Move to CircleCI macOS build

2026-03-02 17:00:20 +00:00 · 2020-06-12 14:08:51 +09:00
69 changed files with 823 additions and 1174 deletions
--- a/.circleci/Makefile
+++ b/.circleci/Makefile
@@ -1,17 +0,0 @@
-.PHONY: all
-all:
-
-.PHONY: install-test-deps
-install-test-deps:
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(HOME)/go/bin v1.24.0
-	go get -v github.com/int128/goxzst
-
-.PHONY: install-release-deps
-install-release-deps: go
-	go get -v github.com/int128/goxzst github.com/int128/ghcp
-
-go:
-	curl -sSfL -o go.tgz "https://golang.org/dl/go`ruby go_version_from_config.rb < config.yml`.darwin-amd64.tar.gz"
-	tar -xf go.tgz
-	rm go.tgz
-	./go/bin/go version
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,16 +3,15 @@ version: 2.1
 jobs:
  test:
    docker:
-      - image: cimg/go:1.14.6
+      - image: cimg/go:1.14.4
    steps:
+      - run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
      - checkout
      - restore_cache:
          keys:
            - go-sum-{{ checksum "go.sum" }}
-      - run: make -C .circleci install-test-deps
      - run: make check
      - run: bash <(curl -s https://codecov.io/bash)
-      - run: make dist
      - save_cache:
          key: go-sum-{{ checksum "go.sum" }}
          paths:
@@ -20,17 +19,20 @@ jobs:
      - store_artifacts:
          path: gotest.log

-  release:
+  crossbuild:
    macos:
-      # https://circleci.com/docs/2.0/testing-ios/
      xcode: 11.5.0
    steps:
-      - run: echo 'export PATH="$HOME/go/bin:$PWD/.circleci/go/bin:$PATH"' >> $BASH_ENV
+      - run: |
+          curl -sSfL https://dl.google.com/go/go1.14.4.darwin-amd64.tar.gz | tar -C /tmp -xz
+          echo 'export PATH="$PATH:/tmp/go/bin:$HOME/go/bin"' >> $BASH_ENV
      - checkout
      - restore_cache:
          keys:
            - go-macos-{{ checksum "go.sum" }}
-      - run: make -C .circleci install-release-deps
+      - run:
+          command: go get -v github.com/int128/goxzst github.com/int128/ghcp
+          working_directory: .circleci
      - run: make dist
      - run: |
          if [ "$CIRCLE_TAG" ]; then
@@ -48,13 +50,11 @@ workflows:
      - test:
          filters:
            tags:
-              only: /^v.*/
-      - release:
+              only: /.*/
+      - crossbuild:
          context: open-source
          requires:
            - test
          filters:
-            branches:
-              only: /^release-feature.*/
            tags:
-              only: /^v.*/
+              only: /.*/
--- a/.circleci/go_version_from_config.rb
+++ b/.circleci/go_version_from_config.rb
@@ -1,11 +0,0 @@
-require 'yaml'
-
-config = YAML.load(STDIN)
-
-image = config["jobs"]["test"]["docker"][0]["image"]
-if !image.start_with?("cimg/go:")
-  raise "unknown image #{image} in #{configPath}"
-end
-
-goVersion = image.delete_prefix("cimg/go:")
-print(goVersion)
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,23 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: bug
-assignees: ''
-
---
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Environment**
- - OS: [e.g. macOS, Linux]
- - kubelogin version: [e.g. 1.19.3]
- - kubectl version: [e.g. 1.19]
- - OpenID Connect provider: [e.g. Google, Okta]
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,17 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: enhancement
-assignees: ''
-
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,8 +0,0 @@
-{
-  "extends": [
-    "config:base"
-  ],
-  "postUpdateOptions": [
-    "gomodTidy"
-  ]
-}
--- a/.github/workflows/acceptance-test.yaml
+++ b/.github/workflows/acceptance-test.yaml
@@ -1,6 +1,8 @@
+name: acceptance-test
 on: [push]
 jobs:
-  system-test:
+  build:
+    name: test
    # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
    runs-on: ubuntu-18.04
    steps:
@@ -22,8 +24,7 @@ jobs:
          sudo mv ./kind /usr/local/bin/kind
          kind version
      # https://packages.ubuntu.com/xenial/libnss3-tools
-      - run: sudo apt update
      - run: sudo apt install -y libnss3-tools
      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
-      - run: make -C system_test -j3 setup
-      - run: make -C system_test test
+      - run: make -C acceptance_test -j3 setup
+      - run: make -C acceptance_test test
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
 /.idea

-/system_test/output/
 /acceptance_test/output/

 /dist/output
@@ -9,5 +8,3 @@

 /kubelogin
 /kubectl-oidc_login
-
-/.circleci/go/
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) ![acceptance-test](https://github.com/int128/kubelogin/workflows/acceptance-test/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)

 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.

 Here is an example of Kubernetes authentication with the Google Identity Platform:

-<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/70971501-7bcebc80-20e4-11ea-8afc-539dcaea0aa8.gif" width="652" height="455">

 Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 When you run kubectl, kubelogin opens the browser and you can log in to the provider.
@@ -46,7 +46,7 @@ users:
      - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

-See [setup guide](docs/setup.md) for more.
+See [the setup guide](docs/setup.md) for more.


 ### Run
@@ -83,26 +83,21 @@ If the refresh token has expired, kubelogin will perform reauthentication.
 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
 Kubelogin will perform authentication if the token cache file does not exist.

-You can dump claims of an ID token by `setup` command.
+You can dump the claims of token by passing `-v1` option.

-```console
-% kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
-authentication in progress...
-
-## 2. Verify authentication
-
-You got a token with the following claims:
-
-{
+```
+I0221 21:54:08.151850   28231 get_token.go:104] you got a token: {
  "sub": "********",
  "iss": "https://accounts.google.com",
  "aud": "********",
-  ...
+  "iat": 1582289639,
+  "exp": 1582293239,
+  "jti": "********",
+  "nonce": "********",
+  "at_hash": "********"
 }
 ```

-You can verify kubelogin works with your provider using [acceptance test](acceptance_test).
-

 ## Usage

@@ -120,18 +115,18 @@ Flags:
      --oidc-client-id string                           Client ID of the provider (mandatory)
      --oidc-client-secret string                       Client secret of the provider
      --oidc-extra-scope strings                        Scopes to request to the provider
-      --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
      --certificate-authority string                    Path to a cert file for the certificate authority
-      --certificate-authority-data string               Base64 encoded cert for the certificate authority
-      --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
-      --skip-open-browser                               [authcode] Do not open the browser automatically
-      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
-      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
-      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
-      --username string                                 [password] Username for resource owner password credentials grant
-      --password string                                 [password] Password for resource owner password credentials grant
+      --certificate-authority-data string               Base64 encoded data for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --token-cache-dir string                          Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
  -h, --help                                            help for get-token

 Global Flags:
@@ -205,13 +200,6 @@ You can add extra parameters to the authentication request.
      - --oidc-auth-request-extra-params=ttl=86400
 ```

-When authentication completed, kubelogin shows a message to close the browser.
-You can change the URL to show after authentication.
-
-```yaml
-      - --open-url-after-authentication=https://example.com/success.html
-```
-
 #### Authorization code flow with keyboard interactive

 If you cannot access the browser, instead use the authorization code flow with keyboard interactive.
@@ -335,4 +323,4 @@ make
 ./kubelogin
 ```

-See also [the system test](system_test).
+See also [the acceptance test](acceptance_test).
--- a/acceptance_test/Makefile
+++ b/acceptance_test/Makefile
@@ -1,31 +1,100 @@
 CLUSTER_NAME := kubelogin-acceptance-test
 OUTPUT_DIR := $(CURDIR)/output

+PATH := $(PATH):$(OUTPUT_DIR)/bin
+export PATH
 KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
 export KUBECONFIG

-# create a Kubernetes cluster
-.PHONY: cluster
-cluster:
-	# create a cluster
-	mkdir -p $(OUTPUT_DIR)
-	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
-	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
-	# set up access control
-	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
-	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
-	# set up kubectl
+# run the login script instead of opening chrome
+BROWSER := $(OUTPUT_DIR)/bin/chromelogin
+export BROWSER
+
+.PHONY: test
+test: build
+	# see the setup instruction
+	kubectl oidc-login setup \
+		--oidc-issuer-url=https://dex-server:10443/dex \
+		--oidc-client-id=YOUR_CLIENT_ID \
+		--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--oidc-extra-scope=email \
+		--certificate-authority=$(OUTPUT_DIR)/ca.crt
+	# set up the kubeconfig
 	kubectl config set-credentials oidc \
 		--exec-api-version=client.authentication.k8s.io/v1beta1 \
-		--exec-command=$(CURDIR)/../kubelogin \
+		--exec-command=kubectl \
+		--exec-arg=oidc-login \
 		--exec-arg=get-token \
-		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
-		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
-		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
-		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
-		--exec-arg=--oidc-extra-scope=email
-	# switch the default user
+		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
+		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
+		--exec-arg=--oidc-extra-scope=email \
+		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
+	# make sure we can access the cluster
+	kubectl --user=oidc cluster-info
+	# switch the current context
 	kubectl config set-context --current --user=oidc
+	# make sure we can access the cluster
+	kubectl cluster-info
+
+.PHONY: setup
+setup: build dex cluster setup-chrome
+
+.PHONY: setup-chrome
+setup-chrome: $(OUTPUT_DIR)/ca.crt
+	# add the dex server certificate to the trust store
+	mkdir -p ~/.pki/nssdb
+	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
+
+# build binaries
+.PHONY: build
+build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
+$(OUTPUT_DIR)/bin/kubectl-oidc_login:
+	go build -o $@ ..
+$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
+	go build -o $@ ./chromelogin
+
+# create a Dex server
+.PHONY: dex
+dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
+	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
+	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
+	docker cp $(OUTPUT_DIR)/server.key dex-server:/
+	docker cp dex.yaml dex-server:/
+	docker start dex-server
+	docker logs dex-server
+
+$(OUTPUT_DIR)/ca.key:
+	mkdir -p $(OUTPUT_DIR)
+	openssl genrsa -out $@ 2048
+$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
+	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
+$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
+	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
+$(OUTPUT_DIR)/server.key:
+	mkdir -p $(OUTPUT_DIR)
+	openssl genrsa -out $@ 2048
+$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
+	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
+$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
+	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
+
+# create a Kubernetes cluster
+.PHONY: cluster
+cluster: dex create-cluster
+	# add the Dex container IP to /etc/hosts of kube-apiserver
+	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
+		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
+	# wait for kube-apiserver oidc initialization
+	# (oidc authenticator will retry oidc discovery every 10s)
+	sleep 10
+
+.PHONY: create-cluster
+create-cluster: $(OUTPUT_DIR)/ca.crt
+	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-acceptance-test-dex-ca.crt
+	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com

 # clean up the resources
 .PHONY: clean
@@ -34,9 +103,7 @@ clean:
 .PHONY: delete-cluster
 delete-cluster:
 	kind delete cluster --name $(CLUSTER_NAME)
-
-.PHONY: check
-check:
-	docker version
-	kind version
-	kubectl version --client
+.PHONY: delete-dex
+delete-dex:
+	docker stop dex-server
+	docker rm dex-server
--- a/acceptance_test/README.md
+++ b/acceptance_test/README.md
@@ -1,75 +1,109 @@
 # kubelogin/acceptance_test

-This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
+This is an acceptance test for walkthrough of the OIDC initial setup and plugin behavior using a real Kubernetes cluster and OpenID Connect provider, running on [GitHub Actions](https://github.com/int128/kubelogin/actions?query=workflow%3Aacceptance-test).
+
+It is intended to verify the following points:
+
+- User can set up Kubernetes OIDC authentication and this plugin.
+- User can access a cluster after login.
+
+It performs the test using the following components:
+
+- Kubernetes cluster (Kind)
+- OIDC provider (Dex)
+- Browser (Chrome)
+- kubectl command


-## Purpose
+## How it works

-This test checks the following points:
+Let's take a look at the diagram.

-1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
-1. The plugin works with your OIDC provider.
+![diagram](../docs/acceptance-test-diagram.svg)
+
+It prepares the following resources:
+
+1. Generate a pair of CA certificate and TLS server certificate for Dex.
+1. Run Dex on a container.
+1. Create a Kubernetes cluster using Kind.
+1. Mutate `/etc/hosts` of the CI machine to access Dex.
+1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
+
+It performs the test by the following steps:
+
+1. Run kubectl.
+1. kubectl automatically runs kubelogin.
+1. kubelogin automatically runs [chromelogin](chromelogin).
+1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
+1. kubelogin gets an authorization code from the browser.
+1. kubelogin gets a token.
+1. kubectl accesses an API with the token.
+1. kube-apiserver verifies the token by Dex.
+1. Check if kubectl exited with code 0.


-## Getting Started
+## Run locally

-### Prerequisite
-
-You need to build the plugin into the parent directory.
-
-```sh
-make -C ..
-```
-
-You need to set up your provider.
-See [setup guide](../docs/setup.md) for more.
-
-You need to install the following tools:
+You need to set up the following components:

 - Docker
 - Kind
- kubectl
+- Chrome or Chromium

-You can check if the tools are available.
+You need to add the following line to `/etc/hosts` so that the browser can access the Dex.

-```sh
-make check
+```
+127.0.0.1 dex-server
 ```

-### 1. Create a cluster
+Run the test.

