Configure automatically generated release notes (#1222)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/release.yml

@@ -0,0 +1,16 @@
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+changelog:
+  categories:
+    - title: Features
+      labels:
+        - '*'
+      exclude:
+        labels:
+          - renovate
+          - refactoring
+    - title: Refactoring
+      labels:
+        - refactoring
+    - title: Dependencies
+      labels:
+        - renovate

.github/renovate.json5

@@ -1,6 +1,12 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "github>int128/renovate-base",
-    "github>int128/go-actions",
+    "github>int128/go-renovate-config#v1.7.2",
+    "github>int128/go-renovate-config:go-directive#v1.7.2",
+    "github>int128/go-renovate-config:github-actions#v1.7.2",
+    "github>int128/go-renovate-config:kubernetes#v1.7.2",
+    "github>int128/go-renovate-config:kustomization-github-releases#v1.7.2",
+    "helpers:pinGitHubActionDigests",
   ],
 }

.github/workflows/docker.yaml

@@ -9,7 +9,6 @@ on:
       - pkg/**
       - go.*
       - Dockerfile
-      - Makefile
   push:
     branches:
       - master
@@ -18,35 +17,53 @@ on:
       - pkg/**
       - go.*
       - Dockerfile
-      - Makefile
     tags:
       - v*
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-uri: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: docker/metadata-action@v4
-        id: metadata
-        with:
-          images: ghcr.io/${{ github.repository }}
-      - uses: int128/docker-build-cache-config-action@v1
-        id: cache
-        with:
-          image: ghcr.io/${{ github.repository }}/cache
-      - uses: docker/login-action@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
-      - uses: docker/build-push-action@v3
+      - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        id: metadata
         with:
-          push: ${{ github.event_name == 'push' }}
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@622932dfa73db7d3a65e40d5fcc094f2101e659a # v1.37.0
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        id: build
+        with:
+          push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
           cache-from: ${{ steps.cache.outputs.cache-from }}
           cache-to: ${{ steps.cache.outputs.cache-to }}
-          platforms: linux/amd64,linux/arm64,linux/ppc64le
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/ppc64le
+
+  test:
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - run: docker run --rm "$IMAGE_URI" --help
+        env:
+          IMAGE_URI: ${{ needs.build.outputs.image-uri }}

.github/workflows/go.yaml

@@ -7,7 +7,10 @@ on:
     paths:
       - .github/workflows/go.yaml
       - pkg/**
-      - go.*
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
     tags:
       - v*
   pull_request:
@@ -16,27 +19,61 @@ on:
     paths:
       - .github/workflows/go.yaml
       - pkg/**
-      - go.*
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
 
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
-        with:
-          go-version: 1.18.5
-      - uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.48.0
-
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: 1.18.5
-      - run: go test -v -race ./...
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make test
+
+  integration-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make integration-test
+
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+      - run: make lint
+
+  generate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: tools/go.mod
+          cache-dependency-path: tools/go.sum
+      - run: go mod tidy
+      - run: make generate
+      - uses: int128/update-generated-files-action@7eb71af1ae8e30d970ea5512d23fd2f4b0eae44c # v2.56.0

.github/workflows/release.yaml

@@ -54,21 +54,22 @@ jobs:
       CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: 1.18.5
-      - run: go build -ldflags "-X main.version=${GITHUB_REF##*/}"
-      - uses: int128/go-actions/release@v1
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: go build -ldflags '-X main.version=${{ github.ref_name }}'
+      - uses: int128/go-release-action@2979cc5b15ceb7ae458e95b0a9467afc7ae25259 # v2.0.0
         with:
           binary: kubelogin
 
   publish:
-    if: startswith(github.ref, 'refs/tags/')
+    if: github.ref_type == 'tag'
     needs:
       - build
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
-      - uses: rajatjindal/krew-release-bot@v0.0.43
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47

.github/workflows/system-test.yaml

@@ -22,10 +22,11 @@ jobs:
   system-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: int128/go-actions/setup@v1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: 1.18.5
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
 
       # for certutil
       # https://packages.ubuntu.com/xenial/libnss3-tools

.gitignore

@@ -1,5 +1,7 @@
 /.idea
 
+/tools/bin
+
 /acceptance_test/output/
 
 /coverage.out

.mockery.yaml

@@ -0,0 +1,11 @@
+outpkg: "{{.PackageName}}_mock"
+dir: "mocks/{{.PackagePath}}_mock"
+
+packages:
+  github.com/int128/kubelogin:
+    config:
+      all: true
+      recursive: true
+  io:
+    interfaces:
+      Closer:

Dockerfile

@@ -1,12 +1,20 @@
-FROM golang:1.18 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23 AS builder
 
 WORKDIR /builder
-COPY go.* .
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
 RUN go mod download
+
+# Copy the go source
 COPY main.go .
 COPY pkg pkg
-RUN go build
 
-FROM gcr.io/distroless/base-debian10
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build
+
+FROM gcr.io/distroless/base-debian12
 COPY --from=builder /builder/kubelogin /
 ENTRYPOINT ["/kubelogin"]

Makefile

@@ -0,0 +1,22 @@
+.PHONY: all
+all:
+
+.PHONY: test
+test:
+	go test -v -race ./pkg/...
+
+.PHONY: integration-test
+integration-test:
+	go test -v -race ./integration_test/...
+
+.PHONY: generate
+generate:
+	$(MAKE) -C tools
+	./tools/bin/wire ./pkg/di
+	rm -fr mocks/
+	./tools/bin/mockery
+
+.PHONY: lint
+lint:
+	$(MAKE) -C tools
+	./tools/bin/golangci-lint run

docs/usage.md

@@ -12,13 +12,15 @@ Flags:
       --oidc-client-secret string                       Client secret of the provider
       --oidc-extra-scope strings                        Scopes to request to the provider
       --oidc-use-pkce                                   Force PKCE usage
+      --oidc-use-access-token                           Instead of using the id_token, use the access_token to authenticate to Kubernetes
       --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
+      --force-refresh                                   If set, refresh the ID token regardless of its expiration time
       --certificate-authority stringArray               Path to a cert file for the certificate authority
       --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
       --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
       --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
-      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code) (default "auto")
       --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
       --skip-open-browser                               [authcode] Do not open the browser automatically
       --browser-command string                          [authcode] Command to open the browser
@@ -27,6 +29,7 @@ Flags:
       --local-server-key string                         [authcode] Certificate key path for the local server
       --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
       --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
+      --oidc-redirect-url-authcode-keyboard string      [authcode-keyboard] Redirect URL (default "urn:ietf:wg:oauth:2.0:oob")
       --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
       --username string                                 [password] Username for resource owner password credentials grant
       --password string                                 [password] Password for resource owner password credentials grant
@@ -34,16 +37,16 @@ Flags:
 
