Fix

* Refactor docs

* Update --exec-api-version

* Add device authorization grant

* Fix

.github/release.yml

@@ -0,0 +1,16 @@
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+changelog:
+  categories:
+    - title: Features
+      labels:
+        - '*'
+      exclude:
+        labels:
+          - renovate
+          - refactoring
+    - title: Refactoring
+      labels:
+        - refactoring
+    - title: Dependencies
+      labels:
+        - renovate

.github/renovate.json5

@@ -1,6 +1,12 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "github>int128/renovate-base",
-    "github>int128/go-actions",
+    "github>int128/go-renovate-config#v1.7.2",
+    "github>int128/go-renovate-config:go-directive#v1.7.2",
+    "github>int128/go-renovate-config:github-actions#v1.7.2",
+    "github>int128/go-renovate-config:kubernetes#v1.7.2",
+    "github>int128/go-renovate-config:kustomization-github-releases#v1.7.2",
+    "helpers:pinGitHubActionDigests",
   ],
 }

.github/workflows/docker.yaml

@@ -9,7 +9,6 @@ on:
       - pkg/**
       - go.*
       - Dockerfile
-      - Makefile
   push:
     branches:
       - master
@@ -18,35 +17,54 @@ on:
       - pkg/**
       - go.*
       - Dockerfile
-      - Makefile
     tags:
       - v*
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-uri: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: docker/metadata-action@v4
-        id: metadata
-        with:
-          images: ghcr.io/${{ github.repository }}
-      - uses: int128/docker-build-cache-config-action@v1
-        id: cache
-        with:
-          image: ghcr.io/${{ github.repository }}/cache
-      - uses: docker/login-action@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
-      - uses: docker/build-push-action@v3
+      - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        id: metadata
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@622932dfa73db7d3a65e40d5fcc094f2101e659a # v1.37.0
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      - uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
+        id: build
         with:
           push: ${{ github.event_name == 'push' }}
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
           cache-from: ${{ steps.cache.outputs.cache-from }}
           cache-to: ${{ steps.cache.outputs.cache-to }}
-          platforms: linux/amd64,linux/arm64
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/ppc64le
+
+  test:
+    if: github.event_name == 'push'
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - run: docker run --rm "$IMAGE_URI" --help
+        env:
+          IMAGE_URI: ${{ needs.build.outputs.image-uri }}

.github/workflows/go.yaml

@@ -7,7 +7,10 @@ on:
     paths:
       - .github/workflows/go.yaml
       - pkg/**
-      - go.*
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
     tags:
       - v*
   pull_request:
@@ -16,27 +19,61 @@ on:
     paths:
       - .github/workflows/go.yaml
       - pkg/**
-      - go.*
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
 
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
-        with:
-          go-version: 1.18.4
-      - uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.47.2
-
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: 1.18.4
-      - run: go test -v -race ./...
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make test
+
+  integration-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make integration-test
+
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+      - run: make lint
+
+  generate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+      - run: go mod tidy
+      - run: make generate
+      - uses: int128/update-generated-files-action@65b9a7ae3ededc5679d78343f58fbebcf1ebd785 # v2.57.0

.github/workflows/release.yaml

@@ -33,6 +33,9 @@ jobs:
           - runs-on: ubuntu-latest
             GOOS: linux
             GOARCH: arm
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: ppc64le
           - runs-on: macos-latest
             GOOS: darwin
             GOARCH: amd64
@@ -44,6 +47,9 @@ jobs:
           - runs-on: windows-latest
             GOOS: windows
             GOARCH: amd64
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: arm64
     runs-on: ${{ matrix.platform.runs-on }}
     env:
       GOOS: ${{ matrix.platform.GOOS }}
@@ -51,21 +57,22 @@ jobs:
       CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: 1.18.4
-      - run: go build -ldflags "-X main.version=${GITHUB_REF##*/}"
-      - uses: int128/go-actions/release@v1
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: go build -ldflags '-X main.version=${{ github.ref_name }}'
+      - uses: int128/go-release-action@2979cc5b15ceb7ae458e95b0a9467afc7ae25259 # v2.0.0
         with:
           binary: kubelogin
 
   publish:
-    if: startswith(github.ref, 'refs/tags/')
+    if: github.ref_type == 'tag'
     needs:
       - build
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: rajatjindal/krew-release-bot@v0.0.43
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47

.github/workflows/system-test.yaml

@@ -22,16 +22,18 @@ jobs:
   system-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: 1.18.4
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
 
-      # for certutil
+      - run: sudo apt-get update
+      # Install certutil.
       # https://packages.ubuntu.com/xenial/libnss3-tools
-      - run: sudo apt update
-      - run: sudo apt install -y libnss3-tools
-      - run: mkdir -p ~/.pki/nssdb
+      # Install keyring related packages.
+      # https://github.com/zalando/go-keyring/issues/45
+      - run: sudo apt-get install --no-install-recommends -y libnss3-tools dbus-x11 gnome-keyring
 
       - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
 

.gitignore

@@ -1,5 +1,7 @@
 /.idea
 
+/tools/bin
+
 /acceptance_test/output/
 
 /coverage.out

.krew.yaml

@@ -60,3 +60,9 @@ spec:
       matchLabels:
         os: windows
         arch: amd64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: arm64

.mockery.yaml

@@ -0,0 +1,11 @@
+outpkg: "{{.PackageName}}_mock"
+dir: "mocks/{{.PackagePath}}_mock"
+
+packages:
+  github.com/int128/kubelogin:
+    config:
+      all: true
+      recursive: true
+  io:
+    interfaces:
+      Closer:

Dockerfile

@@ -1,12 +1,20 @@
-FROM golang:1.18 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23 AS builder
 
 WORKDIR /builder
-COPY go.* .
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
 RUN go mod download
+
+# Copy the go source
 COPY main.go .
 COPY pkg pkg
-RUN go build
 
-FROM gcr.io/distroless/base-debian10
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build
+
+FROM gcr.io/distroless/base-debian12
 COPY --from=builder /builder/kubelogin /
 ENTRYPOINT ["/kubelogin"]

Makefile

@@ -0,0 +1,22 @@
+.PHONY: all
+all:
+
+.PHONY: test
+test:
+	go test -v -race ./pkg/...
+
+.PHONY: integration-test
+integration-test:
+	go test -v -race ./integration_test/...
+
+.PHONY: generate
+generate:
+	$(MAKE) -C tools
+	./tools/bin/wire ./pkg/di
+	rm -fr mocks/
+	./tools/bin/mockery
+
+.PHONY: lint
+lint:
+	$(MAKE) -C tools
+	./tools/bin/golangci-lint run

README.md

@@ -13,7 +13,6 @@ Take a look at the diagram:
 
 ![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)
 
-
 ## Getting Started
 
 ### Setup
@@ -31,28 +30,28 @@ kubectl krew install oidc-login
 choco install kubelogin
 ```
 
-If you install via GitHub releases, you need to put the `kubelogin` binary on your path under the name `kubectl-oidc_login` so that the [kubectl plugin mechanism](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) can find it when you invoke `kubectl oidc-login`. The other install methods do this for you.
+If you install via GitHub releases, save the binary as the name `kubectl-oidc_login` on your path.
+When you invoke `kubectl oidc-login`, kubectl finds it by the [naming convention of kubectl plugins](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/).
+The other install methods do this for you.
 
 You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
-The kubeconfig looks like:
+Your kubeconfig looks like this:
 
 ```yaml
 users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
 ```
 
-See [setup guide](docs/setup.md) for more.
-
+See the [setup guide](docs/setup.md) for more.
 
 ### Run
 
@@ -65,33 +64,46 @@ kubectl get pods
 Kubectl executes kubelogin before calling the Kubernetes APIs.
 Kubelogin automatically opens the browser, and you can log in to the provider.
 
-<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
+After the authentication, kubelogin returns the credentials to kubectl.
+Kubectl then calls the Kubernetes APIs with the credentials.
 
-After authentication, kubelogin returns the credentials to kubectl and kubectl then calls the Kubernetes APIs with these credentials.
-
-```
+```console
 % kubectl get pods
 Open http://localhost:8000 for authentication
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
 ```
 
-Kubelogin writes the ID token and refresh token to the token cache file.
+Kubelogin stores the ID token and refresh token to the cache.
+If the ID token is valid, it just returns it.
+If the ID token has expired, it will refresh the token using the refresh token.
+If the refresh token has expired, it will perform re-authentication.
 
-If the cached ID token is valid, kubelogin just returns it.
-If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will perform re-authentication (you will have to login via browser again).
+## Troubleshooting
 
+### Token cache
 
-### Troubleshoot
+If the OS keyring is available, kubelogin stores the token cache to the OS keyring.
+Otherwise, kubelogin stores the token cache to the file system.
+See the [token cache](docs/usage.md#token-cache) for details.
 
-You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
-Kubelogin will ask you to login via browser again if the token cache file does not exist i.e., it starts with a clean slate
-
-You can dump claims of an ID token by `setup` command.
+You can log out by deleting the token cache.
 
 ```console
-% kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
+% kubectl oidc-login clean
+Deleted the token cache at /home/user/.kube/cache/oidc-login
+Deleted the token cache in the keyring
+```
+
+Kubelogin will ask you to log in via the browser again.
+If the browser has a cookie for the provider, you need to log out from the provider or clear the cookie.
+
+### ID token claims
+
+You can run `setup` command to dump the claims of an ID token from the provider.
+
+```console
+% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
 ...
 You got a token with the following claims:
 
@@ -103,23 +115,22 @@ You got a token with the following claims:
 }
 ```
 
-You can increase the log level by `-v1` option.
+You can set `-v1` option to increase the log level.
 
 ```yaml
 users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - -v1
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - -v1
 ```
 
-You can verify kubelogin works with your provider using [acceptance test](acceptance_test).
-
+You can run the [acceptance test](acceptance_test) to verify if kubelogin works with your provider.
 
 ## Docs
 
@@ -129,11 +140,7 @@ You can verify kubelogin works with your provider using [acceptance test](accept
 - [System test](system_test)
 - [Acceptance_test for identity providers](acceptance_test)
 
-
 ## Contributions
 
 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests for improving code and documents.
-
-This software is developed with [GoLand](https://www.jetbrains.com/go/) licensed for open source development.
-Special thanks for the support.

docs/setup.md

@@ -10,9 +10,16 @@ Let's see the following steps:
 1. Set up the kubeconfig
 1. Verify cluster access
 
-
 ## 1. Set up the OIDC provider
 
+Kubelogin supports the following authentication flows:
+
+- Authorization code flow
+- Device authorization grant
+- Resource owner password credentials grant
+
+See the [usage](usage.md) for the details.
+
 ### Google Identity Platform
 
 You can log in with a Google account.
@@ -24,11 +31,10 @@ Open [Google APIs Console](https://console.developers.google.com/apis/credential
 Check the client ID and secret.
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://accounts.google.com`
-`YOUR_CLIENT_ID`        | `xxx.apps.googleusercontent.com`
-`YOUR_CLIENT_SECRET`    | random string
+| Variable         | Value                            |
+| ---------------- | -------------------------------- |
+| `ISSUER_URL`     | `https://accounts.google.com`    |
+| `YOUR_CLIENT_ID` | `xxx.apps.googleusercontent.com` |
 
 ### Keycloak
 
@@ -39,8 +45,8 @@ Open Keycloak and create an OIDC client as follows:
 
 - Client ID: `YOUR_CLIENT_ID`
 - Valid Redirect URLs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
+  - `http://localhost:8000`
+  - `http://localhost:18000` (used if the port 8000 is already in use)
 - Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
 
 You can associate client roles by adding the following mapper:
@@ -56,11 +62,10 @@ For example, if you have `admin` role of the client, you will get a JWT with the
 
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://keycloak.example.com/auth/realms/YOUR_REALM`
-`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
-`YOUR_CLIENT_SECRET`    | random string
+| Variable         | Value                                                 |
+| ---------------- | ----------------------------------------------------- |
+| `ISSUER_URL`     | `https://keycloak.example.com/auth/realms/YOUR_REALM` |
+| `YOUR_CLIENT_ID` | `YOUR_CLIENT_ID`                                      |
 
 ### Dex with GitHub
 
@@ -77,29 +82,29 @@ Deploy [Dex](https://github.com/dexidp/dex) with the following config:
 ```yaml
 issuer: https://dex.example.com
 connectors:
-- type: github
-  id: github
-  name: GitHub
-  config:
-    clientID: YOUR_GITHUB_CLIENT_ID
-    clientSecret: YOUR_GITHUB_CLIENT_SECRET
-    redirectURI: https://dex.example.com/callback
+  - type: github
+    id: github
+    name: GitHub
+    config:
+      clientID: YOUR_GITHUB_CLIENT_ID
+      clientSecret: YOUR_GITHUB_CLIENT_SECRET
+      redirectURI: https://dex.example.com/callback
 staticClients:
-- id: YOUR_CLIENT_ID
-  name: Kubernetes
-  redirectURIs:
-  - http://localhost:8000
-  - http://localhost:18000
-  secret: YOUR_DEX_CLIENT_SECRET
+  - id: YOUR_CLIENT_ID
+    name: Kubernetes
+    redirectURIs:
+      - http://localhost:8000
+      - http://localhost:18000
+    secret: YOUR_DEX_CLIENT_SECRET
 ```
 
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://dex.example.com`
-`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
-`YOUR_CLIENT_SECRET`    | `YOUR_DEX_CLIENT_SECRET`
+| Variable             | Value                     |
+| -------------------- | ------------------------- |
+| `ISSUER_URL`         | `https://dex.example.com` |
+| `YOUR_CLIENT_ID`     | `YOUR_CLIENT_ID`          |
+| `YOUR_CLIENT_SECRET` | `YOUR_DEX_CLIENT_SECRET`  |
 
 ### Okta
 
@@ -112,17 +117,17 @@ Open your Okta organization and create an application with the following options
 - Application type: Native
 - Initiate login URI: `http://localhost:8000`
 - Login redirect URIs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
+  - `http://localhost:8000`
+  - `http://localhost:18000` (used if the port 8000 is already in use)
 - Allowed grant types: Authorization Code
 - Client authentication: Use PKCE (for public clients)
 
 Replace the following variables in the later sections.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://YOUR_ORGANIZATION.okta.com`
-`YOUR_CLIENT_ID`        | random string
+| Variable         | Value                                |
+| ---------------- | ------------------------------------ |
+| `ISSUER_URL`     | `https://YOUR_ORGANIZATION.okta.com` |
+| `YOUR_CLIENT_ID` | random string                        |
 
 You do not need to set `YOUR_CLIENT_SECRET`.
 
@@ -135,17 +140,17 @@ Login with an account that has permissions to create applications.
 Create an OIDC application with the following configuration:
 
 - Redirect URIs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
+  - `http://localhost:8000`
+  - `http://localhost:18000` (used if the port 8000 is already in use)
 - Grant type: Authorization Code
 - PKCE Enforcement: Required
 
 Leverage the following variables in the next steps.
 
-Variable                | Value
-------------------------|------
-`ISSUER_URL`            | `https://auth.pingone.com/<PingOne Tenant Id>/as`
-`YOUR_CLIENT_ID`        |  random string
+| Variable         | Value                                             |
+| ---------------- | ------------------------------------------------- |
+| `ISSUER_URL`     | `https://auth.pingone.com/<PingOne Tenant Id>/as` |
+| `YOUR_CLIENT_ID` | random string                                     |
 
 `YOUR_CLIENT_SECRET` is not required for this configuration.
 
@@ -156,8 +161,7 @@ Run the following command:
 ```sh
 kubectl oidc-login setup \
   --oidc-issuer-url=ISSUER_URL \
-  --oidc-client-id=YOUR_CLIENT_ID \
-  --oidc-client-secret=YOUR_CLIENT_SECRET
+  --oidc-client-id=YOUR_CLIENT_ID
 ```
 
 It launches the browser and navigates to `http://localhost:8000`.
@@ -170,7 +174,6 @@ See also the full options.
 kubectl oidc-login setup --help
 ```
 
-
 ## 3. Bind a cluster role
 
 Here bind `cluster-admin` role to you.
@@ -181,7 +184,6 @@ kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin
 
 As well as you can create a custom cluster role and bind it.
 
-
 ## 4. Set up the Kubernetes API server
 
 Add the following flags to kube-apiserver:
@@ -193,41 +195,20 @@ Add the following flags to kube-apiserver:
 
 See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
 
-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: ISSUER_URL
-    oidcClientID: YOUR_CLIENT_ID
-```
-
-If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), append the following settings to the `cluster.yaml`:
-
-```yaml
-       oidc:
-         enabled: true
-         issuerUrl: ISSUER_URL
-         clientId: YOUR_CLIENT_ID
-```
-
-
 ## 5. Set up the kubeconfig
 
 Add `oidc` user to the kubeconfig.
 
 ```sh
 kubectl config set-credentials oidc \
-  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-api-version=client.authentication.k8s.io/v1 \
   --exec-command=kubectl \
   --exec-arg=oidc-login \
   --exec-arg=get-token \
   --exec-arg=--oidc-issuer-url=ISSUER_URL \
-  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID
 ```
 
-
 ## 6. Verify cluster access
 
 Make sure you can access the Kubernetes cluster.

docs/standalone-mode.md

@@ -3,7 +3,6 @@
 Kubelogin supports the standalone mode as well.
 It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.
 
-
 ## Getting started
 
 Configure your kubeconfig like:
@@ -53,16 +52,16 @@ Your kubeconfig looks like:
 
 ```yaml
 users:
-- name: keycloak
-  user:
-    auth-provider:
-      config:
-        client-id: YOUR_CLIENT_ID
-        client-secret: YOUR_CLIENT_SECRET
-        idp-issuer-url: https://issuer.example.com
-        id-token: ey...       # kubelogin will add or update the ID token here
-        refresh-token: ey...  # kubelogin will add or update the refresh token here
-      name: oidc
+  - name: keycloak
+    user:
+      auth-provider:
+        config:
+          client-id: YOUR_CLIENT_ID
+          client-secret: YOUR_CLIENT_SECRET
+          idp-issuer-url: https://issuer.example.com
+          id-token: ey... # kubelogin will add or update the ID token here
+          refresh-token: ey... # kubelogin will add or update the refresh token here
+        name: oidc
 ```
 
 If the ID token is valid, kubelogin does nothing.
@@ -75,7 +74,6 @@ You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
 If the refresh token has expired, kubelogin will proceed the authentication.
 
-
 ## Usage
 
 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
@@ -94,15 +92,15 @@ If you set multiple files, kubelogin will find the file which has the current au
 Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
 See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
 
-Key | Direction | Value
-----|-----------|------
-`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
-`client-id`                       | Read (Mandatory) | Client ID of the provider.
-`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
-`idp-certificate-authority`       | Read | CA certificate path of the provider.
-`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
-`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
-`id-token`                        | Write | ID token got from the provider.
-`refresh-token`                   | Write | Refresh token got from the provider.
+| Key                              | Direction        | Value                                                |
+| -------------------------------- | ---------------- | ---------------------------------------------------- |
+| `idp-issuer-url`                 | Read (Mandatory) | Issuer URL of the provider.                          |
+| `client-id`                      | Read (Mandatory) | Client ID of the provider.                           |
+| `client-secret`                  | Read (Mandatory) | Client Secret of the provider.                       |
+| `idp-certificate-authority`      | Read             | CA certificate path of the provider.                 |
+| `idp-certificate-authority-data` | Read             | Base64 encoded CA certificate of the provider.       |
+| `extra-scopes`                   | Read             | Scopes to request to the provider (comma separated). |
+| `id-token`                       | Write            | ID token got from the provider.                      |
+| `refresh-token`                  | Write            | Refresh token got from the provider.                 |
 
 See also [usage.md](usage.md).

docs/usage.md

@@ -11,14 +11,17 @@ Flags:
       --oidc-client-id string                           Client ID of the provider (mandatory)
       --oidc-client-secret string                       Client secret of the provider
       --oidc-extra-scope strings                        Scopes to request to the provider
-      --oidc-use-pkce                                   Force PKCE usage
-      --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
+      --oidc-use-access-token                           Instead of using the id_token, use the access_token to authenticate to Kubernetes
+      --force-refresh                                   If set, refresh the ID token regardless of its expiration time
+      --token-cache-dir string                          Path to a directory of the token cache (default "~/.kube/cache/oidc-login")
+      --token-cache-storage string                      Storage for the token cache. One of (auto|keyring|disk) (default "auto")
       --certificate-authority stringArray               Path to a cert file for the certificate authority
       --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
-      --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --insecure-skip-tls-verify                        [SECURITY RISK] If set, the server's certificate will not be checked for validity
       --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
       --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
-      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --oidc-pkce-method string                         PKCE code challenge method. Automatically determined by default. One of (auto|no|S256) (default "auto")
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code) (default "auto")
       --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
       --skip-open-browser                               [authcode] Do not open the browser automatically
       --browser-command string                          [authcode] Command to open the browser
@@ -27,6 +30,7 @@ Flags:
       --local-server-key string                         [authcode] Certificate key path for the local server
       --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
       --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
+      --oidc-redirect-url-authcode-keyboard string      [authcode-keyboard] Redirect URL (default "urn:ietf:wg:oauth:2.0:oob")
       --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
       --username string                                 [password] Username for resource owner password credentials grant
       --password string                                 [password] Password for resource owner password credentials grant
@@ -34,20 +38,37 @@ Flags:
 
 Global Flags:
       --add_dir_header                   If true, adds the file directory to the header of the log messages
-      --alsologtostderr                  log to standard error as well as files
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
       --logtostderr                      log to standard error instead of files (default true)
-      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
       --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
   -v, --v Level                          number for the log level verbosity
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```
 
+Here is the sequence diagram of the credential plugin.
+
+```mermaid
+sequenceDiagram
+  actor User
+  User ->>+ kubectl: Run
+  kubectl ->>+ kubelogin: Run the plugin
+  kubelogin ->>+ Provider: Authentication request
+  Note over User, Provider: Browser interaction
+  Provider -->>- kubelogin: Authentication response
+  kubelogin ->>+ Provider: Token request
+  Provider -->>- kubelogin: Token response
+  kubelogin -->>- kubectl: Credential
+  kubectl ->>+ kube-apiserver: Request with the credential
+  kube-apiserver -->>- kubectl: Response
+  kubectl -->>- User: Response
+```
 
 ## Options
 
@@ -58,7 +79,7 @@ This prevents a process from remaining forever.
 You can change the timeout by the following flag:
 
 ```yaml
-      - --authentication-timeout-sec=60
+- --authentication-timeout-sec=60
 ```
 
 For now this timeout works only for the authorization code flow.
@@ -68,17 +89,31 @@ For now this timeout works only for the authorization code flow.
 You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
 
 ```yaml
-      - --oidc-extra-scope=email
-      - --oidc-extra-scope=profile
+- --oidc-extra-scope=email
+- --oidc-extra-scope=profile
 ```
 
+### PKCE
+
+Kubelogin automatically uses the PKCE if the provider supports it.
+It determines the code challenge method by the `code_challenge_methods_supported` claim of the OpenID Connect Discovery document.
+
+If your provider does not return a valid `code_challenge_methods_supported` claim,
+you can enforce the code challenge method by `--oidc-pkce-method`.
+
+```yaml
+- --oidc-pkce-method=S256
+```
+
+For the most providers, you don't need to set this option explicitly.
+
 ### CA certificate
 
 You can use your self-signed certificate for the provider.
 