-Create a cluster.
-For example, you can create a cluster with Google account authentication.
+```shell script
+# run the test
+make

-```sh
-make OIDC_ISSUER_URL=https://accounts.google.com \
-  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
-  OIDC_CLIENT_SECRET=REDACTED \
-  YOUR_EMAIL=REDACTED@gmail.com
-```
-
-It will do the following steps:
-
-1. Create a cluster.
-1. Set up access control. It allows read-only access from your email address.
-1. Set up kubectl to enable the plugin.
-
-You can change kubectl configuration in generated `output/kubeconfig.yaml`.
-
-### 2. Run kubectl
-
-Make sure you can log in to the provider and access the cluster.
-
-```console
-% export KUBECONFIG=$PWD/output/kubeconfig.yaml
-% kubectl get pods -A
-```
-
-### Clean up
-
-To delete the cluster and generated files:
-
-```sh
+# clean up
 make delete-cluster
-make clean
+make delete-dex
 ```
+
+
+## Technical consideration
+
+### Network and DNS
+
+Consider the following issues:
+
+- kube-apiserver runs on the host network of the kind container.
+- kube-apiserver cannot resolve a service name by kube-dns.
+- kube-apiserver cannot access a cluster IP.
+- kube-apiserver can access another container via the Docker network.
+- Chrome requires exactly match of domain name between Dex URL and a server certificate.
+
+Consequently,
+
+- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
+- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
+
+### TLS server certificate
+
+Consider the following issues:
+
+- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
+- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
+- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
+- It is possible to mount a file from the CI machine.
+- It is not possible to issue a certificate using Let's Encrypt in runtime.
+- Chrome requires a valid certificate in `~/.pki/nssdb`.
+
+As a result,
+
+- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
+- kubelogin uses the CA certificate in `output/ca.crt`.
+- Chrome uses the CA certificate in `~/.pki/nssdb`.
+
+### Test environment
+
+- Set the issuer URL to kubectl. See [`kubeconfig_oidc.yaml`](kubeconfig_oidc.yaml).
+- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
+- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.
--- a/acceptance_test/chromelogin/main.go
+++ b/acceptance_test/chromelogin/main.go
--- a/acceptance_test/cluster.yaml
+++ b/acceptance_test/cluster.yaml
@@ -1,5 +1,6 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
 kubeadmConfigPatches:
  - |
    apiVersion: kubeadm.k8s.io/v1beta2
@@ -8,6 +9,12 @@ kubeadmConfigPatches:
      name: config
    apiServer:
      extraArgs:
-        oidc-issuer-url: OIDC_ISSUER_URL
-        oidc-client-id: OIDC_CLIENT_ID
+        oidc-issuer-url: https://dex-server:10443/dex
+        oidc-client-id: YOUR_CLIENT_ID
        oidc-username-claim: email
+        oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
+nodes:
+  - role: control-plane
+    extraMounts:
+      - hostPath: /tmp/kubelogin-acceptance-test-dex-ca.crt
+        containerPath: /usr/local/share/ca-certificates/dex-ca.crt
--- a/acceptance_test/dex.yaml
+++ b/acceptance_test/dex.yaml
--- a/acceptance_test/openssl.cnf
+++ b/acceptance_test/openssl.cnf
--- a/dist/Dockerfile
+++ b/dist/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.12
+FROM alpine:3.11

 ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
 ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
--- a/dist/oidc-login.yaml
+++ b/dist/oidc-login.yaml
@@ -22,6 +22,8 @@ spec:

  caveats: |
    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+    See https://github.com/int128/kubelogin for more.
+
  version: {{ env "VERSION" }}
  platforms:
    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
--- a/docs/acceptance-test-diagram.svg
+++ b/docs/acceptance-test-diagram.svg
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -126,9 +126,6 @@ Variable                | Value

 You do not need to set `YOUR_CLIENT_SECRET`.

-If you need `groups` claim for access control,
-see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
-

 ## 2. Verify authentication

--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -75,6 +75,59 @@ If the refresh token has expired, kubelogin will proceed the authentication.

 ## Usage

+Kubelogin supports the following options:
+
+```
+% kubectl oidc-login -h
+Login to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+Run the following command to show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.
+
+Usage:
+  main [flags]
+  main [command]
+
+Available Commands:
+  get-token   Run as a kubectl credential plugin
+  help        Help about any command
+  setup       Show the setup instruction
+  version     Print the version information
+
+Flags:
+      --kubeconfig string                               Path to the kubeconfig file
+      --context string                                  The name of the kubeconfig context to use
+      --user string                                     The name of the kubeconfig user to use. Prior to --context
+      --certificate-authority string                    Path to a cert file for the certificate authority
+      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --grant-type string                               The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --listen-port ints                                (Deprecated: use --listen-address)
+      --skip-open-browser                               If true, it does not open the browser on authentication
+      --oidc-redirect-url-hostname string               Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   Extra query parameters to send with an authentication request (default [])
+      --username string                                 If set, perform the resource owner password credentials grant
+      --password string                                 If set, use the password instead of asking it
+      --add_dir_header                                  If true, adds the file directory to the header
+      --alsologtostderr                                 log to standard error as well as files
+      --log_backtrace_at traceLocation                  when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                                  If non-empty, write log files in this directory
+      --log_file string                                 If non-empty, use this log file
+      --log_file_max_size uint                          Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                                     log to standard error instead of files (default true)
+      --skip_headers                                    If true, avoid header prefixes in the log messages
+      --skip_log_headers                                If true, avoid headers when opening log files
+      --stderrthreshold severity                        logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                                         number for the log level verbosity
+      --vmodule moduleSpec                              comma-separated list of pattern=N settings for file-filtered logging
+  -h, --help                                            help for kubelogin
+      --version                                         version for kubelogin
+```
+
 ### Kubeconfig

 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
--- a/go.mod
+++ b/go.mod
@@ -6,21 +6,21 @@ require (
 	github.com/chromedp/chromedp v0.5.3
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/golang/mock v1.4.4
-	github.com/google/go-cmp v0.5.1
+	github.com/golang/mock v1.4.3
+	github.com/google/go-cmp v0.4.1
 	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.12.1
+	github.com/int128/oauth2cli v1.11.0
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v1.0.0
+	github.com/spf13/cobra v0.0.7
 	github.com/spf13/pflag v1.0.5
 	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
 	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/apimachinery v0.18.6
-	k8s.io/client-go v0.18.6
+	k8s.io/apimachinery v0.18.3
+	k8s.io/client-go v0.18.3
 	k8s.io/klog v1.0.0
 )
--- a/go.sum
+++ b/go.sum
@@ -69,8 +69,8 @@ github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -82,10 +82,10 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1 h1:JFrFEBb2xKufg6XkJsJr+WbKb4FQlURi5RUcBveYu9k=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1 h1:/exdXoGamhu5ONeUJH0deniYLWYvQwW66yvlfiiKTu0=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
@@ -115,8 +115,8 @@ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
 github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
-github.com/int128/oauth2cli v1.12.1 h1:F+6sykVdM+0rede+jAJ2RICP3GAsLLGvPjSFLlI0U9Q=
-github.com/int128/oauth2cli v1.12.1/go.mod h1:0Wf2wAxKJNzbkPkUIYNhTjeLn/pqIBDOBAGfwrxGYQw=
+github.com/int128/oauth2cli v1.11.0 h1:yohafseIxX8xESedQOxB3rpuuodDowYiPaTFMpqPP3Q=
+github.com/int128/oauth2cli v1.11.0/go.mod h1:O3Tjuj1cyQCuM11KbH2ffh0O6LRX0+O97Z3InsY0M3g=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
@@ -184,8 +184,8 @@ github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasO
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8=
-github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/cobra v0.0.7 h1:FfTH+vuMXOas8jmfb5/M7dzEYx7LpcLb7a0LPe34uOU=
+github.com/spf13/cobra v0.0.7/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
@@ -249,8 +249,6 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEha
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -264,6 +262,7 @@ golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
@@ -316,12 +315,12 @@ gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.18.6 h1:osqrAXbOQjkKIWDTjrqxWQ3w0GkKb1KA1XkUGHHYpeE=
-k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
-k8s.io/apimachinery v0.18.6 h1:RtFHnfGNfd1N0LeSrKCUznz5xtUP1elRGvHJbL3Ntag=
-k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
-k8s.io/client-go v0.18.6 h1:I+oWqJbibLSGsZj8Xs8F0aWVXJVIoUHWaaJV3kUN/Zw=
-k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q=
+k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0=
+k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA=
+k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk=
+k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
+k8s.io/client-go v0.18.3 h1:QaJzz92tsN67oorwzmoB0a9r9ZVHuD5ryjbCKP0U22k=
+k8s.io/client-go v0.18.3/go.mod h1:4a/dpQEvzAhT1BbuWW09qvIaGw6Gbu1gZYiQZIi1DMw=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
@@ -330,6 +329,10 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 h1:d4vVOjXm687F1iLSP2q3lyPPuyvTUt3aVoBpi2DqRsU=
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
--- a/integration_test/credetial_plugin_test.go
+++ b/integration_test/credetial_plugin_test.go
@@ -52,11 +52,6 @@ func TestCredentialPlugin(t *testing.T) {
 			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
 		},
 	} {
-		httpDriverOption := httpdriver.Option{
-			TLSConfig:    tc.keyPair.TLSConfig,
-			BodyContains: "Authenticated",
-		}
-
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
 				t.Parallel()
@@ -76,7 +71,7 @@ func TestCredentialPlugin(t *testing.T) {
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
 					issuerURL:     sv.IssuerURL(),
-					httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+					httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 					now:           now,
 					stdout:        &stdout,
 					args:          tc.args,
@@ -137,7 +132,7 @@ func TestCredentialPlugin(t *testing.T) {
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
 						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
@@ -173,7 +168,7 @@ func TestCredentialPlugin(t *testing.T) {
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
 						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 						now:           now.Add(2 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
@@ -195,7 +190,7 @@ func TestCredentialPlugin(t *testing.T) {
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
 						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						httpDriver:    httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 						now:           now.Add(4 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
@@ -226,7 +221,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			httpDriver:    httpdriver.New(ctx, t, nil),
 			now:           now,
 			stdout:        &stdout,
 		})
@@ -251,7 +246,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
+			httpDriver:    httpdriver.New(ctx, t, keypair.Server.TLSConfig),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
@@ -277,7 +272,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			httpDriver:    httpdriver.New(ctx, t, nil),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -288,32 +283,6 @@ func TestCredentialPlugin(t *testing.T) {
 		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

-	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
-			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
-			},
-		})
-		defer sv.Shutdown(t, ctx)
-		var stdout bytes.Buffer
-		runGetToken(t, ctx, getTokenConfig{
-			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "URL=https://example.com/success"}),
-			now:           now,
-			stdout:        &stdout,
-			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
-		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
-	})
-
 	t.Run("RedirectURLHostname", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
@@ -332,7 +301,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			httpDriver:    httpdriver.New(ctx, t, nil),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
@@ -362,7 +331,7 @@ func TestCredentialPlugin(t *testing.T) {
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
 			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			httpDriver:    httpdriver.New(ctx, t, nil),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
--- a/integration_test/httpdriver/http_driver.go
+++ b/integration_test/httpdriver/http_driver.go
@@ -4,20 +4,13 @@ package httpdriver
 import (
 	"context"
 	"crypto/tls"
-	"io/ioutil"
 	"net/http"
-	"strings"
 	"testing"
 )

-type Option struct {
-	TLSConfig    *tls.Config
-	BodyContains string
-}
-
 // New returns a client to simulate browser access.
-func New(ctx context.Context, t *testing.T, o Option) *client {
-	return &client{ctx, t, o}
+func New(ctx context.Context, t *testing.T, tlsConfig *tls.Config) *client {
+	return &client{ctx, t, tlsConfig}