 Global Flags:
       --add_dir_header                   If true, adds the file directory to the header of the log messages
-      --alsologtostderr                  log to standard error as well as files
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
       --logtostderr                      log to standard error instead of files (default true)
-      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
       --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
   -v, --v Level                          number for the log level verbosity
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```
@@ -172,7 +175,12 @@ Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=
 Enter code: YOUR_CODE
 ```
 
-Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and some OIDC providers do not support it.
+The default of redirect URI is `urn:ietf:wg:oauth:2.0:oob`.
+You can overwrite it.
+
+```yaml
+      - oidc-redirect-url-authcode-keyboard=http://localhost
+```
 
 You can add extra parameters to the authentication request.
 

go.mod

@@ -1,25 +1,62 @@
 module github.com/int128/kubelogin
 
-go 1.16
+go 1.23.4
 
 require (
-	github.com/alexflint/go-filemutex v1.2.0
-	github.com/chromedp/chromedp v0.8.5
-	github.com/coreos/go-oidc/v3 v3.2.0
-	github.com/golang-jwt/jwt/v4 v4.4.2
-	github.com/google/go-cmp v0.5.9
-	github.com/google/wire v0.5.0
-	github.com/int128/oauth2cli v1.14.0
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
-	github.com/spf13/cobra v1.5.0
+	github.com/chromedp/chromedp v0.11.2
+	github.com/coreos/go-oidc/v3 v3.12.0
+	github.com/gofrs/flock v0.12.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/google/go-cmp v0.6.0
+	github.com/google/wire v0.6.0
+	github.com/int128/oauth2cli v1.14.1
+	github.com/int128/oauth2dev v1.0.1
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.0
-	golang.org/x/net v0.0.0-20220909164309-bea034e7d591
-	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
-	golang.org/x/sync v0.0.0-20220907140024-f12130a52804
-	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035
-	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/apimachinery v0.24.4
-	k8s.io/client-go v0.24.4
-	k8s.io/klog/v2 v2.70.1
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/oauth2 v0.25.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.28.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.32.0
+	k8s.io/client-go v0.32.0
+	k8s.io/klog/v2 v2.130.1
+)
+
+require (
+	github.com/chromedp/cdproto v0.0.0-20241022234722-4d5d5faf59fb // indirect
+	github.com/chromedp/sysutil v1.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gobwas/httphead v0.1.0 // indirect
+	github.com/gobwas/pool v0.2.1 // indirect
+	github.com/gobwas/ws v1.4.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/int128/listener v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

integration_test/credetial_plugin_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/int128/kubelogin/integration_test/httpdriver"
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
@@ -27,7 +28,6 @@ import (
 // 2. Run the Cmd.
 // 3. Open a request for the local server.
 // 4. Verify the output.
-//
 func TestCredentialPlugin(t *testing.T) {
 	timeout := 10 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -53,12 +53,12 @@ func TestCredentialPlugin(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.TestConfig{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -78,14 +78,14 @@ func TestCredentialPlugin(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.TestConfig{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -108,15 +108,15 @@ func TestCredentialPlugin(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				sv := oidcserver.New(t, tc.keyPair, testconfig.TestConfig{})
 
 				t.Run("NoCache", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.TestConfig{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_1",
 						},
@@ -133,7 +133,7 @@ func TestCredentialPlugin(t *testing.T) {
 					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					sv.SetConfig(testconfig.TestConfig{})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
@@ -146,13 +146,13 @@ func TestCredentialPlugin(t *testing.T) {
 					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.TestConfig{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(3 * time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_2",
 						},
@@ -169,13 +169,13 @@ func TestCredentialPlugin(t *testing.T) {
 					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.TestConfig{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(5 * time.Hour),
 						},
 					})
@@ -198,13 +198,13 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:               "openid",
 				RedirectURIPrefix:   "http://localhost:",
 				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry:                 now.Add(time.Hour),
 				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
@@ -224,12 +224,12 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.Server, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -249,12 +249,12 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "email profile openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -277,12 +277,12 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -302,12 +302,12 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://127.0.0.1:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -327,12 +327,12 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "https://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -358,8 +358,8 @@ func TestCredentialPlugin(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 				ExtraParams: map[string]string{
@@ -367,7 +367,7 @@ func TestCredentialPlugin(t *testing.T) {
 					"reauth": "false",
 				},
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})

integration_test/httpdriver/http_driver.go

@@ -4,7 +4,7 @@ package httpdriver
 import (
 	"context"
 	"crypto/tls"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 	"testing"
@@ -48,7 +48,7 @@ func (c *client) Open(url string) error {
 	if resp.StatusCode != 200 {
 		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
 	}
-	b, err := ioutil.ReadAll(resp.Body)
+	b, err := io.ReadAll(resp.Body)
 	if err != nil {
 		c.t.Errorf("could not read body: %s", err)
 		return nil

integration_test/keypair/keypair.go

@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 )
@@ -50,7 +49,7 @@ func readAsBase64(name string) string {
 }
 
 func newTLSConfig(name string) *tls.Config {
-	b, err := ioutil.ReadFile(name)
+	b, err := os.ReadFile(name)
 	if err != nil {
 		panic(err)
 	}

integration_test/kubeconfig/kubeconfig.go

@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"testing"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // Values represents values in .kubeconfig template.

integration_test/oidcserver/handler/handler.go

@@ -1,4 +1,4 @@
-// Package handler provides a HTTP handler for the OpenID Connect Provider.
+// Package handler provides HTTP handlers for the OpenID Connect Provider.
 package handler
 
 import (
@@ -7,28 +7,34 @@ import (
 	"fmt"
 	"net/http"
 	"testing"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
 )
 
-func New(t *testing.T, provider Provider) *Handler {
-	return &Handler{t, provider}
+func Register(t *testing.T, mux *http.ServeMux, provider service.Provider) {
+	h := &Handlers{t, provider}
+	mux.HandleFunc("GET /.well-known/openid-configuration", h.Discovery)
+	mux.HandleFunc("GET /certs", h.GetCertificates)
+	mux.HandleFunc("GET /auth", h.AuthenticateCode)
+	mux.HandleFunc("POST /token", h.Exchange)
 }
 
-// Handler provides a HTTP handler for the OpenID Connect Provider.
+// Handlers provides HTTP handlers for the OpenID Connect Provider.
 // You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
-type Handler struct {
+type Handlers struct {
 	t        *testing.T
-	provider Provider
+	provider service.Provider
 }
 
-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func() error) {
 	wr := &responseWriterRecorder{w, 200}
-	err := h.serveHTTP(wr, r)
+	err := f()
 	if err == nil {
 		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
 		return
 	}
-	if errResp := new(ErrorResponse); errors.As(err, &errResp) {
+	if errResp := new(service.ErrorResponse); errors.As(err, &errResp) {
 		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(400)
@@ -52,28 +58,35 @@ func (w *responseWriterRecorder) WriteHeader(statusCode int) {
 	w.statusCode = statusCode
 }
 
-func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
-	m := r.Method
-	p := r.URL.Path
-	switch {
-	case m == "GET" && p == "/.well-known/openid-configuration":
+func (h *Handlers) Discovery(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
 			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/certs":
+		return nil
+	})
+}
+
+func (h *Handlers) GetCertificates(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
 			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/auth":
+		return nil
+	})
+}
+
+func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		q := r.URL.Query()
 		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
-		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+		code, err := h.provider.AuthenticateCode(service.AuthenticationRequest{
 			RedirectURI:         redirectURI,
 			State:               state,
 			Scope:               q.Get("scope"),
@@ -87,14 +100,19 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		}
 		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
 		http.Redirect(w, r, to, 302)
-	case m == "POST" && p == "/token":
+		return nil
+	})
+}
+
+func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		if err := r.ParseForm(); err != nil {
 			return fmt.Errorf("could not parse the form: %w", err)
 		}
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
 		case "authorization_code":
-			tokenResponse, err := h.provider.Exchange(TokenRequest{
+			tokenResponse, err := h.provider.Exchange(service.TokenRequest{
 				Code:         r.Form.Get("code"),
 				CodeVerifier: r.Form.Get("code_verifier"),
 			})
@@ -135,13 +153,11 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		default:
 			// 5.2. Error Response
 			// https://tools.ietf.org/html/rfc6749#section-5.2
-			return &ErrorResponse{
+			return &service.ErrorResponse{
 				Code:        "invalid_grant",
 				Description: fmt.Sprintf("unknown grant_type %s", grantType),
 			}
 		}
-	default:
-		http.NotFound(w, r)
-	}
-	return nil
+		return nil
+	})
 }

integration_test/oidcserver/http/http.go

@@ -1,74 +0,0 @@
-// Package http provides a http server running on localhost for testing.
-package http
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"testing"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-)
-
-func Start(t *testing.T, h http.Handler, k keypair.KeyPair) string {
-	if k == keypair.None {
-		return startNoTLS(t, h)
-	}
-	return startTLS(t, h, k)
-}
-
-func startNoTLS(t *testing.T, h http.Handler) string {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "http://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.Serve(l)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(func() {
-		if err := s.Shutdown(context.TODO()); err != nil {
-			t.Errorf("could not shutdown the server: %s", err)
-		}
-	})
-	return url
-}
-
-func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) string {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "https://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.ServeTLS(l, k.CertPath, k.KeyPath)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(func() {
-		if err := s.Shutdown(context.TODO()); err != nil {
-			t.Errorf("could not shutdown the server: %s", err)
-		}
-	})
-	return url
-}
-
-func newLocalhostListener(t *testing.T) (net.Listener, string) {
-	t.Helper()
-	l, err := net.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatalf("Could not create a listener: %s", err)
-	}
-	addr := l.Addr().String()
-	_, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		t.Fatalf("Could not parse the address %s: %s", addr, err)
-	}
-	return l, port
-}

integration_test/oidcserver/oidcserver.go

@@ -0,0 +1,54 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+)
+
+// New starts a server for the OpenID Connect provider.
+func New(t *testing.T, k keypair.KeyPair, c testconfig.TestConfig) service.Service {
+	mux := http.NewServeMux()
+	serverURL := startServer(t, mux, k)
+
+	svc := service.New(t, serverURL, c)
+	handler.Register(t, mux, svc)
+	return svc
+}
+
+func startServer(t *testing.T, h http.Handler, k keypair.KeyPair) string {
+	if k == keypair.None {
+		sv := httptest.NewServer(h)
+		t.Cleanup(sv.Close)
+		return sv.URL
+	}
+
+	// Unfortunately, httptest package did not work with keypair.KeyPair.
+	// We use httptest package only for allocating a new port.
+	portAllocator := httptest.NewUnstartedServer(h)
+	t.Cleanup(portAllocator.Close)
+	serverURL := fmt.Sprintf("https://localhost:%d", portAllocator.Listener.Addr().(*net.TCPAddr).Port)
+	sv := &http.Server{Handler: h}
+	go func() {
+		err := sv.ServeTLS(portAllocator.Listener, k.CertPath, k.KeyPath)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			t.Error(err)
+		}
+	}()
+	t.Cleanup(func() {
+		if err := sv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return serverURL
+}

integration_test/oidcserver/server.go

@@ -1,215 +0,0 @@
-// Package oidcserver provides a stub of OpenID Connect provider.
-package oidcserver
-
-import (
-	"crypto/sha256"
-	"encoding/base64"
-	"fmt"
-	"math/big"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
-	"github.com/int128/kubelogin/integration_test/oidcserver/http"
-	"github.com/int128/kubelogin/pkg/testing/jwt"
-)
-
-type Server interface {
-	IssuerURL() string
-	SetConfig(Config)
-	LastTokenResponse() *handler.TokenResponse
-}
-
-// Want represents a set of expected values.
-type Want struct {
-	Scope               string
-	RedirectURIPrefix   string
-	CodeChallengeMethod string            // optional
-	ExtraParams         map[string]string // optional
-	Username            string            // optional
-	Password            string            // optional
-	RefreshToken        string            // optional
-}
-
-// Response represents a set of response values.
-type Response struct {
-	IDTokenExpiry                 time.Time
-	RefreshToken                  string
-	RefreshError                  string   // if set, Refresh() will return the error
-	CodeChallengeMethodsSupported []string // optional
-}
-
-// Config represents a configuration of the OpenID Connect provider.
-type Config struct {
-	Want     Want
-	Response Response
-}
-
-// New starts a HTTP server for the OpenID Connect provider.
-func New(t *testing.T, k keypair.KeyPair, c Config) Server {
-	sv := server{Config: c, t: t}
-	sv.issuerURL = http.Start(t, handler.New(t, &sv), k)
-	return &sv
-}
-
-type server struct {
-	Config
-	t                         *testing.T
-	issuerURL                 string
-	lastAuthenticationRequest *handler.AuthenticationRequest
-	lastTokenResponse         *handler.TokenResponse
-}
-
-func (sv *server) IssuerURL() string {
-	return sv.issuerURL
-}
-
-func (sv *server) SetConfig(cfg Config) {
-	sv.Config = cfg
-}
-
-func (sv *server) LastTokenResponse() *handler.TokenResponse {
-	return sv.lastTokenResponse
-}
-
-func (sv *server) Discovery() *handler.DiscoveryResponse {
-	// based on https://accounts.google.com/.well-known/openid-configuration
-	return &handler.DiscoveryResponse{
-		Issuer:                            sv.issuerURL,
-		AuthorizationEndpoint:             sv.issuerURL + "/auth",
-		TokenEndpoint:                     sv.issuerURL + "/token",
-		JwksURI:                           sv.issuerURL + "/certs",
-		UserinfoEndpoint:                  sv.issuerURL + "/userinfo",
-		RevocationEndpoint:                sv.issuerURL + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     sv.Config.Response.CodeChallengeMethodsSupported,
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
-func (sv *server) GetCertificates() *handler.CertificatesResponse {
-	idTokenKeyPair := jwt.PrivateKey
-	return &handler.CertificatesResponse{
-		Keys: []*handler.CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
-}
-
-func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
-	if req.Scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
-	}
-	if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
-		sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
-	}
-	if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
-		sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
-	}
-	for k, v := range sv.Want.ExtraParams {
-		got := req.RawQuery.Get(k)
-		if got != v {
-			sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
-		}
-	}
-	sv.lastAuthenticationRequest = &req
-	return "YOUR_AUTH_CODE", nil
-}
-
-func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
-	if req.Code != "YOUR_AUTH_CODE" {
-		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
-	}
-	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
-		// https://tools.ietf.org/html/rfc7636#section-4.6
-		challenge := computeS256Challenge(req.CodeVerifier)
-		if challenge != sv.lastAuthenticationRequest.CodeChallenge {
-			sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
-		}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-			claims.Nonce = sv.lastAuthenticationRequest.Nonce
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func computeS256Challenge(verifier string) string {
-	c := sha256.Sum256([]byte(verifier))
-	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
-}
-
-func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
-	if scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
-	}
-	if username != sv.Want.Username {
-		sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
-	}
-	if password != sv.Want.Password {
-		sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
-	if refreshToken != sv.Want.RefreshToken {
-		sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
-	}
-	if sv.Response.RefreshError != "" {
-		return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
-			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}

integration_test/oidcserver/service/service.go

@@ -0,0 +1,183 @@
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+func New(t *testing.T, issuerURL string, config testconfig.TestConfig) Service {
+	return &service{
+		config:    config,
+		t:         t,
+		issuerURL: issuerURL,
+	}
+}
+
+type service struct {
+	config                    testconfig.TestConfig
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *AuthenticationRequest
+	lastTokenResponse         *TokenResponse
+}
+
+func (svc *service) IssuerURL() string {
+	return svc.issuerURL
+}
+
+func (svc *service) SetConfig(cfg testconfig.TestConfig) {
+	svc.config = cfg
+}
+
+func (svc *service) LastTokenResponse() *TokenResponse {
+	return svc.lastTokenResponse
+}
+
+func (svc *service) Discovery() *DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &DiscoveryResponse{
+		Issuer:                            svc.issuerURL,
+		AuthorizationEndpoint:             svc.issuerURL + "/auth",
+		TokenEndpoint:                     svc.issuerURL + "/token",
+		JwksURI:                           svc.issuerURL + "/certs",
+		UserinfoEndpoint:                  svc.issuerURL + "/userinfo",
+		RevocationEndpoint:                svc.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     svc.config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (svc *service) GetCertificates() *CertificatesResponse {
+	idTokenKeyPair := testingJWT.PrivateKey
+	return &CertificatesResponse{
+		Keys: []*CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (svc *service) AuthenticateCode(req AuthenticationRequest) (code string, err error) {
+	if req.Scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, svc.config.Want.RedirectURIPrefix) {
+		svc.t.Errorf("redirectURI wants prefix `%s` but was `%s`", svc.config.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if req.CodeChallengeMethod != svc.config.Want.CodeChallengeMethod {
+		svc.t.Errorf("code_challenge_method wants `%s` but was `%s`", svc.config.Want.CodeChallengeMethod, req.CodeChallengeMethod)
+	}
+	for k, v := range svc.config.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			svc.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	svc.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (svc *service) Exchange(req TokenRequest) (*TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if svc.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != svc.lastAuthenticationRequest.CodeChallenge {
+			svc.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", svc.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = svc.lastAuthenticationRequest.Nonce
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (svc *service) AuthenticatePassword(username, password, scope string) (*TokenResponse, error) {
+	if scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, scope)
+	}
+	if username != svc.config.Want.Username {
+		svc.t.Errorf("username wants `%s` but was `%s`", svc.config.Want.Username, username)
+	}
+	if password != svc.config.Want.Password {
+		svc.t.Errorf("password wants `%s` but was `%s`", svc.config.Want.Password, password)
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (svc *service) Refresh(refreshToken string) (*TokenResponse, error) {
+	if refreshToken != svc.config.Want.RefreshToken {
+		svc.t.Errorf("refreshToken wants %s but was %s", svc.config.Want.RefreshToken, refreshToken)
+	}
+	if svc.config.Response.RefreshError != "" {
+		return nil, &ErrorResponse{Code: "invalid_request", Description: svc.config.Response.RefreshError}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}

integration_test/oidcserver/service/types.go

@@ -1,11 +1,24 @@
-package handler
+package service
 
 import (
 	"fmt"
 	"net/url"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 )
 
-// Provider provides discovery and authentication methods.
+// Service represents the test service of OpenID Connect Provider.
+// It provides the feature of Provider and additional methods for testing.
+type Service interface {
+	Provider
+
+	IssuerURL() string
+	SetConfig(config testconfig.TestConfig)
+	LastTokenResponse() *TokenResponse
+}
+
+// Provider represents an OpenID Connect Provider.
+//
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
@@ -18,6 +31,8 @@ type Provider interface {
 	Refresh(refreshToken string) (*TokenResponse, error)
 }
 
+// DiscoveryResponse represents the type of:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
 type DiscoveryResponse struct {
 	Issuer                            string   `json:"issuer"`
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
@@ -34,10 +49,14 @@ type DiscoveryResponse struct {
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
 }
 
+// CertificatesResponse represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-5
 type CertificatesResponse struct {
 	Keys []*CertificatesResponseKey `json:"keys"`
 }
 
+// CertificatesResponseKey represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-4
 type CertificatesResponseKey struct {
 	Kty string `json:"kty"`
 	Alg string `json:"alg"`
@@ -47,7 +66,7 @@ type CertificatesResponseKey struct {
 	E   string `json:"e"`
 }
 
-// AuthenticationRequest represents a type of:
+// AuthenticationRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 type AuthenticationRequest struct {
 	RedirectURI         string
@@ -59,13 +78,15 @@ type AuthenticationRequest struct {
 	RawQuery            url.Values
 }
 
-// TokenRequest represents a type of:
+// TokenRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
 type TokenRequest struct {
 	Code         string
 	CodeVerifier string
 }
 
+// TokenResponse represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
 type TokenResponse struct {
 	AccessToken  string `json:"access_token"`
 	TokenType    string `json:"token_type"`
@@ -74,7 +95,7 @@ type TokenResponse struct {
 	IDToken      string `json:"id_token"`
 }
 
-// ErrorResponse represents an error response described in the following section:
+// ErrorResponse represents the error response described in the following section:
 // 5.2 Error Response
 // https://tools.ietf.org/html/rfc6749#section-5.2
 type ErrorResponse struct {

integration_test/oidcserver/testconfig/types.go

@@ -0,0 +1,28 @@
+package testconfig
+
+import "time"
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string            // optional
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string   // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string // optional
+}
+
+// TestConfig represents a configuration of the OpenID Connect provider.
+type TestConfig struct {
+	Want     Want
+	Response Response
+}

integration_test/standalone_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/kubeconfig"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
@@ -22,7 +23,6 @@ import (
 // 2. Run the Cmd.
 // 3. Open a request for the local server.
 // 4. Verify the kubeconfig.
-//
 func TestStandalone(t *testing.T) {
 	timeout := 3 * time.Second
 	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -46,12 +46,12 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.TestConfig{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -75,14 +75,14 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.TestConfig{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -110,19 +110,19 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				sv := oidcserver.New(t, tc.keyPair, testconfig.TestConfig{})
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})
 
 				t.Run("NoToken", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.TestConfig{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_1",
 						},
@@ -139,7 +139,7 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					sv.SetConfig(testconfig.TestConfig{})
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
@@ -152,13 +152,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.TestConfig{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(3 * time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_2",
 						},
@@ -175,13 +175,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.TestConfig{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(5 * time.Hour),
 						},
 					})
@@ -204,12 +204,12 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.Server, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -232,12 +232,12 @@ func TestStandalone(t *testing.T) {
 	t.Run("env_KUBECONFIG", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -260,12 +260,12 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.TestConfig{
+			Want: testconfig.Want{
 				Scope:             "profile groups openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})

main.go

@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 	"os"
+	"os/signal"
+	"syscall"
 
 	"github.com/int128/kubelogin/pkg/di"
 )
@@ -10,5 +12,8 @@ import (
 var version = "HEAD"
 
 func main() {
-	os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
+	ctx := context.Background()
+	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer stop()
+	os.Exit(di.NewCmd().Run(ctx, os.Args, version))
 }

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Provider.go

@@ -0,0 +1,361 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package service_mock
+
+import (
+	service "github.com/int128/kubelogin/integration_test/oidcserver/service"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockProvider is an autogenerated mock type for the Provider type
+type MockProvider struct {
+	mock.Mock
+}
+
+type MockProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