 ```yaml
-      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
-      - --certificate-authority-data=LS0t...
+- --certificate-authority=/home/user/.kube/keycloak-ca.pem
+- --certificate-authority-data=LS0t...
 ```
 
 ### HTTP proxy
@@ -86,6 +121,20 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
 
+### Token cache
+
+Kubelogin stores the token cache to the OS keyring if available.
+It depends on [zalando/go-keyring](https://github.com/zalando/go-keyring) for the keyring storage.
+
+If you encounter a problem, try `--token-cache-storage` to set the storage.
+
+```yaml
+# Force to use the OS keyring
+- --token-cache-storage=keyring
+# Force to use the file system
+- --token-cache-storage=disk
+```
+
 ### Home directory expansion
 
 If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
@@ -95,18 +144,18 @@ If a value in the following options begins with a tilde character `~`, it is exp
 - `--local-server-key`
 - `--token-cache-dir`
 
-
 ## Authentication flows
 
 Kubelogin support the following flows:
 
-- Authorization code flow
-- Authorization code flow with a keyboard
-- Resource owner password credentials grant flow
+- [Authorization code flow](#authorization-code-flow)
+- [Authorization code flow with a keyboard](#authorization-code-flow-with-a-keyboard)
+- [Device authorization grant](#device-authorization-grant)
+- [Resource owner password credentials grant](#resource-owner-password-credentials-grant)
 
 ### Authorization code flow
 
-Kubelogin performs the authorization code flow by default.
+Kubelogin performs the [authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) by default.
 
 It starts the local server at port 8000 or 18000 by default.
 You need to register the following redirect URIs to the provider:
@@ -117,50 +166,51 @@ You need to register the following redirect URIs to the provider:
 You can change the listening address.
 
 ```yaml
-      - --listen-address=127.0.0.1:12345
-      - --listen-address=127.0.0.1:23456
+- --listen-address=127.0.0.1:12345
+- --listen-address=127.0.0.1:23456
 ```
 
 You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
 
 ```yaml
-      - --local-server-cert=localhost.crt
-      - --local-server-key=localhost.key
+- --local-server-cert=localhost.crt
+- --local-server-key=localhost.key
 ```
 
 You can change the hostname of redirect URI from the default value `localhost`.
 
 ```yaml
-      - --oidc-redirect-url-hostname=127.0.0.1
+- --oidc-redirect-url-hostname=127.0.0.1
 ```
 
 You can add extra parameters to the authentication request.
 
 ```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
+- --oidc-auth-request-extra-params=ttl=86400
 ```
 
 When authentication completed, kubelogin shows a message to close the browser.
 You can change the URL to show after authentication.
 
 ```yaml
-      - --open-url-after-authentication=https://example.com/success.html
+- --open-url-after-authentication=https://example.com/success.html
 ```
 
-You can skip opening the browser if you encounter some environment problem.
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
 
 ```yaml
-      - --skip-open-browser
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
 ```
 
-For Linux users, you change the default browser by `BROWSER` environment variable.
-
 ### Authorization code flow with a keyboard
 
 If you cannot access the browser, instead use the authorization code flow with a keyboard.
 
 ```yaml
-      - --grant-type=authcode-keyboard
+- --grant-type=authcode-keyboard
 ```
 
 Kubelogin will show the URL and prompt.
@@ -172,33 +222,59 @@ Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=
 Enter code: YOUR_CODE
 ```
 
-Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and some OIDC providers do not support it.
+The default of redirect URI is `urn:ietf:wg:oauth:2.0:oob`.
+You can overwrite it.
+
+```yaml
+- oidc-redirect-url-authcode-keyboard=http://localhost
+```
 
 You can add extra parameters to the authentication request.
 
 ```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
+- --oidc-auth-request-extra-params=ttl=86400
 ```
 
-### Resource owner password credentials grant flow
+### Device authorization grant
 
-Kubelogin performs the resource owner password credentials grant flow
+Kubelogin performs the [device authorization grant](https://tools.ietf.org/html/rfc8628) when `--grant-type=device-code` is set.
+
+```yaml
+- --grant-type=device-code
+```
+
+It automatically opens the browser.
+If the provider returns the `verification_uri_complete` parameter, you don't need to enter the code.
+Otherwise, you need to enter the code shown.
+
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
+
+```yaml
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
+```
+
+### Resource owner password credentials grant
+
+Kubelogin performs the resource owner password credentials grant
 when `--grant-type=password` or `--username` is set.
 
-Note that most OIDC providers do not support this flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+Note that most OIDC providers do not support this grant.
+Keycloak supports this grant but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
 
 You can set the username and password.
 
 ```yaml
-      - --username=USERNAME
-      - --password=PASSWORD
+- --username=USERNAME
+- --password=PASSWORD
 ```
 
 If the password is not set, kubelogin will show the prompt for the password.
 
 ```yaml
-      - --username=USERNAME
+- --username=USERNAME
 ```
 
 ```
@@ -209,7 +285,7 @@ Password:
 If the username is not set, kubelogin will show the prompt for the username and password.
 