 }

 // Zero returns a client which call is not expected.
@@ -26,13 +19,13 @@ func Zero(t *testing.T) *zeroClient {
 }

 type client struct {
-	ctx context.Context
-	t   *testing.T
-	o   Option
+	ctx       context.Context
+	t         *testing.T
+	tlsConfig *tls.Config
 }

 func (c *client) Open(url string) error {
-	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.o.TLSConfig}}
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.tlsConfig}}
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		c.t.Errorf("could not create a request: %s", err)
@@ -48,15 +41,6 @@ func (c *client) Open(url string) error {
 	if resp.StatusCode != 200 {
 		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
 	}
-	b, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		c.t.Errorf("could not read body: %s", err)
-		return nil
-	}
-	body := string(b)
-	if !strings.Contains(body, c.o.BodyContains) {
-		c.t.Errorf("body should contain %s but was %s", c.o.BodyContains, body)
-	}
 	return nil
 }

--- a/integration_test/standalone_test.go
+++ b/integration_test/standalone_test.go
@@ -36,11 +36,6 @@ func TestStandalone(t *testing.T) {
 			keyPair: keypair.Server,
 		},
 	} {
-		httpDriverOption := httpdriver.Option{
-			TLSConfig:    tc.keyPair.TLSConfig,
-			BodyContains: "Authenticated",
-		}
-
 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
 				t.Parallel()
@@ -64,7 +59,7 @@ func TestStandalone(t *testing.T) {
 				runStandalone(t, ctx, standaloneConfig{
 					issuerURL:          sv.IssuerURL(),
 					kubeConfigFilename: kubeConfigFilename,
-					httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+					httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 					now:                now,
 				})
 				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -136,7 +131,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 						now:                now,
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -172,7 +167,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 						now:                now.Add(2 * time.Hour),
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -194,7 +189,7 @@ func TestStandalone(t *testing.T) {
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
-						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						httpDriver:         httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
 						now:                now.Add(4 * time.Hour),
 					})
 					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -228,7 +223,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig}),
+			httpDriver:         httpdriver.New(ctx, t, keypair.Server.TLSConfig),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -258,7 +253,7 @@ func TestStandalone(t *testing.T) {
 		defer unsetenv(t, "KUBECONFIG")
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:  sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{}),
+			httpDriver: httpdriver.New(ctx, t, nil),
 			now:        now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -289,7 +284,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{}),
+			httpDriver:         httpdriver.New(ctx, t, nil),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
--- a/pkg/adaptors/browser/mock_browser/mock_browser.go
+++ b/pkg/adaptors/browser/mock_browser/mock_browser.go
@@ -9,30 +9,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// Open mocks base method.
+// Open mocks base method
 func (m *MockInterface) Open(arg0 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Open", arg0)
@@ -40,7 +40,7 @@ func (m *MockInterface) Open(arg0 string) error {
 	return ret0
 }

-// Open indicates an expected call of Open.
+// Open indicates an expected call of Open
 func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
--- a/pkg/adaptors/certpool/mock_certpool/mock_certpool.go
+++ b/pkg/adaptors/certpool/mock_certpool/mock_certpool.go
@@ -10,30 +10,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// AddBase64Encoded mocks base method.
+// AddBase64Encoded mocks base method
 func (m *MockInterface) AddBase64Encoded(arg0 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AddBase64Encoded", arg0)
@@ -41,13 +41,13 @@ func (m *MockInterface) AddBase64Encoded(arg0 string) error {
 	return ret0
 }

-// AddBase64Encoded indicates an expected call of AddBase64Encoded.
+// AddBase64Encoded indicates an expected call of AddBase64Encoded
 func (mr *MockInterfaceMockRecorder) AddBase64Encoded(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddBase64Encoded", reflect.TypeOf((*MockInterface)(nil).AddBase64Encoded), arg0)
 }

-// AddFile mocks base method.
+// AddFile mocks base method
 func (m *MockInterface) AddFile(arg0 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "AddFile", arg0)
@@ -55,19 +55,19 @@ func (m *MockInterface) AddFile(arg0 string) error {
 	return ret0
 }

-// AddFile indicates an expected call of AddFile.
+// AddFile indicates an expected call of AddFile
 func (mr *MockInterfaceMockRecorder) AddFile(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFile", reflect.TypeOf((*MockInterface)(nil).AddFile), arg0)
 }

-// SetRootCAs mocks base method.
+// SetRootCAs mocks base method
 func (m *MockInterface) SetRootCAs(arg0 *tls.Config) {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "SetRootCAs", arg0)
 }

-// SetRootCAs indicates an expected call of SetRootCAs.
+// SetRootCAs indicates an expected call of SetRootCAs
 func (mr *MockInterfaceMockRecorder) SetRootCAs(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRootCAs", reflect.TypeOf((*MockInterface)(nil).SetRootCAs), arg0)
--- a/pkg/adaptors/cmd/authentication.go
+++ b/pkg/adaptors/cmd/authentication.go
@@ -1,87 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
-	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
-)
-
-type authenticationOptions struct {
-	GrantType                  string
-	ListenAddress              []string
-	ListenPort                 []int // deprecated
-	SkipOpenBrowser            bool
-	OpenURLAfterAuthentication string
-	RedirectURLHostname        string
-	AuthRequestExtraParams     map[string]string
-	Username                   string
-	Password                   string
-}
-
-// determineListenAddress returns the addresses from the flags.
-// Note that --listen-address is always given due to the default value.
-// If --listen-port is not set, it returns --listen-address.
-// If --listen-port is set, it returns the strings of --listen-port.
-func (o *authenticationOptions) determineListenAddress() []string {
-	if len(o.ListenPort) == 0 {
-		return o.ListenAddress
-	}
-	var a []string
-	for _, p := range o.ListenPort {
-		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return a
-}
-
-var allGrantType = strings.Join([]string{
-	"auto",
-	"authcode",
-	"authcode-keyboard",
-	"password",
-}, "|")
-
-func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
-	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("Authorization grant type to use. One of (%s)", allGrantType))
-	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "[authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order")
-	//TODO: remove the deprecated flag
-	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "[authcode] deprecated: port to bind to the local server")
-	if err := f.MarkDeprecated("listen-port", "use --listen-address instead"); err != nil {
-		panic(err)
-	}
-	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
-	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
-	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
-	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
-	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
-	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
-}
-
-func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
-	switch {
-	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
-		s.AuthCodeBrowserOption = &authcode.BrowserOption{
-			BindAddress:                o.determineListenAddress(),
-			SkipOpenBrowser:            o.SkipOpenBrowser,
-			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
-			RedirectURLHostname:        o.RedirectURLHostname,
-			AuthRequestExtraParams:     o.AuthRequestExtraParams,
-		}
-	case o.GrantType == "authcode-keyboard":
-		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
-			AuthRequestExtraParams: o.AuthRequestExtraParams,
-		}
-	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
-		s.ROPCOption = &ropc.Option{
-			Username: o.Username,
-			Password: o.Password,
-		}
-	default:
-		err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
-	}
-	return
-}
--- a/pkg/adaptors/cmd/cmd_test.go
+++ b/pkg/adaptors/cmd/cmd_test.go
@@ -7,8 +7,6 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -28,7 +26,7 @@ func TestCmd_Run(t *testing.T) {
 				args: []string{executable},
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
+						AuthCodeOption: &authentication.AuthCodeOption{
 							BindAddress:         defaultListenAddress,
 							RedirectURLHostname: "localhost",
 						},
@@ -43,7 +41,7 @@ func TestCmd_Run(t *testing.T) {
 				},
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
+						AuthCodeOption: &authentication.AuthCodeOption{
 							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							RedirectURLHostname: "localhost",
 						},
@@ -60,7 +58,7 @@ func TestCmd_Run(t *testing.T) {
 				},
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
+						AuthCodeOption: &authentication.AuthCodeOption{
 							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							RedirectURLHostname: "localhost",
 						},
@@ -73,14 +71,12 @@ func TestCmd_Run(t *testing.T) {
 					"--context", "hello.k8s.local",
 					"--user", "google",
 					"--certificate-authority", "/path/to/cacert",
-					"--certificate-authority-data", "BASE64ENCODED",
 					"--insecure-skip-tls-verify",
 					"-v1",
 					"--grant-type", "authcode",
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
-					"--open-url-after-authentication", "https://example.com/success.html",
 					"--username", "USER",
 					"--password", "PASS",
 				},
@@ -89,14 +85,12 @@ func TestCmd_Run(t *testing.T) {
 					KubeconfigContext:  "hello.k8s.local",
 					KubeconfigUser:     "google",
 					CACertFilename:     "/path/to/cacert",
-					CACertData:         "BASE64ENCODED",
 					SkipTLSVerify:      true,
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:            true,
-							OpenURLAfterAuthentication: "https://example.com/success.html",
-							RedirectURLHostname:        "localhost",
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:         []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:     true,
+							RedirectURLHostname: "localhost",
 						},
 					},
 				},
@@ -107,7 +101,7 @@ func TestCmd_Run(t *testing.T) {
 				},
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authcode.KeyboardOption{},
+						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
 					},
 				},
 			},
@@ -121,7 +115,7 @@ func TestCmd_Run(t *testing.T) {
 				},
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
+						ROPCOption: &authentication.ROPCOption{
 							Username: "USER",
 							Password: "PASS",
 						},
@@ -137,7 +131,7 @@ func TestCmd_Run(t *testing.T) {
 				},
 				in: standalone.Input{
 					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
+						ROPCOption: &authentication.ROPCOption{
 							Username: "USER",
 							Password: "PASS",
 						},
@@ -200,7 +194,7 @@ func TestCmd_Run(t *testing.T) {
 					IssuerURL:     "https://issuer.example.com",
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
+						AuthCodeOption: &authentication.AuthCodeOption{
 							BindAddress:         []string{"127.0.0.1:8000", "127.0.0.1:18000"},
 							RedirectURLHostname: "localhost",
 						},
@@ -223,7 +217,6 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
-					"--open-url-after-authentication", "https://example.com/success.html",
 					"--oidc-auth-request-extra-params", "ttl=86400",
 					"--oidc-auth-request-extra-params", "reauth=true",
 					"--username", "USER",
@@ -239,12 +232,11 @@ func TestCmd_Run(t *testing.T) {
 					CACertData:     "BASE64ENCODED",
 					SkipTLSVerify:  true,
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser:            true,
-							OpenURLAfterAuthentication: "https://example.com/success.html",
-							RedirectURLHostname:        "localhost",
-							AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
+						AuthCodeOption: &authentication.AuthCodeOption{
+							BindAddress:            []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+							SkipOpenBrowser:        true,
+							RedirectURLHostname:    "localhost",
+							AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 						},
 					},
 				},
@@ -262,7 +254,7 @@ func TestCmd_Run(t *testing.T) {
 					IssuerURL:     "https://issuer.example.com",
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authcode.KeyboardOption{
+						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{
 							AuthRequestExtraParams: map[string]string{"ttl": "86400"},
 						},
 					},
@@ -284,7 +276,7 @@ func TestCmd_Run(t *testing.T) {
 					IssuerURL:     "https://issuer.example.com",
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
+						ROPCOption: &authentication.ROPCOption{
 							Username: "USER",
 							Password: "PASS",
 						},
@@ -306,7 +298,7 @@ func TestCmd_Run(t *testing.T) {
 					IssuerURL:     "https://issuer.example.com",
 					ClientID:      "YOUR_CLIENT_ID",
 					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &ropc.Option{
+						ROPCOption: &authentication.ROPCOption{
 							Username: "USER",
 							Password: "PASS",
 						},
--- a/pkg/adaptors/cmd/get_token.go
+++ b/pkg/adaptors/cmd/get_token.go
@@ -14,19 +14,24 @@ type getTokenOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
+	CACertFilename        string
+	CACertData            string
+	SkipTLSVerify         bool
 	TokenCacheDir         string
-	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 }

-func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
+func (o *getTokenOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
-	o.tlsOptions.addFlags(f)
-	o.authenticationOptions.addFlags(f)
+	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
+	o.authenticationOptions.register(f)
 }

 type GetToken struct {
@@ -61,9 +66,9 @@ func (cmd *GetToken) New() *cobra.Command {
 				ClientID:       o.ClientID,
 				ClientSecret:   o.ClientSecret,