+	return &MockProvider_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function with given fields: req
+func (_m *MockProvider) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = rf(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockProvider_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockProvider_Expecter) AuthenticateCode(req interface{}) *MockProvider_AuthenticateCode_Call {
+	return &MockProvider_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.AuthenticationRequest))
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Return(code string, err error) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) RunAndReturn(run func(service.AuthenticationRequest) (string, error)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function with given fields: username, password, scope
+func (_m *MockProvider) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _m.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return rf(username, password, scope)
+	}
+	if rf, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = rf(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = rf(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockProvider_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockProvider_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockProvider_AuthenticatePassword_Call {
+	return &MockProvider_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) RunAndReturn(run func(string, string, string) (*service.TokenResponse, error)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function with no fields
+func (_m *MockProvider) Discovery() *service.DiscoveryResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if rf, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockProvider_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockProvider_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) Discovery() *MockProvider_Discovery_Call {
+	return &MockProvider_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockProvider_Discovery_Call) Run(run func()) *MockProvider_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) Return(_a0 *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function with given fields: req
+func (_m *MockProvider) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = rf(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockProvider_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockProvider_Expecter) Exchange(req interface{}) *MockProvider_Exchange_Call {
+	return &MockProvider_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockProvider_Exchange_Call) Run(run func(req service.TokenRequest)) *MockProvider_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.TokenRequest))
+	})
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_Exchange_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) RunAndReturn(run func(service.TokenRequest) (*service.TokenResponse, error)) *MockProvider_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function with no fields
+func (_m *MockProvider) GetCertificates() *service.CertificatesResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if rf, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockProvider_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockProvider_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetCertificates() *MockProvider_GetCertificates_Call {
+	return &MockProvider_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockProvider_GetCertificates_Call) Run(run func()) *MockProvider_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) Return(_a0 *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: refreshToken
+func (_m *MockProvider) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _m.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return rf(refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = rf(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockProvider_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockProvider_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockProvider_Expecter) Refresh(refreshToken interface{}) *MockProvider_Refresh_Call {
+	return &MockProvider_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockProvider_Refresh_Call) Run(run func(refreshToken string)) *MockProvider_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockProvider_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) RunAndReturn(run func(string) (*service.TokenResponse, error)) *MockProvider_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockProvider {
+	mock := &MockProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mock_Service.go

@@ -0,0 +1,487 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package service_mock
+
+import (
+	service "github.com/int128/kubelogin/integration_test/oidcserver/service"
+	testconfig "github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockService is an autogenerated mock type for the Service type
+type MockService struct {
+	mock.Mock
+}
+
+type MockService_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockService) EXPECT() *MockService_Expecter {
+	return &MockService_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function with given fields: req
+func (_m *MockService) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = rf(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	if rf, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockService_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockService_Expecter) AuthenticateCode(req interface{}) *MockService_AuthenticateCode_Call {
+	return &MockService_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockService_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockService_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.AuthenticationRequest))
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) Return(code string, err error) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) RunAndReturn(run func(service.AuthenticationRequest) (string, error)) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function with given fields: username, password, scope
+func (_m *MockService) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _m.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return rf(username, password, scope)
+	}
+	if rf, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = rf(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = rf(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockService_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockService_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockService_AuthenticatePassword_Call {
+	return &MockService_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) RunAndReturn(run func(string, string, string) (*service.TokenResponse, error)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function with no fields
+func (_m *MockService) Discovery() *service.DiscoveryResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if rf, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockService_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockService_Expecter) Discovery() *MockService_Discovery_Call {
+	return &MockService_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockService_Discovery_Call) Run(run func()) *MockService_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) Return(_a0 *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function with given fields: req
+func (_m *MockService) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _m.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return rf(req)
+	}
+	if rf, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = rf(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = rf(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockService_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockService_Expecter) Exchange(req interface{}) *MockService_Exchange_Call {
+	return &MockService_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockService_Exchange_Call) Run(run func(req service.TokenRequest)) *MockService_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(service.TokenRequest))
+	})
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_Exchange_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) RunAndReturn(run func(service.TokenRequest) (*service.TokenResponse, error)) *MockService_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function with no fields
+func (_m *MockService) GetCertificates() *service.CertificatesResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if rf, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockService_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockService_Expecter) GetCertificates() *MockService_GetCertificates_Call {
+	return &MockService_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockService_GetCertificates_Call) Run(run func()) *MockService_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) Return(_a0 *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IssuerURL provides a mock function with no fields
+func (_m *MockService) IssuerURL() string {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for IssuerURL")
+	}
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func() string); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockService_IssuerURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerURL'
+type MockService_IssuerURL_Call struct {
+	*mock.Call
+}
+
+// IssuerURL is a helper method to define mock.On call
+func (_e *MockService_Expecter) IssuerURL() *MockService_IssuerURL_Call {
+	return &MockService_IssuerURL_Call{Call: _e.mock.On("IssuerURL")}
+}
+
+func (_c *MockService_IssuerURL_Call) Run(run func()) *MockService_IssuerURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) Return(_a0 string) *MockService_IssuerURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) RunAndReturn(run func() string) *MockService_IssuerURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LastTokenResponse provides a mock function with no fields
+func (_m *MockService) LastTokenResponse() *service.TokenResponse {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for LastTokenResponse")
+	}
+
+	var r0 *service.TokenResponse
+	if rf, ok := ret.Get(0).(func() *service.TokenResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	return r0
+}
+
+// MockService_LastTokenResponse_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LastTokenResponse'
+type MockService_LastTokenResponse_Call struct {
+	*mock.Call
+}
+
+// LastTokenResponse is a helper method to define mock.On call
+func (_e *MockService_Expecter) LastTokenResponse() *MockService_LastTokenResponse_Call {
+	return &MockService_LastTokenResponse_Call{Call: _e.mock.On("LastTokenResponse")}
+}
+
+func (_c *MockService_LastTokenResponse_Call) Run(run func()) *MockService_LastTokenResponse_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) Return(_a0 *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) RunAndReturn(run func() *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: refreshToken
+func (_m *MockService) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _m.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return rf(refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = rf(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockService_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockService_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockService_Expecter) Refresh(refreshToken interface{}) *MockService_Refresh_Call {
+	return &MockService_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockService_Refresh_Call) Run(run func(refreshToken string)) *MockService_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string))
+	})
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) Return(_a0 *service.TokenResponse, _a1 error) *MockService_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) RunAndReturn(run func(string) (*service.TokenResponse, error)) *MockService_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SetConfig provides a mock function with given fields: config
+func (_m *MockService) SetConfig(config testconfig.TestConfig) {
+	_m.Called(config)
+}
+
+// MockService_SetConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetConfig'
+type MockService_SetConfig_Call struct {
+	*mock.Call
+}
+
+// SetConfig is a helper method to define mock.On call
+//   - config testconfig.TestConfig
+func (_e *MockService_Expecter) SetConfig(config interface{}) *MockService_SetConfig_Call {
+	return &MockService_SetConfig_Call{Call: _e.mock.On("SetConfig", config)}
+}
+
+func (_c *MockService_SetConfig_Call) Run(run func(config testconfig.TestConfig)) *MockService_SetConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(testconfig.TestConfig))
+	})
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) Return() *MockService_SetConfig_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) RunAndReturn(run func(testconfig.TestConfig)) *MockService_SetConfig_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockService creates a new instance of MockService. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockService {
+	mock := &MockService{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/cmd_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package cmd
+package cmd_mock
 
 import (
 	context "context"
@@ -25,6 +25,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Run(ctx context.Context, args []string, version string) int {
 	ret := _m.Called(ctx, args, version)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Run")
+	}
+
 	var r0 int
 	if rf, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
 		r0 = rf(ctx, args, version)
@@ -41,9 +45,9 @@ type MockInterface_Run_Call struct {
 }
 
 // Run is a helper method to define mock.On call
-//  - ctx context.Context
-//  - args []string
-//  - version string
+//   - ctx context.Context
+//   - args []string
+//   - version string
 func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version interface{}) *MockInterface_Run_Call {
 	return &MockInterface_Run_Call{Call: _e.mock.On("Run", ctx, args, version)}
 }
@@ -60,13 +64,17 @@ func (_c *MockInterface_Run_Call) Return(_a0 int) *MockInterface_Run_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Run_Call) RunAndReturn(run func(context.Context, []string, string) int) *MockInterface_Run_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mock_Interface.go

@@ -0,0 +1,90 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package reader_mock
+
+import (
+	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function with no fields
+func (_m *MockInterface) Read() (credentialplugin.Input, error) {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 credentialplugin.Input
+	var r1 error
+	if rf, ok := ret.Get(0).(func() (credentialplugin.Input, error)); ok {
+		return rf()
+	}
+	if rf, ok := ret.Get(0).(func() credentialplugin.Input); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(credentialplugin.Input)
+	}
+
+	if rf, ok := ret.Get(1).(func() error); ok {
+		r1 = rf()
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockInterface_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Read() *MockInterface_Read_Call {
+	return &MockInterface_Read_Call{Call: _e.mock.On("Read")}
+}
+
+func (_c *MockInterface_Read_Call) Run(run func()) *MockInterface_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) Return(_a0 credentialplugin.Input, _a1 error) *MockInterface_Read_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) RunAndReturn(run func() (credentialplugin.Input, error)) *MockInterface_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package writer
+package writer_mock
 
 import (
 	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
@@ -24,6 +24,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Write(out credentialplugin.Output) error {
 	ret := _m.Called(out)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
 		r0 = rf(out)
@@ -40,7 +44,7 @@ type MockInterface_Write_Call struct {
 }
 
 // Write is a helper method to define mock.On call
-//  - out credentialplugin.Output
+//   - out credentialplugin.Output
 func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Call {
 	return &MockInterface_Write_Call{Call: _e.mock.On("Write", out)}
 }
@@ -57,13 +61,17 @@ func (_c *MockInterface_Write_Call) Return(_a0 error) *MockInterface_Write_Call
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Write_Call) RunAndReturn(run func(credentialplugin.Output) error) *MockInterface_Write_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package browser
+package browser_mock
 
 import (
 	context "context"
@@ -25,6 +25,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Open(url string) error {
 	ret := _m.Called(url)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Open")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(string) error); ok {
 		r0 = rf(url)
@@ -41,7 +45,7 @@ type MockInterface_Open_Call struct {
 }
 
 // Open is a helper method to define mock.On call
-//  - url string
+//   - url string
 func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call {
 	return &MockInterface_Open_Call{Call: _e.mock.On("Open", url)}
 }
@@ -58,10 +62,19 @@ func (_c *MockInterface_Open_Call) Return(_a0 error) *MockInterface_Open_Call {
 	return _c
 }
 
+func (_c *MockInterface_Open_Call) RunAndReturn(run func(string) error) *MockInterface_Open_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // OpenCommand provides a mock function with given fields: ctx, url, command
 func (_m *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
 	ret := _m.Called(ctx, url, command)
 
+	if len(ret) == 0 {
+		panic("no return value specified for OpenCommand")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
 		r0 = rf(ctx, url, command)
@@ -78,9 +91,9 @@ type MockInterface_OpenCommand_Call struct {
 }
 
 // OpenCommand is a helper method to define mock.On call
-//  - ctx context.Context
-//  - url string
-//  - command string
+//   - ctx context.Context
+//   - url string
+//   - command string
 func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{}, command interface{}) *MockInterface_OpenCommand_Call {
 	return &MockInterface_OpenCommand_Call{Call: _e.mock.On("OpenCommand", ctx, url, command)}
 }
@@ -97,13 +110,17 @@ func (_c *MockInterface_OpenCommand_Call) Return(_a0 error) *MockInterface_OpenC
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_OpenCommand_Call) RunAndReturn(run func(context.Context, string, string) error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package clock
+package clock_mock
 
 import (
 	time "time"
@@ -21,10 +21,14 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }
 
-// Now provides a mock function with given fields:
+// Now provides a mock function with no fields
 func (_m *MockInterface) Now() time.Time {
 	ret := _m.Called()
 
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
 	var r0 time.Time
 	if rf, ok := ret.Get(0).(func() time.Time); ok {
 		r0 = rf()
@@ -57,13 +61,17 @@ func (_c *MockInterface_Now_Call) Return(_a0 time.Time) *MockInterface_Now_Call
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Now_Call) RunAndReturn(run func() time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Interface.go

@@ -1,10 +1,12 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package logger
+package logger_mock
 
 import (
-	pflag "github.com/spf13/pflag"
+	logger "github.com/int128/kubelogin/pkg/infrastructure/logger"
 	mock "github.com/stretchr/testify/mock"
+
+	pflag "github.com/spf13/pflag"
 )
 
 // MockInterface is an autogenerated mock type for the Interface type
@@ -31,7 +33,7 @@ type MockInterface_AddFlags_Call struct {
 }
 
 // AddFlags is a helper method to define mock.On call
-//  - f *pflag.FlagSet
+//   - f *pflag.FlagSet
 func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
 	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
 }
@@ -48,10 +50,19 @@ func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
 	return _c
 }
 
+func (_c *MockInterface_AddFlags_Call) RunAndReturn(run func(*pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Run(run)
+	return _c
+}
+
 // IsEnabled provides a mock function with given fields: level
 func (_m *MockInterface) IsEnabled(level int) bool {
 	ret := _m.Called(level)
 
+	if len(ret) == 0 {
+		panic("no return value specified for IsEnabled")
+	}
+
 	var r0 bool
 	if rf, ok := ret.Get(0).(func(int) bool); ok {
 		r0 = rf(level)
@@ -68,7 +79,7 @@ type MockInterface_IsEnabled_Call struct {
 }
 
 // IsEnabled is a helper method to define mock.On call
-//  - level int
+//   - level int
 func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
 	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
 }
@@ -85,6 +96,11 @@ func (_c *MockInterface_IsEnabled_Call) Return(_a0 bool) *MockInterface_IsEnable
 	return _c
 }
 
+func (_c *MockInterface_IsEnabled_Call) RunAndReturn(run func(int) bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // Printf provides a mock function with given fields: format, args
 func (_m *MockInterface) Printf(format string, args ...interface{}) {
 	var _ca []interface{}
@@ -99,8 +115,8 @@ type MockInterface_Printf_Call struct {
 }
 
 // Printf is a helper method to define mock.On call
-//  - format string
-//  - args ...interface{}
+//   - format string
+//   - args ...interface{}
 func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
 	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
 		append([]interface{}{format}, args...)...)}
@@ -124,16 +140,25 @@ func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
 	return _c
 }
 
+func (_c *MockInterface_Printf_Call) RunAndReturn(run func(string, ...interface{})) *MockInterface_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
 // V provides a mock function with given fields: level
-func (_m *MockInterface) V(level int) Verbose {
+func (_m *MockInterface) V(level int) logger.Verbose {
 	ret := _m.Called(level)
 
-	var r0 Verbose
-	if rf, ok := ret.Get(0).(func(int) Verbose); ok {
+	if len(ret) == 0 {
+		panic("no return value specified for V")
+	}
+
+	var r0 logger.Verbose
+	if rf, ok := ret.Get(0).(func(int) logger.Verbose); ok {
 		r0 = rf(level)
 	} else {
 		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Verbose)
+			r0 = ret.Get(0).(logger.Verbose)
 		}
 	}
 
@@ -146,7 +171,7 @@ type MockInterface_V_Call struct {
 }
 
 // V is a helper method to define mock.On call
-//  - level int
+//   - level int
 func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
 	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
 }
@@ -158,18 +183,22 @@ func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
 	return _c
 }
 
-func (_c *MockInterface_V_Call) Return(_a0 Verbose) *MockInterface_V_Call {
+func (_c *MockInterface_V_Call) Return(_a0 logger.Verbose) *MockInterface_V_Call {
 	_c.Call.Return(_a0)
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_V_Call) RunAndReturn(run func(int) logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_Verbose.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package logger
+package logger_mock
 
 import mock "github.com/stretchr/testify/mock"
 
@@ -31,8 +31,8 @@ type MockVerbose_Infof_Call struct {
 }
 
 // Infof is a helper method to define mock.On call
-//  - format string
-//  - args ...interface{}
+//   - format string
+//   - args ...interface{}
 func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
 	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
 		append([]interface{}{format}, args...)...)}
@@ -56,13 +56,17 @@ func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockVerbose interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockVerbose_Infof_Call) RunAndReturn(run func(string, ...interface{})) *MockVerbose_Infof_Call {
+	_c.Run(run)
+	return _c
 }
 
 // NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockVerbose(t mockConstructorTestingTNewMockVerbose) *MockVerbose {
+// The first argument is typically a *testing.T value.
+func NewMockVerbose(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockVerbose {
 	mock := &MockVerbose{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mock_goLogger.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockgoLogger is an autogenerated mock type for the goLogger type
+type MockgoLogger struct {
+	mock.Mock
+}
+
+type MockgoLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockgoLogger) EXPECT() *MockgoLogger_Expecter {
+	return &MockgoLogger_Expecter{mock: &_m.Mock}
+}
+
+// Printf provides a mock function with given fields: format, v
+func (_m *MockgoLogger) Printf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// MockgoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockgoLogger_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *MockgoLogger_Expecter) Printf(format interface{}, v ...interface{}) *MockgoLogger_Printf_Call {
+	return &MockgoLogger_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *MockgoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *MockgoLogger_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockgoLogger_Printf_Call) Return() *MockgoLogger_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockgoLogger_Printf_Call) RunAndReturn(run func(string, ...interface{})) *MockgoLogger_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockgoLogger creates a new instance of MockgoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockgoLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockgoLogger {
+	mock := &MockgoLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package reader
+package reader_mock
 
 import mock "github.com/stretchr/testify/mock"
 
@@ -21,14 +21,21 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) ReadPassword(prompt string) (string, error) {
 	ret := _m.Called(prompt)
 
+	if len(ret) == 0 {
+		panic("no return value specified for ReadPassword")
+	}
+
 	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return rf(prompt)
+	}
 	if rf, ok := ret.Get(0).(func(string) string); ok {
 		r0 = rf(prompt)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string) error); ok {
 		r1 = rf(prompt)
 	} else {
@@ -44,7 +51,7 @@ type MockInterface_ReadPassword_Call struct {
 }
 
 // ReadPassword is a helper method to define mock.On call
-//  - prompt string
+//   - prompt string
 func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterface_ReadPassword_Call {
 	return &MockInterface_ReadPassword_Call{Call: _e.mock.On("ReadPassword", prompt)}
 }
@@ -61,18 +68,30 @@ func (_c *MockInterface_ReadPassword_Call) Return(_a0 string, _a1 error) *MockIn
 	return _c
 }
 
+func (_c *MockInterface_ReadPassword_Call) RunAndReturn(run func(string) (string, error)) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // ReadString provides a mock function with given fields: prompt
 func (_m *MockInterface) ReadString(prompt string) (string, error) {
 	ret := _m.Called(prompt)
 
+	if len(ret) == 0 {
+		panic("no return value specified for ReadString")
+	}
+
 	var r0 string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return rf(prompt)
+	}
 	if rf, ok := ret.Get(0).(func(string) string); ok {
 		r0 = rf(prompt)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string) error); ok {
 		r1 = rf(prompt)
 	} else {
@@ -88,7 +107,7 @@ type MockInterface_ReadString_Call struct {
 }
 
 // ReadString is a helper method to define mock.On call
-//  - prompt string
+//   - prompt string
 func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_ReadString_Call {
 	return &MockInterface_ReadString_Call{Call: _e.mock.On("ReadString", prompt)}
 }
@@ -105,13 +124,17 @@ func (_c *MockInterface_ReadString_Call) Return(_a0 string, _a1 error) *MockInte