 ```yaml
-      - --grant-type=password
+- --grant-type=password
 ```
 
 ```
@@ -225,25 +301,25 @@ The kubeconfig looks like:
 
 ```yaml
 users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: docker
-      args:
-      - run
-      - --rm
-      - -v
-      - /tmp/.token-cache:/.token-cache
-      - -p
-      - 8000:8000
-      - ghcr.io/int128/kubelogin
-      - get-token
-      - --token-cache-dir=/.token-cache
-      - --listen-address=0.0.0.0:8000
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: docker
+        args:
+          - run
+          - --rm
+          - -v
+          - /tmp/.token-cache:/.token-cache
+          - -p
+          - 8000:8000
+          - ghcr.io/int128/kubelogin
+          - get-token
+          - --token-cache-dir=/.token-cache
+          - --listen-address=0.0.0.0:8000
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
+          - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
 Known limitations:

go.mod

@@ -1,25 +1,66 @@
 module github.com/int128/kubelogin
 
-go 1.16
+go 1.23.5
 
 require (
-	github.com/alexflint/go-filemutex v1.2.0
-	github.com/chromedp/chromedp v0.8.3
-	github.com/coreos/go-oidc/v3 v3.2.0
-	github.com/golang-jwt/jwt/v4 v4.4.2
-	github.com/google/go-cmp v0.5.8
-	github.com/google/wire v0.5.0
-	github.com/int128/oauth2cli v1.14.0
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
-	github.com/spf13/cobra v1.5.0
+	github.com/chromedp/chromedp v0.11.2
+	github.com/coreos/go-oidc/v3 v3.12.0
+	github.com/gofrs/flock v0.12.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/google/go-cmp v0.6.0
+	github.com/google/wire v0.6.0
+	github.com/int128/oauth2cli v1.14.1
+	github.com/int128/oauth2dev v1.0.1
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.0
-	golang.org/x/net v0.0.0-20220728211354-c7608f3a8462
-	golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
-	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035
-	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/apimachinery v0.24.3
-	k8s.io/client-go v0.24.3
-	k8s.io/klog/v2 v2.70.1
+	github.com/stretchr/testify v1.10.0
+	github.com/zalando/go-keyring v0.2.6
+	golang.org/x/oauth2 v0.25.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.28.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
+	k8s.io/klog/v2 v2.130.1
+)
+
+require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
+	github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb // indirect
+	github.com/chromedp/sysutil v1.1.0 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gobwas/httphead v0.1.0 // indirect
+	github.com/gobwas/pool v0.2.1 // indirect
+	github.com/gobwas/ws v1.4.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/int128/listener v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

integration_test/clean_test.go

@@ -0,0 +1,28 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+func TestClean(t *testing.T) {
+	tokenCacheDir := t.TempDir()
+
+	cmd := di.NewCmdForHeadless(clock.Fake(time.Now()), os.Stdin, os.Stdout, logger.New(t), httpdriver.Zero(t))
+	exitCode := cmd.Run(context.TODO(), []string{
+		"kubelogin",
+		"clean",
+		"--token-cache-dir", tokenCacheDir,
+		"--token-cache-storage", "disk",
+	}, "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}

integration_test/credetial_plugin_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/int128/kubelogin/integration_test/httpdriver"
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
@@ -27,7 +28,6 @@ import (
 // 2. Run the Cmd.
 // 3. Open a request for the local server.
 // 4. Verify the output.
-//
 func TestCredentialPlugin(t *testing.T) {
 	timeout := 10 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -43,7 +43,7 @@ func TestCredentialPlugin(t *testing.T) {
 			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
 		},
 	} {
-		httpDriverOption := httpdriver.Option{
+		httpDriverConfig := httpdriver.Config{
 			TLSConfig:    tc.keyPair.TLSConfig,
 			BodyContains: "Authenticated",
 		}
@@ -53,46 +53,49 @@ func TestCredentialPlugin(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
-						Scope:             "openid",
-						RedirectURIPrefix: "http://localhost:",
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:               "openid",
+						RedirectURIPrefix:   "http://localhost:",
+						CodeChallengeMethod: "S256",
 					},
-					Response: oidcserver.Response{
-						IDTokenExpiry: now.Add(time.Hour),
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
 					},
 				})
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
-					issuerURL:     sv.IssuerURL(),
-					httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+					issuerURL:     svc.IssuerURL(),
+					httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 					now:           now,
 					stdout:        &stdout,
 					args:          tc.args,
 				})
-				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 			})
 
 			t.Run("ROPC", func(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
-						IDTokenExpiry: now.Add(time.Hour),
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
 					},
 				})
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
-					issuerURL:     sv.IssuerURL(),
+					issuerURL:     svc.IssuerURL(),
 					httpDriver:    httpdriver.Zero(t),
 					now:           now,
 					stdout:        &stdout,
@@ -101,110 +104,169 @@ func TestCredentialPlugin(t *testing.T) {
 						"--password", "PASS1",
 					}, tc.args...),
 				})
-				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 			})
 
 			t.Run("TokenCacheLifecycle", func(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{})
 
 				t.Run("NoCache", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
-							Scope:             "openid",
-							RedirectURIPrefix: "http://localhost:",
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:               "openid",
+							RedirectURIPrefix:   "http://localhost:",
+							CodeChallengeMethod: "S256",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(time.Hour),
-							RefreshToken:  "REFRESH_TOKEN_1",
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_1",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					svc.SetConfig(testconfig.Config{})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
+						issuerURL:     svc.IssuerURL(),
 						httpDriver:    httpdriver.Zero(t),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(3 * time.Hour),
-							RefreshToken:  "REFRESH_TOKEN_2",
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(3 * time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_2",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now.Add(2 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(3*time.Hour))
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(5 * time.Hour),
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(5 * time.Hour),
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now.Add(4 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(5*time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(5*time.Hour))
 				})
 			})
 		})
 	}
 
 	t.Run("PKCE", func(t *testing.T) {
+		t.Run("Not supported by provider", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+		})
+
+		t.Run("Enforce", func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "S256",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+				args:          []string{"--oidc-use-pkce"},
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+		})
+	})
+
+	t.Run("TLSData", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		svc := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:               "openid",
 				RedirectURIPrefix:   "http://localhost:",
 				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry:                 now.Add(time.Hour),
 				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
@@ -212,57 +274,35 @@ func TestCredentialPlugin(t *testing.T) {
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
-			now:           now,
-			stdout:        &stdout,
-		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
-	})
-
-	t.Run("TLSData", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
-			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
-			},
-		})
-		var stdout bytes.Buffer
-		runGetToken(t, ctx, getTokenConfig{
-			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("ExtraScopes", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "email profile openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "email profile openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -270,77 +310,83 @@ func TestCredentialPlugin(t *testing.T) {
 				"--oidc-extra-scope", "profile",
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "URL=https://example.com/success"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "URL=https://example.com/success"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("RedirectURLHostname", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://127.0.0.1:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://127.0.0.1:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("RedirectURLHTTPS", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "https://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "https://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{
+			issuerURL:     svc.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{
 				TLSConfig:    keypair.Server.TLSConfig,
 				BodyContains: "Authenticated",
 			}),
@@ -351,31 +397,33 @@ func TestCredentialPlugin(t *testing.T) {
 				"--local-server-key", keypair.Server.KeyPath,
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 
 	t.Run("ExtraParams", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 				ExtraParams: map[string]string{
 					"ttl":    "86400",
 					"reauth": "false",
 				},
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -383,7 +431,7 @@ func TestCredentialPlugin(t *testing.T) {
 				"--oidc-auth-request-extra-params", "reauth=false",
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 }
 
@@ -402,6 +450,7 @@ func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
 		"kubelogin",
 		"get-token",
 		"--token-cache-dir", cfg.tokenCacheDir,
+		"--token-cache-storage", "disk",
 		"--oidc-issuer-url", cfg.issuerURL,
 		"--oidc-client-id", "kubernetes",
 		"--listen-address", "127.0.0.1:0",

integration_test/httpdriver/http_driver.go

@@ -4,20 +4,20 @@ package httpdriver
 import (
 	"context"
 	"crypto/tls"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 	"testing"
 )
 
-type Option struct {
+type Config struct {
 	TLSConfig    *tls.Config
 	BodyContains string
 }
 
 // New returns a client to simulate browser access.
-func New(ctx context.Context, t *testing.T, o Option) *client {
-	return &client{ctx, t, o}
+func New(ctx context.Context, t *testing.T, config Config) *client {
+	return &client{ctx, t, config}
 }
 
 // Zero returns a client which call is not expected.
@@ -26,13 +26,13 @@ func Zero(t *testing.T) *zeroClient {
 }
 
 type client struct {
-	ctx context.Context
-	t   *testing.T
-	o   Option
+	ctx    context.Context
+	t      *testing.T
+	config Config
 }
 
 func (c *client) Open(url string) error {
-	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.o.TLSConfig}}
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.config.TLSConfig}}
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		c.t.Errorf("could not create a request: %s", err)
@@ -48,14 +48,14 @@ func (c *client) Open(url string) error {
 	if resp.StatusCode != 200 {
 		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
 	}
-	b, err := ioutil.ReadAll(resp.Body)
+	b, err := io.ReadAll(resp.Body)
 	if err != nil {
 		c.t.Errorf("could not read body: %s", err)
 		return nil
 	}
 	body := string(b)
-	if !strings.Contains(body, c.o.BodyContains) {
-		c.t.Errorf("body should contain %s but was %s", c.o.BodyContains, body)
+	if !strings.Contains(body, c.config.BodyContains) {
+		c.t.Errorf("body should contain %s but was %s", c.config.BodyContains, body)
 	}
 	return nil
 }

integration_test/keypair/keypair.go

@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 )
@@ -50,7 +49,7 @@ func readAsBase64(name string) string {
 }
 
 func newTLSConfig(name string) *tls.Config {
-	b, err := ioutil.ReadFile(name)
+	b, err := os.ReadFile(name)
 	if err != nil {
 		panic(err)
 	}

integration_test/kubeconfig/kubeconfig.go

@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // Values represents values in .kubeconfig template.

integration_test/oidcserver/handler/handler.go

@@ -1,4 +1,4 @@
-// Package handler provides a HTTP handler for the OpenID Connect Provider.
+// Package handler provides HTTP handlers for the OpenID Connect Provider.
 package handler
 
 import (
@@ -6,29 +6,34 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"testing"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
 )
 
-func New(t *testing.T, provider Provider) *Handler {
-	return &Handler{t, provider}
+func Register(t *testing.T, mux *http.ServeMux, provider service.Provider) {
+	h := &Handlers{t, provider}
+	mux.HandleFunc("GET /.well-known/openid-configuration", h.Discovery)
+	mux.HandleFunc("GET /certs", h.GetCertificates)
+	mux.HandleFunc("GET /auth", h.AuthenticateCode)
+	mux.HandleFunc("POST /token", h.Exchange)
 }
 
-// Handler provides a HTTP handler for the OpenID Connect Provider.
+// Handlers provides HTTP handlers for the OpenID Connect Provider.
 // You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
-type Handler struct {
+type Handlers struct {
 	t        *testing.T
-	provider Provider
+	provider service.Provider
 }
 
-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	wr := &responseWriterRecorder{w, 200}
-	err := h.serveHTTP(wr, r)
+func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func() error) {
+	err := f()
 	if err == nil {
-		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
 		return
 	}
-	if errResp := new(ErrorResponse); errors.As(err, &errResp) {
+	if errResp := new(service.ErrorResponse); errors.As(err, &errResp) {
 		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(400)
@@ -42,38 +47,35 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	http.Error(w, err.Error(), 500)
 }
 
-type responseWriterRecorder struct {
-	http.ResponseWriter
-	statusCode int
-}
-
-func (w *responseWriterRecorder) WriteHeader(statusCode int) {
-	w.ResponseWriter.WriteHeader(statusCode)
-	w.statusCode = statusCode
-}
-
-func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
-	m := r.Method
-	p := r.URL.Path
-	switch {
-	case m == "GET" && p == "/.well-known/openid-configuration":
+func (h *Handlers) Discovery(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
 			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/certs":
+		return nil
+	})
+}
+
+func (h *Handlers) GetCertificates(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
 			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/auth":
+		return nil
+	})
+}
+
+func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		q := r.URL.Query()
 		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
-		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+		code, err := h.provider.AuthenticateCode(service.AuthenticationRequest{
 			RedirectURI:         redirectURI,
 			State:               state,
 			Scope:               q.Get("scope"),
@@ -85,16 +87,25 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return fmt.Errorf("authentication error: %w", err)
 		}
-		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
-		http.Redirect(w, r, to, 302)
-	case m == "POST" && p == "/token":
+		redirectTo, err := url.Parse(redirectURI)
+		if err != nil {
+			return fmt.Errorf("invalid redirect_uri: %w", err)
+		}
+		redirectTo.RawQuery = url.Values{"state": {state}, "code": {code}}.Encode()
+		http.Redirect(w, r, redirectTo.String(), http.StatusFound)
+		return nil
+	})
+}
+
+func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		if err := r.ParseForm(); err != nil {
 			return fmt.Errorf("could not parse the form: %w", err)
 		}
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
 		case "authorization_code":
-			tokenResponse, err := h.provider.Exchange(TokenRequest{
+			tokenResponse, err := h.provider.Exchange(service.TokenRequest{
 				Code:         r.Form.Get("code"),
 				CodeVerifier: r.Form.Get("code_verifier"),
 			})
@@ -135,13 +146,11 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		default:
 			// 5.2. Error Response
 			// https://tools.ietf.org/html/rfc6749#section-5.2
-			return &ErrorResponse{
+			return &service.ErrorResponse{
 				Code:        "invalid_grant",
 				Description: fmt.Sprintf("unknown grant_type %s", grantType),
 			}
 		}
-	default:
-		http.NotFound(w, r)
-	}
-	return nil
+		return nil
+	})
 }

integration_test/oidcserver/http/http.go

@@ -1,74 +0,0 @@
-// Package http provides a http server running on localhost for testing.
-package http
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"testing"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-)
-
-func Start(t *testing.T, h http.Handler, k keypair.KeyPair) string {
-	if k == keypair.None {
-		return startNoTLS(t, h)
-	}
-	return startTLS(t, h, k)
-}
-
-func startNoTLS(t *testing.T, h http.Handler) string {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "http://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.Serve(l)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(func() {
-		if err := s.Shutdown(context.TODO()); err != nil {
-			t.Errorf("could not shutdown the server: %s", err)
-		}
-	})
-	return url
-}
-
-func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) string {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "https://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.ServeTLS(l, k.CertPath, k.KeyPath)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(func() {
-		if err := s.Shutdown(context.TODO()); err != nil {
-			t.Errorf("could not shutdown the server: %s", err)
-		}
-	})
-	return url
-}
-
-func newLocalhostListener(t *testing.T) (net.Listener, string) {
-	t.Helper()
-	l, err := net.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatalf("Could not create a listener: %s", err)
-	}
-	addr := l.Addr().String()
-	_, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		t.Fatalf("Could not parse the address %s: %s", addr, err)
-	}
-	return l, port
-}

integration_test/oidcserver/oidcserver.go

@@ -0,0 +1,54 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+)
+
+// New starts a server for the OpenID Connect provider.
+func New(t *testing.T, kp keypair.KeyPair, config testconfig.Config) service.Service {
+	mux := http.NewServeMux()
+	serverURL := startServer(t, mux, kp)
+
+	svc := service.New(t, serverURL, config)
+	handler.Register(t, mux, svc)
+	return svc
+}
+
+func startServer(t *testing.T, h http.Handler, kp keypair.KeyPair) string {
+	if kp == keypair.None {
+		srv := httptest.NewServer(h)
+		t.Cleanup(srv.Close)
+		return srv.URL
+	}
+
+	// Unfortunately, httptest package did not work with keypair.KeyPair.
+	// We use httptest package only for allocating a new port.
+	portAllocator := httptest.NewUnstartedServer(h)
+	t.Cleanup(portAllocator.Close)
+	serverURL := fmt.Sprintf("https://localhost:%d", portAllocator.Listener.Addr().(*net.TCPAddr).Port)
+	srv := &http.Server{Handler: h}
+	go func() {
+		err := srv.ServeTLS(portAllocator.Listener, kp.CertPath, kp.KeyPath)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			t.Error(err)
+		}
+	}()
+	t.Cleanup(func() {
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return serverURL
+}

integration_test/oidcserver/server.go

@@ -1,215 +0,0 @@
-// Package oidcserver provides a stub of OpenID Connect provider.
-package oidcserver
-
-import (
-	"crypto/sha256"
-	"encoding/base64"
-	"fmt"
-	"math/big"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
-	"github.com/int128/kubelogin/integration_test/oidcserver/http"
-	"github.com/int128/kubelogin/pkg/testing/jwt"
-)
-
-type Server interface {
-	IssuerURL() string
-	SetConfig(Config)
-	LastTokenResponse() *handler.TokenResponse
-}
-
-// Want represents a set of expected values.
-type Want struct {
-	Scope               string
-	RedirectURIPrefix   string
-	CodeChallengeMethod string            // optional
-	ExtraParams         map[string]string // optional
-	Username            string            // optional
-	Password            string            // optional
-	RefreshToken        string            // optional
-}
-
-// Response represents a set of response values.
-type Response struct {
-	IDTokenExpiry                 time.Time
-	RefreshToken                  string
-	RefreshError                  string   // if set, Refresh() will return the error
-	CodeChallengeMethodsSupported []string // optional
-}
-
-// Config represents a configuration of the OpenID Connect provider.
-type Config struct {
-	Want     Want
-	Response Response
-}
-
-// New starts a HTTP server for the OpenID Connect provider.
-func New(t *testing.T, k keypair.KeyPair, c Config) Server {
-	sv := server{Config: c, t: t}
-	sv.issuerURL = http.Start(t, handler.New(t, &sv), k)
-	return &sv
-}
-
-type server struct {
-	Config
-	t                         *testing.T
-	issuerURL                 string
-	lastAuthenticationRequest *handler.AuthenticationRequest
-	lastTokenResponse         *handler.TokenResponse
-}
-
-func (sv *server) IssuerURL() string {
-	return sv.issuerURL
-}
-
-func (sv *server) SetConfig(cfg Config) {
-	sv.Config = cfg
-}
-
-func (sv *server) LastTokenResponse() *handler.TokenResponse {
-	return sv.lastTokenResponse
-}
-
-func (sv *server) Discovery() *handler.DiscoveryResponse {
-	// based on https://accounts.google.com/.well-known/openid-configuration
-	return &handler.DiscoveryResponse{
-		Issuer:                            sv.issuerURL,
-		AuthorizationEndpoint:             sv.issuerURL + "/auth",
-		TokenEndpoint:                     sv.issuerURL + "/token",
-		JwksURI:                           sv.issuerURL + "/certs",
-		UserinfoEndpoint:                  sv.issuerURL + "/userinfo",
-		RevocationEndpoint:                sv.issuerURL + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     sv.Config.Response.CodeChallengeMethodsSupported,
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
-func (sv *server) GetCertificates() *handler.CertificatesResponse {
-	idTokenKeyPair := jwt.PrivateKey
-	return &handler.CertificatesResponse{
-		Keys: []*handler.CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
-}
-
-func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
-	if req.Scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
-	}
-	if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
-		sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
-	}
-	if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
-		sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
-	}
-	for k, v := range sv.Want.ExtraParams {
-		got := req.RawQuery.Get(k)
-		if got != v {
-			sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
-		}
-	}
-	sv.lastAuthenticationRequest = &req
-	return "YOUR_AUTH_CODE", nil
-}
-
-func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
-	if req.Code != "YOUR_AUTH_CODE" {
-		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
-	}
-	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
-		// https://tools.ietf.org/html/rfc7636#section-4.6
-		challenge := computeS256Challenge(req.CodeVerifier)
-		if challenge != sv.lastAuthenticationRequest.CodeChallenge {
-			sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
-		}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-			claims.Nonce = sv.lastAuthenticationRequest.Nonce
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func computeS256Challenge(verifier string) string {
-	c := sha256.Sum256([]byte(verifier))
-	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
-}
-
-func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
-	if scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
-	}
-	if username != sv.Want.Username {
-		sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
-	}
-	if password != sv.Want.Password {
-		sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
-	if refreshToken != sv.Want.RefreshToken {
-		sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
-	}
-	if sv.Response.RefreshError != "" {
-		return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}

integration_test/oidcserver/service/service.go

@@ -0,0 +1,184 @@
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+func New(t *testing.T, issuerURL string, config testconfig.Config) Service {
+	return &service{
+		config:    config,
+		t:         t,
+		issuerURL: issuerURL,
+	}
+}
+
+type service struct {
+	config                    testconfig.Config
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *AuthenticationRequest
+	lastTokenResponse         *TokenResponse
+}
+
+func (svc *service) IssuerURL() string {
+	return svc.issuerURL
+}
+
+func (svc *service) SetConfig(cfg testconfig.Config) {
+	svc.config = cfg
+}
+
+func (svc *service) LastTokenResponse() *TokenResponse {
+	return svc.lastTokenResponse
+}
+
+func (svc *service) Discovery() *DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &DiscoveryResponse{
+		Issuer:                            svc.issuerURL,
+		AuthorizationEndpoint:             svc.issuerURL + "/auth",
+		TokenEndpoint:                     svc.issuerURL + "/token",
+		JwksURI:                           svc.issuerURL + "/certs",
+		UserinfoEndpoint:                  svc.issuerURL + "/userinfo",
+		RevocationEndpoint:                svc.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     svc.config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (svc *service) GetCertificates() *CertificatesResponse {
+	idTokenKeyPair := testingJWT.PrivateKey
+	return &CertificatesResponse{
+		Keys: []*CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (svc *service) AuthenticateCode(req AuthenticationRequest) (code string, err error) {
+	if req.Scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, svc.config.Want.RedirectURIPrefix) {
+		svc.t.Errorf("redirectURI wants prefix `%s` but was `%s`", svc.config.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if diff := cmp.Diff(svc.config.Want.CodeChallengeMethod, req.CodeChallengeMethod); diff != "" {
+		svc.t.Errorf("code_challenge_method mismatch (-want +got):\n%s", diff)
+	}
+	for k, v := range svc.config.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			svc.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	svc.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (svc *service) Exchange(req TokenRequest) (*TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if svc.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != svc.lastAuthenticationRequest.CodeChallenge {
+			svc.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", svc.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = svc.lastAuthenticationRequest.Nonce
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (svc *service) AuthenticatePassword(username, password, scope string) (*TokenResponse, error) {
+	if scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, scope)
+	}
+	if username != svc.config.Want.Username {
+		svc.t.Errorf("username wants `%s` but was `%s`", svc.config.Want.Username, username)
+	}
+	if password != svc.config.Want.Password {
+		svc.t.Errorf("password wants `%s` but was `%s`", svc.config.Want.Password, password)
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (svc *service) Refresh(refreshToken string) (*TokenResponse, error) {
+	if refreshToken != svc.config.Want.RefreshToken {
+		svc.t.Errorf("refreshToken wants %s but was %s", svc.config.Want.RefreshToken, refreshToken)
+	}
+	if svc.config.Response.RefreshError != "" {
+		return nil, &ErrorResponse{Code: "invalid_request", Description: svc.config.Response.RefreshError}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}

integration_test/oidcserver/service/types.go

@@ -1,11 +1,24 @@
-package handler
+package service
 
 import (
 	"fmt"
 	"net/url"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 )
 
-// Provider provides discovery and authentication methods.
+// Service represents the test service of OpenID Connect Provider.
+// It provides the feature of Provider and additional methods for testing.
+type Service interface {
+	Provider
+
+	IssuerURL() string
+	SetConfig(config testconfig.Config)
+	LastTokenResponse() *TokenResponse
+}
+
+// Provider represents an OpenID Connect Provider.
+//
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
@@ -18,6 +31,8 @@ type Provider interface {
 	Refresh(refreshToken string) (*TokenResponse, error)
 }
 
+// DiscoveryResponse represents the type of:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
 type DiscoveryResponse struct {
 	Issuer                            string   `json:"issuer"`
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
@@ -34,10 +49,14 @@ type DiscoveryResponse struct {
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
 }
 
+// CertificatesResponse represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-5
 type CertificatesResponse struct {
 	Keys []*CertificatesResponseKey `json:"keys"`
 }
 
+// CertificatesResponseKey represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-4
 type CertificatesResponseKey struct {
 	Kty string `json:"kty"`
 	Alg string `json:"alg"`
@@ -47,7 +66,7 @@ type CertificatesResponseKey struct {
 	E   string `json:"e"`
 }
 
-// AuthenticationRequest represents a type of:
+// AuthenticationRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 type AuthenticationRequest struct {
 	RedirectURI         string
@@ -59,13 +78,15 @@ type AuthenticationRequest struct {
 	RawQuery            url.Values
 }
 
-// TokenRequest represents a type of:
+// TokenRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
 type TokenRequest struct {
 	Code         string
 	CodeVerifier string
 }
 
+// TokenResponse represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
 type TokenResponse struct {
 	AccessToken  string `json:"access_token"`
 	TokenType    string `json:"token_type"`
@@ -74,7 +95,7 @@ type TokenResponse struct {
 	IDToken      string `json:"id_token"`
 }
 
-// ErrorResponse represents an error response described in the following section:
+// ErrorResponse represents the error response described in the following section:
 // 5.2 Error Response
 // https://tools.ietf.org/html/rfc6749#section-5.2
 type ErrorResponse struct {

integration_test/oidcserver/testconfig/types.go

@@ -0,0 +1,28 @@
+package testconfig
+
+import "time"
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string
+}
+
+// Config represents a configuration of the OpenID Connect provider.
+type Config struct {
+	Want     Want
+	Response Response
+}

integration_test/standalone_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/kubeconfig"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
@@ -22,7 +23,6 @@ import (
 // 2. Run the Cmd.
 // 3. Open a request for the local server.
 // 4. Verify the kubeconfig.
-//
 func TestStandalone(t *testing.T) {
 	timeout := 3 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -36,7 +36,7 @@ func TestStandalone(t *testing.T) {
 			keyPair: keypair.Server,
 		},
 	} {
-		httpDriverOption := httpdriver.Option{
+		httpDriverOption := httpdriver.Config{
 			TLSConfig:    tc.keyPair.TLSConfig,
 			BodyContains: "Authenticated",
 		}
@@ -46,12 +46,12 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -75,14 +75,14 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -110,19 +110,19 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{})
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
 
 				t.Run("NoToken", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_1",
 						},
@@ -139,7 +139,7 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					sv.SetConfig(testconfig.Config{})
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
@@ -152,13 +152,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(3 * time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_2",
 						},
@@ -175,13 +175,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(5 * time.Hour),
 						},
 					})
@@ -204,12 +204,12 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -220,7 +220,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig}),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -232,12 +232,12 @@ func TestStandalone(t *testing.T) {
 	t.Run("env_KUBECONFIG", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -247,7 +247,7 @@ func TestStandalone(t *testing.T) {
 		t.Setenv("KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:  sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{}),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{}),
 			now:        now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -260,12 +260,12 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "profile groups openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -276,7 +276,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{}),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{

main.go

@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 	"os"
+	"os/signal"
+	"syscall"
 
 	"github.com/int128/kubelogin/pkg/di"
 )
@@ -10,5 +12,8 @@ import (
 var version = "HEAD"
 
 func main() {
-	os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
+	ctx := context.Background()
+	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer stop()
+	os.Exit(di.NewCmd().Run(ctx, os.Args, version))
 }

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Provider.go

@@ -0,0 +1,361 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package service_mock
+
+import (
+	service "github.com/int128/kubelogin/integration_test/oidcserver/service"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockProvider is an autogenerated mock type for the Provider type
+type MockProvider struct {
+	mock.Mock
+}
+
+type MockProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
+	return &MockProvider_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function with given fields: req
+func (_m *MockProvider) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = rf(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockProvider_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockProvider_Expecter) AuthenticateCode(req interface{}) *MockProvider_AuthenticateCode_Call {
+	return &MockProvider_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.AuthenticationRequest))
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Return(code string, err error) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) RunAndReturn(run func(service.AuthenticationRequest) (string, error)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function with given fields: username, password, scope
+func (_m *MockProvider) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _m.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return rf(username, password, scope)
+	}
+	if rf, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = rf(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = rf(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockProvider_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockProvider_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockProvider_AuthenticatePassword_Call {
+	return &MockProvider_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) RunAndReturn(run func(string, string, string) (*service.TokenResponse, error)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function with no fields
+func (_m *MockProvider) Discovery() *service.DiscoveryResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if rf, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockProvider_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockProvider_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) Discovery() *MockProvider_Discovery_Call {
+	return &MockProvider_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockProvider_Discovery_Call) Run(run func()) *MockProvider_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) Return(_a0 *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function with given fields: req
+func (_m *MockProvider) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = rf(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockProvider_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockProvider_Expecter) Exchange(req interface{}) *MockProvider_Exchange_Call {
+	return &MockProvider_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockProvider_Exchange_Call) Run(run func(req service.TokenRequest)) *MockProvider_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.TokenRequest))
+	})
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_Exchange_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) RunAndReturn(run func(service.TokenRequest) (*service.TokenResponse, error)) *MockProvider_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function with no fields
+func (_m *MockProvider) GetCertificates() *service.CertificatesResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if rf, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockProvider_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockProvider_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetCertificates() *MockProvider_GetCertificates_Call {
+	return &MockProvider_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockProvider_GetCertificates_Call) Run(run func()) *MockProvider_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) Return(_a0 *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: refreshToken
+func (_m *MockProvider) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _m.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return rf(refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = rf(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockProvider_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockProvider_Expecter) Refresh(refreshToken interface{}) *MockProvider_Refresh_Call {
+	return &MockProvider_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockProvider_Refresh_Call) Run(run func(refreshToken string)) *MockProvider_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) RunAndReturn(run func(string) (*service.TokenResponse, error)) *MockProvider_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockProvider {
+	mock := &MockProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Service.go

@@ -0,0 +1,487 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package service_mock
+
+import (
+	service "github.com/int128/kubelogin/integration_test/oidcserver/service"
+	testconfig "github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockService is an autogenerated mock type for the Service type
+type MockService struct {
+	mock.Mock
+}
+
+type MockService_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockService) EXPECT() *MockService_Expecter {
+	return &MockService_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function with given fields: req
+func (_m *MockService) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = rf(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockService_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockService_Expecter) AuthenticateCode(req interface{}) *MockService_AuthenticateCode_Call {
+	return &MockService_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockService_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockService_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.AuthenticationRequest))
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) Return(code string, err error) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) RunAndReturn(run func(service.AuthenticationRequest) (string, error)) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function with given fields: username, password, scope
+func (_m *MockService) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _m.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return rf(username, password, scope)
+	}
+	if rf, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = rf(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = rf(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockService_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockService_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockService_AuthenticatePassword_Call {
+	return &MockService_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) RunAndReturn(run func(string, string, string) (*service.TokenResponse, error)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function with no fields
+func (_m *MockService) Discovery() *service.DiscoveryResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if rf, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockService_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockService_Expecter) Discovery() *MockService_Discovery_Call {
+	return &MockService_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockService_Discovery_Call) Run(run func()) *MockService_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) Return(_a0 *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function with given fields: req
+func (_m *MockService) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = rf(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockService_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockService_Expecter) Exchange(req interface{}) *MockService_Exchange_Call {
+	return &MockService_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockService_Exchange_Call) Run(run func(req service.TokenRequest)) *MockService_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.TokenRequest))
+	})
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_Exchange_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) RunAndReturn(run func(service.TokenRequest) (*service.TokenResponse, error)) *MockService_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function with no fields
+func (_m *MockService) GetCertificates() *service.CertificatesResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if rf, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockService_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockService_Expecter) GetCertificates() *MockService_GetCertificates_Call {
+	return &MockService_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockService_GetCertificates_Call) Run(run func()) *MockService_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) Return(_a0 *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IssuerURL provides a mock function with no fields
+func (_m *MockService) IssuerURL() string {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for IssuerURL")
+	}
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func() string); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockService_IssuerURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerURL'
+type MockService_IssuerURL_Call struct {
+	*mock.Call
+}
+
+// IssuerURL is a helper method to define mock.On call
+func (_e *MockService_Expecter) IssuerURL() *MockService_IssuerURL_Call {
+	return &MockService_IssuerURL_Call{Call: _e.mock.On("IssuerURL")}
+}
+
+func (_c *MockService_IssuerURL_Call) Run(run func()) *MockService_IssuerURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) Return(_a0 string) *MockService_IssuerURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) RunAndReturn(run func() string) *MockService_IssuerURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LastTokenResponse provides a mock function with no fields
+func (_m *MockService) LastTokenResponse() *service.TokenResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for LastTokenResponse")
+	}
+
+	var r0 *service.TokenResponse
+	if rf, ok := ret.Get(0).(func() *service.TokenResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_LastTokenResponse_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LastTokenResponse'
+type MockService_LastTokenResponse_Call struct {
+	*mock.Call
+}
+
+// LastTokenResponse is a helper method to define mock.On call
+func (_e *MockService_Expecter) LastTokenResponse() *MockService_LastTokenResponse_Call {
+	return &MockService_LastTokenResponse_Call{Call: _e.mock.On("LastTokenResponse")}
+}
+
+func (_c *MockService_LastTokenResponse_Call) Run(run func()) *MockService_LastTokenResponse_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) Return(_a0 *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) RunAndReturn(run func() *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: refreshToken
+func (_m *MockService) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _m.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return rf(refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = rf(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockService_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockService_Expecter) Refresh(refreshToken interface{}) *MockService_Refresh_Call {
+	return &MockService_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockService_Refresh_Call) Run(run func(refreshToken string)) *MockService_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) RunAndReturn(run func(string) (*service.TokenResponse, error)) *MockService_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SetConfig provides a mock function with given fields: config
+func (_m *MockService) SetConfig(config testconfig.Config) {
+	_m.Called(config)
+}
+
+// MockService_SetConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetConfig'
+type MockService_SetConfig_Call struct {
+	*mock.Call
+}
+
+// SetConfig is a helper method to define mock.On call
+//   - config testconfig.Config
+func (_e *MockService_Expecter) SetConfig(config interface{}) *MockService_SetConfig_Call {
+	return &MockService_SetConfig_Call{Call: _e.mock.On("SetConfig", config)}
+}
+
+func (_c *MockService_SetConfig_Call) Run(run func(config testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(testconfig.Config))
+	})
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) Return() *MockService_SetConfig_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) RunAndReturn(run func(testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockService creates a new instance of MockService. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockService {
+	mock := &MockService{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/cmd_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package cmd
+package cmd_mock
 
 import (
 	context "context"
@@ -25,6 +25,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Run(ctx context.Context, args []string, version string) int {
 	ret := _m.Called(ctx, args, version)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Run")
+	}
+
 	var r0 int
 	if rf, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
 		r0 = rf(ctx, args, version)
@@ -41,9 +45,9 @@ type MockInterface_Run_Call struct {
 }
 
 // Run is a helper method to define mock.On call
-//  - ctx context.Context
-//  - args []string
-//  - version string
+//   - ctx context.Context
+//   - args []string
+//   - version string
 func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version interface{}) *MockInterface_Run_Call {
 	return &MockInterface_Run_Call{Call: _e.mock.On("Run", ctx, args, version)}
 }
@@ -60,13 +64,17 @@ func (_c *MockInterface_Run_Call) Return(_a0 int) *MockInterface_Run_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Run_Call) RunAndReturn(run func(context.Context, []string, string) int) *MockInterface_Run_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mock_Interface.go

@@ -0,0 +1,90 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package reader_mock
+
+import (
+	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function with no fields
+func (_m *MockInterface) Read() (credentialplugin.Input, error) {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 credentialplugin.Input
+	var r1 error
+	if rf, ok := ret.Get(0).(func() (credentialplugin.Input, error)); ok {
+		return rf()
+	}
+	if rf, ok := ret.Get(0).(func() credentialplugin.Input); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(credentialplugin.Input)
+	}
+
+	if rf, ok := ret.Get(1).(func() error); ok {
+		r1 = rf()
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockInterface_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Read() *MockInterface_Read_Call {
+	return &MockInterface_Read_Call{Call: _e.mock.On("Read")}
+}
+
+func (_c *MockInterface_Read_Call) Run(run func()) *MockInterface_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) Return(_a0 credentialplugin.Input, _a1 error) *MockInterface_Read_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) RunAndReturn(run func() (credentialplugin.Input, error)) *MockInterface_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package writer
+package writer_mock
 
 import (
 	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
@@ -24,6 +24,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Write(out credentialplugin.Output) error {
 	ret := _m.Called(out)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
 		r0 = rf(out)
@@ -40,7 +44,7 @@ type MockInterface_Write_Call struct {
 }
 
 // Write is a helper method to define mock.On call
-//  - out credentialplugin.Output
+//   - out credentialplugin.Output
 func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Call {
 	return &MockInterface_Write_Call{Call: _e.mock.On("Write", out)}
 }
@@ -57,13 +61,17 @@ func (_c *MockInterface_Write_Call) Return(_a0 error) *MockInterface_Write_Call
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Write_Call) RunAndReturn(run func(credentialplugin.Output) error) *MockInterface_Write_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package browser
+package browser_mock
 
 import (
 	context "context"
@@ -25,6 +25,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Open(url string) error {
 	ret := _m.Called(url)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Open")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(string) error); ok {
 		r0 = rf(url)
@@ -41,7 +45,7 @@ type MockInterface_Open_Call struct {
 }
 
 // Open is a helper method to define mock.On call
-//  - url string
+//   - url string
 func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call {
 	return &MockInterface_Open_Call{Call: _e.mock.On("Open", url)}
 }
@@ -58,10 +62,19 @@ func (_c *MockInterface_Open_Call) Return(_a0 error) *MockInterface_Open_Call {
 	return _c
 }
 
+func (_c *MockInterface_Open_Call) RunAndReturn(run func(string) error) *MockInterface_Open_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // OpenCommand provides a mock function with given fields: ctx, url, command
 func (_m *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
 	ret := _m.Called(ctx, url, command)
 
+	if len(ret) == 0 {
+		panic("no return value specified for OpenCommand")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
 		r0 = rf(ctx, url, command)
@@ -78,9 +91,9 @@ type MockInterface_OpenCommand_Call struct {
 }
 
 // OpenCommand is a helper method to define mock.On call
-//  - ctx context.Context
-//  - url string
-//  - command string
+//   - ctx context.Context
+//   - url string
+//   - command string
 func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{}, command interface{}) *MockInterface_OpenCommand_Call {
 	return &MockInterface_OpenCommand_Call{Call: _e.mock.On("OpenCommand", ctx, url, command)}
 }
@@ -97,13 +110,17 @@ func (_c *MockInterface_OpenCommand_Call) Return(_a0 error) *MockInterface_OpenC
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_OpenCommand_Call) RunAndReturn(run func(context.Context, string, string) error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package clock
+package clock_mock
 
 import (
 	time "time"
@@ -21,10 +21,14 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }
 
-// Now provides a mock function with given fields:
+// Now provides a mock function with no fields
 func (_m *MockInterface) Now() time.Time {
 	ret := _m.Called()
 
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
 	var r0 time.Time
 	if rf, ok := ret.Get(0).(func() time.Time); ok {
 		r0 = rf()
@@ -57,13 +61,17 @@ func (_c *MockInterface_Now_Call) Return(_a0 time.Time) *MockInterface_Now_Call
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Now_Call) RunAndReturn(run func() time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Interface.go

@@ -1,10 +1,12 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package logger
+package logger_mock
 
 import (
-	pflag "github.com/spf13/pflag"
+	logger "github.com/int128/kubelogin/pkg/infrastructure/logger"
 	mock "github.com/stretchr/testify/mock"
+
+	pflag "github.com/spf13/pflag"
 )
 
 // MockInterface is an autogenerated mock type for the Interface type
@@ -31,7 +33,7 @@ type MockInterface_AddFlags_Call struct {
 }
 
 // AddFlags is a helper method to define mock.On call
-//  - f *pflag.FlagSet
+//   - f *pflag.FlagSet
 func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
 	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
 }
@@ -48,10 +50,19 @@ func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
 	return _c
 }
 
+func (_c *MockInterface_AddFlags_Call) RunAndReturn(run func(*pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Run(run)
+	return _c
+}
+
 // IsEnabled provides a mock function with given fields: level
 func (_m *MockInterface) IsEnabled(level int) bool {
 	ret := _m.Called(level)
 
+	if len(ret) == 0 {
+		panic("no return value specified for IsEnabled")
+	}
+
 	var r0 bool
 	if rf, ok := ret.Get(0).(func(int) bool); ok {
 		r0 = rf(level)
@@ -68,7 +79,7 @@ type MockInterface_IsEnabled_Call struct {
 }
 
 // IsEnabled is a helper method to define mock.On call
-//  - level int
+//   - level int
 func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
 	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
 }
@@ -85,6 +96,11 @@ func (_c *MockInterface_IsEnabled_Call) Return(_a0 bool) *MockInterface_IsEnable
 	return _c
 }
 
+func (_c *MockInterface_IsEnabled_Call) RunAndReturn(run func(int) bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // Printf provides a mock function with given fields: format, args
 func (_m *MockInterface) Printf(format string, args ...interface{}) {
 	var _ca []interface{}
@@ -99,8 +115,8 @@ type MockInterface_Printf_Call struct {
 }
 
 // Printf is a helper method to define mock.On call
-//  - format string
-//  - args ...interface{}
+//   - format string
+//   - args ...interface{}
 func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
 	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
 		append([]interface{}{format}, args...)...)}
@@ -124,16 +140,25 @@ func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
 	return _c
 }
 
+func (_c *MockInterface_Printf_Call) RunAndReturn(run func(string, ...interface{})) *MockInterface_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
 // V provides a mock function with given fields: level
-func (_m *MockInterface) V(level int) Verbose {
+func (_m *MockInterface) V(level int) logger.Verbose {
 	ret := _m.Called(level)
 
-	var r0 Verbose
-	if rf, ok := ret.Get(0).(func(int) Verbose); ok {
+	if len(ret) == 0 {
+		panic("no return value specified for V")
+	}
+
+	var r0 logger.Verbose
+	if rf, ok := ret.Get(0).(func(int) logger.Verbose); ok {
 		r0 = rf(level)
 	} else {
 		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Verbose)
+			r0 = ret.Get(0).(logger.Verbose)
 		}
 	}
 
@@ -146,7 +171,7 @@ type MockInterface_V_Call struct {
 }
 
 // V is a helper method to define mock.On call
-//  - level int
+//   - level int
 func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
 	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
 }
@@ -158,18 +183,22 @@ func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
 	return _c
 }
 
-func (_c *MockInterface_V_Call) Return(_a0 Verbose) *MockInterface_V_Call {
+func (_c *MockInterface_V_Call) Return(_a0 logger.Verbose) *MockInterface_V_Call {
 	_c.Call.Return(_a0)
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_V_Call) RunAndReturn(run func(int) logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Verbose.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package logger
+package logger_mock
 
 import mock "github.com/stretchr/testify/mock"
 
@@ -31,8 +31,8 @@ type MockVerbose_Infof_Call struct {
 }
 
 // Infof is a helper method to define mock.On call
-//  - format string
-//  - args ...interface{}
+//   - format string
+//   - args ...interface{}
 func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
 	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
 		append([]interface{}{format}, args...)...)}
@@ -56,13 +56,17 @@ func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockVerbose interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockVerbose_Infof_Call) RunAndReturn(run func(string, ...interface{})) *MockVerbose_Infof_Call {
+	_c.Run(run)
+	return _c
 }
 
 // NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockVerbose(t mockConstructorTestingTNewMockVerbose) *MockVerbose {
+// The first argument is typically a *testing.T value.
+func NewMockVerbose(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockVerbose {
 	mock := &MockVerbose{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_goLogger.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockgoLogger is an autogenerated mock type for the goLogger type
+type MockgoLogger struct {
+	mock.Mock
+}
+
+type MockgoLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockgoLogger) EXPECT() *MockgoLogger_Expecter {
+	return &MockgoLogger_Expecter{mock: &_m.Mock}
+}
+
+// Printf provides a mock function with given fields: format, v
+func (_m *MockgoLogger) Printf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// MockgoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockgoLogger_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *MockgoLogger_Expecter) Printf(format interface{}, v ...interface{}) *MockgoLogger_Printf_Call {
+	return &MockgoLogger_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *MockgoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *MockgoLogger_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockgoLogger_Printf_Call) Return() *MockgoLogger_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockgoLogger_Printf_Call) RunAndReturn(run func(string, ...interface{})) *MockgoLogger_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockgoLogger creates a new instance of MockgoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockgoLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockgoLogger {
+	mock := &MockgoLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package reader
+package reader_mock
 
 import mock "github.com/stretchr/testify/mock"
 
@@ -21,14 +21,21 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) ReadPassword(prompt string) (string, error) {
 	ret := _m.Called(prompt)
 
+	if len(ret) == 0 {
+		panic("no return value specified for ReadPassword")
+	}
+
 	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return rf(prompt)
+	}
 	if rf, ok := ret.Get(0).(func(string) string); ok {
 		r0 = rf(prompt)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string) error); ok {
 		r1 = rf(prompt)
 	} else {
@@ -44,7 +51,7 @@ type MockInterface_ReadPassword_Call struct {
 }
 
 // ReadPassword is a helper method to define mock.On call
-//  - prompt string
+//   - prompt string