 				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.tlsOptions.CACertFilename,
-				CACertData:     o.tlsOptions.CACertData,
-				SkipTLSVerify:  o.tlsOptions.SkipTLSVerify,
+				CACertFilename: o.CACertFilename,
+				CACertData:     o.CACertData,
+				SkipTLSVerify:  o.SkipTLSVerify,
 				TokenCacheDir:  o.TokenCacheDir,
 				GrantOptionSet: grantOptionSet,
 			}
@@ -73,7 +78,6 @@ func (cmd *GetToken) New() *cobra.Command {
 			return nil
 		},
 	}
-	c.Flags().SortFlags = false
-	o.addFlags(c.Flags())
+	o.register(c.Flags())
 	return c
 }
--- a/pkg/adaptors/cmd/root.go
+++ b/pkg/adaptors/cmd/root.go
@@ -1,18 +1,22 @@
 package cmd

 import (
+	"fmt"
+	"strings"
+
 	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"golang.org/x/xerrors"
 )

-const rootDescription = `Log in to the OpenID Connect provider.
+const longDescription = `Login to the OpenID Connect provider.

 You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
-To show the setup instruction:
+Run the following command to show the setup instruction:

 	kubectl oidc-login setup

@@ -24,16 +28,88 @@ type rootOptions struct {
 	Kubeconfig            string
 	Context               string
 	User                  string
-	tlsOptions            tlsOptions
+	CertificateAuthority  string
+	SkipTLSVerify         bool
 	authenticationOptions authenticationOptions
 }

-func (o *rootOptions) addFlags(f *pflag.FlagSet) {
+func (o *rootOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
 	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
-	f.StringVar(&o.Context, "context", "", "Name of the kubeconfig context to use")
-	f.StringVar(&o.User, "user", "", "Name of the kubeconfig user to use. Prior to --context")
-	o.tlsOptions.addFlags(f)
-	o.authenticationOptions.addFlags(f)
+	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
+	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
+	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	o.authenticationOptions.register(f)
+}
+
+type authenticationOptions struct {
+	GrantType              string
+	ListenAddress          []string
+	ListenPort             []int // deprecated
+	SkipOpenBrowser        bool
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
+	Username               string
+	Password               string
+}
+
+// determineListenAddress returns the addresses from the flags.
+// Note that --listen-address is always given due to the default value.
+// If --listen-port is not set, it returns --listen-address.
+// If --listen-port is set, it returns the strings of --listen-port.
+func (o *authenticationOptions) determineListenAddress() []string {
+	if len(o.ListenPort) == 0 {
+		return o.ListenAddress
+	}
+	var a []string
+	for _, p := range o.ListenPort {
+		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
+	}
+	return a
+}
+
+var allGrantType = strings.Join([]string{
+	"auto",
+	"authcode",
+	"authcode-keyboard",
+	"password",
+}, "|")
+
+func (o *authenticationOptions) register(f *pflag.FlagSet) {
+	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("The authorization grant type to use. One of (%s)", allGrantType))
+	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "Address to bind to the local server. If multiple addresses are given, it will try binding in order")
+	//TODO: remove the deprecated flag
+	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "(Deprecated: use --listen-address)")
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "Hostname of the redirect URL")
+	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "Extra query parameters to send with an authentication request")
+	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
+	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
+}
+
+func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
+	switch {
+	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
+		s.AuthCodeOption = &authentication.AuthCodeOption{
+			BindAddress:            o.determineListenAddress(),
+			SkipOpenBrowser:        o.SkipOpenBrowser,
+			RedirectURLHostname:    o.RedirectURLHostname,
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "authcode-keyboard":
+		s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
+		s.ROPCOption = &authentication.ROPCOption{
+			Username: o.Username,
+			Password: o.Password,
+		}
+	default:
+		err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
+	}
+	return
 }

 type Root struct {
@@ -43,10 +119,10 @@ type Root struct {

 func (cmd *Root) New() *cobra.Command {
 	var o rootOptions
-	c := &cobra.Command{
+	rootCmd := &cobra.Command{
 		Use:   "kubelogin",
-		Short: "Log in to the OpenID Connect provider",
-		Long:  rootDescription,
+		Short: "Login to the OpenID Connect provider",
+		Long:  longDescription,
 		Args:  cobra.NoArgs,
 		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
@@ -57,9 +133,8 @@ func (cmd *Root) New() *cobra.Command {
 				KubeconfigFilename: o.Kubeconfig,
 				KubeconfigContext:  kubeconfig.ContextName(o.Context),
 				KubeconfigUser:     kubeconfig.UserName(o.User),
-				CACertFilename:     o.tlsOptions.CACertFilename,
-				CACertData:         o.tlsOptions.CACertData,
-				SkipTLSVerify:      o.tlsOptions.SkipTLSVerify,
+				CACertFilename:     o.CertificateAuthority,
+				SkipTLSVerify:      o.SkipTLSVerify,
 				GrantOptionSet:     grantOptionSet,
 			}
 			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
@@ -68,8 +143,7 @@ func (cmd *Root) New() *cobra.Command {
 			return nil
 		},
 	}
-	c.Flags().SortFlags = false
-	o.addFlags(c.Flags())
-	cmd.Logger.AddFlags(c.PersistentFlags())
-	return c
+	o.register(rootCmd.Flags())
+	cmd.Logger.AddFlags(rootCmd.PersistentFlags())
+	return rootCmd
 }
--- a/pkg/adaptors/cmd/setup.go
+++ b/pkg/adaptors/cmd/setup.go
@@ -13,17 +13,22 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	tlsOptions            tlsOptions
+	CACertFilename        string
+	CACertData            string
+	SkipTLSVerify         bool
 	authenticationOptions authenticationOptions
 }

-func (o *setupOptions) addFlags(f *pflag.FlagSet) {
+func (o *setupOptions) register(f *pflag.FlagSet) {
+	f.SortFlags = false
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	o.tlsOptions.addFlags(f)
-	o.authenticationOptions.addFlags(f)
+	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
+	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	o.authenticationOptions.register(f)
 }

 type Setup struct {
@@ -46,9 +51,9 @@ func (cmd *Setup) New() *cobra.Command {
 				ClientID:       o.ClientID,
 				ClientSecret:   o.ClientSecret,
 				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.tlsOptions.CACertFilename,
-				CACertData:     o.tlsOptions.CACertData,
-				SkipTLSVerify:  o.tlsOptions.SkipTLSVerify,
+				CACertFilename: o.CACertFilename,
+				CACertData:     o.CACertData,
+				SkipTLSVerify:  o.SkipTLSVerify,
 				GrantOptionSet: grantOptionSet,
 			}
 			if c.Flags().Lookup("listen-address").Changed {
@@ -64,7 +69,6 @@ func (cmd *Setup) New() *cobra.Command {
 			return nil
 		},
 	}
-	c.Flags().SortFlags = false
-	o.addFlags(c.Flags())
+	o.register(c.Flags())
 	return c
 }
--- a/pkg/adaptors/cmd/tls.go
+++ b/pkg/adaptors/cmd/tls.go
@@ -1,15 +0,0 @@
-package cmd
-
-import "github.com/spf13/pflag"
-
-type tlsOptions struct {
-	CACertFilename string
-	CACertData     string
-	SkipTLSVerify  bool
-}
-
-func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
-	f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded cert for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-}
--- a/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go
+++ b/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go
@@ -10,30 +10,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// Write mocks base method.
+// Write mocks base method
 func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Write", arg0)
@@ -41,7 +41,7 @@ func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
 	return ret0
 }

-// Write indicates an expected call of Write.
+// Write indicates an expected call of Write
 func (mr *MockInterfaceMockRecorder) Write(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockInterface)(nil).Write), arg0)
--- a/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
+++ b/pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go
@@ -10,30 +10,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// GetCurrentAuthProvider mocks base method.
+// GetCurrentAuthProvider mocks base method
 func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
@@ -42,13 +42,13 @@ func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.Cont
 	return ret0, ret1
 }

-// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider.
+// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
 func (mr *MockInterfaceMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockInterface)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
 }

-// UpdateAuthProvider mocks base method.
+// UpdateAuthProvider mocks base method
 func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
@@ -56,7 +56,7 @@ func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error
 	return ret0
 }

-// UpdateAuthProvider indicates an expected call of UpdateAuthProvider.
+// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
 func (mr *MockInterfaceMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockInterface)(nil).UpdateAuthProvider), arg0)
--- a/pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go
+++ b/pkg/adaptors/oidcclient/mock_oidcclient/mock_oidcclient.go
@@ -8,7 +8,6 @@ import (
 	context "context"
 	gomock "github.com/golang/mock/gomock"
 	oidcclient "github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	oidc "github.com/int128/kubelogin/pkg/oidc"
 	reflect "reflect"
 )

@@ -36,10 +35,10 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 }

 // ExchangeAuthCode mocks base method.
-func (m *MockInterface) ExchangeAuthCode(arg0 context.Context, arg1 oidcclient.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+func (m *MockInterface) ExchangeAuthCode(arg0 context.Context, arg1 oidcclient.ExchangeAuthCodeInput) (*oidcclient.TokenSet, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ExchangeAuthCode", arg0, arg1)
-	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -65,10 +64,10 @@ func (mr *MockInterfaceMockRecorder) GetAuthCodeURL(arg0 interface{}) *gomock.Ca
 }

 // GetTokenByAuthCode mocks base method.
-func (m *MockInterface) GetTokenByAuthCode(arg0 context.Context, arg1 oidcclient.GetTokenByAuthCodeInput, arg2 chan<- string) (*oidc.TokenSet, error) {
+func (m *MockInterface) GetTokenByAuthCode(arg0 context.Context, arg1 oidcclient.GetTokenByAuthCodeInput, arg2 chan<- string) (*oidcclient.TokenSet, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetTokenByAuthCode", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -80,10 +79,10 @@ func (mr *MockInterfaceMockRecorder) GetTokenByAuthCode(arg0, arg1, arg2 interfa
 }

 // GetTokenByROPC mocks base method.
-func (m *MockInterface) GetTokenByROPC(arg0 context.Context, arg1, arg2 string) (*oidc.TokenSet, error) {
+func (m *MockInterface) GetTokenByROPC(arg0 context.Context, arg1, arg2 string) (*oidcclient.TokenSet, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetTokenByROPC", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
@@ -95,10 +94,10 @@ func (mr *MockInterfaceMockRecorder) GetTokenByROPC(arg0, arg1, arg2 interface{}
 }

 // Refresh mocks base method.
-func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidc.TokenSet, error) {
+func (m *MockInterface) Refresh(arg0 context.Context, arg1 string) (*oidcclient.TokenSet, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Refresh", arg0, arg1)
-	ret0, _ := ret[0].(*oidc.TokenSet)
+	ret0, _ := ret[0].(*oidcclient.TokenSet)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
--- a/pkg/adaptors/oidcclient/oidcclient.go
+++ b/pkg/adaptors/oidcclient/oidcclient.go
@@ -5,12 +5,11 @@ import (
 	"net/http"
 	"time"

-	gooidc "github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc"
 	"github.com/int128/kubelogin/pkg/adaptors/clock"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
-	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
+	"github.com/int128/kubelogin/pkg/domain/pkce"
 	"github.com/int128/oauth2cli"
 	"golang.org/x/oauth2"
 	"golang.org/x/xerrors"
@@ -20,10 +19,10 @@ import (

 type Interface interface {
 	GetAuthCodeURL(in AuthCodeURLInput) string
-	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error)
-	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error)
-	GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error)
-	Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)
+	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error)
+	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error)
+	GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error)
+	Refresh(ctx context.Context, refreshToken string) (*TokenSet, error)
 	SupportedPKCEMethods() []string
 }

@@ -49,12 +48,19 @@ type GetTokenByAuthCodeInput struct {
 	PKCEParams             pkce.Params
 	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
-	LocalServerSuccessHTML string
+}
+
+// TokenSet represents an output DTO of
+// Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
+type TokenSet struct {
+	IDToken       string
+	RefreshToken  string
+	IDTokenClaims jwt.Claims
 }

 type client struct {
 	httpClient           *http.Client
-	provider             *gooidc.Provider
+	provider             *oidc.Provider
 	oauth2Config         oauth2.Config
 	clock                clock.Interface
 	logger               logger.Interface
@@ -69,7 +75,7 @@ func (c *client) wrapContext(ctx context.Context) context.Context {
 }

 // GetTokenByAuthCode performs the authorization code flow.
-func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error) {
 	ctx = c.wrapContext(ctx)
 	config := oauth2cli.Config{
 		OAuth2Config:           c.oauth2Config,
@@ -79,8 +85,6 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		LocalServerBindAddress: in.BindAddress,
 		LocalServerReadyChan:   localServerReadyChan,
 		RedirectURLHostname:    in.RedirectURLHostname,
-		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
-		Logf:                   c.logger.V(1).Infof,
 	}
 	token, err := oauth2cli.GetToken(ctx, config)
 	if err != nil {
@@ -98,7 +102,7 @@ func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
 }

 // ExchangeAuthCode exchanges the authorization code and token.
-func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error) {