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_ReadString_Call) RunAndReturn(run func(string) (string, error)) *MockInterface_ReadString_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdin.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package stdio_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockStdin is an autogenerated mock type for the Stdin type
+type MockStdin struct {
+	mock.Mock
+}
+
+type MockStdin_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdin) EXPECT() *MockStdin_Expecter {
+	return &MockStdin_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function with given fields: p
+func (_m *MockStdin) Read(p []byte) (int, error) {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 int
+	var r1 error
+	if rf, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return rf(p)
+	}
+	if rf, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	if rf, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = rf(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockStdin_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockStdin_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdin_Expecter) Read(p interface{}) *MockStdin_Read_Call {
+	return &MockStdin_Read_Call{Call: _e.mock.On("Read", p)}
+}
+
+func (_c *MockStdin_Read_Call) Run(run func(p []byte)) *MockStdin_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].([]byte))
+	})
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) Return(n int, err error) *MockStdin_Read_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) RunAndReturn(run func([]byte) (int, error)) *MockStdin_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdin creates a new instance of MockStdin. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdin(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdin {
+	mock := &MockStdin{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mock_Stdout.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package stdio_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockStdout is an autogenerated mock type for the Stdout type
+type MockStdout struct {
+	mock.Mock
+}
+
+type MockStdout_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdout) EXPECT() *MockStdout_Expecter {
+	return &MockStdout_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function with given fields: p
+func (_m *MockStdout) Write(p []byte) (int, error) {
+	ret := _m.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 int
+	var r1 error
+	if rf, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return rf(p)
+	}
+	if rf, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = rf(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+
+	if rf, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = rf(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockStdout_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockStdout_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdout_Expecter) Write(p interface{}) *MockStdout_Write_Call {
+	return &MockStdout_Write_Call{Call: _e.mock.On("Write", p)}
+}
+
+func (_c *MockStdout_Write_Call) Run(run func(p []byte)) *MockStdout_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].([]byte))
+	})
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) Return(n int, err error) *MockStdout_Write_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) RunAndReturn(run func([]byte) (int, error)) *MockStdout_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdout creates a new instance of MockStdout. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdout(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdout {
+	mock := &MockStdout{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/jwt_mock/mock_Clock.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package jwt
+package jwt_mock
 
 import (
 	time "time"
@@ -21,10 +21,14 @@ func (_m *MockClock) EXPECT() *MockClock_Expecter {
 	return &MockClock_Expecter{mock: &_m.Mock}
 }
 
-// Now provides a mock function with given fields:
+// Now provides a mock function with no fields
 func (_m *MockClock) Now() time.Time {
 	ret := _m.Called()
 
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}
+
 	var r0 time.Time
 	if rf, ok := ret.Get(0).(func() time.Time); ok {
 		r0 = rf()
@@ -57,13 +61,17 @@ func (_c *MockClock_Now_Call) Return(_a0 time.Time) *MockClock_Now_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockClock interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockClock_Now_Call) RunAndReturn(run func() time.Time) *MockClock_Now_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockClock(t mockConstructorTestingTNewMockClock) *MockClock {
+// The first argument is typically a *testing.T value.
+func NewMockClock(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockClock {
 	mock := &MockClock{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mock_Interface.go

@@ -1,9 +1,10 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package loader
+package loader_mock
 
 import (
 	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -24,7 +25,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
 	ret := _m.Called(explicitFilename, contextName, userName)
 
+	if len(ret) == 0 {
+		panic("no return value specified for GetCurrentAuthProvider")
+	}
+
 	var r0 *kubeconfig.AuthProvider
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)); ok {
+		return rf(explicitFilename, contextName, userName)
+	}
 	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
 		r0 = rf(explicitFilename, contextName, userName)
 	} else {
@@ -33,7 +42,6 @@ func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, context
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
 		r1 = rf(explicitFilename, contextName, userName)
 	} else {
@@ -49,9 +57,9 @@ type MockInterface_GetCurrentAuthProvider_Call struct {
 }
 
 // GetCurrentAuthProvider is a helper method to define mock.On call
-//  - explicitFilename string
-//  - contextName kubeconfig.ContextName
-//  - userName kubeconfig.UserName
+//   - explicitFilename string
+//   - contextName kubeconfig.ContextName
+//   - userName kubeconfig.UserName
 func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
 	return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
 }
@@ -68,13 +76,17 @@ func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(_a0 *kubeconfig.Auth
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_GetCurrentAuthProvider_Call) RunAndReturn(run func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package writer
+package writer_mock
 
 import (
 	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
@@ -24,6 +24,10 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
 	ret := _m.Called(p)
 
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAuthProvider")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
 		r0 = rf(p)
@@ -40,7 +44,7 @@ type MockInterface_UpdateAuthProvider_Call struct {
 }
 
 // UpdateAuthProvider is a helper method to define mock.On call
-//  - p kubeconfig.AuthProvider
+//   - p kubeconfig.AuthProvider
 func (_e *MockInterface_Expecter) UpdateAuthProvider(p interface{}) *MockInterface_UpdateAuthProvider_Call {
 	return &MockInterface_UpdateAuthProvider_Call{Call: _e.mock.On("UpdateAuthProvider", p)}
 }
@@ -57,13 +61,17 @@ func (_c *MockInterface_UpdateAuthProvider_Call) Return(_a0 error) *MockInterfac
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_UpdateAuthProvider_Call) RunAndReturn(run func(kubeconfig.AuthProvider) error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_FactoryInterface.go

@@ -1,13 +1,16 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package client
+package client_mock
 
 import (
 	context "context"
 
-	oidc "github.com/int128/kubelogin/pkg/oidc"
+	client "github.com/int128/kubelogin/pkg/oidc/client"
+
 	mock "github.com/stretchr/testify/mock"
 
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+
 	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
 )
 
@@ -25,19 +28,26 @@ func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
 }
 
 // New provides a mock function with given fields: ctx, p, tlsClientConfig
-func (_m *MockFactoryInterface) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
+func (_m *MockFactoryInterface) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error) {
 	ret := _m.Called(ctx, p, tlsClientConfig)
 
-	var r0 Interface
-	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) Interface); ok {
+	if len(ret) == 0 {
+		panic("no return value specified for New")
+	}
+
+	var r0 client.Interface
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)); ok {
+		return rf(ctx, p, tlsClientConfig)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) client.Interface); ok {
 		r0 = rf(ctx, p, tlsClientConfig)
 	} else {
 		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Interface)
+			r0 = ret.Get(0).(client.Interface)
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
 		r1 = rf(ctx, p, tlsClientConfig)
 	} else {
@@ -53,9 +63,9 @@ type MockFactoryInterface_New_Call struct {
 }
 
 // New is a helper method to define mock.On call
-//  - ctx context.Context
-//  - p oidc.Provider
-//  - tlsClientConfig tlsclientconfig.Config
+//   - ctx context.Context
+//   - p oidc.Provider
+//   - tlsClientConfig tlsclientconfig.Config
 func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, p interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
 	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, p, tlsClientConfig)}
 }
@@ -67,18 +77,22 @@ func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, p oid
 	return _c
 }
 
-func (_c *MockFactoryInterface_New_Call) Return(_a0 Interface, _a1 error) *MockFactoryInterface_New_Call {
+func (_c *MockFactoryInterface_New_Call) Return(_a0 client.Interface, _a1 error) *MockFactoryInterface_New_Call {
 	_c.Call.Return(_a0, _a1)
 	return _c
 }
 
-type mockConstructorTestingTNewMockFactoryInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockFactoryInterface_New_Call) RunAndReturn(run func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)) *MockFactoryInterface_New_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockFactoryInterface(t mockConstructorTestingTNewMockFactoryInterface) *MockFactoryInterface {
+// The first argument is typically a *testing.T value.
+func NewMockFactoryInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFactoryInterface {
 	mock := &MockFactoryInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mock_Interface.go

@@ -0,0 +1,490 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package client_mock
+
+import (
+	context "context"
+
+	client "github.com/int128/kubelogin/pkg/oidc/client"
+
+	mock "github.com/stretchr/testify/mock"
+
+	oauth2dev "github.com/int128/oauth2dev"
+
+	oidc "github.com/int128/kubelogin/pkg/oidc"
+)
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ExchangeAuthCode provides a mock function with given fields: ctx, in
+func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, in)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, client.ExchangeAuthCodeInput) error); ok {
+		r1 = rf(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
+type MockInterface_ExchangeAuthCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.ExchangeAuthCodeInput
+func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
+	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in client.ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(client.ExchangeAuthCodeInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) RunAndReturn(run func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ExchangeDeviceCode provides a mock function with given fields: ctx, authResponse
+func (_m *MockInterface) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, authResponse)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeDeviceCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, authResponse)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) *oidc.TokenSet); ok {
+		r0 = rf(ctx, authResponse)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *oauth2dev.AuthorizationResponse) error); ok {
+		r1 = rf(ctx, authResponse)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_ExchangeDeviceCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeDeviceCode'
+type MockInterface_ExchangeDeviceCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeDeviceCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - authResponse *oauth2dev.AuthorizationResponse
+func (_e *MockInterface_Expecter) ExchangeDeviceCode(ctx interface{}, authResponse interface{}) *MockInterface_ExchangeDeviceCode_Call {
+	return &MockInterface_ExchangeDeviceCode_Call{Call: _e.mock.On("ExchangeDeviceCode", ctx, authResponse)}
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Run(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*oauth2dev.AuthorizationResponse))
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) RunAndReturn(run func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAuthCodeURL provides a mock function with given fields: in
+func (_m *MockInterface) GetAuthCodeURL(in client.AuthCodeURLInput) string {
+	ret := _m.Called(in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAuthCodeURL")
+	}
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(client.AuthCodeURLInput) string); ok {
+		r0 = rf(in)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
+type MockInterface_GetAuthCodeURL_Call struct {
+	*mock.Call
+}
+
+// GetAuthCodeURL is a helper method to define mock.On call
+//   - in client.AuthCodeURLInput
+func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
+	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in client.AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(client.AuthCodeURLInput))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) RunAndReturn(run func(client.AuthCodeURLInput) string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDeviceAuthorization provides a mock function with given fields: ctx
+func (_m *MockInterface) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDeviceAuthorization")
+	}
+
+	var r0 *oauth2dev.AuthorizationResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) (*oauth2dev.AuthorizationResponse, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) *oauth2dev.AuthorizationResponse); ok {
+		r0 = rf(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oauth2dev.AuthorizationResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetDeviceAuthorization_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDeviceAuthorization'
+type MockInterface_GetDeviceAuthorization_Call struct {
+	*mock.Call
+}
+
+// GetDeviceAuthorization is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockInterface_Expecter) GetDeviceAuthorization(ctx interface{}) *MockInterface_GetDeviceAuthorization_Call {
+	return &MockInterface_GetDeviceAuthorization_Call{Call: _e.mock.On("GetDeviceAuthorization", ctx)}
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Run(run func(ctx context.Context)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Return(_a0 *oauth2dev.AuthorizationResponse, _a1 error) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) RunAndReturn(run func(context.Context) (*oauth2dev.AuthorizationResponse, error)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
+func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, in, localServerReadyChan)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, in, localServerReadyChan)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, in, localServerReadyChan)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) error); ok {
+		r1 = rf(ctx, in, localServerReadyChan)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
+type MockInterface_GetTokenByAuthCode_Call struct {
+	*mock.Call
+}
+
+// GetTokenByAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.GetTokenByAuthCodeInput
+//   - localServerReadyChan chan<- string
+func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
+	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(client.GetTokenByAuthCodeInput), args[2].(chan<- string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) RunAndReturn(run func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByROPC provides a mock function with given fields: ctx, username, password
+func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, username, password)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByROPC")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, username, password)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, username, password)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, username, password)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
+type MockInterface_GetTokenByROPC_Call struct {
+	*mock.Call
+}
+
+// GetTokenByROPC is a helper method to define mock.On call
+//   - ctx context.Context
+//   - username string
+//   - password string
+func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
+	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string), args[2].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) RunAndReturn(run func(context.Context, string, string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function with given fields: ctx, refreshToken
+func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
+	ret := _m.Called(ctx, refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (*oidc.TokenSet, error)); ok {
+		return rf(ctx, refreshToken)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
+		r0 = rf(ctx, refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockInterface_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - ctx context.Context
+//   - refreshToken string
+func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
+	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
+}
+
+func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) RunAndReturn(run func(context.Context, string) (*oidc.TokenSet, error)) *MockInterface_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SupportedPKCEMethods provides a mock function with no fields
+func (_m *MockInterface) SupportedPKCEMethods() []string {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for SupportedPKCEMethods")
+	}
+
+	var r0 []string
+	if rf, ok := ret.Get(0).(func() []string); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]string)
+		}
+	}
+
+	return r0
+}
+
+// MockInterface_SupportedPKCEMethods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SupportedPKCEMethods'
+type MockInterface_SupportedPKCEMethods_Call struct {
+	*mock.Call
+}
+
+// SupportedPKCEMethods is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) SupportedPKCEMethods() *MockInterface_SupportedPKCEMethods_Call {
+	return &MockInterface_SupportedPKCEMethods_Call{Call: _e.mock.On("SupportedPKCEMethods")}
+}
+
+func (_c *MockInterface_SupportedPKCEMethods_Call) Run(run func()) *MockInterface_SupportedPKCEMethods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_SupportedPKCEMethods_Call) Return(_a0 []string) *MockInterface_SupportedPKCEMethods_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockInterface_SupportedPKCEMethods_Call) RunAndReturn(run func() []string) *MockInterface_SupportedPKCEMethods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mock_testingLogger.go

@@ -0,0 +1,76 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package logger_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MocktestingLogger is an autogenerated mock type for the testingLogger type
+type MocktestingLogger struct {
+	mock.Mock
+}
+
+type MocktestingLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MocktestingLogger) EXPECT() *MocktestingLogger_Expecter {
+	return &MocktestingLogger_Expecter{mock: &_m.Mock}
+}
+
+// Logf provides a mock function with given fields: format, v
+func (_m *MocktestingLogger) Logf(format string, v ...interface{}) {
+	var _ca []interface{}
+	_ca = append(_ca, format)
+	_ca = append(_ca, v...)
+	_m.Called(_ca...)
+}
+
+// MocktestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
+type MocktestingLogger_Logf_Call struct {
+	*mock.Call
+}
+
+// Logf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *MocktestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *MocktestingLogger_Logf_Call {
+	return &MocktestingLogger_Logf_Call{Call: _e.mock.On("Logf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *MocktestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *MocktestingLogger_Logf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]interface{}, len(args)-1)
+		for i, a := range args[1:] {
+			if a != nil {
+				variadicArgs[i] = a.(interface{})
+			}
+		}
+		run(args[0].(string), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MocktestingLogger_Logf_Call) Return() *MocktestingLogger_Logf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MocktestingLogger_Logf_Call) RunAndReturn(run func(string, ...interface{})) *MocktestingLogger_Logf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMocktestingLogger creates a new instance of MocktestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMocktestingLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MocktestingLogger {
+	mock := &MocktestingLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mock_Interface.go

@@ -1,6 +1,6 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package loader
+package loader_mock
 
 import (
 	tls "crypto/tls"
@@ -27,7 +27,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error) {
 	ret := _m.Called(config)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Load")
+	}
+
 	var r0 *tls.Config
+	var r1 error
+	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) (*tls.Config, error)); ok {
+		return rf(config)
+	}
 	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) *tls.Config); ok {
 		r0 = rf(config)
 	} else {
@@ -36,7 +44,6 @@ func (_m *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(tlsclientconfig.Config) error); ok {
 		r1 = rf(config)
 	} else {
@@ -52,7 +59,7 @@ type MockInterface_Load_Call struct {
 }
 
 // Load is a helper method to define mock.On call
-//  - config tlsclientconfig.Config
+//   - config tlsclientconfig.Config
 func (_e *MockInterface_Expecter) Load(config interface{}) *MockInterface_Load_Call {
 	return &MockInterface_Load_Call{Call: _e.mock.On("Load", config)}
 }
@@ -69,13 +76,17 @@ func (_c *MockInterface_Load_Call) Return(_a0 *tls.Config, _a1 error) *MockInter
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Load_Call) RunAndReturn(run func(tlsclientconfig.Config) (*tls.Config, error)) *MockInterface_Load_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mock_Interface.go

@@ -1,8 +1,10 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package repository
+package repository_mock
 
 import (
+	io "io"
+
 	oidc "github.com/int128/kubelogin/pkg/oidc"
 	mock "github.com/stretchr/testify/mock"
 
@@ -26,7 +28,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 func (_m *MockInterface) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error) {
 	ret := _m.Called(dir, key)
 
+	if len(ret) == 0 {
+		panic("no return value specified for FindByKey")
+	}
+
 	var r0 *oidc.TokenSet
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, tokencache.Key) (*oidc.TokenSet, error)); ok {
+		return rf(dir, key)
+	}
 	if rf, ok := ret.Get(0).(func(string, tokencache.Key) *oidc.TokenSet); ok {
 		r0 = rf(dir, key)
 	} else {
@@ -35,7 +45,6 @@ func (_m *MockInterface) FindByKey(dir string, key tokencache.Key) (*oidc.TokenS
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string, tokencache.Key) error); ok {
 		r1 = rf(dir, key)
 	} else {
@@ -51,8 +60,8 @@ type MockInterface_FindByKey_Call struct {
 }
 
 // FindByKey is a helper method to define mock.On call
-//  - dir string
-//  - key tokencache.Key
+//   - dir string
+//   - key tokencache.Key
 func (_e *MockInterface_Expecter) FindByKey(dir interface{}, key interface{}) *MockInterface_FindByKey_Call {
 	return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", dir, key)}
 }
@@ -69,10 +78,78 @@ func (_c *MockInterface_FindByKey_Call) Return(_a0 *oidc.TokenSet, _a1 error) *M
 	return _c
 }
 
+func (_c *MockInterface_FindByKey_Call) RunAndReturn(run func(string, tokencache.Key) (*oidc.TokenSet, error)) *MockInterface_FindByKey_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Lock provides a mock function with given fields: dir, key
+func (_m *MockInterface) Lock(dir string, key tokencache.Key) (io.Closer, error) {
+	ret := _m.Called(dir, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Lock")
+	}
+
+	var r0 io.Closer
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string, tokencache.Key) (io.Closer, error)); ok {
+		return rf(dir, key)
+	}
+	if rf, ok := ret.Get(0).(func(string, tokencache.Key) io.Closer); ok {
+		r0 = rf(dir, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(io.Closer)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(string, tokencache.Key) error); ok {
+		r1 = rf(dir, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockInterface_Lock_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Lock'
+type MockInterface_Lock_Call struct {
+	*mock.Call
+}
+
+// Lock is a helper method to define mock.On call
+//   - dir string
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) Lock(dir interface{}, key interface{}) *MockInterface_Lock_Call {
+	return &MockInterface_Lock_Call{Call: _e.mock.On("Lock", dir, key)}
+}
+
+func (_c *MockInterface_Lock_Call) Run(run func(dir string, key tokencache.Key)) *MockInterface_Lock_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(string), args[1].(tokencache.Key))
+	})
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) Return(_a0 io.Closer, _a1 error) *MockInterface_Lock_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) RunAndReturn(run func(string, tokencache.Key) (io.Closer, error)) *MockInterface_Lock_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // Save provides a mock function with given fields: dir, key, tokenSet
 func (_m *MockInterface) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
 	ret := _m.Called(dir, key, tokenSet)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Save")
+	}
+
 	var r0 error
 	if rf, ok := ret.Get(0).(func(string, tokencache.Key, oidc.TokenSet) error); ok {
 		r0 = rf(dir, key, tokenSet)
@@ -89,9 +166,9 @@ type MockInterface_Save_Call struct {
 }
 
 // Save is a helper method to define mock.On call
-//  - dir string
-//  - key tokencache.Key
-//  - tokenSet oidc.TokenSet
+//   - dir string
+//   - key tokencache.Key
+//   - tokenSet oidc.TokenSet
 func (_e *MockInterface_Expecter) Save(dir interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
 	return &MockInterface_Save_Call{Call: _e.mock.On("Save", dir, key, tokenSet)}
 }
@@ -108,13 +185,17 @@ func (_c *MockInterface_Save_Call) Return(_a0 error) *MockInterface_Save_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Save_Call) RunAndReturn(run func(string, tokencache.Key, oidc.TokenSet) error) *MockInterface_Save_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mock_Interface.go

@@ -1,10 +1,12 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package authentication
+package authentication_mock
 
 import (
 	context "context"
 
+	authentication "github.com/int128/kubelogin/pkg/usecases/authentication"
+
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -22,20 +24,27 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 }
 
 // Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) (*Output, error) {
+func (_m *MockInterface) Do(ctx context.Context, in authentication.Input) (*authentication.Output, error) {
 	ret := _m.Called(ctx, in)
 
-	var r0 *Output