 func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterface_ReadPassword_Call {
 	return &MockInterface_ReadPassword_Call{Call: _e.mock.On("ReadPassword", prompt)}
 }
@@ -61,18 +68,30 @@ func (_c *MockInterface_ReadPassword_Call) Return(_a0 string, _a1 error) *MockIn
 	return _c
 }
 
+func (_c *MockInterface_ReadPassword_Call) RunAndReturn(run func(string) (string, error)) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // ReadString provides a mock function with given fields: prompt
 func (_m *MockInterface) ReadString(prompt string) (string, error) {
 	ret := _m.Called(prompt)
 
+	if len(ret) == 0 {
+		panic("no return value specified for ReadString")
+	}
+
 	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return rf(prompt)
+	}
 	if rf, ok := ret.Get(0).(func(string) string); ok {
 		r0 = rf(prompt)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string) error); ok {
 		r1 = rf(prompt)
 	} else {
@@ -88,7 +107,7 @@ type MockInterface_ReadString_Call struct {
 }
 
 // ReadString is a helper method to define mock.On call
-//  - prompt string
+//   - prompt string
 func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_ReadString_Call {
 	return &MockInterface_ReadString_Call{Call: _e.mock.On("ReadString", prompt)}
 }
@@ -105,13 +124,17 @@ func (_c *MockInterface_ReadString_Call) Return(_a0 string, _a1 error) *MockInte
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_ReadString_Call) RunAndReturn(run func(string) (string, error)) *MockInterface_ReadString_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdin.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package stdio_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockStdin is an autogenerated mock type for the Stdin type
+type MockStdin struct {
+	mock.Mock
+}
+
+type MockStdin_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdin) EXPECT() *MockStdin_Expecter {
+	return &MockStdin_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function with given fields: p
+func (_m *MockStdin) Read(p []byte) (int, error) {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 int
+	var r1 error
+	if rf, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return rf(p)
+	}
+	if rf, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	if rf, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = rf(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockStdin_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockStdin_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdin_Expecter) Read(p interface{}) *MockStdin_Read_Call {
+	return &MockStdin_Read_Call{Call: _e.mock.On("Read", p)}
+}
+
+func (_c *MockStdin_Read_Call) Run(run func(p []byte)) *MockStdin_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].([]byte))
+	})
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) Return(n int, err error) *MockStdin_Read_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) RunAndReturn(run func([]byte) (int, error)) *MockStdin_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdin creates a new instance of MockStdin. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdin(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdin {
+	mock := &MockStdin{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdout.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package stdio_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockStdout is an autogenerated mock type for the Stdout type
+type MockStdout struct {
+	mock.Mock
+}
+
+type MockStdout_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdout) EXPECT() *MockStdout_Expecter {
+	return &MockStdout_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function with given fields: p
+func (_m *MockStdout) Write(p []byte) (int, error) {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 int
+	var r1 error
+	if rf, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return rf(p)
+	}
+	if rf, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	if rf, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = rf(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockStdout_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockStdout_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdout_Expecter) Write(p interface{}) *MockStdout_Write_Call {
+	return &MockStdout_Write_Call{Call: _e.mock.On("Write", p)}
+}
+
+func (_c *MockStdout_Write_Call) Run(run func(p []byte)) *MockStdout_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].([]byte))
+	})
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) Return(n int, err error) *MockStdout_Write_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) RunAndReturn(run func([]byte) (int, error)) *MockStdout_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdout creates a new instance of MockStdout. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdout(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdout {
+	mock := &MockStdout{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/jwt_mock/mock_Clock.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package jwt
+package jwt_mock
 
 import (
 	time "time"
@@ -21,10 +21,14 @@ func (_m *MockClock) EXPECT() *MockClock_Expecter {
 	return &MockClock_Expecter{mock: &_m.Mock}
 }
 
-// Now provides a mock function with given fields:
+// Now provides a mock function with no fields
 func (_m *MockClock) Now() time.Time {
 	ret := _m.Called()
 
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
 	var r0 time.Time
 	if rf, ok := ret.Get(0).(func() time.Time); ok {
 		r0 = rf()
@@ -57,13 +61,17 @@ func (_c *MockClock_Now_Call) Return(_a0 time.Time) *MockClock_Now_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockClock interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockClock_Now_Call) RunAndReturn(run func() time.Time) *MockClock_Now_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockClock(t mockConstructorTestingTNewMockClock) *MockClock {
+// The first argument is typically a *testing.T value.
+func NewMockClock(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockClock {
 	mock := &MockClock{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mock_Interface.go

@@ -1,9 +1,10 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package loader
+package loader_mock
 
 import (
 	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -24,7 +25,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
 	ret := _m.Called(explicitFilename, contextName, userName)
 
+	if len(ret) == 0 {
+		panic("no return value specified for GetCurrentAuthProvider")
+	}
+
 	var r0 *kubeconfig.AuthProvider
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)); ok {
+		return rf(explicitFilename, contextName, userName)
+	}
 	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
 		r0 = rf(explicitFilename, contextName, userName)
 	} else {
@@ -33,7 +42,6 @@ func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, context
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
 		r1 = rf(explicitFilename, contextName, userName)
 	} else {
@@ -49,9 +57,9 @@ type MockInterface_GetCurrentAuthProvider_Call struct {
 }
 
 // GetCurrentAuthProvider is a helper method to define mock.On call
-//  - explicitFilename string
-//  - contextName kubeconfig.ContextName
-//  - userName kubeconfig.UserName
+//   - explicitFilename string
+//   - contextName kubeconfig.ContextName
+//   - userName kubeconfig.UserName
 func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
 	return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
 }
@@ -68,13 +76,17 @@ func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(_a0 *kubeconfig.Auth
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_GetCurrentAuthProvider_Call) RunAndReturn(run func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package writer
+package writer_mock
 
 import (
 	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
@@ -24,6 +24,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
 	ret := _m.Called(p)
 
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAuthProvider")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
 		r0 = rf(p)
@@ -40,7 +44,7 @@ type MockInterface_UpdateAuthProvider_Call struct {
 }
 
 // UpdateAuthProvider is a helper method to define mock.On call
-//  - p kubeconfig.AuthProvider
+//   - p kubeconfig.AuthProvider
 func (_e *MockInterface_Expecter) UpdateAuthProvider(p interface{}) *MockInterface_UpdateAuthProvider_Call {
 	return &MockInterface_UpdateAuthProvider_Call{Call: _e.mock.On("UpdateAuthProvider", p)}
 }
@@ -57,13 +61,17 @@ func (_c *MockInterface_UpdateAuthProvider_Call) Return(_a0 error) *MockInterfac
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_UpdateAuthProvider_Call) RunAndReturn(run func(kubeconfig.AuthProvider) error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_FactoryInterface.go

@@ -1,13 +1,16 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package client
+package client_mock
 
 import (
 	context "context"
 
-	oidc "github.com/int128/kubelogin/pkg/oidc"
+	client "github.com/int128/kubelogin/pkg/oidc/client"
+
 	mock "github.com/stretchr/testify/mock"
 
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+
 	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
 )
 
@@ -24,22 +27,29 @@ func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
 	return &MockFactoryInterface_Expecter{mock: &_m.Mock}
 }
 
-// New provides a mock function with given fields: ctx, p, tlsClientConfig
-func (_m *MockFactoryInterface) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
-	ret := _m.Called(ctx, p, tlsClientConfig)
+// New provides a mock function with given fields: ctx, prov, tlsClientConfig
+func (_m *MockFactoryInterface) New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error) {
+	ret := _m.Called(ctx, prov, tlsClientConfig)
 
-	var r0 Interface
-	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) Interface); ok {
-		r0 = rf(ctx, p, tlsClientConfig)
+	if len(ret) == 0 {
+		panic("no return value specified for New")
+	}
+
+	var r0 client.Interface
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)); ok {
+		return rf(ctx, prov, tlsClientConfig)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) client.Interface); ok {
+		r0 = rf(ctx, prov, tlsClientConfig)
 	} else {
 		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Interface)
+			r0 = ret.Get(0).(client.Interface)
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
-		r1 = rf(ctx, p, tlsClientConfig)
+		r1 = rf(ctx, prov, tlsClientConfig)
 	} else {
 		r1 = ret.Error(1)
 	}
@@ -53,32 +63,36 @@ type MockFactoryInterface_New_Call struct {
 }
 
 // New is a helper method to define mock.On call
-//  - ctx context.Context
-//  - p oidc.Provider
-//  - tlsClientConfig tlsclientconfig.Config
-func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, p interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
-	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, p, tlsClientConfig)}
+//   - ctx context.Context
+//   - prov oidc.Provider
+//   - tlsClientConfig tlsclientconfig.Config
+func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, prov interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
+	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, prov, tlsClientConfig)}
 }
 
-func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
+func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
 	_c.Call.Run(func(args mock.Arguments) {
 		run(args[0].(context.Context), args[1].(oidc.Provider), args[2].(tlsclientconfig.Config))
 	})
 	return _c
 }
 
-func (_c *MockFactoryInterface_New_Call) Return(_a0 Interface, _a1 error) *MockFactoryInterface_New_Call {
+func (_c *MockFactoryInterface_New_Call) Return(_a0 client.Interface, _a1 error) *MockFactoryInterface_New_Call {
 	_c.Call.Return(_a0, _a1)
 	return _c
 }
 
-type mockConstructorTestingTNewMockFactoryInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockFactoryInterface_New_Call) RunAndReturn(run func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)) *MockFactoryInterface_New_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockFactoryInterface(t mockConstructorTestingTNewMockFactoryInterface) *MockFactoryInterface {
+// The first argument is typically a *testing.T value.
+func NewMockFactoryInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFactoryInterface {
 	mock := &MockFactoryInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_Interface.go

@@ -0,0 +1,490 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package client_mock
+
+import (
+	context "context"
+
+	client "github.com/int128/kubelogin/pkg/oidc/client"
+
+	mock "github.com/stretchr/testify/mock"
+
+	oauth2dev "github.com/int128/oauth2dev"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+
+	pkce "github.com/int128/kubelogin/pkg/pkce"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ExchangeAuthCode provides a mock function with given fields: ctx, in
+func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, in)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, client.ExchangeAuthCodeInput) error); ok {
+		r1 = rf(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
+type MockInterface_ExchangeAuthCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.ExchangeAuthCodeInput
+func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
+	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in client.ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(client.ExchangeAuthCodeInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) RunAndReturn(run func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ExchangeDeviceCode provides a mock function with given fields: ctx, authResponse
+func (_m *MockInterface) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, authResponse)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeDeviceCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, authResponse)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) *oidc.TokenSet); ok {
+		r0 = rf(ctx, authResponse)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *oauth2dev.AuthorizationResponse) error); ok {
+		r1 = rf(ctx, authResponse)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeDeviceCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeDeviceCode'
+type MockInterface_ExchangeDeviceCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeDeviceCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - authResponse *oauth2dev.AuthorizationResponse
+func (_e *MockInterface_Expecter) ExchangeDeviceCode(ctx interface{}, authResponse interface{}) *MockInterface_ExchangeDeviceCode_Call {
+	return &MockInterface_ExchangeDeviceCode_Call{Call: _e.mock.On("ExchangeDeviceCode", ctx, authResponse)}
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Run(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*oauth2dev.AuthorizationResponse))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) RunAndReturn(run func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAuthCodeURL provides a mock function with given fields: in
+func (_m *MockInterface) GetAuthCodeURL(in client.AuthCodeURLInput) string {
+	ret := _m.Called(in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAuthCodeURL")
+	}
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(client.AuthCodeURLInput) string); ok {
+		r0 = rf(in)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
+type MockInterface_GetAuthCodeURL_Call struct {
+	*mock.Call
+}
+
+// GetAuthCodeURL is a helper method to define mock.On call
+//   - in client.AuthCodeURLInput
+func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
+	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in client.AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(client.AuthCodeURLInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) RunAndReturn(run func(client.AuthCodeURLInput) string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDeviceAuthorization provides a mock function with given fields: ctx
+func (_m *MockInterface) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDeviceAuthorization")
+	}
+
+	var r0 *oauth2dev.AuthorizationResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) (*oauth2dev.AuthorizationResponse, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) *oauth2dev.AuthorizationResponse); ok {
+		r0 = rf(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oauth2dev.AuthorizationResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetDeviceAuthorization_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDeviceAuthorization'
+type MockInterface_GetDeviceAuthorization_Call struct {
+	*mock.Call
+}
+
+// GetDeviceAuthorization is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockInterface_Expecter) GetDeviceAuthorization(ctx interface{}) *MockInterface_GetDeviceAuthorization_Call {
+	return &MockInterface_GetDeviceAuthorization_Call{Call: _e.mock.On("GetDeviceAuthorization", ctx)}
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Run(run func(ctx context.Context)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Return(_a0 *oauth2dev.AuthorizationResponse, _a1 error) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) RunAndReturn(run func(context.Context) (*oauth2dev.AuthorizationResponse, error)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
+func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in, localServerReadyChan)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, in, localServerReadyChan)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in, localServerReadyChan)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) error); ok {
+		r1 = rf(ctx, in, localServerReadyChan)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
+type MockInterface_GetTokenByAuthCode_Call struct {
+	*mock.Call
+}
+
+// GetTokenByAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.GetTokenByAuthCodeInput
+//   - localServerReadyChan chan<- string
+func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
+	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(client.GetTokenByAuthCodeInput), args[2].(chan<- string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) RunAndReturn(run func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByROPC provides a mock function with given fields: ctx, username, password
+func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, username, password)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByROPC")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, username, password)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, username, password)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, username, password)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
+type MockInterface_GetTokenByROPC_Call struct {
+	*mock.Call
+}
+
+// GetTokenByROPC is a helper method to define mock.On call
+//   - ctx context.Context
+//   - username string
+//   - password string
+func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
+	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) RunAndReturn(run func(context.Context, string, string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NegotiatedPKCEMethod provides a mock function with no fields
+func (_m *MockInterface) NegotiatedPKCEMethod() pkce.Method {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for NegotiatedPKCEMethod")
+	}
+
+	var r0 pkce.Method
+	if rf, ok := ret.Get(0).(func() pkce.Method); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(pkce.Method)
+	}
+
+	return r0
+}
+
+// MockInterface_NegotiatedPKCEMethod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NegotiatedPKCEMethod'
+type MockInterface_NegotiatedPKCEMethod_Call struct {
+	*mock.Call
+}
+
+// NegotiatedPKCEMethod is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) NegotiatedPKCEMethod() *MockInterface_NegotiatedPKCEMethod_Call {
+	return &MockInterface_NegotiatedPKCEMethod_Call{Call: _e.mock.On("NegotiatedPKCEMethod")}
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) Run(run func()) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) Return(_a0 pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) RunAndReturn(run func() pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: ctx, refreshToken
+func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockInterface_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - ctx context.Context
+//   - refreshToken string
+func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
+	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
+}
+
+func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) RunAndReturn(run func(context.Context, string) (*oidc.TokenSet, error)) *MockInterface_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mock_testingLogger.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MocktestingLogger is an autogenerated mock type for the testingLogger type
+type MocktestingLogger struct {
+	mock.Mock
+}
+
+type MocktestingLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MocktestingLogger) EXPECT() *MocktestingLogger_Expecter {
+	return &MocktestingLogger_Expecter{mock: &_m.Mock}
+}
+
+// Logf provides a mock function with given fields: format, v
+func (_m *MocktestingLogger) Logf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// MocktestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
+type MocktestingLogger_Logf_Call struct {
+	*mock.Call
+}
+
+// Logf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *MocktestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *MocktestingLogger_Logf_Call {
+	return &MocktestingLogger_Logf_Call{Call: _e.mock.On("Logf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *MocktestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *MocktestingLogger_Logf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MocktestingLogger_Logf_Call) Return() *MocktestingLogger_Logf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MocktestingLogger_Logf_Call) RunAndReturn(run func(string, ...interface{})) *MocktestingLogger_Logf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMocktestingLogger creates a new instance of MocktestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMocktestingLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MocktestingLogger {
+	mock := &MocktestingLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package loader
+package loader_mock
 
 import (
 	tls "crypto/tls"
@@ -27,7 +27,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error) {
 	ret := _m.Called(config)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Load")
+	}
+
 	var r0 *tls.Config
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) (*tls.Config, error)); ok {
+		return rf(config)
+	}
 	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) *tls.Config); ok {
 		r0 = rf(config)
 	} else {
@@ -36,7 +44,6 @@ func (_m *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(tlsclientconfig.Config) error); ok {
 		r1 = rf(config)
 	} else {
@@ -52,7 +59,7 @@ type MockInterface_Load_Call struct {
 }
 
 // Load is a helper method to define mock.On call
-//  - config tlsclientconfig.Config
+//   - config tlsclientconfig.Config
 func (_e *MockInterface_Expecter) Load(config interface{}) *MockInterface_Load_Call {
 	return &MockInterface_Load_Call{Call: _e.mock.On("Load", config)}
 }
@@ -69,13 +76,17 @@ func (_c *MockInterface_Load_Call) Return(_a0 *tls.Config, _a1 error) *MockInter
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Load_Call) RunAndReturn(run func(tlsclientconfig.Config) (*tls.Config, error)) *MockInterface_Load_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mock_Interface.go

@@ -0,0 +1,251 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package repository_mock
+
+import (
+	io "io"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+	mock "github.com/stretchr/testify/mock"
+
+	tokencache "github.com/int128/kubelogin/pkg/tokencache"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// DeleteAll provides a mock function with given fields: config
+func (_m *MockInterface) DeleteAll(config tokencache.Config) error {
+	ret := _m.Called(config)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAll")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config) error); ok {
+		r0 = rf(config)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_DeleteAll_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAll'
+type MockInterface_DeleteAll_Call struct {
+	*mock.Call
+}
+
+// DeleteAll is a helper method to define mock.On call
+//   - config tokencache.Config
+func (_e *MockInterface_Expecter) DeleteAll(config interface{}) *MockInterface_DeleteAll_Call {
+	return &MockInterface_DeleteAll_Call{Call: _e.mock.On("DeleteAll", config)}
+}
+
+func (_c *MockInterface_DeleteAll_Call) Run(run func(config tokencache.Config)) *MockInterface_DeleteAll_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config))
+	})
+	return _c
+}
+
+func (_c *MockInterface_DeleteAll_Call) Return(_a0 error) *MockInterface_DeleteAll_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_DeleteAll_Call) RunAndReturn(run func(tokencache.Config) error) *MockInterface_DeleteAll_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// FindByKey provides a mock function with given fields: config, key
+func (_m *MockInterface) FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error) {
+	ret := _m.Called(config, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for FindByKey")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (*oidc.TokenSet, error)); ok {
+		return rf(config, key)
+	}
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) *oidc.TokenSet); ok {
+		r0 = rf(config, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
+		r1 = rf(config, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_FindByKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindByKey'
+type MockInterface_FindByKey_Call struct {
+	*mock.Call
+}
+
+// FindByKey is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) FindByKey(config interface{}, key interface{}) *MockInterface_FindByKey_Call {
+	return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", config, key)}
+}
+
+func (_c *MockInterface_FindByKey_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_FindByKey_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config), args[1].(tokencache.Key))
+	})
+	return _c
+}
+
+func (_c *MockInterface_FindByKey_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_FindByKey_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_FindByKey_Call) RunAndReturn(run func(tokencache.Config, tokencache.Key) (*oidc.TokenSet, error)) *MockInterface_FindByKey_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Lock provides a mock function with given fields: config, key
+func (_m *MockInterface) Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error) {
+	ret := _m.Called(config, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Lock")
+	}
+
+	var r0 io.Closer
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (io.Closer, error)); ok {
+		return rf(config, key)
+	}
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) io.Closer); ok {
+		r0 = rf(config, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(io.Closer)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
+		r1 = rf(config, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Lock_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Lock'
+type MockInterface_Lock_Call struct {
+	*mock.Call
+}
+
+// Lock is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) Lock(config interface{}, key interface{}) *MockInterface_Lock_Call {
+	return &MockInterface_Lock_Call{Call: _e.mock.On("Lock", config, key)}
+}
+
+func (_c *MockInterface_Lock_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_Lock_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config), args[1].(tokencache.Key))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) Return(_a0 io.Closer, _a1 error) *MockInterface_Lock_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) RunAndReturn(run func(tokencache.Config, tokencache.Key) (io.Closer, error)) *MockInterface_Lock_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Save provides a mock function with given fields: config, key, tokenSet
+func (_m *MockInterface) Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error {
+	ret := _m.Called(config, key, tokenSet)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Save")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key, oidc.TokenSet) error); ok {
+		r0 = rf(config, key, tokenSet)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockInterface_Save_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Save'
+type MockInterface_Save_Call struct {
+	*mock.Call
+}
+
+// Save is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+//   - tokenSet oidc.TokenSet
+func (_e *MockInterface_Expecter) Save(config interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
+	return &MockInterface_Save_Call{Call: _e.mock.On("Save", config, key, tokenSet)}
+}
+
+func (_c *MockInterface_Save_Call) Run(run func(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet)) *MockInterface_Save_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(tokencache.Config), args[1].(tokencache.Key), args[2].(oidc.TokenSet))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Save_Call) Return(_a0 error) *MockInterface_Save_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_Save_Call) RunAndReturn(run func(tokencache.Config, tokencache.Key, oidc.TokenSet) error) *MockInterface_Save_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mock_Interface.go

@@ -0,0 +1,97 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package authentication_mock
+
+import (
+	context "context"
+
+	authentication "github.com/int128/kubelogin/pkg/usecases/authentication"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function with given fields: ctx, in
+func (_m *MockInterface) Do(ctx context.Context, in authentication.Input) (*authentication.Output, error) {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 *authentication.Output
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, authentication.Input) (*authentication.Output, error)); ok {
+		return rf(ctx, in)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, authentication.Input) *authentication.Output); ok {
+		r0 = rf(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*authentication.Output)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, authentication.Input) error); ok {
+		r1 = rf(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in authentication.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in authentication.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(authentication.Input))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(_a0 *authentication.Output, _a1 error) *MockInterface_Do_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, authentication.Input) (*authentication.Output, error)) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/usecases/clean_mock/mock_Interface.go

@@ -1,10 +1,12 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package credentialplugin
+package clean_mock
 
 import (
 	context "context"
 
+	clean "github.com/int128/kubelogin/pkg/usecases/clean"
+
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -22,11 +24,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 }
 
 // Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) error {
+func (_m *MockInterface) Do(ctx context.Context, in clean.Input) error {
 	ret := _m.Called(ctx, in)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Input) error); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, clean.Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
 		r0 = ret.Error(0)
@@ -41,15 +47,15 @@ type MockInterface_Do_Call struct {
 }
 
 // Do is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Input
+//   - ctx context.Context
+//   - in clean.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }
 
-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in clean.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		run(args[0].(context.Context), args[1].(clean.Input))
 	})
 	return _c
 }
@@ -59,13 +65,17 @@ func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, clean.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mock_Interface.go

@@ -1,10 +1,11 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package authentication
+package credentialplugin_mock
 
 import (
 	context "context"
 
+	credentialplugin "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -22,26 +23,21 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 }
 
 // Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) (*Output, error) {
+func (_m *MockInterface) Do(ctx context.Context, in credentialplugin.Input) error {
 	ret := _m.Called(ctx, in)
 
-	var r0 *Output
-	if rf, ok := ret.Get(0).(func(context.Context, Input) *Output); ok {
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, credentialplugin.Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*Output)
-		}
+		r0 = ret.Error(0)
 	}
 
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, Input) error); ok {
-		r1 = rf(ctx, in)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
+	return r0
 }
 
 // MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
@@ -50,31 +46,35 @@ type MockInterface_Do_Call struct {
 }
 
 // Do is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Input
+//   - ctx context.Context
+//   - in credentialplugin.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }
 
-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in credentialplugin.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		run(args[0].(context.Context), args[1].(credentialplugin.Input))
 	})
 	return _c
 }
 
-func (_c *MockInterface_Do_Call) Return(_a0 *Output, _a1 error) *MockInterface_Do_Call {
-	_c.Call.Return(_a0, _a1)
+func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
+	_c.Call.Return(_a0)
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, credentialplugin.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mock_Interface.go

@@ -1,10 +1,11 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package setup
+package setup_mock
 
 import (
 	context "context"
 
+	setup "github.com/int128/kubelogin/pkg/usecases/setup"
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -21,7 +22,7 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }
 
-// DoStage1 provides a mock function with given fields:
+// DoStage1 provides a mock function with no fields
 func (_m *MockInterface) DoStage1() {
 	_m.Called()
 }
@@ -48,12 +49,21 @@ func (_c *MockInterface_DoStage1_Call) Return() *MockInterface_DoStage1_Call {
 	return _c
 }
 
+func (_c *MockInterface_DoStage1_Call) RunAndReturn(run func()) *MockInterface_DoStage1_Call {
+	_c.Run(run)
+	return _c
+}
+
 // DoStage2 provides a mock function with given fields: ctx, in
-func (_m *MockInterface) DoStage2(ctx context.Context, in Stage2Input) error {
+func (_m *MockInterface) DoStage2(ctx context.Context, in setup.Stage2Input) error {
 	ret := _m.Called(ctx, in)
 
+	if len(ret) == 0 {
+		panic("no return value specified for DoStage2")
+	}
+
 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Stage2Input) error); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, setup.Stage2Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
 		r0 = ret.Error(0)
@@ -68,15 +78,15 @@ type MockInterface_DoStage2_Call struct {
 }
 
 // DoStage2 is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Stage2Input
+//   - ctx context.Context
+//   - in setup.Stage2Input
 func (_e *MockInterface_Expecter) DoStage2(ctx interface{}, in interface{}) *MockInterface_DoStage2_Call {
 	return &MockInterface_DoStage2_Call{Call: _e.mock.On("DoStage2", ctx, in)}
 }
 
-func (_c *MockInterface_DoStage2_Call) Run(run func(ctx context.Context, in Stage2Input)) *MockInterface_DoStage2_Call {
+func (_c *MockInterface_DoStage2_Call) Run(run func(ctx context.Context, in setup.Stage2Input)) *MockInterface_DoStage2_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Stage2Input))
+		run(args[0].(context.Context), args[1].(setup.Stage2Input))
 	})
 	return _c
 }
@@ -86,13 +96,17 @@ func (_c *MockInterface_DoStage2_Call) Return(_a0 error) *MockInterface_DoStage2
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_DoStage2_Call) RunAndReturn(run func(context.Context, setup.Stage2Input) error) *MockInterface_DoStage2_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mock_Interface.go

@@ -1,10 +1,11 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.51.0. DO NOT EDIT.
 
-package standalone
+package standalone_mock
 
 import (
 	context "context"
 
+	standalone "github.com/int128/kubelogin/pkg/usecases/standalone"
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -22,11 +23,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 }
 
 // Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) error {
+func (_m *MockInterface) Do(ctx context.Context, in standalone.Input) error {
 	ret := _m.Called(ctx, in)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Input) error); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, standalone.Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
 		r0 = ret.Error(0)
@@ -41,15 +46,15 @@ type MockInterface_Do_Call struct {
 }
 
 // Do is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Input
+//   - ctx context.Context
+//   - in standalone.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }
 
-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in standalone.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		run(args[0].(context.Context), args[1].(standalone.Input))
 	})
 	return _c
 }
@@ -59,13 +64,17 @@ func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, standalone.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/io_mock/mock_Closer.go

@@ -0,0 +1,77 @@
+// Code generated by mockery v2.51.0. DO NOT EDIT.
+
+package io_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockCloser is an autogenerated mock type for the Closer type
+type MockCloser struct {
+	mock.Mock
+}
+
+type MockCloser_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCloser) EXPECT() *MockCloser_Expecter {
+	return &MockCloser_Expecter{mock: &_m.Mock}
+}
+
+// Close provides a mock function with no fields
+func (_m *MockCloser) Close() error {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Close")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func() error); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockCloser_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
+type MockCloser_Close_Call struct {
+	*mock.Call
+}
+
+// Close is a helper method to define mock.On call
+func (_e *MockCloser_Expecter) Close() *MockCloser_Close_Call {
+	return &MockCloser_Close_Call{Call: _e.mock.On("Close")}
+}
+
+func (_c *MockCloser_Close_Call) Run(run func()) *MockCloser_Close_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) Return(_a0 error) *MockCloser_Close_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) RunAndReturn(run func() error) *MockCloser_Close_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockCloser creates a new instance of MockCloser. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCloser(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockCloser {
+	mock := &MockCloser{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

pkg/cmd/authentication.go

@@ -7,39 +7,27 @@ import (
 
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"github.com/spf13/pflag"
 )
 
-type authenticationOptions struct {
-	GrantType                  string
-	ListenAddress              []string
-	ListenPort                 []int // deprecated
-	AuthenticationTimeoutSec   int
-	SkipOpenBrowser            bool
-	BrowserCommand             string
-	LocalServerCertFile        string
-	LocalServerKeyFile         string
-	OpenURLAfterAuthentication string
-	RedirectURLHostname        string
-	AuthRequestExtraParams     map[string]string
-	Username                   string
-	Password                   string
-}
+const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
 
-// determineListenAddress returns the addresses from the flags.
-// Note that --listen-address is always given due to the default value.
-// If --listen-port is not set, it returns --listen-address.
-// If --listen-port is set, it returns the strings of --listen-port.
-func (o *authenticationOptions) determineListenAddress() []string {
-	if len(o.ListenPort) == 0 {
-		return o.ListenAddress
-	}
-	var a []string
-	for _, p := range o.ListenPort {
-		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return a
+type authenticationOptions struct {
+	GrantType                   string
+	ListenAddress               []string
+	AuthenticationTimeoutSec    int
+	SkipOpenBrowser             bool
+	BrowserCommand              string
+	LocalServerCertFile         string
+	LocalServerKeyFile          string
+	OpenURLAfterAuthentication  string
+	RedirectURLHostname         string
+	RedirectURLAuthCodeKeyboard string
+	AuthRequestExtraParams      map[string]string
+	Username                    string
+	Password                    string
 }
 
 var allGrantType = strings.Join([]string{
@@ -47,16 +35,12 @@ var allGrantType = strings.Join([]string{
 	"authcode",
 	"authcode-keyboard",
 	"password",
+	"device-code",
 }, "|")
 
 func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("Authorization grant type to use. One of (%s)", allGrantType))
 	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "[authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order")
-	//TODO: remove the deprecated flag
-	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "[authcode] deprecated: port to bind to the local server")
-	if err := f.MarkDeprecated("listen-port", "use --listen-address instead"); err != nil {
-		panic(err)
-	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
 	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
 	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
@@ -64,6 +48,7 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
 	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
 	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
+	f.StringVar(&o.RedirectURLAuthCodeKeyboard, "oidc-redirect-url-authcode-keyboard", oobRedirectURI, "[authcode-keyboard] Redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
 	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
@@ -78,7 +63,7 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
-			BindAddress:                o.determineListenAddress(),
+			BindAddress:                o.ListenAddress,
 			SkipOpenBrowser:            o.SkipOpenBrowser,
 			BrowserCommand:             o.BrowserCommand,
 			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
@@ -91,12 +76,18 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	case o.GrantType == "authcode-keyboard":
 		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
 			AuthRequestExtraParams: o.AuthRequestExtraParams,
+			RedirectURL:            o.RedirectURLAuthCodeKeyboard,
 		}
 	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
 		s.ROPCOption = &ropc.Option{
 			Username: o.Username,
 			Password: o.Password,
 		}
+	case o.GrantType == "device-code":
+		s.DeviceCodeOption = &devicecode.Option{
+			SkipOpenBrowser: o.SkipOpenBrowser,
+			BrowserCommand:  o.BrowserCommand,
+		}
 	default:
 		err = fmt.Errorf("grant-type must be one of (%s)", allGrantType)
 	}

pkg/cmd/authentication_test.go

@@ -56,40 +56,25 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				},
 			},
 		},
-		"when --listen-port is set, it should convert the port to address": {
-			args: []string{
-				"--listen-port", "10080",
-				"--listen-port", "20080",
-			},
-			want: authentication.GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
-				},
-			},
-		},
-		"when --listen-port is set, it should ignore --listen-address flags": {
-			args: []string{
-				"--listen-port", "10080",
-				"--listen-port", "20080",
-				"--listen-address", "127.0.0.1:30080",
-				"--listen-address", "127.0.0.1:40080",
-			},
-			want: authentication.GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
-				},
-			},
-		},
 		"GrantType=authcode-keyboard": {
 			args: []string{
 				"--grant-type", "authcode-keyboard",
 			},
 			want: authentication.GrantOptionSet{
-				AuthCodeKeyboardOption: &authcode.KeyboardOption{},
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{
+					RedirectURL: oobRedirectURI,
+				},
+			},
+		},
+		"GrantType=authcode-keyboard with full options": {
+			args: []string{
+				"--grant-type", "authcode-keyboard",
+				"--oidc-redirect-url-authcode-keyboard", "http://localhost",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{
+					RedirectURL: "http://localhost",
+				},
 			},
 		},
 		"GrantType=password": {

pkg/cmd/clean.go

@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/usecases/clean"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type cleanOptions struct {
+	tokenCacheOptions tokenCacheOptions
+}
+
+func (o *cleanOptions) addFlags(f *pflag.FlagSet) {
+	o.tokenCacheOptions.addFlags(f)
+}
+
+func (o *cleanOptions) expandHomedir() {
+	o.tokenCacheOptions.expandHomedir()
+}
+
+type Clean struct {
+	Clean clean.Interface
+}
+
+func (cmd *Clean) New() *cobra.Command {
+	var o cleanOptions
+	c := &cobra.Command{
+		Use:   "clean [flags]",
+		Short: "Delete the token cache",
+		Long: `Delete the token cache.
+
+This deletes both the OS keyring and the directory by default.
+If you encounter an error of keyring, try --token-cache-storage=disk.
+`,
+		Args: cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			o.expandHomedir()
+			tokenCacheConfig, err := o.tokenCacheOptions.tokenCacheConfig()
+			if err != nil {
+				return fmt.Errorf("clean: %w", err)
+			}
+			in := clean.Input{
+				TokenCacheConfig: tokenCacheConfig,
+			}
+			if err := cmd.Clean.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("clean: %w", err)
+			}
+			return nil
+		},
+	}
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
+	return c
+}

pkg/cmd/cmd.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"context"
-	"path/filepath"
 	"runtime"
 
 	"github.com/google/wire"
@@ -17,6 +16,7 @@ var Set = wire.NewSet(
 	wire.Struct(new(Root), "*"),
 	wire.Struct(new(GetToken), "*"),
 	wire.Struct(new(Setup), "*"),
+	wire.Struct(new(Clean), "*"),
 )
 
 type Interface interface {
@@ -24,7 +24,6 @@ type Interface interface {
 }
 
 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
-var defaultTokenCacheDir = filepath.Join("~", ".kube", "cache", "oidc-login")
 
 const defaultAuthenticationTimeoutSec = 180
 
@@ -33,6 +32,7 @@ type Cmd struct {
 	Root     *Root
 	GetToken *GetToken
 	Setup    *Setup
+	Clean    *Clean
 	Logger   logger.Interface
 }
 
@@ -50,6 +50,9 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
 	setupCmd := cmd.Setup.New()
 	rootCmd.AddCommand(setupCmd)
 
+	cleanCmd := cmd.Clean.New()
+	rootCmd.AddCommand(cleanCmd)
+
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Print the version information",

pkg/cmd/cmd_test.go

@@ -7,9 +7,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/kubelogin/pkg/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
@@ -61,7 +64,7 @@ func TestCmd_Run(t *testing.T) {
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {
 				ctx := context.TODO()
-				mockStandalone := standalone.NewMockInterface(t)
+				mockStandalone := standalone_mock.NewMockInterface(t)
 				mockStandalone.EXPECT().
 					Do(ctx, c.in).
 					Return(nil)
@@ -82,7 +85,7 @@ func TestCmd_Run(t *testing.T) {
 		t.Run("TooManyArgs", func(t *testing.T) {
 			cmd := Cmd{
 				Root: &Root{
-					Standalone: standalone.NewMockInterface(t),
+					Standalone: standalone_mock.NewMockInterface(t),
 					Logger:     logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -111,11 +114,14 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-client-id", "YOUR_CLIENT_ID",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					Provider: oidc.Provider{
 						IssuerURL: "https://issuer.example.com",
 						ClientID:  "YOUR_CLIENT_ID",
 					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageAuto,
+					},
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:           defaultListenAddress,
@@ -133,16 +139,46 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
 					"--oidc-extra-scope", "email",
 					"--oidc-extra-scope", "profile",
+					"--token-cache-storage", "disk",
 					"-v1",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					Provider: oidc.Provider{
 						IssuerURL:    "https://issuer.example.com",
 						ClientID:     "YOUR_CLIENT_ID",
 						ClientSecret: "YOUR_CLIENT_SECRET",
 						ExtraScopes:  []string{"email", "profile"},
 					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageDisk,
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"AccessToken": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-use-access-token=true",
+				},
+				in: credentialplugin.Input{
+					Provider: oidc.Provider{
+						IssuerURL:      "https://issuer.example.com",
+						ClientID:       "YOUR_CLIENT_ID",
+						UseAccessToken: true,
+					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageAuto,
+					},
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:           defaultListenAddress,
@@ -163,11 +199,14 @@ func TestCmd_Run(t *testing.T) {
 					"--token-cache-dir", "~/.kube/oidc-cache",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: filepath.Join(userHomeDir, ".kube/oidc-cache"),
 					Provider: oidc.Provider{
 						IssuerURL: "https://issuer.example.com",
 						ClientID:  "YOUR_CLIENT_ID",
 					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/oidc-cache"),
+						Storage:   tokencache.StorageAuto,
+					},
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:           defaultListenAddress,
@@ -186,7 +225,7 @@ func TestCmd_Run(t *testing.T) {
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {
 				ctx := context.TODO()
-				getToken := credentialplugin.NewMockInterface(t)
+				getToken := credentialplugin_mock.NewMockInterface(t)
 				getToken.EXPECT().
 					Do(ctx, c.in).
 					Return(nil)
@@ -214,7 +253,7 @@ func TestCmd_Run(t *testing.T) {
 					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
-					GetToken: credentialplugin.NewMockInterface(t),
+					GetToken: credentialplugin_mock.NewMockInterface(t),
 					Logger:   logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -232,7 +271,7 @@ func TestCmd_Run(t *testing.T) {
 					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
-					GetToken: credentialplugin.NewMockInterface(t),
+					GetToken: credentialplugin_mock.NewMockInterface(t),
 					Logger:   logger.New(t),
 				},
 				Logger: logger.New(t),

pkg/cmd/get_token.go

@@ -17,10 +17,12 @@ type getTokenOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	UsePKCE               bool
-	TokenCacheDir         string
+	UseAccessToken        bool
+	tokenCacheOptions     tokenCacheOptions
 	tlsOptions            tlsOptions
+	pkceOptions           pkceOptions
 	authenticationOptions authenticationOptions
+	ForceRefresh          bool
 }
 
 func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
@@ -28,17 +30,18 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
-	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
+	f.BoolVar(&o.ForceRefresh, "force-refresh", false, "If set, refresh the ID token regardless of its expiration time")
+	o.tokenCacheOptions.addFlags(f)
 	o.tlsOptions.addFlags(f)
+	o.pkceOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
 
-func (o *getTokenOptions) expandHomedir() error {
-	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+func (o *getTokenOptions) expandHomedir() {
+	o.tokenCacheOptions.expandHomedir()
 	o.authenticationOptions.expandHomedir()
 	o.tlsOptions.expandHomedir()
-	return nil
 }
 
 type GetToken struct {
@@ -64,24 +67,32 @@ func (cmd *GetToken) New() *cobra.Command {
 			return nil
 		},
 		RunE: func(c *cobra.Command, _ []string) error {
-			if err := o.expandHomedir(); err != nil {
-				return err
-			}
+			o.expandHomedir()
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
 				return fmt.Errorf("get-token: %w", err)
 			}
+			tokenCacheConfig, err := o.tokenCacheOptions.tokenCacheConfig()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			pkceMethod, err := o.pkceOptions.pkceMethod()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
 			in := credentialplugin.Input{
 				Provider: oidc.Provider{
-					IssuerURL:    o.IssuerURL,
-					ClientID:     o.ClientID,
-					ClientSecret: o.ClientSecret,
-					UsePKCE:      o.UsePKCE,
-					ExtraScopes:  o.ExtraScopes,
+					IssuerURL:      o.IssuerURL,
+					ClientID:       o.ClientID,
+					ClientSecret:   o.ClientSecret,
+					PKCEMethod:     pkceMethod,
+					UseAccessToken: o.UseAccessToken,
+					ExtraScopes:    o.ExtraScopes,
 				},
-				TokenCacheDir:   o.TokenCacheDir,
-				GrantOptionSet:  grantOptionSet,
-				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
+				ForceRefresh:     o.ForceRefresh,
+				TokenCacheConfig: tokenCacheConfig,
+				GrantOptionSet:   grantOptionSet,
+				TLSClientConfig:  o.tlsOptions.tlsClientConfig(),
 			}
 			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
 				return fmt.Errorf("get-token: %w", err)

pkg/cmd/pkce.go

@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/spf13/pflag"
+)
+
+var allPKCEMethods = strings.Join([]string{"auto", "no", "S256"}, "|")
+
+type pkceOptions struct {
+	UsePKCE    bool
+	PKCEMethod string
+}
+
+func (o *pkceOptions) addFlags(f *pflag.FlagSet) {
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE S256 code challenge method")
+	if err := f.MarkDeprecated("oidc-use-pkce", "use --oidc-pkce-method instead. For the most providers, you don't need to set the flag."); err != nil {
+		panic(err)
+	}
+	f.StringVar(&o.PKCEMethod, "oidc-pkce-method", "auto", fmt.Sprintf("PKCE code challenge method. Automatically determined by default. One of (%s)", allPKCEMethods))
+}
+
+func (o *pkceOptions) pkceMethod() (oidc.PKCEMethod, error) {
+	if o.UsePKCE {
+		return oidc.PKCEMethodS256, nil
+	}
+	switch o.PKCEMethod {
+	case "auto":
+		return oidc.PKCEMethodAuto, nil
+	case "no":
+		return oidc.PKCEMethodNo, nil
+	case "S256":
+		return oidc.PKCEMethodS256, nil
+	default:
+		return 0, fmt.Errorf("oidc-pkce-method must be one of (%s)", allPKCEMethods)
+	}
+}

pkg/cmd/root.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"

pkg/cmd/setup.go

@@ -14,8 +14,9 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	UsePKCE               bool
+	UseAccessToken        bool
 	tlsOptions            tlsOptions
+	pkceOptions           pkceOptions
 	authenticationOptions authenticationOptions
 }
 
@@ -24,8 +25,9 @@ func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
 	o.tlsOptions.addFlags(f)
+	o.pkceOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
 
@@ -44,18 +46,26 @@ func (cmd *Setup) New() *cobra.Command {
 			if err != nil {
 				return fmt.Errorf("setup: %w", err)
 			}
+			pkceMethod, err := o.pkceOptions.pkceMethod()
+			if err != nil {
+				return fmt.Errorf("setup: %w", err)
+			}
 			in := setup.Stage2Input{
 				IssuerURL:       o.IssuerURL,
 				ClientID:        o.ClientID,
 				ClientSecret:    o.ClientSecret,
 				ExtraScopes:     o.ExtraScopes,
-				UsePKCE:         o.UsePKCE,
+				UseAccessToken:  o.UseAccessToken,
+				PKCEMethod:      pkceMethod,
 				GrantOptionSet:  grantOptionSet,
 				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}
 			if c.Flags().Lookup("listen-address").Changed {
 				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
 			}
+			if c.Flags().Lookup("oidc-pkce-method").Changed {
+				in.PKCEMethodArg = o.pkceOptions.PKCEMethod
+			}
 			if in.IssuerURL == "" || in.ClientID == "" {
 				cmd.Setup.DoStage1()
 				return nil

pkg/cmd/tls.go

@@ -18,7 +18,7 @@ type tlsOptions struct {
 func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
 	f.StringArrayVar(&o.CACertFilename, "certificate-authority", nil, "Path to a cert file for the certificate authority")
 	f.StringArrayVar(&o.CACertData, "certificate-authority-data", nil, "Base64 encoded cert for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "[SECURITY RISK] If set, the server's certificate will not be checked for validity")
 	f.BoolVar(&o.RenegotiateOnceAsClient, "tls-renegotiation-once", false, "If set, allow a remote server to request renegotiation once per connection")
 	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
 }

pkg/cmd/tokencache.go

@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/tokencache"
+	"github.com/spf13/pflag"
+)
+
+func getDefaultTokenCacheDir() string {
+	// https://github.com/int128/kubelogin/pull/975
+	if kubeCacheDir, ok := os.LookupEnv("KUBECACHEDIR"); ok {
+		return filepath.Join(kubeCacheDir, "oidc-login")
+	}
+	return filepath.Join("~", ".kube", "cache", "oidc-login")
+}
+
+var allTokenCacheStorage = strings.Join([]string{"auto", "keyring", "disk"}, "|")
+
+type tokenCacheOptions struct {
+	TokenCacheDir     string
+	TokenCacheStorage string
+}
+
+func (o *tokenCacheOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", getDefaultTokenCacheDir(), "Path to a directory of the token cache")
+	f.StringVar(&o.TokenCacheStorage, "token-cache-storage", "auto", fmt.Sprintf("Storage for the token cache. One of (%s)", allTokenCacheStorage))
+}
+
+func (o *tokenCacheOptions) expandHomedir() {
+	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+}
+
+func (o *tokenCacheOptions) tokenCacheConfig() (tokencache.Config, error) {
+	config := tokencache.Config{
+		Directory: o.TokenCacheDir,
+	}
+	switch o.TokenCacheStorage {
+	case "auto":
+		config.Storage = tokencache.StorageAuto
+	case "keyring":
+		config.Storage = tokencache.StorageKeyring
+	case "disk":
+		config.Storage = tokencache.StorageDisk
+	default:
+		return tokencache.Config{}, fmt.Errorf("token-cache-storage must be one of (%s)", allTokenCacheStorage)
+	}
+	return config, nil
+}

pkg/credentialplugin/reader/reader.go

@@ -0,0 +1,39 @@
+// Package reader provides a loader for the credential plugin.
+package reader
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	"k8s.io/client-go/pkg/apis/clientauthentication"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Reader), "*"),
+	wire.Bind(new(Interface), new(*Reader)),
+)
+
+type Interface interface {
+	Read() (credentialplugin.Input, error)
+}
+
+type Reader struct{}
+
+// Read parses the environment variable KUBERNETES_EXEC_INFO.
+// If the environment variable is not given by kubectl, Read returns a zero value.
+func (r Reader) Read() (credentialplugin.Input, error) {
+	execInfo := os.Getenv("KUBERNETES_EXEC_INFO")
+	if execInfo == "" {
+		return credentialplugin.Input{}, nil
+	}
+	var execCredential clientauthentication.ExecCredential
+	if err := json.Unmarshal([]byte(execInfo), &execCredential); err != nil {
+		return credentialplugin.Input{}, fmt.Errorf("invalid KUBERNETES_EXEC_INFO: %w", err)
+	}
+	return credentialplugin.Input{
+		ClientAuthenticationAPIVersion: execCredential.APIVersion,
+	}, nil
+}

pkg/credentialplugin/reader/reader_test.go

@@ -0,0 +1,44 @@
+package reader
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+)
+
+func TestReader_Read(t *testing.T) {
+	var reader Reader
+
+	t.Run("KUBERNETES_EXEC_INFO is empty", func(t *testing.T) {
+		input, err := reader.Read()
+		if err != nil {
+			t.Errorf("Read returned error: %v", err)
+		}
+		want := credentialplugin.Input{}
+		if diff := cmp.Diff(want, input); diff != "" {
+			t.Errorf("input mismatch (-want +got):\n%s", diff)
+		}
+	})
+	t.Run("KUBERNETES_EXEC_INFO is invalid JSON", func(t *testing.T) {
+		t.Setenv("KUBERNETES_EXEC_INFO", "invalid")
+		_, err := reader.Read()
+		if err == nil {
+			t.Errorf("Read wants error but no error")
+		}
+	})
+	t.Run("KUBERNETES_EXEC_INFO is v1", func(t *testing.T) {
+		t.Setenv(
+			"KUBERNETES_EXEC_INFO",
+			`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
+		)
+		input, err := reader.Read()
+		if err != nil {
+			t.Errorf("Read returned error: %v", err)
+		}
+		want := credentialplugin.Input{ClientAuthenticationAPIVersion: "client.authentication.k8s.io/v1"}
+		if diff := cmp.Diff(want, input); diff != "" {
+			t.Errorf("input mismatch (-want +got):\n%s", diff)
+		}
+	})
+}

pkg/credentialplugin/types.go

@@ -3,8 +3,15 @@ package credentialplugin
 
 import "time"
 
+// Input represents an input object of the credential plugin.
+// This may be a zero value if the input is not available.
+type Input struct {
+	ClientAuthenticationAPIVersion string
+}
+
 // Output represents an output object of the credential plugin.
 type Output struct {
-	Token  string
-	Expiry time.Time
+	Token                          string
+	Expiry                         time.Time
+	ClientAuthenticationAPIVersion string
 }

pkg/credentialplugin/writer/credential_plugin.go

@@ -1,4 +1,4 @@
-// Package writer provides a writer for a credential plugin.
+// Package writer provides a writer for the credential plugin.
 package writer
 
 import (
@@ -9,6 +9,7 @@ import (
 	"github.com/int128/kubelogin/pkg/credentialplugin"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )
 
@@ -27,19 +28,44 @@ type Writer struct {
 
 // Write writes the ExecCredential to standard output for kubectl.
 func (w *Writer) Write(out credentialplugin.Output) error {
-	ec := &clientauthenticationv1beta1.ExecCredential{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
-		},
+	execCredential, err := generateExecCredential(out)
+	if err != nil {
+		return fmt.Errorf("generate ExecCredential: %w", err)
 	}
-	e := json.NewEncoder(w.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return fmt.Errorf("could not write the ExecCredential: %w", err)
+	if err := json.NewEncoder(w.Stdout).Encode(execCredential); err != nil {
+		return fmt.Errorf("write ExecCredential: %w", err)
 	}
 	return nil
 }
+
+func generateExecCredential(out credentialplugin.Output) (any, error) {
+	switch out.ClientAuthenticationAPIVersion {
+	// If the API version is not available, fall back to v1beta1.
+	case clientauthenticationv1beta1.SchemeGroupVersion.String(), "":
+		return &clientauthenticationv1beta1.ExecCredential{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
+				Kind:       "ExecCredential",
+			},
+			Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+				Token:               out.Token,
+				ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+			},
+		}, nil
+
+	case clientauthenticationv1.SchemeGroupVersion.String():
+		return &clientauthenticationv1.ExecCredential{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+				Kind:       "ExecCredential",
+			},
+			Status: &clientauthenticationv1.ExecCredentialStatus{
+				Token:               out.Token,
+				ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+			},
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unknown apiVersion: %s", out.ClientAuthenticationAPIVersion)
+	}
+}

pkg/di/di.go

@@ -1,4 +1,5 @@
-//+build wireinject
+//go:build wireinject
+// +build wireinject
 
 // Package di provides dependency injection.
 package di
@@ -6,11 +7,11 @@ package di
 import (
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/cmd"
-	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	credentialpluginreader "github.com/int128/kubelogin/pkg/credentialplugin/reader"
+	credentialpluginwriter "github.com/int128/kubelogin/pkg/credentialplugin/writer"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/infrastructure/reader"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	kubeconfigLoader "github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -19,6 +20,7 @@ import (
 	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
 	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/clean"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -46,6 +48,7 @@ func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interf
 		standalone.Set,
 		credentialplugin.Set,
 		setup.Set,
+		clean.Set,
 
 		// infrastructure
 		cmd.Set,
@@ -55,8 +58,8 @@ func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interf
 		repository.Set,
 		client.Set,
 		loader.Set,
-		writer.Set,
-		mutex.Set,
+		credentialpluginreader.Set,
+		credentialpluginwriter.Set,
 	)
 	return nil
 }

pkg/di/wire_gen.go

@@ -1,17 +1,18 @@
 // Code generated by Wire. DO NOT EDIT.
 
-//go:generate wire
-//+build !wireinject
+//go:generate go run -mod=mod github.com/google/wire/cmd/wire
+//go:build !wireinject
+// +build !wireinject
 
 package di
 
 import (
 	"github.com/int128/kubelogin/pkg/cmd"
+	reader2 "github.com/int128/kubelogin/pkg/credentialplugin/reader"
 	writer2 "github.com/int128/kubelogin/pkg/credentialplugin/writer"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/infrastructure/reader"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	loader2 "github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -21,7 +22,9 @@ import (
 	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/int128/kubelogin/pkg/usecases/clean"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -30,6 +33,7 @@ import (
 
 // Injectors from di.go:
 
+// NewCmd returns an instance of infrastructure.Cmd.
 func NewCmd() cmd.Interface {
 	clockReal := &clock.Real{}
 	stdin := _wireFileValue
@@ -45,6 +49,7 @@ var (
 	_wireOsFileValue = os.Stdout
 )
 
+// NewCmdForHeadless returns an instance of infrastructure.Cmd for headless testing.
 func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout stdio.Stdout, loggerInterface logger.Interface, browserInterface browser.Interface) cmd.Interface {
 	loaderLoader := loader.Loader{}
 	factory := &client.Factory{
@@ -67,13 +72,17 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		Reader: readerReader,
 		Logger: loggerInterface,
 	}
+	deviceCode := &devicecode.DeviceCode{
+		Browser: browserInterface,
+		Logger:  loggerInterface,
+	}
 	authenticationAuthentication := &authentication.Authentication{
 		ClientFactory:    factory,
 		Logger:           loggerInterface,
-		Clock:            clockInterface,
 		AuthCodeBrowser:  authcodeBrowser,
 		AuthCodeKeyboard: keyboard,
 		ROPC:             ropcROPC,
+		DeviceCode:       deviceCode,
 	}
 	loader3 := &loader2.Loader{}
 	writerWriter := &writer.Writer{}
@@ -82,24 +91,26 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		KubeconfigLoader: loader3,
 		KubeconfigWriter: writerWriter,
 		Logger:           loggerInterface,
+		Clock:            clockInterface,
 	}
 	root := &cmd.Root{
 		Standalone: standaloneStandalone,
 		Logger:     loggerInterface,
 	}
-	repositoryRepository := &repository.Repository{}
+	repositoryRepository := &repository.Repository{
+		Logger: loggerInterface,
+	}
+	reader3 := &reader2.Reader{}
 	writer3 := &writer2.Writer{
 		Stdout: stdout,
 	}
-	mutexMutex := &mutex.Mutex{
-		Logger: loggerInterface,
-	}
 	getToken := &credentialplugin.GetToken{
-		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repositoryRepository,
-		Writer:               writer3,
-		Mutex:                mutexMutex,
-		Logger:               loggerInterface,
+		Authentication:         authenticationAuthentication,
+		TokenCacheRepository:   repositoryRepository,
+		CredentialPluginReader: reader3,
+		CredentialPluginWriter: writer3,
+		Logger:                 loggerInterface,
+		Clock:                  clockInterface,
 	}
 	cmdGetToken := &cmd.GetToken{
 		GetToken: getToken,
@@ -112,10 +123,18 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 	cmdSetup := &cmd.Setup{
 		Setup: setupSetup,
 	}
+	cleanClean := &clean.Clean{
+		TokenCacheRepository: repositoryRepository,
+		Logger:               loggerInterface,
+	}
+	cmdClean := &cmd.Clean{
+		Clean: cleanClean,
+	}
 	cmdCmd := &cmd.Cmd{
 		Root:     root,
 		GetToken: cmdGetToken,
 		Setup:    cmdSetup,
+		Clean:    cmdClean,
 		Logger:   loggerInterface,
 	}
 	return cmdCmd

pkg/infrastructure/logger/mock_goLogger.go

@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// mockGoLogger is an autogenerated mock type for the goLogger type
-type mockGoLogger struct {
-	mock.Mock
-}
-
-type mockGoLogger_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *mockGoLogger) EXPECT() *mockGoLogger_Expecter {
-	return &mockGoLogger_Expecter{mock: &_m.Mock}
-}
-
-// Printf provides a mock function with given fields: format, v
-func (_m *mockGoLogger) Printf(format string, v ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, v...)
-	_m.Called(_ca...)
-}
-
-// mockGoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
-type mockGoLogger_Printf_Call struct {
-	*mock.Call
-}
-
-// Printf is a helper method to define mock.On call
-//  - format string
-//  - v ...interface{}
-func (_e *mockGoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockGoLogger_Printf_Call {
-	return &mockGoLogger_Printf_Call{Call: _e.mock.On("Printf",
-		append([]interface{}{format}, v...)...)}
-}
-
-func (_c *mockGoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockGoLogger_Printf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *mockGoLogger_Printf_Call) Return() *mockGoLogger_Printf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTnewMockGoLogger interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// newMockGoLogger creates a new instance of mockGoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func newMockGoLogger(t mockConstructorTestingTnewMockGoLogger) *mockGoLogger {
-	mock := &mockGoLogger{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/infrastructure/mutex/mock_Interface.go

@@ -1,121 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package mutex
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// Acquire provides a mock function with given fields: ctx, name
-func (_m *MockInterface) Acquire(ctx context.Context, name string) (*Lock, error) {
-	ret := _m.Called(ctx, name)
-
-	var r0 *Lock
-	if rf, ok := ret.Get(0).(func(context.Context, string) *Lock); ok {
-		r0 = rf(ctx, name)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*Lock)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, name)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_Acquire_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Acquire'
-type MockInterface_Acquire_Call struct {
-	*mock.Call
-}
-
-// Acquire is a helper method to define mock.On call
-//  - ctx context.Context
-//  - name string
-func (_e *MockInterface_Expecter) Acquire(ctx interface{}, name interface{}) *MockInterface_Acquire_Call {
-	return &MockInterface_Acquire_Call{Call: _e.mock.On("Acquire", ctx, name)}
-}
-
-func (_c *MockInterface_Acquire_Call) Run(run func(ctx context.Context, name string)) *MockInterface_Acquire_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Acquire_Call) Return(_a0 *Lock, _a1 error) *MockInterface_Acquire_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Release provides a mock function with given fields: lock
-func (_m *MockInterface) Release(lock *Lock) error {
-	ret := _m.Called(lock)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*Lock) error); ok {
-		r0 = rf(lock)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockInterface_Release_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Release'
-type MockInterface_Release_Call struct {
-	*mock.Call
-}
-
-// Release is a helper method to define mock.On call
-//  - lock *Lock
-func (_e *MockInterface_Expecter) Release(lock interface{}) *MockInterface_Release_Call {
-	return &MockInterface_Release_Call{Call: _e.mock.On("Release", lock)}
-}
-
-func (_c *MockInterface_Release_Call) Run(run func(lock *Lock)) *MockInterface_Release_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*Lock))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Release_Call) Return(_a0 error) *MockInterface_Release_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/infrastructure/mutex/mutex.go

@@ -1,87 +0,0 @@
-package mutex
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path"
-
-	"github.com/alexflint/go-filemutex"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-)
-
-var Set = wire.NewSet(
-	wire.Struct(new(Mutex), "*"),
-	wire.Bind(new(Interface), new(*Mutex)),
-)
-
-type Interface interface {
-	Acquire(ctx context.Context, name string) (*Lock, error)
-	Release(lock *Lock) error
-}
-
-// Lock holds the lock data.
-type Lock struct {
-	Data interface{}
-	Name string
-}
-
-type Mutex struct {
-	Logger logger.Interface
-}
-
-// internalAcquire wait for acquisition of the lock
-func internalAcquire(fm *filemutex.FileMutex) chan error {
-	result := make(chan error)
-	go func() {
-		if err := fm.Lock(); err != nil {
-			result <- err
-		}
-		close(result)
-	}()
-	return result
-}
-
-// internalRelease disposes of resources associated with a lock
-func internalRelease(fm *filemutex.FileMutex, lfn string, log logger.Interface) error {
-	err := fm.Close()
-	if err != nil {
-		log.V(1).Infof("Error closing lock file %s: %s", lfn, err)
-	}
-	return err
-}
-
-// LockFileName get the lock file name from the lock name.
-func LockFileName(name string) string {
-	return path.Join(os.TempDir(), fmt.Sprintf(".kubelogin.%s.lock", name))
-}
-
-// Acquire acquire a lock for the specified name. The context could be used to set a timeout.
-func (m *Mutex) Acquire(ctx context.Context, name string) (*Lock, error) {
-	lfn := LockFileName(name)
-	fm, err := filemutex.New(lfn)
-	if err != nil {
-		return nil, fmt.Errorf("error creating mutex file %s: %w", lfn, err)
-	}
-
-	lockChan := internalAcquire(fm)
-	select {
-	case <-ctx.Done():
-		_ = internalRelease(fm, lfn, m.Logger)
-		return nil, ctx.Err()
-	case err := <-lockChan:
-		if err != nil {
-			_ = internalRelease(fm, lfn, m.Logger)
-			return nil, fmt.Errorf("error acquiring lock on file %s: %w", lfn, err)
-		}
-		return &Lock{Data: fm, Name: name}, nil
-	}
-}
-
-// Release release the specified lock
-func (m *Mutex) Release(lock *Lock) error {
-	fm := lock.Data.(*filemutex.FileMutex)
-	lfn := LockFileName(lock.Name)
-	return internalRelease(fm, lfn, m.Logger)
-}

pkg/infrastructure/mutex/mutex_test.go

@@ -1,64 +0,0 @@
-package mutex
-
-import (
-	"fmt"
-	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"golang.org/x/net/context"
-	"math/rand"
-	"sync"
-	"testing"
-	"time"
-)
-
-func TestMutex(t *testing.T) {
-
-	t.Run("Test successful parallel acquisition with no reentry allowed", func(t *testing.T) {
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		nbConcurrency := 20
-		wg := sync.WaitGroup{}
-		events := make(chan int, nbConcurrency*2)
-		errors := make(chan error, nbConcurrency)
-		doLockUnlock := func() {
-			defer wg.Done()
-
-			m := Mutex{
-				Logger: logger.New(),
-			}
-			if mutex, err := m.Acquire(ctx, "test"); err == nil {
-				events <- 1
-				var dur = time.Duration(rand.Intn(5000))
-				time.Sleep(dur * time.Microsecond)
-				events <- -1
-				if err := m.Release(mutex); err != nil {
-					errors <- fmt.Errorf("Release error: %w", err)
-				}
-			} else {
-				errors <- fmt.Errorf("Acquire error: %w", err)
-			}
-		}
-
-		for i := 0; i < nbConcurrency; i++ {
-			wg.Add(1)
-			go doLockUnlock()
-		}
-
-		wg.Wait()
-		close(events)
-		close(errors)
-
-		countConcurrent := 0
-		for delta := range events {
-			countConcurrent += delta
-			if countConcurrent > 1 {
-				t.Errorf("The mutex did not prevented reentry: %d", countConcurrent)
-			}
-		}
-
-		for anError := range errors {
-			t.Errorf("The gorouting returned an error: %s", anError)
-		}
-	})
-}

pkg/kubeconfig/writer/write_test.go

@@ -1,7 +1,6 @@
 package writer
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -26,7 +25,7 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
-		b, err := ioutil.ReadFile(f)
+		b, err := os.ReadFile(f)
 		if err != nil {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}
@@ -71,7 +70,7 @@ users:
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
-		b, err := ioutil.ReadFile(f)
+		b, err := os.ReadFile(f)
 		if err != nil {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}

pkg/mocks.go

@@ -1,3 +0,0 @@
-package pkg
-
-//go:generate mockery --all --inpackage --with-expecter

pkg/oidc/client/client.go

@@ -12,6 +12,7 @@ import (
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/oauth2cli"
+	"github.com/int128/oauth2dev"
 	"golang.org/x/oauth2"
 )
 
@@ -19,9 +20,11 @@ type Interface interface {
 	GetAuthCodeURL(in AuthCodeURLInput) string
 	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error)
 	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error)
+	NegotiatedPKCEMethod() pkce.Method
 	GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error)
+	GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error)
+	ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)
 	Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)
-	SupportedPKCEMethods() []string
 }
 
 type AuthCodeURLInput struct {
@@ -52,12 +55,14 @@ type GetTokenByAuthCodeInput struct {
 }
 
 type client struct {
-	httpClient           *http.Client
-	provider             *gooidc.Provider
-	oauth2Config         oauth2.Config
-	clock                clock.Interface
-	logger               logger.Interface
-	supportedPKCEMethods []string
+	httpClient                  *http.Client
+	provider                    *gooidc.Provider
+	oauth2Config                oauth2.Config
+	clock                       clock.Interface
+	logger                      logger.Interface
+	negotiatedPKCEMethod        pkce.Method
+	deviceAuthorizationEndpoint string
+	useAccessToken              bool
 }
 
 func (c *client) wrapContext(ctx context.Context) context.Context {
@@ -111,34 +116,33 @@ func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput)
 	return c.verifyToken(ctx, token, in.Nonce)
 }
 
-func authorizationRequestOptions(n string, p pkce.Params, e map[string]string) []oauth2.AuthCodeOption {
-	o := []oauth2.AuthCodeOption{
+func authorizationRequestOptions(nonce string, pkceParams pkce.Params, extraParams map[string]string) []oauth2.AuthCodeOption {
+	opts := []oauth2.AuthCodeOption{
 		oauth2.AccessTypeOffline,
-		gooidc.Nonce(n),
+		gooidc.Nonce(nonce),
 	}
-	if !p.IsZero() {
-		o = append(o,
-			oauth2.SetAuthURLParam("code_challenge", p.CodeChallenge),
-			oauth2.SetAuthURLParam("code_challenge_method", p.CodeChallengeMethod),
-		)
+	if pkceParams.CodeChallenge != "" {
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge", pkceParams.CodeChallenge))
 	}
-	for key, value := range e {
-		o = append(o, oauth2.SetAuthURLParam(key, value))
+	if pkceParams.CodeChallengeMethod != "" {
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", pkceParams.CodeChallengeMethod))
 	}
-	return o
+	for key, value := range extraParams {
+		opts = append(opts, oauth2.SetAuthURLParam(key, value))
+	}
+	return opts
 }
 
-func tokenRequestOptions(p pkce.Params) (o []oauth2.AuthCodeOption) {
-	if !p.IsZero() {
-		o = append(o, oauth2.SetAuthURLParam("code_verifier", p.CodeVerifier))
+func tokenRequestOptions(pkceParams pkce.Params) []oauth2.AuthCodeOption {
+	var opts []oauth2.AuthCodeOption
+	if pkceParams.CodeVerifier != "" {
+		opts = append(opts, oauth2.SetAuthURLParam("code_verifier", pkceParams.CodeVerifier))
 	}
-	return
+	return opts
 }
 
-// SupportedPKCEMethods returns the PKCE methods supported by the provider.
-// This may return nil if PKCE is not supported.
-func (c *client) SupportedPKCEMethods() []string {
-	return c.supportedPKCEMethods
+func (c *client) NegotiatedPKCEMethod() pkce.Method {
+	return c.negotiatedPKCEMethod
 }
 
 // GetTokenByROPC performs the resource owner password credentials flow.
@@ -151,6 +155,26 @@ func (c *client) GetTokenByROPC(ctx context.Context, username, password string)
 	return c.verifyToken(ctx, token, "")
 }
 
+// GetDeviceAuthorization initializes the device authorization code challenge
+func (c *client) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ctx = c.wrapContext(ctx)
+	config := c.oauth2Config
+	config.Endpoint = oauth2.Endpoint{
+		AuthURL: c.deviceAuthorizationEndpoint,
+	}
+	return oauth2dev.RetrieveCode(ctx, config)
+}
+
+// ExchangeDeviceCode exchanges the device to an oidc.TokenSet
+func (c *client) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	tokenResponse, err := oauth2dev.PollToken(ctx, c.oauth2Config, *authResponse)
+	if err != nil {
+		return nil, fmt.Errorf("device-code: exchange failed: %w", err)
+	}
+	return c.verifyToken(ctx, tokenResponse, "")
+}
+
 // Refresh sends a refresh token request and returns a token set.
 func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
 	ctx = c.wrapContext(ctx)
@@ -171,7 +195,7 @@ func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenS
 func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*oidc.TokenSet, error) {
 	idToken, ok := token.Extra("id_token").(string)
 	if !ok {
-		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
+		return nil, fmt.Errorf("id_token is missing in the token response: %#v", token)
 	}
 	verifier := c.provider.Verifier(&gooidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
 	verifiedIDToken, err := verifier.Verify(ctx, idToken)
@@ -181,6 +205,32 @@ func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce str
 	if nonce != "" && nonce != verifiedIDToken.Nonce {
 		return nil, fmt.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
 	}
+
+	if c.useAccessToken {
+		accessToken, ok := token.Extra("access_token").(string)
+		if !ok {
+			return nil, fmt.Errorf("access_token is missing in the token response: %#v", accessToken)
+		}
+
+		// We intentionally do not perform a ClientID check here because there
+		// are some use cases in access_tokens where we *expect* the audience
+		// to differ. For example, one can explicitly set
+		// `audience=CLUSTER_CLIENT_ID` as an extra auth parameter.
+		verifier = c.provider.Verifier(&gooidc.Config{ClientID: "", Now: c.clock.Now, SkipClientIDCheck: true})
+
+		_, err := verifier.Verify(ctx, accessToken)
+		if err != nil {
+			return nil, fmt.Errorf("could not verify the access token: %w", err)
+		}
+
+		// There is no `nonce` to check on the `access_token`. We rely on the
+		// above `nonce` check on the `id_token`.
+
+		return &oidc.TokenSet{
+			IDToken:      accessToken,
+			RefreshToken: token.RefreshToken,
+		}, nil
+	}
 	return &oidc.TokenSet{
 		IDToken:      idToken,
 		RefreshToken: token.RefreshToken,

pkg/oidc/client/factory.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"slices"
 
 	gooidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/google/wire"
@@ -24,7 +25,7 @@ var Set = wire.NewSet(
 )
 
 type FactoryInterface interface {
-	New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error)
+	New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error)
 }
 
 type Factory struct {
@@ -34,7 +35,7 @@ type Factory struct {
 }
 
 // New returns an instance of infrastructure.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
+func (f *Factory) New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
 	rawTLSClientConfig, err := f.Loader.Load(tlsClientConfig)
 	if err != nil {
 		return nil, fmt.Errorf("could not load the TLS client config: %w", err)
@@ -52,7 +53,7 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	}
 
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := gooidc.NewProvider(ctx, p.IssuerURL)
+	provider, err := gooidc.NewProvider(ctx, prov.IssuerURL)
 	if err != nil {
 		return nil, fmt.Errorf("oidc discovery error: %w", err)
 	}
@@ -60,30 +61,57 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	if err != nil {
 		return nil, fmt.Errorf("could not determine supported PKCE methods: %w", err)
 	}
-	if len(supportedPKCEMethods) == 0 && p.UsePKCE {
-		supportedPKCEMethods = []string{pkce.MethodS256}
+	deviceAuthorizationEndpoint, err := extractDeviceAuthorizationEndpoint(provider)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine device authorization endpoint: %w", err)
 	}
 	return &client{
 		httpClient: httpClient,
 		provider:   provider,
 		oauth2Config: oauth2.Config{
 			Endpoint:     provider.Endpoint(),
-			ClientID:     p.ClientID,
-			ClientSecret: p.ClientSecret,
-			Scopes:       append(p.ExtraScopes, gooidc.ScopeOpenID),
+			ClientID:     prov.ClientID,
+			ClientSecret: prov.ClientSecret,
+			Scopes:       append(prov.ExtraScopes, gooidc.ScopeOpenID),
 		},
-		clock:                f.Clock,
-		logger:               f.Logger,
-		supportedPKCEMethods: supportedPKCEMethods,
+		clock:                       f.Clock,
+		logger:                      f.Logger,
+		negotiatedPKCEMethod:        determinePKCEMethod(supportedPKCEMethods, prov.PKCEMethod),
+		deviceAuthorizationEndpoint: deviceAuthorizationEndpoint,
+		useAccessToken:              prov.UseAccessToken,
 	}, nil
 }
 
+func determinePKCEMethod(supportedMethods []string, preferredMethod oidc.PKCEMethod) pkce.Method {
+	switch preferredMethod {
+	case oidc.PKCEMethodNo:
+		return pkce.NoMethod
+	case oidc.PKCEMethodS256:
+		return pkce.MethodS256
+	default:
+		if slices.Contains(supportedMethods, "S256") {
+			return pkce.MethodS256
+		}
+		return pkce.NoMethod
+	}
+}
+
 func extractSupportedPKCEMethods(provider *gooidc.Provider) ([]string, error) {
-	var d struct {
+	var claims struct {
 		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
 	}
-	if err := provider.Claims(&d); err != nil {
+	if err := provider.Claims(&claims); err != nil {
 		return nil, fmt.Errorf("invalid discovery document: %w", err)
 	}
-	return d.CodeChallengeMethodsSupported, nil
+	return claims.CodeChallengeMethodsSupported, nil
+}
+
+func extractDeviceAuthorizationEndpoint(provider *gooidc.Provider) (string, error) {
+	var claims struct {
+		DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
+	}
+	if err := provider.Claims(&claims); err != nil {
+		return "", fmt.Errorf("invalid discovery document: %w", err)
+	}
+	return claims.DeviceAuthorizationEndpoint, nil
 }

pkg/oidc/client/mock_Interface.go

@@ -1,303 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package client
-
-import (
-	context "context"
-
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// ExchangeAuthCode provides a mock function with given fields: ctx, in
-func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, in)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, ExchangeAuthCodeInput) *oidc.TokenSet); ok {
-		r0 = rf(ctx, in)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, ExchangeAuthCodeInput) error); ok {
-		r1 = rf(ctx, in)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
-type MockInterface_ExchangeAuthCode_Call struct {
-	*mock.Call
-}
-
-// ExchangeAuthCode is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in ExchangeAuthCodeInput
-func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
-	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
-}
-
-func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(ExchangeAuthCodeInput))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetAuthCodeURL provides a mock function with given fields: in
-func (_m *MockInterface) GetAuthCodeURL(in AuthCodeURLInput) string {
-	ret := _m.Called(in)
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func(AuthCodeURLInput) string); ok {
-		r0 = rf(in)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
-type MockInterface_GetAuthCodeURL_Call struct {
-	*mock.Call
-}
-
-// GetAuthCodeURL is a helper method to define mock.On call
-//  - in AuthCodeURLInput
-func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
-	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
-}
-
-func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(AuthCodeURLInput))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
-func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, in, localServerReadyChan)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, in, localServerReadyChan)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) error); ok {
-		r1 = rf(ctx, in, localServerReadyChan)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
-type MockInterface_GetTokenByAuthCode_Call struct {
-	*mock.Call
-}
-
-// GetTokenByAuthCode is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in GetTokenByAuthCodeInput
-//  - localServerReadyChan chan<- string
-func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
-	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
-}
-
-func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(GetTokenByAuthCodeInput), args[2].(chan<- string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetTokenByROPC provides a mock function with given fields: ctx, username, password
-func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, username, password)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, username, password)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
-		r1 = rf(ctx, username, password)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
-type MockInterface_GetTokenByROPC_Call struct {
-	*mock.Call
-}
-
-// GetTokenByROPC is a helper method to define mock.On call
-//  - ctx context.Context
-//  - username string
-//  - password string
-func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
-	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
-}
-
-func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string), args[2].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Refresh provides a mock function with given fields: ctx, refreshToken
-func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, refreshToken)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, refreshToken)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, refreshToken)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
-type MockInterface_Refresh_Call struct {
-	*mock.Call
-}
-
-// Refresh is a helper method to define mock.On call
-//  - ctx context.Context
-//  - refreshToken string
-func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
-	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
-}
-
-func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// SupportedPKCEMethods provides a mock function with given fields:
-func (_m *MockInterface) SupportedPKCEMethods() []string {
-	ret := _m.Called()
-
-	var r0 []string
-	if rf, ok := ret.Get(0).(func() []string); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]string)
-		}
-	}
-
-	return r0
-}
-
-// MockInterface_SupportedPKCEMethods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SupportedPKCEMethods'
-type MockInterface_SupportedPKCEMethods_Call struct {
-	*mock.Call
-}
-
-// SupportedPKCEMethods is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) SupportedPKCEMethods() *MockInterface_SupportedPKCEMethods_Call {
-	return &MockInterface_SupportedPKCEMethods_Call{Call: _e.mock.On("SupportedPKCEMethods")}
-}
-
-func (_c *MockInterface_SupportedPKCEMethods_Call) Run(run func()) *MockInterface_SupportedPKCEMethods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_SupportedPKCEMethods_Call) Return(_a0 []string) *MockInterface_SupportedPKCEMethods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/oidc/oidc.go

@@ -11,13 +11,23 @@ import (
 
 // Provider represents an OIDC provider.
 type Provider struct {
-	IssuerURL    string
-	ClientID     string
-	ClientSecret string   // optional
-	ExtraScopes  []string // optional
-	UsePKCE      bool     // optional
+	IssuerURL      string
+	ClientID       string
+	ClientSecret   string   // optional
+	ExtraScopes    []string // optional
+	PKCEMethod     PKCEMethod
+	UseAccessToken bool
 }
 
+// PKCEMethod represents a preferred method of PKCE.
+type PKCEMethod int
+
+const (
+	PKCEMethodAuto PKCEMethod = iota
+	PKCEMethodNo
+	PKCEMethodS256
+)
+
 // TokenSet represents a set of ID token and refresh token.
 type TokenSet struct {
 	IDToken      string

pkg/pkce/pkce.go

@@ -10,11 +10,12 @@ import (
 	"fmt"
 )
 
-var Plain Params
+type Method int
 
 const (
-	// code challenge methods defined as https://tools.ietf.org/html/rfc7636#section-4.3
-	MethodS256 = "S256"
+	// Code challenge methods defined as https://tools.ietf.org/html/rfc7636#section-4.3
+	NoMethod Method = iota
+	MethodS256
 )
 
 // Params represents a set of the PKCE parameters.
@@ -24,27 +25,21 @@ type Params struct {
 	CodeVerifier        string
 }
 
-func (p Params) IsZero() bool {
-	return p == Params{}
-}
-
 // New returns a parameters supported by the provider.
 // You need to pass the code challenge methods defined in RFC7636.
-// It returns Plain if no method is available.
-func New(methods []string) (Params, error) {
-	for _, method := range methods {
-		if method == MethodS256 {
-			return NewS256()
-		}
+// It returns a zero value if no method is available.
+func New(method Method) (Params, error) {
+	if method == MethodS256 {
+		return NewS256()
 	}
-	return Plain, nil
+	return Params{}, nil
 }
 
 // NewS256 generates a parameters for S256.
 func NewS256() (Params, error) {
 	b, err := random32()
 	if err != nil {
-		return Plain, fmt.Errorf("could not generate a random: %w", err)
+		return Params{}, fmt.Errorf("could not generate a random: %w", err)
 	}
 	return computeS256(b), nil
 }
@@ -63,7 +58,7 @@ func computeS256(b []byte) Params {
 	_, _ = s.Write([]byte(v))
 	return Params{
 		CodeChallenge:       base64URLEncode(s.Sum(nil)),
-		CodeChallengeMethod: MethodS256,
+		CodeChallengeMethod: "S256",
 		CodeVerifier:        v,
 	}
 }

pkg/pkce/pkce_test.go

@@ -2,40 +2,33 @@ package pkce
 
 import (
 	"testing"
+
+	"github.com/google/go-cmp/cmp"
 )
 
 func TestNew(t *testing.T) {
 	t.Run("S256", func(t *testing.T) {
-		p, err := New([]string{"plain", "S256"})
+		params, err := New(MethodS256)
 		if err != nil {
 			t.Fatalf("New error: %s", err)
 		}
-		if p.CodeChallengeMethod != "S256" {
-			t.Errorf("CodeChallengeMethod wants S256 but was %s", p.CodeChallengeMethod)
+		if params.CodeChallengeMethod != "S256" {
+			t.Errorf("CodeChallengeMethod wants S256 but was %s", params.CodeChallengeMethod)
 		}
-		if p.CodeChallenge == "" {
+		if params.CodeChallenge == "" {
 			t.Errorf("CodeChallenge wants non-empty but was empty")
 		}
-		if p.CodeVerifier == "" {
+		if params.CodeVerifier == "" {
 			t.Errorf("CodeVerifier wants non-empty but was empty")
 		}
 	})
-	t.Run("plain", func(t *testing.T) {
-		p, err := New([]string{"plain"})
+	t.Run("NoMethod", func(t *testing.T) {
+		params, err := New(NoMethod)
 		if err != nil {
 			t.Fatalf("New error: %s", err)
 		}
-		if !p.IsZero() {
-			t.Errorf("IsZero wants true but was false")
-		}
-	})
-	t.Run("nil", func(t *testing.T) {
-		p, err := New(nil)
-		if err != nil {
-			t.Fatalf("New error: %s", err)
-		}
-		if !p.IsZero() {
-			t.Errorf("IsZero wants true but was false")
+		if diff := cmp.Diff(Params{}, params); diff != "" {
+			t.Errorf("mismatch (-want +got):\n%s", diff)
 		}
 	})
 }

pkg/testing/jwt/encode.go

@@ -5,7 +5,7 @@ import (
 	"crypto/rsa"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 var PrivateKey = generateKey(1024)
@@ -19,7 +19,7 @@ func generateKey(b int) *rsa.PrivateKey {
 }
 
 type Claims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	// aud claim is either a string or an array of strings.
 	// https://tools.ietf.org/html/rfc7519#section-4.1.3
 	Audience      []string `json:"aud,omitempty"`

pkg/testing/logger/mock_testingLogger.go

@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// mockTestingLogger is an autogenerated mock type for the testingLogger type
-type mockTestingLogger struct {
-	mock.Mock
-}
-
-type mockTestingLogger_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *mockTestingLogger) EXPECT() *mockTestingLogger_Expecter {
-	return &mockTestingLogger_Expecter{mock: &_m.Mock}
-}
-
-// Logf provides a mock function with given fields: format, v
-func (_m *mockTestingLogger) Logf(format string, v ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, v...)
-	_m.Called(_ca...)
-}
-
-// mockTestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
-type mockTestingLogger_Logf_Call struct {
-	*mock.Call
-}
-
-// Logf is a helper method to define mock.On call
-//  - format string
-//  - v ...interface{}
-func (_e *mockTestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *mockTestingLogger_Logf_Call {
-	return &mockTestingLogger_Logf_Call{Call: _e.mock.On("Logf",
-		append([]interface{}{format}, v...)...)}
-}
-
-func (_c *mockTestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *mockTestingLogger_Logf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *mockTestingLogger_Logf_Call) Return() *mockTestingLogger_Logf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTnewMockTestingLogger interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// newMockTestingLogger creates a new instance of mockTestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func newMockTestingLogger(t mockConstructorTestingTnewMockTestingLogger) *mockTestingLogger {
-	mock := &mockTestingLogger{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/tlsclientconfig/loader/load.go

@@ -7,7 +7,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"os"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -38,8 +38,8 @@ func (l *Loader) Load(config tlsclientconfig.Config) (*tls.Config, error) {
 			return nil, fmt.Errorf("could not load the certificate: %w", err)
 		}
 	}
-	if len(rootCAs.Subjects()) == 0 {
-		// use the host's root CA set
+	if rootCAs.Equal(x509.NewCertPool()) {
+		// if empty, use the host's root CA set
 		rootCAs = nil
 	}
 	return &tls.Config{
@@ -50,7 +50,7 @@ func (l *Loader) Load(config tlsclientconfig.Config) (*tls.Config, error) {
 }
 
 func addFile(p *x509.CertPool, filename string) error {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return fmt.Errorf("could not read: %w", err)
 	}

pkg/tlsclientconfig/loader/load_test.go

@@ -1,7 +1,7 @@
 package loader
 
 import (
-	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -25,8 +25,8 @@ func TestLoader_Load(t *testing.T) {
 		if err != nil {
 			t.Errorf("Load error: %s", err)
 		}
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
+		if cfg.RootCAs == nil {
+			t.Errorf("RootCAs wants non-nil but was nil")
 		}
 	})
 	t.Run("InvalidFile", func(t *testing.T) {
@@ -44,15 +44,15 @@ func TestLoader_Load(t *testing.T) {
 		if err != nil {
 			t.Errorf("Load error: %s", err)
 		}
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
+		if cfg.RootCAs == nil {
+			t.Errorf("RootCAs wants non-nil but was nil")
 		}
 	})
 }
 
 func readFile(t *testing.T, filename string) string {
 	t.Helper()
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		t.Fatalf("ReadFile error: %s", err)
 	}

pkg/tokencache/repository/mock_Interface.go

@@ -1,124 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package repository
-
-import (
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-	mock "github.com/stretchr/testify/mock"
-
-	tokencache "github.com/int128/kubelogin/pkg/tokencache"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// FindByKey provides a mock function with given fields: dir, key
-func (_m *MockInterface) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error) {
-	ret := _m.Called(dir, key)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(string, tokencache.Key) *oidc.TokenSet); ok {
-		r0 = rf(dir, key)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(string, tokencache.Key) error); ok {
-		r1 = rf(dir, key)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_FindByKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindByKey'
-type MockInterface_FindByKey_Call struct {
-	*mock.Call
-}
-
-// FindByKey is a helper method to define mock.On call
-//  - dir string
-//  - key tokencache.Key
-func (_e *MockInterface_Expecter) FindByKey(dir interface{}, key interface{}) *MockInterface_FindByKey_Call {
-	return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", dir, key)}
-}
-
-func (_c *MockInterface_FindByKey_Call) Run(run func(dir string, key tokencache.Key)) *MockInterface_FindByKey_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(tokencache.Key))
-	})
-	return _c
-}
-
-func (_c *MockInterface_FindByKey_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_FindByKey_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Save provides a mock function with given fields: dir, key, tokenSet
-func (_m *MockInterface) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
-	ret := _m.Called(dir, key, tokenSet)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(string, tokencache.Key, oidc.TokenSet) error); ok {
-		r0 = rf(dir, key, tokenSet)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockInterface_Save_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Save'
-type MockInterface_Save_Call struct {
-	*mock.Call
-}
-
-// Save is a helper method to define mock.On call
-//  - dir string
-//  - key tokencache.Key
-//  - tokenSet oidc.TokenSet
-func (_e *MockInterface_Expecter) Save(dir interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
-	return &MockInterface_Save_Call{Call: _e.mock.On("Save", dir, key, tokenSet)}
-}
-
-func (_c *MockInterface_Save_Call) Run(run func(dir string, key tokencache.Key, tokenSet oidc.TokenSet)) *MockInterface_Save_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(tokencache.Key), args[2].(oidc.TokenSet))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Save_Call) Return(_a0 error) *MockInterface_Save_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/tokencache/repository/repository.go

@@ -5,13 +5,18 @@ import (
 	"encoding/gob"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 
+	"github.com/gofrs/flock"
 	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/tokencache"
+	"github.com/zalando/go-keyring"
 )
 
 // Set provides an implementation and interface for Kubeconfig.
@@ -21,8 +26,10 @@ var Set = wire.NewSet(
 )
 
 type Interface interface {
-	FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error)
-	Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error
+	FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error)
+	Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error
+	Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error)
+	DeleteAll(config tokencache.Config) error
 }
 
 type entity struct {
@@ -32,23 +39,74 @@ type entity struct {
 
 // Repository provides access to the token cache on the local filesystem.
 // Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
-type Repository struct{}
+type Repository struct {
+	Logger logger.Interface
+}
 
-func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error) {
-	filename, err := computeFilename(key)
+// keyringService is used to namespace the keyring access.
+// Some implementations may also display this string when prompting the user
+// for allowing access.
+const keyringService = "kubelogin"
+
+// keyringItemPrefix is used as the prefix in the keyring items.
+const keyringItemPrefix = "kubelogin/tokencache/"
+
+func (r *Repository) FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error) {
+	checksum, err := computeChecksum(key)
 	if err != nil {
 		return nil, fmt.Errorf("could not compute the key: %w", err)
 	}
-	p := filepath.Join(dir, filename)
-	f, err := os.Open(p)
+	switch config.Storage {
+	case tokencache.StorageAuto:
+		t, err := readFromKeyring(checksum)
+		if errors.Is(err, keyring.ErrUnsupportedPlatform) ||
+			errors.Is(err, keyring.ErrNotFound) {
+			return readFromFile(config, checksum)
+		}
+		if err != nil {
+			return nil, err
+		}
+		return t, nil
+	case tokencache.StorageDisk:
+		return readFromFile(config, checksum)
+	case tokencache.StorageKeyring:
+		return readFromKeyring(checksum)
+	default:
+		return nil, fmt.Errorf("unknown storage mode: %v", config.Storage)
+	}
+}
+
+func readFromFile(config tokencache.Config, checksum string) (*oidc.TokenSet, error) {
+	p := filepath.Join(config.Directory, checksum)
+	b, err := os.ReadFile(p)
 	if err != nil {
 		return nil, fmt.Errorf("could not open file %s: %w", p, err)
 	}
-	defer f.Close()
-	d := json.NewDecoder(f)
+	t, err := decodeKey(b)
+	if err != nil {
+		return nil, fmt.Errorf("file %s: %w", p, err)
+	}
+	return t, nil
+}
+
+func readFromKeyring(checksum string) (*oidc.TokenSet, error) {
+	p := keyringItemPrefix + checksum
+	s, err := keyring.Get(keyringService, p)
+	if err != nil {
+		return nil, fmt.Errorf("could not get keyring secret %s: %w", p, err)
+	}
+	t, err := decodeKey([]byte(s))
+	if err != nil {
+		return nil, fmt.Errorf("keyring %s: %w", p, err)
+	}
+	return t, nil
+}
+
+func decodeKey(b []byte) (*oidc.TokenSet, error) {
 	var e entity
-	if err := d.Decode(&e); err != nil {
-		return nil, fmt.Errorf("invalid json file %s: %w", p, err)
+	err := json.Unmarshal(b, &e)
+	if err != nil {
+		return nil, fmt.Errorf("invalid token cache json: %w", err)
 	}
 	return &oidc.TokenSet{
 		IDToken:      e.IDToken,
@@ -56,31 +114,118 @@ func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet,
 	}, nil
 }
 
-func (r *Repository) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return fmt.Errorf("could not create directory %s: %w", dir, err)
-	}
-	filename, err := computeFilename(key)
+func (r *Repository) Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error {
+	checksum, err := computeChecksum(key)
 	if err != nil {
 		return fmt.Errorf("could not compute the key: %w", err)
 	}
-	p := filepath.Join(dir, filename)
-	f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	switch config.Storage {
+	case tokencache.StorageAuto:
+		if err := writeToKeyring(checksum, tokenSet); err != nil {
+			if errors.Is(err, keyring.ErrUnsupportedPlatform) {
+				return writeToFile(config, checksum, tokenSet)
+			}
+			return err
+		}
+		return nil
+	case tokencache.StorageDisk:
+		return writeToFile(config, checksum, tokenSet)
+	case tokencache.StorageKeyring:
+		return writeToKeyring(checksum, tokenSet)
+	default:
+		return fmt.Errorf("unknown storage mode: %v", config.Storage)
+	}
+}
+
+func writeToFile(config tokencache.Config, checksum string, tokenSet oidc.TokenSet) error {
+	p := filepath.Join(config.Directory, checksum)
+	b, err := encodeKey(tokenSet)
 	if err != nil {
+		return fmt.Errorf("file %s: %w", p, err)
+	}
+	if err := os.MkdirAll(config.Directory, 0700); err != nil {
+		return fmt.Errorf("could not create directory %s: %w", config.Directory, err)
+	}
+	if err := os.WriteFile(p, b, 0600); err != nil {
 		return fmt.Errorf("could not create file %s: %w", p, err)
 	}
-	defer f.Close()
-	e := entity{
-		IDToken:      tokenSet.IDToken,
-		RefreshToken: tokenSet.RefreshToken,
-	}
-	if err := json.NewEncoder(f).Encode(&e); err != nil {
-		return fmt.Errorf("json encode error: %w", err)
-	}
 	return nil
 }
 
-func computeFilename(key tokencache.Key) (string, error) {
+func writeToKeyring(checksum string, tokenSet oidc.TokenSet) error {
+	p := keyringItemPrefix + checksum
+	b, err := encodeKey(tokenSet)
+	if err != nil {
+		return fmt.Errorf("keyring %s: %w", p, err)
+	}
+	if err := keyring.Set(keyringService, p, string(b)); err != nil {
+		return fmt.Errorf("keyring write %s: %w", p, err)
+	}
+	return nil
+}
+
+func (r *Repository) Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error) {
+	checksum, err := computeChecksum(key)
+	if err != nil {
+		return nil, fmt.Errorf("could not compute the key: %w", err)
+	}
+	// NOTE: Both keyring and disk storage types use files for locking
+	// No sensitive data is stored in the lock file
+	if err := os.MkdirAll(config.Directory, 0700); err != nil {
+		return nil, fmt.Errorf("could not create directory %s: %w", config.Directory, err)
+	}
+	// Do not lock the token cache file.
+	// https://github.com/int128/kubelogin/issues/1144
+	lockFilepath := filepath.Join(config.Directory, checksum+".lock")
+	lockFile := flock.New(lockFilepath)
+	if err := lockFile.Lock(); err != nil {
+		return nil, fmt.Errorf("could not lock the cache file %s: %w", lockFilepath, err)
+	}
+	return lockFile, nil
+}
+
+func (r *Repository) DeleteAll(config tokencache.Config) error {
+	return errors.Join(
+		func() error {
+			if err := os.RemoveAll(config.Directory); err != nil {
+				return fmt.Errorf("remove the directory %s: %w", config.Directory, err)
+			}
+			r.Logger.Printf("Deleted the token cache at %s", config.Directory)
+			return nil
+		}(),
+		func() error {
+			switch config.Storage {
+			case tokencache.StorageAuto:
+				if err := keyring.DeleteAll(keyringService); err != nil {
+					if errors.Is(err, keyring.ErrUnsupportedPlatform) {
+						return nil
+					}
+					return fmt.Errorf("keyring delete: %w", err)
+				}
+				r.Logger.Printf("Deleted the token cache in the keyring")
+				return nil
+			case tokencache.StorageKeyring:
+				if err := keyring.DeleteAll(keyringService); err != nil {
+					return fmt.Errorf("keyring delete: %w", err)
+				}
+				r.Logger.Printf("Deleted the token cache in the keyring")
+				return nil
+			default:
+				return nil
+			}
+		}(),
+	)
+}
+
+func encodeKey(tokenSet oidc.TokenSet) ([]byte, error) {
+	e := entity{
+		IDToken:      tokenSet.IDToken,
+		RefreshToken: tokenSet.RefreshToken,
+	}
+	return json.Marshal(&e)
+}
+
+func computeChecksum(key tokencache.Key) (string, error) {
 	s := sha256.New()
 	e := gob.NewEncoder(s)
 	if err := e.Encode(&key); err != nil {

pkg/tokencache/repository/repository_test.go

@@ -1,12 +1,13 @@
 package repository
 
 import (
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/tokencache"
 )
 
@@ -15,25 +16,33 @@ func TestRepository_FindByKey(t *testing.T) {
 
 	t.Run("Success", func(t *testing.T) {
 		dir := t.TempDir()
-		key := tokencache.Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
+		config := tokencache.Config{
+			Directory: dir,
+			Storage:   tokencache.StorageDisk,
 		}
+		key := tokencache.Key{
+			Provider: oidc.Provider{
+				IssuerURL:    "YOUR_ISSUER",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"openid", "email"},
+			},
+			TLSClientConfig: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert"},
+			},
+		}
+
 		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename, err := computeFilename(key)
+		filename, err := computeChecksum(key)
 		if err != nil {
 			t.Errorf("could not compute the key: %s", err)
 		}
 		p := filepath.Join(dir, filename)
-		if err := ioutil.WriteFile(p, []byte(json), 0600); err != nil {
+		if err := os.WriteFile(p, []byte(json), 0600); err != nil {
 			t.Fatalf("could not write to the temp file: %s", err)
 		}
 
-		got, err := r.FindByKey(dir, key)
+		got, err := r.FindByKey(config, key)
 		if err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}
@@ -49,30 +58,36 @@ func TestRepository_Save(t *testing.T) {
 
 	t.Run("Success", func(t *testing.T) {
 		dir := t.TempDir()
+		config := tokencache.Config{
+			Directory: dir,
+			Storage:   tokencache.StorageDisk,
+		}
 		key := tokencache.Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
+			Provider: oidc.Provider{
+				IssuerURL:    "YOUR_ISSUER",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"openid", "email"},
+			},
+			TLSClientConfig: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert"},
+			},
 		}
 		tokenSet := oidc.TokenSet{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Save(dir, key, tokenSet); err != nil {
+		if err := r.Save(config, key, tokenSet); err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}
 
-		filename, err := computeFilename(key)
+		filename, err := computeChecksum(key)
 		if err != nil {
 			t.Errorf("could not compute the key: %s", err)
 		}
 		p := filepath.Join(dir, filename)
-		b, err := ioutil.ReadFile(p)
+		b, err := os.ReadFile(p)
 		if err != nil {
 			t.Fatalf("could not read the token cache file: %s", err)
 		}
-		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
-`
+		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
 		got := string(b)
 		if diff := cmp.Diff(want, got); diff != "" {
 			t.Errorf("mismatch (-want +got):\n%s", diff)

pkg/tokencache/types.go

@@ -1,13 +1,34 @@
 package tokencache
 
+import (
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+)
+
 // Key represents a key of a token cache.
 type Key struct {
-	IssuerURL      string
-	ClientID       string
-	ClientSecret   string
-	Username       string
-	ExtraScopes    []string
-	CACertFilename string
-	CACertData     string
-	SkipTLSVerify  bool
+	Provider        oidc.Provider
+	TLSClientConfig tlsclientconfig.Config
+	Username        string
 }
+
+// Config represents a configuration for the token cache.
+type Config struct {
+	// Directory is a path to the directory to store a token cache.
+	// Note that a lock file is created into this directory even if the keyring is used.
+	Directory string
+
+	Storage Storage
+}
+
+// Storage is an enum of different storage strategies.
+type Storage byte
+
+const (
+	// StorageAuto will prefer keyring when available, and fallback to disk when not.
+	StorageAuto Storage = iota
+	// StorageDisk will only store cached keys on disk.
+	StorageDisk
+	// StorageDisk will only store cached keys in the OS keyring.
+	StorageKeyring
+)

pkg/usecases/authentication/authcode/browser.go

@@ -41,9 +41,9 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, oidcClient client.In
 	if err != nil {
 		return nil, fmt.Errorf("could not generate a nonce: %w", err)
 	}
-	p, err := pkce.New(oidcClient.SupportedPKCEMethods())
+	pkceParams, err := pkce.New(oidcClient.NegotiatedPKCEMethod())
 	if err != nil {
-		return nil, fmt.Errorf("could not generate PKCE parameters: %w", err)
+		return nil, fmt.Errorf("could not generate the PKCE parameters: %w", err)
 	}
 	successHTML := BrowserSuccessHTML
 	if o.OpenURLAfterAuthentication != "" {
@@ -53,7 +53,7 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, oidcClient client.In
 		BindAddress:            o.BindAddress,
 		State:                  state,
 		Nonce:                  nonce,
-		PKCEParams:             p,
+		PKCEParams:             pkceParams,
 		RedirectURLHostname:    o.RedirectURLHostname,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 		LocalServerSuccessHTML: successHTML,

pkg/usecases/authentication/authcode/browser_test.go

@@ -6,9 +6,11 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/stretchr/testify/mock"
 )
@@ -29,10 +31,8 @@ func TestBrowser_Do(t *testing.T) {
 			RedirectURLHostname:        "localhost",
 			AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
 		}
-		mockClient := client.NewMockInterface(t)
-		mockClient.EXPECT().
-			SupportedPKCEMethods().
-			Return(nil)
+		mockClient := client_mock.NewMockInterface(t)
+		mockClient.EXPECT().NegotiatedPKCEMethod().Return(pkce.NoMethod)
 		mockClient.EXPECT().
 			GetTokenByAuthCode(mock.Anything, mock.Anything, mock.Anything).
 			Run(func(_ context.Context, in client.GetTokenByAuthCodeInput, readyChan chan<- string) {
@@ -83,10 +83,8 @@ func TestBrowser_Do(t *testing.T) {
 			BindAddress:           []string{"127.0.0.1:8000"},
 			AuthenticationTimeout: 10 * time.Second,
 		}
-		mockClient := client.NewMockInterface(t)
-		mockClient.EXPECT().
-			SupportedPKCEMethods().
-			Return(nil)
+		mockClient := client_mock.NewMockInterface(t)
+		mockClient.EXPECT().NegotiatedPKCEMethod().Return(pkce.NoMethod)
 		mockClient.EXPECT().
 			GetTokenByAuthCode(mock.Anything, mock.Anything, mock.Anything).
 			Run(func(_ context.Context, _ client.GetTokenByAuthCodeInput, readyChan chan<- string) {
@@ -96,7 +94,7 @@ func TestBrowser_Do(t *testing.T) {
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockBrowser := browser.NewMockInterface(t)
+		mockBrowser := browser_mock.NewMockInterface(t)
 		mockBrowser.EXPECT().
 			Open("LOCAL_SERVER_URL").
 			Return(nil)
@@ -125,10 +123,8 @@ func TestBrowser_Do(t *testing.T) {
 			BrowserCommand:        "firefox",
 			AuthenticationTimeout: 10 * time.Second,
 		}
-		mockClient := client.NewMockInterface(t)
-		mockClient.EXPECT().
-			SupportedPKCEMethods().
-			Return(nil)
+		mockClient := client_mock.NewMockInterface(t)
+		mockClient.EXPECT().NegotiatedPKCEMethod().Return(pkce.NoMethod)
 		mockClient.EXPECT().
 			GetTokenByAuthCode(mock.Anything, mock.Anything, mock.Anything).
 			Run(func(_ context.Context, _ client.GetTokenByAuthCodeInput, readyChan chan<- string) {
@@ -138,7 +134,7 @@ func TestBrowser_Do(t *testing.T) {
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockBrowser := browser.NewMockInterface(t)
+		mockBrowser := browser_mock.NewMockInterface(t)
 		mockBrowser.EXPECT().
 			OpenCommand(mock.Anything, "LOCAL_SERVER_URL", "firefox").
 			Return(nil)

pkg/usecases/authentication/authcode/keyboard.go

@@ -12,10 +12,10 @@ import (
 )
 
 const keyboardPrompt = "Enter code: "
-const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
 
 type KeyboardOption struct {
 	AuthRequestExtraParams map[string]string
+	RedirectURL            string
 }
 
 // Keyboard provides the authorization code flow with keyboard interactive.
@@ -34,15 +34,15 @@ func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, oidcClient client.
 	if err != nil {
 		return nil, fmt.Errorf("could not generate a nonce: %w", err)
 	}
-	p, err := pkce.New(oidcClient.SupportedPKCEMethods())
+	pkceParams, err := pkce.New(oidcClient.NegotiatedPKCEMethod())
 	if err != nil {
-		return nil, fmt.Errorf("could not generate PKCE parameters: %w", err)
+		return nil, fmt.Errorf("could not generate the PKCE parameters: %w", err)
 	}
 	authCodeURL := oidcClient.GetAuthCodeURL(client.AuthCodeURLInput{
 		State:                  state,
 		Nonce:                  nonce,
-		PKCEParams:             p,
-		RedirectURI:            oobRedirectURI,
+		PKCEParams:             pkceParams,
+		RedirectURI:            o.RedirectURL,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	})
 	u.Logger.Printf("Please visit the following URL in your browser: %s", authCodeURL)
@@ -54,9 +54,9 @@ func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, oidcClient client.
 	u.Logger.V(1).Infof("exchanging the code and token")
 	tokenSet, err := oidcClient.ExchangeAuthCode(ctx, client.ExchangeAuthCodeInput{
 		Code:        code,
-		PKCEParams:  p,
+		PKCEParams:  pkceParams,
 		Nonce:       nonce,
-		RedirectURI: oobRedirectURI,
+		RedirectURI: o.RedirectURL,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("could not exchange the authorization code: %w", err)

pkg/usecases/authentication/authcode/keyboard_test.go

@@ -6,9 +6,11 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/stretchr/testify/mock"
 )
@@ -22,10 +24,8 @@ func TestKeyboard_Do(t *testing.T) {
 		o := &KeyboardOption{
 			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 		}
-		mockClient := client.NewMockInterface(t)
-		mockClient.EXPECT().
-			SupportedPKCEMethods().
-			Return(nil)
+		mockClient := client_mock.NewMockInterface(t)
+		mockClient.EXPECT().NegotiatedPKCEMethod().Return(pkce.NoMethod)
 		mockClient.EXPECT().
 			GetAuthCodeURL(mock.Anything).
 			Run(func(in client.AuthCodeURLInput) {
@@ -45,7 +45,7 @@ func TestKeyboard_Do(t *testing.T) {
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockReader := reader.NewMockInterface(t)
+		mockReader := reader_mock.NewMockInterface(t)
 		mockReader.EXPECT().
 			ReadString(keyboardPrompt).
 			Return("YOUR_AUTH_CODE", nil)