 	ctx = c.wrapContext(ctx)
 	cfg := c.oauth2Config
 	cfg.RedirectURL = in.RedirectURI
@@ -113,7 +117,7 @@ func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput)
 func authorizationRequestOptions(n string, p pkce.Params, e map[string]string) []oauth2.AuthCodeOption {
 	o := []oauth2.AuthCodeOption{
 		oauth2.AccessTypeOffline,
-		gooidc.Nonce(n),
+		oidc.Nonce(n),
 	}
 	if !p.IsZero() {
 		o = append(o,
@@ -141,7 +145,7 @@ func (c *client) SupportedPKCEMethods() []string {
 }

 // GetTokenByROPC performs the resource owner password credentials flow.
-func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error) {
+func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error) {
 	ctx = c.wrapContext(ctx)
 	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
 	if err != nil {
@@ -151,7 +155,7 @@ func (c *client) GetTokenByROPC(ctx context.Context, username, password string)
 }

 // Refresh sends a refresh token request and returns a token set.
-func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
+func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, error) {
 	ctx = c.wrapContext(ctx)
 	currentToken := &oauth2.Token{
 		Expiry:       time.Now(),
@@ -167,12 +171,12 @@ func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenS

 // verifyToken verifies the token with the certificates of the provider and the nonce.
 // If the nonce is an empty string, it does not verify the nonce.
-func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*oidc.TokenSet, error) {
+func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*TokenSet, error) {
 	idToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
 	}
-	verifier := c.provider.Verifier(&gooidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
+	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
 	verifiedIDToken, err := verifier.Verify(ctx, idToken)
 	if err != nil {
 		return nil, xerrors.Errorf("could not verify the ID token: %w", err)
@@ -184,7 +188,7 @@ func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce str
 	if err != nil {
 		return nil, xerrors.Errorf("could not decode the token: %w", err)
 	}
-	return &oidc.TokenSet{
+	return &TokenSet{
 		IDToken: idToken,
 		IDTokenClaims: jwt.Claims{
 			Subject: verifiedIDToken.Subject,
--- a/pkg/adaptors/reader/mock_reader/mock_reader.go
+++ b/pkg/adaptors/reader/mock_reader/mock_reader.go
@@ -9,30 +9,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// ReadPassword mocks base method.
+// ReadPassword mocks base method
 func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ReadPassword", arg0)
@@ -41,13 +41,13 @@ func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
 	return ret0, ret1
 }

-// ReadPassword indicates an expected call of ReadPassword.
+// ReadPassword indicates an expected call of ReadPassword
 func (mr *MockInterfaceMockRecorder) ReadPassword(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadPassword", reflect.TypeOf((*MockInterface)(nil).ReadPassword), arg0)
 }

-// ReadString mocks base method.
+// ReadString mocks base method
 func (m *MockInterface) ReadString(arg0 string) (string, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ReadString", arg0)
@@ -56,7 +56,7 @@ func (m *MockInterface) ReadString(arg0 string) (string, error) {
 	return ret0, ret1
 }

-// ReadString indicates an expected call of ReadString.
+// ReadString indicates an expected call of ReadString
 func (mr *MockInterfaceMockRecorder) ReadString(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReadString", reflect.TypeOf((*MockInterface)(nil).ReadString), arg0)
--- a/pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go
+++ b/pkg/adaptors/tokencache/mock_tokencache/mock_tokencache.go
@@ -10,30 +10,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// FindByKey mocks base method.
+// FindByKey mocks base method
 func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache.Value, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "FindByKey", arg0, arg1)
@@ -42,13 +42,13 @@ func (m *MockInterface) FindByKey(arg0 string, arg1 tokencache.Key) (*tokencache
 	return ret0, ret1
 }

-// FindByKey indicates an expected call of FindByKey.
+// FindByKey indicates an expected call of FindByKey
 func (mr *MockInterfaceMockRecorder) FindByKey(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindByKey", reflect.TypeOf((*MockInterface)(nil).FindByKey), arg0, arg1)
 }

-// Save mocks base method.
+// Save mocks base method
 func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.Value) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Save", arg0, arg1, arg2)
@@ -56,7 +56,7 @@ func (m *MockInterface) Save(arg0 string, arg1 tokencache.Key, arg2 tokencache.V
 	return ret0
 }

-// Save indicates an expected call of Save.
+// Save indicates an expected call of Save
 func (mr *MockInterfaceMockRecorder) Save(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Save", reflect.TypeOf((*MockInterface)(nil).Save), arg0, arg1, arg2)
--- a/pkg/di/wire_gen.go
+++ b/pkg/di/wire_gen.go
@@ -18,8 +18,6 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/stdio"
 	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -28,7 +26,6 @@ import (

 // Injectors from di.go:

-// NewCmd returns an instance of adaptors.Cmd.
 func NewCmd() cmd.Interface {
 	clockReal := &clock.Real{}
 	stdin := _wireFileValue
@@ -44,24 +41,23 @@ var (
 	_wireOsFileValue = os.Stdout
 )

-// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
 func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout stdio.Stdout, loggerInterface logger.Interface, browserInterface browser.Interface) cmd.Interface {
 	factory := &oidcclient.Factory{
 		Clock:  clockInterface,
 		Logger: loggerInterface,
 	}
-	authcodeBrowser := &authcode.Browser{
+	authCode := &authentication.AuthCode{
 		Browser: browserInterface,
 		Logger:  loggerInterface,
 	}
 	readerReader := &reader.Reader{
 		Stdin: stdin,
 	}
-	keyboard := &authcode.Keyboard{
+	authCodeKeyboard := &authentication.AuthCodeKeyboard{
 		Reader: readerReader,
 		Logger: loggerInterface,
 	}
-	ropcROPC := &ropc.ROPC{
+	ropc := &authentication.ROPC{
 		Reader: readerReader,
 		Logger: loggerInterface,
 	}
@@ -69,9 +65,9 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		OIDCClient:       factory,
 		Logger:           loggerInterface,
 		Clock:            clockInterface,
-		AuthCodeBrowser:  authcodeBrowser,
-		AuthCodeKeyboard: keyboard,
-		ROPC:             ropcROPC,
+		AuthCode:         authCode,
+		AuthCodeKeyboard: authCodeKeyboard,
+		ROPC:             ropc,
 	}
 	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{
 		Logger: loggerInterface,
--- a/pkg/domain/jwt/decode.go
+++ b/pkg/domain/jwt/decode.go
--- a/pkg/domain/jwt/decode_test.go
+++ b/pkg/domain/jwt/decode_test.go
--- a/pkg/domain/jwt/token.go
+++ b/pkg/domain/jwt/token.go
--- a/pkg/domain/jwt/token_test.go
+++ b/pkg/domain/jwt/token_test.go
@@ -4,7 +4,7 @@ import (
 	"testing"
 	"time"

-	"github.com/int128/kubelogin/pkg/jwt"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 )

 type timeProvider time.Time
--- a/pkg/domain/oidc/oidc.go
+++ b/pkg/domain/oidc/oidc.go
@@ -5,18 +5,9 @@ import (
 	"encoding/base64"
 	"encoding/binary"

-	"github.com/int128/kubelogin/pkg/jwt"
 	"golang.org/x/xerrors"
 )

-// TokenSet represents an output DTO of
-// Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
-type TokenSet struct {
-	IDToken       string
-	RefreshToken  string
-	IDTokenClaims jwt.Claims
-}
-
 func NewState() (string, error) {
 	b, err := random32()
 	if err != nil {
--- a/pkg/domain/pkce/pkce.go
+++ b/pkg/domain/pkce/pkce.go
--- a/pkg/domain/pkce/pkce_test.go
+++ b/pkg/domain/pkce/pkce_test.go
--- a/pkg/testing/httpserver/httpserver.go
+++ b/pkg/testing/httpserver/httpserver.go
@@ -1,29 +0,0 @@
-package main
-
-import (
-	"log"
-	"net/http"
-
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-)
-
-func main() {
-	http.HandleFunc("/BrowserSuccessHTML", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Add("content-type", "text/html")
-		_, _ = w.Write([]byte(authcode.BrowserSuccessHTML))
-	})
-	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Add("content-type", "text/html")
-		_, _ = w.Write([]byte(`
-<html>
-<body>
-<ul>
-<li><a href="BrowserSuccessHTML">BrowserSuccessHTML</a></li>
-</ul>
-</body>
-</html>
-`))
-	})
-	log.Printf("http://localhost:8000")
-	log.Fatal(http.ListenAndServe("127.0.0.1:8000", nil))
-}
--- a/pkg/usecases/authentication/authcode/browser.go
+++ b/pkg/usecases/authentication/authcode/browser.go
@@ -1,4 +1,4 @@
-package authcode
+package authentication

 import (
 	"context"
@@ -6,28 +6,20 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/browser"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	"github.com/int128/kubelogin/pkg/oidc"
-	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/kubelogin/pkg/domain/oidc"
+	"github.com/int128/kubelogin/pkg/domain/pkce"
 	"golang.org/x/sync/errgroup"
 	"golang.org/x/xerrors"
 )

-type BrowserOption struct {
-	SkipOpenBrowser        bool
-	BindAddress            []string
-	OpenURLAfterAuthentication string
-	RedirectURLHostname    string
-	AuthRequestExtraParams map[string]string
-}
-
-// Browser provides the authentication code flow using the browser.
-type Browser struct {
+// AuthCode provides the authentication code flow.
+type AuthCode struct {
 	Browser browser.Interface
 	Logger  logger.Interface
 }

-func (u *Browser) Do(ctx context.Context, o *BrowserOption, client oidcclient.Interface) (*oidc.TokenSet, error) {
-	u.Logger.V(1).Infof("starting the authentication code flow using the browser")
+func (u *AuthCode) Do(ctx context.Context, o *AuthCodeOption, client oidcclient.Interface) (*Output, error) {
+	u.Logger.V(1).Infof("performing the authentication code flow")
 	state, err := oidc.NewState()
 	if err != nil {
 		return nil, xerrors.Errorf("could not generate a state: %w", err)
@@ -40,10 +32,6 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, client oidcclient.In
 	if err != nil {
 		return nil, xerrors.Errorf("could not generate PKCE parameters: %w", err)
 	}
-	successHTML := BrowserSuccessHTML
-	if o.OpenURLAfterAuthentication != "" {
-		successHTML = BrowserRedirectHTML(o.OpenURLAfterAuthentication)
-	}
 	in := oidcclient.GetTokenByAuthCodeInput{
 		BindAddress:            o.BindAddress,
 		State:                  state,
@@ -51,11 +39,10 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, client oidcclient.In
 		PKCEParams:             p,
 		RedirectURLHostname:    o.RedirectURLHostname,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
-		LocalServerSuccessHTML: successHTML,
 	}
 	readyChan := make(chan string, 1)
 	defer close(readyChan)
-	var out *oidc.TokenSet
+	var out Output
 	eg, ctx := errgroup.WithContext(ctx)
 	eg.Go(func() error {
 		select {
@@ -67,7 +54,6 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, client oidcclient.In
 				u.Logger.Printf("Please visit the following URL in your browser: %s", url)
 				return nil
 			}
-			u.Logger.V(1).Infof("opening %s in the browser", url)
 			if err := u.Browser.Open(url); err != nil {
 				u.Logger.Printf(`error: could not open the browser: %s

@@ -84,13 +70,15 @@ Please visit the following URL in your browser manually: %s`, err, url)
 		if err != nil {
 			return xerrors.Errorf("authorization code flow error: %w", err)
 		}
-		out = tokenSet
-		u.Logger.V(1).Infof("got a token set by the authorization code flow")
+		out = Output{
+			IDToken:       tokenSet.IDToken,
+			IDTokenClaims: tokenSet.IDTokenClaims,
+			RefreshToken:  tokenSet.RefreshToken,
+		}
 		return nil
 	})
 	if err := eg.Wait(); err != nil {
 		return nil, xerrors.Errorf("authentication error: %w", err)
 	}
-	u.Logger.V(1).Infof("finished the authorization code flow via the browser")
-	return out, nil
+	return &out, nil
 }
--- a/pkg/usecases/authentication/authcode/browser_html.go
+++ b/pkg/usecases/authentication/authcode/browser_html.go
@@ -1,60 +0,0 @@
-package authcode
-
-import (
-	"fmt"
-	"net/url"
-)
-
-// BrowserSuccessHTML is the success page on browser based authentication.
-const BrowserSuccessHTML = `
-<!DOCTYPE html>
-<html lang="en">
-<head>
-	<meta charset="UTF-8">
-	<title>Authenticated</title>
-	<script>
-		window.close()
-	</script>
-	<style>
-		body {
-			background-color: #eee;
-			margin: 0;
-			padding: 0;
-			font-family: sans-serif;
-		}
-		.placeholder {
-			margin: 2em;
-			padding: 2em;
-			background-color: #fff;
-			border-radius: 1em;
-		}
-	</style>
-</head>
-<body>
-	<div class="placeholder">
-		<h1>Authenticated</h1>
-		<p>You have logged in to the cluster. You can close this window.</p>
-	</div>
-</body>
-</html>
-`
-
-func BrowserRedirectHTML(target string) string {
-	targetURL, err := url.Parse(target)
-	if err != nil {
-		return fmt.Sprintf(`invalid URL is set: %s`, err)
-	}
-	return fmt.Sprintf(`
-<!DOCTYPE html>
-<html lang="en">
-<head>
-	<meta http-equiv="refresh" content="0;URL=%s">
-	<meta charset="UTF-8">
-	<title>Authenticated</title>
-</head>
-<body>
-	<a href="%s">redirecting...</a>
-</body>
-</html>
-`, targetURL, targetURL)
-}
--- a/pkg/usecases/authentication/authcode_keyboard.go
+++ b/pkg/usecases/authentication/authcode_keyboard.go
@@ -1,4 +1,4 @@
-package authcode
+package authentication

 import (
 	"context"
@@ -6,26 +6,22 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/reader"
-	"github.com/int128/kubelogin/pkg/oidc"
-	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/kubelogin/pkg/domain/oidc"
+	"github.com/int128/kubelogin/pkg/domain/pkce"
 	"golang.org/x/xerrors"
 )

-const keyboardPrompt = "Enter code: "
+const authCodeKeyboardPrompt = "Enter code: "
 const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"

-type KeyboardOption struct {
-	AuthRequestExtraParams map[string]string
-}
-
-// Keyboard provides the authorization code flow with keyboard interactive.
-type Keyboard struct {
+// AuthCodeKeyboard provides the authorization code flow with keyboard interactive.
+type AuthCodeKeyboard struct {
 	Reader reader.Interface
 	Logger logger.Interface
 }

-func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, client oidcclient.Interface) (*oidc.TokenSet, error) {
-	u.Logger.V(1).Infof("starting the authorization code flow with keyboard interactive")
+func (u *AuthCodeKeyboard) Do(ctx context.Context, o *AuthCodeKeyboardOption, client oidcclient.Interface) (*Output, error) {
+	u.Logger.V(1).Infof("performing the authorization code flow with keyboard interactive")