-	if rf, ok := ret.Get(0).(func(context.Context, Input) *Output); ok {
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 *authentication.Output
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, authentication.Input) (*authentication.Output, error)); ok {
+		return rf(ctx, in)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, authentication.Input) *authentication.Output); ok {
 		r0 = rf(ctx, in)
 	} else {
 		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*Output)
+			r0 = ret.Get(0).(*authentication.Output)
 		}
 	}
 
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, Input) error); ok {
+	if rf, ok := ret.Get(1).(func(context.Context, authentication.Input) error); ok {
 		r1 = rf(ctx, in)
 	} else {
 		r1 = ret.Error(1)
@@ -50,31 +59,35 @@ type MockInterface_Do_Call struct {
 }
 
 // Do is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Input
+//   - ctx context.Context
+//   - in authentication.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }
 
-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in authentication.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		run(args[0].(context.Context), args[1].(authentication.Input))
 	})
 	return _c
 }
 
-func (_c *MockInterface_Do_Call) Return(_a0 *Output, _a1 error) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Return(_a0 *authentication.Output, _a1 error) *MockInterface_Do_Call {
 	_c.Call.Return(_a0, _a1)
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, authentication.Input) (*authentication.Output, error)) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mock_Interface.go

@@ -1,10 +1,11 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package credentialplugin
+package credentialplugin_mock
 
 import (
 	context "context"
 
+	credentialplugin "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -22,11 +23,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 }
 
 // Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) error {
+func (_m *MockInterface) Do(ctx context.Context, in credentialplugin.Input) error {
 	ret := _m.Called(ctx, in)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Input) error); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, credentialplugin.Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
 		r0 = ret.Error(0)
@@ -41,15 +46,15 @@ type MockInterface_Do_Call struct {
 }
 
 // Do is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Input
+//   - ctx context.Context
+//   - in credentialplugin.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }
 
-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in credentialplugin.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		run(args[0].(context.Context), args[1].(credentialplugin.Input))
 	})
 	return _c
 }
@@ -59,13 +64,17 @@ func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, credentialplugin.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mock_Interface.go

@@ -1,10 +1,11 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package setup
+package setup_mock
 
 import (
 	context "context"
 
+	setup "github.com/int128/kubelogin/pkg/usecases/setup"
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -21,7 +22,7 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }
 
-// DoStage1 provides a mock function with given fields:
+// DoStage1 provides a mock function with no fields
 func (_m *MockInterface) DoStage1() {
 	_m.Called()
 }
@@ -48,12 +49,21 @@ func (_c *MockInterface_DoStage1_Call) Return() *MockInterface_DoStage1_Call {
 	return _c
 }
 
+func (_c *MockInterface_DoStage1_Call) RunAndReturn(run func()) *MockInterface_DoStage1_Call {
+	_c.Run(run)
+	return _c
+}
+
 // DoStage2 provides a mock function with given fields: ctx, in
-func (_m *MockInterface) DoStage2(ctx context.Context, in Stage2Input) error {
+func (_m *MockInterface) DoStage2(ctx context.Context, in setup.Stage2Input) error {
 	ret := _m.Called(ctx, in)
 
+	if len(ret) == 0 {
+		panic("no return value specified for DoStage2")
+	}
+
 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Stage2Input) error); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, setup.Stage2Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
 		r0 = ret.Error(0)
@@ -68,15 +78,15 @@ type MockInterface_DoStage2_Call struct {
 }
 
 // DoStage2 is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Stage2Input
+//   - ctx context.Context
+//   - in setup.Stage2Input
 func (_e *MockInterface_Expecter) DoStage2(ctx interface{}, in interface{}) *MockInterface_DoStage2_Call {
 	return &MockInterface_DoStage2_Call{Call: _e.mock.On("DoStage2", ctx, in)}
 }
 
-func (_c *MockInterface_DoStage2_Call) Run(run func(ctx context.Context, in Stage2Input)) *MockInterface_DoStage2_Call {
+func (_c *MockInterface_DoStage2_Call) Run(run func(ctx context.Context, in setup.Stage2Input)) *MockInterface_DoStage2_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Stage2Input))
+		run(args[0].(context.Context), args[1].(setup.Stage2Input))
 	})
 	return _c
 }
@@ -86,13 +96,17 @@ func (_c *MockInterface_DoStage2_Call) Return(_a0 error) *MockInterface_DoStage2
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_DoStage2_Call) RunAndReturn(run func(context.Context, setup.Stage2Input) error) *MockInterface_DoStage2_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mock_Interface.go

@@ -1,10 +1,11 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery v2.50.4. DO NOT EDIT.
 
-package standalone
+package standalone_mock
 
 import (
 	context "context"
 
+	standalone "github.com/int128/kubelogin/pkg/usecases/standalone"
 	mock "github.com/stretchr/testify/mock"
 )
 
@@ -22,11 +23,15 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 }
 
 // Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) error {
+func (_m *MockInterface) Do(ctx context.Context, in standalone.Input) error {
 	ret := _m.Called(ctx, in)
 
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Input) error); ok {
+	if rf, ok := ret.Get(0).(func(context.Context, standalone.Input) error); ok {
 		r0 = rf(ctx, in)
 	} else {
 		r0 = ret.Error(0)
@@ -41,15 +46,15 @@ type MockInterface_Do_Call struct {
 }
 
 // Do is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in Input
+//   - ctx context.Context
+//   - in standalone.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }
 
-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in standalone.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		run(args[0].(context.Context), args[1].(standalone.Input))
 	})
 	return _c
 }
@@ -59,13 +64,17 @@ func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
 	return _c
 }
 
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(context.Context, standalone.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
 
 // NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
 	mock := &MockInterface{}
 	mock.Mock.Test(t)
 

mocks/io_mock/mock_Closer.go

@@ -0,0 +1,77 @@
+// Code generated by mockery v2.50.4. DO NOT EDIT.
+
+package io_mock
+
+import mock "github.com/stretchr/testify/mock"
+
+// MockCloser is an autogenerated mock type for the Closer type
+type MockCloser struct {
+	mock.Mock
+}
+
+type MockCloser_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCloser) EXPECT() *MockCloser_Expecter {
+	return &MockCloser_Expecter{mock: &_m.Mock}
+}
+
+// Close provides a mock function with no fields
+func (_m *MockCloser) Close() error {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Close")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func() error); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockCloser_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
+type MockCloser_Close_Call struct {
+	*mock.Call
+}
+
+// Close is a helper method to define mock.On call
+func (_e *MockCloser_Expecter) Close() *MockCloser_Close_Call {
+	return &MockCloser_Close_Call{Call: _e.mock.On("Close")}
+}
+
+func (_c *MockCloser_Close_Call) Run(run func()) *MockCloser_Close_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) Return(_a0 error) *MockCloser_Close_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) RunAndReturn(run func() error) *MockCloser_Close_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockCloser creates a new instance of MockCloser. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCloser(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockCloser {
+	mock := &MockCloser{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

pkg/cmd/authentication.go

@@ -7,39 +7,27 @@ import (
 
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"github.com/spf13/pflag"
 )
 
-type authenticationOptions struct {
-	GrantType                  string
-	ListenAddress              []string
-	ListenPort                 []int // deprecated
-	AuthenticationTimeoutSec   int
-	SkipOpenBrowser            bool
-	BrowserCommand             string
-	LocalServerCertFile        string
-	LocalServerKeyFile         string
-	OpenURLAfterAuthentication string
-	RedirectURLHostname        string
-	AuthRequestExtraParams     map[string]string
-	Username                   string
-	Password                   string
-}
+const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
 
-// determineListenAddress returns the addresses from the flags.
-// Note that --listen-address is always given due to the default value.
-// If --listen-port is not set, it returns --listen-address.
-// If --listen-port is set, it returns the strings of --listen-port.
-func (o *authenticationOptions) determineListenAddress() []string {
-	if len(o.ListenPort) == 0 {
-		return o.ListenAddress
-	}
-	var a []string
-	for _, p := range o.ListenPort {
-		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return a
+type authenticationOptions struct {
+	GrantType                   string
+	ListenAddress               []string
+	AuthenticationTimeoutSec    int
+	SkipOpenBrowser             bool
+	BrowserCommand              string
+	LocalServerCertFile         string
+	LocalServerKeyFile          string
+	OpenURLAfterAuthentication  string
+	RedirectURLHostname         string
+	RedirectURLAuthCodeKeyboard string
+	AuthRequestExtraParams      map[string]string
+	Username                    string
+	Password                    string
 }
 
 var allGrantType = strings.Join([]string{
@@ -47,16 +35,12 @@ var allGrantType = strings.Join([]string{
 	"authcode",
 	"authcode-keyboard",
 	"password",
+	"device-code",
 }, "|")
 
 func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("Authorization grant type to use. One of (%s)", allGrantType))
 	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "[authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order")
-	//TODO: remove the deprecated flag
-	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "[authcode] deprecated: port to bind to the local server")
-	if err := f.MarkDeprecated("listen-port", "use --listen-address instead"); err != nil {
-		panic(err)
-	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
 	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
 	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
@@ -64,6 +48,7 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
 	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
 	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
+	f.StringVar(&o.RedirectURLAuthCodeKeyboard, "oidc-redirect-url-authcode-keyboard", oobRedirectURI, "[authcode-keyboard] Redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
 	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
@@ -78,7 +63,7 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
-			BindAddress:                o.determineListenAddress(),
+			BindAddress:                o.ListenAddress,
 			SkipOpenBrowser:            o.SkipOpenBrowser,
 			BrowserCommand:             o.BrowserCommand,
 			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
@@ -91,12 +76,18 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	case o.GrantType == "authcode-keyboard":
 		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
 			AuthRequestExtraParams: o.AuthRequestExtraParams,
+			RedirectURL:            o.RedirectURLAuthCodeKeyboard,
 		}
 	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
 		s.ROPCOption = &ropc.Option{
 			Username: o.Username,
 			Password: o.Password,
 		}
+	case o.GrantType == "device-code":
+		s.DeviceCodeOption = &devicecode.Option{
+			SkipOpenBrowser: o.SkipOpenBrowser,
+			BrowserCommand:  o.BrowserCommand,
+		}
 	default:
 		err = fmt.Errorf("grant-type must be one of (%s)", allGrantType)
 	}

pkg/cmd/authentication_test.go

@@ -56,40 +56,25 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				},
 			},
 		},
-		"when --listen-port is set, it should convert the port to address": {
-			args: []string{
-				"--listen-port", "10080",
-				"--listen-port", "20080",
-			},
-			want: authentication.GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
-				},
-			},
-		},
-		"when --listen-port is set, it should ignore --listen-address flags": {
-			args: []string{
-				"--listen-port", "10080",
-				"--listen-port", "20080",
-				"--listen-address", "127.0.0.1:30080",
-				"--listen-address", "127.0.0.1:40080",
-			},
-			want: authentication.GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
-				},
-			},
-		},
 		"GrantType=authcode-keyboard": {
 			args: []string{
 				"--grant-type", "authcode-keyboard",
 			},
 			want: authentication.GrantOptionSet{
-				AuthCodeKeyboardOption: &authcode.KeyboardOption{},
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{
+					RedirectURL: oobRedirectURI,
+				},
+			},
+		},
+		"GrantType=authcode-keyboard with full options": {
+			args: []string{
+				"--grant-type", "authcode-keyboard",
+				"--oidc-redirect-url-authcode-keyboard", "http://localhost",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{
+					RedirectURL: "http://localhost",
+				},
 			},
 		},
 		"GrantType=password": {

pkg/cmd/cmd.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"context"
+	"os"
 	"path/filepath"
 	"runtime"
 
@@ -23,8 +24,17 @@ type Interface interface {
 	Run(ctx context.Context, args []string, version string) int
 }
 
+func getDefaultTokenCacheDir(key, fallback string) string {
+	if value, ok := os.LookupEnv(key); ok {
+		return value
+	}
+	return fallback
+}
+
 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
-var defaultTokenCacheDir = filepath.Join("~", ".kube", "cache", "oidc-login")
+var defaultTokenCacheDir = filepath.Join(
+	getDefaultTokenCacheDir("KUBECACHEDIR", filepath.Join("~", ".kube", "cache")),
+	"oidc-login")
 
 const defaultAuthenticationTimeoutSec = 180
 

pkg/cmd/cmd_test.go

@@ -7,6 +7,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -61,7 +63,7 @@ func TestCmd_Run(t *testing.T) {
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {
 				ctx := context.TODO()
-				mockStandalone := standalone.NewMockInterface(t)
+				mockStandalone := standalone_mock.NewMockInterface(t)
 				mockStandalone.EXPECT().
 					Do(ctx, c.in).
 					Return(nil)
@@ -82,7 +84,7 @@ func TestCmd_Run(t *testing.T) {
 		t.Run("TooManyArgs", func(t *testing.T) {
 			cmd := Cmd{
 				Root: &Root{
-					Standalone: standalone.NewMockInterface(t),
+					Standalone: standalone_mock.NewMockInterface(t),
 					Logger:     logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -152,6 +154,29 @@ func TestCmd_Run(t *testing.T) {
 					},
 				},
 			},
+			"AccessToken": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-use-access-token=true",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+					Provider: oidc.Provider{
+						IssuerURL:      "https://issuer.example.com",
+						ClientID:       "YOUR_CLIENT_ID",
+						UseAccessToken: true,
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
 			"HomedirExpansion": {
 				args: []string{executable,
 					"get-token",
@@ -186,7 +211,7 @@ func TestCmd_Run(t *testing.T) {
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {
 				ctx := context.TODO()
-				getToken := credentialplugin.NewMockInterface(t)
+				getToken := credentialplugin_mock.NewMockInterface(t)
 				getToken.EXPECT().
 					Do(ctx, c.in).
 					Return(nil)
@@ -214,7 +239,7 @@ func TestCmd_Run(t *testing.T) {
 					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
-					GetToken: credentialplugin.NewMockInterface(t),
+					GetToken: credentialplugin_mock.NewMockInterface(t),
 					Logger:   logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -232,7 +257,7 @@ func TestCmd_Run(t *testing.T) {
 					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
-					GetToken: credentialplugin.NewMockInterface(t),
+					GetToken: credentialplugin_mock.NewMockInterface(t),
 					Logger:   logger.New(t),
 				},
 				Logger: logger.New(t),

pkg/cmd/get_token.go

@@ -18,9 +18,11 @@ type getTokenOptions struct {
 	ClientSecret          string
 	ExtraScopes           []string
 	UsePKCE               bool
+	UseAccessToken        bool
 	TokenCacheDir         string
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
+	ForceRefresh          bool
 }
 
 func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
@@ -29,7 +31,9 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
 	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
+	f.BoolVar(&o.ForceRefresh, "force-refresh", false, "If set, refresh the ID token regardless of its expiration time")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
@@ -73,15 +77,17 @@ func (cmd *GetToken) New() *cobra.Command {
 			}
 			in := credentialplugin.Input{
 				Provider: oidc.Provider{
-					IssuerURL:    o.IssuerURL,
-					ClientID:     o.ClientID,
-					ClientSecret: o.ClientSecret,
-					UsePKCE:      o.UsePKCE,
-					ExtraScopes:  o.ExtraScopes,
+					IssuerURL:      o.IssuerURL,
+					ClientID:       o.ClientID,
+					ClientSecret:   o.ClientSecret,
+					UsePKCE:        o.UsePKCE,
+					UseAccessToken: o.UseAccessToken,
+					ExtraScopes:    o.ExtraScopes,
 				},
 				TokenCacheDir:   o.TokenCacheDir,
 				GrantOptionSet:  grantOptionSet,
 				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
+				ForceRefresh:    o.ForceRefresh,
 			}
 			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
 				return fmt.Errorf("get-token: %w", err)

pkg/cmd/root.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"

pkg/cmd/setup.go

@@ -15,6 +15,7 @@ type setupOptions struct {
 	ClientSecret          string
 	ExtraScopes           []string
 	UsePKCE               bool
+	UseAccessToken        bool
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 }
@@ -25,6 +26,7 @@ func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
 	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
@@ -50,6 +52,7 @@ func (cmd *Setup) New() *cobra.Command {
 				ClientSecret:    o.ClientSecret,
 				ExtraScopes:     o.ExtraScopes,
 				UsePKCE:         o.UsePKCE,
+				UseAccessToken:  o.UseAccessToken,
 				GrantOptionSet:  grantOptionSet,
 				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}

pkg/credentialplugin/reader/reader.go

@@ -0,0 +1,39 @@
+// Package reader provides a loader for the credential plugin.
+package reader
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	"k8s.io/client-go/pkg/apis/clientauthentication"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Reader), "*"),
+	wire.Bind(new(Interface), new(*Reader)),
+)
+
+type Interface interface {
+	Read() (credentialplugin.Input, error)
+}
+
+type Reader struct{}
+
+// Read parses the environment variable KUBERNETES_EXEC_INFO.
+// If the environment variable is not given by kubectl, Read returns a zero value.
+func (r Reader) Read() (credentialplugin.Input, error) {
+	execInfo := os.Getenv("KUBERNETES_EXEC_INFO")
+	if execInfo == "" {
+		return credentialplugin.Input{}, nil
+	}
+	var execCredential clientauthentication.ExecCredential
+	if err := json.Unmarshal([]byte(execInfo), &execCredential); err != nil {
+		return credentialplugin.Input{}, fmt.Errorf("invalid KUBERNETES_EXEC_INFO: %w", err)
+	}
+	return credentialplugin.Input{
+		ClientAuthenticationAPIVersion: execCredential.APIVersion,
+	}, nil
+}

pkg/credentialplugin/reader/reader_test.go

@@ -0,0 +1,44 @@
+package reader
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+)
+
+func TestReader_Read(t *testing.T) {
+	var reader Reader
+
+	t.Run("KUBERNETES_EXEC_INFO is empty", func(t *testing.T) {
+		input, err := reader.Read()
+		if err != nil {
+			t.Errorf("Read returned error: %v", err)
+		}
+		want := credentialplugin.Input{}
+		if diff := cmp.Diff(want, input); diff != "" {
+			t.Errorf("input mismatch (-want +got):\n%s", diff)
+		}
+	})
+	t.Run("KUBERNETES_EXEC_INFO is invalid JSON", func(t *testing.T) {
+		t.Setenv("KUBERNETES_EXEC_INFO", "invalid")
+		_, err := reader.Read()
+		if err == nil {
+			t.Errorf("Read wants error but no error")
+		}
+	})
+	t.Run("KUBERNETES_EXEC_INFO is v1", func(t *testing.T) {
+		t.Setenv(
+			"KUBERNETES_EXEC_INFO",
+			`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
+		)
+		input, err := reader.Read()
+		if err != nil {
+			t.Errorf("Read returned error: %v", err)
+		}
+		want := credentialplugin.Input{ClientAuthenticationAPIVersion: "client.authentication.k8s.io/v1"}
+		if diff := cmp.Diff(want, input); diff != "" {
+			t.Errorf("input mismatch (-want +got):\n%s", diff)
+		}
+	})
+}

pkg/credentialplugin/types.go

@@ -3,8 +3,15 @@ package credentialplugin
 
 import "time"
 
+// Input represents an input object of the credential plugin.
+// This may be a zero value if the input is not available.
+type Input struct {
+	ClientAuthenticationAPIVersion string
+}
+
 // Output represents an output object of the credential plugin.
 type Output struct {
-	Token  string
-	Expiry time.Time
+	Token                          string
+	Expiry                         time.Time
+	ClientAuthenticationAPIVersion string
 }

pkg/credentialplugin/writer/credential_plugin.go

@@ -1,4 +1,4 @@
-// Package writer provides a writer for a credential plugin.
+// Package writer provides a writer for the credential plugin.
 package writer
 
 import (
@@ -9,6 +9,7 @@ import (
 	"github.com/int128/kubelogin/pkg/credentialplugin"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )
 
@@ -27,19 +28,44 @@ type Writer struct {
 
 // Write writes the ExecCredential to standard output for kubectl.
 func (w *Writer) Write(out credentialplugin.Output) error {
-	ec := &clientauthenticationv1beta1.ExecCredential{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
-		},
+	execCredential, err := generateExecCredential(out)
+	if err != nil {
+		return fmt.Errorf("generate ExecCredential: %w", err)
 	}
-	e := json.NewEncoder(w.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return fmt.Errorf("could not write the ExecCredential: %w", err)
+	if err := json.NewEncoder(w.Stdout).Encode(execCredential); err != nil {
+		return fmt.Errorf("write ExecCredential: %w", err)
 	}
 	return nil
 }
+
+func generateExecCredential(out credentialplugin.Output) (any, error) {
+	switch out.ClientAuthenticationAPIVersion {
+	// If the API version is not available, fall back to v1beta1.
+	case clientauthenticationv1beta1.SchemeGroupVersion.String(), "":
+		return &clientauthenticationv1beta1.ExecCredential{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
+				Kind:       "ExecCredential",
+			},
+			Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+				Token:               out.Token,
+				ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+			},
+		}, nil
+
+	case clientauthenticationv1.SchemeGroupVersion.String():
+		return &clientauthenticationv1.ExecCredential{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+				Kind:       "ExecCredential",
+			},
+			Status: &clientauthenticationv1.ExecCredentialStatus{
+				Token:               out.Token,
+				ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+			},
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unknown apiVersion: %s", out.ClientAuthenticationAPIVersion)
+	}
+}

pkg/di/di.go

@@ -1,4 +1,5 @@
-//+build wireinject
+//go:build wireinject
+// +build wireinject
 
 // Package di provides dependency injection.
 package di
@@ -6,11 +7,11 @@ package di
 import (
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/cmd"
-	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	credentialpluginreader "github.com/int128/kubelogin/pkg/credentialplugin/reader"
+	credentialpluginwriter "github.com/int128/kubelogin/pkg/credentialplugin/writer"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/infrastructure/reader"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	kubeconfigLoader "github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -55,8 +56,8 @@ func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interf
 		repository.Set,
 		client.Set,
 		loader.Set,
-		writer.Set,
-		mutex.Set,
+		credentialpluginreader.Set,
+		credentialpluginwriter.Set,
 	)
 	return nil
 }

pkg/di/wire_gen.go

@@ -1,17 +1,18 @@
 // Code generated by Wire. DO NOT EDIT.
 
-//go:generate wire
-//+build !wireinject
+//go:generate go run -mod=mod github.com/google/wire/cmd/wire
+//go:build !wireinject
+// +build !wireinject
 
 package di
 
 import (
 	"github.com/int128/kubelogin/pkg/cmd"
+	reader2 "github.com/int128/kubelogin/pkg/credentialplugin/reader"
 	writer2 "github.com/int128/kubelogin/pkg/credentialplugin/writer"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/infrastructure/reader"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	loader2 "github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -21,6 +22,7 @@ import (
 	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
@@ -30,6 +32,7 @@ import (
 
 // Injectors from di.go:
 
+// NewCmd returns an instance of infrastructure.Cmd.
 func NewCmd() cmd.Interface {
 	clockReal := &clock.Real{}
 	stdin := _wireFileValue
@@ -45,6 +48,7 @@ var (
 	_wireOsFileValue = os.Stdout
 )
 
+// NewCmdForHeadless returns an instance of infrastructure.Cmd for headless testing.
 func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout stdio.Stdout, loggerInterface logger.Interface, browserInterface browser.Interface) cmd.Interface {
 	loaderLoader := loader.Loader{}
 	factory := &client.Factory{
@@ -67,13 +71,17 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		Reader: readerReader,
 		Logger: loggerInterface,
 	}
+	deviceCode := &devicecode.DeviceCode{
+		Browser: browserInterface,
+		Logger:  loggerInterface,
+	}
 	authenticationAuthentication := &authentication.Authentication{
 		ClientFactory:    factory,
 		Logger:           loggerInterface,
-		Clock:            clockInterface,
 		AuthCodeBrowser:  authcodeBrowser,
 		AuthCodeKeyboard: keyboard,
 		ROPC:             ropcROPC,
+		DeviceCode:       deviceCode,
 	}
 	loader3 := &loader2.Loader{}
 	writerWriter := &writer.Writer{}
@@ -82,24 +90,24 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		KubeconfigLoader: loader3,
 		KubeconfigWriter: writerWriter,
 		Logger:           loggerInterface,
+		Clock:            clockInterface,
 	}
 	root := &cmd.Root{
 		Standalone: standaloneStandalone,
 		Logger:     loggerInterface,
 	}
 	repositoryRepository := &repository.Repository{}
+	reader3 := &reader2.Reader{}
 	writer3 := &writer2.Writer{
 		Stdout: stdout,
 	}
-	mutexMutex := &mutex.Mutex{
-		Logger: loggerInterface,
-	}
 	getToken := &credentialplugin.GetToken{
-		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repositoryRepository,
-		Writer:               writer3,
-		Mutex:                mutexMutex,
-		Logger:               loggerInterface,
+		Authentication:         authenticationAuthentication,
+		TokenCacheRepository:   repositoryRepository,
+		CredentialPluginReader: reader3,
+		CredentialPluginWriter: writer3,
