Remove deprecation of standalone mode (#680)

* Remove deprecation of standalone mode

* Update standalone-mode.md

.circleci/Makefile

@@ -1,16 +0,0 @@
-.PHONY: all
-all:
-
-.PHONY: install-test-deps
-install-test-deps:
-	go get -v github.com/int128/goxzst
-
-.PHONY: install-release-deps
-install-release-deps: go
-	go get -v github.com/int128/goxzst github.com/int128/ghcp
-
-go:
-	curl -sSfL -o go.tgz "https://golang.org/dl/go`ruby go_version_from_config.rb < config.yml`.darwin-amd64.tar.gz"
-	tar -xf go.tgz
-	rm go.tgz
-	./go/bin/go version

.circleci/config.yml

@@ -1,60 +0,0 @@
-version: 2.1
-
-jobs:
-  test:
-    docker:
-      - image: cimg/go:1.15.8
-    steps:
-      - checkout
-      - restore_cache:
-          keys:
-            - go-sum-{{ checksum "go.sum" }}
-      - run: make -C .circleci install-test-deps
-      - run: mkdir -p /tmp/gotest
-      - run: gotestsum --junitfile /tmp/gotest/gotest.xml -- -v -race -cover -coverprofile=coverage.out ./...
-      - store_test_results:
-          path: /tmp/gotest
-      - save_cache:
-          key: go-sum-{{ checksum "go.sum" }}
-          paths:
-            - ~/go/pkg
-      - run: bash <(curl -s https://codecov.io/bash)
-
-  release:
-    macos:
-      # https://circleci.com/docs/2.0/testing-ios/
-      xcode: 11.5.0
-    steps:
-      - run: echo 'export PATH="$HOME/go/bin:$PWD/.circleci/go/bin:$PATH"' >> $BASH_ENV
-      - checkout
-      - restore_cache:
-          keys:
-            - go-macos-{{ checksum "go.sum" }}
-      - run: make -C .circleci install-release-deps
-      - run: make dist
-      - run: |
-          if [ "$CIRCLE_TAG" ]; then
-            make release
-          fi
-      - save_cache:
-          key: go-macos-{{ checksum "go.sum" }}
-          paths:
-            - ~/go/pkg
-
-workflows:
-  version: 2
-  build:
-    jobs:
-      - test:
-          filters:
-            tags:
-              only: /^v.*/
-      - release:
-          context: open-source
-          requires:
-            - test
-          filters:
-            branches:
-              only: /^release-feature.*/
-            tags:
-              only: /^v.*/

.circleci/go.mod

@@ -1,3 +0,0 @@
-module github.com/int128/kubelogin/.circleci
-
-go 1.13

.circleci/go_version_from_config.rb

@@ -1,11 +0,0 @@
-require 'yaml'
-
-config = YAML.load(STDIN)
-
-image = config["jobs"]["test"]["docker"][0]["image"]
-if !image.start_with?("cimg/go:")
-  raise "unknown image #{image} in #{configPath}"
-end
-
-goVersion = image.delete_prefix("cimg/go:")
-print(goVersion)

.github/renovate.json

@@ -1,14 +0,0 @@
-{
-  "extends": [
-    "config:base"
-  ],
-  "packageRules": [
-    {
-      "updateTypes": ["minor", "patch", "digest"],
-      "automerge": true
-    }
-  ],
-  "postUpdateOptions": [
-    "gomodTidy"
-  ]
-}

.github/renovate.json5

@@ -0,0 +1,6 @@
+{
+  "extends": [
+    "config:base",
+    "github>int128/go-actions",
+  ],
+}

.github/workflows/docker.yaml

@@ -0,0 +1,52 @@
+name: docker
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+      - Makefile
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+      - Makefile
+    tags:
+      - v*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: docker/metadata-action@v3
+        id: metadata
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@v1
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+      - uses: docker/build-push-action@v2
+        with:
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.cache-from }}
+          cache-to: ${{ steps.cache.outputs.cache-to }}
+          platforms: linux/amd64,linux/arm64

.github/workflows/go.yaml

@@ -0,0 +1,45 @@
+name: go
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.16
+      - uses: golangci/golangci-lint-action@v2
+        with:
+          version: v1.43.0
+          skip-go-installation: true
+          skip-pkg-cache: true
+          skip-build-cache: true
+
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.16
+      - run: go test -v -race ./...

.github/workflows/golangci-lint.yaml

@@ -1,17 +0,0 @@
-name: golangci-lint
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/golangci-lint.yaml
-      - '**.go'
-
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: golangci/golangci-lint-action@v2
-        with:
-          version: v1.36

.github/workflows/release.yaml

@@ -0,0 +1,70 @@
+name: release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        platform:
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: amd64
+            CGO_ENABLED: 0 # https://github.com/int128/kubelogin/issues/567
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm64
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: amd64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/249
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: arm64
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: amd64
+    runs-on: ${{ matrix.platform.runs-on }}
+    env:
+      GOOS: ${{ matrix.platform.GOOS }}
+      GOARCH: ${{ matrix.platform.GOARCH }}
+      CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.16
+      - run: go build -ldflags "-X main.version=${GITHUB_REF##*/}"
+      - uses: int128/go-actions/release@v1
+        with:
+          binary: kubelogin
+
+  publish:
+    if: startswith(github.ref, 'refs/tags/')
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: rajatjindal/krew-release-bot@v0.0.40

.github/workflows/system-test.yaml

@@ -1,14 +1,23 @@
+name: system-test
+
 on:
   pull_request:
-    paths: 
+    branches:
+      - master
+    paths:
       - .github/workflows/system-test.yaml
       - system_test/**
       - pkg/**
       - go.*
   push:
-    # for go mod tidy
-    branches: [master]
-    paths: [go.*]
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+
 jobs:
   system-test:
     # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
@@ -16,7 +25,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: 1.15
+          go-version: 1.16
         id: go
       - uses: actions/checkout@v2
       - uses: actions/cache@v2

.gitignore

@@ -2,10 +2,9 @@
 
 /acceptance_test/output/
 
-/dist/output
 /coverage.out
 
 /kubelogin
 /kubectl-oidc_login
-
-/.circleci/go/
+/kubelogin_*.zip
+/kubelogin_*.zip.sha256

.krew.yaml

@@ -0,0 +1,62 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: oidc-login
+spec:
+  homepage: https://github.com/int128/kubelogin
+  shortDescription: Log in to the OpenID Connect provider
+  description: |
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.
+
+  caveats: |
+    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+  version: {{ .TagName }}
+  platforms:
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: amd64

Dockerfile

@@ -0,0 +1,12 @@
+FROM golang:1.17 as builder
+
+WORKDIR /builder
+COPY go.* .
+RUN go mod download
+COPY main.go .
+COPY pkg pkg
+RUN go build
+
+FROM gcr.io/distroless/base-debian10
+COPY --from=builder /builder/kubelogin /
+ENTRYPOINT ["/kubelogin"]

Makefile

@@ -1,44 +0,0 @@
-# CircleCI specific variables
-CIRCLE_TAG ?= latest
-GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
-GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)
-
-TARGET := kubelogin
-TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
-VERSION ?= $(CIRCLE_TAG)
-LDFLAGS := -X main.version=$(VERSION)
-
-all: $(TARGET)
-
-$(TARGET): $(wildcard **/*.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
-
-.PHONY: dist
-dist: dist/output
-dist/output:
-	# make the zip files for GitHub Releases
-	VERSION=$(VERSION) goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
-	# test the zip file
-	zipinfo dist/output/kubelogin_linux_amd64.zip
-	# make the krew yaml structure
-	mkdir -p dist/output/plugins
-	mv dist/output/oidc-login.yaml dist/output/plugins/oidc-login.yaml
-
-.PHONY: release
-release: dist
-	# publish the binaries
-	ghcp release -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)" -t "$(VERSION)" dist/output/
-	# publish the Homebrew formula
-	ghcp commit -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ kubelogin.rb
-	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
-	# publish the Dockerfile
-	ghcp commit -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ Dockerfile
-	ghcp pull-request -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
-	# publish the Krew manifest
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(VERSION)" -m "Bump oidc-login to $(VERSION)" -C dist/output/ plugins/oidc-login.yaml
-
-.PHONY: clean
-clean:
-	-rm $(TARGET)
-	-rm -r dist/output/
-	-rm coverage.out gotest.log

README.md

@@ -1,4 +1,4 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![go](https://github.com/int128/kubelogin/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kubelogin/actions/workflows/go.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
 
 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
 
@@ -31,6 +31,8 @@ kubectl krew install oidc-login
 choco install kubelogin
 ```
 
+If you install via GitHub releases, you need to put the `kubelogin` binary on your path under the name `kubectl-oidc_login` so that the [kubectl plugin mechanism](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) can find it when you invoke `kubectl oidc-login`. The other install methods do this for you.
+
 You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
 The kubeconfig looks like:
 
@@ -65,7 +67,7 @@ Kubelogin automatically opens the browser, and you can log in to the provider.
 
 <img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
 
-After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
+After authentication, kubelogin returns the credentials to kubectl and kubectl then calls the Kubernetes APIs with these credentials.
 
 ```
 % kubectl get pods
@@ -78,13 +80,13 @@ Kubelogin writes the ID token and refresh token to the token cache file.
 
 If the cached ID token is valid, kubelogin just returns it.
 If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will perform reauthentication.
+If the refresh token has expired, kubelogin will perform re-authentication (you will have to login via browser again).
 
 
 ### Troubleshoot
 
 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
-Kubelogin will perform authentication if the token cache file does not exist.
+Kubelogin will ask you to login via browser again if the token cache file does not exist i.e., it starts with a clean slate
 
 You can dump claims of an ID token by `setup` command.
 
@@ -123,7 +125,7 @@ You can verify kubelogin works with your provider using [acceptance test](accept
 
 - [Setup guide](docs/setup.md)
 - [Usage and options](docs/usage.md)
-- [Standalone mode](docs/standalone-mode.md) (deprecated)
+- [Standalone mode](docs/standalone-mode.md)
 
 
 ## Related works
@@ -142,7 +144,7 @@ Your pull request will be merged into master with squash.
 
 ### Development
 
-Go 1.15+ is required.
+Go 1.16+ is required.
 
 ```sh
 make

dist/Dockerfile

@@ -1,13 +0,0 @@
-FROM alpine:3.13
-
-ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
-ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
-
-# Download the release and test the checksum
-RUN wget -O /kubelogin.zip "https://github.com/int128/kubelogin/releases/download/$KUBELOGIN_VERSION/kubelogin_linux_amd64.zip" && \
-    echo "$KUBELOGIN_SHA256  /kubelogin.zip" | sha256sum -c - && \
-    unzip /kubelogin.zip && \
-    rm /kubelogin.zip
-
-USER daemon
-ENTRYPOINT ["/kubelogin"]

dist/kubelogin.rb

@@ -1,24 +0,0 @@
-class Kubelogin < Formula
-  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
-  homepage "https://github.com/int128/kubelogin"
-  version "{{ env "VERSION" }}"
-
-  on_macos do
-    url "https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip"
-    sha256 "{{ sha256 .darwin_amd64_archive }}"
-  end
-  on_linux do
-    url "https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip"
-    sha256 "{{ sha256 .linux_amd64_archive }}"
-  end
-
-  def install
-    bin.install "kubelogin" => "kubelogin"
-    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
-  end
-
-  test do
-    system "#{bin}/kubelogin -h"
-    system "#{bin}/kubectl-oidc_login -h"
-  end
-end

dist/oidc-login.yaml

@@ -1,86 +0,0 @@
-apiVersion: krew.googlecontainertools.github.com/v1alpha2
-kind: Plugin
-metadata:
-  name: oidc-login
-spec:
-  homepage: https://github.com/int128/kubelogin
-  shortDescription: Log in to the OpenID Connect provider
-  description: |
-    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
-
-    ## Credential plugin mode
-    kubectl executes oidc-login before calling the Kubernetes APIs.
-    oidc-login automatically opens the browser and you can log in to the provider.
-    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
-    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
-
-    ## Standalone mode
-    Run `kubectl oidc-login`.
-    It automatically opens the browser and you can log in to the provider.
-    After authentication, it writes the token to the kubeconfig and you can access the cluster.
-    See https://github.com/int128/kubelogin#standalone-mode for more.
-
-  caveats: |
-    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
-  version: {{ env "VERSION" }}
-  platforms:
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
-      sha256: "{{ sha256 .linux_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip
-      sha256: "{{ sha256 .darwin_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: darwin
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_windows_amd64.zip
-      sha256: "{{ sha256 .windows_amd64_archive }}"
-      bin: kubelogin.exe
-      files:
-        - from: kubelogin.exe
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: windows
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
-      sha256: "{{ sha256 .linux_arm_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: arm
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
-      sha256: "{{ sha256 .linux_arm64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: arm64

docs/setup.md

@@ -129,6 +129,25 @@ You do not need to set `YOUR_CLIENT_SECRET`.
 If you need `groups` claim for access control,
 see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
 
+### Ping Identity
+
+Login with an account that has permissions to create applications.
+Create an OIDC application with the following configuration:
+
+- Redirect URIs:
+    - `http://localhost:8000`
+    - `http://localhost:18000` (used if the port 8000 is already in use)
+- Grant type: Authorization Code
+- PKCE Enforcement: Required
+
+Leverage the following variables in the next steps.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://auth.pingone.com/<PingOne Tenant Id>/as`
+`YOUR_CLIENT_ID`        |  random string
+
+`YOUR_CLIENT_SECRET` is not required for this configuration.
 
 ## 2. Verify authentication
 

docs/standalone-mode.md

@@ -1,9 +1,12 @@
 # Standalone mode
 
-You can run kubelogin as a standalone command.
-In this mode, you need to manually run the command before running kubectl.
+Kubelogin supports the standalone mode as well.
+It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.
 
-Configure the kubeconfig like:
+
+## Getting started
+
+Configure your kubeconfig like:
 
 ```yaml
 - name: keycloak
@@ -31,7 +34,7 @@ It automatically opens the browser and you can log in to the provider.
 
 After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
 
-```
+```console
 % kubelogin
 Open http://localhost:8000 for authentication
 You got a valid token until 2019-05-18 10:28:51 +0900 JST
@@ -40,7 +43,7 @@ Updated ~/.kubeconfig
 
 Now you can access the cluster.
 
-```
+```console
 % kubectl get pods
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
@@ -64,7 +67,7 @@ users:
 
 If the ID token is valid, kubelogin does nothing.
 
-```
+```console
 % kubelogin
 You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 ```
@@ -75,8 +78,6 @@ If the refresh token has expired, kubelogin will proceed the authentication.
 
 ## Usage
 
-### Kubeconfig
-
 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
 It defaults to `~/.kube/config`.
 
@@ -104,26 +105,4 @@ Key | Direction | Value
 `id-token`                        | Write | ID token got from the provider.
 `refresh-token`                   | Write | Refresh token got from the provider.
 
-### Extra scopes
-
-You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
-```
-
-Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
-sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
-```
-
-### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```sh
-kubectl config set-credentials keycloak \
-  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
-```
+See also [usage.md](usage.md).

docs/usage.md

@@ -11,6 +11,7 @@ Flags:
       --oidc-client-id string                           Client ID of the provider (mandatory)
       --oidc-client-secret string                       Client secret of the provider
       --oidc-extra-scope strings                        Scopes to request to the provider
+      --oidc-use-pkce                                   Force PKCE usage
       --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
       --certificate-authority stringArray               Path to a cert file for the certificate authority
       --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
@@ -20,6 +21,7 @@ Flags:
       --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
       --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
       --skip-open-browser                               [authcode] Do not open the browser automatically
+      --browser-command string                          [authcode] Command to open the browser
       --authentication-timeout-sec int                  [authcode] Timeout of authentication in seconds (default 180)
       --local-server-cert string                        [authcode] Certificate path for the local server
       --local-server-key string                         [authcode] Certificate key path for the local server
@@ -31,13 +33,14 @@ Flags:
   -h, --help                                            help for get-token
 
 Global Flags:
-      --add_dir_header                   If true, adds the file directory to the header
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
       --alsologtostderr                  log to standard error as well as files
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                   If non-empty, write log files in this directory
       --log_file string                  If non-empty, use this log file
       --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
       --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level)
       --skip_headers                     If true, avoid header prefixes in the log messages
       --skip_log_headers                 If true, avoid headers when opening log files
       --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
@@ -83,6 +86,16 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
 
+### Home directory expansion
+
+If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
+
+- `--certificate-authority`
+- `--local-server-cert`
+- `--local-server-key`
+- `--token-cache-dir`
+
+
 ## Authentication flows
 
 Kubelogin support the following flows:
@@ -207,7 +220,7 @@ Password:
 