 	state, err := oidc.NewState()
 	if err != nil {
 		return nil, xerrors.Errorf("could not generate a state: %w", err)
@@ -45,13 +41,12 @@ func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, client oidcclient.
 		RedirectURI:            oobRedirectURI,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	})
-	u.Logger.Printf("Please visit the following URL in your browser: %s", authCodeURL)
-	code, err := u.Reader.ReadString(keyboardPrompt)
+	u.Logger.Printf("Open %s", authCodeURL)
+	code, err := u.Reader.ReadString(authCodeKeyboardPrompt)
 	if err != nil {
 		return nil, xerrors.Errorf("could not read an authorization code: %w", err)
 	}

-	u.Logger.V(1).Infof("exchanging the code and token")
 	tokenSet, err := client.ExchangeAuthCode(ctx, oidcclient.ExchangeAuthCodeInput{
 		Code:        code,
 		PKCEParams:  p,
@@ -61,6 +56,9 @@ func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, client oidcclient.
 	if err != nil {
 		return nil, xerrors.Errorf("could not exchange the authorization code: %w", err)
 	}
-	u.Logger.V(1).Infof("finished the authorization code flow with keyboard interactive")
-	return tokenSet, nil
+	return &Output{
+		IDToken:       tokenSet.IDToken,
+		IDTokenClaims: tokenSet.IDTokenClaims,
+		RefreshToken:  tokenSet.RefreshToken,
+	}, nil
 }
--- a/pkg/usecases/authentication/authcode_keyboard_test.go
+++ b/pkg/usecases/authentication/authcode_keyboard_test.go
@@ -1,4 +1,4 @@
-package authcode
+package authentication

 import (
 	"context"
@@ -10,14 +10,13 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/reader/mock_reader"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 )

 var nonNil = gomock.Not(gomock.Nil())

-func TestKeyboard_Do(t *testing.T) {
+func TestAuthCodeKeyboard_Do(t *testing.T) {
 	dummyTokenClaims := jwt.Claims{
 		Subject: "YOUR_SUBJECT",
 		Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
@@ -30,7 +29,7 @@ func TestKeyboard_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &KeyboardOption{
+		o := &AuthCodeKeyboardOption{
 			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
@@ -50,16 +49,16 @@ func TestKeyboard_Do(t *testing.T) {
 					t.Errorf("Code wants YOUR_AUTH_CODE but was %s", in.Code)
 				}
 			}).
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				IDTokenClaims: dummyTokenClaims,
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 			}, nil)
 		mockReader := mock_reader.NewMockInterface(ctrl)
 		mockReader.EXPECT().
-			ReadString(keyboardPrompt).
+			ReadString(authCodeKeyboardPrompt).
 			Return("YOUR_AUTH_CODE", nil)
-		u := Keyboard{
+		u := AuthCodeKeyboard{
 			Reader: mockReader,
 			Logger: logger.New(t),
 		}
@@ -67,7 +66,7 @@ func TestKeyboard_Do(t *testing.T) {
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
-		want := &oidc.TokenSet{
+		want := &Output{
 			IDToken:       "YOUR_ID_TOKEN",
 			IDTokenClaims: dummyTokenClaims,
 			RefreshToken:  "YOUR_REFRESH_TOKEN",
--- a/pkg/usecases/authentication/authcode/browser_test.go
+++ b/pkg/usecases/authentication/authcode/browser_test.go
@@ -1,4 +1,4 @@
-package authcode
+package authentication

 import (
 	"context"
@@ -10,12 +10,11 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/browser/mock_browser"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 )

-func TestBrowser_Do(t *testing.T) {
+func TestAuthCode_Do(t *testing.T) {
 	dummyTokenClaims := jwt.Claims{
 		Subject: "YOUR_SUBJECT",
 		Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
@@ -28,12 +27,11 @@ func TestBrowser_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &BrowserOption{
-			BindAddress:                []string{"127.0.0.1:8000"},
-			SkipOpenBrowser:            true,
-			OpenURLAfterAuthentication: "https://example.com/success.html",
-			RedirectURLHostname:        "localhost",
-			AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
+		o := &AuthCodeOption{
+			BindAddress:            []string{"127.0.0.1:8000"},
+			SkipOpenBrowser:        true,
+			RedirectURLHostname:    "localhost",
+			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().SupportedPKCEMethods()
@@ -43,9 +41,6 @@ func TestBrowser_Do(t *testing.T) {
 				if diff := cmp.Diff(o.BindAddress, in.BindAddress); diff != "" {
 					t.Errorf("BindAddress mismatch (-want +got):\n%s", diff)
 				}
-				if diff := cmp.Diff(BrowserRedirectHTML("https://example.com/success.html"), in.LocalServerSuccessHTML); diff != "" {
-					t.Errorf("LocalServerSuccessHTML mismatch (-want +got):\n%s", diff)
-				}
 				if diff := cmp.Diff(o.RedirectURLHostname, in.RedirectURLHostname); diff != "" {
 					t.Errorf("RedirectURLHostname mismatch (-want +got):\n%s", diff)
 				}
@@ -54,19 +49,19 @@ func TestBrowser_Do(t *testing.T) {
 				}
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenClaims: dummyTokenClaims,
 			}, nil)
-		u := Browser{
+		u := AuthCode{
 			Logger: logger.New(t),
 		}
 		got, err := u.Do(ctx, o, mockOIDCClient)
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
-		want := &oidc.TokenSet{
+		want := &Output{
 			IDToken:       "YOUR_ID_TOKEN",
 			RefreshToken:  "YOUR_REFRESH_TOKEN",
 			IDTokenClaims: dummyTokenClaims,
@@ -81,7 +76,7 @@ func TestBrowser_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &BrowserOption{
+		o := &AuthCodeOption{
 			BindAddress: []string{"127.0.0.1:8000"},
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
@@ -91,7 +86,7 @@ func TestBrowser_Do(t *testing.T) {
 			Do(func(_ context.Context, _ oidcclient.GetTokenByAuthCodeInput, readyChan chan<- string) {
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenClaims: dummyTokenClaims,
@@ -99,7 +94,7 @@ func TestBrowser_Do(t *testing.T) {
 		mockBrowser := mock_browser.NewMockInterface(ctrl)
 		mockBrowser.EXPECT().
 			Open("LOCAL_SERVER_URL")
-		u := Browser{
+		u := AuthCode{
 			Logger:  logger.New(t),
 			Browser: mockBrowser,
 		}
@@ -107,7 +102,7 @@ func TestBrowser_Do(t *testing.T) {
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
-		want := &oidc.TokenSet{
+		want := &Output{
 			IDToken:       "YOUR_ID_TOKEN",
 			RefreshToken:  "YOUR_REFRESH_TOKEN",
 			IDTokenClaims: dummyTokenClaims,
--- a/pkg/usecases/authentication/authentication.go
+++ b/pkg/usecases/authentication/authentication.go
@@ -8,10 +8,7 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/clock"
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"golang.org/x/xerrors"
 )

@@ -21,9 +18,9 @@ import (
 var Set = wire.NewSet(
 	wire.Struct(new(Authentication), "*"),
 	wire.Bind(new(Interface), new(*Authentication)),
-	wire.Struct(new(authcode.Browser), "*"),
-	wire.Struct(new(authcode.Keyboard), "*"),
-	wire.Struct(new(ropc.ROPC), "*"),
+	wire.Struct(new(AuthCode), "*"),
+	wire.Struct(new(AuthCodeKeyboard), "*"),
+	wire.Struct(new(ROPC), "*"),
 )

 type Interface interface {
@@ -44,17 +41,38 @@ type Input struct {
 }

 type GrantOptionSet struct {
-	AuthCodeBrowserOption  *authcode.BrowserOption
-	AuthCodeKeyboardOption *authcode.KeyboardOption
-	ROPCOption             *ropc.Option
+	AuthCodeOption         *AuthCodeOption
+	AuthCodeKeyboardOption *AuthCodeKeyboardOption
+	ROPCOption             *ROPCOption
+}
+
+type AuthCodeOption struct {
+	SkipOpenBrowser        bool
+	BindAddress            []string
+	RedirectURLHostname    string
+	AuthRequestExtraParams map[string]string
+}
+
+type AuthCodeKeyboardOption struct {
+	AuthRequestExtraParams map[string]string
+}
+
+type ROPCOption struct {
+	Username string
+	Password string // If empty, read a password using Reader.ReadPassword()
 }

 // Output represents an output DTO of the Authentication use-case.
 type Output struct {
 	AlreadyHasValidIDToken bool
-	TokenSet               oidc.TokenSet
+	IDToken                string
+	IDTokenClaims          jwt.Claims
+	RefreshToken           string
 }

+const usernamePrompt = "Username: "
+const passwordPrompt = "Password: "
+
 // Authentication provides the internal use-case of authentication.
 //
 // If the IDToken is not set, it performs the authentication flow.
@@ -72,9 +90,9 @@ type Authentication struct {
 	OIDCClient       oidcclient.FactoryInterface
 	Logger           logger.Interface
 	Clock            clock.Interface
-	AuthCodeBrowser  *authcode.Browser
-	AuthCodeKeyboard *authcode.Keyboard
-	ROPC             *ropc.ROPC
+	AuthCode         *AuthCode
+	AuthCodeKeyboard *AuthCodeKeyboard
+	ROPC             *ROPC
 }

 func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
@@ -91,11 +109,9 @@ func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
 			u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
 			return &Output{
 				AlreadyHasValidIDToken: true,
-				TokenSet: oidc.TokenSet{
-					IDToken:       in.IDToken,
-					RefreshToken:  in.RefreshToken,
-					IDTokenClaims: *claims,
-				},
+				IDToken:                in.IDToken,
+				RefreshToken:           in.RefreshToken,
+				IDTokenClaims:          *claims,
 			}, nil
 		}
 		u.Logger.V(1).Infof("you have an expired token at %s", claims.Expiry)
@@ -119,36 +135,22 @@ func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
 		out, err := client.Refresh(ctx, in.RefreshToken)
 		if err == nil {
 			return &Output{
-				TokenSet: oidc.TokenSet{
-					IDToken:       out.IDToken,
-					IDTokenClaims: out.IDTokenClaims,
-					RefreshToken:  out.RefreshToken,
-				},
+				IDToken:       out.IDToken,
+				IDTokenClaims: out.IDTokenClaims,
+				RefreshToken:  out.RefreshToken,
 			}, nil
 		}
 		u.Logger.V(1).Infof("could not refresh the token: %s", err)
 	}

-	if in.GrantOptionSet.AuthCodeBrowserOption != nil {
-		tokenSet, err := u.AuthCodeBrowser.Do(ctx, in.GrantOptionSet.AuthCodeBrowserOption, client)
-		if err != nil {
-			return nil, xerrors.Errorf("authcode-browser error: %w", err)
-		}
-		return &Output{TokenSet: *tokenSet}, nil
+	if in.GrantOptionSet.AuthCodeOption != nil {
+		return u.AuthCode.Do(ctx, in.GrantOptionSet.AuthCodeOption, client)
 	}
 	if in.GrantOptionSet.AuthCodeKeyboardOption != nil {
-		tokenSet, err := u.AuthCodeKeyboard.Do(ctx, in.GrantOptionSet.AuthCodeKeyboardOption, client)
-		if err != nil {
-			return nil, xerrors.Errorf("authcode-keyboard error: %w", err)
-		}
-		return &Output{TokenSet: *tokenSet}, nil
+		return u.AuthCodeKeyboard.Do(ctx, in.GrantOptionSet.AuthCodeKeyboardOption, client)
 	}
 	if in.GrantOptionSet.ROPCOption != nil {
-		tokenSet, err := u.ROPC.Do(ctx, in.GrantOptionSet.ROPCOption, client)
-		if err != nil {
-			return nil, xerrors.Errorf("ropc error: %w", err)
-		}
-		return &Output{TokenSet: *tokenSet}, nil
+		return u.ROPC.Do(ctx, in.GrantOptionSet.ROPCOption, client)
 	}
 	return nil, xerrors.Errorf("any authorization grant must be set")
 }
--- a/pkg/usecases/authentication/authentication_test.go
+++ b/pkg/usecases/authentication/authentication_test.go
@@ -9,13 +9,10 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
 	testingLogger "github.com/int128/kubelogin/pkg/testing/logger"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"golang.org/x/xerrors"
 )

@@ -54,17 +51,15 @@ func TestAuthentication_Do(t *testing.T) {
 		}
 		want := &Output{
 			AlreadyHasValidIDToken: true,
-			TokenSet: oidc.TokenSet{
-				IDToken: cachedIDToken,
-				IDTokenClaims: jwt.Claims{
-					Subject: "SUBJECT",
-					Expiry:  expiryTime,
-					Pretty: `{
+			IDToken:                cachedIDToken,
+			IDTokenClaims: jwt.Claims{
+				Subject: "SUBJECT",
+				Expiry:  expiryTime,
+				Pretty: `{
  "exp": 1577934245,
  "iss": "https://issuer.example.com",
  "sub": "SUBJECT"
 }`,
-				},
 			},
 		}
 		if diff := cmp.Diff(want, got); diff != "" {
@@ -87,7 +82,7 @@ func TestAuthentication_Do(t *testing.T) {
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			Refresh(ctx, "VALID_REFRESH_TOKEN").
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "NEW_ID_TOKEN",
 				RefreshToken:  "NEW_REFRESH_TOKEN",
 				IDTokenClaims: dummyClaims,
@@ -110,25 +105,23 @@ func TestAuthentication_Do(t *testing.T) {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			TokenSet: oidc.TokenSet{
-				IDToken:       "NEW_ID_TOKEN",
-				RefreshToken:  "NEW_REFRESH_TOKEN",
-				IDTokenClaims: dummyClaims,
-			},
+			IDToken:       "NEW_ID_TOKEN",
+			RefreshToken:  "NEW_REFRESH_TOKEN",
+			IDTokenClaims: dummyClaims,
 		}
 		if diff := cmp.Diff(want, got); diff != "" {
 			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})

-	t.Run("HasExpiredRefreshToken/Browser", func(t *testing.T) {
+	t.Run("HasExpiredRefreshToken/AuthCode", func(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		in := Input{
 			GrantOptionSet: GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
+				AuthCodeOption: &AuthCodeOption{
 					BindAddress:     []string{"127.0.0.1:8000"},
 					SkipOpenBrowser: true,
 				},
@@ -149,7 +142,7 @@ func TestAuthentication_Do(t *testing.T) {
 			Do(func(_ context.Context, _ oidcclient.GetTokenByAuthCodeInput, readyChan chan<- string) {
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "NEW_ID_TOKEN",
 				RefreshToken:  "NEW_REFRESH_TOKEN",
 				IDTokenClaims: dummyClaims,
@@ -166,7 +159,7 @@ func TestAuthentication_Do(t *testing.T) {
 			},
 			Logger: testingLogger.New(t),
 			Clock:  clock.Fake(expiryTime.Add(+time.Hour)),
-			AuthCodeBrowser: &authcode.Browser{
+			AuthCode: &AuthCode{
 				Logger: testingLogger.New(t),
 			},
 		}
@@ -175,11 +168,9 @@ func TestAuthentication_Do(t *testing.T) {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			TokenSet: oidc.TokenSet{
-				IDToken:       "NEW_ID_TOKEN",
-				RefreshToken:  "NEW_REFRESH_TOKEN",
-				IDTokenClaims: dummyClaims,
-			},
+			IDToken:       "NEW_ID_TOKEN",
+			RefreshToken:  "NEW_REFRESH_TOKEN",
+			IDTokenClaims: dummyClaims,
 		}
 		if diff := cmp.Diff(want, got); diff != "" {
 			t.Errorf("mismatch (-want +got):\n%s", diff)
@@ -193,7 +184,7 @@ func TestAuthentication_Do(t *testing.T) {
 		defer cancel()
 		in := Input{
 			GrantOptionSet: GrantOptionSet{
-				ROPCOption: &ropc.Option{
+				ROPCOption: &ROPCOption{
 					Username: "USER",
 					Password: "PASS",
 				},
@@ -205,7 +196,7 @@ func TestAuthentication_Do(t *testing.T) {
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenClaims: dummyClaims,
@@ -221,7 +212,7 @@ func TestAuthentication_Do(t *testing.T) {
 				},
 			},
 			Logger: testingLogger.New(t),
-			ROPC: &ropc.ROPC{
+			ROPC: &ROPC{
 				Logger: testingLogger.New(t),
 			},
 		}
@@ -230,11 +221,9 @@ func TestAuthentication_Do(t *testing.T) {
 			t.Errorf("Do returned error: %+v", err)
 		}
 		want := &Output{
-			TokenSet: oidc.TokenSet{
-				IDToken:       "YOUR_ID_TOKEN",
-				RefreshToken:  "YOUR_REFRESH_TOKEN",
-				IDTokenClaims: dummyClaims,
-			},
+			IDToken:       "YOUR_ID_TOKEN",
+			RefreshToken:  "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: dummyClaims,
 		}
 		if diff := cmp.Diff(want, got); diff != "" {
 			t.Errorf("mismatch (-want +got):\n%s", diff)
--- a/pkg/usecases/authentication/mock_authentication/mock_authentication.go
+++ b/pkg/usecases/authentication/mock_authentication/mock_authentication.go
@@ -11,30 +11,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// Do mocks base method.
+// Do mocks base method
 func (m *MockInterface) Do(arg0 context.Context, arg1 authentication.Input) (*authentication.Output, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Do", arg0, arg1)
@@ -43,7 +43,7 @@ func (m *MockInterface) Do(arg0 context.Context, arg1 authentication.Input) (*au
 	return ret0, ret1
 }

-// Do indicates an expected call of Do.
+// Do indicates an expected call of Do
 func (mr *MockInterfaceMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockInterface)(nil).Do), arg0, arg1)
--- a/pkg/usecases/authentication/ropc/ropc.go
+++ b/pkg/usecases/authentication/ropc/ropc.go
@@ -1,4 +1,4 @@
-package ropc
+package authentication

 import (
 	"context"
@@ -6,26 +6,17 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/logger"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/reader"
-	"github.com/int128/kubelogin/pkg/oidc"
 	"golang.org/x/xerrors"
 )

-const usernamePrompt = "Username: "
-const passwordPrompt = "Password: "
-
-type Option struct {
-	Username string
-	Password string // If empty, read a password using Reader.ReadPassword()
-}
-
 // ROPC provides the resource owner password credentials flow.
 type ROPC struct {
 	Reader reader.Interface
 	Logger logger.Interface
 }

-func (u *ROPC) Do(ctx context.Context, in *Option, client oidcclient.Interface) (*oidc.TokenSet, error) {
-	u.Logger.V(1).Infof("starting the resource owner password credentials flow")
+func (u *ROPC) Do(ctx context.Context, in *ROPCOption, client oidcclient.Interface) (*Output, error) {
+	u.Logger.V(1).Infof("performing the resource owner password credentials flow")
 	if in.Username == "" {
 		var err error
 		in.Username, err = u.Reader.ReadString(usernamePrompt)
@@ -44,6 +35,9 @@ func (u *ROPC) Do(ctx context.Context, in *Option, client oidcclient.Interface)
 	if err != nil {
 		return nil, xerrors.Errorf("resource owner password credentials flow error: %w", err)
 	}
-	u.Logger.V(1).Infof("finished the resource owner password credentials flow")
-	return tokenSet, nil
+	return &Output{
+		IDToken:       tokenSet.IDToken,
+		IDTokenClaims: tokenSet.IDTokenClaims,
+		RefreshToken:  tokenSet.RefreshToken,
+	}, nil
 }
--- a/pkg/usecases/authentication/ropc/ropc_test.go
+++ b/pkg/usecases/authentication/ropc/ropc_test.go
@@ -1,4 +1,4 @@
-package ropc
+package authentication

 import (
 	"context"
@@ -7,10 +7,10 @@ import (

 	"github.com/golang/mock/gomock"
 	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/mock_oidcclient"
 	"github.com/int128/kubelogin/pkg/adaptors/reader/mock_reader"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"golang.org/x/xerrors"
 )
@@ -28,11 +28,11 @@ func TestROPC_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &Option{}
+		o := &ROPCOption{}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				IDTokenClaims: dummyTokenClaims,
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
@@ -48,7 +48,7 @@ func TestROPC_Do(t *testing.T) {
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
-		want := &oidc.TokenSet{
+		want := &Output{
 			IDToken:       "YOUR_ID_TOKEN",
 			RefreshToken:  "YOUR_REFRESH_TOKEN",
 			IDTokenClaims: dummyTokenClaims,
@@ -63,14 +63,14 @@ func TestROPC_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &Option{
+		o := &ROPCOption{
 			Username: "USER",
 			Password: "PASS",
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenClaims: dummyTokenClaims,
@@ -82,7 +82,7 @@ func TestROPC_Do(t *testing.T) {
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
-		want := &oidc.TokenSet{
+		want := &Output{
 			IDToken:       "YOUR_ID_TOKEN",
 			RefreshToken:  "YOUR_REFRESH_TOKEN",
 			IDTokenClaims: dummyTokenClaims,
@@ -97,13 +97,13 @@ func TestROPC_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &Option{
+		o := &ROPCOption{
 			Username: "USER",
 		}
 		mockOIDCClient := mock_oidcclient.NewMockInterface(ctrl)
 		mockOIDCClient.EXPECT().
 			GetTokenByROPC(gomock.Any(), "USER", "PASS").
-			Return(&oidc.TokenSet{
+			Return(&oidcclient.TokenSet{
 				IDToken:       "YOUR_ID_TOKEN",
 				RefreshToken:  "YOUR_REFRESH_TOKEN",
 				IDTokenClaims: dummyTokenClaims,
@@ -118,7 +118,7 @@ func TestROPC_Do(t *testing.T) {
 		if err != nil {
 			t.Errorf("Do returned error: %+v", err)
 		}
-		want := &oidc.TokenSet{
+		want := &Output{
 			IDToken:       "YOUR_ID_TOKEN",
 			RefreshToken:  "YOUR_REFRESH_TOKEN",
 			IDTokenClaims: dummyTokenClaims,
@@ -133,7 +133,7 @@ func TestROPC_Do(t *testing.T) {
 		defer ctrl.Finish()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		o := &Option{
+		o := &ROPCOption{
 			Username: "USER",
 		}
 		mockEnv := mock_reader.NewMockInterface(ctrl)
--- a/pkg/usecases/credentialplugin/get_token.go
+++ b/pkg/usecases/credentialplugin/get_token.go
@@ -54,7 +54,7 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 		return xerrors.Errorf("could not get a token: %w", err)
 	}
 	u.Logger.V(1).Infof("writing the token to client-go")
-	if err := u.Writer.Write(credentialpluginwriter.Output{Token: out.TokenSet.IDToken, Expiry: out.TokenSet.IDTokenClaims.Expiry}); err != nil {
+	if err := u.Writer.Write(credentialpluginwriter.Output{Token: out.IDToken, Expiry: out.IDTokenClaims.Expiry}); err != nil {
 		return xerrors.Errorf("could not write the token to client-go: %w", err)
 	}
 	return nil
@@ -101,16 +101,16 @@ func (u *GetToken) getTokenFromCacheOrProvider(ctx context.Context, in Input) (*
 	if err != nil {
 		return nil, xerrors.Errorf("authentication error: %w", err)
 	}
-	u.Logger.V(1).Infof("you got a token: %s", out.TokenSet.IDTokenClaims.Pretty)
+	u.Logger.V(1).Infof("you got a token: %s", out.IDTokenClaims.Pretty)
 	if out.AlreadyHasValidIDToken {
-		u.Logger.V(1).Infof("you already have a valid token until %s", out.TokenSet.IDTokenClaims.Expiry)
+		u.Logger.V(1).Infof("you already have a valid token until %s", out.IDTokenClaims.Expiry)
 		return out, nil
 	}

-	u.Logger.V(1).Infof("you got a valid token until %s", out.TokenSet.IDTokenClaims.Expiry)
+	u.Logger.V(1).Infof("you got a valid token until %s", out.IDTokenClaims.Expiry)
 	newTokenCacheValue := tokencache.Value{
-		IDToken:      out.TokenSet.IDToken,
-		RefreshToken: out.TokenSet.RefreshToken,
+		IDToken:      out.IDToken,
+		RefreshToken: out.RefreshToken,
 	}
 	if err := u.TokenCacheRepository.Save(in.TokenCacheDir, tokenCacheKey, newTokenCacheValue); err != nil {
 		return nil, xerrors.Errorf("could not write the token cache: %w", err)
--- a/pkg/usecases/credentialplugin/get_token_test.go
+++ b/pkg/usecases/credentialplugin/get_token_test.go
@@ -12,8 +12,7 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter"
 	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
 	"github.com/int128/kubelogin/pkg/adaptors/tokencache/mock_tokencache"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/mock_authentication"
@@ -58,11 +57,9 @@ func TestGetToken_Do(t *testing.T) {
 				GrantOptionSet: grantOptionSet,
 			}).
 			Return(&authentication.Output{
-				TokenSet: oidc.TokenSet{
-					IDToken:       "YOUR_ID_TOKEN",
-					RefreshToken:  "YOUR_REFRESH_TOKEN",
-					IDTokenClaims: dummyTokenClaims,
-				},
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
 		tokenCacheRepository := mock_tokencache.NewMockInterface(ctrl)
 		tokenCacheRepository.EXPECT().
@@ -130,10 +127,8 @@ func TestGetToken_Do(t *testing.T) {
 			}).
 			Return(&authentication.Output{
 				AlreadyHasValidIDToken: true,
-				TokenSet: oidc.TokenSet{
-					IDToken:       "VALID_ID_TOKEN",
-					IDTokenClaims: dummyTokenClaims,
-				},
+				IDToken:                "VALID_ID_TOKEN",
+				IDTokenClaims:          dummyTokenClaims,
 			}, nil)
 		tokenCacheRepository := mock_tokencache.NewMockInterface(ctrl)
 		tokenCacheRepository.EXPECT().
--- a/pkg/usecases/credentialplugin/mock_credentialplugin/mock_credentialplugin.go
+++ b/pkg/usecases/credentialplugin/mock_credentialplugin/mock_credentialplugin.go
@@ -11,30 +11,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// Do mocks base method.
+// Do mocks base method
 func (m *MockInterface) Do(arg0 context.Context, arg1 credentialplugin.Input) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Do", arg0, arg1)
@@ -42,7 +42,7 @@ func (m *MockInterface) Do(arg0 context.Context, arg1 credentialplugin.Input) er
 	return ret0
 }

-// Do indicates an expected call of Do.
+// Do indicates an expected call of Do
 func (mr *MockInterfaceMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockInterface)(nil).Do), arg0, arg1)
--- a/pkg/usecases/setup/stage2.go
+++ b/pkg/usecases/setup/stage2.go
@@ -103,11 +103,11 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 	}

 	v := stage2Vars{
-		IDTokenPrettyJSON: out.TokenSet.IDTokenClaims.Pretty,
+		IDTokenPrettyJSON: out.IDTokenClaims.Pretty,
 		IssuerURL:         in.IssuerURL,
 		ClientID:          in.ClientID,
 		Args:              makeCredentialPluginArgs(in),
-		Subject:           out.TokenSet.IDTokenClaims.Subject,
+		Subject:           out.IDTokenClaims.Subject,
 	}
 	var b strings.Builder
 	if err := stage2Tpl.Execute(&b, &v); err != nil {
@@ -137,8 +137,8 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 		args = append(args, "--insecure-skip-tls-verify")
 	}

-	if in.GrantOptionSet.AuthCodeBrowserOption != nil {
-		if in.GrantOptionSet.AuthCodeBrowserOption.SkipOpenBrowser {
+	if in.GrantOptionSet.AuthCodeOption != nil {
+		if in.GrantOptionSet.AuthCodeOption.SkipOpenBrowser {
 			args = append(args, "--skip-open-browser")
 		}
 	}
--- a/pkg/usecases/setup/stage2_test.go
+++ b/pkg/usecases/setup/stage2_test.go
@@ -8,8 +8,7 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool/mock_certpool"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/mock_authentication"
@@ -46,14 +45,12 @@ func TestSetup_DoStage2(t *testing.T) {
 			GrantOptionSet: grantOptionSet,
 		}).
 		Return(&authentication.Output{
-			TokenSet: oidc.TokenSet{
-				IDToken:      "YOUR_ID_TOKEN",
-				RefreshToken: "YOUR_REFRESH_TOKEN",
-				IDTokenClaims: jwt.Claims{
-					Subject: "YOUR_SUBJECT",
-					Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
-					Pretty:  "PRETTY_JSON",
-				},
+			IDToken:      "YOUR_ID_TOKEN",
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+			IDTokenClaims: jwt.Claims{
+				Subject: "YOUR_SUBJECT",
+				Expiry:  time.Date(2019, 1, 2, 3, 4, 5, 0, time.UTC),
+				Pretty:  "PRETTY_JSON",
 			},
 		}, nil)
 	u := Setup{
--- a/pkg/usecases/standalone/mock_standalone/mock_standalone.go
+++ b/pkg/usecases/standalone/mock_standalone/mock_standalone.go
@@ -11,30 +11,30 @@ import (
 	reflect "reflect"
 )

-// MockInterface is a mock of Interface interface.
+// MockInterface is a mock of Interface interface
 type MockInterface struct {
 	ctrl     *gomock.Controller
 	recorder *MockInterfaceMockRecorder
 }

-// MockInterfaceMockRecorder is the mock recorder for MockInterface.
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
 type MockInterfaceMockRecorder struct {
 	mock *MockInterface
 }

-// NewMockInterface creates a new mock instance.
+// NewMockInterface creates a new mock instance
 func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
 	mock := &MockInterface{ctrl: ctrl}
 	mock.recorder = &MockInterfaceMockRecorder{mock}
 	return mock
 }

-// EXPECT returns an object that allows the caller to indicate expected use.
+// EXPECT returns an object that allows the caller to indicate expected use
 func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }

-// Do mocks base method.
+// Do mocks base method
 func (m *MockInterface) Do(arg0 context.Context, arg1 standalone.Input) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Do", arg0, arg1)
@@ -42,7 +42,7 @@ func (m *MockInterface) Do(arg0 context.Context, arg1 standalone.Input) error {
 	return ret0
 }

-// Do indicates an expected call of Do.
+// Do indicates an expected call of Do
 func (mr *MockInterfaceMockRecorder) Do(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Do", reflect.TypeOf((*MockInterface)(nil).Do), arg0, arg1)
--- a/pkg/usecases/standalone/standalone.go
+++ b/pkg/usecases/standalone/standalone.go
@@ -2,6 +2,8 @@ package standalone

 import (
 	"context"
+	"strings"
+	"text/template"

 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/adaptors/certpool"
@@ -28,23 +30,12 @@ type Input struct {
 	KubeconfigFilename string                 // Default to the environment variable or global config as kubectl
 	KubeconfigContext  kubeconfig.ContextName // Default to the current context but ignored if KubeconfigUser is set
 	KubeconfigUser     kubeconfig.UserName    // Default to the user of the context
-	CACertFilename     string                 // optional
-	CACertData         string                 // optional
+	CACertFilename     string                 // If set, use the CA cert
 	SkipTLSVerify      bool
 	GrantOptionSet     authentication.GrantOptionSet
 }

-const oidcConfigErrorMessage = `No configuration found.
-You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
-To show the setup instruction:
-
-	kubectl oidc-login setup
-
-See https://github.com/int128/kubelogin for more.
-`
-
-const deprecationMessage = `NOTE: You can use the credential plugin mode for better user experience.
-Kubectl automatically runs kubelogin and you do not need to run kubelogin explicitly.
+const oidcConfigErrorMessage = `You need to set up the kubeconfig for OpenID Connect authentication.
 See https://github.com/int128/kubelogin for more.
 `

@@ -69,7 +60,9 @@ func (u *Standalone) Do(ctx context.Context, in Input) error {
 		u.Logger.Printf(oidcConfigErrorMessage)
 		return xerrors.Errorf("could not find the current authentication provider: %w", err)
 	}
-	u.Logger.Printf(deprecationMessage)
+	if err := u.showDeprecation(in, authProvider); err != nil {
+		return xerrors.Errorf("could not show deprecation message: %w", err)
+	}
 	u.Logger.V(1).Infof("using the authentication provider of the user %s", authProvider.UserName)
 	u.Logger.V(1).Infof("a token will be written to %s", authProvider.LocationOfOrigin)
 	certPool := u.NewCertPool()
@@ -85,12 +78,7 @@ func (u *Standalone) Do(ctx context.Context, in Input) error {
 	}
 	if in.CACertFilename != "" {
 		if err := certPool.AddFile(in.CACertFilename); err != nil {
-			return xerrors.Errorf("could not load the certificate file: %w", err)
-		}
-	}
-	if in.CACertData != "" {
-		if err := certPool.AddBase64Encoded(in.CACertData); err != nil {
-			return xerrors.Errorf("could not load the certificate data: %w", err)
+			return xerrors.Errorf("could not load the certificate: %w", err)
 		}
 	}
 	out, err := u.Authentication.Do(ctx, authentication.Input{
@@ -107,18 +95,79 @@ func (u *Standalone) Do(ctx context.Context, in Input) error {
 	if err != nil {
 		return xerrors.Errorf("authentication error: %w", err)
 	}
-	u.Logger.V(1).Infof("you got a token: %s", out.TokenSet.IDTokenClaims.Pretty)
+	u.Logger.V(1).Infof("you got a token: %s", out.IDTokenClaims.Pretty)
 	if out.AlreadyHasValidIDToken {
-		u.Logger.Printf("You already have a valid token until %s", out.TokenSet.IDTokenClaims.Expiry)
+		u.Logger.Printf("You already have a valid token until %s", out.IDTokenClaims.Expiry)
 		return nil
 	}

-	u.Logger.Printf("You got a valid token until %s", out.TokenSet.IDTokenClaims.Expiry)
-	authProvider.IDToken = out.TokenSet.IDToken
-	authProvider.RefreshToken = out.TokenSet.RefreshToken
+	u.Logger.Printf("You got a valid token until %s", out.IDTokenClaims.Expiry)
+	authProvider.IDToken = out.IDToken
+	authProvider.RefreshToken = out.RefreshToken
 	u.Logger.V(1).Infof("writing the ID token and refresh token to %s", authProvider.LocationOfOrigin)
 	if err := u.Kubeconfig.UpdateAuthProvider(authProvider); err != nil {
 		return xerrors.Errorf("could not update the kubeconfig: %w", err)
 	}
 	return nil
 }
+
+var deprecationTpl = template.Must(template.New("").Parse(
+	`IMPORTANT NOTICE:
+The credential plugin mode is available since v1.14.0.
+Kubectl will automatically run kubelogin and you do not need to run kubelogin explicitly.
+
+You can switch to the credential plugin mode by the following command:
+
+	kubectl config set-credentials oidc \
+	  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+	  --exec-command=kubectl \
+	  --exec-arg=oidc-login \
+	  --exec-arg=get-token \
+{{- range .Args }}
+	  --exec-arg={{ . }}
+{{- end }}
+	kubectl config set-context --current --user=oidc
+
+See https://github.com/int128/kubelogin for more.
+
+`))
+
+type deprecationVars struct {
+	Args []string
+}
+
+func (u *Standalone) showDeprecation(in Input, p *kubeconfig.AuthProvider) error {
+	var args []string
+	args = append(args, "--oidc-issuer-url="+p.IDPIssuerURL)
+	args = append(args, "--oidc-client-id="+p.ClientID)
+	if p.ClientSecret != "" {
+		args = append(args, "--oidc-client-secret="+p.ClientSecret)
+	}
+	for _, extraScope := range p.ExtraScopes {
+		args = append(args, "--oidc-extra-scope="+extraScope)
+	}
+	if p.IDPCertificateAuthority != "" {
+		args = append(args, "--certificate-authority="+p.IDPCertificateAuthority)
+	}
+	if p.IDPCertificateAuthorityData != "" {
+		args = append(args, "--certificate-authority-data="+p.IDPCertificateAuthorityData)
+	}
+	if in.CACertFilename != "" {
+		args = append(args, "--certificate-authority="+in.CACertFilename)
+	}
+	if in.GrantOptionSet.ROPCOption != nil {
+		if in.GrantOptionSet.ROPCOption.Username != "" {
+			args = append(args, "--username="+in.GrantOptionSet.ROPCOption.Username)
+		}
+	}
+
+	v := deprecationVars{
+		Args: args,
+	}
+	var b strings.Builder
+	if err := deprecationTpl.Execute(&b, &v); err != nil {
+		return xerrors.Errorf("template error: %w", err)
+	}
+	u.Logger.Printf("%s", b.String())
+	return nil
+}
--- a/pkg/usecases/standalone/standalone_test.go
+++ b/pkg/usecases/standalone/standalone_test.go
@@ -10,8 +10,7 @@ import (
 	"github.com/int128/kubelogin/pkg/adaptors/certpool/mock_certpool"
 	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
 	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig/mock_kubeconfig"
-	"github.com/int128/kubelogin/pkg/jwt"
-	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/domain/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/mock_authentication"
@@ -35,7 +34,6 @@ func TestStandalone_Do(t *testing.T) {
 			KubeconfigContext:  "theContext",
 			KubeconfigUser:     "theUser",
 			CACertFilename:     "/path/to/cert1",
-			CACertData:         "BASE64ENCODED1",
 			SkipTLSVerify:      true,
 			GrantOptionSet:     grantOptionSet,
 		}
@@ -46,7 +44,7 @@ func TestStandalone_Do(t *testing.T) {
 			ClientID:                    "YOUR_CLIENT_ID",
 			ClientSecret:                "YOUR_CLIENT_SECRET",
 			IDPCertificateAuthority:     "/path/to/cert2",
-			IDPCertificateAuthorityData: "BASE64ENCODED2",
+			IDPCertificateAuthorityData: "BASE64ENCODED",
 		}
 		mockCertPool := mock_certpool.NewMockInterface(ctrl)
 		mockCertPool.EXPECT().
@@ -54,9 +52,7 @@ func TestStandalone_Do(t *testing.T) {
 		mockCertPool.EXPECT().
 			AddFile("/path/to/cert2")
 		mockCertPool.EXPECT().
-			AddBase64Encoded("BASE64ENCODED1")
-		mockCertPool.EXPECT().
-			AddBase64Encoded("BASE64ENCODED2")
+			AddBase64Encoded("BASE64ENCODED")
 		mockKubeconfig := mock_kubeconfig.NewMockInterface(ctrl)
 		mockKubeconfig.EXPECT().
 			GetCurrentAuthProvider("/path/to/kubeconfig", kubeconfig.ContextName("theContext"), kubeconfig.UserName("theUser")).
@@ -69,7 +65,7 @@ func TestStandalone_Do(t *testing.T) {
 				ClientID:                    "YOUR_CLIENT_ID",
 				ClientSecret:                "YOUR_CLIENT_SECRET",
 				IDPCertificateAuthority:     "/path/to/cert2",
-				IDPCertificateAuthorityData: "BASE64ENCODED2",
+				IDPCertificateAuthorityData: "BASE64ENCODED",
 				IDToken:                     "YOUR_ID_TOKEN",
 				RefreshToken:                "YOUR_REFRESH_TOKEN",
 			})
@@ -84,11 +80,9 @@ func TestStandalone_Do(t *testing.T) {
 				GrantOptionSet: grantOptionSet,
 			}).
 			Return(&authentication.Output{
-				TokenSet: oidc.TokenSet{
-					IDToken:       "YOUR_ID_TOKEN",
-					RefreshToken:  "YOUR_REFRESH_TOKEN",
-					IDTokenClaims: dummyTokenClaims,
-				},
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
 		u := Standalone{
 			Authentication: mockAuthentication,
@@ -130,10 +124,8 @@ func TestStandalone_Do(t *testing.T) {
 			}).
 			Return(&authentication.Output{
 				AlreadyHasValidIDToken: true,
-				TokenSet: oidc.TokenSet{
-					IDToken:       "VALID_ID_TOKEN",
-					IDTokenClaims: dummyTokenClaims,
-				},
+				IDToken:                "VALID_ID_TOKEN",
+				IDTokenClaims:          dummyTokenClaims,
 			}, nil)
 		u := Standalone{
 			Authentication: mockAuthentication,
@@ -240,11 +232,9 @@ func TestStandalone_Do(t *testing.T) {
 				CertPool:     mockCertPool,
 			}).
 			Return(&authentication.Output{
-				TokenSet: oidc.TokenSet{
-					IDToken:       "YOUR_ID_TOKEN",
-					RefreshToken:  "YOUR_REFRESH_TOKEN",
-					IDTokenClaims: dummyTokenClaims,
-				},
+				IDToken:       "YOUR_ID_TOKEN",
+				RefreshToken:  "YOUR_REFRESH_TOKEN",
+				IDTokenClaims: dummyTokenClaims,
 			}, nil)
 		u := Standalone{
 			Authentication: mockAuthentication,
--- a/system_test/Makefile
+++ b/system_test/Makefile
@@ -1,109 +0,0 @@
-CLUSTER_NAME := kubelogin-system-test
-OUTPUT_DIR := $(CURDIR)/output
-
-PATH := $(PATH):$(OUTPUT_DIR)/bin
-export PATH
-KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
-export KUBECONFIG
-
-# run the login script instead of opening chrome
-BROWSER := $(OUTPUT_DIR)/bin/chromelogin
-export BROWSER
-
-.PHONY: test
-test: build
-	# see the setup instruction
-	kubectl oidc-login setup \
-		--oidc-issuer-url=https://dex-server:10443/dex \
-		--oidc-client-id=YOUR_CLIENT_ID \
-		--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--oidc-extra-scope=email \
-		--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# set up the kubeconfig
-	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
-		--exec-command=kubectl \
-		--exec-arg=oidc-login \
-		--exec-arg=get-token \
-		--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
-		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
-		--exec-arg=--oidc-extra-scope=email \
-		--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
-	# make sure we can access the cluster
-	kubectl --user=oidc cluster-info
-	# switch the current context
-	kubectl config set-context --current --user=oidc
-	# make sure we can access the cluster
-	kubectl cluster-info
-
-.PHONY: setup
-setup: build dex cluster setup-chrome
-
-.PHONY: setup-chrome
-setup-chrome: $(OUTPUT_DIR)/ca.crt
-	# add the dex server certificate to the trust store
-	mkdir -p ~/.pki/nssdb
-	cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
-
-# build binaries
-.PHONY: build
-build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
-$(OUTPUT_DIR)/bin/kubectl-oidc_login:
-	go build -o $@ ..
-$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
-	go build -o $@ ./chromelogin
-
-# create a Dex server
-.PHONY: dex
-dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
-	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
-	docker cp $(OUTPUT_DIR)/server.crt dex-server:/
-	docker cp $(OUTPUT_DIR)/server.key dex-server:/
-	docker cp dex.yaml dex-server:/
-	docker start dex-server
-	docker logs dex-server
-
-$(OUTPUT_DIR)/ca.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
-	openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
-$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
-	openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
-$(OUTPUT_DIR)/server.key:
-	mkdir -p $(OUTPUT_DIR)
-	openssl genrsa -out $@ 2048
-$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
-	openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
-$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
-	openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
-
-# create a Kubernetes cluster
-.PHONY: cluster
-cluster: dex create-cluster
-	# add the Dex container IP to /etc/hosts of kube-apiserver
-	docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
-		kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
-	# wait for kube-apiserver oidc initialization
-	# (oidc authenticator will retry oidc discovery every 10s)
-	sleep 10
-
-.PHONY: create-cluster
-create-cluster: $(OUTPUT_DIR)/ca.crt
-	cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-system-test-dex-ca.crt
-	kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
-	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
-	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
-
-# clean up the resources
-.PHONY: clean
-clean:
-	-rm -r $(OUTPUT_DIR)
-.PHONY: delete-cluster
-delete-cluster:
-	kind delete cluster --name $(CLUSTER_NAME)
-.PHONY: delete-dex
-delete-dex:
-	docker stop dex-server
-	docker rm dex-server
--- a/system_test/README.md
+++ b/system_test/README.md
@@ -1,112 +0,0 @@
-# kubelogin/system_test
-
-This is an automated test for verifying behavior of the plugin with a real Kubernetes cluster and OIDC provider.
-
-
-## Purpose
-
-This test checks the following points:
-
-1. User can set up Kubernetes OIDC authentication using [setup guide](../docs/setup.md).
-1. User can log in to an OIDC provider on a browser.
-1. User can access the cluster using a token returned from the plugin.
-
-It depends on the following components:
-
- Kubernetes cluster (Kind)
- OIDC provider (Dex)
- Browser (Chrome)
- kubectl command
-
-
-## How it works
-
-Let's take a look at the diagram.
-
-![diagram](../docs/system-test-diagram.svg)
-
-It prepares the following resources:
-
-1. Generate a pair of CA certificate and TLS server certificate for Dex.
-1. Run Dex on a container.
-1. Create a Kubernetes cluster using Kind.
-1. Mutate `/etc/hosts` of the CI machine to access Dex.
-1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
-
-It performs the test by the following steps:
-
-1. Run kubectl.
-1. kubectl automatically runs kubelogin.
-1. kubelogin automatically runs [chromelogin](chromelogin).
-1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
-1. kubelogin gets an authorization code from the browser.
-1. kubelogin gets a token.
-1. kubectl accesses an API with the token.
-1. kube-apiserver verifies the token by Dex.
-1. Check if kubectl exited with code 0.
-
-
-## Run locally
-
-You need to set up the following components:
-
- Docker
- Kind
- Chrome or Chromium
-
-You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
-
-```
-127.0.0.1 dex-server
-```
-
-Run the test.
-
-```shell script
-# run the test
-make
-
-# clean up
-make delete-cluster
-make delete-dex
-```
-
-
-## Technical consideration
-
-### Network and DNS
-
-Consider the following issues:
-
- kube-apiserver runs on the host network of the kind container.
- kube-apiserver cannot resolve a service name by kube-dns.
- kube-apiserver cannot access a cluster IP.
- kube-apiserver can access another container via the Docker network.
- Chrome requires exactly match of domain name between Dex URL and a server certificate.
-
-Consequently,
-
- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
-
-### TLS server certificate
-
-Consider the following issues:
-
- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
- It is possible to mount a file from the CI machine.
- It is not possible to issue a certificate using Let's Encrypt in runtime.
- Chrome requires a valid certificate in `~/.pki/nssdb`.
-
-As a result,
-
- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
- kubelogin uses the CA certificate in `output/ca.crt`.
- Chrome uses the CA certificate in `~/.pki/nssdb`.
-
-### Test environment
-
- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.
--- a/system_test/cluster.yaml
+++ b/system_test/cluster.yaml
@@ -1,20 +0,0 @@
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
-kubeadmConfigPatches:
-  - |
-    apiVersion: kubeadm.k8s.io/v1beta2
-    kind: ClusterConfiguration
-    metadata:
-      name: config
-    apiServer:
-      extraArgs:
-        oidc-issuer-url: https://dex-server:10443/dex
-        oidc-client-id: YOUR_CLIENT_ID
-        oidc-username-claim: email
-        oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
-nodes:
-  - role: control-plane
-    extraMounts:
-      - hostPath: /tmp/kubelogin-system-test-dex-ca.crt
-        containerPath: /usr/local/share/ca-certificates/dex-ca.crt