+		Logger:                 loggerInterface,
+		Clock:                  clockInterface,
 	}
 	cmdGetToken := &cmd.GetToken{
 		GetToken: getToken,

pkg/infrastructure/logger/mock_goLogger.go

@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// mockGoLogger is an autogenerated mock type for the goLogger type
-type mockGoLogger struct {
-	mock.Mock
-}
-
-type mockGoLogger_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *mockGoLogger) EXPECT() *mockGoLogger_Expecter {
-	return &mockGoLogger_Expecter{mock: &_m.Mock}
-}
-
-// Printf provides a mock function with given fields: format, v
-func (_m *mockGoLogger) Printf(format string, v ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, v...)
-	_m.Called(_ca...)
-}
-
-// mockGoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
-type mockGoLogger_Printf_Call struct {
-	*mock.Call
-}
-
-// Printf is a helper method to define mock.On call
-//  - format string
-//  - v ...interface{}
-func (_e *mockGoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockGoLogger_Printf_Call {
-	return &mockGoLogger_Printf_Call{Call: _e.mock.On("Printf",
-		append([]interface{}{format}, v...)...)}
-}
-
-func (_c *mockGoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockGoLogger_Printf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *mockGoLogger_Printf_Call) Return() *mockGoLogger_Printf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTnewMockGoLogger interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// newMockGoLogger creates a new instance of mockGoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func newMockGoLogger(t mockConstructorTestingTnewMockGoLogger) *mockGoLogger {
-	mock := &mockGoLogger{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/infrastructure/mutex/mock_Interface.go

@@ -1,121 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package mutex
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// Acquire provides a mock function with given fields: ctx, name
-func (_m *MockInterface) Acquire(ctx context.Context, name string) (*Lock, error) {
-	ret := _m.Called(ctx, name)
-
-	var r0 *Lock
-	if rf, ok := ret.Get(0).(func(context.Context, string) *Lock); ok {
-		r0 = rf(ctx, name)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*Lock)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, name)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_Acquire_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Acquire'
-type MockInterface_Acquire_Call struct {
-	*mock.Call
-}
-
-// Acquire is a helper method to define mock.On call
-//  - ctx context.Context
-//  - name string
-func (_e *MockInterface_Expecter) Acquire(ctx interface{}, name interface{}) *MockInterface_Acquire_Call {
-	return &MockInterface_Acquire_Call{Call: _e.mock.On("Acquire", ctx, name)}
-}
-
-func (_c *MockInterface_Acquire_Call) Run(run func(ctx context.Context, name string)) *MockInterface_Acquire_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Acquire_Call) Return(_a0 *Lock, _a1 error) *MockInterface_Acquire_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Release provides a mock function with given fields: lock
-func (_m *MockInterface) Release(lock *Lock) error {
-	ret := _m.Called(lock)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*Lock) error); ok {
-		r0 = rf(lock)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockInterface_Release_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Release'
-type MockInterface_Release_Call struct {
-	*mock.Call
-}
-
-// Release is a helper method to define mock.On call
-//  - lock *Lock
-func (_e *MockInterface_Expecter) Release(lock interface{}) *MockInterface_Release_Call {
-	return &MockInterface_Release_Call{Call: _e.mock.On("Release", lock)}
-}
-
-func (_c *MockInterface_Release_Call) Run(run func(lock *Lock)) *MockInterface_Release_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*Lock))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Release_Call) Return(_a0 error) *MockInterface_Release_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/infrastructure/mutex/mutex.go

@@ -1,87 +0,0 @@
-package mutex
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path"
-
-	"github.com/alexflint/go-filemutex"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-)
-
-var Set = wire.NewSet(
-	wire.Struct(new(Mutex), "*"),
-	wire.Bind(new(Interface), new(*Mutex)),
-)
-
-type Interface interface {
-	Acquire(ctx context.Context, name string) (*Lock, error)
-	Release(lock *Lock) error
-}
-
-// Lock holds the lock data.
-type Lock struct {
-	Data interface{}
-	Name string
-}
-
-type Mutex struct {
-	Logger logger.Interface
-}
-
-// internalAcquire wait for acquisition of the lock
-func internalAcquire(fm *filemutex.FileMutex) chan error {
-	result := make(chan error)
-	go func() {
-		if err := fm.Lock(); err != nil {
-			result <- err
-		}
-		close(result)
-	}()
-	return result
-}
-
-// internalRelease disposes of resources associated with a lock
-func internalRelease(fm *filemutex.FileMutex, lfn string, log logger.Interface) error {
-	err := fm.Close()
-	if err != nil {
-		log.V(1).Infof("Error closing lock file %s: %s", lfn, err)
-	}
-	return err
-}
-
-// LockFileName get the lock file name from the lock name.
-func LockFileName(name string) string {
-	return path.Join(os.TempDir(), fmt.Sprintf(".kubelogin.%s.lock", name))
-}
-
-// Acquire acquire a lock for the specified name. The context could be used to set a timeout.
-func (m *Mutex) Acquire(ctx context.Context, name string) (*Lock, error) {
-	lfn := LockFileName(name)
-	fm, err := filemutex.New(lfn)
-	if err != nil {
-		return nil, fmt.Errorf("error creating mutex file %s: %w", lfn, err)
-	}
-
-	lockChan := internalAcquire(fm)
-	select {
-	case <-ctx.Done():
-		_ = internalRelease(fm, lfn, m.Logger)
-		return nil, ctx.Err()
-	case err := <-lockChan:
-		if err != nil {
-			_ = internalRelease(fm, lfn, m.Logger)
-			return nil, fmt.Errorf("error acquiring lock on file %s: %w", lfn, err)
-		}
-		return &Lock{Data: fm, Name: name}, nil
-	}
-}
-
-// Release release the specified lock
-func (m *Mutex) Release(lock *Lock) error {
-	fm := lock.Data.(*filemutex.FileMutex)
-	lfn := LockFileName(lock.Name)
-	return internalRelease(fm, lfn, m.Logger)
-}

pkg/infrastructure/mutex/mutex_test.go

@@ -1,64 +0,0 @@
-package mutex
-
-import (
-	"fmt"
-	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"golang.org/x/net/context"
-	"math/rand"
-	"sync"
-	"testing"
-	"time"
-)
-
-func TestMutex(t *testing.T) {
-
-	t.Run("Test successful parallel acquisition with no reentry allowed", func(t *testing.T) {
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		nbConcurrency := 20
-		wg := sync.WaitGroup{}
-		events := make(chan int, nbConcurrency*2)
-		errors := make(chan error, nbConcurrency)
-		doLockUnlock := func() {
-			defer wg.Done()
-
-			m := Mutex{
-				Logger: logger.New(),
-			}
-			if mutex, err := m.Acquire(ctx, "test"); err == nil {
-				events <- 1
-				var dur = time.Duration(rand.Intn(5000))
-				time.Sleep(dur * time.Microsecond)
-				events <- -1
-				if err := m.Release(mutex); err != nil {
-					errors <- fmt.Errorf("Release error: %w", err)
-				}
-			} else {
-				errors <- fmt.Errorf("Acquire error: %w", err)
-			}
-		}
-
-		for i := 0; i < nbConcurrency; i++ {
-			wg.Add(1)
-			go doLockUnlock()
-		}
-
-		wg.Wait()
-		close(events)
-		close(errors)
-
-		countConcurrent := 0
-		for delta := range events {
-			countConcurrent += delta
-			if countConcurrent > 1 {
-				t.Errorf("The mutex did not prevented reentry: %d", countConcurrent)
-			}
-		}
-
-		for anError := range errors {
-			t.Errorf("The gorouting returned an error: %s", anError)
-		}
-	})
-}

pkg/kubeconfig/writer/write_test.go

@@ -1,7 +1,6 @@
 package writer
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -26,7 +25,7 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
-		b, err := ioutil.ReadFile(f)
+		b, err := os.ReadFile(f)
 		if err != nil {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}
@@ -71,7 +70,7 @@ users:
 		}); err != nil {
 			t.Fatalf("Could not update auth: %s", err)
 		}
-		b, err := ioutil.ReadFile(f)
+		b, err := os.ReadFile(f)
 		if err != nil {
 			t.Fatalf("Could not read kubeconfig: %s", err)
 		}

pkg/mocks.go

@@ -1,3 +0,0 @@
-package pkg
-
-//go:generate mockery --all --inpackage --with-expecter

pkg/oidc/client/client.go

@@ -12,6 +12,7 @@ import (
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/oauth2cli"
+	"github.com/int128/oauth2dev"
 	"golang.org/x/oauth2"
 )
 
@@ -20,6 +21,8 @@ type Interface interface {
 	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error)
 	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error)
 	GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error)
+	GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error)
+	ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)
 	Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)
 	SupportedPKCEMethods() []string
 }
@@ -52,12 +55,14 @@ type GetTokenByAuthCodeInput struct {
 }
 
 type client struct {
-	httpClient           *http.Client
-	provider             *gooidc.Provider
-	oauth2Config         oauth2.Config
-	clock                clock.Interface
-	logger               logger.Interface
-	supportedPKCEMethods []string
+	httpClient                  *http.Client
+	provider                    *gooidc.Provider
+	oauth2Config                oauth2.Config
+	clock                       clock.Interface
+	logger                      logger.Interface
+	supportedPKCEMethods        []string
+	deviceAuthorizationEndpoint string
+	useAccessToken              bool
 }
 
 func (c *client) wrapContext(ctx context.Context) context.Context {
@@ -151,6 +156,26 @@ func (c *client) GetTokenByROPC(ctx context.Context, username, password string)
 	return c.verifyToken(ctx, token, "")
 }
 
+// GetDeviceAuthorization initializes the device authorization code challenge
+func (c *client) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ctx = c.wrapContext(ctx)
+	config := c.oauth2Config
+	config.Endpoint = oauth2.Endpoint{
+		AuthURL: c.deviceAuthorizationEndpoint,
+	}
+	return oauth2dev.RetrieveCode(ctx, config)
+}
+
+// ExchangeDeviceCode exchanges the device to an oidc.TokenSet
+func (c *client) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	tokenResponse, err := oauth2dev.PollToken(ctx, c.oauth2Config, *authResponse)
+	if err != nil {
+		return nil, fmt.Errorf("device-code: exchange failed: %w", err)
+	}
+	return c.verifyToken(ctx, tokenResponse, "")
+}
+
 // Refresh sends a refresh token request and returns a token set.
 func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
 	ctx = c.wrapContext(ctx)
@@ -171,7 +196,7 @@ func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenS
 func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*oidc.TokenSet, error) {
 	idToken, ok := token.Extra("id_token").(string)
 	if !ok {
-		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
+		return nil, fmt.Errorf("id_token is missing in the token response: %#v", token)
 	}
 	verifier := c.provider.Verifier(&gooidc.Config{ClientID: c.oauth2Config.ClientID, Now: c.clock.Now})
 	verifiedIDToken, err := verifier.Verify(ctx, idToken)
@@ -181,6 +206,32 @@ func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce str
 	if nonce != "" && nonce != verifiedIDToken.Nonce {
 		return nil, fmt.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
 	}
+
+	if c.useAccessToken {
+		accessToken, ok := token.Extra("access_token").(string)
+		if !ok {
+			return nil, fmt.Errorf("access_token is missing in the token response: %#v", accessToken)
+		}
+
+		// We intentionally do not perform a ClientID check here because there
+		// are some use cases in access_tokens where we *expect* the audience
+		// to differ. For example, one can explicitly set
+		// `audience=CLUSTER_CLIENT_ID` as an extra auth parameter.
+		verifier = c.provider.Verifier(&gooidc.Config{ClientID: "", Now: c.clock.Now, SkipClientIDCheck: true})
+
+		_, err := verifier.Verify(ctx, accessToken)
+		if err != nil {
+			return nil, fmt.Errorf("could not verify the access token: %w", err)
+		}
+
+		// There is no `nonce` to check on the `access_token`. We rely on the
+		// above `nonce` check on the `id_token`.
+
+		return &oidc.TokenSet{
+			IDToken:      accessToken,
+			RefreshToken: token.RefreshToken,
+		}, nil
+	}
 	return &oidc.TokenSet{
 		IDToken:      idToken,
 		RefreshToken: token.RefreshToken,

pkg/oidc/client/factory.go

@@ -63,6 +63,10 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	if len(supportedPKCEMethods) == 0 && p.UsePKCE {
 		supportedPKCEMethods = []string{pkce.MethodS256}
 	}
+	deviceAuthorizationEndpoint, err := extractDeviceAuthorizationEndpoint(provider)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine device authorization endpoint: %w", err)
+	}
 	return &client{
 		httpClient: httpClient,
 		provider:   provider,
@@ -72,9 +76,11 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 			ClientSecret: p.ClientSecret,
 			Scopes:       append(p.ExtraScopes, gooidc.ScopeOpenID),
 		},
-		clock:                f.Clock,
-		logger:               f.Logger,
-		supportedPKCEMethods: supportedPKCEMethods,
+		clock:                       f.Clock,
+		logger:                      f.Logger,
+		supportedPKCEMethods:        supportedPKCEMethods,
+		deviceAuthorizationEndpoint: deviceAuthorizationEndpoint,
+		useAccessToken:              p.UseAccessToken,
 	}, nil
 }
 
@@ -87,3 +93,13 @@ func extractSupportedPKCEMethods(provider *gooidc.Provider) ([]string, error) {
 	}
 	return d.CodeChallengeMethodsSupported, nil
 }
+
+func extractDeviceAuthorizationEndpoint(provider *gooidc.Provider) (string, error) {
+	var d struct {
+		DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
+	}
+	if err := provider.Claims(&d); err != nil {
+		return "", fmt.Errorf("invalid discovery document: %w", err)
+	}
+	return d.DeviceAuthorizationEndpoint, nil
+}

pkg/oidc/client/mock_Interface.go

@@ -1,303 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package client
-
-import (
-	context "context"
-
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// ExchangeAuthCode provides a mock function with given fields: ctx, in
-func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, in)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, ExchangeAuthCodeInput) *oidc.TokenSet); ok {
-		r0 = rf(ctx, in)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, ExchangeAuthCodeInput) error); ok {
-		r1 = rf(ctx, in)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
-type MockInterface_ExchangeAuthCode_Call struct {
-	*mock.Call
-}
-
-// ExchangeAuthCode is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in ExchangeAuthCodeInput
-func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
-	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
-}
-
-func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(ExchangeAuthCodeInput))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetAuthCodeURL provides a mock function with given fields: in
-func (_m *MockInterface) GetAuthCodeURL(in AuthCodeURLInput) string {
-	ret := _m.Called(in)
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func(AuthCodeURLInput) string); ok {
-		r0 = rf(in)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
-type MockInterface_GetAuthCodeURL_Call struct {
-	*mock.Call
-}
-
-// GetAuthCodeURL is a helper method to define mock.On call
-//  - in AuthCodeURLInput
-func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
-	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
-}
-
-func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(AuthCodeURLInput))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
-func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, in, localServerReadyChan)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, in, localServerReadyChan)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) error); ok {
-		r1 = rf(ctx, in, localServerReadyChan)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
-type MockInterface_GetTokenByAuthCode_Call struct {
-	*mock.Call
-}
-
-// GetTokenByAuthCode is a helper method to define mock.On call
-//  - ctx context.Context
-//  - in GetTokenByAuthCodeInput
-//  - localServerReadyChan chan<- string
-func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
-	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
-}
-
-func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(GetTokenByAuthCodeInput), args[2].(chan<- string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetTokenByROPC provides a mock function with given fields: ctx, username, password
-func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, username, password)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, username, password)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
-		r1 = rf(ctx, username, password)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
-type MockInterface_GetTokenByROPC_Call struct {
-	*mock.Call
-}
-
-// GetTokenByROPC is a helper method to define mock.On call
-//  - ctx context.Context
-//  - username string
-//  - password string
-func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
-	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
-}
-
-func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string), args[2].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Refresh provides a mock function with given fields: ctx, refreshToken
-func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, refreshToken)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, refreshToken)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, refreshToken)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
-type MockInterface_Refresh_Call struct {
-	*mock.Call
-}
-
-// Refresh is a helper method to define mock.On call
-//  - ctx context.Context
-//  - refreshToken string
-func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
-	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
-}
-
-func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// SupportedPKCEMethods provides a mock function with given fields:
-func (_m *MockInterface) SupportedPKCEMethods() []string {
-	ret := _m.Called()
-
-	var r0 []string
-	if rf, ok := ret.Get(0).(func() []string); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]string)
-		}
-	}
-
-	return r0
-}
-
-// MockInterface_SupportedPKCEMethods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SupportedPKCEMethods'
-type MockInterface_SupportedPKCEMethods_Call struct {
-	*mock.Call
-}
-
-// SupportedPKCEMethods is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) SupportedPKCEMethods() *MockInterface_SupportedPKCEMethods_Call {
-	return &MockInterface_SupportedPKCEMethods_Call{Call: _e.mock.On("SupportedPKCEMethods")}
-}
-
-func (_c *MockInterface_SupportedPKCEMethods_Call) Run(run func()) *MockInterface_SupportedPKCEMethods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_SupportedPKCEMethods_Call) Return(_a0 []string) *MockInterface_SupportedPKCEMethods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/oidc/oidc.go

@@ -11,11 +11,12 @@ import (
 
 // Provider represents an OIDC provider.
 type Provider struct {
-	IssuerURL    string
-	ClientID     string
-	ClientSecret string   // optional
-	ExtraScopes  []string // optional
-	UsePKCE      bool     // optional
+	IssuerURL      string
+	ClientID       string
+	ClientSecret   string   // optional
+	ExtraScopes    []string // optional
+	UsePKCE        bool     // optional
+	UseAccessToken bool     // optional
 }
 
 // TokenSet represents a set of ID token and refresh token.

pkg/testing/jwt/encode.go

@@ -5,7 +5,7 @@ import (
 	"crypto/rsa"
 	"testing"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 var PrivateKey = generateKey(1024)
@@ -19,7 +19,7 @@ func generateKey(b int) *rsa.PrivateKey {
 }
 
 type Claims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	// aud claim is either a string or an array of strings.
 	// https://tools.ietf.org/html/rfc7519#section-4.1.3
 	Audience      []string `json:"aud,omitempty"`

pkg/testing/logger/mock_testingLogger.go

@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// mockTestingLogger is an autogenerated mock type for the testingLogger type
-type mockTestingLogger struct {
-	mock.Mock
-}
-
-type mockTestingLogger_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *mockTestingLogger) EXPECT() *mockTestingLogger_Expecter {
-	return &mockTestingLogger_Expecter{mock: &_m.Mock}
-}
-
-// Logf provides a mock function with given fields: format, v
-func (_m *mockTestingLogger) Logf(format string, v ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, v...)
-	_m.Called(_ca...)
-}
-
-// mockTestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
-type mockTestingLogger_Logf_Call struct {
-	*mock.Call
-}
-
-// Logf is a helper method to define mock.On call
-//  - format string
-//  - v ...interface{}
-func (_e *mockTestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *mockTestingLogger_Logf_Call {
-	return &mockTestingLogger_Logf_Call{Call: _e.mock.On("Logf",
-		append([]interface{}{format}, v...)...)}
-}
-
-func (_c *mockTestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *mockTestingLogger_Logf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *mockTestingLogger_Logf_Call) Return() *mockTestingLogger_Logf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTnewMockTestingLogger interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// newMockTestingLogger creates a new instance of mockTestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func newMockTestingLogger(t mockConstructorTestingTnewMockTestingLogger) *mockTestingLogger {
-	mock := &mockTestingLogger{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}

pkg/tlsclientconfig/loader/load.go

@@ -7,7 +7,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"os"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -38,8 +38,8 @@ func (l *Loader) Load(config tlsclientconfig.Config) (*tls.Config, error) {
 			return nil, fmt.Errorf("could not load the certificate: %w", err)
 		}
 	}
-	if len(rootCAs.Subjects()) == 0 {
-		// use the host's root CA set
+	if rootCAs.Equal(x509.NewCertPool()) {
+		// if empty, use the host's root CA set
 		rootCAs = nil
 	}
 	return &tls.Config{
@@ -50,7 +50,7 @@ func (l *Loader) Load(config tlsclientconfig.Config) (*tls.Config, error) {
 }
 
 func addFile(p *x509.CertPool, filename string) error {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return fmt.Errorf("could not read: %w", err)
 	}

pkg/tlsclientconfig/loader/load_test.go

@@ -1,7 +1,7 @@
 package loader
 
 import (
-	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -25,8 +25,8 @@ func TestLoader_Load(t *testing.T) {
 		if err != nil {
 			t.Errorf("Load error: %s", err)
 		}
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
+		if cfg.RootCAs == nil {
+			t.Errorf("RootCAs wants non-nil but was nil")
 		}
 	})
 	t.Run("InvalidFile", func(t *testing.T) {
@@ -44,15 +44,15 @@ func TestLoader_Load(t *testing.T) {
 		if err != nil {
 			t.Errorf("Load error: %s", err)
 		}
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
+		if cfg.RootCAs == nil {
+			t.Errorf("RootCAs wants non-nil but was nil")
 		}
 	})
 }
 
 func readFile(t *testing.T, filename string) string {
 	t.Helper()
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		t.Fatalf("ReadFile error: %s", err)
 	}

pkg/tokencache/repository/repository.go

@@ -6,9 +6,11 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 
+	"github.com/gofrs/flock"
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/tokencache"
@@ -23,6 +25,7 @@ var Set = wire.NewSet(
 type Interface interface {
 	FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error)
 	Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error
+	Lock(dir string, key tokencache.Key) (io.Closer, error)
 }
 
 type entity struct {
@@ -80,6 +83,24 @@ func (r *Repository) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet
 	return nil
 }
 
+func (r *Repository) Lock(tokenCacheDir string, key tokencache.Key) (io.Closer, error) {
+	if err := os.MkdirAll(tokenCacheDir, 0700); err != nil {
+		return nil, fmt.Errorf("could not create directory %s: %w", tokenCacheDir, err)
+	}
+	keyDigest, err := computeFilename(key)
+	if err != nil {
+		return nil, fmt.Errorf("could not compute the key: %w", err)
+	}
+	// Do not lock the token cache file.
+	// https://github.com/int128/kubelogin/issues/1144
+	lockFilepath := filepath.Join(tokenCacheDir, keyDigest+".lock")
+	lockFile := flock.New(lockFilepath)
+	if err := lockFile.Lock(); err != nil {
+		return nil, fmt.Errorf("could not lock the cache file %s: %w", lockFilepath, err)
+	}
+	return lockFile, nil
+}
+
 func computeFilename(key tokencache.Key) (string, error) {
 	s := sha256.New()
 	e := gob.NewEncoder(s)

pkg/tokencache/repository/repository_test.go

@@ -1,12 +1,13 @@
 package repository
 
 import (
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/tokencache"
 )
 
@@ -16,12 +17,15 @@ func TestRepository_FindByKey(t *testing.T) {
 	t.Run("Success", func(t *testing.T) {
 		dir := t.TempDir()
 		key := tokencache.Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
+			Provider: oidc.Provider{
+				IssuerURL:    "YOUR_ISSUER",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"openid", "email"},
+			},
+			TLSClientConfig: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert"},
+			},
 		}
 		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
 		filename, err := computeFilename(key)
@@ -29,7 +33,7 @@ func TestRepository_FindByKey(t *testing.T) {
 			t.Errorf("could not compute the key: %s", err)
 		}
 		p := filepath.Join(dir, filename)
-		if err := ioutil.WriteFile(p, []byte(json), 0600); err != nil {
+		if err := os.WriteFile(p, []byte(json), 0600); err != nil {
 			t.Fatalf("could not write to the temp file: %s", err)
 		}
 
@@ -50,12 +54,15 @@ func TestRepository_Save(t *testing.T) {
 	t.Run("Success", func(t *testing.T) {
 		dir := t.TempDir()
 		key := tokencache.Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
+			Provider: oidc.Provider{
+				IssuerURL:    "YOUR_ISSUER",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"openid", "email"},
+			},
+			TLSClientConfig: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert"},
+			},
 		}
 		tokenSet := oidc.TokenSet{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
 		if err := r.Save(dir, key, tokenSet); err != nil {
@@ -67,7 +74,7 @@ func TestRepository_Save(t *testing.T) {
 			t.Errorf("could not compute the key: %s", err)
 		}
 		p := filepath.Join(dir, filename)
-		b, err := ioutil.ReadFile(p)
+		b, err := os.ReadFile(p)
 		if err != nil {
 			t.Fatalf("could not read the token cache file: %s", err)
 		}

pkg/tokencache/types.go

@@ -1,13 +1,13 @@
 package tokencache
 
+import (
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+)
+
 // Key represents a key of a token cache.
 type Key struct {
-	IssuerURL      string
-	ClientID       string
-	ClientSecret   string
-	Username       string
-	ExtraScopes    []string
-	CACertFilename string
-	CACertData     string
-	SkipTLSVerify  bool
+	Provider        oidc.Provider
+	TLSClientConfig tlsclientconfig.Config
+	Username        string
 }

pkg/usecases/authentication/authcode/browser_test.go

@@ -6,7 +6,8 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client"
 	"github.com/int128/kubelogin/pkg/testing/logger"
@@ -29,7 +30,7 @@ func TestBrowser_Do(t *testing.T) {
 			RedirectURLHostname:        "localhost",
 			AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			SupportedPKCEMethods().
 			Return(nil)
