &cmd.Setup{
@@ -118,7 +120,3 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 	}
 	return cmdCmd
 }
-
-var (
-	_wireNewFuncValue = certpool.NewFunc(certpool.New)
-)
--- a/pkg/infrastructure/browser/browser.go
+++ b/pkg/infrastructure/browser/browser.go
@@ -1,14 +1,14 @@
 package browser

 import (
+	"context"
 	"os"
+	"os/exec"

 	"github.com/google/wire"
 	"github.com/pkg/browser"
 )

-//go:generate mockgen -destination mock_browser/mock_browser.go github.com/int128/kubelogin/pkg/adaptors/browser Interface
-
 func init() {
 	// In credential plugin mode, some browser launcher writes a message to stdout
 	// and it may break the credential json for client-go.
@@ -23,6 +23,7 @@ var Set = wire.NewSet(

 type Interface interface {
 	Open(url string) error
+	OpenCommand(ctx context.Context, url, command string) error
 }

 type Browser struct{}
@@ -31,3 +32,11 @@ type Browser struct{}
 func (*Browser) Open(url string) error {
 	return browser.OpenURL(url)
 }
+
+// OpenCommand opens the browser using the command.
+func (*Browser) OpenCommand(ctx context.Context, url, command string) error {
+	c := exec.CommandContext(ctx, command, url)
+	c.Stdout = os.Stderr // see above
+	c.Stderr = os.Stderr
+	return c.Run()
+}
--- a/pkg/infrastructure/browser/mock_Interface.go
+++ b/pkg/infrastructure/browser/mock_Interface.go
@@ -0,0 +1,113 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package browser
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Open provides a mock function with given fields: url
+func (_m *MockInterface) Open(url string) error {
+	ret := _m.Called(url)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(string) error); ok {
+		r0 = rf(url)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Open_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Open'
+type MockInterface_Open_Call struct {
+	*mock.Call
+}
+
+// Open is a helper method to define mock.On call
+//  - url string
+func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call {
+	return &MockInterface_Open_Call{Call: _e.mock.On("Open", url)}
+}
+
+func (_c *MockInterface_Open_Call) Run(run func(url string)) *MockInterface_Open_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Open_Call) Return(_a0 error) *MockInterface_Open_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+// OpenCommand provides a mock function with given fields: ctx, url, command
+func (_m *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
+	ret := _m.Called(ctx, url, command)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
+		r0 = rf(ctx, url, command)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_OpenCommand_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OpenCommand'
+type MockInterface_OpenCommand_Call struct {
+	*mock.Call
+}
+
+// OpenCommand is a helper method to define mock.On call
+//  - ctx context.Context
+//  - url string
+//  - command string
+func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{}, command interface{}) *MockInterface_OpenCommand_Call {
+	return &MockInterface_OpenCommand_Call{Call: _e.mock.On("OpenCommand", ctx, url, command)}
+}
+
+func (_c *MockInterface_OpenCommand_Call) Run(run func(ctx context.Context, url string, command string)) *MockInterface_OpenCommand_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_OpenCommand_Call) Return(_a0 error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/clock/clock.go
+++ b/pkg/infrastructure/clock/clock.go
--- a/pkg/infrastructure/clock/mock_Interface.go
+++ b/pkg/infrastructure/clock/mock_Interface.go
@@ -0,0 +1,73 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package clock
+
+import (
+	time "time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Now provides a mock function with given fields:
+func (_m *MockInterface) Now() time.Time {
+	ret := _m.Called()
+
+	var r0 time.Time
+	if rf, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(time.Time)
+	}
+
+	return r0
+}
+
+// MockInterface_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
+type MockInterface_Now_Call struct {
+	*mock.Call
+}
+
+// Now is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Now() *MockInterface_Now_Call {
+	return &MockInterface_Now_Call{Call: _e.mock.On("Now")}
+}
+
+func (_c *MockInterface_Now_Call) Run(run func()) *MockInterface_Now_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Now_Call) Return(_a0 time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/logger/logger.go
+++ b/pkg/infrastructure/logger/logger.go
@@ -7,7 +7,7 @@ import (

 	"github.com/google/wire"
 	"github.com/spf13/pflag"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )

 // Set provides an implementation and interface for Logger.
@@ -56,5 +56,5 @@ func (*Logger) V(level int) Verbose {

 // IsEnabled returns true if the level is enabled.
 func (*Logger) IsEnabled(level int) bool {
-	return bool(klog.V(klog.Level(level)))
+	return klog.V(klog.Level(level)).Enabled()
 }
--- a/pkg/infrastructure/logger/mock_Interface.go
+++ b/pkg/infrastructure/logger/mock_Interface.go
@@ -0,0 +1,179 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package logger
+
+import (
+	pflag "github.com/spf13/pflag"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// AddFlags provides a mock function with given fields: f
+func (_m *MockInterface) AddFlags(f *pflag.FlagSet) {
+	_m.Called(f)
+}
+
+// MockInterface_AddFlags_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddFlags'
+type MockInterface_AddFlags_Call struct {
+	*mock.Call
+}
+
+// AddFlags is a helper method to define mock.On call
+//  - f *pflag.FlagSet
+func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
+	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
+}
+
+func (_c *MockInterface_AddFlags_Call) Run(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(*pflag.FlagSet))
+	})
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
+	_c.Call.Return()
+	return _c
+}
+
+// IsEnabled provides a mock function with given fields: level
+func (_m *MockInterface) IsEnabled(level int) bool {
+	ret := _m.Called(level)
+
+	var r0 bool
+	if rf, ok := ret.Get(0).(func(int) bool); ok {
+		r0 = rf(level)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+
+	return r0
+}
+
+// MockInterface_IsEnabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsEnabled'
+type MockInterface_IsEnabled_Call struct {
+	*mock.Call
+}
+
+// IsEnabled is a helper method to define mock.On call
+//  - level int
+func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
+	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
+}
+
+func (_c *MockInterface_IsEnabled_Call) Run(run func(level int)) *MockInterface_IsEnabled_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(int))
+	})
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) Return(_a0 bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+// Printf provides a mock function with given fields: format, args
+func (_m *MockInterface) Printf(format string, args ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, args...)
+	_m.Called(_ca...)
+}
+
+// MockInterface_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockInterface_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//  - format string
+//  - args ...interface{}
+func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
+	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockInterface_Printf_Call) Run(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+// V provides a mock function with given fields: level
+func (_m *MockInterface) V(level int) Verbose {
+	ret := _m.Called(level)
+
+	var r0 Verbose
+	if rf, ok := ret.Get(0).(func(int) Verbose); ok {
+		r0 = rf(level)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Verbose)
+		}
+	}
+
+	return r0
+}
+
+// MockInterface_V_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'V'
+type MockInterface_V_Call struct {
+	*mock.Call
+}
+
+// V is a helper method to define mock.On call
+//  - level int
+func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
+	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
+}
+
+func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(int))
+	})
+	return _c
+}
+
+func (_c *MockInterface_V_Call) Return(_a0 Verbose) *MockInterface_V_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/logger/mock_Verbose.go
+++ b/pkg/infrastructure/logger/mock_Verbose.go
@@ -0,0 +1,72 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package logger
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockVerbose is an autogenerated mock type for the Verbose type
+type MockVerbose struct {
+	mock.Mock
+}
+
+type MockVerbose_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockVerbose) EXPECT() *MockVerbose_Expecter {
+	return &MockVerbose_Expecter{mock: &_m.Mock}
+}
+
+// Infof provides a mock function with given fields: format, args
+func (_m *MockVerbose) Infof(format string, args ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, args...)
+	_m.Called(_ca...)
+}
+
+// MockVerbose_Infof_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Infof'
+type MockVerbose_Infof_Call struct {
+	*mock.Call
+}
+
+// Infof is a helper method to define mock.On call
+//  - format string
+//  - args ...interface{}
+func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
+	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockVerbose_Infof_Call) Run(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
+	_c.Call.Return()
+	return _c
+}
+
+type mockConstructorTestingTNewMockVerbose interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockVerbose(t mockConstructorTestingTNewMockVerbose) *MockVerbose {
+	mock := &MockVerbose{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/logger/mock_goLogger.go
+++ b/pkg/infrastructure/logger/mock_goLogger.go
@@ -0,0 +1,72 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package logger
+
+import mock "github.com/stretchr/testify/mock"
+
+// mockGoLogger is an autogenerated mock type for the goLogger type
+type mockGoLogger struct {
+	mock.Mock
+}
+
+type mockGoLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *mockGoLogger) EXPECT() *mockGoLogger_Expecter {
+	return &mockGoLogger_Expecter{mock: &_m.Mock}
+}
+
+// Printf provides a mock function with given fields: format, v
+func (_m *mockGoLogger) Printf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// mockGoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type mockGoLogger_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//  - format string
+//  - v ...interface{}
+func (_e *mockGoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockGoLogger_Printf_Call {
+	return &mockGoLogger_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *mockGoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockGoLogger_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *mockGoLogger_Printf_Call) Return() *mockGoLogger_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+type mockConstructorTestingTnewMockGoLogger interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// newMockGoLogger creates a new instance of mockGoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func newMockGoLogger(t mockConstructorTestingTnewMockGoLogger) *mockGoLogger {
+	mock := &mockGoLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/mutex/mock_Interface.go
+++ b/pkg/infrastructure/mutex/mock_Interface.go
@@ -0,0 +1,121 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package mutex
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Acquire provides a mock function with given fields: ctx, name
+func (_m *MockInterface) Acquire(ctx context.Context, name string) (*Lock, error) {
+	ret := _m.Called(ctx, name)
+
+	var r0 *Lock
+	if rf, ok := ret.Get(0).(func(context.Context, string) *Lock); ok {
+		r0 = rf(ctx, name)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*Lock)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, name)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Acquire_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Acquire'
+type MockInterface_Acquire_Call struct {
+	*mock.Call
+}
+
+// Acquire is a helper method to define mock.On call
+//  - ctx context.Context
+//  - name string
+func (_e *MockInterface_Expecter) Acquire(ctx interface{}, name interface{}) *MockInterface_Acquire_Call {
+	return &MockInterface_Acquire_Call{Call: _e.mock.On("Acquire", ctx, name)}
+}
+
+func (_c *MockInterface_Acquire_Call) Run(run func(ctx context.Context, name string)) *MockInterface_Acquire_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Acquire_Call) Return(_a0 *Lock, _a1 error) *MockInterface_Acquire_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+// Release provides a mock function with given fields: lock
+func (_m *MockInterface) Release(lock *Lock) error {
+	ret := _m.Called(lock)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(*Lock) error); ok {
+		r0 = rf(lock)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Release_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Release'
+type MockInterface_Release_Call struct {
+	*mock.Call
+}
+
+// Release is a helper method to define mock.On call
+//  - lock *Lock
+func (_e *MockInterface_Expecter) Release(lock interface{}) *MockInterface_Release_Call {
+	return &MockInterface_Release_Call{Call: _e.mock.On("Release", lock)}
+}
+
+func (_c *MockInterface_Release_Call) Run(run func(lock *Lock)) *MockInterface_Release_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(*Lock))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Release_Call) Return(_a0 error) *MockInterface_Release_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/mutex/mutex.go
+++ b/pkg/infrastructure/mutex/mutex.go
@@ -0,0 +1,87 @@
+package mutex
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/alexflint/go-filemutex"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Mutex), "*"),
+	wire.Bind(new(Interface), new(*Mutex)),
+)
+
+type Interface interface {
+	Acquire(ctx context.Context, name string) (*Lock, error)
+	Release(lock *Lock) error
+}
+
+// Lock holds the lock data.
+type Lock struct {
+	Data interface{}
+	Name string
+}
+
+type Mutex struct {
+	Logger logger.Interface
+}
+
+// internalAcquire wait for acquisition of the lock
+func internalAcquire(fm *filemutex.FileMutex) chan error {
+	result := make(chan error)
+	go func() {
+		if err := fm.Lock(); err != nil {
+			result <- err
+		}
+		close(result)
+	}()
+	return result
+}
+
+// internalRelease disposes of resources associated with a lock
+func internalRelease(fm *filemutex.FileMutex, lfn string, log logger.Interface) error {
+	err := fm.Close()
+	if err != nil {
+		log.V(1).Infof("Error closing lock file %s: %s", lfn, err)
+	}
+	return err
+}
+
+// LockFileName get the lock file name from the lock name.
+func LockFileName(name string) string {
+	return path.Join(os.TempDir(), fmt.Sprintf(".kubelogin.%s.lock", name))
+}
+
+// Acquire acquire a lock for the specified name. The context could be used to set a timeout.
+func (m *Mutex) Acquire(ctx context.Context, name string) (*Lock, error) {
+	lfn := LockFileName(name)
+	fm, err := filemutex.New(lfn)
+	if err != nil {
+		return nil, fmt.Errorf("error creating mutex file %s: %w", lfn, err)
+	}
+
+	lockChan := internalAcquire(fm)
+	select {
+	case <-ctx.Done():
+		_ = internalRelease(fm, lfn, m.Logger)
+		return nil, ctx.Err()
+	case err := <-lockChan:
+		if err != nil {
+			_ = internalRelease(fm, lfn, m.Logger)
+			return nil, fmt.Errorf("error acquiring lock on file %s: %w", lfn, err)
+		}
+		return &Lock{Data: fm, Name: name}, nil
+	}
+}
+
+// Release release the specified lock
+func (m *Mutex) Release(lock *Lock) error {
+	fm := lock.Data.(*filemutex.FileMutex)
+	lfn := LockFileName(lock.Name)
+	return internalRelease(fm, lfn, m.Logger)
+}
--- a/pkg/infrastructure/mutex/mutex_test.go
+++ b/pkg/infrastructure/mutex/mutex_test.go
@@ -0,0 +1,64 @@
+package mutex
+
+import (
+	"fmt"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"golang.org/x/net/context"
+	"math/rand"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestMutex(t *testing.T) {
+
+	t.Run("Test successful parallel acquisition with no reentry allowed", func(t *testing.T) {
+
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		nbConcurrency := 20
+		wg := sync.WaitGroup{}
+		events := make(chan int, nbConcurrency*2)
+		errors := make(chan error, nbConcurrency)
+		doLockUnlock := func() {
+			defer wg.Done()
+
+			m := Mutex{
+				Logger: logger.New(),
+			}
+			if mutex, err := m.Acquire(ctx, "test"); err == nil {
+				events <- 1
+				var dur = time.Duration(rand.Intn(5000))
+				time.Sleep(dur * time.Microsecond)
+				events <- -1
+				if err := m.Release(mutex); err != nil {
+					errors <- fmt.Errorf("Release error: %w", err)
+				}
+			} else {
+				errors <- fmt.Errorf("Acquire error: %w", err)
+			}
+		}
+
+		for i := 0; i < nbConcurrency; i++ {
+			wg.Add(1)
+			go doLockUnlock()
+		}
+
+		wg.Wait()
+		close(events)
+		close(errors)
+
+		countConcurrent := 0
+		for delta := range events {
+			countConcurrent += delta
+			if countConcurrent > 1 {
+				t.Errorf("The mutex did not prevented reentry: %d", countConcurrent)
+			}
+		}
+
+		for anError := range errors {
+			t.Errorf("The gorouting returned an error: %s", anError)
+		}
+	})
+}
--- a/pkg/infrastructure/reader/mock_Interface.go
+++ b/pkg/infrastructure/reader/mock_Interface.go
@@ -0,0 +1,121 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package reader
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ReadPassword provides a mock function with given fields: prompt
+func (_m *MockInterface) ReadPassword(prompt string) (string, error) {
+	ret := _m.Called(prompt)
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(string) string); ok {
+		r0 = rf(prompt)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(prompt)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ReadPassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadPassword'
+type MockInterface_ReadPassword_Call struct {
+	*mock.Call
+}
+
+// ReadPassword is a helper method to define mock.On call
+//  - prompt string
+func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterface_ReadPassword_Call {
+	return &MockInterface_ReadPassword_Call{Call: _e.mock.On("ReadPassword", prompt)}
+}
+
+func (_c *MockInterface_ReadPassword_Call) Run(run func(prompt string)) *MockInterface_ReadPassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ReadPassword_Call) Return(_a0 string, _a1 error) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+// ReadString provides a mock function with given fields: prompt
+func (_m *MockInterface) ReadString(prompt string) (string, error) {
+	ret := _m.Called(prompt)
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(string) string); ok {
+		r0 = rf(prompt)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(prompt)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ReadString_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadString'
+type MockInterface_ReadString_Call struct {
+	*mock.Call
+}
+
+// ReadString is a helper method to define mock.On call
+//  - prompt string
+func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_ReadString_Call {
+	return &MockInterface_ReadString_Call{Call: _e.mock.On("ReadString", prompt)}
+}
+
+func (_c *MockInterface_ReadString_Call) Run(run func(prompt string)) *MockInterface_ReadString_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ReadString_Call) Return(_a0 string, _a1 error) *MockInterface_ReadString_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/infrastructure/reader/reader.go
+++ b/pkg/infrastructure/reader/reader.go
@@ -9,13 +9,10 @@ import (
 	"syscall"

 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/stdio"
-	"golang.org/x/crypto/ssh/terminal"
-	"golang.org/x/xerrors"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	"golang.org/x/term"
 )

-//go:generate mockgen -destination mock_reader/mock_reader.go github.com/int128/kubelogin/pkg/adaptors/reader Interface
-
 // Set provides an implementation and interface for Reader.
 var Set = wire.NewSet(
 	wire.Struct(new(Reader), "*"),
@@ -34,12 +31,12 @@ type Reader struct {
 // ReadString reads a string from the stdin.
 func (x *Reader) ReadString(prompt string) (string, error) {
 	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
-		return "", xerrors.Errorf("write error: %w", err)
+		return "", fmt.Errorf("write error: %w", err)
 	}
 	r := bufio.NewReader(x.Stdin)
 	s, err := r.ReadString('\n')
 	if err != nil {
-		return "", xerrors.Errorf("read error: %w", err)
+		return "", fmt.Errorf("read error: %w", err)
 	}
 	s = strings.TrimRight(s, "\r\n")
 	return s, nil
@@ -48,14 +45,14 @@ func (x *Reader) ReadString(prompt string) (string, error) {
 // ReadPassword reads a password from the stdin without echo back.
 func (*Reader) ReadPassword(prompt string) (string, error) {
 	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
-		return "", xerrors.Errorf("write error: %w", err)
+		return "", fmt.Errorf("write error: %w", err)
 	}
-	b, err := terminal.ReadPassword(int(syscall.Stdin))
+	b, err := term.ReadPassword(int(syscall.Stdin))
 	if err != nil {
-		return "", xerrors.Errorf("read error: %w", err)
+		return "", fmt.Errorf("read error: %w", err)
 	}
 	if _, err := fmt.Fprintln(os.Stderr); err != nil {
-		return "", xerrors.Errorf("write error: %w", err)
+		return "", fmt.Errorf("write error: %w", err)
 	}
 	return string(b), nil
 }
--- a/pkg/infrastructure/stdio/stdio.go
+++ b/pkg/infrastructure/stdio/stdio.go
--- a/pkg/jwt/decode.go
+++ b/pkg/jwt/decode.go
@@ -6,10 +6,9 @@ import (
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"strings"
 	"time"
-
-	"golang.org/x/xerrors"
 )

 // DecodeWithoutVerify decodes the JWT string and returns the claims.
@@ -17,18 +16,18 @@ import (
 func DecodeWithoutVerify(s string) (*Claims, error) {
 	payload, err := DecodePayloadAsRawJSON(s)
 	if err != nil {
-		return nil, xerrors.Errorf("could not decode the payload: %w", err)
+		return nil, fmt.Errorf("could not decode the payload: %w", err)
 	}
 	var claims struct {
 		Subject   string `json:"sub,omitempty"`
 		ExpiresAt int64  `json:"exp,omitempty"`
 	}
 	if err := json.NewDecoder(bytes.NewReader(payload)).Decode(&claims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
+		return nil, fmt.Errorf("could not decode the json of token: %w", err)
 	}
 	var prettyJson bytes.Buffer
 	if err := json.Indent(&prettyJson, payload, "", "  "); err != nil {
-		return nil, xerrors.Errorf("could not indent the json of token: %w", err)
+		return nil, fmt.Errorf("could not indent the json of token: %w", err)
 	}
 	return &Claims{
 		Subject: claims.Subject,
@@ -41,11 +40,11 @@ func DecodeWithoutVerify(s string) (*Claims, error) {
 func DecodePayloadAsPrettyJSON(s string) (string, error) {
 	payload, err := DecodePayloadAsRawJSON(s)
 	if err != nil {
-		return "", xerrors.Errorf("could not decode the payload: %w", err)
+		return "", fmt.Errorf("could not decode the payload: %w", err)
 	}
 	var prettyJson bytes.Buffer
 	if err := json.Indent(&prettyJson, payload, "", "  "); err != nil {
-		return "", xerrors.Errorf("could not indent the json of token: %w", err)
+		return "", fmt.Errorf("could not indent the json of token: %w", err)
 	}
 	return prettyJson.String(), nil
 }
@@ -54,11 +53,11 @@ func DecodePayloadAsPrettyJSON(s string) (string, error) {
 func DecodePayloadAsRawJSON(s string) ([]byte, error) {
 	parts := strings.SplitN(s, ".", 3)
 	if len(parts) != 3 {
-		return nil, xerrors.Errorf("wants %d segments but got %d segments", 3, len(parts))
+		return nil, fmt.Errorf("wants %d segments but got %d segments", 3, len(parts))
 	}
 	payloadJSON, err := decodePayload(parts[1])
 	if err != nil {
-		return nil, xerrors.Errorf("could not decode the payload: %w", err)
+		return nil, fmt.Errorf("could not decode the payload: %w", err)
 	}
 	return payloadJSON, nil
 }
@@ -66,7 +65,7 @@ func DecodePayloadAsRawJSON(s string) ([]byte, error) {
 func decodePayload(payload string) ([]byte, error) {
 	b, err := base64.URLEncoding.WithPadding(base64.NoPadding).DecodeString(payload)
 	if err != nil {
-		return nil, xerrors.Errorf("invalid base64: %w", err)
+		return nil, fmt.Errorf("invalid base64: %w", err)
 	}
 	return b, nil
 }
--- a/pkg/jwt/mock_Clock.go
+++ b/pkg/jwt/mock_Clock.go
@@ -0,0 +1,73 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package jwt
+
+import (
+	time "time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockClock is an autogenerated mock type for the Clock type
+type MockClock struct {
+	mock.Mock
+}
+
+type MockClock_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockClock) EXPECT() *MockClock_Expecter {
+	return &MockClock_Expecter{mock: &_m.Mock}
+}
+
+// Now provides a mock function with given fields:
+func (_m *MockClock) Now() time.Time {
+	ret := _m.Called()
+
+	var r0 time.Time
+	if rf, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(time.Time)
+	}
+
+	return r0
+}
+
+// MockClock_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
+type MockClock_Now_Call struct {
+	*mock.Call
+}
+
+// Now is a helper method to define mock.On call
+func (_e *MockClock_Expecter) Now() *MockClock_Now_Call {
+	return &MockClock_Now_Call{Call: _e.mock.On("Now")}
+}
+
+func (_c *MockClock_Now_Call) Run(run func()) *MockClock_Now_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockClock_Now_Call) Return(_a0 time.Time) *MockClock_Now_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockClock interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockClock(t mockConstructorTestingTNewMockClock) *MockClock {
+	mock := &MockClock{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/adaptors/kubeconfig/load.go
+++ b/pkg/adaptors/kubeconfig/load.go
@@ -1,21 +1,35 @@
-package kubeconfig
+package loader

 import (
+	"errors"
+	"fmt"
 	"strings"

-	"golang.org/x/xerrors"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/clientcmd/api"
 )

-func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error) {
+var Set = wire.NewSet(
+	wire.Struct(new(Loader), "*"),
+	wire.Bind(new(Interface), new(*Loader)),
+)
+
+type Interface interface {
+	GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)
+}
+
+type Loader struct{}
+
+func (Loader) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
 	config, err := loadByDefaultRules(explicitFilename)
 	if err != nil {
-		return nil, xerrors.Errorf("could not load the kubeconfig: %w", err)
+		return nil, fmt.Errorf("could not load the kubeconfig: %w", err)
 	}
 	auth, err := findCurrentAuthProvider(config, contextName, userName)
 	if err != nil {
-		return nil, xerrors.Errorf("could not find the current auth provider: %w", err)
+		return nil, fmt.Errorf("could not find the current auth provider: %w", err)
 	}
 	return auth, nil
 }
@@ -25,7 +39,7 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
 	rules.ExplicitPath = explicitFilename
 	config, err := rules.Load()
 	if err != nil {
-		return nil, xerrors.Errorf("load error: %w", err)
+		return nil, fmt.Errorf("load error: %w", err)
 	}
 	return config, err
 }
@@ -34,29 +48,29 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
 // If contextName is given, this returns the user of the context.
 // If userName is given, this ignores the context and returns the user.
 // If any context or user is not found, this returns an error.
-func findCurrentAuthProvider(config *api.Config, contextName ContextName, userName UserName) (*AuthProvider, error) {
+func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
 	if userName == "" {
 		if contextName == "" {
-			contextName = ContextName(config.CurrentContext)
+			contextName = kubeconfig.ContextName(config.CurrentContext)
 		}
 		contextNode, ok := config.Contexts[string(contextName)]
 		if !ok {
-			return nil, xerrors.Errorf("context %s does not exist", contextName)
+			return nil, fmt.Errorf("context %s does not exist", contextName)
 		}
-		userName = UserName(contextNode.AuthInfo)
+		userName = kubeconfig.UserName(contextNode.AuthInfo)
 	}
 	userNode, ok := config.AuthInfos[string(userName)]
 	if !ok {
-		return nil, xerrors.Errorf("user %s does not exist", userName)
+		return nil, fmt.Errorf("user %s does not exist", userName)
 	}
 	if userNode.AuthProvider == nil {
-		return nil, xerrors.New("auth-provider is missing")
+		return nil, errors.New("auth-provider is missing")
 	}
 	if userNode.AuthProvider.Name != "oidc" {
-		return nil, xerrors.Errorf("auth-provider.name must be oidc but is %s", userNode.AuthProvider.Name)
+		return nil, fmt.Errorf("auth-provider.name must be oidc but is %s", userNode.AuthProvider.Name)
 	}
 	if userNode.AuthProvider.Config == nil {
-		return nil, xerrors.New("auth-provider.config is missing")
+		return nil, errors.New("auth-provider.config is missing")
 	}

 	m := userNode.AuthProvider.Config
@@ -64,7 +78,7 @@ func findCurrentAuthProvider(config *api.Config, contextName ContextName, userNa
 	if m["extra-scopes"] != "" {
 		extraScopes = strings.Split(m["extra-scopes"], ",")
 	}
-	return &AuthProvider{
+	return &kubeconfig.AuthProvider{
 		LocationOfOrigin:            userNode.LocationOfOrigin,
 		UserName:                    userName,
 		ContextName:                 contextName,
--- a/pkg/adaptors/kubeconfig/load_test.go
+++ b/pkg/adaptors/kubeconfig/load_test.go
@@ -1,17 +1,17 @@
-package kubeconfig
+package loader

 import (
 	"os"
 	"testing"

 	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"k8s.io/client-go/tools/clientcmd/api"
 )

 func Test_loadByDefaultRules(t *testing.T) {
 	t.Run("google.yaml>keycloak.yaml", func(t *testing.T) {
-		setenv(t, "KUBECONFIG", "testdata/kubeconfig.google.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.keycloak.yaml")
-		defer unsetenv(t, "KUBECONFIG")
+		t.Setenv("KUBECONFIG", "testdata/kubeconfig.google.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.keycloak.yaml")

 		config, err := loadByDefaultRules("")
 		if err != nil {
@@ -35,8 +35,7 @@ func Test_loadByDefaultRules(t *testing.T) {
 	})

 	t.Run("keycloak.yaml>google.yaml", func(t *testing.T) {
-		setenv(t, "KUBECONFIG", "testdata/kubeconfig.keycloak.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.google.yaml")
-		defer unsetenv(t, "KUBECONFIG")
+		t.Setenv("KUBECONFIG", "testdata/kubeconfig.keycloak.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.google.yaml")

 		config, err := loadByDefaultRules("")
 		if err != nil {
@@ -60,20 +59,6 @@ func Test_loadByDefaultRules(t *testing.T) {
 	})
 }

-func setenv(t *testing.T, key, value string) {
-	t.Helper()
-	if err := os.Setenv(key, value); err != nil {
-		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
-	}
-}
-
-func unsetenv(t *testing.T, key string) {
-	t.Helper()
-	if err := os.Unsetenv(key); err != nil {
-		t.Fatalf("Could not unset the env var %s: %s", key, err)
-	}
-}
-
 func Test_findCurrentAuthProvider(t *testing.T) {
 	t.Run("CurrentContext", func(t *testing.T) {
 		got, err := findCurrentAuthProvider(&api.Config{
@@ -105,7 +90,7 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
-		want := &AuthProvider{
+		want := &kubeconfig.AuthProvider{
 			LocationOfOrigin:            "/path/to/kubeconfig",
 			UserName:                    "theUser",
 			ContextName:                 "theContext",
@@ -145,7 +130,7 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
-		want := &AuthProvider{
+		want := &kubeconfig.AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
 			ContextName:      "theContext",
@@ -173,7 +158,7 @@ func Test_findCurrentAuthProvider(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Could not find the current auth: %s", err)
 		}
-		want := &AuthProvider{
+		want := &kubeconfig.AuthProvider{
 			LocationOfOrigin: "/path/to/kubeconfig",
 			UserName:         "theUser",
 			IDPIssuerURL:     "https://accounts.google.com",
--- a/pkg/kubeconfig/loader/mock_Interface.go
+++ b/pkg/kubeconfig/loader/mock_Interface.go
@@ -0,0 +1,84 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package loader
+
+import (
+	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// GetCurrentAuthProvider provides a mock function with given fields: explicitFilename, contextName, userName
+func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	ret := _m.Called(explicitFilename, contextName, userName)
+
+	var r0 *kubeconfig.AuthProvider
+	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
+		r0 = rf(explicitFilename, contextName, userName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*kubeconfig.AuthProvider)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
+		r1 = rf(explicitFilename, contextName, userName)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetCurrentAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCurrentAuthProvider'
+type MockInterface_GetCurrentAuthProvider_Call struct {
+	*mock.Call
+}
+
+// GetCurrentAuthProvider is a helper method to define mock.On call
+//  - explicitFilename string
+//  - contextName kubeconfig.ContextName
+//  - userName kubeconfig.UserName
+func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
+	return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) Run(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(kubeconfig.ContextName), args[2].(kubeconfig.UserName))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(_a0 *kubeconfig.AuthProvider, _a1 error) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml
+++ b/pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml
--- a/pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml
+++ b/pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml
--- a/pkg/adaptors/kubeconfig/kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/kubeconfig.go
@@ -1,23 +1,5 @@
 package kubeconfig

-import (
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-)
-
-//go:generate mockgen -destination mock_kubeconfig/mock_kubeconfig.go github.com/int128/kubelogin/pkg/adaptors/kubeconfig Interface
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Kubeconfig), "*"),
-	wire.Bind(new(Interface), new(*Kubeconfig)),
-)
-
-type Interface interface {
-	GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error)
-	UpdateAuthProvider(auth *AuthProvider) error
-}
-
 // ContextName represents name of a context.
 type ContextName string

@@ -39,7 +21,3 @@ type AuthProvider struct {
 	IDToken                     string      // (optional) id-token
 	RefreshToken                string      // (optional) refresh-token
 }
-
-type Kubeconfig struct {
-	Logger logger.Interface
-}
--- a/pkg/kubeconfig/writer/mock_Interface.go
+++ b/pkg/kubeconfig/writer/mock_Interface.go
@@ -0,0 +1,73 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package writer
+
+import (
+	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// UpdateAuthProvider provides a mock function with given fields: p
+func (_m *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
+	ret := _m.Called(p)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_UpdateAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAuthProvider'
+type MockInterface_UpdateAuthProvider_Call struct {
+	*mock.Call
+}
+
+// UpdateAuthProvider is a helper method to define mock.On call
+//  - p kubeconfig.AuthProvider
+func (_e *MockInterface_Expecter) UpdateAuthProvider(p interface{}) *MockInterface_UpdateAuthProvider_Call {
+	return &MockInterface_UpdateAuthProvider_Call{Call: _e.mock.On("UpdateAuthProvider", p)}
+}
+
+func (_c *MockInterface_UpdateAuthProvider_Call) Run(run func(p kubeconfig.AuthProvider)) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(kubeconfig.AuthProvider))
+	})
+	return _c
+}
+
+func (_c *MockInterface_UpdateAuthProvider_Call) Return(_a0 error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/adaptors/kubeconfig/write.go
+++ b/pkg/adaptors/kubeconfig/write.go
@@ -1,35 +1,48 @@
-package kubeconfig
+package writer

 import (
+	"fmt"
 	"strings"

-	"golang.org/x/xerrors"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"k8s.io/client-go/tools/clientcmd"
 )

-func (*Kubeconfig) UpdateAuthProvider(p *AuthProvider) error {
+var Set = wire.NewSet(
+	wire.Struct(new(Writer), "*"),
+	wire.Bind(new(Interface), new(*Writer)),
+)
+
+type Interface interface {
+	UpdateAuthProvider(p kubeconfig.AuthProvider) error
+}
+
+type Writer struct{}
+
+func (Writer) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
 	config, err := clientcmd.LoadFromFile(p.LocationOfOrigin)
 	if err != nil {
-		return xerrors.Errorf("could not load %s: %w", p.LocationOfOrigin, err)
+		return fmt.Errorf("could not load %s: %w", p.LocationOfOrigin, err)
 	}
 	userNode, ok := config.AuthInfos[string(p.UserName)]
 	if !ok {
-		return xerrors.Errorf("user %s does not exist", p.UserName)
+		return fmt.Errorf("user %s does not exist", p.UserName)
 	}
 	if userNode.AuthProvider == nil {
-		return xerrors.Errorf("auth-provider is missing")
+		return fmt.Errorf("auth-provider is missing")
 	}
 	if userNode.AuthProvider.Name != "oidc" {
-		return xerrors.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
+		return fmt.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
 	}
 	copyAuthProviderConfig(p, userNode.AuthProvider.Config)
 	if err := clientcmd.WriteToFile(*config, p.LocationOfOrigin); err != nil {
-		return xerrors.Errorf("could not update %s: %w", p.LocationOfOrigin, err)
+		return fmt.Errorf("could not update %s: %w", p.LocationOfOrigin, err)
 	}
 	return nil
 }

-func copyAuthProviderConfig(p *AuthProvider, m map[string]string) {
+func copyAuthProviderConfig(p kubeconfig.AuthProvider, m map[string]string) {
 	setOrDeleteKey(m, "idp-issuer-url", p.IDPIssuerURL)
 	setOrDeleteKey(m, "client-id", p.ClientID)
 	setOrDeleteKey(m, "client-secret", p.ClientSecret)
--- a/pkg/adaptors/kubeconfig/write_test.go
+++ b/pkg/adaptors/kubeconfig/write_test.go
@@ -1,25 +1,22 @@
-package kubeconfig
+package writer

 import (
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"

 	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
 )

 func TestKubeconfig_UpdateAuth(t *testing.T) {
-	var k Kubeconfig
+	var w Writer

 	t.Run("MinimumKeys", func(t *testing.T) {
 		f := newKubeconfigFile(t)
-		defer func() {
-			if err := os.Remove(f.Name()); err != nil {
-				t.Errorf("Could not remove the temp file: %s", err)
-			}
-		}()
-		if err := k.UpdateAuthProvider(&AuthProvider{
-			LocationOfOrigin: f.Name(),
+		if err := w.UpdateAuthProvider(kubeconfig.AuthProvider{
+			LocationOfOrigin: f,
 			UserName:         "google",
 			IDPIssuerURL:     "https://accounts.google.com",
 			ClientID:         "GOOGLE_CLIENT_ID",
@@ -29,7 +26,7 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
-		b, err := ioutil.ReadFile(f.Name())
+		b, err := ioutil.ReadFile(f)
 		if err != nil {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}
@@ -60,13 +57,8 @@ users:

 	t.Run("FullKeys", func(t *testing.T) {
 		f := newKubeconfigFile(t)
-		defer func() {
-			if err := os.Remove(f.Name()); err != nil {
-				t.Errorf("Could not remove the temp file: %s", err)
-			}
-		}()
-		if err := k.UpdateAuthProvider(&AuthProvider{
-			LocationOfOrigin:            f.Name(),
+		if err := w.UpdateAuthProvider(kubeconfig.AuthProvider{
+			LocationOfOrigin:            f,
 			UserName:                    "google",
 			IDPIssuerURL:                "https://accounts.google.com",
 			ClientID:                    "GOOGLE_CLIENT_ID",
@@ -79,7 +71,7 @@ users:
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
-		b, err := ioutil.ReadFile(f.Name())
+		b, err := ioutil.ReadFile(f)
 		if err != nil {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}
@@ -112,8 +104,8 @@ users:
 	})
 }

-func newKubeconfigFile(t *testing.T) *os.File {
-	content := `apiVersion: v1
+const kubeconfigContent = `
+apiVersion: v1
 clusters: []
 kind: Config
 preferences: {}
@@ -123,13 +115,12 @@ users:
      auth-provider:
        config:
          idp-issuer-url: https://accounts.google.com
-        name: oidc`
-	f, err := ioutil.TempFile("", "kubeconfig")
-	if err != nil {
-		t.Fatalf("Could not create a file: %s", err)
-	}
-	defer f.Close()
-	if _, err := f.Write([]byte(content)); err != nil {
+        name: oidc
+`
+
+func newKubeconfigFile(t *testing.T) string {
+	f := filepath.Join(t.TempDir(), "kubeconfig")
+	if err := os.WriteFile(f, []byte(kubeconfigContent), 0644); err != nil {
 		t.Fatalf("Could not write kubeconfig: %s", err)
 	}
 	return f
--- a/pkg/mocks.go
+++ b/pkg/mocks.go
@@ -0,0 +1,3 @@
+package pkg
+
+//go:generate mockery --all --inpackage --with-expecter
--- a/pkg/adaptors/oidcclient/oidcclient.go
+++ b/pkg/adaptors/oidcclient/oidcclient.go
@@ -1,23 +1,20 @@
-package oidcclient
+package client

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"time"

-	gooidc "github.com/coreos/go-oidc"
-	"github.com/int128/kubelogin/pkg/adaptors/clock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/jwt"
+	gooidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/oauth2cli"
 	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
 )

-//go:generate mockgen -destination mock_oidcclient/mock_oidcclient.go github.com/int128/kubelogin/pkg/adaptors/oidcclient Interface
-
 type Interface interface {
 	GetAuthCodeURL(in AuthCodeURLInput) string
 	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error)
@@ -50,6 +47,8 @@ type GetTokenByAuthCodeInput struct {
 	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
 	LocalServerSuccessHTML string
+	LocalServerCertFile    string
+	LocalServerKeyFile     string
 }

 type client struct {
@@ -80,11 +79,13 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		LocalServerReadyChan:   localServerReadyChan,
 		RedirectURLHostname:    in.RedirectURLHostname,
 		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		LocalServerCertFile:    in.LocalServerCertFile,
+		LocalServerKeyFile:     in.LocalServerKeyFile,
 		Logf:                   c.logger.V(1).Infof,
 	}
 	token, err := oauth2cli.GetToken(ctx, config)
 	if err != nil {
-		return nil, xerrors.Errorf("oauth2 error: %w", err)
+		return nil, fmt.Errorf("oauth2 error: %w", err)
 	}
 	return c.verifyToken(ctx, token, in.Nonce)
 }
@@ -105,7 +106,7 @@ func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput)
 	opts := tokenRequestOptions(in.PKCEParams)
 	token, err := cfg.Exchange(ctx, in.Code, opts...)
 	if err != nil {
-		return nil, xerrors.Errorf("exchange error: %w", err)
+		return nil, fmt.Errorf("exchange error: %w", err)
 	}
 	return c.verifyToken(ctx, token, in.Nonce)
 }
@@ -145,7 +146,7 @@ func (c *client) GetTokenByROPC(ctx context.Context, username, password string)
 	ctx = c.wrapContext(ctx)
 	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
 	if err != nil {
-		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
+		return nil, fmt.Errorf("resource owner password credentials flow error: %w", err)
 	}
 	return c.verifyToken(ctx, token, "")
 }
@@ -160,7 +161,7 @@ func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenS
 	source := c.oauth2Config.TokenSource(ctx, currentToken)
 	token, err := source.Token()
 	if err != nil {
-		return nil, xerrors.Errorf("could not refresh the token: %w", err)
+		return nil, fmt.Errorf("could not refresh the token: %w", err)
 	}
 	return c.verifyToken(ctx, token, "")
 }
@@ -170,27 +171,18 @@ func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenS
 func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*oidc.TokenSet, error) {
 	idToken, ok := token.Extra("id_token").(string)
 	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
+		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
 	}
 	verifier := c.provider.Verifier(&gooidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
 	verifiedIDToken, err := verifier.Verify(ctx, idToken)
 	if err != nil {
-		return nil, xerrors.Errorf("could not verify the ID token: %w", err)
+		return nil, fmt.Errorf("could not verify the ID token: %w", err)
 	}
 	if nonce != "" && nonce != verifiedIDToken.Nonce {
-		return nil, xerrors.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
-	}
-	pretty, err := jwt.DecodePayloadAsPrettyJSON(idToken)
-	if err != nil {
-		return nil, xerrors.Errorf("could not decode the token: %w", err)
+		return nil, fmt.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
 	}
 	return &oidc.TokenSet{
-		IDToken: idToken,
-		IDTokenClaims: jwt.Claims{
-			Subject: verifiedIDToken.Subject,
-			Expiry:  verifiedIDToken.Expiry,
-			Pretty:  pretty,
-		},
+		IDToken:      idToken,
 		RefreshToken: token.RefreshToken,
 	}, nil
 }
--- a/pkg/oidc/client/factory.go
+++ b/pkg/oidc/client/factory.go
@@ -0,0 +1,89 @@
+// Package client provides a client of OpenID Connect.
+package client
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	gooidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/oidc/client/logging"
+	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
+	"golang.org/x/oauth2"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Factory), "*"),
+	wire.Bind(new(FactoryInterface), new(*Factory)),
+)
+
+type FactoryInterface interface {
+	New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error)
+}
+
+type Factory struct {
+	Loader loader.Loader
+	Clock  clock.Interface
+	Logger logger.Interface
+}
+
+// New returns an instance of infrastructure.Interface with the given configuration.
+func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
+	rawTLSClientConfig, err := f.Loader.Load(tlsClientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("could not load the TLS client config: %w", err)
+	}
+	baseTransport := &http.Transport{
+		TLSClientConfig: rawTLSClientConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	loggingTransport := &logging.Transport{
+		Base:   baseTransport,
+		Logger: f.Logger,
+	}
+	httpClient := &http.Client{
+		Transport: loggingTransport,
+	}
+
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	provider, err := gooidc.NewProvider(ctx, p.IssuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("oidc discovery error: %w", err)
+	}
+	supportedPKCEMethods, err := extractSupportedPKCEMethods(provider)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine supported PKCE methods: %w", err)
+	}
+	if len(supportedPKCEMethods) == 0 && p.UsePKCE {
+		supportedPKCEMethods = []string{pkce.MethodS256}
+	}
+	return &client{
+		httpClient: httpClient,
+		provider:   provider,
+		oauth2Config: oauth2.Config{
+			Endpoint:     provider.Endpoint(),
+			ClientID:     p.ClientID,
+			ClientSecret: p.ClientSecret,
+			Scopes:       append(p.ExtraScopes, gooidc.ScopeOpenID),
+		},
+		clock:                f.Clock,
+		logger:               f.Logger,
+		supportedPKCEMethods: supportedPKCEMethods,
+	}, nil
+}
+
+func extractSupportedPKCEMethods(provider *gooidc.Provider) ([]string, error) {
+	var d struct {
+		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
+	}
+	if err := provider.Claims(&d); err != nil {
+		return nil, fmt.Errorf("invalid discovery document: %w", err)
+	}
+	return d.CodeChallengeMethodsSupported, nil
+}
--- a/pkg/adaptors/oidcclient/logging/transport.go
+++ b/pkg/adaptors/oidcclient/logging/transport.go
@@ -4,7 +4,7 @@ import (
 	"net/http"
 	"net/http/httputil"

-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 )

 const (
--- a/pkg/adaptors/oidcclient/logging/transport_test.go
+++ b/pkg/adaptors/oidcclient/logging/transport_test.go
@@ -7,7 +7,6 @@ import (
 	"strings"
 	"testing"

-	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 )

@@ -22,9 +21,6 @@ func (t *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 }

 func TestLoggingTransport_RoundTrip(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
 	req := httptest.NewRequest("GET", "http://example.com/hello", nil)
 	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(`HTTP/1.1 200 OK
 Host: example.com
--- a/pkg/oidc/client/mock_FactoryInterface.go
+++ b/pkg/oidc/client/mock_FactoryInterface.go
@@ -0,0 +1,88 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package client
+
+import (
+	context "context"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+	mock "github.com/stretchr/testify/mock"
+
+	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
+)
+
+// MockFactoryInterface is an autogenerated mock type for the FactoryInterface type
+type MockFactoryInterface struct {
+	mock.Mock
+}
+
+type MockFactoryInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
+	return &MockFactoryInterface_Expecter{mock: &_m.Mock}
+}
+
+// New provides a mock function with given fields: ctx, p, tlsClientConfig
+func (_m *MockFactoryInterface) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
+	ret := _m.Called(ctx, p, tlsClientConfig)
+
+	var r0 Interface
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) Interface); ok {
+		r0 = rf(ctx, p, tlsClientConfig)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Interface)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
+		r1 = rf(ctx, p, tlsClientConfig)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockFactoryInterface_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
+type MockFactoryInterface_New_Call struct {
+	*mock.Call
+}
+
+// New is a helper method to define mock.On call
+//  - ctx context.Context
+//  - p oidc.Provider
+//  - tlsClientConfig tlsclientconfig.Config
+func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, p interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
+	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, p, tlsClientConfig)}
+}
+
+func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(oidc.Provider), args[2].(tlsclientconfig.Config))
+	})
+	return _c
+}
+
+func (_c *MockFactoryInterface_New_Call) Return(_a0 Interface, _a1 error) *MockFactoryInterface_New_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+type mockConstructorTestingTNewMockFactoryInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockFactoryInterface(t mockConstructorTestingTNewMockFactoryInterface) *MockFactoryInterface {
+	mock := &MockFactoryInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/oidc/client/mock_Interface.go
+++ b/pkg/oidc/client/mock_Interface.go
@@ -0,0 +1,303 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package client
+
+import (
+	context "context"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ExchangeAuthCode provides a mock function with given fields: ctx, in
+func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in)
+
+	var r0 *oidc.TokenSet
+	if rf, ok := ret.Get(0).(func(context.Context, ExchangeAuthCodeInput) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, ExchangeAuthCodeInput) error); ok {
+		r1 = rf(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
+type MockInterface_ExchangeAuthCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeAuthCode is a helper method to define mock.On call
+//  - ctx context.Context
+//  - in ExchangeAuthCodeInput
+func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
+	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(ExchangeAuthCodeInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+// GetAuthCodeURL provides a mock function with given fields: in
+func (_m *MockInterface) GetAuthCodeURL(in AuthCodeURLInput) string {
+	ret := _m.Called(in)
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(AuthCodeURLInput) string); ok {
+		r0 = rf(in)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
+type MockInterface_GetAuthCodeURL_Call struct {
+	*mock.Call
+}
+
+// GetAuthCodeURL is a helper method to define mock.On call
+//  - in AuthCodeURLInput
+func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
+	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(AuthCodeURLInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
+func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in, localServerReadyChan)
+
+	var r0 *oidc.TokenSet
+	if rf, ok := ret.Get(0).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in, localServerReadyChan)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) error); ok {
+		r1 = rf(ctx, in, localServerReadyChan)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
+type MockInterface_GetTokenByAuthCode_Call struct {
+	*mock.Call
+}
+
+// GetTokenByAuthCode is a helper method to define mock.On call
+//  - ctx context.Context
+//  - in GetTokenByAuthCodeInput
+//  - localServerReadyChan chan<- string
+func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
+	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(GetTokenByAuthCodeInput), args[2].(chan<- string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+// GetTokenByROPC provides a mock function with given fields: ctx, username, password
+func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, username, password)
+
+	var r0 *oidc.TokenSet
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, username, password)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, username, password)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
+type MockInterface_GetTokenByROPC_Call struct {
+	*mock.Call
+}
+
+// GetTokenByROPC is a helper method to define mock.On call
+//  - ctx context.Context
+//  - username string
+//  - password string
+func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
+	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: ctx, refreshToken
+func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, refreshToken)
+
+	var r0 *oidc.TokenSet
+	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockInterface_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//  - ctx context.Context
+//  - refreshToken string
+func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
+	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
+}
+
+func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+// SupportedPKCEMethods provides a mock function with given fields:
+func (_m *MockInterface) SupportedPKCEMethods() []string {
+	ret := _m.Called()
+
+	var r0 []string
+	if rf, ok := ret.Get(0).(func() []string); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]string)
+		}
+	}
+
+	return r0
+}
+
+// MockInterface_SupportedPKCEMethods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SupportedPKCEMethods'
+type MockInterface_SupportedPKCEMethods_Call struct {
+	*mock.Call
+}
+
+// SupportedPKCEMethods is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) SupportedPKCEMethods() *MockInterface_SupportedPKCEMethods_Call {
+	return &MockInterface_SupportedPKCEMethods_Call{Call: _e.mock.On("SupportedPKCEMethods")}
+}
+
+func (_c *MockInterface_SupportedPKCEMethods_Call) Run(run func()) *MockInterface_SupportedPKCEMethods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_SupportedPKCEMethods_Call) Return(_a0 []string) *MockInterface_SupportedPKCEMethods_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+type mockConstructorTestingTNewMockInterface interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
@@ -4,23 +4,34 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/binary"
+	"fmt"

 	"github.com/int128/kubelogin/pkg/jwt"
-	"golang.org/x/xerrors"
 )

-// TokenSet represents an output DTO of
-// Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
+// Provider represents an OIDC provider.
+type Provider struct {
+	IssuerURL    string
+	ClientID     string
+	ClientSecret string   // optional
+	ExtraScopes  []string // optional
+	UsePKCE      bool     // optional
+}
+
+// TokenSet represents a set of ID token and refresh token.
 type TokenSet struct {
-	IDToken       string
-	RefreshToken  string
-	IDTokenClaims jwt.Claims
+	IDToken      string
+	RefreshToken string
+}
+
+func (ts TokenSet) DecodeWithoutVerify() (*jwt.Claims, error) {
+	return jwt.DecodeWithoutVerify(ts.IDToken)
 }

 func NewState() (string, error) {
 	b, err := random32()
 	if err != nil {
-		return "", xerrors.Errorf("could not generate a random: %w", err)
+		return "", fmt.Errorf("could not generate a random: %w", err)
 	}
 	return base64URLEncode(b), nil
 }
@@ -28,7 +39,7 @@ func NewState() (string, error) {
 func NewNonce() (string, error) {
 	b, err := random32()
 	if err != nil {
-		return "", xerrors.Errorf("could not generate a random: %w", err)
+		return "", fmt.Errorf("could not generate a random: %w", err)
 	}
 	return base64URLEncode(b), nil
 }
@@ -36,7 +47,7 @@ func NewNonce() (string, error) {
 func random32() ([]byte, error) {
 	b := make([]byte, 32)
 	if err := binary.Read(rand.Reader, binary.LittleEndian, b); err != nil {
-		return nil, xerrors.Errorf("read error: %w", err)
+		return nil, fmt.Errorf("read error: %w", err)
 	}
 	return b, nil
 }
--- a/pkg/pkce/pkce.go
+++ b/pkg/pkce/pkce.go
@@ -7,15 +7,14 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/binary"
-
-	"golang.org/x/xerrors"
+	"fmt"
 )

 var Plain Params

 const (
 	// code challenge methods defined as https://tools.ietf.org/html/rfc7636#section-4.3
-	methodS256 = "S256"
+	MethodS256 = "S256"
 )

 // Params represents a set of the PKCE parameters.
@@ -34,7 +33,7 @@ func (p Params) IsZero() bool {
 // It returns Plain if no method is available.
 func New(methods []string) (Params, error) {
 	for _, method := range methods {
-		if method == methodS256 {
+		if method == MethodS256 {
 			return NewS256()
 		}
 	}
@@ -45,7 +44,7 @@ func New(methods []string) (Params, error) {
 func NewS256() (Params, error) {
 	b, err := random32()
 	if err != nil {
-		return Plain, xerrors.Errorf("could not generate a random: %w", err)
+		return Plain, fmt.Errorf("could not generate a random: %w", err)
 	}
 	return computeS256(b), nil
 }
@@ -53,7 +52,7 @@ func NewS256() (Params, error) {
 func random32() ([]byte, error) {
 	b := make([]byte, 32)
 	if err := binary.Read(rand.Reader, binary.LittleEndian, b); err != nil {
-		return nil, xerrors.Errorf("read error: %w", err)
+		return nil, fmt.Errorf("read error: %w", err)
 	}
 	return b, nil
 }
@@ -64,7 +63,7 @@ func computeS256(b []byte) Params {
 	_, _ = s.Write([]byte(v))
 	return Params{
 		CodeChallenge:       base64URLEncode(s.Sum(nil)),
-		CodeChallengeMethod: methodS256,
+		CodeChallengeMethod: MethodS256,
 		CodeVerifier:        v,
 	}
 }
--- a/pkg/testing/jwt/encode.go
+++ b/pkg/testing/jwt/encode.go
@@ -5,7 +5,7 @@ import (
 	"crypto/rsa"
 	"testing"

-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 )

 var PrivateKey = generateKey(1024)
--- a/pkg/testing/logger/logger.go
+++ b/pkg/testing/logger/logger.go
@@ -3,7 +3,7 @@ package logger
 import (
 	"fmt"

-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/spf13/pflag"
 )

--- a/pkg/testing/logger/mock_testingLogger.go
+++ b/pkg/testing/logger/mock_testingLogger.go
@@ -0,0 +1,72 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package logger
+
+import mock "github.com/stretchr/testify/mock"
+
+// mockTestingLogger is an autogenerated mock type for the testingLogger type
+type mockTestingLogger struct {
+	mock.Mock
+}
+
+type mockTestingLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *mockTestingLogger) EXPECT() *mockTestingLogger_Expecter {
+	return &mockTestingLogger_Expecter{mock: &_m.Mock}
+}
+
+// Logf provides a mock function with given fields: format, v
+func (_m *mockTestingLogger) Logf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// mockTestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
+type mockTestingLogger_Logf_Call struct {
+	*mock.Call
+}
+
+// Logf is a helper method to define mock.On call
+//  - format string
+//  - v ...interface{}
+func (_e *mockTestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *mockTestingLogger_Logf_Call {
+	return &mockTestingLogger_Logf_Call{Call: _e.mock.On("Logf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *mockTestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *mockTestingLogger_Logf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *mockTestingLogger_Logf_Call) Return() *mockTestingLogger_Logf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+type mockConstructorTestingTnewMockTestingLogger interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// newMockTestingLogger creates a new instance of mockTestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func newMockTestingLogger(t mockConstructorTestingTnewMockTestingLogger) *mockTestingLogger {
+	mock := &mockTestingLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/pkg/tlsclientconfig/config.go
+++ b/pkg/tlsclientconfig/config.go
@@ -0,0 +1,11 @@
+package tlsclientconfig
+
+import "crypto/tls"
+
+// Config represents a config for TLS client.
+type Config struct {
+	CACertFilename []string
+	CACertData     []string
+	SkipTLSVerify  bool
+	Renegotiation  tls.RenegotiationSupport
+}
--- a/Show More
+++ b/Show More