 ## Run in Docker
 
-You can run [the Docker image](https://quay.io/repository/int128/kubelogin) instead of the binary.
+You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
 The kubeconfig looks like:
 
 ```yaml
@@ -224,7 +237,7 @@ users:
       - /tmp/.token-cache:/.token-cache
       - -p
       - 8000:8000
-      - quay.io/int128/kubelogin
+      - ghcr.io/int128/kubelogin
       - get-token
       - --token-cache-dir=/.token-cache
       - --listen-address=0.0.0.0:8000

go.mod

@@ -1,26 +1,25 @@
 module github.com/int128/kubelogin
 
-go 1.13
+go 1.16
 
 require (
 	github.com/alexflint/go-filemutex v1.1.0
-	github.com/chromedp/chromedp v0.6.5
-	github.com/coreos/go-oidc/v3 v3.0.0
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/golang/mock v1.4.4
-	github.com/google/go-cmp v0.5.4
+	github.com/chromedp/chromedp v0.7.6
+	github.com/coreos/go-oidc/v3 v3.1.0
+	github.com/golang-jwt/jwt/v4 v4.2.0
+	github.com/golang/mock v1.6.0
+	github.com/google/go-cmp v0.5.6
 	github.com/google/wire v0.5.0
-	github.com/int128/oauth2cli v1.13.0
-	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4
-	github.com/spf13/cobra v1.1.3
+	github.com/int128/oauth2cli v1.14.0
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
+	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad // indirect
-	golang.org/x/net v0.0.0-20210119194325-5f4716e94777
-	golang.org/x/oauth2 v0.0.0-20210210192628-66670185b0cd
-	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
-	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf
+	golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/apimachinery v0.20.2
-	k8s.io/client-go v0.20.2
-	k8s.io/klog/v2 v2.5.0
+	k8s.io/apimachinery v0.22.4
+	k8s.io/client-go v0.22.4
+	k8s.io/klog/v2 v2.40.1
 )

integration_test/httpdriver/http_driver.go

@@ -60,6 +60,10 @@ func (c *client) Open(url string) error {
 	return nil
 }
 
+func (c *client) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
+
 type zeroClient struct {
 	t *testing.T
 }
@@ -68,3 +72,7 @@ func (c *zeroClient) Open(url string) error {
 	c.t.Errorf("unexpected function call Open(%s)", url)
 	return nil
 }
+
+func (c *zeroClient) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}

pkg/cmd/authentication.go

@@ -17,6 +17,7 @@ type authenticationOptions struct {
 	ListenPort                 []int // deprecated
 	AuthenticationTimeoutSec   int
 	SkipOpenBrowser            bool
+	BrowserCommand             string
 	LocalServerCertFile        string
 	LocalServerKeyFile         string
 	OpenURLAfterAuthentication string
@@ -57,6 +58,7 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 		panic(err)
 	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
 	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
 	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
 	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
@@ -67,12 +69,18 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
 }
 
+func (o *authenticationOptions) expandHomedir() {
+	o.LocalServerCertFile = expandHomedir(o.LocalServerCertFile)
+	o.LocalServerKeyFile = expandHomedir(o.LocalServerKeyFile)
+}
+
 func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
 			BindAddress:                o.determineListenAddress(),
 			SkipOpenBrowser:            o.SkipOpenBrowser,
+			BrowserCommand:             o.BrowserCommand,
 			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
 			LocalServerCertFile:        o.LocalServerCertFile,
 			LocalServerKeyFile:         o.LocalServerKeyFile,

pkg/cmd/authentication_test.go

@@ -31,6 +31,7 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				"--listen-address", "127.0.0.1:10080",
 				"--listen-address", "127.0.0.1:20080",
 				"--skip-open-browser",
+				"--browser-command", "firefox",
 				"--authentication-timeout-sec", "10",
 				"--local-server-cert", "/path/to/local-server-cert",
 				"--local-server-key", "/path/to/local-server-key",
@@ -45,6 +46,7 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				AuthCodeBrowserOption: &authcode.BrowserOption{
 					BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 					SkipOpenBrowser:            true,
+					BrowserCommand:             "firefox",
 					AuthenticationTimeout:      10 * time.Second,
 					LocalServerCertFile:        "/path/to/local-server-cert",
 					LocalServerKeyFile:         "/path/to/local-server-key",

pkg/cmd/cmd.go

@@ -2,12 +2,12 @@ package cmd
 
 import (
 	"context"
+	"path/filepath"
 	"runtime"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/spf13/cobra"
-	"k8s.io/client-go/util/homedir"
 )
 
 // Set provides an implementation and interface for Cmd.
@@ -24,7 +24,7 @@ type Interface interface {
 }
 
 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
-var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
+var defaultTokenCacheDir = filepath.Join("~", ".kube", "cache", "oidc-login")
 
 const defaultAuthenticationTimeoutSec = 180
 

pkg/cmd/cmd_test.go

@@ -2,12 +2,15 @@ package cmd
 
 import (
 	"context"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
@@ -98,6 +101,11 @@ func TestCmd_Run(t *testing.T) {
 	})
 
 	t.Run("get-token", func(t *testing.T) {
+		userHomeDir, err := os.UserHomeDir()
+		if err != nil {
+			t.Fatalf("os.UserHomeDir error: %s", err)
+		}
+
 		tests := map[string]struct {
 			args []string
 			in   credentialplugin.Input
@@ -109,7 +117,7 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-client-id", "YOUR_CLIENT_ID",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					Provider: oidc.Provider{
 						IssuerURL: "https://issuer.example.com",
 						ClientID:  "YOUR_CLIENT_ID",
@@ -134,7 +142,7 @@ func TestCmd_Run(t *testing.T) {
 					"-v1",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					Provider: oidc.Provider{
 						IssuerURL:    "https://issuer.example.com",
 						ClientID:     "YOUR_CLIENT_ID",
@@ -150,6 +158,36 @@ func TestCmd_Run(t *testing.T) {
 					},
 				},
 			},
+			"HomedirExpansion": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--certificate-authority", "~/.kube/ca.crt",
+					"--local-server-cert", "~/.kube/oidc-server.crt",
+					"--local-server-key", "~/.kube/oidc-server.key",
+					"--token-cache-dir", "~/.kube/oidc-cache",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/oidc-cache"),
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+							LocalServerCertFile:   filepath.Join(userHomeDir, ".kube/oidc-server.crt"),
+							LocalServerKeyFile:    filepath.Join(userHomeDir, ".kube/oidc-server.key"),
+						},
+					},
+					TLSClientConfig: tlsclientconfig.Config{
+						CACertFilename: []string{filepath.Join(userHomeDir, ".kube/ca.crt")},
+					},
+				},
+			},
 		}
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {

pkg/cmd/get_token.go

@@ -17,6 +17,7 @@ type getTokenOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
+	UsePKCE               bool
 	TokenCacheDir         string
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
@@ -27,11 +28,19 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
 
+func (o *getTokenOptions) expandHomedir() error {
+	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+	o.authenticationOptions.expandHomedir()
+	o.tlsOptions.expandHomedir()
+	return nil
+}
+
 type GetToken struct {
 	GetToken credentialplugin.Interface
 	Logger   logger.Interface
@@ -55,6 +64,9 @@ func (cmd *GetToken) New() *cobra.Command {
 			return nil
 		},
 		RunE: func(c *cobra.Command, _ []string) error {
+			if err := o.expandHomedir(); err != nil {
+				return err
+			}
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
 				return fmt.Errorf("get-token: %w", err)
@@ -64,6 +76,7 @@ func (cmd *GetToken) New() *cobra.Command {
 					IssuerURL:    o.IssuerURL,
 					ClientID:     o.ClientID,
 					ClientSecret: o.ClientSecret,
+					UsePKCE:      o.UsePKCE,
 					ExtraScopes:  o.ExtraScopes,
 				},
 				TokenCacheDir:   o.TokenCacheDir,

pkg/cmd/homedir.go

@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"path/filepath"
+	"strings"
+
+	"k8s.io/client-go/util/homedir"
+)
+
+func expandHomedir(s string) string {
+	if !strings.HasPrefix(s, "~") {
+		return s
+	}
+	return filepath.Join(homedir.HomeDir(), strings.TrimPrefix(s, "~"))
+}

pkg/cmd/setup.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -13,6 +14,7 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
+	UsePKCE               bool
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 }
@@ -22,6 +24,7 @@ func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
@@ -46,6 +49,7 @@ func (cmd *Setup) New() *cobra.Command {
 				ClientID:        o.ClientID,
 				ClientSecret:    o.ClientSecret,
 				ExtraScopes:     o.ExtraScopes,
+				UsePKCE:         o.UsePKCE,
 				GrantOptionSet:  grantOptionSet,
 				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}

pkg/cmd/tls.go

@@ -23,6 +23,15 @@ func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
 	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
 }
 
+func (o *tlsOptions) expandHomedir() {
+	var caCertFilenames []string
+	for _, caCertFilename := range o.CACertFilename {
+		expanded := expandHomedir(caCertFilename)
+		caCertFilenames = append(caCertFilenames, expanded)
+	}
+	o.CACertFilename = caCertFilenames
+}
+
 func (o tlsOptions) tlsClientConfig() tlsclientconfig.Config {
 	return tlsclientconfig.Config{
 		CACertFilename: o.CACertFilename,

pkg/infrastructure/browser/browser.go

@@ -1,7 +1,9 @@
 package browser
 
 import (
+	"context"
 	"os"
+	"os/exec"
 
 	"github.com/google/wire"
 	"github.com/pkg/browser"
@@ -23,6 +25,7 @@ var Set = wire.NewSet(
 
 type Interface interface {
 	Open(url string) error
+	OpenCommand(ctx context.Context, url, command string) error
 }
 
 type Browser struct{}
@@ -31,3 +34,11 @@ type Browser struct{}
 func (*Browser) Open(url string) error {
 	return browser.OpenURL(url)
 }
+
+// OpenCommand opens the browser using the command.
+func (*Browser) OpenCommand(ctx context.Context, url, command string) error {
+	c := exec.CommandContext(ctx, command, url)
+	c.Stdout = os.Stderr // see above
+	c.Stderr = os.Stderr
+	return c.Run()
+}

pkg/infrastructure/browser/mock_browser/mock_browser.go

@@ -5,6 +5,7 @@
 package mock_browser
 
 import (
+	context "context"
 	gomock "github.com/golang/mock/gomock"
 	reflect "reflect"
 )
@@ -45,3 +46,17 @@ func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
 }
+
+// OpenCommand mocks base method
+func (m *MockInterface) OpenCommand(arg0 context.Context, arg1, arg2 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "OpenCommand", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// OpenCommand indicates an expected call of OpenCommand
+func (mr *MockInterfaceMockRecorder) OpenCommand(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OpenCommand", reflect.TypeOf((*MockInterface)(nil).OpenCommand), arg0, arg1, arg2)
+}

pkg/oidc/client/factory.go

@@ -12,6 +12,7 @@ import (
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client/logging"
+	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
 	"golang.org/x/oauth2"
@@ -61,6 +62,9 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	if err != nil {
 		return nil, fmt.Errorf("could not determine supported PKCE methods: %w", err)
 	}
+	if len(supportedPKCEMethods) == 0 && p.UsePKCE {
+		supportedPKCEMethods = []string{pkce.MethodS256}
+	}
 	return &client{
 		httpClient: httpClient,
 		provider:   provider,

pkg/oidc/oidc.go

@@ -15,6 +15,7 @@ type Provider struct {
 	ClientID     string
 	ClientSecret string   // optional
 	ExtraScopes  []string // optional
+	UsePKCE      bool     // optional
 }
 
 // TokenSet represents a set of ID token and refresh token.

pkg/pkce/pkce.go

@@ -14,7 +14,7 @@ var Plain Params
 
 const (
 	// code challenge methods defined as https://tools.ietf.org/html/rfc7636#section-4.3
-	methodS256 = "S256"
+	MethodS256 = "S256"
 )
 
 // Params represents a set of the PKCE parameters.
@@ -33,7 +33,7 @@ func (p Params) IsZero() bool {
 // It returns Plain if no method is available.
 func New(methods []string) (Params, error) {
 	for _, method := range methods {
-		if method == methodS256 {
+		if method == MethodS256 {
 			return NewS256()
 		}
 	}
@@ -63,7 +63,7 @@ func computeS256(b []byte) Params {
 	_, _ = s.Write([]byte(v))
 	return Params{
 		CodeChallenge:       base64URLEncode(s.Sum(nil)),
-		CodeChallengeMethod: methodS256,
+		CodeChallengeMethod: MethodS256,
 		CodeVerifier:        v,
 	}
 }

pkg/testing/jwt/encode.go

@@ -5,7 +5,7 @@ import (
 	"crypto/rsa"
 	"testing"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 )
 
 var PrivateKey = generateKey(1024)

pkg/usecases/authentication/authcode/browser.go

@@ -15,6 +15,7 @@ import (
 
 type BrowserOption struct {
 	SkipOpenBrowser            bool
+	BrowserCommand             string
 	BindAddress                []string
 	AuthenticationTimeout      time.Duration
 	OpenURLAfterAuthentication string
@@ -71,17 +72,7 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, oidcClient client.In
 			if !ok {
 				return nil
 			}
-			if o.SkipOpenBrowser {
-				u.Logger.Printf("Please visit the following URL in your browser: %s", url)
-				return nil
-			}
-			u.Logger.V(1).Infof("opening %s in the browser", url)
-			if err := u.Browser.Open(url); err != nil {
-				u.Logger.Printf(`error: could not open the browser: %s
-
-Please visit the following URL in your browser manually: %s`, err, url)
-				return nil
-			}
+			u.openURL(ctx, o, url)
 			return nil
 		case <-ctx.Done():
 			return fmt.Errorf("context cancelled while waiting for the local server: %w", ctx.Err())
@@ -103,3 +94,25 @@ Please visit the following URL in your browser manually: %s`, err, url)
 	u.Logger.V(1).Infof("finished the authorization code flow via the browser")
 	return out, nil
 }
+
+func (u *Browser) openURL(ctx context.Context, o *BrowserOption, url string) {
+	if o.SkipOpenBrowser {
+		u.Logger.Printf("Please visit the following URL in your browser: %s", url)
+		return
+	}
+
+	u.Logger.V(1).Infof("opening %s in the browser", url)
+	if o.BrowserCommand != "" {
+		if err := u.Browser.OpenCommand(ctx, url, o.BrowserCommand); err != nil {
+			u.Logger.Printf(`error: could not open the browser: %s
+
+Please visit the following URL in your browser manually: %s`, err, url)
+		}
+		return
+	}
+	if err := u.Browser.Open(url); err != nil {
+		u.Logger.Printf(`error: could not open the browser: %s
+
+Please visit the following URL in your browser manually: %s`, err, url)
+	}
+}

pkg/usecases/authentication/authcode/browser_test.go

@@ -116,4 +116,45 @@ func TestBrowser_Do(t *testing.T) {
 			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
+
+	t.Run("OpenBrowserCommand", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		o := &BrowserOption{
+			BindAddress:           []string{"127.0.0.1:8000"},
+			BrowserCommand:        "firefox",
+			AuthenticationTimeout: 10 * time.Second,
+		}
+		mockClient := mock_client.NewMockInterface(ctrl)
+		mockClient.EXPECT().SupportedPKCEMethods()
+		mockClient.EXPECT().
+			GetTokenByAuthCode(gomock.Any(), gomock.Any(), gomock.Any()).
+			Do(func(_ context.Context, _ client.GetTokenByAuthCodeInput, readyChan chan<- string) {
+				readyChan <- "LOCAL_SERVER_URL"
+			}).
+			Return(&oidc.TokenSet{
+				IDToken:      "YOUR_ID_TOKEN",
+				RefreshToken: "YOUR_REFRESH_TOKEN",
+			}, nil)
+		mockBrowser := mock_browser.NewMockInterface(ctrl)
+		mockBrowser.EXPECT().
+			OpenCommand(gomock.Any(), "LOCAL_SERVER_URL", "firefox")
+		u := Browser{
+			Logger:  logger.New(t),
+			Browser: mockBrowser,
+		}
+		got, err := u.Do(ctx, o, mockClient)
+		if err != nil {
+			t.Errorf("Do returned error: %+v", err)
+		}
+		want := &oidc.TokenSet{
+			IDToken:      "YOUR_ID_TOKEN",
+			RefreshToken: "YOUR_REFRESH_TOKEN",
+		}
+		if diff := cmp.Diff(want, got); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
+		}
+	})
 }

pkg/usecases/setup/stage2.go

@@ -73,6 +73,7 @@ type Stage2Input struct {
 	ClientID          string
 	ClientSecret      string
 	ExtraScopes       []string // optional
+	UsePKCE           bool     // optional
 	ListenAddressArgs []string // non-nil if set by the command arg
 	GrantOptionSet    authentication.GrantOptionSet
 	TLSClientConfig   tlsclientconfig.Config
@@ -86,6 +87,7 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 			ClientID:     in.ClientID,
 			ClientSecret: in.ClientSecret,
 			ExtraScopes:  in.ExtraScopes,
+			UsePKCE:      in.UsePKCE,
 		},
 		GrantOptionSet:  in.GrantOptionSet,
 		TLSClientConfig: in.TLSClientConfig,
@@ -123,6 +125,9 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 	for _, extraScope := range in.ExtraScopes {
 		args = append(args, "--oidc-extra-scope="+extraScope)
 	}
+	if in.UsePKCE {
+		args = append(args, "--oidc-use-pkce")
+	}
 	for _, f := range in.TLSClientConfig.CACertFilename {
 		args = append(args, "--certificate-authority="+f)
 	}
@@ -137,6 +142,9 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 		if in.GrantOptionSet.AuthCodeBrowserOption.SkipOpenBrowser {
 			args = append(args, "--skip-open-browser")
 		}
+		if in.GrantOptionSet.AuthCodeBrowserOption.BrowserCommand != "" {
+			args = append(args, "--browser-command="+in.GrantOptionSet.AuthCodeBrowserOption.BrowserCommand)
+		}
 		if in.GrantOptionSet.AuthCodeBrowserOption.LocalServerCertFile != "" {
 			// Resolve the absolute path for the cert files so the user doesn't have to know
 			// to use one when running setup.

pkg/usecases/standalone/standalone.go

@@ -44,11 +44,6 @@ To show the setup instruction:
 See https://github.com/int128/kubelogin for more.
 `
 
-const deprecationMessage = `NOTE: You can use the credential plugin mode for better user experience.
-Kubectl automatically runs kubelogin and you do not need to run kubelogin explicitly.
-See https://github.com/int128/kubelogin for more.
-`
-
 // Standalone provides the use case of explicit login.
 //
 // If the current auth provider is not oidc, show the error.
@@ -70,7 +65,6 @@ func (u *Standalone) Do(ctx context.Context, in Input) error {
 		u.Logger.Printf(oidcConfigErrorMessage)
 		return fmt.Errorf("could not find the current authentication provider: %w", err)
 	}
-	u.Logger.Printf(deprecationMessage)
 	u.Logger.V(1).Infof("using the authentication provider of the user %s", authProvider.UserName)
 	u.Logger.V(1).Infof("a token will be written to %s", authProvider.LocationOfOrigin)
 	if authProvider.IDPCertificateAuthority != "" {

system_test/login/Makefile

@@ -7,10 +7,6 @@ export PATH
 KUBECONFIG := ../cluster/kubeconfig.yaml
 export KUBECONFIG
 
-# run the login script instead of opening chrome
-BROWSER := $(BIN_DIR)/chromelogin
-export BROWSER
-
 .PHONY: test
 test: build
 	# see the setup instruction
@@ -19,7 +15,8 @@ test: build
 		--oidc-client-id=YOUR_CLIENT_ID \
 		--oidc-client-secret=YOUR_CLIENT_SECRET \
 		--oidc-extra-scope=email \
-		--certificate-authority=$(CERT_DIR)/ca.crt
+		--certificate-authority=$(CERT_DIR)/ca.crt \
+		--browser-command=$(BIN_DIR)/chromelogin
 	# set up the kubeconfig
 	kubectl config set-credentials oidc \
 		--exec-api-version=client.authentication.k8s.io/v1beta1 \
@@ -30,7 +27,8 @@ test: build
 		--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
 		--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
 		--exec-arg=--oidc-extra-scope=email \
-		--exec-arg=--certificate-authority=$(CERT_DIR)/ca.crt
+		--exec-arg=--certificate-authority=$(CERT_DIR)/ca.crt \
+		--exec-arg=--browser-command=$(BIN_DIR)/chromelogin
 	# make sure we can access the cluster
 	kubectl --user=oidc cluster-info
 	# switch the current context