@@ -83,7 +84,7 @@ func TestBrowser_Do(t *testing.T) {
 			BindAddress:           []string{"127.0.0.1:8000"},
 			AuthenticationTimeout: 10 * time.Second,
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			SupportedPKCEMethods().
 			Return(nil)
@@ -96,7 +97,7 @@ func TestBrowser_Do(t *testing.T) {
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockBrowser := browser.NewMockInterface(t)
+		mockBrowser := browser_mock.NewMockInterface(t)
 		mockBrowser.EXPECT().
 			Open("LOCAL_SERVER_URL").
 			Return(nil)
@@ -125,7 +126,7 @@ func TestBrowser_Do(t *testing.T) {
 			BrowserCommand:        "firefox",
 			AuthenticationTimeout: 10 * time.Second,
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			SupportedPKCEMethods().
 			Return(nil)
@@ -138,7 +139,7 @@ func TestBrowser_Do(t *testing.T) {
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockBrowser := browser.NewMockInterface(t)
+		mockBrowser := browser_mock.NewMockInterface(t)
 		mockBrowser.EXPECT().
 			OpenCommand(mock.Anything, "LOCAL_SERVER_URL", "firefox").
 			Return(nil)

pkg/usecases/authentication/authcode/keyboard.go

@@ -12,10 +12,10 @@ import (
 )
 
 const keyboardPrompt = "Enter code: "
-const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
 
 type KeyboardOption struct {
 	AuthRequestExtraParams map[string]string
+	RedirectURL            string
 }
 
 // Keyboard provides the authorization code flow with keyboard interactive.
@@ -38,11 +38,12 @@ func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, oidcClient client.
 	if err != nil {
 		return nil, fmt.Errorf("could not generate PKCE parameters: %w", err)
 	}
+
 	authCodeURL := oidcClient.GetAuthCodeURL(client.AuthCodeURLInput{
 		State:                  state,
 		Nonce:                  nonce,
 		PKCEParams:             p,
-		RedirectURI:            oobRedirectURI,
+		RedirectURI:            o.RedirectURL,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 	})
 	u.Logger.Printf("Please visit the following URL in your browser: %s", authCodeURL)
@@ -56,7 +57,7 @@ func (u *Keyboard) Do(ctx context.Context, o *KeyboardOption, oidcClient client.
 		Code:        code,
 		PKCEParams:  p,
 		Nonce:       nonce,
-		RedirectURI: oobRedirectURI,
+		RedirectURI: o.RedirectURL,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("could not exchange the authorization code: %w", err)

pkg/usecases/authentication/authcode/keyboard_test.go

@@ -6,7 +6,8 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client"
 	"github.com/int128/kubelogin/pkg/testing/logger"
@@ -22,7 +23,7 @@ func TestKeyboard_Do(t *testing.T) {
 		o := &KeyboardOption{
 			AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			SupportedPKCEMethods().
 			Return(nil)
@@ -45,7 +46,7 @@ func TestKeyboard_Do(t *testing.T) {
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockReader := reader.NewMockInterface(t)
+		mockReader := reader_mock.NewMockInterface(t)
 		mockReader.EXPECT().
 			ReadString(keyboardPrompt).
 			Return("YOUR_AUTH_CODE", nil)

pkg/usecases/authentication/authentication.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 
 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
 )
 
@@ -21,6 +21,7 @@ var Set = wire.NewSet(
 	wire.Struct(new(authcode.Browser), "*"),
 	wire.Struct(new(authcode.Keyboard), "*"),
 	wire.Struct(new(ropc.ROPC), "*"),
+	wire.Struct(new(devicecode.DeviceCode), "*"),
 )
 
 type Interface interface {
@@ -33,18 +34,20 @@ type Input struct {
 	GrantOptionSet  GrantOptionSet
 	CachedTokenSet  *oidc.TokenSet // optional
 	TLSClientConfig tlsclientconfig.Config
+	ForceRefresh    bool
+	UseAccessToken  bool
 }
 
 type GrantOptionSet struct {
 	AuthCodeBrowserOption  *authcode.BrowserOption
 	AuthCodeKeyboardOption *authcode.KeyboardOption
 	ROPCOption             *ropc.Option
+	DeviceCodeOption       *devicecode.Option
 }
 
 // Output represents an output DTO of the Authentication use-case.
 type Output struct {
-	AlreadyHasValidIDToken bool
-	TokenSet               oidc.TokenSet
+	TokenSet oidc.TokenSet
 }
 
 // Authentication provides the internal use-case of authentication.
@@ -59,36 +62,16 @@ type Output struct {
 // If the Username is not set, it performs the authorization code flow.
 // Otherwise, it performs the resource owner password credentials flow.
 // If the Password is not set, it asks a password by the prompt.
-//
 type Authentication struct {
 	ClientFactory    client.FactoryInterface
 	Logger           logger.Interface
-	Clock            clock.Interface
 	AuthCodeBrowser  *authcode.Browser
 	AuthCodeKeyboard *authcode.Keyboard
 	ROPC             *ropc.ROPC
+	DeviceCode       *devicecode.DeviceCode
 }
 
 func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
-	if in.CachedTokenSet != nil {
-		u.Logger.V(1).Infof("checking expiration of the existing token")
-		// Skip verification of the token to reduce time of a discovery request.
-		// Here it trusts the signature and claims and checks only expiration,
-		// because the token has been verified before caching.
-		claims, err := in.CachedTokenSet.DecodeWithoutVerify()
-		if err != nil {
-			return nil, fmt.Errorf("invalid token cache (you may need to remove): %w", err)
-		}
-		if !claims.IsExpired(u.Clock) {
-			u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
-			return &Output{
-				AlreadyHasValidIDToken: true,
-				TokenSet:               *in.CachedTokenSet,
-			}, nil
-		}
-		u.Logger.V(1).Infof("you have an expired token at %s", claims.Expiry)
-	}
-
 	u.Logger.V(1).Infof("initializing an OpenID Connect client")
 	oidcClient, err := u.ClientFactory.New(ctx, in.Provider, in.TLSClientConfig)
 	if err != nil {
@@ -125,5 +108,12 @@ func (u *Authentication) Do(ctx context.Context, in Input) (*Output, error) {
 		}
 		return &Output{TokenSet: *tokenSet}, nil
 	}
+	if in.GrantOptionSet.DeviceCodeOption != nil {
+		tokenSet, err := u.DeviceCode.Do(ctx, in.GrantOptionSet.DeviceCodeOption, oidcClient)
+		if err != nil {
+			return nil, fmt.Errorf("device-code error: %w", err)
+		}
+		return &Output{TokenSet: *tokenSet}, nil
+	}
 	return nil, fmt.Errorf("any authorization grant must be set")
 }

pkg/usecases/authentication/authentication_test.go

@@ -6,10 +6,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/oidc/client"
-	"github.com/int128/kubelogin/pkg/testing/clock"
 	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
 	testingLogger "github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -32,36 +33,7 @@ func TestAuthentication_Do(t *testing.T) {
 	issuedIDToken := testingJWT.EncodeF(t, func(claims *testingJWT.Claims) {
 		claims.Issuer = "https://accounts.google.com"
 		claims.Subject = "YOUR_SUBJECT"
-		claims.ExpiresAt = expiryTime.Unix()
-	})
-
-	t.Run("HasValidIDToken", func(t *testing.T) {
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		in := Input{
-			Provider:        dummyProvider,
-			TLSClientConfig: dummyTLSClientConfig,
-			CachedTokenSet: &oidc.TokenSet{
-				IDToken: issuedIDToken,
-			},
-		}
-		u := Authentication{
-			Logger: testingLogger.New(t),
-			Clock:  clock.Fake(expiryTime.Add(-time.Hour)),
-		}
-		got, err := u.Do(ctx, in)
-		if err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-		want := &Output{
-			AlreadyHasValidIDToken: true,
-			TokenSet: oidc.TokenSet{
-				IDToken: issuedIDToken,
-			},
-		}
-		if diff := cmp.Diff(want, got); diff != "" {
-			t.Errorf("mismatch (-want +got):\n%s", diff)
-		}
+		claims.ExpiresAt = jwt.NewNumericDate(expiryTime)
 	})
 
 	t.Run("HasValidRefreshToken", func(t *testing.T) {
@@ -75,21 +47,20 @@ func TestAuthentication_Do(t *testing.T) {
 				RefreshToken: "VALID_REFRESH_TOKEN",
 			},
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			Refresh(ctx, "VALID_REFRESH_TOKEN").
 			Return(&oidc.TokenSet{
 				IDToken:      "NEW_ID_TOKEN",
 				RefreshToken: "NEW_REFRESH_TOKEN",
 			}, nil)
-		mockClientFactory := client.NewMockFactoryInterface(t)
+		mockClientFactory := client_mock.NewMockFactoryInterface(t)
 		mockClientFactory.EXPECT().
 			New(ctx, dummyProvider, dummyTLSClientConfig).
 			Return(mockClient, nil)
 		u := Authentication{
 			ClientFactory: mockClientFactory,
 			Logger:        testingLogger.New(t),
-			Clock:         clock.Fake(expiryTime.Add(+time.Hour)),
 		}
 		got, err := u.Do(ctx, in)
 		if err != nil {
@@ -124,7 +95,7 @@ func TestAuthentication_Do(t *testing.T) {
 				RefreshToken: "EXPIRED_REFRESH_TOKEN",
 			},
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			SupportedPKCEMethods().
 			Return(nil)
@@ -140,14 +111,13 @@ func TestAuthentication_Do(t *testing.T) {
 				IDToken:      "NEW_ID_TOKEN",
 				RefreshToken: "NEW_REFRESH_TOKEN",
 			}, nil)
-		mockClientFactory := client.NewMockFactoryInterface(t)
+		mockClientFactory := client_mock.NewMockFactoryInterface(t)
 		mockClientFactory.EXPECT().
 			New(ctx, dummyProvider, dummyTLSClientConfig).
 			Return(mockClient, nil)
 		u := Authentication{
 			ClientFactory: mockClientFactory,
 			Logger:        testingLogger.New(t),
-			Clock:         clock.Fake(expiryTime.Add(+time.Hour)),
 			AuthCodeBrowser: &authcode.Browser{
 				Logger: testingLogger.New(t),
 			},
@@ -180,14 +150,14 @@ func TestAuthentication_Do(t *testing.T) {
 				},
 			},
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			GetTokenByROPC(mock.Anything, "USER", "PASS").
 			Return(&oidc.TokenSet{
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockClientFactory := client.NewMockFactoryInterface(t)
+		mockClientFactory := client_mock.NewMockFactoryInterface(t)
 		mockClientFactory.EXPECT().
 			New(ctx, dummyProvider, dummyTLSClientConfig).
 			Return(mockClient, nil)

pkg/usecases/authentication/devicecode/devicecode.go

@@ -0,0 +1,72 @@
+package devicecode
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/oidc/client"
+)
+
+type Option struct {
+	SkipOpenBrowser bool
+	BrowserCommand  string
+}
+
+// DeviceCode provides the oauth2 device code flow.
+type DeviceCode struct {
+	Browser browser.Interface
+	Logger  logger.Interface
+}
+
+func (u *DeviceCode) Do(ctx context.Context, in *Option, oidcClient client.Interface) (*oidc.TokenSet, error) {
+	u.Logger.V(1).Infof("starting the oauth2 device code flow")
+
+	authResponse, err := oidcClient.GetDeviceAuthorization(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("authorization error: %w", err)
+	}
+
+	if authResponse.VerificationURIComplete != "" {
+		u.openURL(ctx, in, authResponse.VerificationURIComplete)
+	} else if authResponse.VerificationURI != "" {
+		u.Logger.Printf("Please enter the following code when asked in your browser: %s", authResponse.UserCode)
+		u.openURL(ctx, in, authResponse.VerificationURI)
+	} else if authResponse.VerificationURL != "" {
+		u.Logger.Printf("Please enter the following code when asked in your browser: %s", authResponse.UserCode)
+		u.openURL(ctx, in, authResponse.VerificationURL)
+	} else {
+		return nil, fmt.Errorf("no verification URI in the authorization response")
+	}
+
+	tokenSet, err := oidcClient.ExchangeDeviceCode(ctx, authResponse)
+	u.Logger.V(1).Infof("finished the oauth2 device code flow")
+	if err != nil {
+		return nil, fmt.Errorf("unable to exchange device code: %w", err)
+	}
+	return tokenSet, nil
+}
+
+func (u *DeviceCode) openURL(ctx context.Context, o *Option, url string) {
+	if o != nil && o.SkipOpenBrowser {
+		u.Logger.Printf("Please visit the following URL in your browser: %s", url)
+		return
+	}
+
+	u.Logger.V(1).Infof("opening %s in the browser", url)
+	if o != nil && o.BrowserCommand != "" {
+		if err := u.Browser.OpenCommand(ctx, url, o.BrowserCommand); err != nil {
+			u.Logger.Printf(`error: could not open the browser: %s
+
+Please visit the following URL in your browser manually: %s`, err, url)
+		}
+		return
+	}
+	if err := u.Browser.Open(url); err != nil {
+		u.Logger.Printf(`error: could not open the browser: %s
+
+Please visit the following URL in your browser manually: %s`, err, url)
+	}
+}

pkg/usecases/authentication/devicecode/devicecode_test.go

@@ -0,0 +1,185 @@
+package devicecode
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/oauth2dev"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestDeviceCode(t *testing.T) {
+	ctx := context.TODO()
+
+	t.Run("Authorization error", func(t *testing.T) {
+		mockClient := client_mock.NewMockInterface(t)
+		dc := &DeviceCode{
+			Browser: browser_mock.NewMockInterface(t),
+			Logger:  logger.New(t),
+		}
+		errTest := errors.New("test error")
+		mockClient.EXPECT().GetDeviceAuthorization(ctx).Return(nil, errTest).Once()
+		_, err := dc.Do(ctx, &Option{}, mockClient)
+		if !errors.Is(err, errTest) {
+			t.Errorf("returned error is not the test error: %v", err)
+		}
+	})
+
+	t.Run("Server returns verification_uri_complete", func(t *testing.T) {
+		mockBrowser := browser_mock.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
+		dc := &DeviceCode{
+			Browser: mockBrowser,
+			Logger:  logger.New(t),
+		}
+		mockResponse := &oauth2dev.AuthorizationResponse{
+			DeviceCode:              "device-code-1",
+			VerificationURIComplete: "https://example.com/verificationComplete?code=code123",
+			ExpiresIn:               2,
+			Interval:                1,
+		}
+		mockClient.EXPECT().GetDeviceAuthorization(ctx).Return(&oauth2dev.AuthorizationResponse{
+			Interval:                1,
+			ExpiresIn:               2,
+			VerificationURIComplete: "https://example.com/verificationComplete?code=code123",
+			DeviceCode:              "device-code-1",
+		}, nil).Once()
+		mockBrowser.EXPECT().Open("https://example.com/verificationComplete?code=code123").Return(nil).Once()
+		mockClient.EXPECT().ExchangeDeviceCode(mock.Anything, mockResponse).Return(&oidc.TokenSet{
+			IDToken: "test-id-token",
+		}, nil).Once()
+		ts, err := dc.Do(ctx, &Option{}, mockClient)
+		if err != nil {
+			t.Errorf("returned unexpected error: %v", err)
+		}
+		if ts.IDToken != "test-id-token" {
+			t.Errorf("wrong returned tokenset: %v", err)
+		}
+	})
+
+	t.Run("Server returns verification_uri", func(t *testing.T) {
+		mockBrowser := browser_mock.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
+		dc := &DeviceCode{
+			Browser: mockBrowser,
+			Logger:  logger.New(t),
+		}
+		mockResponseWithoutComplete := &oauth2dev.AuthorizationResponse{
+			DeviceCode:      "device-code-1",
+			VerificationURI: "https://example.com/verificationComplete",
+			ExpiresIn:       2,
+			Interval:        1,
+		}
+		mockClient.EXPECT().GetDeviceAuthorization(ctx).Return(&oauth2dev.AuthorizationResponse{
+			Interval:        1,
+			ExpiresIn:       2,
+			VerificationURI: "https://example.com/verificationComplete",
+			DeviceCode:      "device-code-1",
+		}, nil).Once()
+		mockBrowser.EXPECT().Open("https://example.com/verificationComplete").Return(nil).Once()
+		mockClient.EXPECT().ExchangeDeviceCode(mock.Anything, mockResponseWithoutComplete).Return(&oidc.TokenSet{
+			IDToken: "test-id-token",
+		}, nil).Once()
+		ts, err := dc.Do(ctx, &Option{}, mockClient)
+		if err != nil {
+			t.Errorf("returned unexpected error: %v", err)
+		}
+		if ts.IDToken != "test-id-token" {
+			t.Errorf("wrong returned tokenset: %v", err)
+		}
+	})
+
+	t.Run("Server returns verification_url", func(t *testing.T) {
+		mockBrowser := browser_mock.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
+		dc := &DeviceCode{
+			Browser: mockBrowser,
+			Logger:  logger.New(t),
+		}
+		mockResponse := &oauth2dev.AuthorizationResponse{
+			DeviceCode:      "device-code-1",
+			VerificationURL: "https://example.com/verificationCompleteURL",
+			ExpiresIn:       2,
+			Interval:        1,
+		}
+		mockClient.EXPECT().GetDeviceAuthorization(ctx).Return(mockResponse, nil).Once()
+		mockBrowser.EXPECT().Open("https://example.com/verificationCompleteURL").Return(nil).Once()
+		mockClient.EXPECT().ExchangeDeviceCode(mock.Anything, mockResponse).Return(&oidc.TokenSet{
+			IDToken: "test-id-token",
+		}, nil).Once()
+		ts, err := dc.Do(ctx, &Option{}, mockClient)
+		if err != nil {
+			t.Errorf("returned unexpected error: %v", err)
+		}
+		if ts.IDToken != "test-id-token" {
+			t.Errorf("wrong returned tokenset: %v", err)
+		}
+	})
+
+	t.Run("Error when exchanging the device code", func(t *testing.T) {
+		mockBrowser := browser_mock.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
+		dc := &DeviceCode{
+			Browser: mockBrowser,
+			Logger:  logger.New(t),
+		}
+		mockResponse := &oauth2dev.AuthorizationResponse{
+			DeviceCode:              "device-code-1",
+			VerificationURIComplete: "https://example.com/verificationComplete?code=code123",
+			ExpiresIn:               2,
+			Interval:                1,
+		}
+		mockClient.EXPECT().GetDeviceAuthorization(ctx).Return(&oauth2dev.AuthorizationResponse{
+			Interval:                1,
+			ExpiresIn:               2,
+			VerificationURIComplete: "https://example.com/verificationComplete?code=code123",
+			DeviceCode:              "device-code-1",
+		}, nil).Once()
+		mockBrowser.EXPECT().Open("https://example.com/verificationComplete?code=code123").Return(nil).Once()
+		mockClient.EXPECT().ExchangeDeviceCode(mock.Anything, mockResponse).Return(nil, errors.New("test error")).Once()
+		_, err := dc.Do(ctx, &Option{}, mockClient)
+		if err == nil {
+			t.Errorf("did not return error: %v", err)
+		}
+	})
+}
+
+func TestDeviceCode_openURL(t *testing.T) {
+	ctx := context.TODO()
+	const url = "https://example.com"
+	var testError = errors.New("test error")
+
+	t.Run("Continue if error opening the browser", func(t *testing.T) {
+		browserMock := browser_mock.NewMockInterface(t)
+		deviceCode := &DeviceCode{
+			Browser: browserMock,
+			Logger:  logger.New(t),
+		}
+		browserMock.EXPECT().Open(url).Return(testError).Once()
+		deviceCode.openURL(ctx, nil, url)
+	})
+
+	t.Run("SkipOpenBrowser is set", func(t *testing.T) {
+		browserMock := browser_mock.NewMockInterface(t)
+		deviceCode := &DeviceCode{
+			Browser: browserMock,
+			Logger:  logger.New(t),
+		}
+		deviceCode.openURL(ctx, &Option{SkipOpenBrowser: true}, url)
+	})
+
+	t.Run("BrowserCommand is set", func(t *testing.T) {
+		browserMock := browser_mock.NewMockInterface(t)
+		deviceCode := &DeviceCode{
+			Browser: browserMock,
+			Logger:  logger.New(t),
+		}
+		browserMock.EXPECT().OpenCommand(ctx, url, "test-command").Return(testError).Once()
+		deviceCode.openURL(ctx, &Option{BrowserCommand: "test-command"}, url)
+	})
+}

pkg/usecases/authentication/ropc/ropc_test.go

@@ -7,9 +7,9 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
-	"github.com/int128/kubelogin/pkg/oidc/client"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/stretchr/testify/mock"
 )
@@ -21,14 +21,14 @@ func TestROPC_Do(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
 		o := &Option{}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			GetTokenByROPC(mock.Anything, "USER", "PASS").
 			Return(&oidc.TokenSet{
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockReader := reader.NewMockInterface(t)
+		mockReader := reader_mock.NewMockInterface(t)
 		mockReader.EXPECT().ReadString(usernamePrompt).Return("USER", nil)
 		mockReader.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
 		u := ROPC{
@@ -55,7 +55,7 @@ func TestROPC_Do(t *testing.T) {
 			Username: "USER",
 			Password: "PASS",
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			GetTokenByROPC(mock.Anything, "USER", "PASS").
 			Return(&oidc.TokenSet{
@@ -84,14 +84,14 @@ func TestROPC_Do(t *testing.T) {
 		o := &Option{
 			Username: "USER",
 		}
-		mockClient := client.NewMockInterface(t)
+		mockClient := client_mock.NewMockInterface(t)
 		mockClient.EXPECT().
 			GetTokenByROPC(mock.Anything, "USER", "PASS").
 			Return(&oidc.TokenSet{
 				IDToken:      "YOUR_ID_TOKEN",
 				RefreshToken: "YOUR_REFRESH_TOKEN",
 			}, nil)
-		mockEnv := reader.NewMockInterface(t)
+		mockEnv := reader_mock.NewMockInterface(t)
 		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("PASS", nil)
 		u := ROPC{
 			Reader: mockEnv,
@@ -116,13 +116,13 @@ func TestROPC_Do(t *testing.T) {
 		o := &Option{
 			Username: "USER",
 		}
-		mockEnv := reader.NewMockInterface(t)
+		mockEnv := reader_mock.NewMockInterface(t)
 		mockEnv.EXPECT().ReadPassword(passwordPrompt).Return("", errors.New("error"))
 		u := ROPC{
 			Reader: mockEnv,
 			Logger: logger.New(t),
 		}
-		out, err := u.Do(ctx, o, client.NewMockInterface(t))
+		out, err := u.Do(ctx, o, client_mock.NewMockInterface(t))
 		if err == nil {
 			t.Errorf("err wants non-nil but nil")
 		}

pkg/usecases/credentialplugin/get_token.go

@@ -6,20 +6,18 @@ package credentialplugin
 import (
 	"context"
 	"fmt"
-	"net"
-	"strings"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/credentialplugin"
-	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	credentialpluginreader "github.com/int128/kubelogin/pkg/credentialplugin/reader"
+	credentialpluginwriter "github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/tokencache"
 	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 )
 
 var Set = wire.NewSet(
@@ -37,59 +35,86 @@ type Input struct {
 	TokenCacheDir   string
 	GrantOptionSet  authentication.GrantOptionSet
 	TLSClientConfig tlsclientconfig.Config
+	ForceRefresh    bool
 }
 
 type GetToken struct {
-	Authentication       authentication.Interface
-	TokenCacheRepository repository.Interface
-	Writer               writer.Interface
-	Mutex                mutex.Interface
-	Logger               logger.Interface
+	Authentication         authentication.Interface
+	TokenCacheRepository   repository.Interface
+	CredentialPluginReader credentialpluginreader.Interface
+	CredentialPluginWriter credentialpluginwriter.Interface
+	Logger                 logger.Interface
+	Clock                  clock.Interface
 }
 
 func (u *GetToken) Do(ctx context.Context, in Input) error {
 	u.Logger.V(1).Infof("WARNING: log may contain your secrets such as token or password")
 
-	// Prevent multiple concurrent port binding using a file mutex.
-	// See https://github.com/int128/kubelogin/issues/389
-	bindPorts := extractBindAddressPorts(in.GrantOptionSet.AuthCodeBrowserOption)
-	if bindPorts != nil {
-		key := fmt.Sprintf("get-token-%s", strings.Join(bindPorts, "-"))
-		u.Logger.V(1).Infof("acquiring a lock %s", key)
-		lock, err := u.Mutex.Acquire(ctx, key)
-		if err != nil {
-			return fmt.Errorf("could not acquire a lock: %w", err)
-		}
-		defer func() {
-			if err := u.Mutex.Release(lock); err != nil {
-				u.Logger.V(1).Infof("could not release the lock: %s", err)
-			}
-		}()
+	credentialPluginInput, err := u.CredentialPluginReader.Read()
+	if err != nil {
+		return fmt.Errorf("could not read the input of credential plugin: %w", err)
 	}
+	u.Logger.V(1).Infof("credential plugin is called with apiVersion: %s", credentialPluginInput.ClientAuthenticationAPIVersion)
 
 	u.Logger.V(1).Infof("finding a token from cache directory %s", in.TokenCacheDir)
 	tokenCacheKey := tokencache.Key{
-		IssuerURL:      in.Provider.IssuerURL,
-		ClientID:       in.Provider.ClientID,
-		ClientSecret:   in.Provider.ClientSecret,
-		ExtraScopes:    in.Provider.ExtraScopes,
-		CACertFilename: strings.Join(in.TLSClientConfig.CACertFilename, ","),
-		CACertData:     strings.Join(in.TLSClientConfig.CACertData, ","),
-		SkipTLSVerify:  in.TLSClientConfig.SkipTLSVerify,
+		Provider:        in.Provider,
+		TLSClientConfig: in.TLSClientConfig,
 	}
 	if in.GrantOptionSet.ROPCOption != nil {
 		tokenCacheKey.Username = in.GrantOptionSet.ROPCOption.Username
 	}
+
+	u.Logger.V(1).Infof("acquiring the lock of token cache")
+	lock, err := u.TokenCacheRepository.Lock(in.TokenCacheDir, tokenCacheKey)
+	if err != nil {
+		return fmt.Errorf("could not lock the token cache: %w", err)
+	}
+	defer func() {
+		u.Logger.V(1).Infof("releasing the lock of token cache")
+		if err := lock.Close(); err != nil {
+			u.Logger.Printf("could not unlock the token cache: %s", err)
+		}
+	}()
+
 	cachedTokenSet, err := u.TokenCacheRepository.FindByKey(in.TokenCacheDir, tokenCacheKey)
 	if err != nil {
 		u.Logger.V(1).Infof("could not find a token cache: %s", err)
 	}
+	if cachedTokenSet != nil {
+		if in.ForceRefresh {
+			u.Logger.V(1).Infof("forcing refresh of the existing token")
+		} else {
+			u.Logger.V(1).Infof("checking expiration of the existing token")
+			// Skip verification of the token to reduce time of a discovery request.
+			// Here it trusts the signature and claims and checks only expiration,
+			// because the token has been verified before caching.
+			claims, err := cachedTokenSet.DecodeWithoutVerify()
+			if err != nil {
+				return fmt.Errorf("invalid token cache (you may need to remove): %w", err)
+			}
+			if !claims.IsExpired(u.Clock) {
+				u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
+				out := credentialplugin.Output{
+					Token:                          cachedTokenSet.IDToken,
+					Expiry:                         claims.Expiry,
+					ClientAuthenticationAPIVersion: credentialPluginInput.ClientAuthenticationAPIVersion,
+				}
+				if err := u.CredentialPluginWriter.Write(out); err != nil {
+					return fmt.Errorf("could not write the token to client-go: %w", err)
+				}
+				return nil
+			}
+			u.Logger.V(1).Infof("you have an expired token at %s", claims.Expiry)
+		}
+	}
 
 	authenticationInput := authentication.Input{
 		Provider:        in.Provider,
 		GrantOptionSet:  in.GrantOptionSet,
 		CachedTokenSet:  cachedTokenSet,
 		TLSClientConfig: in.TLSClientConfig,
+		ForceRefresh:    in.ForceRefresh,
 	}
 	authenticationOutput, err := u.Authentication.Do(ctx, authenticationInput)
 	if err != nil {
@@ -100,40 +125,18 @@ func (u *GetToken) Do(ctx context.Context, in Input) error {
 		return fmt.Errorf("you got an invalid token: %w", err)
 	}
 	u.Logger.V(1).Infof("you got a token: %s", idTokenClaims.Pretty)
-
-	if authenticationOutput.AlreadyHasValidIDToken {
-		u.Logger.V(1).Infof("you already have a valid token until %s", idTokenClaims.Expiry)
-	} else {
-		u.Logger.V(1).Infof("you got a valid token until %s", idTokenClaims.Expiry)
-		if err := u.TokenCacheRepository.Save(in.TokenCacheDir, tokenCacheKey, authenticationOutput.TokenSet); err != nil {
-			return fmt.Errorf("could not write the token cache: %w", err)
-		}
+	u.Logger.V(1).Infof("you got a valid token until %s", idTokenClaims.Expiry)
+	if err := u.TokenCacheRepository.Save(in.TokenCacheDir, tokenCacheKey, authenticationOutput.TokenSet); err != nil {
+		return fmt.Errorf("could not write the token cache: %w", err)
 	}
 	u.Logger.V(1).Infof("writing the token to client-go")
 	out := credentialplugin.Output{
-		Token:  authenticationOutput.TokenSet.IDToken,
-		Expiry: idTokenClaims.Expiry,
+		Token:                          authenticationOutput.TokenSet.IDToken,
+		Expiry:                         idTokenClaims.Expiry,
+		ClientAuthenticationAPIVersion: credentialPluginInput.ClientAuthenticationAPIVersion,
 	}
-	if err := u.Writer.Write(out); err != nil {
+	if err := u.CredentialPluginWriter.Write(out); err != nil {
 		return fmt.Errorf("could not write the token to client-go: %w", err)
 	}
 	return nil
 }
-
-func extractBindAddressPorts(o *authcode.BrowserOption) []string {
-	if o == nil {
-		return nil
-	}
-	var ports []string
-	for _, addr := range o.BindAddress {
-		_, port, err := net.SplitHostPort(addr)
-		if err != nil {
-			return nil // invalid address
-		}
-		if port == "0" {
-			return nil // any port
-		}
-		ports = append(ports, port)
-	}
-	return ports
-}

pkg/usecases/credentialplugin/get_token_test.go

@@ -6,10 +6,14 @@ import (
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock"
+	"github.com/int128/kubelogin/mocks/io_mock"
 	"github.com/int128/kubelogin/pkg/credentialplugin"
-	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
-	"github.com/int128/kubelogin/pkg/tokencache/repository"
+	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 
 	"github.com/int128/kubelogin/pkg/oidc"
@@ -26,19 +30,23 @@ func TestGetToken_Do(t *testing.T) {
 		ClientID:     "YOUR_CLIENT_ID",
 		ClientSecret: "YOUR_CLIENT_SECRET",
 	}
-	issuedIDTokenExpiration := time.Now().Add(1 * time.Hour).Round(time.Second)
+	expiryTime := time.Date(2020, 1, 2, 3, 4, 5, 0, time.UTC).Local()
 	issuedIDToken := testingJWT.EncodeF(t, func(claims *testingJWT.Claims) {
 		claims.Issuer = "https://accounts.google.com"
 		claims.Subject = "YOUR_SUBJECT"
-		claims.ExpiresAt = issuedIDTokenExpiration.Unix()
+		claims.ExpiresAt = jwt.NewNumericDate(expiryTime)
 	})
 	issuedTokenSet := oidc.TokenSet{
 		IDToken:      issuedIDToken,
 		RefreshToken: "YOUR_REFRESH_TOKEN",
 	}
 	issuedOutput := credentialplugin.Output{
-		Token:  issuedIDToken,
-		Expiry: issuedIDTokenExpiration,
+		Token:                          issuedIDToken,
+		Expiry:                         expiryTime,
+		ClientAuthenticationAPIVersion: "client.authentication.k8s.io/v1",
+	}
+	credentialpluginInput := credentialplugin.Input{
+		ClientAuthenticationAPIVersion: "client.authentication.k8s.io/v1",
 	}
 	grantOptionSet := authentication.GrantOptionSet{
 		AuthCodeBrowserOption: &authcode.BrowserOption{
@@ -48,95 +56,54 @@ func TestGetToken_Do(t *testing.T) {
 
 	t.Run("NoTokenCache", func(t *testing.T) {
 		tokenCacheKey := tokencache.Key{
-			IssuerURL:    "https://accounts.google.com",
-			ClientID:     "YOUR_CLIENT_ID",
-			ClientSecret: "YOUR_CLIENT_SECRET",
-		}
-		ctx := context.TODO()
-		in := Input{
-			Provider:       dummyProvider,
-			TokenCacheDir:  "/path/to/token-cache",
-			GrantOptionSet: grantOptionSet,
-		}
-		mockAuthentication := authentication.NewMockInterface(t)
-		mockAuthentication.EXPECT().
-			Do(ctx, authentication.Input{
-				Provider:       dummyProvider,
-				GrantOptionSet: grantOptionSet,
-			}).
-			Return(&authentication.Output{TokenSet: issuedTokenSet}, nil)
-		mockRepository := repository.NewMockInterface(t)
-		mockRepository.EXPECT().
-			FindByKey("/path/to/token-cache", tokenCacheKey).
-			Return(nil, errors.New("file not found"))
-		mockRepository.EXPECT().
-			Save("/path/to/token-cache", tokenCacheKey, issuedTokenSet).
-			Return(nil)
-		mockWriter := writer.NewMockInterface(t)
-		mockWriter.EXPECT().
-			Write(issuedOutput).
-			Return(nil)
-		u := GetToken{
-			Authentication:       mockAuthentication,
-			TokenCacheRepository: mockRepository,
-			Writer:               mockWriter,
-			Mutex:                mutex.NewMockInterface(t),
-			Logger:               logger.New(t),
-		}
-		if err := u.Do(ctx, in); err != nil {
-			t.Errorf("Do returned error: %+v", err)
-		}
-	})
-
-	t.Run("NeedBindPortMutex", func(t *testing.T) {
-		grantOptionSet := authentication.GrantOptionSet{
-			AuthCodeBrowserOption: &authcode.BrowserOption{
-				BindAddress: []string{"127.0.0.1:8080"},
+			Provider: oidc.Provider{
+				IssuerURL:    "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
 			},
 		}
-		tokenCacheKey := tokencache.Key{
-			IssuerURL:    "https://accounts.google.com",
-			ClientID:     "YOUR_CLIENT_ID",
-			ClientSecret: "YOUR_CLIENT_SECRET",
-		}
-
 		ctx := context.TODO()
 		in := Input{
 			Provider:       dummyProvider,
 			TokenCacheDir:  "/path/to/token-cache",
 			GrantOptionSet: grantOptionSet,
 		}
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		mockAuthentication.EXPECT().
 			Do(ctx, authentication.Input{
 				Provider:       dummyProvider,
 				GrantOptionSet: grantOptionSet,
 			}).
 			Return(&authentication.Output{TokenSet: issuedTokenSet}, nil)
-		mockRepository := repository.NewMockInterface(t)
+		mockCloser := io_mock.NewMockCloser(t)
+		mockCloser.EXPECT().
+			Close().
+			Return(nil)
+		mockRepository := repository_mock.NewMockInterface(t)
+		mockRepository.EXPECT().
+			Lock("/path/to/token-cache", tokenCacheKey).
+			Return(mockCloser, nil)
 		mockRepository.EXPECT().
 			FindByKey("/path/to/token-cache", tokenCacheKey).
 			Return(nil, errors.New("file not found"))
 		mockRepository.EXPECT().
 			Save("/path/to/token-cache", tokenCacheKey, issuedTokenSet).
 			Return(nil)
-		mockWriter := writer.NewMockInterface(t)
+		mockReader := reader_mock.NewMockInterface(t)
+		mockReader.EXPECT().
+			Read().
+			Return(credentialpluginInput, nil)
+		mockWriter := writer_mock.NewMockInterface(t)
 		mockWriter.EXPECT().
 			Write(issuedOutput).
 			Return(nil)
-		mockMutex := mutex.NewMockInterface(t)
-		mockMutex.EXPECT().
-			Acquire(ctx, "get-token-8080").
-			Return(&mutex.Lock{Data: "testData"}, nil)
-		mockMutex.EXPECT().
-			Release(&mutex.Lock{Data: "testData"}).
-			Return(nil)
 		u := GetToken{
-			Authentication:       mockAuthentication,
-			TokenCacheRepository: mockRepository,
-			Writer:               mockWriter,
-			Mutex:                mockMutex,
-			Logger:               logger.New(t),
+			Authentication:         mockAuthentication,
+			TokenCacheRepository:   mockRepository,
+			CredentialPluginReader: mockReader,
+			CredentialPluginWriter: mockWriter,
+			Logger:                 logger.New(t),
+			Clock:                  clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -148,10 +115,12 @@ func TestGetToken_Do(t *testing.T) {
 			ROPCOption: &ropc.Option{Username: "YOUR_USERNAME"},
 		}
 		tokenCacheKey := tokencache.Key{
-			IssuerURL:    "https://accounts.google.com",
-			ClientID:     "YOUR_CLIENT_ID",
-			ClientSecret: "YOUR_CLIENT_SECRET",
-			Username:     "YOUR_USERNAME",
+			Provider: oidc.Provider{
+				IssuerURL:    "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+			Username: "YOUR_USERNAME",
 		}
 
 		ctx := context.TODO()
@@ -160,30 +129,42 @@ func TestGetToken_Do(t *testing.T) {
 			TokenCacheDir:  "/path/to/token-cache",
 			GrantOptionSet: grantOptionSet,
 		}
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		mockAuthentication.EXPECT().
 			Do(ctx, authentication.Input{
 				Provider:       dummyProvider,
 				GrantOptionSet: grantOptionSet,
 			}).
 			Return(&authentication.Output{TokenSet: issuedTokenSet}, nil)
-		mockRepository := repository.NewMockInterface(t)
+		mockCloser := io_mock.NewMockCloser(t)
+		mockCloser.EXPECT().
+			Close().
+			Return(nil)
+		mockRepository := repository_mock.NewMockInterface(t)
+		mockRepository.EXPECT().
+			Lock("/path/to/token-cache", tokenCacheKey).
+			Return(mockCloser, nil)
 		mockRepository.EXPECT().
 			FindByKey("/path/to/token-cache", tokenCacheKey).
 			Return(nil, errors.New("file not found"))
 		mockRepository.EXPECT().
 			Save("/path/to/token-cache", tokenCacheKey, issuedTokenSet).
 			Return(nil)
-		mockWriter := writer.NewMockInterface(t)
+		mockReader := reader_mock.NewMockInterface(t)
+		mockReader.EXPECT().
+			Read().
+			Return(credentialplugin.Input{ClientAuthenticationAPIVersion: "client.authentication.k8s.io/v1"}, nil)
+		mockWriter := writer_mock.NewMockInterface(t)
 		mockWriter.EXPECT().
 			Write(issuedOutput).
 			Return(nil)
 		u := GetToken{
-			Authentication:       mockAuthentication,
-			TokenCacheRepository: mockRepository,
-			Writer:               mockWriter,
-			Mutex:                mutex.NewMockInterface(t),
-			Logger:               logger.New(t),
+			Authentication:         mockAuthentication,
+			TokenCacheRepository:   mockRepository,
+			CredentialPluginReader: mockReader,
+			CredentialPluginWriter: mockWriter,
+			Logger:                 logger.New(t),
+			Clock:                  clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -191,41 +172,52 @@ func TestGetToken_Do(t *testing.T) {
 	})
 
 	t.Run("HasValidIDToken", func(t *testing.T) {
+		tokenCacheKey := tokencache.Key{
+			Provider: oidc.Provider{
+				IssuerURL:    "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
+
 		ctx := context.TODO()
 		in := Input{
 			Provider:       dummyProvider,
 			TokenCacheDir:  "/path/to/token-cache",
 			GrantOptionSet: grantOptionSet,
 		}
-		mockAuthentication := authentication.NewMockInterface(t)
-		mockAuthentication.EXPECT().
-			Do(ctx, authentication.Input{
-				Provider:       dummyProvider,
-				CachedTokenSet: &issuedTokenSet,
-				GrantOptionSet: grantOptionSet,
-			}).
-			Return(&authentication.Output{
-				AlreadyHasValidIDToken: true,
-				TokenSet:               issuedTokenSet,
-			}, nil)
-		mockRepository := repository.NewMockInterface(t)
+		mockCloser := io_mock.NewMockCloser(t)
+		mockCloser.EXPECT().
+			Close().
+			Return(nil)
+		mockRepository := repository_mock.NewMockInterface(t)
+		mockRepository.EXPECT().
+			Lock("/path/to/token-cache", tokenCacheKey).
+			Return(mockCloser, nil)
 		mockRepository.EXPECT().
 			FindByKey("/path/to/token-cache", tokencache.Key{
-				IssuerURL:    "https://accounts.google.com",
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
+				Provider: oidc.Provider{
+					IssuerURL:    "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				},
 			}).
 			Return(&issuedTokenSet, nil)
-		mockWriter := writer.NewMockInterface(t)
+		mockReader := reader_mock.NewMockInterface(t)
+		mockReader.EXPECT().
+			Read().
+			Return(credentialpluginInput, nil)
+		mockWriter := writer_mock.NewMockInterface(t)
 		mockWriter.EXPECT().
 			Write(issuedOutput).
 			Return(nil)
 		u := GetToken{
-			Authentication:       mockAuthentication,
-			TokenCacheRepository: mockRepository,
-			Writer:               mockWriter,
-			Mutex:                mutex.NewMockInterface(t),
-			Logger:               logger.New(t),
+			Authentication:         authentication_mock.NewMockInterface(t),
+			TokenCacheRepository:   mockRepository,
+			CredentialPluginReader: mockReader,
+			CredentialPluginWriter: mockWriter,
+			Logger:                 logger.New(t),
+			Clock:                  clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -233,33 +225,54 @@ func TestGetToken_Do(t *testing.T) {
 	})
 
 	t.Run("AuthenticationError", func(t *testing.T) {
+		tokenCacheKey := tokencache.Key{
+			Provider: oidc.Provider{
+				IssuerURL:    "https://accounts.google.com",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+			},
+		}
 		ctx := context.TODO()
 		in := Input{
 			Provider:       dummyProvider,
 			TokenCacheDir:  "/path/to/token-cache",
 			GrantOptionSet: grantOptionSet,
 		}
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		mockAuthentication.EXPECT().
 			Do(ctx, authentication.Input{
 				Provider:       dummyProvider,
 				GrantOptionSet: grantOptionSet,
 			}).
 			Return(nil, errors.New("authentication error"))
-		mockRepository := repository.NewMockInterface(t)
+		mockCloser := io_mock.NewMockCloser(t)
+		mockCloser.EXPECT().
+			Close().
+			Return(nil)
+		mockRepository := repository_mock.NewMockInterface(t)
+		mockRepository.EXPECT().
+			Lock("/path/to/token-cache", tokenCacheKey).
+			Return(mockCloser, nil)
 		mockRepository.EXPECT().
 			FindByKey("/path/to/token-cache", tokencache.Key{
-				IssuerURL:    "https://accounts.google.com",
-				ClientID:     "YOUR_CLIENT_ID",
-				ClientSecret: "YOUR_CLIENT_SECRET",
+				Provider: oidc.Provider{
+					IssuerURL:    "https://accounts.google.com",
+					ClientID:     "YOUR_CLIENT_ID",
+					ClientSecret: "YOUR_CLIENT_SECRET",
+				},
 			}).
 			Return(nil, errors.New("file not found"))
+		mockReader := reader_mock.NewMockInterface(t)
+		mockReader.EXPECT().
+			Read().
+			Return(credentialpluginInput, nil)
 		u := GetToken{
-			Authentication:       mockAuthentication,
-			TokenCacheRepository: mockRepository,
-			Writer:               writer.NewMockInterface(t),
-			Mutex:                mutex.NewMockInterface(t),
-			Logger:               logger.New(t),
+			Authentication:         mockAuthentication,
+			TokenCacheRepository:   mockRepository,
+			CredentialPluginReader: mockReader,
+			CredentialPluginWriter: writer_mock.NewMockInterface(t),
+			Logger:                 logger.New(t),
+			Clock:                  clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")

pkg/usecases/setup/stage2.go

@@ -74,6 +74,7 @@ type Stage2Input struct {
 	ClientSecret      string
 	ExtraScopes       []string // optional
 	UsePKCE           bool     // optional
+	UseAccessToken    bool     // optional
 	ListenAddressArgs []string // non-nil if set by the command arg
 	GrantOptionSet    authentication.GrantOptionSet
 	TLSClientConfig   tlsclientconfig.Config
@@ -91,6 +92,7 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 		},
 		GrantOptionSet:  in.GrantOptionSet,
 		TLSClientConfig: in.TLSClientConfig,
+		UseAccessToken:  in.UseAccessToken,
 	})
 	if err != nil {
 		return fmt.Errorf("authentication error: %w", err)
@@ -128,6 +130,9 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 	if in.UsePKCE {
 		args = append(args, "--oidc-use-pkce")
 	}
+	if in.UseAccessToken {
+		args = append(args, "--oidc-use-access-token")
+	}
 	for _, f := range in.TLSClientConfig.CACertFilename {
 		args = append(args, "--certificate-authority="+f)
 	}
@@ -160,7 +165,9 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 			args = append(args, "--local-server-key="+keypath)
 		}
 	}
-	args = append(args, in.ListenAddressArgs...)
+	for _, l := range in.ListenAddressArgs {
+		args = append(args, "--listen-address="+l)
+	}
 	if in.GrantOptionSet.ROPCOption != nil {
 		if in.GrantOptionSet.ROPCOption.Username != "" {
 			args = append(args, "--username="+in.GrantOptionSet.ROPCOption.Username)

pkg/usecases/setup/stage2_test.go

@@ -5,18 +5,23 @@ import (
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestSetup_DoStage2(t *testing.T) {
 	issuedIDToken := testingJWT.EncodeF(t, func(claims *testingJWT.Claims) {
 		claims.Issuer = "https://issuer.example.com"
 		claims.Subject = "YOUR_SUBJECT"
-		claims.ExpiresAt = time.Now().Add(1 * time.Hour).Unix()
+		claims.ExpiresAt = jwt.NewNumericDate(time.Now().Add(1 * time.Hour))
 	})
 	dummyTLSClientConfig := tlsclientconfig.Config{
 		CACertFilename: []string{"/path/to/cert"},
@@ -32,7 +37,7 @@ func TestSetup_DoStage2(t *testing.T) {
 		GrantOptionSet:  grantOptionSet,
 		TLSClientConfig: dummyTLSClientConfig,
 	}
-	mockAuthentication := authentication.NewMockInterface(t)
+	mockAuthentication := authentication_mock.NewMockInterface(t)
 	mockAuthentication.EXPECT().
 		Do(ctx, authentication.Input{
 			Provider: oidc.Provider{
@@ -58,3 +63,49 @@ func TestSetup_DoStage2(t *testing.T) {
 		t.Errorf("DoStage2 returned error: %+v", err)
 	}
 }
+
+func Test_makeCredentialPluginArgs(t *testing.T) {
+	in := Stage2Input{
+		IssuerURL:         "https://oidc.example.com",
+		ClientID:          "test_kid",
+		ClientSecret:      "test_ksecret",
+		ExtraScopes:       []string{"groups"},
+		UsePKCE:           true,
+		ListenAddressArgs: []string{"127.0.0.1:8080", "127.0.0.1:8888"},
+		GrantOptionSet: authentication.GrantOptionSet{
+			AuthCodeBrowserOption: &authcode.BrowserOption{
+				SkipOpenBrowser:     true,
+				BrowserCommand:      "firefox",
+				LocalServerCertFile: "/path/to/cert.crt",
+				LocalServerKeyFile:  "/path/to/cert.key",
+			},
+			ROPCOption: &ropc.Option{
+				Username: "user1",
+			},
+		},
+		TLSClientConfig: tlsclientconfig.Config{
+			CACertFilename: []string{"/path/to/ca.crt"},
+			CACertData:     []string{"base64encoded1"},
+			SkipTLSVerify:  true,
+		},
+	}
+	expet := []string{
+		"--oidc-issuer-url=https://oidc.example.com",
+		"--oidc-client-id=test_kid",
+		"--oidc-client-secret=test_ksecret",
+		"--oidc-extra-scope=groups",
+		"--oidc-use-pkce",
+		"--certificate-authority=/path/to/ca.crt",
+		"--certificate-authority-data=base64encoded1",
+		"--insecure-skip-tls-verify",
+		"--skip-open-browser",
+		"--browser-command=firefox",
+		"--local-server-cert=/path/to/cert.crt",
+		"--local-server-key=/path/to/cert.key",
+		"--listen-address=127.0.0.1:8080",
+		"--listen-address=127.0.0.1:8888",
+		"--username=user1",
+	}
+	got := makeCredentialPluginArgs(in)
+	assert.Equal(t, expet, got)
+}

pkg/usecases/standalone/standalone.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/kubeconfig"
 	"github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -47,12 +48,12 @@ See https://github.com/int128/kubelogin for more.
 // If the current auth provider is not oidc, show the error.
 // If the kubeconfig has a valid token, do nothing.
 // Otherwise, update the kubeconfig.
-//
 type Standalone struct {
 	Authentication   authentication.Interface
 	KubeconfigLoader loader.Interface
 	KubeconfigWriter writer.Interface
 	Logger           logger.Interface
+	Clock            clock.Interface
 }
 
 func (u *Standalone) Do(ctx context.Context, in Input) error {
@@ -79,6 +80,18 @@ func (u *Standalone) Do(ctx context.Context, in Input) error {
 			IDToken:      authProvider.IDToken,
 			RefreshToken: authProvider.RefreshToken,
 		}
+		u.Logger.V(1).Infof("checking expiration of the existing token")
+		// Skip verification of the token to reduce time of a discovery request.
+		// Here it trusts the signature and claims and checks only expiration,
+		// because the token has been verified before caching.
+		claims, err := cachedTokenSet.DecodeWithoutVerify()
+		if err != nil {
+			return fmt.Errorf("invalid token cache (you may need to remove): %w", err)
+		}
+		if !claims.IsExpired(u.Clock) {
+			u.Logger.V(1).Infof("you already have a valid token until %s", claims.Expiry)
+			return nil
+		}
 	}
 
 	authenticationInput := authentication.Input{
@@ -102,11 +115,6 @@ func (u *Standalone) Do(ctx context.Context, in Input) error {
 		return fmt.Errorf("you got an invalid token: %w", err)
 	}
 	u.Logger.V(1).Infof("you got a token: %s", idTokenClaims.Pretty)
-	if authenticationOutput.AlreadyHasValidIDToken {
-		u.Logger.Printf("You already have a valid token until %s", idTokenClaims.Expiry)
-		return nil
-	}
-
 	u.Logger.Printf("You got a valid token until %s", idTokenClaims.Expiry)
 	authProvider.IDToken = authenticationOutput.TokenSet.IDToken
 	authProvider.RefreshToken = authenticationOutput.TokenSet.RefreshToken

pkg/usecases/standalone/standalone_test.go

@@ -6,10 +6,13 @@ import (
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock"
 	"github.com/int128/kubelogin/pkg/kubeconfig"
-	"github.com/int128/kubelogin/pkg/kubeconfig/loader"
-	"github.com/int128/kubelogin/pkg/kubeconfig/writer"
 	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/testing/clock"
 	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
@@ -17,11 +20,11 @@ import (
 )
 
 func TestStandalone_Do(t *testing.T) {
-	issuedIDTokenExpiration := time.Now().Add(1 * time.Hour).Round(time.Second)
+	expiryTime := time.Date(2020, 1, 2, 3, 4, 5, 0, time.UTC)
 	issuedIDToken := testingJWT.EncodeF(t, func(claims *testingJWT.Claims) {
 		claims.Issuer = "https://accounts.google.com"
 		claims.Subject = "YOUR_SUBJECT"
-		claims.ExpiresAt = issuedIDTokenExpiration.Unix()
+		claims.ExpiresAt = jwt.NewNumericDate(expiryTime)
 	})
 
 	t.Run("FullOptions", func(t *testing.T) {
@@ -42,11 +45,11 @@ func TestStandalone_Do(t *testing.T) {
 			IDPCertificateAuthority:     "/path/to/cert2",
 			IDPCertificateAuthorityData: "BASE64ENCODED2",
 		}
-		mockLoader := loader.NewMockInterface(t)
+		mockLoader := loader_mock.NewMockInterface(t)
 		mockLoader.EXPECT().
 			GetCurrentAuthProvider("/path/to/kubeconfig", kubeconfig.ContextName("theContext"), kubeconfig.UserName("theUser")).
 			Return(currentAuthProvider, nil)
-		mockWriter := writer.NewMockInterface(t)
+		mockWriter := writer_mock.NewMockInterface(t)
 		mockWriter.EXPECT().
 			UpdateAuthProvider(kubeconfig.AuthProvider{
 				LocationOfOrigin:            "/path/to/kubeconfig",
@@ -60,7 +63,7 @@ func TestStandalone_Do(t *testing.T) {
 				RefreshToken:                "YOUR_REFRESH_TOKEN",
 			}).
 			Return(nil)
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		mockAuthentication.EXPECT().
 			Do(ctx, authentication.Input{
 				Provider: oidc.Provider{
@@ -85,6 +88,7 @@ func TestStandalone_Do(t *testing.T) {
 			KubeconfigLoader: mockLoader,
 			KubeconfigWriter: mockWriter,
 			Logger:           logger.New(t),
+			Clock:            clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -102,32 +106,15 @@ func TestStandalone_Do(t *testing.T) {
 			ClientSecret:     "YOUR_CLIENT_SECRET",
 			IDToken:          issuedIDToken,
 		}
-		mockLoader := loader.NewMockInterface(t)
+		mockLoader := loader_mock.NewMockInterface(t)
 		mockLoader.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(currentAuthProvider, nil)
-		mockAuthentication := authentication.NewMockInterface(t)
-		mockAuthentication.EXPECT().
-			Do(ctx, authentication.Input{
-				Provider: oidc.Provider{
-					IssuerURL:    "https://accounts.google.com",
-					ClientID:     "YOUR_CLIENT_ID",
-					ClientSecret: "YOUR_CLIENT_SECRET",
-				},
-				CachedTokenSet: &oidc.TokenSet{
-					IDToken: issuedIDToken,
-				},
-			}).
-			Return(&authentication.Output{
-				AlreadyHasValidIDToken: true,
-				TokenSet: oidc.TokenSet{
-					IDToken: issuedIDToken,
-				},
-			}, nil)
 		u := Standalone{
-			Authentication:   mockAuthentication,
+			Authentication:   authentication_mock.NewMockInterface(t),
 			KubeconfigLoader: mockLoader,
 			Logger:           logger.New(t),
+			Clock:            clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err != nil {
 			t.Errorf("Do returned error: %+v", err)
@@ -137,15 +124,16 @@ func TestStandalone_Do(t *testing.T) {
 	t.Run("NoOIDCConfig", func(t *testing.T) {
 		ctx := context.TODO()
 		in := Input{}
-		mockLoader := loader.NewMockInterface(t)
+		mockLoader := loader_mock.NewMockInterface(t)
 		mockLoader.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(nil, errors.New("no oidc config"))
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		u := Standalone{
 			Authentication:   mockAuthentication,
 			KubeconfigLoader: mockLoader,
 			Logger:           logger.New(t),
+			Clock:            clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")
@@ -162,11 +150,11 @@ func TestStandalone_Do(t *testing.T) {
 			ClientID:         "YOUR_CLIENT_ID",
 			ClientSecret:     "YOUR_CLIENT_SECRET",
 		}
-		mockLoader := loader.NewMockInterface(t)
+		mockLoader := loader_mock.NewMockInterface(t)
 		mockLoader.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(currentAuthProvider, nil)
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		mockAuthentication.EXPECT().
 			Do(ctx, authentication.Input{
 				Provider: oidc.Provider{
@@ -180,6 +168,7 @@ func TestStandalone_Do(t *testing.T) {
 			Authentication:   mockAuthentication,
 			KubeconfigLoader: mockLoader,
 			Logger:           logger.New(t),
+			Clock:            clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")
@@ -196,11 +185,11 @@ func TestStandalone_Do(t *testing.T) {
 			ClientID:         "YOUR_CLIENT_ID",
 			ClientSecret:     "YOUR_CLIENT_SECRET",
 		}
-		mockLoader := loader.NewMockInterface(t)
+		mockLoader := loader_mock.NewMockInterface(t)
 		mockLoader.EXPECT().
 			GetCurrentAuthProvider("", kubeconfig.ContextName(""), kubeconfig.UserName("")).
 			Return(currentAuthProvider, nil)
-		mockWriter := writer.NewMockInterface(t)
+		mockWriter := writer_mock.NewMockInterface(t)
 		mockWriter.EXPECT().
 			UpdateAuthProvider(kubeconfig.AuthProvider{
 				LocationOfOrigin: "/path/to/kubeconfig",
@@ -212,7 +201,7 @@ func TestStandalone_Do(t *testing.T) {
 				RefreshToken:     "YOUR_REFRESH_TOKEN",
 			}).
 			Return(errors.New("I/O error"))
-		mockAuthentication := authentication.NewMockInterface(t)
+		mockAuthentication := authentication_mock.NewMockInterface(t)
 		mockAuthentication.EXPECT().
 			Do(ctx, authentication.Input{
 				Provider: oidc.Provider{
@@ -232,6 +221,7 @@ func TestStandalone_Do(t *testing.T) {
 			KubeconfigLoader: mockLoader,
 			KubeconfigWriter: mockWriter,
 			Logger:           logger.New(t),
+			Clock:            clock.Fake(expiryTime.Add(-time.Hour)),
 		}
 		if err := u.Do(ctx, in); err == nil {
 			t.Errorf("err wants non-nil but nil")

system_test/dex/Makefile

@@ -5,7 +5,7 @@ dex: dex.yaml
 	# wait for kind network
 	while true; do if docker network inspect kind; then break; fi; sleep 1; done
 	# create a container
-	docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
+	docker create -q --name dex-server -p 10443:10443 --network kind ghcr.io/dexidp/dex:v2.39.0 dex serve /dex.yaml
 	# deploy the config
 	docker cp $(CERT_DIR)/server.crt dex-server:/
 	docker cp $(CERT_DIR)/server.key dex-server:/

system_test/login/Makefile

@@ -19,7 +19,8 @@ test: build
 		--browser-command=$(BIN_DIR)/chromelogin
 	# set up the kubeconfig
 	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-api-version=client.authentication.k8s.io/v1 \
+		--exec-interactive-mode=Never \
 		--exec-command=kubectl \
 		--exec-arg=oidc-login \
 		--exec-arg=get-token \

system_test/login/chromelogin/main.go

@@ -28,20 +28,29 @@ func main() {
 
 func runBrowser(ctx context.Context, url string) error {
 	execOpts := chromedp.DefaultExecAllocatorOptions[:]
-	execOpts = append(execOpts, chromedp.NoSandbox)
-	ctx, cancel := chromedp.NewExecAllocator(ctx, execOpts...)
-	defer cancel()
-	ctx, cancel = chromedp.NewContext(ctx, chromedp.WithLogf(log.Printf))
-	defer cancel()
-	ctx, cancel = context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-	if err := logInToDex(ctx, url); err != nil {
+	execOpts = append(execOpts,
+		chromedp.NoSandbox,
+		chromedp.WSURLReadTimeout(30*time.Second),
+	)
+	ctx, cancelExec := chromedp.NewExecAllocator(ctx, execOpts...)
+	defer cancelExec()
+	ctx, cancelCtx := chromedp.NewContext(ctx, chromedp.WithLogf(log.Printf))
+	defer cancelCtx()
+	log.Printf("Opening a new browser and navigating to %s", url)
+	if err := openBrowser(ctx, url); err != nil {
+		return fmt.Errorf("could not open a new browser: %w", err)
+	}
+
+	ctx, cancelTimeout := context.WithTimeout(ctx, 30*time.Second)
+	defer cancelTimeout()
+	log.Printf("Logging in to Dex")
+	if err := logInToDex(ctx); err != nil {
 		return fmt.Errorf("could not run the browser: %w", err)
 	}
 	return nil
 }
 
-func logInToDex(ctx context.Context, url string) error {
+func openBrowser(ctx context.Context, url string) error {
 	for {
 		var location string
 		err := chromedp.Run(ctx,
@@ -51,14 +60,16 @@ func logInToDex(ctx context.Context, url string) error {
 		if err != nil {
 			return err
 		}
-		log.Printf("location: %s", location)
+		log.Printf("Location: %s", location)
 		if strings.HasPrefix(location, `http://`) || strings.HasPrefix(location, `https://`) {
-			break
+			return nil
 		}
 		time.Sleep(1 * time.Second)
 	}
+}
 
-	err := chromedp.Run(ctx,
+func logInToDex(ctx context.Context) error {
+	return chromedp.Run(ctx,
 		// https://dex-server:10443/dex/auth/local
 		chromedp.WaitVisible(`#login`),
 		logPageMetadata(),
@@ -73,10 +84,6 @@ func logInToDex(ctx context.Context, url string) error {
 		chromedp.WaitReady(`body`),
 		logPageMetadata(),
 	)
-	if err != nil {
-		return err
-	}
-	return nil
 }
 
 func logPageMetadata() chromedp.Action {
@@ -86,7 +93,7 @@ func logPageMetadata() chromedp.Action {
 		chromedp.Location(&location),
 		chromedp.Title(&title),
 		chromedp.ActionFunc(func(ctx context.Context) error {
-			log.Printf("location: %s [%s]", location, title)
+			log.Printf("Location: %s, Title: %s", location, title)
 			return nil
 		}),
 	}

tools/Makefile

@@ -0,0 +1,13 @@
+GOBIN := $(CURDIR)/bin
+export GOBIN
+
+all: bin/mockery bin/wire bin/golangci-lint
+
+bin/mockery:
+	go install github.com/vektra/mockery/v2
+
+bin/wire:
+	go install github.com/google/wire/cmd/wire
+
+bin/golangci-lint:
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint