Update help message and doc (#1374 )

Use Endpoint.DeviceAuthURL of oauth2 package (#1372 )
Split oidc/client.go (#1371 )
2026-02-25 22:43:48 +00:00 · 2025-07-13 15:24:33 +09:00 · 2025-07-13 13:54:55 +09:00 · 2025-07-13 13:23:33 +09:00 · 2025-07-13 11:04:40 +09:00 · 2025-07-11 17:10:18 +00:00
130 changed files with 7568 additions and 4148 deletions
--- a/.github/release.yml
+++ b/.github/release.yml
@@ -0,0 +1,16 @@
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+changelog:
+  categories:
+    - title: Features
+      labels:
+        - '*'
+      exclude:
+        labels:
+          - renovate
+          - refactoring
+    - title: Refactoring
+      labels:
+        - refactoring
+    - title: Dependencies
+      labels:
+        - renovate
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -2,9 +2,11 @@
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "github>int128/renovate-base",
-    "github>int128/go-renovate-config",
-    "github>int128/go-renovate-config:github-actions",
-    "github>int128/go-renovate-config:kubernetes",
-    "github>int128/go-renovate-config:kustomization-github-releases",
+    "github>int128/go-renovate-config#v1.7.2",
+    "github>int128/go-renovate-config:go-directive#v1.7.2",
+    "github>int128/go-renovate-config:github-actions#v1.7.2",
+    "github>int128/go-renovate-config:kubernetes#v1.7.2",
+    "github>int128/go-renovate-config:kustomization-github-releases#v1.7.2",
+    "helpers:pinGitHubActionDigests",
  ],
 }
--- a/.github/workflows/acceptance-test.yaml
+++ b/.github/workflows/acceptance-test.yaml
@@ -0,0 +1,34 @@
+name: acceptance-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/acceptance-test.yaml
+      - acceptance_test/**
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/acceptance-test.yaml
+      - acceptance_test/**
+
+jobs:
+  test-makefile:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make -C acceptance_test check
+      - run: make -C acceptance_test
+        env:
+          OIDC_ISSUER_URL: https://accounts.google.com
+          OIDC_CLIENT_ID: REDACTED.apps.googleusercontent.com
+          YOUR_EMAIL: REDACTED@gmail.com
+      - run: make -C acceptance_test delete-cluster
+      - run: make -C acceptance_test clean
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -9,7 +9,6 @@ on:
      - pkg/**
      - go.*
      - Dockerfile
-      - Makefile
  push:
    branches:
      - master
@@ -18,59 +17,58 @@ on:
      - pkg/**
      - go.*
      - Dockerfile
-      - Makefile
    tags:
      - v*

 jobs:
-  build-linux-amd64:
-    uses: int128/docker-build-workflow/.github/workflows/build.yaml@v1
-    with:
-      platforms: linux/amd64
-      flavor: latest=false,suffix=-linux-amd64
-
-  build-linux-arm64:
-    uses: int128/docker-build-workflow/.github/workflows/build.yaml@v1
-    with:
-      platforms: linux/arm64
-      flavor: latest=false,suffix=-linux-arm64
-
-  build-linux-ppc64le:
-    uses: int128/docker-build-workflow/.github/workflows/build.yaml@v1
-    with:
-      platforms: linux/ppc64le
-      flavor: latest=false,suffix=-linux-ppc64le
-
  build:
-    needs:
-      - build-linux-amd64
-      - build-linux-arm64
-      - build-linux-ppc64le
    runs-on: ubuntu-latest
    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: write
    outputs:
-      image-uri: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
+      image-uri: ${{ steps.build-metadata.outputs.image-uri }}
    steps:
-      - uses: docker/login-action@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/metadata-action@v5
+      - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        id: metadata
        with:
          images: ghcr.io/${{ github.repository }}
-      - uses: int128/docker-manifest-create-action@v2
+      - uses: int128/docker-build-cache-config-action@338206c80bf9eeb2b9694b7b4fc8c247c317e2a8 # v1.38.0
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        id: build
        with:
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.metadata.outputs.tags }}
-          sources: |
-            ghcr.io/${{ github.repository }}@${{ needs.build-linux-amd64.outputs.digest }}
-            ghcr.io/${{ github.repository }}@${{ needs.build-linux-arm64.outputs.digest }}
-            ghcr.io/${{ github.repository }}@${{ needs.build-linux-ppc64le.outputs.digest }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.cache-from }}
+          cache-to: ${{ steps.cache.outputs.cache-to }}
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/ppc64le
+      - uses: int128/docker-build-metadata-action@fac3c879c58b212e339c5e959cabb865cbee0c6e # v1.0.0
+        id: build-metadata
+        with:
+          metadata: ${{ steps.build.outputs.metadata }}

  test:
+    if: needs.build.outputs.image-uri != ''
    needs: build
    runs-on: ubuntu-latest
+    timeout-minutes: 10
    steps:
-      - run: docker run --rm '${{ needs.build.outputs.image-uri }}' --help
+      - run: docker run --rm "$IMAGE_URI" --help
+        env:
+          IMAGE_URI: ${{ needs.build.outputs.image-uri }}
--- a/.github/workflows/go.yaml
+++ b/.github/workflows/go.yaml
@@ -7,7 +7,10 @@ on:
    paths:
      - .github/workflows/go.yaml
      - pkg/**
-      - go.*
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'
    tags:
      - v*
  pull_request:
@@ -16,21 +19,61 @@ on:
    paths:
      - .github/workflows/go.yaml
      - pkg/**
-      - go.*
+      - integration_test/**
+      - mocks/**
+      - tools/**
+      - '**/go.*'

 jobs:
-  check:
-    uses: int128/go-workflows/.github/workflows/check.yaml@v0.3.0
-    with:
-        go-version: 1.22.5
-        golangci-lint-version: v1.59.1
-
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.22.5
-      - run: go test -v -race ./...
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make test
+
+  integration-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make integration-test
+
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: make lint
+
+  generate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - run: go mod tidy
+      - run: make generate
+      - uses: int128/update-generated-files-action@f6dc44e35ce252932e9018f1c38d1e2a4ff80e14 # v2.60.0
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -47,6 +47,9 @@ jobs:
          - runs-on: windows-latest
            GOOS: windows
            GOARCH: amd64
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: arm64
    runs-on: ${{ matrix.platform.runs-on }}
    env:
      GOOS: ${{ matrix.platform.GOOS }}
@@ -54,12 +57,13 @@ jobs:
      CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.22.5
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
      - run: go build -ldflags '-X main.version=${{ github.ref_name }}'
-      - uses: int128/go-release-action@v2
+      - uses: int128/go-release-action@2979cc5b15ceb7ae458e95b0a9467afc7ae25259 # v2.0.0
        with:
          binary: kubelogin

@@ -70,5 +74,5 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
-      - uses: actions/checkout@v4
-      - uses: rajatjindal/krew-release-bot@v0.0.46
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
--- a/.github/workflows/system-test.yaml
+++ b/.github/workflows/system-test.yaml
@@ -22,16 +22,18 @@ jobs:
  system-test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.22.5
+          go-version-file: go.mod
+          cache-dependency-path: go.sum

-      # for certutil
+      - run: sudo apt-get update
+      # Install certutil.
      # https://packages.ubuntu.com/xenial/libnss3-tools
-      - run: sudo apt update
-      - run: sudo apt install -y libnss3-tools
-      - run: mkdir -p ~/.pki/nssdb
+      # Install keyring related packages.
+      # https://github.com/zalando/go-keyring/issues/45
+      - run: sudo apt-get install --no-install-recommends -y libnss3-tools dbus-x11 gnome-keyring

      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts

--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 /.idea

+/tools/bin
+
 /acceptance_test/output/

 /coverage.out
--- a/.krew.yaml
+++ b/.krew.yaml
@@ -60,3 +60,9 @@ spec:
      matchLabels:
        os: windows
        arch: amd64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: arm64
--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -0,0 +1,12 @@
+dir: mocks/{{.SrcPackagePath}}_mock
+pkgname: '{{.SrcPackageName}}_mock'
+filename: mocks.go
+template: testify
+packages:
+  github.com/int128/kubelogin:
+    config:
+      all: true
+      recursive: true
+  io:
+    interfaces:
+      Closer: {}
--- a/14
+++ b/14
@@ -1,11 +1,19 @@
-FROM golang:1.22 as builder
+FROM --platform=$BUILDPLATFORM golang:1.24 AS builder

 WORKDIR /builder
-COPY go.* .
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
 RUN go mod download
+
+# Copy the go source
 COPY main.go .
 COPY pkg pkg
-RUN go build
+
+ARG TARGETOS
+ARG TARGETARCH
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build

 FROM gcr.io/distroless/base-debian12
 COPY --from=builder /builder/kubelogin /
--- a/20
+++ b/20
@@ -0,0 +1,20 @@
+.PHONY: all
+all:
+
+.PHONY: test
+test:
+	go test -v -race ./pkg/...
+
+.PHONY: integration-test
+integration-test:
+	go test -v -race ./integration_test/...
+
+.PHONY: generate
+generate:
+	go tool github.com/google/wire/cmd/wire ./pkg/di
+	rm -fr mocks/
+	go tool mockery
+
+.PHONY: lint
+lint:
+	go tool golangci-lint run
--- a/README.md
+++ b/README.md
@@ -13,7 +13,6 @@ Take a look at the diagram:

 ![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)

-
 ## Getting Started

 ### Setup
@@ -22,7 +21,7 @@ Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://git

 ```sh
 # Homebrew (macOS and Linux)
-brew install int128/kubelogin/kubelogin
+brew install kubelogin

 # Krew (macOS, Linux, Windows and ARM)
 kubectl krew install oidc-login
@@ -31,28 +30,28 @@ kubectl krew install oidc-login
 choco install kubelogin
 ```

-If you install via GitHub releases, you need to put the `kubelogin` binary on your path under the name `kubectl-oidc_login` so that the [kubectl plugin mechanism](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) can find it when you invoke `kubectl oidc-login`. The other install methods do this for you.
+If you install via GitHub releases, save the binary as the name `kubectl-oidc_login` on your path.
+When you invoke `kubectl oidc-login`, kubectl finds it by the [naming convention of kubectl plugins](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/).
+The other install methods do this for you.

 You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
-The kubeconfig looks like:
+Your kubeconfig looks like this:

 ```yaml
 users:
- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
 ```

-See [setup guide](docs/setup.md) for more.
-
+See the [setup guide](docs/setup.md) for more.

 ### Run

@@ -65,33 +64,46 @@ kubectl get pods
 Kubectl executes kubelogin before calling the Kubernetes APIs.
 Kubelogin automatically opens the browser, and you can log in to the provider.

-<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
+After the authentication, kubelogin returns the credentials to kubectl.
+Kubectl then calls the Kubernetes APIs with the credentials.

-After authentication, kubelogin returns the credentials to kubectl and kubectl then calls the Kubernetes APIs with these credentials.
-
-```
+```console
 % kubectl get pods
 Open http://localhost:8000 for authentication
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
 ```

-Kubelogin writes the ID token and refresh token to the token cache file.
+Kubelogin stores the ID token and refresh token to the cache.
+If the ID token is valid, it just returns it.
+If the ID token has expired, it will refresh the token using the refresh token.
+If the refresh token has expired, it will perform re-authentication.

-If the cached ID token is valid, kubelogin just returns it.
-If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will perform re-authentication (you will have to login via browser again).
+## Troubleshooting

+### Token cache

-### Troubleshoot
+Kubelogin stores the token cache to the file system by default.
+For enhanced security, it is recommended to store it to the keyring.
+See the [token cache](docs/usage.md#token-cache) for details.

-You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
-Kubelogin will ask you to login via browser again if the token cache file does not exist i.e., it starts with a clean slate
-
-You can dump claims of an ID token by `setup` command.
+You can log out by deleting the token cache.

 ```console
-% kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
+% kubectl oidc-login clean
+Deleted the token cache at /home/user/.kube/cache/oidc-login
+Deleted the token cache from the keyring
+```
+
+Kubelogin will ask you to log in via the browser again.
+If the browser has a cookie for the provider, you need to log out from the provider or clear the cookie.
+
+### ID token claims
+
+You can run `setup` command to dump the claims of an ID token from the provider.
+
+```console
+% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
 ...
 You got a token with the following claims:

@@ -103,23 +115,22 @@ You got a token with the following claims:
 }
 ```

-You can increase the log level by `-v1` option.
+You can set `-v1` option to increase the log level.

 ```yaml
 users:
- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - -v1
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: kubectl
+        args:
+          - oidc-login
+          - get-token
+          - -v1
 ```

-You can verify kubelogin works with your provider using [acceptance test](acceptance_test).
-
+You can run the [acceptance test](acceptance_test) to verify if kubelogin works with your provider.

 ## Docs

@@ -129,11 +140,7 @@ You can verify kubelogin works with your provider using [acceptance test](accept
 - [System test](system_test)
 - [Acceptance_test for identity providers](acceptance_test)

-
 ## Contributions

 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests for improving code and documents.
-
-This software is developed with [GoLand](https://www.jetbrains.com/go/) licensed for open source development.
-Special thanks for the support.
--- a/acceptance_test/Makefile
+++ b/acceptance_test/Makefile
@@ -4,33 +4,38 @@ OUTPUT_DIR := $(CURDIR)/output
 KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
 export KUBECONFIG

-# create a Kubernetes cluster
 .PHONY: cluster
 cluster:
-	# create a cluster
+	# Create a cluster.
 	mkdir -p $(OUTPUT_DIR)
 	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
 	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
-	# set up access control
+
+	# Set up the access control.
 	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
 	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
-	# set up kubectl
+
+	# Set up kubectl.
 	kubectl config set-credentials oidc \
-		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-api-version=client.authentication.k8s.io/v1 \
+		--exec-interactive-mode=Never \
 		--exec-command=$(CURDIR)/../kubelogin \
 		--exec-arg=get-token \
 		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
 		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
 		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
-		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
 		--exec-arg=--oidc-extra-scope=email
-	# switch the default user
+
+	# Switch the default user.
 	kubectl config set-context --current --user=oidc

-# clean up the resources
+	# Show the kubeconfig.
+	kubectl config view
+
 .PHONY: clean
 clean:
 	-rm -r $(OUTPUT_DIR)
+
 .PHONY: delete-cluster
 delete-cluster:
 	kind delete cluster --name $(CLUSTER_NAME)
--- a/acceptance_test/README.md
+++ b/acceptance_test/README.md
@@ -1,16 +1,14 @@
 # kubelogin/acceptance_test

-This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
-
+This is a manual test to verify if the Kubernetes OIDC authentication works with your OIDC provider.

 ## Purpose

 This test checks the following points:

-1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
+1. You can set up your OIDC provider using the [setup guide](../docs/setup.md).
 1. The plugin works with your OIDC provider.

-
 ## Getting Started

 ### Prerequisite
@@ -22,7 +20,7 @@ make -C ..
 ```

 You need to set up your provider.
-See [setup guide](../docs/setup.md) for more.
+See the [setup guide](../docs/setup.md) for more.

 You need to install the following tools:

@@ -44,7 +42,6 @@ For example, you can create a cluster with Google account authentication.
 ```sh
 make OIDC_ISSUER_URL=https://accounts.google.com \
  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
-  OIDC_CLIENT_SECRET=REDACTED \
  YOUR_EMAIL=REDACTED@gmail.com
 ```

--- a/docs/keycloak-login.png
+++ b/docs/keycloak-login.png
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -10,178 +10,47 @@ Let's see the following steps:
 1. Set up the kubeconfig
 1. Verify cluster access

-
 ## 1. Set up the OIDC provider

-### Google Identity Platform
+Kubelogin supports the authentication flows such as Device Authorization Grant or Authorization Code Flow.
+For the details of flows supported in Kubelogin, see the [usage](usage.md).
+For the details of your provider, ask the administrator of your provider.

-You can log in with a Google account.
+## 2. Authenticate with the OpenID Connect Provider

-Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:
-
- Application Type: Other
-
-Check the client ID and secret.
-Replace the following variables in the later sections.
-
-Variable                | Value
------------------------|------
-`ISSUER_URL`            | `https://accounts.google.com`
-`YOUR_CLIENT_ID`        | `xxx.apps.googleusercontent.com`
-`YOUR_CLIENT_SECRET`    | random string
-
-### Keycloak
-
-You can log in with a user of Keycloak.
-Make sure you have an administrator role of the Keycloak realm.
-
-Open Keycloak and create an OIDC client as follows:
-
- Client ID: `YOUR_CLIENT_ID`
- Valid Redirect URLs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
-
-You can associate client roles by adding the following mapper:
-
- Name: `groups`
- Mapper Type: `User Client Role`
- Client ID: `YOUR_CLIENT_ID`
- Client Role prefix: `kubernetes:`
- Token Claim Name: `groups`
- Add to ID token: on
-
-For example, if you have `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
-
-Replace the following variables in the later sections.
-
-Variable                | Value
------------------------|------
-`ISSUER_URL`            | `https://keycloak.example.com/auth/realms/YOUR_REALM`
-`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
-`YOUR_CLIENT_SECRET`    | random string
-
-### Dex with GitHub
-
-You can log in with a GitHub account.
-
-Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an application with the following setting:
-
- Application name: (any)
- Homepage URL: `https://dex.example.com`
- Authorization callback URL: `https://dex.example.com/callback`
-
-Deploy [Dex](https://github.com/dexidp/dex) with the following config:
-
-```yaml
-issuer: https://dex.example.com
-connectors:
- type: github
-  id: github
-  name: GitHub
-  config:
-    clientID: YOUR_GITHUB_CLIENT_ID
-    clientSecret: YOUR_GITHUB_CLIENT_SECRET
-    redirectURI: https://dex.example.com/callback
-staticClients:
- id: YOUR_CLIENT_ID
-  name: Kubernetes
-  redirectURIs:
-  - http://localhost:8000
-  - http://localhost:18000
-  secret: YOUR_DEX_CLIENT_SECRET
-```
-
-Replace the following variables in the later sections.
-
-Variable                | Value
------------------------|------
-`ISSUER_URL`            | `https://dex.example.com`
-`YOUR_CLIENT_ID`        | `YOUR_CLIENT_ID`
-`YOUR_CLIENT_SECRET`    | `YOUR_DEX_CLIENT_SECRET`
-
-### Okta
-
-You can log in with an Okta user.
-Okta supports [the authorization code flow with PKCE](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/)
-and this section explains how to set up it.
-
-Open your Okta organization and create an application with the following options:
-
- Application type: Native
- Initiate login URI: `http://localhost:8000`
- Login redirect URIs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
- Allowed grant types: Authorization Code
- Client authentication: Use PKCE (for public clients)
-
-Replace the following variables in the later sections.
-
-Variable                | Value
------------------------|------
-`ISSUER_URL`            | `https://YOUR_ORGANIZATION.okta.com`
-`YOUR_CLIENT_ID`        | random string
-
-You do not need to set `YOUR_CLIENT_SECRET`.
-
-If you need `groups` claim for access control,
-see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
-
-### Ping Identity
-
-Login with an account that has permissions to create applications.
-Create an OIDC application with the following configuration:
-
- Redirect URIs:
-    - `http://localhost:8000`
-    - `http://localhost:18000` (used if the port 8000 is already in use)
- Grant type: Authorization Code
- PKCE Enforcement: Required
-
-Leverage the following variables in the next steps.
-
-Variable                | Value
------------------------|------
-`ISSUER_URL`            | `https://auth.pingone.com/<PingOne Tenant Id>/as`
-`YOUR_CLIENT_ID`        |  random string
-
-`YOUR_CLIENT_SECRET` is not required for this configuration.
-
-## 2. Verify authentication
-
-Run the following command:
+Run the following command to show the instruction to set up the configuration:

 ```sh
-kubectl oidc-login setup \
-  --oidc-issuer-url=ISSUER_URL \
-  --oidc-client-id=YOUR_CLIENT_ID \
-  --oidc-client-secret=YOUR_CLIENT_SECRET
+kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=YOUR_CLIENT_ID
 ```

-It launches the browser and navigates to `http://localhost:8000`.
-Please log in to the provider.
+Set the following flags:

-You can set extra options, for example, extra scope or CA certificate.
-See also the full options.
+- Set the issuer URL of your OpenID Connect provider to `--oidc-issuer-url`.
+- Set the client ID for your OpenID Connect provider to `--oidc-client-id`.
+- If your provider requires a client secret, set `--oidc-client-secret`.
+
+If your provider supports the Device Authorization Grant, set `--grant-type=device-code`.
+It launches the browser and navigates to the authentication page of your provider.
+
+If your provider supports the Authorization Code Flow, set `--grant-type=authcode`.
+It starts a local server for the authentication.
+It launches the browser and navigates to the authentication page of your provider.
+
+You can see the full options:

 ```sh
 kubectl oidc-login setup --help
 ```

-
 ## 3. Bind a cluster role

-Here bind `cluster-admin` role to you.
+You can run the following command to bind `cluster-admin` role to you:

 ```sh
 kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
 ```

-As well as you can create a custom cluster role and bind it.
-
-
 ## 4. Set up the Kubernetes API server

 Add the following flags to kube-apiserver:
@@ -193,40 +62,25 @@ Add the following flags to kube-apiserver:

 See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.

-If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
-
-```yaml
-spec:
-  kubeAPIServer:
-    oidcIssuerURL: ISSUER_URL
-    oidcClientID: YOUR_CLIENT_ID
-```
-
-If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), append the following settings to the `cluster.yaml`:
-
-```yaml
-       oidc:
-         enabled: true
-         issuerUrl: ISSUER_URL
-         clientId: YOUR_CLIENT_ID
-```
-
-
 ## 5. Set up the kubeconfig

 Add `oidc` user to the kubeconfig.

 ```sh
 kubectl config set-credentials oidc \
-  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-interactive-mode=Never \
+  --exec-api-version=client.authentication.k8s.io/v1 \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url=ISSUER_URL \
-  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
-  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID
 ```

+If your provider requires a client secret, add `--oidc-client-secret=YOUR_CLIENT_SECRET`.
+
+For security, it is recommended to add `--token-cache-storage=keyring` to store the token cache to the keyring instead of the file system.
+If you encounter an error, see the [token cache](usage.md#token-cache) for details.

 ## 6. Verify cluster access

--- a/docs/standalone-mode.md
+++ b/docs/standalone-mode.md
@@ -3,7 +3,6 @@
 Kubelogin supports the standalone mode as well.
 It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.

-
 ## Getting started

 Configure your kubeconfig like:
@@ -53,16 +52,16 @@ Your kubeconfig looks like:

 ```yaml
 users:
- name: keycloak
-  user:
-    auth-provider:
-      config:
-        client-id: YOUR_CLIENT_ID
-        client-secret: YOUR_CLIENT_SECRET
-        idp-issuer-url: https://issuer.example.com
-        id-token: ey...       # kubelogin will add or update the ID token here
-        refresh-token: ey...  # kubelogin will add or update the refresh token here
-      name: oidc
+  - name: keycloak
+    user:
+      auth-provider:
+        config:
+          client-id: YOUR_CLIENT_ID
+          client-secret: YOUR_CLIENT_SECRET
+          idp-issuer-url: https://issuer.example.com
+          id-token: ey... # kubelogin will add or update the ID token here
+          refresh-token: ey... # kubelogin will add or update the refresh token here
+        name: oidc
 ```

 If the ID token is valid, kubelogin does nothing.
@@ -75,7 +74,6 @@ You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
 If the refresh token has expired, kubelogin will proceed the authentication.

-
 ## Usage

 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
@@ -94,15 +92,15 @@ If you set multiple files, kubelogin will find the file which has the current au
 Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
 See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.

-Key | Direction | Value
----|-----------|------
-`idp-issuer-url`                  | Read (Mandatory) | Issuer URL of the provider.
-`client-id`                       | Read (Mandatory) | Client ID of the provider.
-`client-secret`                   | Read (Mandatory) | Client Secret of the provider.
-`idp-certificate-authority`       | Read | CA certificate path of the provider.
-`idp-certificate-authority-data`  | Read | Base64 encoded CA certificate of the provider.
-`extra-scopes`                    | Read | Scopes to request to the provider (comma separated).
-`id-token`                        | Write | ID token got from the provider.
-`refresh-token`                   | Write | Refresh token got from the provider.
+| Key                              | Direction        | Value                                                |
+| -------------------------------- | ---------------- | ---------------------------------------------------- |
+| `idp-issuer-url`                 | Read (Mandatory) | Issuer URL of the provider.                          |
+| `client-id`                      | Read (Mandatory) | Client ID of the provider.                           |
+| `client-secret`                  | Read (Mandatory) | Client Secret of the provider.                       |
+| `idp-certificate-authority`      | Read             | CA certificate path of the provider.                 |
+| `idp-certificate-authority-data` | Read             | Base64 encoded CA certificate of the provider.       |
+| `extra-scopes`                   | Read             | Scopes to request to the provider (comma separated). |
+| `id-token`                       | Write            | ID token got from the provider.                      |
+| `refresh-token`                  | Write            | Refresh token got from the provider.                 |

 See also [usage.md](usage.md).
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -10,16 +10,20 @@ Flags:
      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
      --oidc-client-id string                           Client ID of the provider (mandatory)
      --oidc-client-secret string                       Client secret of the provider
+      --oidc-redirect-url string                        [authcode, authcode-keyboard] Redirect URL
      --oidc-extra-scope strings                        Scopes to request to the provider
-      --oidc-use-pkce                                   Force PKCE usage
-      --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
+      --oidc-use-access-token                           Instead of using the id_token, use the access_token to authenticate to Kubernetes
+      --oidc-request-header stringToString              HTTP headers to send with an authentication request (default [])
      --force-refresh                                   If set, refresh the ID token regardless of its expiration time
+      --token-cache-dir string                          Path to a directory of the token cache (default "~/.kube/cache/oidc-login")
+      --token-cache-storage string                      Storage for the token cache. One of (disk|keyring|none) (default "disk")
      --certificate-authority stringArray               Path to a cert file for the certificate authority
      --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
-      --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --insecure-skip-tls-verify                        [SECURITY RISK] If set, the server's certificate will not be checked for validity
      --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
      --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
-      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code) (default "auto")
+      --oidc-pkce-method string                         PKCE code challenge method. Automatically determined by default. One of (auto|no|S256) (default "auto")
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code|client-credentials) (default "auto")
      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
      --skip-open-browser                               [authcode] Do not open the browser automatically
      --browser-command string                          [authcode] Command to open the browser
@@ -27,30 +31,27 @@ Flags:
      --local-server-cert string                        [authcode] Certificate path for the local server
      --local-server-key string                         [authcode] Certificate key path for the local server
      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
-      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
-      --oidc-redirect-url-authcode-keyboard string      [authcode-keyboard] Redirect URL (default "urn:ietf:wg:oauth:2.0:oob")
-      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
+      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard, client-credentials] Extra query parameters to send with an authentication request (default [])
      --username string                                 [password] Username for resource owner password credentials grant
      --password string                                 [password] Password for resource owner password credentials grant
  -h, --help                                            help for get-token

 Global Flags:
      --add_dir_header                   If true, adds the file directory to the header of the log messages
-      --alsologtostderr                  log to standard error as well as files
+      --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true)
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
-      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+      --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
  -v, --v Level                          number for the log level verbosity
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```

-
 ## Options

 ### Authentication timeout
@@ -60,7 +61,7 @@ This prevents a process from remaining forever.
 You can change the timeout by the following flag:

 ```yaml
-      - --authentication-timeout-sec=60
+- --authentication-timeout-sec=60
 ```

 For now this timeout works only for the authorization code flow.
@@ -70,8 +71,32 @@ For now this timeout works only for the authorization code flow.
 You can set the extra scopes to request to the provider by `--oidc-extra-scope`.

 ```yaml
-      - --oidc-extra-scope=email
-      - --oidc-extra-scope=profile
+- --oidc-extra-scope=email
+- --oidc-extra-scope=profile
+```
+
+### PKCE
+
+Kubelogin automatically uses the PKCE if the provider supports it.
+It determines the code challenge method by the `code_challenge_methods_supported` claim of the OpenID Connect Discovery document.
+
+If your provider does not return a valid `code_challenge_methods_supported` claim,
+you can enforce the code challenge method by `--oidc-pkce-method`.
+
+```yaml
+- --oidc-pkce-method=S256
+```
+
+For the most providers, you don't need to set this option explicitly.
+
+### HTTP headers
+
+If your provider requires extra HTTP headers, you can set them by `--oidc-request-header`.
+
+For Azure AD Single Page Application with PKCE, you can set `Origin` header as follows:
+
+```yaml
+- --oidc-request-header=Origin=localhost
 ```

 ### CA certificate
@@ -79,8 +104,8 @@ You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
 You can use your self-signed certificate for the provider.

 ```yaml
-      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
-      - --certificate-authority-data=LS0t...
+- --certificate-authority=/home/user/.kube/keycloak-ca.pem
+- --certificate-authority-data=LS0t...
 ```

 ### HTTP proxy
@@ -88,6 +113,27 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).

+### Token cache
+
+Kubelogin stores the token cache to the file system by default.
+
+You can store the token cache to the OS keyring for enhanced security.
+It depends on [zalando/go-keyring](https://github.com/zalando/go-keyring).
+
+```yaml
+- --token-cache-storage=keyring
+```
+
+You can delete the token cache by the clean command.
+
+```console
+% kubectl oidc-login clean
+Deleted the token cache at /home/user/.kube/cache/oidc-login
+Deleted the token cache from the keyring
+```
+
+For systems with immutable storage and no keyring, a cache type of none is available.
+
 ### Home directory expansion

 If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
@@ -97,18 +143,40 @@ If a value in the following options begins with a tilde character `~`, it is exp
 - `--local-server-key`
 - `--token-cache-dir`

-
 ## Authentication flows

 Kubelogin support the following flows:

- Authorization code flow
- Authorization code flow with a keyboard
- Resource owner password credentials grant flow
+- [Device Authorization Grant](#device-authorization-grant)
+- [Authorization Code Flow](#authorization-code-flow)
+- [Authorization Code Flow with a Keyboard](#authorization-code-flow-with-a-keyboard)
+- [Resource Owner Password Credentials Grant](#resource-owner-password-credentials-grant)
+- [Client Credentials Flow](#client-credentials-flow)

-### Authorization code flow
+### Device Authorization Grant

-Kubelogin performs the authorization code flow by default.
+It performs the [Device Authorization Grant (RFC 8628)](https://tools.ietf.org/html/rfc8628) when `--grant-type=device-code` is set.
+
+```yaml
+- --grant-type=device-code
+```
+
+It automatically opens the browser.
+If the provider returns the `verification_uri_complete` parameter, you don't need to enter the code.
+Otherwise, you need to enter the code shown.
+
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
+
+```yaml
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
+```
+
+### Authorization Code Flow
+
+It performs the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) when `--grant-type=authcode` is set or the flag is not given.

 It starts the local server at port 8000 or 18000 by default.
 You need to register the following redirect URIs to the provider:
@@ -119,50 +187,60 @@ You need to register the following redirect URIs to the provider:
 You can change the listening address.

 ```yaml
-      - --listen-address=127.0.0.1:12345
-      - --listen-address=127.0.0.1:23456
+- --listen-address=127.0.0.1:12345
+- --listen-address=127.0.0.1:23456
+```
+
+The redirect URL defaults to `http://localhost` with the listening port.
+You can override the redirect URL.
+
+```yaml
+- --oidc-redirect-url=http://127.0.0.1:8000/
+- --oidc-redirect-url=http://your-local-hostname:8000/
 ```

 You can specify a certificate for the local webserver if HTTPS is required by your identity provider.

 ```yaml
-      - --local-server-cert=localhost.crt
-      - --local-server-key=localhost.key
-```
-
-You can change the hostname of redirect URI from the default value `localhost`.
-
-```yaml
-      - --oidc-redirect-url-hostname=127.0.0.1
+- --local-server-cert=localhost.crt
+- --local-server-key=localhost.key
 ```

 You can add extra parameters to the authentication request.

 ```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
+- --oidc-auth-request-extra-params=ttl=86400
 ```

 When authentication completed, kubelogin shows a message to close the browser.
 You can change the URL to show after authentication.

 ```yaml
-      - --open-url-after-authentication=https://example.com/success.html
+- --open-url-after-authentication=https://example.com/success.html
 ```

-You can skip opening the browser if you encounter some environment problem.
+If you encounter a problem with the browser, you can change the browser command or skip opening the browser.

 ```yaml
-      - --skip-open-browser
+# Change the browser command
+- --browser-command=google-chrome
+# Do not open the browser
+- --skip-open-browser
 ```

-For Linux users, you change the default browser by `BROWSER` environment variable.
-
-### Authorization code flow with a keyboard
+### Authorization Code Flow with a keyboard

 If you cannot access the browser, instead use the authorization code flow with a keyboard.

 ```yaml
-      - --grant-type=authcode-keyboard
+- --grant-type=authcode-keyboard
+```
+
+You need to explicitly set the redirect URL.
+
+```yaml
+- --oidc-redirect-url=urn:ietf:wg:oauth:2.0:oob
+- --oidc-redirect-url=http://localhost
 ```

 Kubelogin will show the URL and prompt.
@@ -174,38 +252,31 @@ Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=
 Enter code: YOUR_CODE
 ```

-The default of redirect URI is `urn:ietf:wg:oauth:2.0:oob`.
-You can overwrite it.
-
-```yaml
-      - oidc-redirect-url-authcode-keyboard=http://localhost
-```
-
 You can add extra parameters to the authentication request.

 ```yaml
-      - --oidc-auth-request-extra-params=ttl=86400
+- --oidc-auth-request-extra-params=ttl=86400
 ```

-### Resource owner password credentials grant flow
+### Resource Owner Password Credentials Grant

-Kubelogin performs the resource owner password credentials grant flow
+It performs the [Resource Owner Password Credentials Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
 when `--grant-type=password` or `--username` is set.

-Note that most OIDC providers do not support this flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+Note that most OIDC providers do not support this grant.
+Keycloak supports this grant but you need to explicitly enable the "Direct Access Grants" feature in the client settings.

 You can set the username and password.

 ```yaml
-      - --username=USERNAME
-      - --password=PASSWORD
+- --username=USERNAME
+- --password=PASSWORD
 ```

 If the password is not set, kubelogin will show the prompt for the password.

 ```yaml
-      - --username=USERNAME
+- --username=USERNAME
 ```

 ```
@@ -216,7 +287,7 @@ Password:
 If the username is not set, kubelogin will show the prompt for the username and password.

 ```yaml
-      - --grant-type=password
+- --grant-type=password
 ```

 ```
@@ -225,6 +296,16 @@ Username: foo
 Password:
 ```

+### Client Credentials Flow
+
+It performs the [OAuth 2.0 Client Credentials Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4) when `--grant-type=client-credentials` is set.
+
+```yaml
+- --grant-type=client-credentials
+```
+
+Per specification, this flow only returns authorization tokens.
+
 ## Run in Docker

 You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
@@ -232,25 +313,25 @@ The kubeconfig looks like:

 ```yaml
 users:
- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: docker
-      args:
-      - run
-      - --rm
-      - -v
-      - /tmp/.token-cache:/.token-cache
-      - -p
-      - 8000:8000
-      - ghcr.io/int128/kubelogin
-      - get-token
-      - --token-cache-dir=/.token-cache
-      - --listen-address=0.0.0.0:8000
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+  - name: oidc
+    user:
+      exec:
+        apiVersion: client.authentication.k8s.io/v1
+        command: docker
+        args:
+          - run
+          - --rm
+          - -v
+          - /tmp/.token-cache:/.token-cache
+          - -p
+          - 8000:8000
+          - ghcr.io/int128/kubelogin
+          - get-token
+          - --token-cache-dir=/.token-cache
+          - --listen-address=0.0.0.0:8000
+          - --oidc-issuer-url=ISSUER_URL
+          - --oidc-client-id=YOUR_CLIENT_ID
+          - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```

 Known limitations:
--- a/go.mod
+++ b/go.mod
@@ -1,59 +1,274 @@
 module github.com/int128/kubelogin

-go 1.22.2
+go 1.24.5

 require (
-	github.com/alexflint/go-filemutex v1.3.0
-	github.com/chromedp/chromedp v0.10.0
-	github.com/coreos/go-oidc/v3 v3.11.0
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/google/go-cmp v0.6.0
+	github.com/chromedp/chromedp v0.13.7
+	github.com/coreos/go-oidc/v3 v3.14.1
+	github.com/gofrs/flock v0.12.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/google/go-cmp v0.7.0
 	github.com/google/wire v0.6.0
-	github.com/int128/oauth2cli v1.14.0
-	github.com/int128/oauth2dev v1.0.1
+	github.com/int128/oauth2cli v1.17.0
+	github.com/int128/oauth2dev v1.1.0
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
-	github.com/spf13/cobra v1.8.1
-	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.9.0
-	golang.org/x/oauth2 v0.21.0
-	golang.org/x/sync v0.7.0
-	golang.org/x/term v0.22.0
-	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/apimachinery v0.30.3
-	k8s.io/client-go v0.30.3
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
+	github.com/stretchr/testify v1.10.0
+	github.com/zalando/go-keyring v0.2.6
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/term v0.33.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/apimachinery v0.33.2
+	k8s.io/client-go v0.33.2
 	k8s.io/klog/v2 v2.130.1
 )

 require (
-	github.com/chromedp/cdproto v0.0.0-20240801214329-3f85d328b335 // indirect
-	github.com/chromedp/sysutil v1.0.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
+	4d63.com/gochecknoglobals v0.2.2 // indirect
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
+	codeberg.org/chavacava/garif v0.2.0 // indirect
+	github.com/4meepo/tagalign v1.4.2 // indirect
+	github.com/Abirdcfly/dupword v0.1.6 // indirect
+	github.com/AlwxSin/noinlineerr v1.0.4 // indirect
+	github.com/Antonboom/errname v1.1.0 // indirect
+	github.com/Antonboom/nilnil v1.1.0 // indirect
+	github.com/Antonboom/testifylint v1.6.1 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
+	github.com/alecthomas/chroma/v2 v2.19.0 // indirect
+	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
+	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
+	github.com/alingse/nilnesserr v0.2.0 // indirect
+	github.com/ashanbrown/forbidigo/v2 v2.1.0 // indirect
+	github.com/ashanbrown/makezero/v2 v2.0.1 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bkielbasa/cyclop v1.2.3 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bombsimon/wsl/v4 v4.7.0 // indirect
+	github.com/bombsimon/wsl/v5 v5.0.0 // indirect
+	github.com/breml/bidichk v0.3.3 // indirect
+	github.com/breml/errchkjson v0.4.1 // indirect
+	github.com/brunoga/deep v1.2.4 // indirect
+	github.com/butuzov/ireturn v0.4.0 // indirect
+	github.com/butuzov/mirror v1.3.0 // indirect
+	github.com/catenacyber/perfsprint v0.9.1 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charithe/durationcheck v0.0.10 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/chromedp/cdproto v0.0.0-20250403032234-65de8f5d025b // indirect
+	github.com/chromedp/sysutil v1.1.0 // indirect
+	github.com/ckaznocha/intrange v0.3.1 // indirect
+	github.com/curioswitch/go-reassign v0.3.0 // indirect
+	github.com/daixiang0/gci v0.13.6 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/dave/dst v0.27.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/denis-tingaikin/go-header v0.5.0 // indirect
+	github.com/dlclark/regexp2 v1.11.5 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
+	github.com/firefart/nonamedreturns v1.0.6 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/ghostiam/protogetter v0.3.15 // indirect
+	github.com/go-critic/go-critic v0.13.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.2.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.4.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
+	github.com/golangci/go-printf-func-name v0.1.0 // indirect
+	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
+	github.com/golangci/golangci-lint/v2 v2.2.2 // indirect
+	github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 // indirect
+	github.com/golangci/misspell v0.7.0 // indirect
+	github.com/golangci/plugin-module-register v0.1.2 // indirect
+	github.com/golangci/revgrep v0.8.0 // indirect
+	github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
+	github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
+	github.com/google/subcommands v1.2.0 // indirect
+	github.com/gordonklaus/ineffassign v0.1.0 // indirect
+	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+	github.com/gostaticanalysis/comment v1.5.0 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
+	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/int128/listener v1.1.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
+	github.com/int128/listener v1.2.0 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.6.7 // indirect
+	github.com/jgautheron/goconst v1.8.2 // indirect
+	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+	github.com/jjti/go-spancheck v0.6.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/julz/importas v0.2.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
+	github.com/kisielk/errcheck v1.9.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
+	github.com/knadh/koanf/maps v0.1.2 // indirect
+	github.com/knadh/koanf/parsers/yaml v0.1.0 // indirect
+	github.com/knadh/koanf/providers/env v1.0.0 // indirect
+	github.com/knadh/koanf/providers/file v1.1.2 // indirect
+	github.com/knadh/koanf/providers/posflag v0.1.0 // indirect
+	github.com/knadh/koanf/providers/structs v0.1.0 // indirect
+	github.com/knadh/koanf/v2 v2.2.1 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.14 // indirect
+	github.com/lasiar/canonicalheader v1.1.2 // indirect
+	github.com/ldez/exptostd v0.4.4 // indirect
+	github.com/ldez/gomoddirectives v0.7.0 // indirect
+	github.com/ldez/grignotin v0.9.0 // indirect
+	github.com/ldez/tagliatelle v0.7.1 // indirect
+	github.com/ldez/usetesting v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.2 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/macabu/inamedparam v0.2.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/manuelarte/embeddedstructfieldcheck v0.3.0 // indirect
+	github.com/manuelarte/funcorder v0.5.0 // indirect
+	github.com/maratori/testableexamples v1.0.0 // indirect
+	github.com/maratori/testpackage v1.1.1 // indirect
+	github.com/matoous/godox v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mgechev/revive v1.10.0 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/moricho/tparallel v0.3.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nakabonne/nestif v0.3.1 // indirect
+	github.com/nishanths/exhaustive v0.12.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/polyfloyd/go-errorlint v1.8.0 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.4 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
+	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+	github.com/raeperd/recvcheck v0.2.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/ryancurrah/gomodguard v1.4.1 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
+	github.com/securego/gosec/v2 v2.22.5 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sonatard/noctx v0.3.4 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
+	github.com/spf13/afero v1.14.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/viper v1.20.0 // indirect
+	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tdakkota/asciicheck v0.4.1 // indirect
+	github.com/tetafro/godot v1.5.1 // indirect
+	github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
+	github.com/timonwong/loggercheck v0.11.0 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.11.0 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+	github.com/ultraware/funlen v0.2.0 // indirect
+	github.com/ultraware/whitespace v0.2.0 // indirect
+	github.com/uudashr/gocognit v1.2.0 // indirect
+	github.com/uudashr/iface v1.4.0 // indirect
+	github.com/vektra/mockery/v3 v3.5.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xen0n/gosmopolitan v1.3.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.3.0 // indirect
+	github.com/ykadowak/zerologlint v0.1.5 // indirect
+	gitlab.com/bosi/decorder v0.4.2 // indirect
+	go-simpler.org/musttag v0.13.1 // indirect
+	go-simpler.org/sloglint v0.11.0 // indirect
+	go.augendre.info/arangolint v0.2.0 // indirect
+	go.augendre.info/fatcontext v0.8.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
+	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.34.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	honnef.co/go/tools v0.6.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	mvdan.cc/gofumpt v0.8.0 // indirect
+	mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
+
+tool (
+	github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+	github.com/google/wire/cmd/wire
+	github.com/vektra/mockery/v3
 )
--- a/go.sum
+++ b/go.sum
--- a/integration_test/clean_test.go
+++ b/integration_test/clean_test.go
@@ -0,0 +1,27 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+func TestClean(t *testing.T) {
+	tokenCacheDir := t.TempDir()
+
+	cmd := di.NewCmdForHeadless(clock.Fake(time.Now()), os.Stdin, os.Stdout, logger.New(t), httpdriver.Zero(t))
+	exitCode := cmd.Run(context.TODO(), []string{
+		"kubelogin",
+		"clean",
+		"--token-cache-dir", tokenCacheDir,
+	}, "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
--- a/integration_test/credetial_plugin_test.go
+++ b/integration_test/credetial_plugin_test.go
@@ -13,12 +13,13 @@ import (
 	"github.com/int128/kubelogin/integration_test/httpdriver"
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 )

 // Run the integration tests of the credential plugin use-case.
@@ -42,56 +43,57 @@ func TestCredentialPlugin(t *testing.T) {
 			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
 		},
 	} {
-		httpDriverOption := httpdriver.Option{
+		httpDriverConfig := httpdriver.Config{
 			TLSConfig:    tc.keyPair.TLSConfig,
 			BodyContains: "Authenticated",
 		}

 		t.Run(name, func(t *testing.T) {
 			t.Run("AuthCode", func(t *testing.T) {
-				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
-						Scope:             "openid",
-						RedirectURIPrefix: "http://localhost:",
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
+						Scope:               "openid",
+						RedirectURIPrefix:   "http://localhost:",
+						CodeChallengeMethod: "S256",
 					},
-					Response: oidcserver.Response{
-						IDTokenExpiry: now.Add(time.Hour),
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
 					},
 				})
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
-					issuerURL:     sv.IssuerURL(),
-					httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+					issuerURL:     svc.IssuerURL(),
+					httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 					now:           now,
 					stdout:        &stdout,
 					args:          tc.args,
 				})
-				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 			})

 			t.Run("ROPC", func(t *testing.T) {
-				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
-						IDTokenExpiry: now.Add(time.Hour),
+					Response: testconfig.Response{
+						IDTokenExpiry:                 now.Add(time.Hour),
+						CodeChallengeMethodsSupported: []string{"plain", "S256"},
 					},
 				})
 				var stdout bytes.Buffer
 				runGetToken(t, ctx, getTokenConfig{
 					tokenCacheDir: tokenCacheDir,
-					issuerURL:     sv.IssuerURL(),
+					issuerURL:     svc.IssuerURL(),
 					httpDriver:    httpdriver.Zero(t),
 					now:           now,
 					stdout:        &stdout,
@@ -100,110 +102,165 @@ func TestCredentialPlugin(t *testing.T) {
 						"--password", "PASS1",
 					}, tc.args...),
 				})
-				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 			})

 			t.Run("TokenCacheLifecycle", func(t *testing.T) {
-				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				svc := oidcserver.New(t, tc.keyPair, testconfig.Config{})

 				t.Run("NoCache", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
-							Scope:             "openid",
-							RedirectURIPrefix: "http://localhost:",
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
+							Scope:               "openid",
+							RedirectURIPrefix:   "http://localhost:",
+							CodeChallengeMethod: "S256",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(time.Hour),
-							RefreshToken:  "REFRESH_TOKEN_1",
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_1",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					svc.SetConfig(testconfig.Config{})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
+						issuerURL:     svc.IssuerURL(),
 						httpDriver:    httpdriver.Zero(t),
 						now:           now,
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(3 * time.Hour),
-							RefreshToken:  "REFRESH_TOKEN_2",
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(3 * time.Hour),
+							RefreshToken:                  "REFRESH_TOKEN_2",
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now.Add(2 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(3*time.Hour))
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					svc.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
-							IDTokenExpiry: now.Add(5 * time.Hour),
+						Response: testconfig.Response{
+							IDTokenExpiry:                 now.Add(5 * time.Hour),
+							CodeChallengeMethodsSupported: []string{"plain", "S256"},
 						},
 					})
 					var stdout bytes.Buffer
 					runGetToken(t, ctx, getTokenConfig{
 						tokenCacheDir: tokenCacheDir,
-						issuerURL:     sv.IssuerURL(),
-						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						issuerURL:     svc.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverConfig),
 						now:           now.Add(4 * time.Hour),
 						stdout:        &stdout,
 						args:          tc.args,
 					})
-					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(5*time.Hour))
+					assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(5*time.Hour))
 				})
 			})
 		})
 	}

 	t.Run("PKCE", func(t *testing.T) {
-		t.Parallel()
+		t.Run("Not supported by provider", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+		})
+
+		t.Run("Enforce", func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+			defer cancel()
+			svc := oidcserver.New(t, keypair.None, testconfig.Config{
+				Want: testconfig.Want{
+					Scope:               "openid",
+					RedirectURIPrefix:   "http://localhost:",
+					CodeChallengeMethod: "S256",
+				},
+				Response: testconfig.Response{
+					IDTokenExpiry:                 now.Add(time.Hour),
+					CodeChallengeMethodsSupported: nil,
+				},
+			})
+			var stdout bytes.Buffer
+			runGetToken(t, ctx, getTokenConfig{
+				tokenCacheDir: tokenCacheDir,
+				issuerURL:     svc.IssuerURL(),
+				httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
+				now:           now,
+				stdout:        &stdout,
+				args:          []string{"--oidc-use-pkce"},
+			})
+			assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
+		})
+	})
+
+	t.Run("TLSData", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		svc := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:               "openid",
 				RedirectURIPrefix:   "http://localhost:",
 				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry:                 now.Add(time.Hour),
 				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
@@ -211,57 +268,34 @@ func TestCredentialPlugin(t *testing.T) {
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
-			now:           now,
-			stdout:        &stdout,
-		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
-	})
-
-	t.Run("TLSData", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
-			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
-			},
-		})
-		var stdout bytes.Buffer
-		runGetToken(t, ctx, getTokenConfig{
-			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

 	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "email profile openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "email profile openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -269,77 +303,80 @@ func TestCredentialPlugin(t *testing.T) {
 				"--oidc-extra-scope", "profile",
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

 	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "URL=https://example.com/success"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "URL=https://example.com/success"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

 	t.Run("RedirectURLHostname", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://127.0.0.1:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://127.0.0.1:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

 	t.Run("RedirectURLHTTPS", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "https://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "https://localhost:",
+				CodeChallengeMethod: "S256",
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{
+			issuerURL:     svc.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{
 				TLSConfig:    keypair.Server.TLSConfig,
 				BodyContains: "Authenticated",
 			}),
@@ -350,31 +387,32 @@ func TestCredentialPlugin(t *testing.T) {
 				"--local-server-key", keypair.Server.KeyPath,
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})

 	t.Run("ExtraParams", func(t *testing.T) {
-		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
-				Scope:             "openid",
-				RedirectURIPrefix: "http://localhost:",
+		svc := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
 				ExtraParams: map[string]string{
 					"ttl":    "86400",
 					"reauth": "false",
 				},
 			},
-			Response: oidcserver.Response{
-				IDTokenExpiry: now.Add(time.Hour),
+			Response: testconfig.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
 			},
 		})
 		var stdout bytes.Buffer
 		runGetToken(t, ctx, getTokenConfig{
 			tokenCacheDir: tokenCacheDir,
-			issuerURL:     sv.IssuerURL(),
-			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			issuerURL:     svc.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
 			now:           now,
 			stdout:        &stdout,
 			args: []string{
@@ -382,7 +420,7 @@ func TestCredentialPlugin(t *testing.T) {
 				"--oidc-auth-request-extra-params", "reauth=false",
 			},
 		})
-		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+		assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
 	})
 }

@@ -397,6 +435,10 @@ type getTokenConfig struct {

 func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
 	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, cfg.stdout, logger.New(t), cfg.httpDriver)
+	t.Setenv(
+		"KUBERNETES_EXEC_INFO",
+		`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
+	)
 	exitCode := cmd.Run(ctx, append([]string{
 		"kubelogin",
 		"get-token",
@@ -411,22 +453,22 @@ func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
 }

 func assertCredentialPluginStdout(t *testing.T, stdout io.Reader, token string, expiry time.Time) {
-	var got clientauthenticationv1beta1.ExecCredential
+	var got clientauthenticationv1.ExecCredential
 	if err := json.NewDecoder(stdout).Decode(&got); err != nil {
 		t.Errorf("could not decode json of the credential plugin: %s", err)
 		return
 	}
-	want := clientauthenticationv1beta1.ExecCredential{
+	want := clientauthenticationv1.ExecCredential{
 		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
+			APIVersion: "client.authentication.k8s.io/v1",
 			Kind:       "ExecCredential",
 		},
-		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+		Status: &clientauthenticationv1.ExecCredentialStatus{
 			Token:               token,
 			ExpirationTimestamp: &metav1.Time{Time: expiry},
 		},
 	}
 	if diff := cmp.Diff(want, got); diff != "" {
-		t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
+		t.Errorf("stdout mismatch (-want +got):\n%s", diff)
 	}
 }
--- a/integration_test/httpdriver/http_driver.go
+++ b/integration_test/httpdriver/http_driver.go
@@ -10,14 +10,14 @@ import (
 	"testing"
 )

-type Option struct {
+type Config struct {
 	TLSConfig    *tls.Config
 	BodyContains string
 }

 // New returns a client to simulate browser access.
-func New(ctx context.Context, t *testing.T, o Option) *client {
-	return &client{ctx, t, o}
+func New(ctx context.Context, t *testing.T, config Config) *client {
+	return &client{ctx, t, config}
 }

 // Zero returns a client which call is not expected.
@@ -26,13 +26,13 @@ func Zero(t *testing.T) *zeroClient {
 }

 type client struct {
-	ctx context.Context
-	t   *testing.T
-	o   Option
+	ctx    context.Context
+	t      *testing.T
+	config Config
 }

 func (c *client) Open(url string) error {
-	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.o.TLSConfig}}
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.config.TLSConfig}}
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		c.t.Errorf("could not create a request: %s", err)
@@ -44,7 +44,11 @@ func (c *client) Open(url string) error {
 		c.t.Errorf("could not send a request: %s", err)
 		return nil
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			c.t.Errorf("could not close response body: %s", err)
+		}
+	}()
 	if resp.StatusCode != 200 {
 		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
 	}
@@ -54,8 +58,8 @@ func (c *client) Open(url string) error {
 		return nil
 	}
 	body := string(b)
-	if !strings.Contains(body, c.o.BodyContains) {
-		c.t.Errorf("body should contain %s but was %s", c.o.BodyContains, body)
+	if !strings.Contains(body, c.config.BodyContains) {
+		c.t.Errorf("body should contain %s but was %s", c.config.BodyContains, body)
 	}
 	return nil
 }
--- a/integration_test/keypair/keypair.go
+++ b/integration_test/keypair/keypair.go
@@ -36,7 +36,11 @@ func readAsBase64(name string) string {
 	if err != nil {
 		panic(err)
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			panic(err)
+		}
+	}()
 	var s strings.Builder
 	e := base64.NewEncoder(base64.StdEncoding, &s)
 	if _, err := io.Copy(e, f); err != nil {
--- a/integration_test/kubeconfig/kubeconfig.go
+++ b/integration_test/kubeconfig/kubeconfig.go
@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"testing"

-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )

 // Values represents values in .kubeconfig template.
@@ -27,7 +27,11 @@ func Create(t *testing.T, v *Values) string {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			t.Fatal(err)
+		}
+	}()
 	tpl, err := template.ParseFiles("kubeconfig/testdata/kubeconfig.yaml")
 	if err != nil {
 		t.Fatal(err)
@@ -51,7 +55,11 @@ func Verify(t *testing.T, kubeconfig string, want AuthProviderConfig) {
 		t.Errorf("could not open kubeconfig: %s", err)
 		return
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			t.Errorf("could not close kubeconfig: %s", err)
+		}
+	}()

 	var y struct {
 		Users []struct {
--- a/integration_test/oidcserver/handler/handler.go
+++ b/integration_test/oidcserver/handler/handler.go
@@ -1,4 +1,4 @@
-// Package handler provides a HTTP handler for the OpenID Connect Provider.
+// Package handler provides HTTP handlers for the OpenID Connect Provider.
 package handler

 import (
@@ -6,29 +6,34 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"testing"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
 )

-func New(t *testing.T, provider Provider) *Handler {
-	return &Handler{t, provider}
+func Register(t *testing.T, mux *http.ServeMux, provider service.Provider) {
+	h := &Handlers{t, provider}
+	mux.HandleFunc("GET /.well-known/openid-configuration", h.Discovery)
+	mux.HandleFunc("GET /certs", h.GetCertificates)
+	mux.HandleFunc("GET /auth", h.AuthenticateCode)
+	mux.HandleFunc("POST /token", h.Exchange)
 }

-// Handler provides a HTTP handler for the OpenID Connect Provider.
+// Handlers provides HTTP handlers for the OpenID Connect Provider.
 // You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
-type Handler struct {
+type Handlers struct {
 	t        *testing.T
-	provider Provider
+	provider service.Provider
 }

-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	wr := &responseWriterRecorder{w, 200}
-	err := h.serveHTTP(wr, r)
+func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func() error) {
+	err := f()
 	if err == nil {
-		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
 		return
 	}
-	if errResp := new(ErrorResponse); errors.As(err, &errResp) {
+	if errResp := new(service.ErrorResponse); errors.As(err, &errResp) {
 		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(400)
@@ -42,38 +47,35 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	http.Error(w, err.Error(), 500)
 }

-type responseWriterRecorder struct {
-	http.ResponseWriter
-	statusCode int
-}
-
-func (w *responseWriterRecorder) WriteHeader(statusCode int) {
-	w.ResponseWriter.WriteHeader(statusCode)
-	w.statusCode = statusCode
-}
-
-func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
-	m := r.Method
-	p := r.URL.Path
-	switch {
-	case m == "GET" && p == "/.well-known/openid-configuration":
+func (h *Handlers) Discovery(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
 			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/certs":
+		return nil
+	})
+}
+
+func (h *Handlers) GetCertificates(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
 			return fmt.Errorf("could not render json: %w", err)
 		}
-	case m == "GET" && p == "/auth":
+		return nil
+	})
+}
+
+func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		q := r.URL.Query()
 		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
-		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+		code, err := h.provider.AuthenticateCode(service.AuthenticationRequest{
 			RedirectURI:         redirectURI,
 			State:               state,
 			Scope:               q.Get("scope"),
@@ -85,16 +87,25 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return fmt.Errorf("authentication error: %w", err)
 		}
-		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
-		http.Redirect(w, r, to, 302)
-	case m == "POST" && p == "/token":
+		redirectTo, err := url.Parse(redirectURI)
+		if err != nil {
+			return fmt.Errorf("invalid redirect_uri: %w", err)
+		}
+		redirectTo.RawQuery = url.Values{"state": {state}, "code": {code}}.Encode()
+		http.Redirect(w, r, redirectTo.String(), http.StatusFound)
+		return nil
+	})
+}
+
+func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
+	h.handleError(w, r, func() error {
 		if err := r.ParseForm(); err != nil {
 			return fmt.Errorf("could not parse the form: %w", err)
 		}
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
 		case "authorization_code":
-			tokenResponse, err := h.provider.Exchange(TokenRequest{
+			tokenResponse, err := h.provider.Exchange(service.TokenRequest{
 				Code:         r.Form.Get("code"),
 				CodeVerifier: r.Form.Get("code_verifier"),
 			})
@@ -135,13 +146,11 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 		default:
 			// 5.2. Error Response
 			// https://tools.ietf.org/html/rfc6749#section-5.2
-			return &ErrorResponse{
+			return &service.ErrorResponse{
 				Code:        "invalid_grant",
 				Description: fmt.Sprintf("unknown grant_type %s", grantType),
 			}
 		}
-	default:
-		http.NotFound(w, r)
-	}
-	return nil
+		return nil
+	})
 }
--- a/integration_test/oidcserver/http/http.go
+++ b/integration_test/oidcserver/http/http.go
@@ -1,74 +0,0 @@
-// Package http provides a http server running on localhost for testing.
-package http
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"testing"
-
-	"github.com/int128/kubelogin/integration_test/keypair"
-)
-
-func Start(t *testing.T, h http.Handler, k keypair.KeyPair) string {
-	if k == keypair.None {
-		return startNoTLS(t, h)
-	}
-	return startTLS(t, h, k)
-}
-
-func startNoTLS(t *testing.T, h http.Handler) string {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "http://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.Serve(l)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(func() {
-		if err := s.Shutdown(context.TODO()); err != nil {
-			t.Errorf("could not shutdown the server: %s", err)
-		}
-	})
-	return url
-}
-
-func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) string {
-	t.Helper()
-	l, port := newLocalhostListener(t)
-	url := "https://localhost:" + port
-	s := &http.Server{
-		Handler: h,
-	}
-	go func() {
-		err := s.ServeTLS(l, k.CertPath, k.KeyPath)
-		if err != nil && err != http.ErrServerClosed {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(func() {
-		if err := s.Shutdown(context.TODO()); err != nil {
-			t.Errorf("could not shutdown the server: %s", err)
-		}
-	})
-	return url
-}
-
-func newLocalhostListener(t *testing.T) (net.Listener, string) {
-	t.Helper()
-	l, err := net.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatalf("Could not create a listener: %s", err)
-	}
-	addr := l.Addr().String()
-	_, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		t.Fatalf("Could not parse the address %s: %s", addr, err)
-	}
-	return l, port
-}
--- a/integration_test/oidcserver/oidcserver.go
+++ b/integration_test/oidcserver/oidcserver.go
@@ -0,0 +1,54 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+)
+
+// New starts a server for the OpenID Connect provider.
+func New(t *testing.T, kp keypair.KeyPair, config testconfig.Config) service.Service {
+	mux := http.NewServeMux()
+	serverURL := startServer(t, mux, kp)
+
+	svc := service.New(t, serverURL, config)
+	handler.Register(t, mux, svc)
+	return svc
+}
+
+func startServer(t *testing.T, h http.Handler, kp keypair.KeyPair) string {
+	if kp == keypair.None {
+		srv := httptest.NewServer(h)
+		t.Cleanup(srv.Close)
+		return srv.URL
+	}
+
+	// Unfortunately, httptest package did not work with keypair.KeyPair.
+	// We use httptest package only for allocating a new port.
+	portAllocator := httptest.NewUnstartedServer(h)
+	t.Cleanup(portAllocator.Close)
+	serverURL := fmt.Sprintf("https://localhost:%d", portAllocator.Listener.Addr().(*net.TCPAddr).Port)
+	srv := &http.Server{Handler: h}
+	go func() {
+		err := srv.ServeTLS(portAllocator.Listener, kp.CertPath, kp.KeyPath)
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			t.Error(err)
+		}
+	}()
+	t.Cleanup(func() {
+		if err := srv.Shutdown(context.TODO()); err != nil {
+			t.Errorf("could not shutdown the server: %s", err)
+		}
+	})
+	return serverURL
+}
--- a/integration_test/oidcserver/server.go
+++ b/integration_test/oidcserver/server.go
@@ -1,216 +0,0 @@
-// Package oidcserver provides a stub of OpenID Connect provider.
-package oidcserver
-
-import (
-	"crypto/sha256"
-	"encoding/base64"
-	"fmt"
-	"math/big"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/int128/kubelogin/integration_test/keypair"
-	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
-	"github.com/int128/kubelogin/integration_test/oidcserver/http"
-	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
-)
-
-type Server interface {
-	IssuerURL() string
-	SetConfig(Config)
-	LastTokenResponse() *handler.TokenResponse
-}
-
-// Want represents a set of expected values.
-type Want struct {
-	Scope               string
-	RedirectURIPrefix   string
-	CodeChallengeMethod string            // optional
-	ExtraParams         map[string]string // optional
-	Username            string            // optional
-	Password            string            // optional
-	RefreshToken        string            // optional
-}
-
-// Response represents a set of response values.
-type Response struct {
-	IDTokenExpiry                 time.Time
-	RefreshToken                  string
-	RefreshError                  string   // if set, Refresh() will return the error
-	CodeChallengeMethodsSupported []string // optional
-}
-
-// Config represents a configuration of the OpenID Connect provider.
-type Config struct {
-	Want     Want
-	Response Response
-}
-
-// New starts a HTTP server for the OpenID Connect provider.
-func New(t *testing.T, k keypair.KeyPair, c Config) Server {
-	sv := server{Config: c, t: t}
-	sv.issuerURL = http.Start(t, handler.New(t, &sv), k)
-	return &sv
-}
-
-type server struct {
-	Config
-	t                         *testing.T
-	issuerURL                 string
-	lastAuthenticationRequest *handler.AuthenticationRequest
-	lastTokenResponse         *handler.TokenResponse
-}
-
-func (sv *server) IssuerURL() string {
-	return sv.issuerURL
-}
-
-func (sv *server) SetConfig(cfg Config) {
-	sv.Config = cfg
-}
-
-func (sv *server) LastTokenResponse() *handler.TokenResponse {
-	return sv.lastTokenResponse
-}
-
-func (sv *server) Discovery() *handler.DiscoveryResponse {
-	// based on https://accounts.google.com/.well-known/openid-configuration
-	return &handler.DiscoveryResponse{
-		Issuer:                            sv.issuerURL,
-		AuthorizationEndpoint:             sv.issuerURL + "/auth",
-		TokenEndpoint:                     sv.issuerURL + "/token",
-		JwksURI:                           sv.issuerURL + "/certs",
-		UserinfoEndpoint:                  sv.issuerURL + "/userinfo",
-		RevocationEndpoint:                sv.issuerURL + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     sv.Config.Response.CodeChallengeMethodsSupported,
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
-func (sv *server) GetCertificates() *handler.CertificatesResponse {
-	idTokenKeyPair := testingJWT.PrivateKey
-	return &handler.CertificatesResponse{
-		Keys: []*handler.CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
-}
-
-func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
-	if req.Scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
-	}
-	if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
-		sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
-	}
-	if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
-		sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
-	}
-	for k, v := range sv.Want.ExtraParams {
-		got := req.RawQuery.Get(k)
-		if got != v {
-			sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
-		}
-	}
-	sv.lastAuthenticationRequest = &req
-	return "YOUR_AUTH_CODE", nil
-}
-
-func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
-	if req.Code != "YOUR_AUTH_CODE" {
-		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
-	}
-	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
-		// https://tools.ietf.org/html/rfc7636#section-4.6
-		challenge := computeS256Challenge(req.CodeVerifier)
-		if challenge != sv.lastAuthenticationRequest.CodeChallenge {
-			sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
-		}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: testingJWT.EncodeF(sv.t, func(claims *testingJWT.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = jwt.NewNumericDate(sv.Response.IDTokenExpiry.Add(-time.Hour))
-			claims.ExpiresAt = jwt.NewNumericDate(sv.Response.IDTokenExpiry)
-			claims.Audience = []string{"kubernetes"}
-			claims.Nonce = sv.lastAuthenticationRequest.Nonce
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func computeS256Challenge(verifier string) string {
-	c := sha256.Sum256([]byte(verifier))
-	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
-}
-
-func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
-	if scope != sv.Want.Scope {
-		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
-	}
-	if username != sv.Want.Username {
-		sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
-	}
-	if password != sv.Want.Password {
-		sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: testingJWT.EncodeF(sv.t, func(claims *testingJWT.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = jwt.NewNumericDate(sv.Response.IDTokenExpiry.Add(-time.Hour))
-			claims.ExpiresAt = jwt.NewNumericDate(sv.Response.IDTokenExpiry)
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
-
-func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
-	if refreshToken != sv.Want.RefreshToken {
-		sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
-	}
-	if sv.Response.RefreshError != "" {
-		return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
-	}
-	resp := &handler.TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		RefreshToken: sv.Response.RefreshToken,
-		IDToken: testingJWT.EncodeF(sv.t, func(claims *testingJWT.Claims) {
-			claims.Issuer = sv.issuerURL
-			claims.Subject = "SUBJECT"
-			claims.IssuedAt = jwt.NewNumericDate(sv.Response.IDTokenExpiry.Add(-time.Hour))
-			claims.ExpiresAt = jwt.NewNumericDate(sv.Response.IDTokenExpiry)
-			claims.Audience = []string{"kubernetes"}
-		}),
-	}
-	sv.lastTokenResponse = resp
-	return resp, nil
-}
--- a/integration_test/oidcserver/service/service.go
+++ b/integration_test/oidcserver/service/service.go
@@ -0,0 +1,184 @@
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+func New(t *testing.T, issuerURL string, config testconfig.Config) Service {
+	return &service{
+		config:    config,
+		t:         t,
+		issuerURL: issuerURL,
+	}
+}
+
+type service struct {
+	config                    testconfig.Config
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *AuthenticationRequest
+	lastTokenResponse         *TokenResponse
+}
+
+func (svc *service) IssuerURL() string {
+	return svc.issuerURL
+}
+
+func (svc *service) SetConfig(cfg testconfig.Config) {
+	svc.config = cfg
+}
+
+func (svc *service) LastTokenResponse() *TokenResponse {
+	return svc.lastTokenResponse
+}
+
+func (svc *service) Discovery() *DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &DiscoveryResponse{
+		Issuer:                            svc.issuerURL,
+		AuthorizationEndpoint:             svc.issuerURL + "/auth",
+		TokenEndpoint:                     svc.issuerURL + "/token",
+		JwksURI:                           svc.issuerURL + "/certs",
+		UserinfoEndpoint:                  svc.issuerURL + "/userinfo",
+		RevocationEndpoint:                svc.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     svc.config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (svc *service) GetCertificates() *CertificatesResponse {
+	idTokenKeyPair := testingJWT.PrivateKey
+	return &CertificatesResponse{
+		Keys: []*CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (svc *service) AuthenticateCode(req AuthenticationRequest) (code string, err error) {
+	if req.Scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, svc.config.Want.RedirectURIPrefix) {
+		svc.t.Errorf("redirectURI wants prefix `%s` but was `%s`", svc.config.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if diff := cmp.Diff(svc.config.Want.CodeChallengeMethod, req.CodeChallengeMethod); diff != "" {
+		svc.t.Errorf("code_challenge_method mismatch (-want +got):\n%s", diff)
+	}
+	for k, v := range svc.config.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			svc.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	svc.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (svc *service) Exchange(req TokenRequest) (*TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if svc.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != svc.lastAuthenticationRequest.CodeChallenge {
+			svc.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", svc.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = svc.lastAuthenticationRequest.Nonce
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (svc *service) AuthenticatePassword(username, password, scope string) (*TokenResponse, error) {
+	if scope != svc.config.Want.Scope {
+		svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, scope)
+	}
+	if username != svc.config.Want.Username {
+		svc.t.Errorf("username wants `%s` but was `%s`", svc.config.Want.Username, username)
+	}
+	if password != svc.config.Want.Password {
+		svc.t.Errorf("password wants `%s` but was `%s`", svc.config.Want.Password, password)
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (svc *service) Refresh(refreshToken string) (*TokenResponse, error) {
+	if refreshToken != svc.config.Want.RefreshToken {
+		svc.t.Errorf("refreshToken wants %s but was %s", svc.config.Want.RefreshToken, refreshToken)
+	}
+	if svc.config.Response.RefreshError != "" {
+		return nil, &ErrorResponse{Code: "invalid_request", Description: svc.config.Response.RefreshError}
+	}
+	resp := &TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: svc.config.Response.RefreshToken,
+		IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
+			claims.Issuer = svc.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
+			claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	svc.lastTokenResponse = resp
+	return resp, nil
+}
--- a/integration_test/oidcserver/service/types.go
+++ b/integration_test/oidcserver/service/types.go
@@ -1,11 +1,24 @@
-package handler
+package service

 import (
 	"fmt"
 	"net/url"
+
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 )

-// Provider provides discovery and authentication methods.
+// Service represents the test service of OpenID Connect Provider.
+// It provides the feature of Provider and additional methods for testing.
+type Service interface {
+	Provider
+
+	IssuerURL() string
+	SetConfig(config testconfig.Config)
+	LastTokenResponse() *TokenResponse
+}
+
+// Provider represents an OpenID Connect Provider.
+//
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
@@ -18,6 +31,8 @@ type Provider interface {
 	Refresh(refreshToken string) (*TokenResponse, error)
 }

+// DiscoveryResponse represents the type of:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
 type DiscoveryResponse struct {
 	Issuer                            string   `json:"issuer"`
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
@@ -34,10 +49,14 @@ type DiscoveryResponse struct {
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
 }

+// CertificatesResponse represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-5
 type CertificatesResponse struct {
 	Keys []*CertificatesResponseKey `json:"keys"`
 }

+// CertificatesResponseKey represents the type of:
+// https://datatracker.ietf.org/doc/html/rfc7517#section-4
 type CertificatesResponseKey struct {
 	Kty string `json:"kty"`
 	Alg string `json:"alg"`
@@ -47,7 +66,7 @@ type CertificatesResponseKey struct {
 	E   string `json:"e"`
 }

-// AuthenticationRequest represents a type of:
+// AuthenticationRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 type AuthenticationRequest struct {
 	RedirectURI         string
@@ -59,13 +78,15 @@ type AuthenticationRequest struct {
 	RawQuery            url.Values
 }

-// TokenRequest represents a type of:
+// TokenRequest represents the type of:
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
 type TokenRequest struct {
 	Code         string
 	CodeVerifier string
 }

+// TokenResponse represents the type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
 type TokenResponse struct {
 	AccessToken  string `json:"access_token"`
 	TokenType    string `json:"token_type"`
@@ -74,7 +95,7 @@ type TokenResponse struct {
 	IDToken      string `json:"id_token"`
 }

-// ErrorResponse represents an error response described in the following section:
+// ErrorResponse represents the error response described in the following section:
 // 5.2 Error Response
 // https://tools.ietf.org/html/rfc6749#section-5.2
 type ErrorResponse struct {
--- a/integration_test/oidcserver/testconfig/types.go
+++ b/integration_test/oidcserver/testconfig/types.go
@@ -0,0 +1,28 @@
+package testconfig
+
+import "time"
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string
+}
+
+// Config represents a configuration of the OpenID Connect provider.
+type Config struct {
+	Want     Want
+	Response Response
+}
--- a/integration_test/standalone_test.go
+++ b/integration_test/standalone_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/int128/kubelogin/integration_test/keypair"
 	"github.com/int128/kubelogin/integration_test/kubeconfig"
 	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
 	"github.com/int128/kubelogin/pkg/di"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/testing/clock"
@@ -35,7 +36,7 @@ func TestStandalone(t *testing.T) {
 			keyPair: keypair.Server,
 		},
 	} {
-		httpDriverOption := httpdriver.Option{
+		httpDriverOption := httpdriver.Config{
 			TLSConfig:    tc.keyPair.TLSConfig,
 			BodyContains: "Authenticated",
 		}
@@ -45,12 +46,12 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -74,14 +75,14 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
-					Want: oidcserver.Want{
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
+					Want: testconfig.Want{
 						Scope:             "openid",
 						RedirectURIPrefix: "http://localhost:",
 						Username:          "USER1",
 						Password:          "PASS1",
 					},
-					Response: oidcserver.Response{
+					Response: testconfig.Response{
 						IDTokenExpiry: now.Add(time.Hour),
 					},
 				})
@@ -109,19 +110,19 @@ func TestStandalone(t *testing.T) {
 				t.Parallel()
 				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 				defer cancel()
-				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				sv := oidcserver.New(t, tc.keyPair, testconfig.Config{})
 				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
 					Issuer:                  sv.IssuerURL(),
 					IDPCertificateAuthority: tc.keyPair.CACertPath,
 				})

 				t.Run("NoToken", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_1",
 						},
@@ -138,7 +139,7 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Valid", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{})
+					sv.SetConfig(testconfig.Config{})
 					runStandalone(t, ctx, standaloneConfig{
 						issuerURL:          sv.IssuerURL(),
 						kubeConfigFilename: kubeConfigFilename,
@@ -151,13 +152,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("Refresh", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_1",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(3 * time.Hour),
 							RefreshToken:  "REFRESH_TOKEN_2",
 						},
@@ -174,13 +175,13 @@ func TestStandalone(t *testing.T) {
 					})
 				})
 				t.Run("RefreshAgain", func(t *testing.T) {
-					sv.SetConfig(oidcserver.Config{
-						Want: oidcserver.Want{
+					sv.SetConfig(testconfig.Config{
+						Want: testconfig.Want{
 							Scope:             "openid",
 							RedirectURIPrefix: "http://localhost:",
 							RefreshToken:      "REFRESH_TOKEN_2",
 						},
-						Response: oidcserver.Response{
+						Response: testconfig.Response{
 							IDTokenExpiry: now.Add(5 * time.Hour),
 						},
 					})
@@ -203,12 +204,12 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.Server, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -219,7 +220,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig}),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -231,12 +232,12 @@ func TestStandalone(t *testing.T) {
 	t.Run("env_KUBECONFIG", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -246,7 +247,7 @@ func TestStandalone(t *testing.T) {
 		t.Setenv("KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:  sv.IssuerURL(),
-			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{}),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Config{}),
 			now:        now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -259,12 +260,12 @@ func TestStandalone(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
 		defer cancel()
-		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
-			Want: oidcserver.Want{
+		sv := oidcserver.New(t, keypair.None, testconfig.Config{
+			Want: testconfig.Want{
 				Scope:             "profile groups openid",
 				RedirectURIPrefix: "http://localhost:",
 			},
-			Response: oidcserver.Response{
+			Response: testconfig.Response{
 				IDTokenExpiry: now.Add(time.Hour),
 			},
 		})
@@ -275,7 +276,7 @@ func TestStandalone(t *testing.T) {
 		runStandalone(t, ctx, standaloneConfig{
 			issuerURL:          sv.IssuerURL(),
 			kubeConfigFilename: kubeConfigFilename,
-			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{}),
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Config{}),
 			now:                now,
 		})
 		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
--- a/main.go
+++ b/main.go
@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 	"os"
+	"os/signal"
+	"syscall"

 	"github.com/int128/kubelogin/pkg/di"
 )
@@ -10,5 +12,8 @@ import (
 var version = "HEAD"

 func main() {
-	os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
+	ctx := context.Background()
+	ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
+	defer stop()
+	os.Exit(di.NewCmd().Run(ctx, os.Args, version))
 }
--- a/mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mocks.go
@@ -0,0 +1,895 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package service_mock
+
+import (
+	"github.com/int128/kubelogin/integration_test/oidcserver/service"
+	"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockService creates a new instance of MockService. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockService(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockService {
+	mock := &MockService{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockService is an autogenerated mock type for the Service type
+type MockService struct {
+	mock.Mock
+}
+
+type MockService_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockService) EXPECT() *MockService_Expecter {
+	return &MockService_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function for the type MockService
+func (_mock *MockService) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = returnFunc(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockService_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockService_Expecter) AuthenticateCode(req interface{}) *MockService_AuthenticateCode_Call {
+	return &MockService_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockService_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockService_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.AuthenticationRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.AuthenticationRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) Return(code string, err error) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticateCode_Call) RunAndReturn(run func(req service.AuthenticationRequest) (string, error)) *MockService_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function for the type MockService
+func (_mock *MockService) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _mock.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return returnFunc(username, password, scope)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = returnFunc(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = returnFunc(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockService_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockService_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockService_AuthenticatePassword_Call {
+	return &MockService_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockService_AuthenticatePassword_Call) RunAndReturn(run func(username string, password string, scope string) (*service.TokenResponse, error)) *MockService_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function for the type MockService
+func (_mock *MockService) Discovery() *service.DiscoveryResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+	return r0
+}
+
+// MockService_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockService_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockService_Expecter) Discovery() *MockService_Discovery_Call {
+	return &MockService_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockService_Discovery_Call) Run(run func()) *MockService_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) Return(discoveryResponse *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(discoveryResponse)
+	return _c
+}
+
+func (_c *MockService_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockService_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function for the type MockService
+func (_mock *MockService) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = returnFunc(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockService_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockService_Expecter) Exchange(req interface{}) *MockService_Exchange_Call {
+	return &MockService_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockService_Exchange_Call) Run(run func(req service.TokenRequest)) *MockService_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.TokenRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.TokenRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_Exchange_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockService_Exchange_Call) RunAndReturn(run func(req service.TokenRequest) (*service.TokenResponse, error)) *MockService_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function for the type MockService
+func (_mock *MockService) GetCertificates() *service.CertificatesResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+	return r0
+}
+
+// MockService_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockService_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockService_Expecter) GetCertificates() *MockService_GetCertificates_Call {
+	return &MockService_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockService_GetCertificates_Call) Run(run func()) *MockService_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) Return(certificatesResponse *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(certificatesResponse)
+	return _c
+}
+
+func (_c *MockService_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockService_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IssuerURL provides a mock function for the type MockService
+func (_mock *MockService) IssuerURL() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for IssuerURL")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockService_IssuerURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerURL'
+type MockService_IssuerURL_Call struct {
+	*mock.Call
+}
+
+// IssuerURL is a helper method to define mock.On call
+func (_e *MockService_Expecter) IssuerURL() *MockService_IssuerURL_Call {
+	return &MockService_IssuerURL_Call{Call: _e.mock.On("IssuerURL")}
+}
+
+func (_c *MockService_IssuerURL_Call) Run(run func()) *MockService_IssuerURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) Return(s string) *MockService_IssuerURL_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockService_IssuerURL_Call) RunAndReturn(run func() string) *MockService_IssuerURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LastTokenResponse provides a mock function for the type MockService
+func (_mock *MockService) LastTokenResponse() *service.TokenResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for LastTokenResponse")
+	}
+
+	var r0 *service.TokenResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.TokenResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	return r0
+}
+
+// MockService_LastTokenResponse_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LastTokenResponse'
+type MockService_LastTokenResponse_Call struct {
+	*mock.Call
+}
+
+// LastTokenResponse is a helper method to define mock.On call
+func (_e *MockService_Expecter) LastTokenResponse() *MockService_LastTokenResponse_Call {
+	return &MockService_LastTokenResponse_Call{Call: _e.mock.On("LastTokenResponse")}
+}
+
+func (_c *MockService_LastTokenResponse_Call) Run(run func()) *MockService_LastTokenResponse_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) Return(tokenResponse *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(tokenResponse)
+	return _c
+}
+
+func (_c *MockService_LastTokenResponse_Call) RunAndReturn(run func() *service.TokenResponse) *MockService_LastTokenResponse_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function for the type MockService
+func (_mock *MockService) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _mock.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return returnFunc(refreshToken)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = returnFunc(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockService_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockService_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockService_Expecter) Refresh(refreshToken interface{}) *MockService_Refresh_Call {
+	return &MockService_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockService_Refresh_Call) Run(run func(refreshToken string)) *MockService_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_Refresh_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockService_Refresh_Call) RunAndReturn(run func(refreshToken string) (*service.TokenResponse, error)) *MockService_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SetConfig provides a mock function for the type MockService
+func (_mock *MockService) SetConfig(config testconfig.Config) {
+	_mock.Called(config)
+	return
+}
+
+// MockService_SetConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetConfig'
+type MockService_SetConfig_Call struct {
+	*mock.Call
+}
+
+// SetConfig is a helper method to define mock.On call
+//   - config testconfig.Config
+func (_e *MockService_Expecter) SetConfig(config interface{}) *MockService_SetConfig_Call {
+	return &MockService_SetConfig_Call{Call: _e.mock.On("SetConfig", config)}
+}
+
+func (_c *MockService_SetConfig_Call) Run(run func(config testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 testconfig.Config
+		if args[0] != nil {
+			arg0 = args[0].(testconfig.Config)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) Return() *MockService_SetConfig_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockService_SetConfig_Call) RunAndReturn(run func(config testconfig.Config)) *MockService_SetConfig_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockProvider {
+	mock := &MockProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockProvider is an autogenerated mock type for the Provider type
+type MockProvider struct {
+	mock.Mock
+}
+
+type MockProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
+	return &MockProvider_Expecter{mock: &_m.Mock}
+}
+
+// AuthenticateCode provides a mock function for the type MockProvider
+func (_mock *MockProvider) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticateCode")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
+		r0 = returnFunc(req)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
+type MockProvider_AuthenticateCode_Call struct {
+	*mock.Call
+}
+
+// AuthenticateCode is a helper method to define mock.On call
+//   - req service.AuthenticationRequest
+func (_e *MockProvider_Expecter) AuthenticateCode(req interface{}) *MockProvider_AuthenticateCode_Call {
+	return &MockProvider_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.AuthenticationRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.AuthenticationRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) Return(code string, err error) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(code, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticateCode_Call) RunAndReturn(run func(req service.AuthenticationRequest) (string, error)) *MockProvider_AuthenticateCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// AuthenticatePassword provides a mock function for the type MockProvider
+func (_mock *MockProvider) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
+	ret := _mock.Called(username, password, scope)
+
+	if len(ret) == 0 {
+		panic("no return value specified for AuthenticatePassword")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
+		return returnFunc(username, password, scope)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
+		r0 = returnFunc(username, password, scope)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string, string) error); ok {
+		r1 = returnFunc(username, password, scope)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
+type MockProvider_AuthenticatePassword_Call struct {
+	*mock.Call
+}
+
+// AuthenticatePassword is a helper method to define mock.On call
+//   - username string
+//   - password string
+//   - scope string
+func (_e *MockProvider_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockProvider_AuthenticatePassword_Call {
+	return &MockProvider_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockProvider_AuthenticatePassword_Call) RunAndReturn(run func(username string, password string, scope string) (*service.TokenResponse, error)) *MockProvider_AuthenticatePassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Discovery provides a mock function for the type MockProvider
+func (_mock *MockProvider) Discovery() *service.DiscoveryResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discovery")
+	}
+
+	var r0 *service.DiscoveryResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.DiscoveryResponse)
+		}
+	}
+	return r0
+}
+
+// MockProvider_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
+type MockProvider_Discovery_Call struct {
+	*mock.Call
+}
+
+// Discovery is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) Discovery() *MockProvider_Discovery_Call {
+	return &MockProvider_Discovery_Call{Call: _e.mock.On("Discovery")}
+}
+
+func (_c *MockProvider_Discovery_Call) Run(run func()) *MockProvider_Discovery_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) Return(discoveryResponse *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(discoveryResponse)
+	return _c
+}
+
+func (_c *MockProvider_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockProvider_Discovery_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exchange provides a mock function for the type MockProvider
+func (_mock *MockProvider) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
+	ret := _mock.Called(req)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exchange")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
+		return returnFunc(req)
+	}
+	if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
+		r0 = returnFunc(req)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
+		r1 = returnFunc(req)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
+type MockProvider_Exchange_Call struct {
+	*mock.Call
+}
+
+// Exchange is a helper method to define mock.On call
+//   - req service.TokenRequest
+func (_e *MockProvider_Expecter) Exchange(req interface{}) *MockProvider_Exchange_Call {
+	return &MockProvider_Exchange_Call{Call: _e.mock.On("Exchange", req)}
+}
+
+func (_c *MockProvider_Exchange_Call) Run(run func(req service.TokenRequest)) *MockProvider_Exchange_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 service.TokenRequest
+		if args[0] != nil {
+			arg0 = args[0].(service.TokenRequest)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_Exchange_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockProvider_Exchange_Call) RunAndReturn(run func(req service.TokenRequest) (*service.TokenResponse, error)) *MockProvider_Exchange_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCertificates provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetCertificates() *service.CertificatesResponse {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCertificates")
+	}
+
+	var r0 *service.CertificatesResponse
+	if returnFunc, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.CertificatesResponse)
+		}
+	}
+	return r0
+}
+
+// MockProvider_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
+type MockProvider_GetCertificates_Call struct {
+	*mock.Call
+}
+
+// GetCertificates is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetCertificates() *MockProvider_GetCertificates_Call {
+	return &MockProvider_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
+}
+
+func (_c *MockProvider_GetCertificates_Call) Run(run func()) *MockProvider_GetCertificates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) Return(certificatesResponse *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(certificatesResponse)
+	return _c
+}
+
+func (_c *MockProvider_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function for the type MockProvider
+func (_mock *MockProvider) Refresh(refreshToken string) (*service.TokenResponse, error) {
+	ret := _mock.Called(refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *service.TokenResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
+		return returnFunc(refreshToken)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
+		r0 = returnFunc(refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*service.TokenResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockProvider_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - refreshToken string
+func (_e *MockProvider_Expecter) Refresh(refreshToken interface{}) *MockProvider_Refresh_Call {
+	return &MockProvider_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
+}
+
+func (_c *MockProvider_Refresh_Call) Run(run func(refreshToken string)) *MockProvider_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_Refresh_Call {
+	_c.Call.Return(tokenResponse, err)
+	return _c
+}
+
+func (_c *MockProvider_Refresh_Call) RunAndReturn(run func(refreshToken string) (*service.TokenResponse, error)) *MockProvider_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/cmd_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/cmd_mock/mocks.go
@@ -1,13 +1,29 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package cmd
+package cmd_mock

 import (
-	context "context"
+	"context"

 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -21,17 +37,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Run provides a mock function with given fields: ctx, args, version
-func (_m *MockInterface) Run(ctx context.Context, args []string, version string) int {
-	ret := _m.Called(ctx, args, version)
+// Run provides a mock function for the type MockInterface
+func (_mock *MockInterface) Run(ctx context.Context, args []string, version string) int {
+	ret := _mock.Called(ctx, args, version)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Run")
+	}

 	var r0 int
-	if rf, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
-		r0 = rf(ctx, args, version)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
+		r0 = returnFunc(ctx, args, version)
 	} else {
 		r0 = ret.Get(0).(int)
 	}
-
 	return r0
 }

@@ -50,27 +69,33 @@ func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version

 func (_c *MockInterface_Run_Call) Run(run func(ctx context.Context, args []string, version string)) *MockInterface_Run_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].([]string), args[2].(string))
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 []string
+		if args[1] != nil {
+			arg1 = args[1].([]string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_Run_Call) Return(_a0 int) *MockInterface_Run_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_Run_Call) Return(n int) *MockInterface_Run_Call {
+	_c.Call.Return(n)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_Run_Call) RunAndReturn(run func(ctx context.Context, args []string, version string) int) *MockInterface_Run_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mocks.go
@@ -0,0 +1,90 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package reader_mock
+
+import (
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function for the type MockInterface
+func (_mock *MockInterface) Read() (credentialplugin.Input, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 credentialplugin.Input
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (credentialplugin.Input, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() credentialplugin.Input); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(credentialplugin.Input)
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockInterface_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Read() *MockInterface_Read_Call {
+	return &MockInterface_Read_Call{Call: _e.mock.On("Read")}
+}
+
+func (_c *MockInterface_Read_Call) Run(run func()) *MockInterface_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) Return(input credentialplugin.Input, err error) *MockInterface_Read_Call {
+	_c.Call.Return(input, err)
+	return _c
+}
+
+func (_c *MockInterface_Read_Call) RunAndReturn(run func() (credentialplugin.Input, error)) *MockInterface_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mocks.go
@@ -1,12 +1,28 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package writer
+package writer_mock

 import (
-	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -20,17 +36,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Write provides a mock function with given fields: out
-func (_m *MockInterface) Write(out credentialplugin.Output) error {
-	ret := _m.Called(out)
+// Write provides a mock function for the type MockInterface
+func (_mock *MockInterface) Write(out credentialplugin.Output) error {
+	ret := _mock.Called(out)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}

 	var r0 error
-	if rf, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
-		r0 = rf(out)
+	if returnFunc, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
+		r0 = returnFunc(out)
 	} else {
 		r0 = ret.Error(0)
 	}
-
 	return r0
 }

@@ -47,27 +66,23 @@ func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Ca

 func (_c *MockInterface_Write_Call) Run(run func(out credentialplugin.Output)) *MockInterface_Write_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(credentialplugin.Output))
+		var arg0 credentialplugin.Output
+		if args[0] != nil {
+			arg0 = args[0].(credentialplugin.Output)
+		}
+		run(
+			arg0,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_Write_Call) Return(_a0 error) *MockInterface_Write_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_Write_Call) Return(err error) *MockInterface_Write_Call {
+	_c.Call.Return(err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_Write_Call) RunAndReturn(run func(out credentialplugin.Output) error) *MockInterface_Write_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mocks.go
@@ -1,13 +1,29 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package browser
+package browser_mock

 import (
-	context "context"
+	"context"

 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -21,17 +37,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Open provides a mock function with given fields: url
-func (_m *MockInterface) Open(url string) error {
-	ret := _m.Called(url)
+// Open provides a mock function for the type MockInterface
+func (_mock *MockInterface) Open(url string) error {
+	ret := _mock.Called(url)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Open")
+	}

 	var r0 error
-	if rf, ok := ret.Get(0).(func(string) error); ok {
-		r0 = rf(url)
+	if returnFunc, ok := ret.Get(0).(func(string) error); ok {
+		r0 = returnFunc(url)
 	} else {
 		r0 = ret.Error(0)
 	}
-
 	return r0
 }

@@ -48,27 +67,41 @@ func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call

 func (_c *MockInterface_Open_Call) Run(run func(url string)) *MockInterface_Open_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_Open_Call) Return(_a0 error) *MockInterface_Open_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_Open_Call) Return(err error) *MockInterface_Open_Call {
+	_c.Call.Return(err)
 	return _c
 }

-// OpenCommand provides a mock function with given fields: ctx, url, command
-func (_m *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
-	ret := _m.Called(ctx, url, command)
+func (_c *MockInterface_Open_Call) RunAndReturn(run func(url string) error) *MockInterface_Open_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// OpenCommand provides a mock function for the type MockInterface
+func (_mock *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
+	ret := _mock.Called(ctx, url, command)
+
+	if len(ret) == 0 {
+		panic("no return value specified for OpenCommand")
+	}

 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
-		r0 = rf(ctx, url, command)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
+		r0 = returnFunc(ctx, url, command)
 	} else {
 		r0 = ret.Error(0)
 	}
-
 	return r0
 }

@@ -87,27 +120,33 @@ func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{},

 func (_c *MockInterface_OpenCommand_Call) Run(run func(ctx context.Context, url string, command string)) *MockInterface_OpenCommand_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string), args[2].(string))
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_OpenCommand_Call) Return(_a0 error) *MockInterface_OpenCommand_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_OpenCommand_Call) Return(err error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_OpenCommand_Call) RunAndReturn(run func(ctx context.Context, url string, command string) error) *MockInterface_OpenCommand_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mocks.go
@@ -1,13 +1,29 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package clock
+package clock_mock

 import (
-	time "time"
+	"time"

 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -21,17 +37,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Now provides a mock function with given fields:
-func (_m *MockInterface) Now() time.Time {
-	ret := _m.Called()
+// Now provides a mock function for the type MockInterface
+func (_mock *MockInterface) Now() time.Time {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}

 	var r0 time.Time
-	if rf, ok := ret.Get(0).(func() time.Time); ok {
-		r0 = rf()
+	if returnFunc, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = returnFunc()
 	} else {
 		r0 = ret.Get(0).(time.Time)
 	}
-
 	return r0
 }

@@ -52,22 +71,12 @@ func (_c *MockInterface_Now_Call) Run(run func()) *MockInterface_Now_Call {
 	return _c
 }

-func (_c *MockInterface_Now_Call) Return(_a0 time.Time) *MockInterface_Now_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_Now_Call) Return(time1 time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(time1)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_Now_Call) RunAndReturn(run func() time.Time) *MockInterface_Now_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mocks.go
@@ -0,0 +1,398 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package logger_mock
+
+import (
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/spf13/pflag"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// AddFlags provides a mock function for the type MockInterface
+func (_mock *MockInterface) AddFlags(f *pflag.FlagSet) {
+	_mock.Called(f)
+	return
+}
+
+// MockInterface_AddFlags_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddFlags'
+type MockInterface_AddFlags_Call struct {
+	*mock.Call
+}
+
+// AddFlags is a helper method to define mock.On call
+//   - f *pflag.FlagSet
+func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
+	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
+}
+
+func (_c *MockInterface_AddFlags_Call) Run(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *pflag.FlagSet
+		if args[0] != nil {
+			arg0 = args[0].(*pflag.FlagSet)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_AddFlags_Call) RunAndReturn(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
+	_c.Run(run)
+	return _c
+}
+
+// IsEnabled provides a mock function for the type MockInterface
+func (_mock *MockInterface) IsEnabled(level int) bool {
+	ret := _mock.Called(level)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IsEnabled")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(int) bool); ok {
+		r0 = returnFunc(level)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockInterface_IsEnabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsEnabled'
+type MockInterface_IsEnabled_Call struct {
+	*mock.Call
+}
+
+// IsEnabled is a helper method to define mock.On call
+//   - level int
+func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
+	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
+}
+
+func (_c *MockInterface_IsEnabled_Call) Run(run func(level int)) *MockInterface_IsEnabled_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) Return(b bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockInterface_IsEnabled_Call) RunAndReturn(run func(level int) bool) *MockInterface_IsEnabled_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Printf provides a mock function for the type MockInterface
+func (_mock *MockInterface) Printf(format string, args ...interface{}) {
+	if len(args) > 0 {
+		_mock.Called(format, args)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// MockInterface_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type MockInterface_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - args ...interface{}
+func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
+	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockInterface_Printf_Call) Run(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockInterface_Printf_Call) RunAndReturn(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
+	_c.Run(run)
+	return _c
+}
+
+// V provides a mock function for the type MockInterface
+func (_mock *MockInterface) V(level int) logger.Verbose {
+	ret := _mock.Called(level)
+
+	if len(ret) == 0 {
+		panic("no return value specified for V")
+	}
+
+	var r0 logger.Verbose
+	if returnFunc, ok := ret.Get(0).(func(int) logger.Verbose); ok {
+		r0 = returnFunc(level)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(logger.Verbose)
+		}
+	}
+	return r0
+}
+
+// MockInterface_V_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'V'
+type MockInterface_V_Call struct {
+	*mock.Call
+}
+
+// V is a helper method to define mock.On call
+//   - level int
+func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
+	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
+}
+
+func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 int
+		if args[0] != nil {
+			arg0 = args[0].(int)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_V_Call) Return(verbose logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(verbose)
+	return _c
+}
+
+func (_c *MockInterface_V_Call) RunAndReturn(run func(level int) logger.Verbose) *MockInterface_V_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockVerbose(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockVerbose {
+	mock := &MockVerbose{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockVerbose is an autogenerated mock type for the Verbose type
+type MockVerbose struct {
+	mock.Mock
+}
+
+type MockVerbose_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockVerbose) EXPECT() *MockVerbose_Expecter {
+	return &MockVerbose_Expecter{mock: &_m.Mock}
+}
+
+// Infof provides a mock function for the type MockVerbose
+func (_mock *MockVerbose) Infof(format string, args ...interface{}) {
+	if len(args) > 0 {
+		_mock.Called(format, args)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// MockVerbose_Infof_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Infof'
+type MockVerbose_Infof_Call struct {
+	*mock.Call
+}
+
+// Infof is a helper method to define mock.On call
+//   - format string
+//   - args ...interface{}
+func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
+	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
+		append([]interface{}{format}, args...)...)}
+}
+
+func (_c *MockVerbose_Infof_Call) Run(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockVerbose_Infof_Call) RunAndReturn(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
+	_c.Run(run)
+	return _c
+}
+
+// newMockgoLogger creates a new instance of mockgoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func newMockgoLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *mockgoLogger {
+	mock := &mockgoLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// mockgoLogger is an autogenerated mock type for the goLogger type
+type mockgoLogger struct {
+	mock.Mock
+}
+
+type mockgoLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *mockgoLogger) EXPECT() *mockgoLogger_Expecter {
+	return &mockgoLogger_Expecter{mock: &_m.Mock}
+}
+
+// Printf provides a mock function for the type mockgoLogger
+func (_mock *mockgoLogger) Printf(format string, v ...interface{}) {
+	if len(v) > 0 {
+		_mock.Called(format, v)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// mockgoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
+type mockgoLogger_Printf_Call struct {
+	*mock.Call
+}
+
+// Printf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *mockgoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockgoLogger_Printf_Call {
+	return &mockgoLogger_Printf_Call{Call: _e.mock.On("Printf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *mockgoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockgoLogger_Printf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *mockgoLogger_Printf_Call) Return() *mockgoLogger_Printf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *mockgoLogger_Printf_Call) RunAndReturn(run func(format string, v ...interface{})) *mockgoLogger_Printf_Call {
+	_c.Run(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mocks.go
@@ -1,8 +1,26 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package reader
+package reader_mock

-import mock "github.com/stretchr/testify/mock"
+import (
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
@@ -17,24 +35,29 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// ReadPassword provides a mock function with given fields: prompt
-func (_m *MockInterface) ReadPassword(prompt string) (string, error) {
-	ret := _m.Called(prompt)
+// ReadPassword provides a mock function for the type MockInterface
+func (_mock *MockInterface) ReadPassword(prompt string) (string, error) {
+	ret := _mock.Called(prompt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReadPassword")
+	}

 	var r0 string
-	if rf, ok := ret.Get(0).(func(string) string); ok {
-		r0 = rf(prompt)
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return returnFunc(prompt)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) string); ok {
+		r0 = returnFunc(prompt)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(string) error); ok {
-		r1 = rf(prompt)
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(prompt)
 	} else {
 		r1 = ret.Error(1)
 	}
-
 	return r0, r1
 }

@@ -51,34 +74,50 @@ func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterfac

 func (_c *MockInterface_ReadPassword_Call) Run(run func(prompt string)) *MockInterface_ReadPassword_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_ReadPassword_Call) Return(_a0 string, _a1 error) *MockInterface_ReadPassword_Call {
-	_c.Call.Return(_a0, _a1)
+func (_c *MockInterface_ReadPassword_Call) Return(s string, err error) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(s, err)
 	return _c
 }

-// ReadString provides a mock function with given fields: prompt
-func (_m *MockInterface) ReadString(prompt string) (string, error) {
-	ret := _m.Called(prompt)
+func (_c *MockInterface_ReadPassword_Call) RunAndReturn(run func(prompt string) (string, error)) *MockInterface_ReadPassword_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ReadString provides a mock function for the type MockInterface
+func (_mock *MockInterface) ReadString(prompt string) (string, error) {
+	ret := _mock.Called(prompt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReadString")
+	}

 	var r0 string
-	if rf, ok := ret.Get(0).(func(string) string); ok {
-		r0 = rf(prompt)
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (string, error)); ok {
+		return returnFunc(prompt)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) string); ok {
+		r0 = returnFunc(prompt)
 	} else {
 		r0 = ret.Get(0).(string)
 	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(string) error); ok {
-		r1 = rf(prompt)
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(prompt)
 	} else {
 		r1 = ret.Error(1)
 	}
-
 	return r0, r1
 }

@@ -95,27 +134,23 @@ func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_

 func (_c *MockInterface_ReadString_Call) Run(run func(prompt string)) *MockInterface_ReadString_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_ReadString_Call) Return(_a0 string, _a1 error) *MockInterface_ReadString_Call {
-	_c.Call.Return(_a0, _a1)
+func (_c *MockInterface_ReadString_Call) Return(s string, err error) *MockInterface_ReadString_Call {
+	_c.Call.Return(s, err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_ReadString_Call) RunAndReturn(run func(prompt string) (string, error)) *MockInterface_ReadString_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mocks.go
@@ -0,0 +1,183 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package stdio_mock
+
+import (
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockStdout creates a new instance of MockStdout. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdout(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdout {
+	mock := &MockStdout{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockStdout is an autogenerated mock type for the Stdout type
+type MockStdout struct {
+	mock.Mock
+}
+
+type MockStdout_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdout) EXPECT() *MockStdout_Expecter {
+	return &MockStdout_Expecter{mock: &_m.Mock}
+}
+
+// Write provides a mock function for the type MockStdout
+func (_mock *MockStdout) Write(p []byte) (int, error) {
+	ret := _mock.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Write")
+	}
+
+	var r0 int
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return returnFunc(p)
+	}
+	if returnFunc, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = returnFunc(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+	if returnFunc, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = returnFunc(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockStdout_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
+type MockStdout_Write_Call struct {
+	*mock.Call
+}
+
+// Write is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdout_Expecter) Write(p interface{}) *MockStdout_Write_Call {
+	return &MockStdout_Write_Call{Call: _e.mock.On("Write", p)}
+}
+
+func (_c *MockStdout_Write_Call) Run(run func(p []byte)) *MockStdout_Write_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 []byte
+		if args[0] != nil {
+			arg0 = args[0].([]byte)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) Return(n int, err error) *MockStdout_Write_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdout_Write_Call) RunAndReturn(run func(p []byte) (int, error)) *MockStdout_Write_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockStdin creates a new instance of MockStdin. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockStdin(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockStdin {
+	mock := &MockStdin{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockStdin is an autogenerated mock type for the Stdin type
+type MockStdin struct {
+	mock.Mock
+}
+
+type MockStdin_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockStdin) EXPECT() *MockStdin_Expecter {
+	return &MockStdin_Expecter{mock: &_m.Mock}
+}
+
+// Read provides a mock function for the type MockStdin
+func (_mock *MockStdin) Read(p []byte) (int, error) {
+	ret := _mock.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Read")
+	}
+
+	var r0 int
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func([]byte) (int, error)); ok {
+		return returnFunc(p)
+	}
+	if returnFunc, ok := ret.Get(0).(func([]byte) int); ok {
+		r0 = returnFunc(p)
+	} else {
+		r0 = ret.Get(0).(int)
+	}
+	if returnFunc, ok := ret.Get(1).(func([]byte) error); ok {
+		r1 = returnFunc(p)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockStdin_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
+type MockStdin_Read_Call struct {
+	*mock.Call
+}
+
+// Read is a helper method to define mock.On call
+//   - p []byte
+func (_e *MockStdin_Expecter) Read(p interface{}) *MockStdin_Read_Call {
+	return &MockStdin_Read_Call{Call: _e.mock.On("Read", p)}
+}
+
+func (_c *MockStdin_Read_Call) Run(run func(p []byte)) *MockStdin_Read_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 []byte
+		if args[0] != nil {
+			arg0 = args[0].([]byte)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) Return(n int, err error) *MockStdin_Read_Call {
+	_c.Call.Return(n, err)
+	return _c
+}
+
+func (_c *MockStdin_Read_Call) RunAndReturn(run func(p []byte) (int, error)) *MockStdin_Read_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/jwt_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/jwt_mock/mocks.go
@@ -1,13 +1,29 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package jwt
+package jwt_mock

 import (
-	time "time"
+	"time"

 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockClock(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockClock {
+	mock := &MockClock{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockClock is an autogenerated mock type for the Clock type
 type MockClock struct {
 	mock.Mock
@@ -21,17 +37,20 @@ func (_m *MockClock) EXPECT() *MockClock_Expecter {
 	return &MockClock_Expecter{mock: &_m.Mock}
 }

-// Now provides a mock function with given fields:
-func (_m *MockClock) Now() time.Time {
-	ret := _m.Called()
+// Now provides a mock function for the type MockClock
+func (_mock *MockClock) Now() time.Time {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Now")
+	}

 	var r0 time.Time
-	if rf, ok := ret.Get(0).(func() time.Time); ok {
-		r0 = rf()
+	if returnFunc, ok := ret.Get(0).(func() time.Time); ok {
+		r0 = returnFunc()
 	} else {
 		r0 = ret.Get(0).(time.Time)
 	}
-
 	return r0
 }

@@ -52,22 +71,12 @@ func (_c *MockClock_Now_Call) Run(run func()) *MockClock_Now_Call {
 	return _c
 }

-func (_c *MockClock_Now_Call) Return(_a0 time.Time) *MockClock_Now_Call {
-	_c.Call.Return(_a0)
+func (_c *MockClock_Now_Call) Return(time1 time.Time) *MockClock_Now_Call {
+	_c.Call.Return(time1)
 	return _c
 }

-type mockConstructorTestingTNewMockClock interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockClock(t mockConstructorTestingTNewMockClock) *MockClock {
-	mock := &MockClock{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockClock_Now_Call) RunAndReturn(run func() time.Time) *MockClock_Now_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mocks.go
@@ -0,0 +1,111 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package loader_mock
+
+import (
+	"github.com/int128/kubelogin/pkg/kubeconfig"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// GetCurrentAuthProvider provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
+	ret := _mock.Called(explicitFilename, contextName, userName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCurrentAuthProvider")
+	}
+
+	var r0 *kubeconfig.AuthProvider
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)); ok {
+		return returnFunc(explicitFilename, contextName, userName)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
+		r0 = returnFunc(explicitFilename, contextName, userName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*kubeconfig.AuthProvider)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
+		r1 = returnFunc(explicitFilename, contextName, userName)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetCurrentAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCurrentAuthProvider'
+type MockInterface_GetCurrentAuthProvider_Call struct {
+	*mock.Call
+}
+
+// GetCurrentAuthProvider is a helper method to define mock.On call
+//   - explicitFilename string
+//   - contextName kubeconfig.ContextName
+//   - userName kubeconfig.UserName
+func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
+	return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) Run(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 kubeconfig.ContextName
+		if args[1] != nil {
+			arg1 = args[1].(kubeconfig.ContextName)
+		}
+		var arg2 kubeconfig.UserName
+		if args[2] != nil {
+			arg2 = args[2].(kubeconfig.UserName)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(authProvider *kubeconfig.AuthProvider, err error) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(authProvider, err)
+	return _c
+}
+
+func (_c *MockInterface_GetCurrentAuthProvider_Call) RunAndReturn(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)) *MockInterface_GetCurrentAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mocks.go
@@ -1,12 +1,28 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package writer
+package writer_mock

 import (
-	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -20,17 +36,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// UpdateAuthProvider provides a mock function with given fields: p
-func (_m *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
-	ret := _m.Called(p)
+// UpdateAuthProvider provides a mock function for the type MockInterface
+func (_mock *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
+	ret := _mock.Called(p)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateAuthProvider")
+	}

 	var r0 error
-	if rf, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
-		r0 = rf(p)
+	if returnFunc, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
+		r0 = returnFunc(p)
 	} else {
 		r0 = ret.Error(0)
 	}
-
 	return r0
 }

@@ -47,27 +66,23 @@ func (_e *MockInterface_Expecter) UpdateAuthProvider(p interface{}) *MockInterfa

 func (_c *MockInterface_UpdateAuthProvider_Call) Run(run func(p kubeconfig.AuthProvider)) *MockInterface_UpdateAuthProvider_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(kubeconfig.AuthProvider))
+		var arg0 kubeconfig.AuthProvider
+		if args[0] != nil {
+			arg0 = args[0].(kubeconfig.AuthProvider)
+		}
+		run(
+			arg0,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_UpdateAuthProvider_Call) Return(_a0 error) *MockInterface_UpdateAuthProvider_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_UpdateAuthProvider_Call) Return(err error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_UpdateAuthProvider_Call) RunAndReturn(run func(p kubeconfig.AuthProvider) error) *MockInterface_UpdateAuthProvider_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mocks.go
@@ -0,0 +1,721 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package client_mock
+
+import (
+	"context"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/oauth2dev"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ExchangeAuthCode provides a mock function for the type MockInterface
+func (_mock *MockInterface) ExchangeAuthCode(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)); ok {
+		return returnFunc(ctx, in)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) *oidc.TokenSet); ok {
+		r0 = returnFunc(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, client.ExchangeAuthCodeInput) error); ok {
+		r1 = returnFunc(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
+type MockInterface_ExchangeAuthCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.ExchangeAuthCodeInput
+func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
+	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in client.ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 client.ExchangeAuthCodeInput
+		if args[1] != nil {
+			arg1 = args[1].(client.ExchangeAuthCodeInput)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeAuthCode_Call) RunAndReturn(run func(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)) *MockInterface_ExchangeAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ExchangeDeviceCode provides a mock function for the type MockInterface
+func (_mock *MockInterface) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ret := _mock.Called(ctx, authResponse)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ExchangeDeviceCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)); ok {
+		return returnFunc(ctx, authResponse)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) *oidc.TokenSet); ok {
+		r0 = returnFunc(ctx, authResponse)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *oauth2dev.AuthorizationResponse) error); ok {
+		r1 = returnFunc(ctx, authResponse)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ExchangeDeviceCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeDeviceCode'
+type MockInterface_ExchangeDeviceCode_Call struct {
+	*mock.Call
+}
+
+// ExchangeDeviceCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - authResponse *oauth2dev.AuthorizationResponse
+func (_e *MockInterface_Expecter) ExchangeDeviceCode(ctx interface{}, authResponse interface{}) *MockInterface_ExchangeDeviceCode_Call {
+	return &MockInterface_ExchangeDeviceCode_Call{Call: _e.mock.On("ExchangeDeviceCode", ctx, authResponse)}
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Run(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *oauth2dev.AuthorizationResponse
+		if args[1] != nil {
+			arg1 = args[1].(*oauth2dev.AuthorizationResponse)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_ExchangeDeviceCode_Call) RunAndReturn(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)) *MockInterface_ExchangeDeviceCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAuthCodeURL provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetAuthCodeURL(in client.AuthCodeURLInput) string {
+	ret := _mock.Called(in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAuthCodeURL")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func(client.AuthCodeURLInput) string); ok {
+		r0 = returnFunc(in)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
+type MockInterface_GetAuthCodeURL_Call struct {
+	*mock.Call
+}
+
+// GetAuthCodeURL is a helper method to define mock.On call
+//   - in client.AuthCodeURLInput
+func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
+	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in client.AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 client.AuthCodeURLInput
+		if args[0] != nil {
+			arg0 = args[0].(client.AuthCodeURLInput)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) Return(s string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockInterface_GetAuthCodeURL_Call) RunAndReturn(run func(in client.AuthCodeURLInput) string) *MockInterface_GetAuthCodeURL_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDeviceAuthorization provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDeviceAuthorization")
+	}
+
+	var r0 *oauth2dev.AuthorizationResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (*oauth2dev.AuthorizationResponse, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *oauth2dev.AuthorizationResponse); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oauth2dev.AuthorizationResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetDeviceAuthorization_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDeviceAuthorization'
+type MockInterface_GetDeviceAuthorization_Call struct {
+	*mock.Call
+}
+
+// GetDeviceAuthorization is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockInterface_Expecter) GetDeviceAuthorization(ctx interface{}) *MockInterface_GetDeviceAuthorization_Call {
+	return &MockInterface_GetDeviceAuthorization_Call{Call: _e.mock.On("GetDeviceAuthorization", ctx)}
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Run(run func(ctx context.Context)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) Return(authorizationResponse *oauth2dev.AuthorizationResponse, err error) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(authorizationResponse, err)
+	return _c
+}
+
+func (_c *MockInterface_GetDeviceAuthorization_Call) RunAndReturn(run func(ctx context.Context) (*oauth2dev.AuthorizationResponse, error)) *MockInterface_GetDeviceAuthorization_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByAuthCode provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetTokenByAuthCode(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ret := _mock.Called(ctx, in, localServerReadyChan)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByAuthCode")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)); ok {
+		return returnFunc(ctx, in, localServerReadyChan)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
+		r0 = returnFunc(ctx, in, localServerReadyChan)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) error); ok {
+		r1 = returnFunc(ctx, in, localServerReadyChan)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
+type MockInterface_GetTokenByAuthCode_Call struct {
+	*mock.Call
+}
+
+// GetTokenByAuthCode is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.GetTokenByAuthCodeInput
+//   - localServerReadyChan chan<- string
+func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
+	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 client.GetTokenByAuthCodeInput
+		if args[1] != nil {
+			arg1 = args[1].(client.GetTokenByAuthCodeInput)
+		}
+		var arg2 chan<- string
+		if args[2] != nil {
+			arg2 = args[2].(chan<- string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByAuthCode_Call) RunAndReturn(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByAuthCode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByClientCredentials provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetTokenByClientCredentials(ctx context.Context, in client.GetTokenByClientCredentialsInput) (*oidc.TokenSet, error) {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByClientCredentials")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByClientCredentialsInput) (*oidc.TokenSet, error)); ok {
+		return returnFunc(ctx, in)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByClientCredentialsInput) *oidc.TokenSet); ok {
+		r0 = returnFunc(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, client.GetTokenByClientCredentialsInput) error); ok {
+		r1 = returnFunc(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetTokenByClientCredentials_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByClientCredentials'
+type MockInterface_GetTokenByClientCredentials_Call struct {
+	*mock.Call
+}
+
+// GetTokenByClientCredentials is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in client.GetTokenByClientCredentialsInput
+func (_e *MockInterface_Expecter) GetTokenByClientCredentials(ctx interface{}, in interface{}) *MockInterface_GetTokenByClientCredentials_Call {
+	return &MockInterface_GetTokenByClientCredentials_Call{Call: _e.mock.On("GetTokenByClientCredentials", ctx, in)}
+}
+
+func (_c *MockInterface_GetTokenByClientCredentials_Call) Run(run func(ctx context.Context, in client.GetTokenByClientCredentialsInput)) *MockInterface_GetTokenByClientCredentials_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 client.GetTokenByClientCredentialsInput
+		if args[1] != nil {
+			arg1 = args[1].(client.GetTokenByClientCredentialsInput)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByClientCredentials_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_GetTokenByClientCredentials_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByClientCredentials_Call) RunAndReturn(run func(ctx context.Context, in client.GetTokenByClientCredentialsInput) (*oidc.TokenSet, error)) *MockInterface_GetTokenByClientCredentials_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTokenByROPC provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
+	ret := _mock.Called(ctx, username, password)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTokenByROPC")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) (*oidc.TokenSet, error)); ok {
+		return returnFunc(ctx, username, password)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
+		r0 = returnFunc(ctx, username, password)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = returnFunc(ctx, username, password)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
+type MockInterface_GetTokenByROPC_Call struct {
+	*mock.Call
+}
+
+// GetTokenByROPC is a helper method to define mock.On call
+//   - ctx context.Context
+//   - username string
+//   - password string
+func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
+	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_GetTokenByROPC_Call) RunAndReturn(run func(ctx context.Context, username string, password string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByROPC_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NegotiatedPKCEMethod provides a mock function for the type MockInterface
+func (_mock *MockInterface) NegotiatedPKCEMethod() pkce.Method {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for NegotiatedPKCEMethod")
+	}
+
+	var r0 pkce.Method
+	if returnFunc, ok := ret.Get(0).(func() pkce.Method); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(pkce.Method)
+	}
+	return r0
+}
+
+// MockInterface_NegotiatedPKCEMethod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NegotiatedPKCEMethod'
+type MockInterface_NegotiatedPKCEMethod_Call struct {
+	*mock.Call
+}
+
+// NegotiatedPKCEMethod is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) NegotiatedPKCEMethod() *MockInterface_NegotiatedPKCEMethod_Call {
+	return &MockInterface_NegotiatedPKCEMethod_Call{Call: _e.mock.On("NegotiatedPKCEMethod")}
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) Run(run func()) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) Return(method pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Return(method)
+	return _c
+}
+
+func (_c *MockInterface_NegotiatedPKCEMethod_Call) RunAndReturn(run func() pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Refresh provides a mock function for the type MockInterface
+func (_mock *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
+	ret := _mock.Called(ctx, refreshToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Refresh")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) (*oidc.TokenSet, error)); ok {
+		return returnFunc(ctx, refreshToken)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
+		r0 = returnFunc(ctx, refreshToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = returnFunc(ctx, refreshToken)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
+type MockInterface_Refresh_Call struct {
+	*mock.Call
+}
+
+// Refresh is a helper method to define mock.On call
+//   - ctx context.Context
+//   - refreshToken string
+func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
+	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
+}
+
+func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_Refresh_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_Refresh_Call) RunAndReturn(run func(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)) *MockInterface_Refresh_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockFactoryInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFactoryInterface {
+	mock := &MockFactoryInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockFactoryInterface is an autogenerated mock type for the FactoryInterface type
+type MockFactoryInterface struct {
+	mock.Mock
+}
+
+type MockFactoryInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
+	return &MockFactoryInterface_Expecter{mock: &_m.Mock}
+}
+
+// New provides a mock function for the type MockFactoryInterface
+func (_mock *MockFactoryInterface) New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error) {
+	ret := _mock.Called(ctx, prov, tlsClientConfig)
+
+	if len(ret) == 0 {
+		panic("no return value specified for New")
+	}
+
+	var r0 client.Interface
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)); ok {
+		return returnFunc(ctx, prov, tlsClientConfig)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) client.Interface); ok {
+		r0 = returnFunc(ctx, prov, tlsClientConfig)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(client.Interface)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
+		r1 = returnFunc(ctx, prov, tlsClientConfig)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockFactoryInterface_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
+type MockFactoryInterface_New_Call struct {
+	*mock.Call
+}
+
+// New is a helper method to define mock.On call
+//   - ctx context.Context
+//   - prov oidc.Provider
+//   - tlsClientConfig tlsclientconfig.Config
+func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, prov interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
+	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, prov, tlsClientConfig)}
+}
+
+func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 oidc.Provider
+		if args[1] != nil {
+			arg1 = args[1].(oidc.Provider)
+		}
+		var arg2 tlsclientconfig.Config
+		if args[2] != nil {
+			arg2 = args[2].(tlsclientconfig.Config)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockFactoryInterface_New_Call) Return(interfaceParam client.Interface, err error) *MockFactoryInterface_New_Call {
+	_c.Call.Return(interfaceParam, err)
+	return _c
+}
+
+func (_c *MockFactoryInterface_New_Call) RunAndReturn(run func(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error)) *MockFactoryInterface_New_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mocks.go
@@ -0,0 +1,90 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package logger_mock
+
+import (
+	mock "github.com/stretchr/testify/mock"
+)
+
+// newMocktestingLogger creates a new instance of mocktestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func newMocktestingLogger(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *mocktestingLogger {
+	mock := &mocktestingLogger{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// mocktestingLogger is an autogenerated mock type for the testingLogger type
+type mocktestingLogger struct {
+	mock.Mock
+}
+
+type mocktestingLogger_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *mocktestingLogger) EXPECT() *mocktestingLogger_Expecter {
+	return &mocktestingLogger_Expecter{mock: &_m.Mock}
+}
+
+// Logf provides a mock function for the type mocktestingLogger
+func (_mock *mocktestingLogger) Logf(format string, v ...interface{}) {
+	if len(v) > 0 {
+		_mock.Called(format, v)
+	} else {
+		_mock.Called(format)
+	}
+
+	return
+}
+
+// mocktestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
+type mocktestingLogger_Logf_Call struct {
+	*mock.Call
+}
+
+// Logf is a helper method to define mock.On call
+//   - format string
+//   - v ...interface{}
+func (_e *mocktestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *mocktestingLogger_Logf_Call {
+	return &mocktestingLogger_Logf_Call{Call: _e.mock.On("Logf",
+		append([]interface{}{format}, v...)...)}
+}
+
+func (_c *mocktestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *mocktestingLogger_Logf_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 []interface{}
+		var variadicArgs []interface{}
+		if len(args) > 1 {
+			variadicArgs = args[1].([]interface{})
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *mocktestingLogger_Logf_Call) Return() *mocktestingLogger_Logf_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *mocktestingLogger_Logf_Call) RunAndReturn(run func(format string, v ...interface{})) *mocktestingLogger_Logf_Call {
+	_c.Run(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mocks.go
@@ -1,15 +1,30 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package loader
+package loader_mock

 import (
-	tls "crypto/tls"
+	"crypto/tls"

+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	mock "github.com/stretchr/testify/mock"
-
-	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -23,26 +38,31 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Load provides a mock function with given fields: config
-func (_m *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error) {
-	ret := _m.Called(config)
+// Load provides a mock function for the type MockInterface
+func (_mock *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error) {
+	ret := _mock.Called(config)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Load")
+	}

 	var r0 *tls.Config
-	if rf, ok := ret.Get(0).(func(tlsclientconfig.Config) *tls.Config); ok {
-		r0 = rf(config)
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(tlsclientconfig.Config) (*tls.Config, error)); ok {
+		return returnFunc(config)
+	}
+	if returnFunc, ok := ret.Get(0).(func(tlsclientconfig.Config) *tls.Config); ok {
+		r0 = returnFunc(config)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*tls.Config)
 		}
 	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(tlsclientconfig.Config) error); ok {
-		r1 = rf(config)
+	if returnFunc, ok := ret.Get(1).(func(tlsclientconfig.Config) error); ok {
+		r1 = returnFunc(config)
 	} else {
 		r1 = ret.Error(1)
 	}
-
 	return r0, r1
 }

@@ -59,27 +79,23 @@ func (_e *MockInterface_Expecter) Load(config interface{}) *MockInterface_Load_C

 func (_c *MockInterface_Load_Call) Run(run func(config tlsclientconfig.Config)) *MockInterface_Load_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(tlsclientconfig.Config))
+		var arg0 tlsclientconfig.Config
+		if args[0] != nil {
+			arg0 = args[0].(tlsclientconfig.Config)
+		}
+		run(
+			arg0,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_Load_Call) Return(_a0 *tls.Config, _a1 error) *MockInterface_Load_Call {
-	_c.Call.Return(_a0, _a1)
+func (_c *MockInterface_Load_Call) Return(config1 *tls.Config, err error) *MockInterface_Load_Call {
+	_c.Call.Return(config1, err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_Load_Call) RunAndReturn(run func(config tlsclientconfig.Config) (*tls.Config, error)) *MockInterface_Load_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mocks.go
@@ -0,0 +1,290 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package repository_mock
+
+import (
+	"io"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tokencache"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// DeleteAll provides a mock function for the type MockInterface
+func (_mock *MockInterface) DeleteAll(config tokencache.Config) error {
+	ret := _mock.Called(config)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteAll")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(tokencache.Config) error); ok {
+		r0 = returnFunc(config)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_DeleteAll_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAll'
+type MockInterface_DeleteAll_Call struct {
+	*mock.Call
+}
+
+// DeleteAll is a helper method to define mock.On call
+//   - config tokencache.Config
+func (_e *MockInterface_Expecter) DeleteAll(config interface{}) *MockInterface_DeleteAll_Call {
+	return &MockInterface_DeleteAll_Call{Call: _e.mock.On("DeleteAll", config)}
+}
+
+func (_c *MockInterface_DeleteAll_Call) Run(run func(config tokencache.Config)) *MockInterface_DeleteAll_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 tokencache.Config
+		if args[0] != nil {
+			arg0 = args[0].(tokencache.Config)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_DeleteAll_Call) Return(err error) *MockInterface_DeleteAll_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_DeleteAll_Call) RunAndReturn(run func(config tokencache.Config) error) *MockInterface_DeleteAll_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// FindByKey provides a mock function for the type MockInterface
+func (_mock *MockInterface) FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error) {
+	ret := _mock.Called(config, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for FindByKey")
+	}
+
+	var r0 *oidc.TokenSet
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (*oidc.TokenSet, error)); ok {
+		return returnFunc(config, key)
+	}
+	if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) *oidc.TokenSet); ok {
+		r0 = returnFunc(config, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*oidc.TokenSet)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
+		r1 = returnFunc(config, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_FindByKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindByKey'
+type MockInterface_FindByKey_Call struct {
+	*mock.Call
+}
+
+// FindByKey is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) FindByKey(config interface{}, key interface{}) *MockInterface_FindByKey_Call {
+	return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", config, key)}
+}
+
+func (_c *MockInterface_FindByKey_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_FindByKey_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 tokencache.Config
+		if args[0] != nil {
+			arg0 = args[0].(tokencache.Config)
+		}
+		var arg1 tokencache.Key
+		if args[1] != nil {
+			arg1 = args[1].(tokencache.Key)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_FindByKey_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_FindByKey_Call {
+	_c.Call.Return(tokenSet, err)
+	return _c
+}
+
+func (_c *MockInterface_FindByKey_Call) RunAndReturn(run func(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error)) *MockInterface_FindByKey_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Lock provides a mock function for the type MockInterface
+func (_mock *MockInterface) Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error) {
+	ret := _mock.Called(config, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Lock")
+	}
+
+	var r0 io.Closer
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (io.Closer, error)); ok {
+		return returnFunc(config, key)
+	}
+	if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) io.Closer); ok {
+		r0 = returnFunc(config, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(io.Closer)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
+		r1 = returnFunc(config, key)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_Lock_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Lock'
+type MockInterface_Lock_Call struct {
+	*mock.Call
+}
+
+// Lock is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+func (_e *MockInterface_Expecter) Lock(config interface{}, key interface{}) *MockInterface_Lock_Call {
+	return &MockInterface_Lock_Call{Call: _e.mock.On("Lock", config, key)}
+}
+
+func (_c *MockInterface_Lock_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_Lock_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 tokencache.Config
+		if args[0] != nil {
+			arg0 = args[0].(tokencache.Config)
+		}
+		var arg1 tokencache.Key
+		if args[1] != nil {
+			arg1 = args[1].(tokencache.Key)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) Return(closer io.Closer, err error) *MockInterface_Lock_Call {
+	_c.Call.Return(closer, err)
+	return _c
+}
+
+func (_c *MockInterface_Lock_Call) RunAndReturn(run func(config tokencache.Config, key tokencache.Key) (io.Closer, error)) *MockInterface_Lock_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Save provides a mock function for the type MockInterface
+func (_mock *MockInterface) Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error {
+	ret := _mock.Called(config, key, tokenSet)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Save")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key, oidc.TokenSet) error); ok {
+		r0 = returnFunc(config, key, tokenSet)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_Save_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Save'
+type MockInterface_Save_Call struct {
+	*mock.Call
+}
+
+// Save is a helper method to define mock.On call
+//   - config tokencache.Config
+//   - key tokencache.Key
+//   - tokenSet oidc.TokenSet
+func (_e *MockInterface_Expecter) Save(config interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
+	return &MockInterface_Save_Call{Call: _e.mock.On("Save", config, key, tokenSet)}
+}
+
+func (_c *MockInterface_Save_Call) Run(run func(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet)) *MockInterface_Save_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 tokencache.Config
+		if args[0] != nil {
+			arg0 = args[0].(tokencache.Config)
+		}
+		var arg1 tokencache.Key
+		if args[1] != nil {
+			arg1 = args[1].(tokencache.Key)
+		}
+		var arg2 oidc.TokenSet
+		if args[2] != nil {
+			arg2 = args[2].(oidc.TokenSet)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Save_Call) Return(err error) *MockInterface_Save_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_Save_Call) RunAndReturn(run func(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error) *MockInterface_Save_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mocks.go
@@ -0,0 +1,107 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package authentication_mock
+
+import (
+	"context"
+
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function for the type MockInterface
+func (_mock *MockInterface) Do(ctx context.Context, in authentication.Input) (*authentication.Output, error) {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 *authentication.Output
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authentication.Input) (*authentication.Output, error)); ok {
+		return returnFunc(ctx, in)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, authentication.Input) *authentication.Output); ok {
+		r0 = returnFunc(ctx, in)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*authentication.Output)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, authentication.Input) error); ok {
+		r1 = returnFunc(ctx, in)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in authentication.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in authentication.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 authentication.Input
+		if args[1] != nil {
+			arg1 = args[1].(authentication.Input)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(output *authentication.Output, err error) *MockInterface_Do_Call {
+	_c.Call.Return(output, err)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in authentication.Input) (*authentication.Output, error)) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/usecases/clean_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/usecases/clean_mock/mocks.go
@@ -1,13 +1,30 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package credentialplugin
+package clean_mock

 import (
-	context "context"
+	"context"

+	"github.com/int128/kubelogin/pkg/usecases/clean"
 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -21,17 +38,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) error {
-	ret := _m.Called(ctx, in)
+// Do provides a mock function for the type MockInterface
+func (_mock *MockInterface) Do(ctx context.Context, in clean.Input) error {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}

 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Input) error); ok {
-		r0 = rf(ctx, in)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, clean.Input) error); ok {
+		r0 = returnFunc(ctx, in)
 	} else {
 		r0 = ret.Error(0)
 	}
-
 	return r0
 }

@@ -42,34 +62,35 @@ type MockInterface_Do_Call struct {

 // Do is a helper method to define mock.On call
 //   - ctx context.Context
-//   - in Input
+//   - in clean.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }

-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in clean.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 clean.Input
+		if args[1] != nil {
+			arg1 = args[1].(clean.Input)
+		}
+		run(
+			arg0,
+			arg1,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
+	_c.Call.Return(err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in clean.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mocks.go
@@ -0,0 +1,96 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package credentialplugin_mock
+
+import (
+	"context"
+
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function for the type MockInterface
+func (_mock *MockInterface) Do(ctx context.Context, in credentialplugin.Input) error {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, credentialplugin.Input) error); ok {
+		r0 = returnFunc(ctx, in)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in credentialplugin.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in credentialplugin.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 credentialplugin.Input
+		if args[1] != nil {
+			arg1 = args[1].(credentialplugin.Input)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in credentialplugin.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mocks.go
@@ -1,13 +1,30 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify

-package standalone
+package setup_mock

 import (
-	context "context"
+	"context"

+	"github.com/int128/kubelogin/pkg/usecases/setup"
 	mock "github.com/stretchr/testify/mock"
 )

+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockInterface is an autogenerated mock type for the Interface type
 type MockInterface struct {
 	mock.Mock
@@ -21,17 +38,20 @@ func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
 	return &MockInterface_Expecter{mock: &_m.Mock}
 }

-// Do provides a mock function with given fields: ctx, in
-func (_m *MockInterface) Do(ctx context.Context, in Input) error {
-	ret := _m.Called(ctx, in)
+// Do provides a mock function for the type MockInterface
+func (_mock *MockInterface) Do(ctx context.Context, in setup.Input) error {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}

 	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, Input) error); ok {
-		r0 = rf(ctx, in)
+	if returnFunc, ok := ret.Get(0).(func(context.Context, setup.Input) error); ok {
+		r0 = returnFunc(ctx, in)
 	} else {
 		r0 = ret.Error(0)
 	}
-
 	return r0
 }

@@ -42,34 +62,35 @@ type MockInterface_Do_Call struct {

 // Do is a helper method to define mock.On call
 //   - ctx context.Context
-//   - in Input
+//   - in setup.Input
 func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
 	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
 }

-func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in Input)) *MockInterface_Do_Call {
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in setup.Input)) *MockInterface_Do_Call {
 	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(Input))
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 setup.Input
+		if args[1] != nil {
+			arg1 = args[1].(setup.Input)
+		}
+		run(
+			arg0,
+			arg1,
+		)
 	})
 	return _c
 }

-func (_c *MockInterface_Do_Call) Return(_a0 error) *MockInterface_Do_Call {
-	_c.Call.Return(_a0)
+func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
+	_c.Call.Return(err)
 	return _c
 }

-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in setup.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
 }
--- a/mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mocks.go
+++ b/mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mocks.go
@@ -0,0 +1,96 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package standalone_mock
+
+import (
+	"context"
+
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// Do provides a mock function for the type MockInterface
+func (_mock *MockInterface) Do(ctx context.Context, in standalone.Input) error {
+	ret := _mock.Called(ctx, in)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Do")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, standalone.Input) error); ok {
+		r0 = returnFunc(ctx, in)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
+type MockInterface_Do_Call struct {
+	*mock.Call
+}
+
+// Do is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in standalone.Input
+func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
+	return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
+}
+
+func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in standalone.Input)) *MockInterface_Do_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 standalone.Input
+		if args[1] != nil {
+			arg1 = args[1].(standalone.Input)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in standalone.Input) error) *MockInterface_Do_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/mocks/io_mock/mocks.go
+++ b/mocks/io_mock/mocks.go
@@ -0,0 +1,80 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package io_mock
+
+import (
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockCloser creates a new instance of MockCloser. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCloser(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockCloser {
+	mock := &MockCloser{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockCloser is an autogenerated mock type for the Closer type
+type MockCloser struct {
+	mock.Mock
+}
+
+type MockCloser_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCloser) EXPECT() *MockCloser_Expecter {
+	return &MockCloser_Expecter{mock: &_m.Mock}
+}
+
+// Close provides a mock function for the type MockCloser
+func (_mock *MockCloser) Close() error {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Close")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func() error); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCloser_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
+type MockCloser_Close_Call struct {
+	*mock.Call
+}
+
+// Close is a helper method to define mock.On call
+func (_e *MockCloser_Expecter) Close() *MockCloser_Close_Call {
+	return &MockCloser_Close_Call{Call: _e.mock.On("Close")}
+}
+
+func (_c *MockCloser_Close_Call) Run(run func()) *MockCloser_Close_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) Return(err error) *MockCloser_Close_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCloser_Close_Call) RunAndReturn(run func() error) *MockCloser_Close_Call {
+	_c.Call.Return(run)
+	return _c
+}
--- a/pkg/cmd/authentication.go
+++ b/pkg/cmd/authentication.go
@@ -5,72 +5,58 @@ import (
 	"strings"
 	"time"

+	"github.com/spf13/pflag"
+
+	"github.com/int128/kubelogin/pkg/oidc/client"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
-	"github.com/spf13/pflag"
 )

-const oobRedirectURI = "urn:ietf:wg:oauth:2.0:oob"
-
 type authenticationOptions struct {
 	GrantType                   string
 	ListenAddress               []string
-	ListenPort                  []int // deprecated
 	AuthenticationTimeoutSec    int
 	SkipOpenBrowser             bool
 	BrowserCommand              string
 	LocalServerCertFile         string
 	LocalServerKeyFile          string
 	OpenURLAfterAuthentication  string
-	RedirectURLHostname         string
-	RedirectURLAuthCodeKeyboard string
+	RedirectURLHostname         string // DEPRECATED
+	RedirectURLAuthCodeKeyboard string // DEPRECATED
 	AuthRequestExtraParams      map[string]string
 	Username                    string
 	Password                    string
 }

-// determineListenAddress returns the addresses from the flags.
-// Note that --listen-address is always given due to the default value.
-// If --listen-port is not set, it returns --listen-address.
-// If --listen-port is set, it returns the strings of --listen-port.
-func (o *authenticationOptions) determineListenAddress() []string {
-	if len(o.ListenPort) == 0 {
-		return o.ListenAddress
-	}
-	var a []string
-	for _, p := range o.ListenPort {
-		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return a
-}
-
 var allGrantType = strings.Join([]string{
 	"auto",
 	"authcode",
 	"authcode-keyboard",
 	"password",
 	"device-code",
+	"client-credentials",
 }, "|")

 func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("Authorization grant type to use. One of (%s)", allGrantType))
 	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "[authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order")
-	//TODO: remove the deprecated flag
-	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "[authcode] deprecated: port to bind to the local server")
-	if err := f.MarkDeprecated("listen-port", "use --listen-address instead"); err != nil {
-		panic(err)
-	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
 	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
 	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
 	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
 	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
 	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
-	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
-	f.StringVar(&o.RedirectURLAuthCodeKeyboard, "oidc-redirect-url-authcode-keyboard", oobRedirectURI, "[authcode-keyboard] Redirect URL")
-	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "", "[authcode] Hostname of the redirect URL")
+	if err := f.MarkDeprecated("oidc-redirect-url-hostname", "use --oidc-redirect-url instead."); err != nil {
+		panic(err)
+	}
+	f.StringVar(&o.RedirectURLAuthCodeKeyboard, "oidc-redirect-url-authcode-keyboard", "", "Equivalent to --oidc-redirect-url")
+	if err := f.MarkDeprecated("oidc-redirect-url-authcode-keyboard", "use --oidc-redirect-url instead."); err != nil {
+		panic(err)
+	}
+	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard, client-credentials] Extra query parameters to send with an authentication request")
 	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
 	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
 }
@@ -84,7 +70,7 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
-			BindAddress:                o.determineListenAddress(),
+			BindAddress:                o.ListenAddress,
 			SkipOpenBrowser:            o.SkipOpenBrowser,
 			BrowserCommand:             o.BrowserCommand,
 			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
@@ -97,7 +83,6 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 	case o.GrantType == "authcode-keyboard":
 		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
 			AuthRequestExtraParams: o.AuthRequestExtraParams,
-			RedirectURL:            o.RedirectURLAuthCodeKeyboard,
 		}
 	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
 		s.ROPCOption = &ropc.Option{
@@ -109,6 +94,12 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 			SkipOpenBrowser: o.SkipOpenBrowser,
 			BrowserCommand:  o.BrowserCommand,
 		}
+	case o.GrantType == "client-credentials":
+		endpointparams := make(map[string][]string, len(o.AuthRequestExtraParams))
+		for k, v := range o.AuthRequestExtraParams {
+			endpointparams[k] = []string{v}
+		}
+		s.ClientCredentialsOption = &client.GetTokenByClientCredentialsInput{EndpointParams: endpointparams}
 	default:
 		err = fmt.Errorf("grant-type must be one of (%s)", allGrantType)
 	}
--- a/pkg/cmd/authentication_test.go
+++ b/pkg/cmd/authentication_test.go
@@ -5,6 +5,7 @@ import (
 	"time"

 	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/oidc/client"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
@@ -21,7 +22,6 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				AuthCodeBrowserOption: &authcode.BrowserOption{
 					BindAddress:           defaultListenAddress,
 					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
 				},
 			},
 		},
@@ -56,52 +56,24 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				},
 			},
 		},
-		"when --listen-port is set, it should convert the port to address": {
-			args: []string{
-				"--listen-port", "10080",
-				"--listen-port", "20080",
-			},
-			want: authentication.GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
-				},
-			},
-		},
-		"when --listen-port is set, it should ignore --listen-address flags": {
-			args: []string{
-				"--listen-port", "10080",
-				"--listen-port", "20080",
-				"--listen-address", "127.0.0.1:30080",
-				"--listen-address", "127.0.0.1:40080",
-			},
-			want: authentication.GrantOptionSet{
-				AuthCodeBrowserOption: &authcode.BrowserOption{
-					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-					RedirectURLHostname:   "localhost",
-				},
-			},
-		},
 		"GrantType=authcode-keyboard": {
 			args: []string{
 				"--grant-type", "authcode-keyboard",
 			},
 			want: authentication.GrantOptionSet{
-				AuthCodeKeyboardOption: &authcode.KeyboardOption{
-					RedirectURL: oobRedirectURI,
-				},
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{},
 			},
 		},
 		"GrantType=authcode-keyboard with full options": {
 			args: []string{
 				"--grant-type", "authcode-keyboard",
 				"--oidc-redirect-url-authcode-keyboard", "http://localhost",
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=true",
 			},
 			want: authentication.GrantOptionSet{
 				AuthCodeKeyboardOption: &authcode.KeyboardOption{
-					RedirectURL: "http://localhost",
+					AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
 				},
 			},
 		},
@@ -120,6 +92,21 @@ func Test_authenticationOptions_grantOptionSet(t *testing.T) {
 				},
 			},
 		},
+		"GrantType=client-credentials": {
+			args: []string{
+				"--grant-type", "client-credentials",
+				"--oidc-auth-request-extra-params", "audience=https://example.com/service1",
+				"--oidc-auth-request-extra-params", "jti=myUUID",
+			},
+			want: authentication.GrantOptionSet{
+				ClientCredentialsOption: &client.GetTokenByClientCredentialsInput{
+					EndpointParams: map[string][]string{
+						"audience": []string{"https://example.com/service1"},
+						"jti":      []string{"myUUID"},
+					},
+				},
+			},
+		},
 		"GrantType=auto": {
 			args: []string{
 				"--listen-address", "127.0.0.1:10080",
--- a/pkg/cmd/clean.go
+++ b/pkg/cmd/clean.go
@@ -0,0 +1,47 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/usecases/clean"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type cleanOptions struct {
+	TokenCacheDir string
+}
+
+func (o *cleanOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", getDefaultTokenCacheDir(), "Path to a directory of the token cache")
+}
+
+type Clean struct {
+	Clean clean.Interface
+}
+
+func (cmd *Clean) New() *cobra.Command {
+	var o cleanOptions
+	c := &cobra.Command{
+		Use:   "clean [flags]",
+		Short: "Delete the token cache",
+		Long: `Delete the token cache.
+
+This deletes the token cache directory from both the file system and the keyring.
+`,
+		Args: cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+			in := clean.Input{
+				TokenCacheDir: o.TokenCacheDir,
+			}
+			if err := cmd.Clean.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("clean: %w", err)
+			}
+			return nil
+		},
+	}
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
+	return c
+}
--- a/pkg/cmd/cmd.go
+++ b/pkg/cmd/cmd.go
@@ -2,8 +2,6 @@ package cmd

 import (
 	"context"
-	"os"
-	"path/filepath"
 	"runtime"

 	"github.com/google/wire"
@@ -18,23 +16,14 @@ var Set = wire.NewSet(
 	wire.Struct(new(Root), "*"),
 	wire.Struct(new(GetToken), "*"),
 	wire.Struct(new(Setup), "*"),
+	wire.Struct(new(Clean), "*"),
 )

 type Interface interface {
 	Run(ctx context.Context, args []string, version string) int
 }

-func getDefaultTokenCacheDir(key, fallback string) string {
-	if value, ok := os.LookupEnv(key); ok {
-		return value
-	}
-	return fallback
-}
-
 var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
-var defaultTokenCacheDir = filepath.Join(
-	getDefaultTokenCacheDir("KUBECACHEDIR", filepath.Join("~", ".kube", "cache")),
-	"oidc-login")

 const defaultAuthenticationTimeoutSec = 180

@@ -43,6 +32,7 @@ type Cmd struct {
 	Root     *Root
 	GetToken *GetToken
 	Setup    *Setup
+	Clean    *Clean
 	Logger   logger.Interface
 }

@@ -60,6 +50,9 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
 	setupCmd := cmd.Setup.New()
 	rootCmd.AddCommand(setupCmd)

+	cleanCmd := cmd.Clean.New()
+	rootCmd.AddCommand(cleanCmd)
+
 	versionCmd := &cobra.Command{
 		Use:   "version",
 		Short: "Print the version information",
--- a/pkg/cmd/cmd_test.go
+++ b/pkg/cmd/cmd_test.go
@@ -7,12 +7,17 @@ import (
 	"testing"
 	"time"

+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock"
+	"github.com/int128/kubelogin/mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/testing/logger"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/kubelogin/pkg/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 )

@@ -20,6 +25,13 @@ func TestCmd_Run(t *testing.T) {
 	const executable = "kubelogin"
 	const version = "HEAD"

+	defaultGrantOptionSet := authentication.GrantOptionSet{
+		AuthCodeBrowserOption: &authcode.BrowserOption{
+			BindAddress:           defaultListenAddress,
+			AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+		},
+	}
+
 	t.Run("root", func(t *testing.T) {
 		tests := map[string]struct {
 			args []string
@@ -28,13 +40,7 @@ func TestCmd_Run(t *testing.T) {
 			"Defaults": {
 				args: []string{executable},
 				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:           defaultListenAddress,
-							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-							RedirectURLHostname:   "localhost",
-						},
-					},
+					GrantOptionSet: defaultGrantOptionSet,
 				},
 			},
 			"FullOptions": {
@@ -48,20 +54,14 @@ func TestCmd_Run(t *testing.T) {
 					KubeconfigFilename: "/path/to/kubeconfig",
 					KubeconfigContext:  "hello.k8s.local",
 					KubeconfigUser:     "google",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:           defaultListenAddress,
-							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-							RedirectURLHostname:   "localhost",
-						},
-					},
+					GrantOptionSet:     defaultGrantOptionSet,
 				},
 			},
 		}
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {
 				ctx := context.TODO()
-				mockStandalone := standalone.NewMockInterface(t)
+				mockStandalone := standalone_mock.NewMockInterface(t)
 				mockStandalone.EXPECT().
 					Do(ctx, c.in).
 					Return(nil)
@@ -82,7 +82,7 @@ func TestCmd_Run(t *testing.T) {
 		t.Run("TooManyArgs", func(t *testing.T) {
 			cmd := Cmd{
 				Root: &Root{
-					Standalone: standalone.NewMockInterface(t),
+					Standalone: standalone_mock.NewMockInterface(t),
 					Logger:     logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -111,18 +111,14 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-client-id", "YOUR_CLIENT_ID",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					Provider: oidc.Provider{
 						IssuerURL: "https://issuer.example.com",
 						ClientID:  "YOUR_CLIENT_ID",
 					},
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:           defaultListenAddress,
-							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-							RedirectURLHostname:   "localhost",
-						},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					},
+					GrantOptionSet: defaultGrantOptionSet,
 				},
 			},
 			"FullOptions": {
@@ -133,23 +129,44 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
 					"--oidc-extra-scope", "email",
 					"--oidc-extra-scope", "profile",
+					"--oidc-request-header", "Origin=localhost:8080",
+					"--token-cache-storage", "keyring",
 					"-v1",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
 					Provider: oidc.Provider{
 						IssuerURL:    "https://issuer.example.com",
 						ClientID:     "YOUR_CLIENT_ID",
 						ClientSecret: "YOUR_CLIENT_SECRET",
 						ExtraScopes:  []string{"email", "profile"},
-					},
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeBrowserOption: &authcode.BrowserOption{
-							BindAddress:           defaultListenAddress,
-							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-							RedirectURLHostname:   "localhost",
+						RequestHeaders: map[string]string{
+							"Origin": "localhost:8080",
 						},
 					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+						Storage:   tokencache.StorageKeyring,
+					},
+					GrantOptionSet: defaultGrantOptionSet,
+				},
+			},
+			"AccessToken": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-use-access-token=true",
+				},
+				in: credentialplugin.Input{
+					Provider: oidc.Provider{
+						IssuerURL:      "https://issuer.example.com",
+						ClientID:       "YOUR_CLIENT_ID",
+						UseAccessToken: true,
+					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+					},
+					GrantOptionSet: defaultGrantOptionSet,
 				},
 			},
 			"HomedirExpansion": {
@@ -163,16 +180,17 @@ func TestCmd_Run(t *testing.T) {
 					"--token-cache-dir", "~/.kube/oidc-cache",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: filepath.Join(userHomeDir, ".kube/oidc-cache"),
 					Provider: oidc.Provider{
 						IssuerURL: "https://issuer.example.com",
 						ClientID:  "YOUR_CLIENT_ID",
 					},
+					TokenCacheConfig: tokencache.Config{
+						Directory: filepath.Join(userHomeDir, ".kube/oidc-cache"),
+					},
 					GrantOptionSet: authentication.GrantOptionSet{
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:           defaultListenAddress,
 							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
-							RedirectURLHostname:   "localhost",
 							LocalServerCertFile:   filepath.Join(userHomeDir, ".kube/oidc-server.crt"),
 							LocalServerKeyFile:    filepath.Join(userHomeDir, ".kube/oidc-server.key"),
 						},
@@ -186,7 +204,7 @@ func TestCmd_Run(t *testing.T) {
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {
 				ctx := context.TODO()
-				getToken := credentialplugin.NewMockInterface(t)
+				getToken := credentialplugin_mock.NewMockInterface(t)
 				getToken.EXPECT().
 					Do(ctx, c.in).
 					Return(nil)
@@ -214,7 +232,7 @@ func TestCmd_Run(t *testing.T) {
 					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
-					GetToken: credentialplugin.NewMockInterface(t),
+					GetToken: credentialplugin_mock.NewMockInterface(t),
 					Logger:   logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -232,7 +250,7 @@ func TestCmd_Run(t *testing.T) {
 					Logger: logger.New(t),
 				},
 				GetToken: &GetToken{
-					GetToken: credentialplugin.NewMockInterface(t),
+					GetToken: credentialplugin_mock.NewMockInterface(t),
 					Logger:   logger.New(t),
 				},
 				Logger: logger.New(t),
@@ -243,4 +261,54 @@ func TestCmd_Run(t *testing.T) {
 			}
 		})
 	})
+
+	t.Run("setup", func(t *testing.T) {
+		t.Run("NoOption", func(t *testing.T) {
+			ctx := context.TODO()
+			cmd := Cmd{
+				Logger: logger.New(t),
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "setup"}, version)
+			if exitCode != 0 {
+				t.Errorf("exitCode wants 0 but %d", exitCode)
+			}
+		})
+
+		t.Run("WithOptions", func(t *testing.T) {
+			ctx := context.TODO()
+			setupMock := setup_mock.NewMockInterface(t)
+			setupMock.EXPECT().Do(ctx, setup.Input{
+				IssuerURL:      "https://issuer.example.com",
+				ClientID:       "YOUR_CLIENT",
+				ExtraScopes:    []string{"email", "profile"},
+				GrantOptionSet: defaultGrantOptionSet,
+				ChangedFlags: []string{
+					"--oidc-issuer-url=https://issuer.example.com",
+					"--oidc-client-id=YOUR_CLIENT",
+					"--oidc-extra-scope=email",
+					"--oidc-extra-scope=profile",
+				},
+			}).Return(nil)
+			cmd := Cmd{
+				Logger: logger.New(t),
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				Setup: &Setup{
+					Setup: setupMock,
+				},
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "setup",
+				"--oidc-issuer-url", "https://issuer.example.com",
+				"--oidc-client-id", "YOUR_CLIENT",
+				"--oidc-extra-scope", "email,profile",
+			}, version)
+			if exitCode != 0 {
+				t.Errorf("exitCode wants 0 but %d", exitCode)
+			}
+		})
+	})
 }
--- a/pkg/cmd/get_token.go
+++ b/pkg/cmd/get_token.go
@@ -16,10 +16,13 @@ type getTokenOptions struct {
 	IssuerURL             string
 	ClientID              string
 	ClientSecret          string
+	RedirectURL           string
 	ExtraScopes           []string
-	UsePKCE               bool
-	TokenCacheDir         string
+	UseAccessToken        bool
+	RequestHeaders        map[string]string
+	tokenCacheOptions     tokenCacheOptions
 	tlsOptions            tlsOptions
+	pkceOptions           pkceOptions
 	authenticationOptions authenticationOptions
 	ForceRefresh          bool
 }
@@ -28,19 +31,21 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringVar(&o.RedirectURL, "oidc-redirect-url", "", "[authcode, authcode-keyboard] Redirect URL")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
-	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
+	f.StringToStringVar(&o.RequestHeaders, "oidc-request-header", nil, "HTTP headers to send with an authentication request")
 	f.BoolVar(&o.ForceRefresh, "force-refresh", false, "If set, refresh the ID token regardless of its expiration time")
+	o.tokenCacheOptions.addFlags(f)
 	o.tlsOptions.addFlags(f)
+	o.pkceOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }

-func (o *getTokenOptions) expandHomedir() error {
-	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+func (o *getTokenOptions) expandHomedir() {
+	o.tokenCacheOptions.expandHomedir()
 	o.authenticationOptions.expandHomedir()
 	o.tlsOptions.expandHomedir()
-	return nil
 }

 type GetToken struct {
@@ -66,25 +71,38 @@ func (cmd *GetToken) New() *cobra.Command {
 			return nil
 		},
 		RunE: func(c *cobra.Command, _ []string) error {
-			if err := o.expandHomedir(); err != nil {
-				return err
-			}
+			o.expandHomedir()
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
 				return fmt.Errorf("get-token: %w", err)
 			}
+			tokenCacheConfig, err := o.tokenCacheOptions.tokenCacheConfig()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			pkceMethod, err := o.pkceOptions.pkceMethod()
+			if err != nil {
+				return fmt.Errorf("get-token: %w", err)
+			}
+			redirectURL := o.RedirectURL
+			if o.authenticationOptions.RedirectURLAuthCodeKeyboard != "" {
+				redirectURL = o.authenticationOptions.RedirectURLAuthCodeKeyboard
+			}
 			in := credentialplugin.Input{
 				Provider: oidc.Provider{
-					IssuerURL:    o.IssuerURL,
-					ClientID:     o.ClientID,
-					ClientSecret: o.ClientSecret,
-					UsePKCE:      o.UsePKCE,
-					ExtraScopes:  o.ExtraScopes,
+					IssuerURL:      o.IssuerURL,
+					ClientID:       o.ClientID,
+					ClientSecret:   o.ClientSecret,
+					RedirectURL:    redirectURL,
+					PKCEMethod:     pkceMethod,
+					UseAccessToken: o.UseAccessToken,
+					ExtraScopes:    o.ExtraScopes,
+					RequestHeaders: o.RequestHeaders,
 				},
-				TokenCacheDir:   o.TokenCacheDir,
-				GrantOptionSet:  grantOptionSet,
-				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
-				ForceRefresh:    o.ForceRefresh,
+				ForceRefresh:     o.ForceRefresh,
+				TokenCacheConfig: tokenCacheConfig,
+				GrantOptionSet:   grantOptionSet,
+				TLSClientConfig:  o.tlsOptions.tlsClientConfig(),
 			}
 			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
 				return fmt.Errorf("get-token: %w", err)
--- a/pkg/cmd/pkce.go
+++ b/pkg/cmd/pkce.go
@@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/spf13/pflag"
+)
+
+var allPKCEMethods = strings.Join([]string{"auto", "no", "S256"}, "|")
+
+type pkceOptions struct {
+	UsePKCE    bool
+	PKCEMethod string
+}
+
+func (o *pkceOptions) addFlags(f *pflag.FlagSet) {
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE S256 code challenge method")
+	if err := f.MarkDeprecated("oidc-use-pkce", "use --oidc-pkce-method instead. For the most providers, you don't need to set the flag."); err != nil {
+		panic(err)
+	}
+	f.StringVar(&o.PKCEMethod, "oidc-pkce-method", "auto", fmt.Sprintf("PKCE code challenge method. Automatically determined by default. One of (%s)", allPKCEMethods))
+}
+
+func (o *pkceOptions) pkceMethod() (oidc.PKCEMethod, error) {
+	if o.UsePKCE {
+		return oidc.PKCEMethodS256, nil
+	}
+	switch o.PKCEMethod {
+	case "auto":
+		return oidc.PKCEMethodAuto, nil
+	case "no":
+		return oidc.PKCEMethodNo, nil
+	case "S256":
+		return oidc.PKCEMethodS256, nil
+	default:
+		return 0, fmt.Errorf("oidc-pkce-method must be one of (%s)", allPKCEMethods)
+	}
+}
--- a/pkg/cmd/setup.go
+++ b/pkg/cmd/setup.go
@@ -3,6 +3,8 @@ package cmd
 import (
 	"fmt"

+	_ "embed"
+
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -13,9 +15,12 @@ type setupOptions struct {
 	IssuerURL             string
 	ClientID              string
 	ClientSecret          string
+	RedirectURL           string
 	ExtraScopes           []string
-	UsePKCE               bool
+	UseAccessToken        bool
+	RequestHeaders        map[string]string
 	tlsOptions            tlsOptions
+	pkceOptions           pkceOptions
 	authenticationOptions authenticationOptions
 }

@@ -23,9 +28,12 @@ func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
+	f.StringVar(&o.RedirectURL, "oidc-redirect-url", "", "[authcode, authcode-keyboard] Redirect URL")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
+	f.BoolVar(&o.UseAccessToken, "oidc-use-access-token", false, "Instead of using the id_token, use the access_token to authenticate to Kubernetes")
+	f.StringToStringVar(&o.RequestHeaders, "oidc-request-header", nil, "HTTP headers to send with an authentication request")
 	o.tlsOptions.addFlags(f)
+	o.pkceOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }

@@ -33,34 +41,56 @@ type Setup struct {
 	Setup setup.Interface
 }

+//go:embed setup.md
+var setupLongDescription string
+
 func (cmd *Setup) New() *cobra.Command {
 	var o setupOptions
 	c := &cobra.Command{
 		Use:   "setup",
 		Short: "Show the setup instruction",
+		Long:  setupLongDescription,
 		Args:  cobra.NoArgs,
 		RunE: func(c *cobra.Command, _ []string) error {
+			var changedFlags []string
+			c.Flags().VisitAll(func(f *pflag.Flag) {
+				if !f.Changed {
+					return
+				}
+				if sliceValue, ok := f.Value.(pflag.SliceValue); ok {
+					for _, v := range sliceValue.GetSlice() {
+						changedFlags = append(changedFlags, fmt.Sprintf("--%s=%s", f.Name, v))
+					}
+					return
+				}
+				changedFlags = append(changedFlags, fmt.Sprintf("--%s=%s", f.Name, f.Value))
+			})
+
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
 				return fmt.Errorf("setup: %w", err)
 			}
-			in := setup.Stage2Input{
+			pkceMethod, err := o.pkceOptions.pkceMethod()
+			if err != nil {
+				return fmt.Errorf("setup: %w", err)
+			}
+			in := setup.Input{
 				IssuerURL:       o.IssuerURL,
 				ClientID:        o.ClientID,
 				ClientSecret:    o.ClientSecret,
+				RedirectURL:     o.RedirectURL,
 				ExtraScopes:     o.ExtraScopes,
-				UsePKCE:         o.UsePKCE,
+				UseAccessToken:  o.UseAccessToken,
+				RequestHeaders:  o.RequestHeaders,
+				PKCEMethod:      pkceMethod,
 				GrantOptionSet:  grantOptionSet,
 				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
-			}
-			if c.Flags().Lookup("listen-address").Changed {
-				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
+				ChangedFlags:    changedFlags,
 			}
 			if in.IssuerURL == "" || in.ClientID == "" {
-				cmd.Setup.DoStage1()
-				return nil
+				return c.Help()
 			}
-			if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
+			if err := cmd.Setup.Do(c.Context(), in); err != nil {
 				return fmt.Errorf("setup: %w", err)
 			}
 			return nil
--- a/pkg/cmd/setup.md
+++ b/pkg/cmd/setup.md
@@ -0,0 +1,12 @@
+This setup shows the instruction of Kubernetes OpenID Connect authentication.
+
+You need to set up the OpenID Connect Provider.
+Run the following command to authenticate with the OpenID Connect Provider:
+
+```
+kubectl oidc-login setup \
+  --oidc-issuer-url=ISSUER_URL \
+  --oidc-client-id=YOUR_CLIENT_ID
+```
+
+See https://github.com/int128/kubelogin for the details.
--- a/pkg/cmd/tls.go
+++ b/pkg/cmd/tls.go
@@ -18,7 +18,7 @@ type tlsOptions struct {
 func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
 	f.StringArrayVar(&o.CACertFilename, "certificate-authority", nil, "Path to a cert file for the certificate authority")
 	f.StringArrayVar(&o.CACertData, "certificate-authority-data", nil, "Base64 encoded cert for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "[SECURITY RISK] If set, the server's certificate will not be checked for validity")
 	f.BoolVar(&o.RenegotiateOnceAsClient, "tls-renegotiation-once", false, "If set, allow a remote server to request renegotiation once per connection")
 	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
 }
--- a/pkg/cmd/tokencache.go
+++ b/pkg/cmd/tokencache.go
@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/int128/kubelogin/pkg/tokencache"
+	"github.com/spf13/pflag"
+)
+
+func getDefaultTokenCacheDir() string {
+	// https://github.com/int128/kubelogin/pull/975
+	if kubeCacheDir, ok := os.LookupEnv("KUBECACHEDIR"); ok {
+		return filepath.Join(kubeCacheDir, "oidc-login")
+	}
+	return filepath.Join("~", ".kube", "cache", "oidc-login")
+}
+
+var allTokenCacheStorage = strings.Join([]string{"disk", "keyring", "none"}, "|")
+
+type tokenCacheOptions struct {
+	TokenCacheDir     string
+	TokenCacheStorage string
+}
+
+func (o *tokenCacheOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", getDefaultTokenCacheDir(), "Path to a directory of the token cache")
+	f.StringVar(&o.TokenCacheStorage, "token-cache-storage", "disk", fmt.Sprintf("Storage for the token cache. One of (%s)", allTokenCacheStorage))
+}
+
+func (o *tokenCacheOptions) expandHomedir() {
+	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+}
+
+func (o *tokenCacheOptions) tokenCacheConfig() (tokencache.Config, error) {
+	config := tokencache.Config{
+		Directory: o.TokenCacheDir,
+	}
+	switch o.TokenCacheStorage {
+	case "disk":
+		config.Storage = tokencache.StorageDisk
+	case "keyring":
+		config.Storage = tokencache.StorageKeyring
+	case "none":
+		config.Storage = tokencache.StorageNone
+	default:
+		return tokencache.Config{}, fmt.Errorf("token-cache-storage must be one of (%s)", allTokenCacheStorage)
+	}
+	return config, nil
+}
--- a/pkg/credentialplugin/reader/reader.go
+++ b/pkg/credentialplugin/reader/reader.go
@@ -0,0 +1,39 @@
+// Package reader provides a loader for the credential plugin.
+package reader
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	"k8s.io/client-go/pkg/apis/clientauthentication"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Reader), "*"),
+	wire.Bind(new(Interface), new(*Reader)),
+)
+
+type Interface interface {
+	Read() (credentialplugin.Input, error)
+}
+
+type Reader struct{}
+
+// Read parses the environment variable KUBERNETES_EXEC_INFO.
+// If the environment variable is not given by kubectl, Read returns a zero value.
+func (r Reader) Read() (credentialplugin.Input, error) {
+	execInfo := os.Getenv("KUBERNETES_EXEC_INFO")
+	if execInfo == "" {
+		return credentialplugin.Input{}, nil
+	}
+	var execCredential clientauthentication.ExecCredential
+	if err := json.Unmarshal([]byte(execInfo), &execCredential); err != nil {
+		return credentialplugin.Input{}, fmt.Errorf("invalid KUBERNETES_EXEC_INFO: %w", err)
+	}
+	return credentialplugin.Input{
+		ClientAuthenticationAPIVersion: execCredential.APIVersion,
+	}, nil
+}
--- a/pkg/credentialplugin/reader/reader_test.go
+++ b/pkg/credentialplugin/reader/reader_test.go
@@ -0,0 +1,44 @@
+package reader
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+)
+
+func TestReader_Read(t *testing.T) {
+	var reader Reader
+
+	t.Run("KUBERNETES_EXEC_INFO is empty", func(t *testing.T) {
+		input, err := reader.Read()
+		if err != nil {
+			t.Errorf("Read returned error: %v", err)
+		}
+		want := credentialplugin.Input{}
+		if diff := cmp.Diff(want, input); diff != "" {
+			t.Errorf("input mismatch (-want +got):\n%s", diff)
+		}
+	})
+	t.Run("KUBERNETES_EXEC_INFO is invalid JSON", func(t *testing.T) {
+		t.Setenv("KUBERNETES_EXEC_INFO", "invalid")
+		_, err := reader.Read()
+		if err == nil {
+			t.Errorf("Read wants error but no error")
+		}
+	})
+	t.Run("KUBERNETES_EXEC_INFO is v1", func(t *testing.T) {
+		t.Setenv(
+			"KUBERNETES_EXEC_INFO",
+			`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
+		)
+		input, err := reader.Read()
+		if err != nil {
+			t.Errorf("Read returned error: %v", err)
+		}
+		want := credentialplugin.Input{ClientAuthenticationAPIVersion: "client.authentication.k8s.io/v1"}
+		if diff := cmp.Diff(want, input); diff != "" {
+			t.Errorf("input mismatch (-want +got):\n%s", diff)
+		}
+	})
+}
--- a/pkg/credentialplugin/types.go
+++ b/pkg/credentialplugin/types.go
@@ -3,8 +3,15 @@ package credentialplugin

 import "time"

+// Input represents an input object of the credential plugin.
+// This may be a zero value if the input is not available.
+type Input struct {
+	ClientAuthenticationAPIVersion string
+}
+
 // Output represents an output object of the credential plugin.
 type Output struct {
-	Token  string
-	Expiry time.Time
+	Token                          string
+	Expiry                         time.Time
+	ClientAuthenticationAPIVersion string
 }
--- a/pkg/credentialplugin/writer/credential_plugin.go
+++ b/pkg/credentialplugin/writer/credential_plugin.go
@@ -1,4 +1,4 @@
-// Package writer provides a writer for a credential plugin.
+// Package writer provides a writer for the credential plugin.
 package writer

 import (
@@ -9,6 +9,7 @@ import (
 	"github.com/int128/kubelogin/pkg/credentialplugin"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 )

@@ -27,19 +28,44 @@ type Writer struct {

 // Write writes the ExecCredential to standard output for kubectl.
 func (w *Writer) Write(out credentialplugin.Output) error {
-	ec := &clientauthenticationv1beta1.ExecCredential{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
-		},
+	execCredential, err := generateExecCredential(out)
+	if err != nil {
+		return fmt.Errorf("generate ExecCredential: %w", err)
 	}
-	e := json.NewEncoder(w.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return fmt.Errorf("could not write the ExecCredential: %w", err)
+	if err := json.NewEncoder(w.Stdout).Encode(execCredential); err != nil {
+		return fmt.Errorf("write ExecCredential: %w", err)
 	}
 	return nil
 }
+
+func generateExecCredential(out credentialplugin.Output) (any, error) {
+	switch out.ClientAuthenticationAPIVersion {
+	// If the API version is not available, fall back to v1beta1.
+	case clientauthenticationv1beta1.SchemeGroupVersion.String(), "":
+		return &clientauthenticationv1beta1.ExecCredential{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
+				Kind:       "ExecCredential",
+			},
+			Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+				Token:               out.Token,
+				ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+			},
+		}, nil
+
+	case clientauthenticationv1.SchemeGroupVersion.String():
+		return &clientauthenticationv1.ExecCredential{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+				Kind:       "ExecCredential",
+			},
+			Status: &clientauthenticationv1.ExecCredentialStatus{
+				Token:               out.Token,
+				ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+			},
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unknown apiVersion: %s", out.ClientAuthenticationAPIVersion)
+	}
+}
--- a/pkg/di/di.go
+++ b/pkg/di/di.go
@@ -7,11 +7,11 @@ package di
 import (
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/cmd"
-	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	credentialpluginreader "github.com/int128/kubelogin/pkg/credentialplugin/reader"
+	credentialpluginwriter "github.com/int128/kubelogin/pkg/credentialplugin/writer"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/infrastructure/reader"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	kubeconfigLoader "github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -20,6 +20,7 @@ import (
 	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
 	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/clean"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -47,6 +48,7 @@ func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interf
 		standalone.Set,
 		credentialplugin.Set,
 		setup.Set,
+		clean.Set,

 		// infrastructure
 		cmd.Set,
@@ -56,8 +58,8 @@ func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interf
 		repository.Set,
 		client.Set,
 		loader.Set,
-		writer.Set,
-		mutex.Set,
+		credentialpluginreader.Set,
+		credentialpluginwriter.Set,
 	)
 	return nil
 }
--- a/pkg/di/wire_gen.go
+++ b/pkg/di/wire_gen.go
@@ -1,6 +1,6 @@
 // Code generated by Wire. DO NOT EDIT.

-//go:generate go run github.com/google/wire/cmd/wire
+//go:generate go run -mod=mod github.com/google/wire/cmd/wire
 //go:build !wireinject
 // +build !wireinject

@@ -8,11 +8,11 @@ package di

 import (
 	"github.com/int128/kubelogin/pkg/cmd"
+	reader2 "github.com/int128/kubelogin/pkg/credentialplugin/reader"
 	writer2 "github.com/int128/kubelogin/pkg/credentialplugin/writer"
 	"github.com/int128/kubelogin/pkg/infrastructure/browser"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
 	"github.com/int128/kubelogin/pkg/infrastructure/reader"
 	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
 	loader2 "github.com/int128/kubelogin/pkg/kubeconfig/loader"
@@ -22,8 +22,10 @@ import (
 	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/clientcredentials"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/devicecode"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/int128/kubelogin/pkg/usecases/clean"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
@@ -75,14 +77,17 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		Browser: browserInterface,
 		Logger:  loggerInterface,
 	}
+	clientCredentials := &clientcredentials.ClientCredentials{
+		Logger: loggerInterface,
+	}
 	authenticationAuthentication := &authentication.Authentication{
-		ClientFactory:    factory,
-		Logger:           loggerInterface,
-		Clock:            clockInterface,
-		AuthCodeBrowser:  authcodeBrowser,
-		AuthCodeKeyboard: keyboard,
-		ROPC:             ropcROPC,
-		DeviceCode:       deviceCode,
+		ClientFactory:     factory,
+		Logger:            loggerInterface,
+		AuthCodeBrowser:   authcodeBrowser,
+		AuthCodeKeyboard:  keyboard,
+		ROPC:              ropcROPC,
+		DeviceCode:        deviceCode,
+		ClientCredentials: clientCredentials,
 	}
 	loader3 := &loader2.Loader{}
 	writerWriter := &writer.Writer{}
@@ -91,24 +96,24 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 		KubeconfigLoader: loader3,
 		KubeconfigWriter: writerWriter,
 		Logger:           loggerInterface,
+		Clock:            clockInterface,
 	}
 	root := &cmd.Root{
 		Standalone: standaloneStandalone,
 		Logger:     loggerInterface,
 	}
 	repositoryRepository := &repository.Repository{}
+	reader3 := &reader2.Reader{}
 	writer3 := &writer2.Writer{
 		Stdout: stdout,
 	}
-	mutexMutex := &mutex.Mutex{
-		Logger: loggerInterface,
-	}
 	getToken := &credentialplugin.GetToken{
-		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repositoryRepository,
-		Writer:               writer3,
-		Mutex:                mutexMutex,
-		Logger:               loggerInterface,
+		Authentication:         authenticationAuthentication,
+		TokenCacheRepository:   repositoryRepository,
+		CredentialPluginReader: reader3,
+		CredentialPluginWriter: writer3,
+		Logger:                 loggerInterface,
+		Clock:                  clockInterface,
 	}
 	cmdGetToken := &cmd.GetToken{
 		GetToken: getToken,
@@ -121,10 +126,18 @@ func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout
 	cmdSetup := &cmd.Setup{
 		Setup: setupSetup,
 	}
+	cleanClean := &clean.Clean{
+		TokenCacheRepository: repositoryRepository,
+		Logger:               loggerInterface,
+	}
+	cmdClean := &cmd.Clean{
+		Clean: cleanClean,
+	}
 	cmdCmd := &cmd.Cmd{
 		Root:     root,
 		GetToken: cmdGetToken,
 		Setup:    cmdSetup,
+		Clean:    cmdClean,
 		Logger:   loggerInterface,
 	}
 	return cmdCmd
--- a/pkg/infrastructure/logger/mock_Interface.go
+++ b/pkg/infrastructure/logger/mock_Interface.go
@@ -1,179 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import (
-	pflag "github.com/spf13/pflag"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// AddFlags provides a mock function with given fields: f
-func (_m *MockInterface) AddFlags(f *pflag.FlagSet) {
-	_m.Called(f)
-}
-
-// MockInterface_AddFlags_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddFlags'
-type MockInterface_AddFlags_Call struct {
-	*mock.Call
-}
-
-// AddFlags is a helper method to define mock.On call
-//   - f *pflag.FlagSet
-func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
-	return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
-}
-
-func (_c *MockInterface_AddFlags_Call) Run(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*pflag.FlagSet))
-	})
-	return _c
-}
-
-func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
-	_c.Call.Return()
-	return _c
-}
-
-// IsEnabled provides a mock function with given fields: level
-func (_m *MockInterface) IsEnabled(level int) bool {
-	ret := _m.Called(level)
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func(int) bool); ok {
-		r0 = rf(level)
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// MockInterface_IsEnabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsEnabled'
-type MockInterface_IsEnabled_Call struct {
-	*mock.Call
-}
-
-// IsEnabled is a helper method to define mock.On call
-//   - level int
-func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
-	return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
-}
-
-func (_c *MockInterface_IsEnabled_Call) Run(run func(level int)) *MockInterface_IsEnabled_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(int))
-	})
-	return _c
-}
-
-func (_c *MockInterface_IsEnabled_Call) Return(_a0 bool) *MockInterface_IsEnabled_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-// Printf provides a mock function with given fields: format, args
-func (_m *MockInterface) Printf(format string, args ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, args...)
-	_m.Called(_ca...)
-}
-
-// MockInterface_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
-type MockInterface_Printf_Call struct {
-	*mock.Call
-}
-
-// Printf is a helper method to define mock.On call
-//   - format string
-//   - args ...interface{}
-func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
-	return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
-		append([]interface{}{format}, args...)...)}
-}
-
-func (_c *MockInterface_Printf_Call) Run(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-// V provides a mock function with given fields: level
-func (_m *MockInterface) V(level int) Verbose {
-	ret := _m.Called(level)
-
-	var r0 Verbose
-	if rf, ok := ret.Get(0).(func(int) Verbose); ok {
-		r0 = rf(level)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Verbose)
-		}
-	}
-
-	return r0
-}
-
-// MockInterface_V_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'V'
-type MockInterface_V_Call struct {
-	*mock.Call
-}
-
-// V is a helper method to define mock.On call
-//   - level int
-func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
-	return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
-}
-
-func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(int))
-	})
-	return _c
-}
-
-func (_c *MockInterface_V_Call) Return(_a0 Verbose) *MockInterface_V_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/infrastructure/logger/mock_Verbose.go
+++ b/pkg/infrastructure/logger/mock_Verbose.go
@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// MockVerbose is an autogenerated mock type for the Verbose type
-type MockVerbose struct {
-	mock.Mock
-}
-
-type MockVerbose_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockVerbose) EXPECT() *MockVerbose_Expecter {
-	return &MockVerbose_Expecter{mock: &_m.Mock}
-}
-
-// Infof provides a mock function with given fields: format, args
-func (_m *MockVerbose) Infof(format string, args ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, args...)
-	_m.Called(_ca...)
-}
-
-// MockVerbose_Infof_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Infof'
-type MockVerbose_Infof_Call struct {
-	*mock.Call
-}
-
-// Infof is a helper method to define mock.On call
-//   - format string
-//   - args ...interface{}
-func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
-	return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
-		append([]interface{}{format}, args...)...)}
-}
-
-func (_c *MockVerbose_Infof_Call) Run(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTNewMockVerbose interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockVerbose(t mockConstructorTestingTNewMockVerbose) *MockVerbose {
-	mock := &MockVerbose{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/infrastructure/logger/mock_goLogger.go
+++ b/pkg/infrastructure/logger/mock_goLogger.go
@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// mockGoLogger is an autogenerated mock type for the goLogger type
-type mockGoLogger struct {
-	mock.Mock
-}
-
-type mockGoLogger_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *mockGoLogger) EXPECT() *mockGoLogger_Expecter {
-	return &mockGoLogger_Expecter{mock: &_m.Mock}
-}
-
-// Printf provides a mock function with given fields: format, v
-func (_m *mockGoLogger) Printf(format string, v ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, v...)
-	_m.Called(_ca...)
-}
-
-// mockGoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
-type mockGoLogger_Printf_Call struct {
-	*mock.Call
-}
-
-// Printf is a helper method to define mock.On call
-//   - format string
-//   - v ...interface{}
-func (_e *mockGoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockGoLogger_Printf_Call {
-	return &mockGoLogger_Printf_Call{Call: _e.mock.On("Printf",
-		append([]interface{}{format}, v...)...)}
-}
-
-func (_c *mockGoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockGoLogger_Printf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *mockGoLogger_Printf_Call) Return() *mockGoLogger_Printf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTnewMockGoLogger interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// newMockGoLogger creates a new instance of mockGoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func newMockGoLogger(t mockConstructorTestingTnewMockGoLogger) *mockGoLogger {
-	mock := &mockGoLogger{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/infrastructure/mutex/mock_Interface.go
+++ b/pkg/infrastructure/mutex/mock_Interface.go
@@ -1,121 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package mutex
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// Acquire provides a mock function with given fields: ctx, name
-func (_m *MockInterface) Acquire(ctx context.Context, name string) (*Lock, error) {
-	ret := _m.Called(ctx, name)
-
-	var r0 *Lock
-	if rf, ok := ret.Get(0).(func(context.Context, string) *Lock); ok {
-		r0 = rf(ctx, name)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*Lock)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, name)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_Acquire_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Acquire'
-type MockInterface_Acquire_Call struct {
-	*mock.Call
-}
-
-// Acquire is a helper method to define mock.On call
-//   - ctx context.Context
-//   - name string
-func (_e *MockInterface_Expecter) Acquire(ctx interface{}, name interface{}) *MockInterface_Acquire_Call {
-	return &MockInterface_Acquire_Call{Call: _e.mock.On("Acquire", ctx, name)}
-}
-
-func (_c *MockInterface_Acquire_Call) Run(run func(ctx context.Context, name string)) *MockInterface_Acquire_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Acquire_Call) Return(_a0 *Lock, _a1 error) *MockInterface_Acquire_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Release provides a mock function with given fields: lock
-func (_m *MockInterface) Release(lock *Lock) error {
-	ret := _m.Called(lock)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*Lock) error); ok {
-		r0 = rf(lock)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockInterface_Release_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Release'
-type MockInterface_Release_Call struct {
-	*mock.Call
-}
-
-// Release is a helper method to define mock.On call
-//   - lock *Lock
-func (_e *MockInterface_Expecter) Release(lock interface{}) *MockInterface_Release_Call {
-	return &MockInterface_Release_Call{Call: _e.mock.On("Release", lock)}
-}
-
-func (_c *MockInterface_Release_Call) Run(run func(lock *Lock)) *MockInterface_Release_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*Lock))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Release_Call) Return(_a0 error) *MockInterface_Release_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/infrastructure/mutex/mutex.go
+++ b/pkg/infrastructure/mutex/mutex.go
@@ -1,87 +0,0 @@
-package mutex
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path"
-
-	"github.com/alexflint/go-filemutex"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-)
-
-var Set = wire.NewSet(
-	wire.Struct(new(Mutex), "*"),
-	wire.Bind(new(Interface), new(*Mutex)),
-)
-
-type Interface interface {
-	Acquire(ctx context.Context, name string) (*Lock, error)
-	Release(lock *Lock) error
-}
-
-// Lock holds the lock data.
-type Lock struct {
-	Data interface{}
-	Name string
-}
-
-type Mutex struct {
-	Logger logger.Interface
-}
-
-// internalAcquire wait for acquisition of the lock
-func internalAcquire(fm *filemutex.FileMutex) chan error {
-	result := make(chan error)
-	go func() {
-		if err := fm.Lock(); err != nil {
-			result <- err
-		}
-		close(result)
-	}()
-	return result
-}
-
-// internalRelease disposes of resources associated with a lock
-func internalRelease(fm *filemutex.FileMutex, lfn string, log logger.Interface) error {
-	err := fm.Close()
-	if err != nil {
-		log.V(1).Infof("Error closing lock file %s: %s", lfn, err)
-	}
-	return err
-}
-
-// LockFileName get the lock file name from the lock name.
-func LockFileName(name string) string {
-	return path.Join(os.TempDir(), fmt.Sprintf(".kubelogin.%s.lock", name))
-}
-
-// Acquire acquire a lock for the specified name. The context could be used to set a timeout.
-func (m *Mutex) Acquire(ctx context.Context, name string) (*Lock, error) {
-	lfn := LockFileName(name)
-	fm, err := filemutex.New(lfn)
-	if err != nil {
-		return nil, fmt.Errorf("error creating mutex file %s: %w", lfn, err)
-	}
-
-	lockChan := internalAcquire(fm)
-	select {
-	case <-ctx.Done():
-		_ = internalRelease(fm, lfn, m.Logger)
-		return nil, ctx.Err()
-	case err := <-lockChan:
-		if err != nil {
-			_ = internalRelease(fm, lfn, m.Logger)
-			return nil, fmt.Errorf("error acquiring lock on file %s: %w", lfn, err)
-		}
-		return &Lock{Data: fm, Name: name}, nil
-	}
-}
-
-// Release release the specified lock
-func (m *Mutex) Release(lock *Lock) error {
-	fm := lock.Data.(*filemutex.FileMutex)
-	lfn := LockFileName(lock.Name)
-	return internalRelease(fm, lfn, m.Logger)
-}
--- a/pkg/infrastructure/mutex/mutex_test.go
+++ b/pkg/infrastructure/mutex/mutex_test.go
@@ -1,65 +0,0 @@
-package mutex
-
-import (
-	"context"
-	"fmt"
-	"math/rand"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/int128/kubelogin/pkg/infrastructure/logger"
-)
-
-func TestMutex(t *testing.T) {
-
-	t.Run("Test successful parallel acquisition with no reentry allowed", func(t *testing.T) {
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		nbConcurrency := 20
-		wg := sync.WaitGroup{}
-		events := make(chan int, nbConcurrency*2)
-		errors := make(chan error, nbConcurrency)
-		doLockUnlock := func() {
-			defer wg.Done()
-
-			m := Mutex{
-				Logger: logger.New(),
-			}
-			if mutex, err := m.Acquire(ctx, "test"); err == nil {
-				events <- 1
-				var dur = time.Duration(rand.Intn(5000))
-				time.Sleep(dur * time.Microsecond)
-				events <- -1
-				if err := m.Release(mutex); err != nil {
-					errors <- fmt.Errorf("Release error: %w", err)
-				}
-			} else {
-				errors <- fmt.Errorf("Acquire error: %w", err)
-			}
-		}
-
-		for i := 0; i < nbConcurrency; i++ {
-			wg.Add(1)
-			go doLockUnlock()
-		}
-
-		wg.Wait()
-		close(events)
-		close(errors)
-
-		countConcurrent := 0
-		for delta := range events {
-			countConcurrent += delta
-			if countConcurrent > 1 {
-				t.Errorf("The mutex did not prevented reentry: %d", countConcurrent)
-			}
-		}
-
-		for anError := range errors {
-			t.Errorf("The gorouting returned an error: %s", anError)
-		}
-	})
-}
--- a/pkg/kubeconfig/loader/mock_Interface.go
+++ b/pkg/kubeconfig/loader/mock_Interface.go
@@ -1,84 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package loader
-
-import (
-	kubeconfig "github.com/int128/kubelogin/pkg/kubeconfig"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// GetCurrentAuthProvider provides a mock function with given fields: explicitFilename, contextName, userName
-func (_m *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
-	ret := _m.Called(explicitFilename, contextName, userName)
-
-	var r0 *kubeconfig.AuthProvider
-	if rf, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
-		r0 = rf(explicitFilename, contextName, userName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*kubeconfig.AuthProvider)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
-		r1 = rf(explicitFilename, contextName, userName)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetCurrentAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCurrentAuthProvider'
-type MockInterface_GetCurrentAuthProvider_Call struct {
-	*mock.Call
-}
-
-// GetCurrentAuthProvider is a helper method to define mock.On call
-//   - explicitFilename string
-//   - contextName kubeconfig.ContextName
-//   - userName kubeconfig.UserName
-func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
-	return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
-}
-
-func (_c *MockInterface_GetCurrentAuthProvider_Call) Run(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName)) *MockInterface_GetCurrentAuthProvider_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(kubeconfig.ContextName), args[2].(kubeconfig.UserName))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(_a0 *kubeconfig.AuthProvider, _a1 error) *MockInterface_GetCurrentAuthProvider_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/mocks.go
+++ b/pkg/mocks.go
@@ -1,3 +0,0 @@
-package pkg
-
-//go:generate mockery --all --inpackage --with-expecter
--- a/pkg/oidc/client/authcode.go
+++ b/pkg/oidc/client/authcode.go
@@ -0,0 +1,102 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	gooidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/oauth2cli"
+	"golang.org/x/oauth2"
+)
+
+type AuthCodeURLInput struct {
+	State                  string
+	Nonce                  string
+	PKCEParams             pkce.Params
+	AuthRequestExtraParams map[string]string
+}
+
+type ExchangeAuthCodeInput struct {
+	Code       string
+	PKCEParams pkce.Params
+	Nonce      string
+}
+
+type GetTokenByAuthCodeInput struct {
+	BindAddress            []string
+	State                  string
+	Nonce                  string
+	PKCEParams             pkce.Params
+	RedirectURLHostname    string // DEPRECATED
+	AuthRequestExtraParams map[string]string
+	LocalServerSuccessHTML string
+	LocalServerCertFile    string
+	LocalServerKeyFile     string
+}
+
+func (c *client) NegotiatedPKCEMethod() pkce.Method {
+	return c.negotiatedPKCEMethod
+}
+
+// GetTokenByAuthCode performs the authorization code flow.
+func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	config := oauth2cli.Config{
+		OAuth2Config:           c.oauth2Config,
+		State:                  in.State,
+		AuthCodeOptions:        authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
+		TokenRequestOptions:    tokenRequestOptions(in.PKCEParams),
+		LocalServerBindAddress: in.BindAddress,
+		LocalServerReadyChan:   localServerReadyChan,
+		RedirectURLHostname:    in.RedirectURLHostname,
+		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		LocalServerCertFile:    in.LocalServerCertFile,
+		LocalServerKeyFile:     in.LocalServerKeyFile,
+		Logf:                   c.logger.V(1).Infof,
+	}
+	token, err := oauth2cli.GetToken(ctx, config)
+	if err != nil {
+		return nil, fmt.Errorf("oauth2 error: %w", err)
+	}
+	return c.verifyToken(ctx, token, in.Nonce)
+}
+
+// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
+func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
+	opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
+	return c.oauth2Config.AuthCodeURL(in.State, opts...)
+}
+
+// ExchangeAuthCode exchanges the authorization code and token.
+func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	opts := tokenRequestOptions(in.PKCEParams)
+	token, err := c.oauth2Config.Exchange(ctx, in.Code, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("exchange error: %w", err)
+	}
+	return c.verifyToken(ctx, token, in.Nonce)
+}
+
+func authorizationRequestOptions(nonce string, pkceParams pkce.Params, extraParams map[string]string) []oauth2.AuthCodeOption {
+	opts := []oauth2.AuthCodeOption{
+		oauth2.AccessTypeOffline,
+		gooidc.Nonce(nonce),
+	}
+	if pkceOpt := pkceParams.AuthCodeOption(); pkceOpt != nil {
+		opts = append(opts, pkceOpt)
+	}
+	for key, value := range extraParams {
+		opts = append(opts, oauth2.SetAuthURLParam(key, value))
+	}
+	return opts
+}
+
+func tokenRequestOptions(pkceParams pkce.Params) []oauth2.AuthCodeOption {
+	if pkceOpt := pkceParams.TokenRequestOption(); pkceOpt != nil {
+		return []oauth2.AuthCodeOption{pkceOpt}
+	}
+	return nil
+}
--- a/pkg/oidc/client/client.go
+++ b/pkg/oidc/client/client.go
@@ -11,7 +11,6 @@ import (
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/pkce"
-	"github.com/int128/oauth2cli"
 	"github.com/int128/oauth2dev"
 	"golang.org/x/oauth2"
 )
@@ -20,48 +19,22 @@ type Interface interface {
 	GetAuthCodeURL(in AuthCodeURLInput) string
 	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error)
 	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error)
+	NegotiatedPKCEMethod() pkce.Method
 	GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error)
+	GetTokenByClientCredentials(ctx context.Context, in GetTokenByClientCredentialsInput) (*oidc.TokenSet, error)
 	GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error)
 	ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)
 	Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)
-	SupportedPKCEMethods() []string
-}
-
-type AuthCodeURLInput struct {
-	State                  string
-	Nonce                  string
-	PKCEParams             pkce.Params
-	RedirectURI            string
-	AuthRequestExtraParams map[string]string
-}
-
-type ExchangeAuthCodeInput struct {
-	Code        string
-	PKCEParams  pkce.Params
-	Nonce       string
-	RedirectURI string
-}
-
-type GetTokenByAuthCodeInput struct {
-	BindAddress            []string
-	State                  string
-	Nonce                  string
-	PKCEParams             pkce.Params
-	RedirectURLHostname    string
-	AuthRequestExtraParams map[string]string
-	LocalServerSuccessHTML string
-	LocalServerCertFile    string
-	LocalServerKeyFile     string
 }

 type client struct {
-	httpClient                  *http.Client
-	provider                    *gooidc.Provider
-	oauth2Config                oauth2.Config
-	clock                       clock.Interface
-	logger                      logger.Interface
-	supportedPKCEMethods        []string
-	deviceAuthorizationEndpoint string
+	httpClient           *http.Client
+	provider             *gooidc.Provider
+	oauth2Config         oauth2.Config
+	clock                clock.Interface
+	logger               logger.Interface
+	negotiatedPKCEMethod pkce.Method
+	useAccessToken       bool
 }

 func (c *client) wrapContext(ctx context.Context) context.Context {
@@ -71,110 +44,6 @@ func (c *client) wrapContext(ctx context.Context) context.Context {
 	return ctx
 }

-// GetTokenByAuthCode performs the authorization code flow.
-func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	config := oauth2cli.Config{
-		OAuth2Config:           c.oauth2Config,
-		State:                  in.State,
-		AuthCodeOptions:        authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
-		TokenRequestOptions:    tokenRequestOptions(in.PKCEParams),
-		LocalServerBindAddress: in.BindAddress,
-		LocalServerReadyChan:   localServerReadyChan,
-		RedirectURLHostname:    in.RedirectURLHostname,
-		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
-		LocalServerCertFile:    in.LocalServerCertFile,
-		LocalServerKeyFile:     in.LocalServerKeyFile,
-		Logf:                   c.logger.V(1).Infof,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, fmt.Errorf("oauth2 error: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
-func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
-	cfg := c.oauth2Config
-	cfg.RedirectURL = in.RedirectURI
-	opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
-	return cfg.AuthCodeURL(in.State, opts...)
-}
-
-// ExchangeAuthCode exchanges the authorization code and token.
-func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	cfg := c.oauth2Config
-	cfg.RedirectURL = in.RedirectURI
-	opts := tokenRequestOptions(in.PKCEParams)
-	token, err := cfg.Exchange(ctx, in.Code, opts...)
-	if err != nil {
-		return nil, fmt.Errorf("exchange error: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-func authorizationRequestOptions(n string, p pkce.Params, e map[string]string) []oauth2.AuthCodeOption {
-	o := []oauth2.AuthCodeOption{
-		oauth2.AccessTypeOffline,
-		gooidc.Nonce(n),
-	}
-	if !p.IsZero() {
-		o = append(o,
-			oauth2.SetAuthURLParam("code_challenge", p.CodeChallenge),
-			oauth2.SetAuthURLParam("code_challenge_method", p.CodeChallengeMethod),
-		)
-	}
-	for key, value := range e {
-		o = append(o, oauth2.SetAuthURLParam(key, value))
-	}
-	return o
-}
-
-func tokenRequestOptions(p pkce.Params) (o []oauth2.AuthCodeOption) {
-	if !p.IsZero() {
-		o = append(o, oauth2.SetAuthURLParam("code_verifier", p.CodeVerifier))
-	}
-	return
-}
-
-// SupportedPKCEMethods returns the PKCE methods supported by the provider.
-// This may return nil if PKCE is not supported.
-func (c *client) SupportedPKCEMethods() []string {
-	return c.supportedPKCEMethods
-}
-
-// GetTokenByROPC performs the resource owner password credentials flow.
-func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
-	if err != nil {
-		return nil, fmt.Errorf("resource owner password credentials flow error: %w", err)
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// GetDeviceAuthorization initializes the device authorization code challenge
-func (c *client) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
-	ctx = c.wrapContext(ctx)
-	config := c.oauth2Config
-	config.Endpoint = oauth2.Endpoint{
-		AuthURL: c.deviceAuthorizationEndpoint,
-	}
-	return oauth2dev.RetrieveCode(ctx, config)
-}
-
-// ExchangeDeviceCode exchanges the device to an oidc.TokenSet
-func (c *client) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	tokenResponse, err := oauth2dev.PollToken(ctx, c.oauth2Config, *authResponse)
-	if err != nil {
-		return nil, fmt.Errorf("device-code: exchange failed: %w", err)
-	}
-	return c.verifyToken(ctx, tokenResponse, "")
-}
-
 // Refresh sends a refresh token request and returns a token set.
 func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
 	ctx = c.wrapContext(ctx)
@@ -205,6 +74,32 @@ func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce str
 	if nonce != "" && nonce != verifiedIDToken.Nonce {
 		return nil, fmt.Errorf("nonce did not match (wants %s but got %s)", nonce, verifiedIDToken.Nonce)
 	}
+
+	if c.useAccessToken {
+		accessToken, ok := token.Extra("access_token").(string)
+		if !ok {
+			return nil, fmt.Errorf("access_token is missing in the token response: %#v", accessToken)
+		}
+
+		// We intentionally do not perform a ClientID check here because there
+		// are some use cases in access_tokens where we *expect* the audience
+		// to differ. For example, one can explicitly set
+		// `audience=CLUSTER_CLIENT_ID` as an extra auth parameter.
+		verifier = c.provider.Verifier(&gooidc.Config{ClientID: "", Now: c.clock.Now, SkipClientIDCheck: true})
+
+		_, err := verifier.Verify(ctx, accessToken)
+		if err != nil {
+			return nil, fmt.Errorf("could not verify the access token: %w", err)
+		}
+
+		// There is no `nonce` to check on the `access_token`. We rely on the
+		// above `nonce` check on the `id_token`.
+
+		return &oidc.TokenSet{
+			IDToken:      accessToken,
+			RefreshToken: token.RefreshToken,
+		}, nil
+	}
 	return &oidc.TokenSet{
 		IDToken:      idToken,
 		RefreshToken: token.RefreshToken,
--- a/pkg/oidc/client/clientcredentials.go
+++ b/pkg/oidc/client/clientcredentials.go
@@ -0,0 +1,41 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
+)
+
+type GetTokenByClientCredentialsInput struct {
+	EndpointParams map[string][]string
+}
+
+// GetTokenByClientCredentials performs the client credentials flow.
+func (c *client) GetTokenByClientCredentials(ctx context.Context, in GetTokenByClientCredentialsInput) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	c.logger.V(1).Infof("%s, %s, %v", c.oauth2Config.ClientID, c.oauth2Config.Endpoint.AuthURL, c.oauth2Config.Scopes)
+
+	config := clientcredentials.Config{
+		ClientID:       c.oauth2Config.ClientID,
+		ClientSecret:   c.oauth2Config.ClientSecret,
+		TokenURL:       c.oauth2Config.Endpoint.TokenURL,
+		Scopes:         c.oauth2Config.Scopes,
+		EndpointParams: in.EndpointParams,
+		AuthStyle:      oauth2.AuthStyleInHeader,
+	}
+	source := config.TokenSource(ctx)
+	token, err := source.Token()
+	if err != nil {
+		return nil, fmt.Errorf("could not acquire token: %w", err)
+	}
+	if c.useAccessToken {
+		return &oidc.TokenSet{
+			IDToken:      token.AccessToken,
+			RefreshToken: token.RefreshToken,
+		}, nil
+	}
+	return c.verifyToken(ctx, token, "")
+}
--- a/pkg/oidc/client/devicecode.go
+++ b/pkg/oidc/client/devicecode.go
@@ -0,0 +1,30 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/oauth2dev"
+	"golang.org/x/oauth2"
+)
+
+// GetDeviceAuthorization initializes the device authorization code challenge
+func (c *client) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ctx = c.wrapContext(ctx)
+	config := c.oauth2Config
+	config.Endpoint = oauth2.Endpoint{
+		AuthURL: c.provider.Endpoint().DeviceAuthURL,
+	}
+	return oauth2dev.RetrieveCode(ctx, config)
+}
+
+// ExchangeDeviceCode exchanges the device authorization code for an oidc.TokenSet
+func (c *client) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	tokenResponse, err := oauth2dev.PollToken(ctx, c.oauth2Config, *authResponse)
+	if err != nil {
+		return nil, fmt.Errorf("device-code: exchange failed: %w", err)
+	}
+	return c.verifyToken(ctx, tokenResponse, "")
+}
--- a/pkg/oidc/client/factory.go
+++ b/pkg/oidc/client/factory.go
@@ -5,13 +5,14 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"slices"

 	gooidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
-	"github.com/int128/kubelogin/pkg/oidc/client/logging"
+	"github.com/int128/kubelogin/pkg/oidc/client/transport"
 	"github.com/int128/kubelogin/pkg/pkce"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
@@ -24,7 +25,7 @@ var Set = wire.NewSet(
 )

 type FactoryInterface interface {
-	New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error)
+	New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error)
 }

 type Factory struct {
@@ -34,25 +35,26 @@ type Factory struct {
 }

 // New returns an instance of infrastructure.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
+func (f *Factory) New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
 	rawTLSClientConfig, err := f.Loader.Load(tlsClientConfig)
 	if err != nil {
 		return nil, fmt.Errorf("could not load the TLS client config: %w", err)
 	}
-	baseTransport := &http.Transport{
-		TLSClientConfig: rawTLSClientConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
 	httpClient := &http.Client{
-		Transport: loggingTransport,
+		Transport: &transport.WithHeader{
+			Base: &transport.WithLogging{
+				Base: &http.Transport{
+					TLSClientConfig: rawTLSClientConfig,
+					Proxy:           http.ProxyFromEnvironment,
+				},
+				Logger: f.Logger,
+			},
+			RequestHeaders: prov.RequestHeaders,
+		},
 	}

 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := gooidc.NewProvider(ctx, p.IssuerURL)
+	provider, err := gooidc.NewProvider(ctx, prov.IssuerURL)
 	if err != nil {
 		return nil, fmt.Errorf("oidc discovery error: %w", err)
 	}
@@ -60,45 +62,43 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	if err != nil {
 		return nil, fmt.Errorf("could not determine supported PKCE methods: %w", err)
 	}
-	if len(supportedPKCEMethods) == 0 && p.UsePKCE {
-		supportedPKCEMethods = []string{pkce.MethodS256}
-	}
-	deviceAuthorizationEndpoint, err := extractDeviceAuthorizationEndpoint(provider)
-	if err != nil {
-		return nil, fmt.Errorf("could not determine device authorization endpoint: %w", err)
-	}
 	return &client{
 		httpClient: httpClient,
 		provider:   provider,
 		oauth2Config: oauth2.Config{
 			Endpoint:     provider.Endpoint(),
-			ClientID:     p.ClientID,
-			ClientSecret: p.ClientSecret,
-			Scopes:       append(p.ExtraScopes, gooidc.ScopeOpenID),
+			ClientID:     prov.ClientID,
+			ClientSecret: prov.ClientSecret,
+			RedirectURL:  prov.RedirectURL,
+			Scopes:       append(prov.ExtraScopes, gooidc.ScopeOpenID),
 		},
-		clock:                       f.Clock,
-		logger:                      f.Logger,
-		supportedPKCEMethods:        supportedPKCEMethods,
-		deviceAuthorizationEndpoint: deviceAuthorizationEndpoint,
+		clock:                f.Clock,
+		logger:               f.Logger,
+		negotiatedPKCEMethod: determinePKCEMethod(supportedPKCEMethods, prov.PKCEMethod),
+		useAccessToken:       prov.UseAccessToken,
 	}, nil
 }

-func extractSupportedPKCEMethods(provider *gooidc.Provider) ([]string, error) {
-	var d struct {
-		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
+func determinePKCEMethod(supportedMethods []string, preferredMethod oidc.PKCEMethod) pkce.Method {
+	switch preferredMethod {
+	case oidc.PKCEMethodNo:
+		return pkce.NoMethod
+	case oidc.PKCEMethodS256:
+		return pkce.MethodS256
+	default:
+		if slices.Contains(supportedMethods, "S256") {
+			return pkce.MethodS256
+		}
+		return pkce.NoMethod
 	}
-	if err := provider.Claims(&d); err != nil {
-		return nil, fmt.Errorf("invalid discovery document: %w", err)
-	}
-	return d.CodeChallengeMethodsSupported, nil
 }

-func extractDeviceAuthorizationEndpoint(provider *gooidc.Provider) (string, error) {
-	var d struct {
-		DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint"`
+func extractSupportedPKCEMethods(provider *gooidc.Provider) ([]string, error) {
+	var claims struct {
+		CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
 	}
-	if err := provider.Claims(&d); err != nil {
-		return "", fmt.Errorf("invalid discovery document: %w", err)
+	if err := provider.Claims(&claims); err != nil {
+		return nil, fmt.Errorf("invalid discovery document: %w", err)
 	}
-	return d.DeviceAuthorizationEndpoint, nil
+	return claims.CodeChallengeMethodsSupported, nil
 }
--- a/pkg/oidc/client/mock_FactoryInterface.go
+++ b/pkg/oidc/client/mock_FactoryInterface.go
@@ -1,88 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package client
-
-import (
-	context "context"
-
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-	mock "github.com/stretchr/testify/mock"
-
-	tlsclientconfig "github.com/int128/kubelogin/pkg/tlsclientconfig"
-)
-
-// MockFactoryInterface is an autogenerated mock type for the FactoryInterface type
-type MockFactoryInterface struct {
-	mock.Mock
-}
-
-type MockFactoryInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
-	return &MockFactoryInterface_Expecter{mock: &_m.Mock}
-}
-
-// New provides a mock function with given fields: ctx, p, tlsClientConfig
-func (_m *MockFactoryInterface) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config) (Interface, error) {
-	ret := _m.Called(ctx, p, tlsClientConfig)
-
-	var r0 Interface
-	if rf, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) Interface); ok {
-		r0 = rf(ctx, p, tlsClientConfig)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Interface)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
-		r1 = rf(ctx, p, tlsClientConfig)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockFactoryInterface_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
-type MockFactoryInterface_New_Call struct {
-	*mock.Call
-}
-
-// New is a helper method to define mock.On call
-//   - ctx context.Context
-//   - p oidc.Provider
-//   - tlsClientConfig tlsclientconfig.Config
-func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, p interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
-	return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, p, tlsClientConfig)}
-}
-
-func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, p oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(oidc.Provider), args[2].(tlsclientconfig.Config))
-	})
-	return _c
-}
-
-func (_c *MockFactoryInterface_New_Call) Return(_a0 Interface, _a1 error) *MockFactoryInterface_New_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-type mockConstructorTestingTNewMockFactoryInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockFactoryInterface(t mockConstructorTestingTNewMockFactoryInterface) *MockFactoryInterface {
-	mock := &MockFactoryInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/oidc/client/mock_Interface.go
+++ b/pkg/oidc/client/mock_Interface.go
@@ -1,398 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package client
-
-import (
-	context "context"
-
-	oauth2dev "github.com/int128/oauth2dev"
-	mock "github.com/stretchr/testify/mock"
-
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// ExchangeAuthCode provides a mock function with given fields: ctx, in
-func (_m *MockInterface) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, in)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, ExchangeAuthCodeInput) *oidc.TokenSet); ok {
-		r0 = rf(ctx, in)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, ExchangeAuthCodeInput) error); ok {
-		r1 = rf(ctx, in)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
-type MockInterface_ExchangeAuthCode_Call struct {
-	*mock.Call
-}
-
-// ExchangeAuthCode is a helper method to define mock.On call
-//   - ctx context.Context
-//   - in ExchangeAuthCodeInput
-func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
-	return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
-}
-
-func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(ExchangeAuthCodeInput))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ExchangeAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeAuthCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// ExchangeDeviceCode provides a mock function with given fields: ctx, authResponse
-func (_m *MockInterface) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, authResponse)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) *oidc.TokenSet); ok {
-		r0 = rf(ctx, authResponse)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, *oauth2dev.AuthorizationResponse) error); ok {
-		r1 = rf(ctx, authResponse)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ExchangeDeviceCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeDeviceCode'
-type MockInterface_ExchangeDeviceCode_Call struct {
-	*mock.Call
-}
-
-// ExchangeDeviceCode is a helper method to define mock.On call
-//   - ctx context.Context
-//   - authResponse *oauth2dev.AuthorizationResponse
-func (_e *MockInterface_Expecter) ExchangeDeviceCode(ctx interface{}, authResponse interface{}) *MockInterface_ExchangeDeviceCode_Call {
-	return &MockInterface_ExchangeDeviceCode_Call{Call: _e.mock.On("ExchangeDeviceCode", ctx, authResponse)}
-}
-
-func (_c *MockInterface_ExchangeDeviceCode_Call) Run(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse)) *MockInterface_ExchangeDeviceCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*oauth2dev.AuthorizationResponse))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ExchangeDeviceCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_ExchangeDeviceCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetAuthCodeURL provides a mock function with given fields: in
-func (_m *MockInterface) GetAuthCodeURL(in AuthCodeURLInput) string {
-	ret := _m.Called(in)
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func(AuthCodeURLInput) string); ok {
-		r0 = rf(in)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
-type MockInterface_GetAuthCodeURL_Call struct {
-	*mock.Call
-}
-
-// GetAuthCodeURL is a helper method to define mock.On call
-//   - in AuthCodeURLInput
-func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
-	return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
-}
-
-func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(AuthCodeURLInput))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetAuthCodeURL_Call) Return(_a0 string) *MockInterface_GetAuthCodeURL_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-// GetDeviceAuthorization provides a mock function with given fields: ctx
-func (_m *MockInterface) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
-	ret := _m.Called(ctx)
-
-	var r0 *oauth2dev.AuthorizationResponse
-	if rf, ok := ret.Get(0).(func(context.Context) *oauth2dev.AuthorizationResponse); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oauth2dev.AuthorizationResponse)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetDeviceAuthorization_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDeviceAuthorization'
-type MockInterface_GetDeviceAuthorization_Call struct {
-	*mock.Call
-}
-
-// GetDeviceAuthorization is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockInterface_Expecter) GetDeviceAuthorization(ctx interface{}) *MockInterface_GetDeviceAuthorization_Call {
-	return &MockInterface_GetDeviceAuthorization_Call{Call: _e.mock.On("GetDeviceAuthorization", ctx)}
-}
-
-func (_c *MockInterface_GetDeviceAuthorization_Call) Run(run func(ctx context.Context)) *MockInterface_GetDeviceAuthorization_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetDeviceAuthorization_Call) Return(_a0 *oauth2dev.AuthorizationResponse, _a1 error) *MockInterface_GetDeviceAuthorization_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetTokenByAuthCode provides a mock function with given fields: ctx, in, localServerReadyChan
-func (_m *MockInterface) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, in, localServerReadyChan)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, in, localServerReadyChan)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, GetTokenByAuthCodeInput, chan<- string) error); ok {
-		r1 = rf(ctx, in, localServerReadyChan)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
-type MockInterface_GetTokenByAuthCode_Call struct {
-	*mock.Call
-}
-
-// GetTokenByAuthCode is a helper method to define mock.On call
-//   - ctx context.Context
-//   - in GetTokenByAuthCodeInput
-//   - localServerReadyChan chan<- string
-func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
-	return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
-}
-
-func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(GetTokenByAuthCodeInput), args[2].(chan<- string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetTokenByAuthCode_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByAuthCode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// GetTokenByROPC provides a mock function with given fields: ctx, username, password
-func (_m *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, username, password)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, username, password)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
-		r1 = rf(ctx, username, password)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
-type MockInterface_GetTokenByROPC_Call struct {
-	*mock.Call
-}
-
-// GetTokenByROPC is a helper method to define mock.On call
-//   - ctx context.Context
-//   - username string
-//   - password string
-func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
-	return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
-}
-
-func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string), args[2].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetTokenByROPC_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_GetTokenByROPC_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Refresh provides a mock function with given fields: ctx, refreshToken
-func (_m *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
-	ret := _m.Called(ctx, refreshToken)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
-		r0 = rf(ctx, refreshToken)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, refreshToken)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
-type MockInterface_Refresh_Call struct {
-	*mock.Call
-}
-
-// Refresh is a helper method to define mock.On call
-//   - ctx context.Context
-//   - refreshToken string
-func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
-	return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
-}
-
-func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Refresh_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_Refresh_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// SupportedPKCEMethods provides a mock function with given fields:
-func (_m *MockInterface) SupportedPKCEMethods() []string {
-	ret := _m.Called()
-
-	var r0 []string
-	if rf, ok := ret.Get(0).(func() []string); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]string)
-		}
-	}
-
-	return r0
-}
-
-// MockInterface_SupportedPKCEMethods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SupportedPKCEMethods'
-type MockInterface_SupportedPKCEMethods_Call struct {
-	*mock.Call
-}
-
-// SupportedPKCEMethods is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) SupportedPKCEMethods() *MockInterface_SupportedPKCEMethods_Call {
-	return &MockInterface_SupportedPKCEMethods_Call{Call: _e.mock.On("SupportedPKCEMethods")}
-}
-
-func (_c *MockInterface_SupportedPKCEMethods_Call) Run(run func()) *MockInterface_SupportedPKCEMethods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_SupportedPKCEMethods_Call) Return(_a0 []string) *MockInterface_SupportedPKCEMethods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/oidc/client/ropc.go
+++ b/pkg/oidc/client/ropc.go
@@ -0,0 +1,18 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+)
+
+// GetTokenByROPC performs the resource owner password credentials flow.
+func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
+	if err != nil {
+		return nil, fmt.Errorf("resource owner password credentials flow error: %w", err)
+	}
+	return c.verifyToken(ctx, token, "")
+}
--- a/pkg/oidc/client/transport/header.go
+++ b/pkg/oidc/client/transport/header.go
@@ -0,0 +1,21 @@
+package transport
+
+import "net/http"
+
+// WithHeader is a RoundTripper that adds custom headers to each request.
+//
+// Token retrievel fails when an auth code has been retrieved using Azure AD
+// Single Page Application due to the missing "Origin" header for CORS
+// validation.
+// https://github.com/int128/kubelogin/issues/1048
+type WithHeader struct {
+	Base           http.RoundTripper
+	RequestHeaders map[string]string
+}
+
+func (t *WithHeader) RoundTrip(req *http.Request) (*http.Response, error) {
+	for key, value := range t.RequestHeaders {
+		req.Header.Set(key, value)
+	}
+	return t.Base.RoundTrip(req)
+}
--- a/pkg/oidc/client/transport/logging.go
+++ b/pkg/oidc/client/transport/logging.go
@@ -1,4 +1,4 @@
-package logging
+package transport

 import (
 	"net/http"
@@ -12,12 +12,12 @@ const (
 	levelDumpBody    = 3
 )

-type Transport struct {
+type WithLogging struct {
 	Base   http.RoundTripper
 	Logger logger.Interface
 }

-func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+func (t *WithLogging) RoundTrip(req *http.Request) (*http.Response, error) {
 	if !t.Logger.IsEnabled(levelDumpHeaders) {
 		return t.Base.RoundTrip(req)
 	}
--- a/pkg/oidc/client/transport/logging_test.go
+++ b/pkg/oidc/client/transport/logging_test.go
@@ -1,4 +1,4 @@
-package logging
+package transport

 import (
 	"bufio"
@@ -20,7 +20,7 @@ func (t *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	return t.resp, nil
 }

-func TestLoggingTransport_RoundTrip(t *testing.T) {
+func TestWithLogging_RoundTrip(t *testing.T) {
 	req := httptest.NewRequest("GET", "http://example.com/hello", nil)
 	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(`HTTP/1.1 200 OK
 Host: example.com
@@ -29,9 +29,13 @@ dummy`)), req)
 	if err != nil {
 		t.Errorf("could not create a response: %s", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			t.Errorf("could not close response body: %s", err)
+		}
+	}()

-	transport := &Transport{
+	transport := &WithLogging{
 		Base:   &mockTransport{resp: resp},
 		Logger: logger.New(t),
 	}
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
@@ -11,13 +11,25 @@ import (

 // Provider represents an OIDC provider.
 type Provider struct {
-	IssuerURL    string
-	ClientID     string
-	ClientSecret string   // optional
-	ExtraScopes  []string // optional
-	UsePKCE      bool     // optional
+	IssuerURL      string
+	ClientID       string
+	ClientSecret   string   // optional
+	ExtraScopes    []string // optional
+	RedirectURL    string   // optional
+	PKCEMethod     PKCEMethod
+	UseAccessToken bool
+	RequestHeaders map[string]string
 }

+// PKCEMethod represents a preferred method of PKCE.
+type PKCEMethod int
+
+const (
+	PKCEMethodAuto PKCEMethod = iota
+	PKCEMethodNo
+	PKCEMethodS256
+)
+
 // TokenSet represents a set of ID token and refresh token.
 type TokenSet struct {
 	IDToken      string
--- a/pkg/pkce/pkce.go
+++ b/pkg/pkce/pkce.go
@@ -2,72 +2,45 @@
 // See also https://tools.ietf.org/html/rfc7636.
 package pkce

-import (
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/binary"
-	"fmt"
-)
+import "golang.org/x/oauth2"

-var Plain Params
+type Method int

 const (
-	// code challenge methods defined as https://tools.ietf.org/html/rfc7636#section-4.3
-	MethodS256 = "S256"
+	// Code challenge methods defined as https://tools.ietf.org/html/rfc7636#section-4.3
+	NoMethod Method = iota
+	MethodS256
 )

 // Params represents a set of the PKCE parameters.
 type Params struct {
-	CodeChallenge       string
-	CodeChallengeMethod string
-	CodeVerifier        string
+	Method   Method
+	Verifier string
 }

-func (p Params) IsZero() bool {
-	return p == Params{}
+func (params Params) AuthCodeOption() oauth2.AuthCodeOption {
+	if params.Method == MethodS256 {
+		return oauth2.S256ChallengeOption(params.Verifier)
+	}
+	return nil
+}
+
+func (params Params) TokenRequestOption() oauth2.AuthCodeOption {
+	if params.Method == MethodS256 {
+		return oauth2.VerifierOption(params.Verifier)
+	}
+	return nil
 }

 // New returns a parameters supported by the provider.
 // You need to pass the code challenge methods defined in RFC7636.
-// It returns Plain if no method is available.
-func New(methods []string) (Params, error) {
-	for _, method := range methods {
-		if method == MethodS256 {
-			return NewS256()
-		}
+// It returns a zero value if no method is available.
+func New(method Method) (Params, error) {
+	if method == MethodS256 {
+		return Params{
+			Method:   MethodS256,
+			Verifier: oauth2.GenerateVerifier(),
+		}, nil
 	}
-	return Plain, nil
-}
-
-// NewS256 generates a parameters for S256.
-func NewS256() (Params, error) {
-	b, err := random32()
-	if err != nil {
-		return Plain, fmt.Errorf("could not generate a random: %w", err)
-	}
-	return computeS256(b), nil
-}
-
-func random32() ([]byte, error) {
-	b := make([]byte, 32)
-	if err := binary.Read(rand.Reader, binary.LittleEndian, b); err != nil {
-		return nil, fmt.Errorf("read error: %w", err)
-	}
-	return b, nil
-}
-
-func computeS256(b []byte) Params {
-	v := base64URLEncode(b)
-	s := sha256.New()
-	_, _ = s.Write([]byte(v))
-	return Params{
-		CodeChallenge:       base64URLEncode(s.Sum(nil)),
-		CodeChallengeMethod: MethodS256,
-		CodeVerifier:        v,
-	}
-}
-
-func base64URLEncode(b []byte) string {
-	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(b)
+	return Params{}, nil
 }
--- a/pkg/pkce/pkce_test.go
+++ b/pkg/pkce/pkce_test.go
@@ -1,61 +0,0 @@
-package pkce
-
-import (
-	"testing"
-)
-
-func TestNew(t *testing.T) {
-	t.Run("S256", func(t *testing.T) {
-		p, err := New([]string{"plain", "S256"})
-		if err != nil {
-			t.Fatalf("New error: %s", err)
-		}
-		if p.CodeChallengeMethod != "S256" {
-			t.Errorf("CodeChallengeMethod wants S256 but was %s", p.CodeChallengeMethod)
-		}
-		if p.CodeChallenge == "" {
-			t.Errorf("CodeChallenge wants non-empty but was empty")
-		}
-		if p.CodeVerifier == "" {
-			t.Errorf("CodeVerifier wants non-empty but was empty")
-		}
-	})
-	t.Run("plain", func(t *testing.T) {
-		p, err := New([]string{"plain"})
-		if err != nil {
-			t.Fatalf("New error: %s", err)
-		}
-		if !p.IsZero() {
-			t.Errorf("IsZero wants true but was false")
-		}
-	})
-	t.Run("nil", func(t *testing.T) {
-		p, err := New(nil)
-		if err != nil {
-			t.Fatalf("New error: %s", err)
-		}
-		if !p.IsZero() {
-			t.Errorf("IsZero wants true but was false")
-		}
-	})
-}
-
-func Test_computeS256(t *testing.T) {
-	// Testdata described at:
-	// https://tools.ietf.org/html/rfc7636#appendix-B
-	b := []byte{
-		116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173,
-		187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83,
-		132, 141, 121,
-	}
-	p := computeS256(b)
-	if want := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"; want != p.CodeVerifier {
-		t.Errorf("CodeVerifier wants %s but was %s", want, p.CodeVerifier)
-	}
-	if want := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"; want != p.CodeChallenge {
-		t.Errorf("CodeChallenge wants %s but was %s", want, p.CodeChallenge)
-	}
-	if p.CodeChallengeMethod != "S256" {
-		t.Errorf("CodeChallengeMethod wants S256 but was %s", p.CodeChallengeMethod)
-	}
-}
--- a/pkg/testing/logger/mock_testingLogger.go
+++ b/pkg/testing/logger/mock_testingLogger.go
@@ -1,72 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package logger
-
-import mock "github.com/stretchr/testify/mock"
-
-// mockTestingLogger is an autogenerated mock type for the testingLogger type
-type mockTestingLogger struct {
-	mock.Mock
-}
-
-type mockTestingLogger_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *mockTestingLogger) EXPECT() *mockTestingLogger_Expecter {
-	return &mockTestingLogger_Expecter{mock: &_m.Mock}
-}
-
-// Logf provides a mock function with given fields: format, v
-func (_m *mockTestingLogger) Logf(format string, v ...interface{}) {
-	var _ca []interface{}
-	_ca = append(_ca, format)
-	_ca = append(_ca, v...)
-	_m.Called(_ca...)
-}
-
-// mockTestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
-type mockTestingLogger_Logf_Call struct {
-	*mock.Call
-}
-
-// Logf is a helper method to define mock.On call
-//   - format string
-//   - v ...interface{}
-func (_e *mockTestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *mockTestingLogger_Logf_Call {
-	return &mockTestingLogger_Logf_Call{Call: _e.mock.On("Logf",
-		append([]interface{}{format}, v...)...)}
-}
-
-func (_c *mockTestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *mockTestingLogger_Logf_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		variadicArgs := make([]interface{}, len(args)-1)
-		for i, a := range args[1:] {
-			if a != nil {
-				variadicArgs[i] = a.(interface{})
-			}
-		}
-		run(args[0].(string), variadicArgs...)
-	})
-	return _c
-}
-
-func (_c *mockTestingLogger_Logf_Call) Return() *mockTestingLogger_Logf_Call {
-	_c.Call.Return()
-	return _c
-}
-
-type mockConstructorTestingTnewMockTestingLogger interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// newMockTestingLogger creates a new instance of mockTestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func newMockTestingLogger(t mockConstructorTestingTnewMockTestingLogger) *mockTestingLogger {
-	mock := &mockTestingLogger{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/tokencache/repository/mock_Interface.go
+++ b/pkg/tokencache/repository/mock_Interface.go
@@ -1,124 +0,0 @@
-// Code generated by mockery v2.13.1. DO NOT EDIT.
-
-package repository
-
-import (
-	oidc "github.com/int128/kubelogin/pkg/oidc"
-	mock "github.com/stretchr/testify/mock"
-
-	tokencache "github.com/int128/kubelogin/pkg/tokencache"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// FindByKey provides a mock function with given fields: dir, key
-func (_m *MockInterface) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error) {
-	ret := _m.Called(dir, key)
-
-	var r0 *oidc.TokenSet
-	if rf, ok := ret.Get(0).(func(string, tokencache.Key) *oidc.TokenSet); ok {
-		r0 = rf(dir, key)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*oidc.TokenSet)
-		}
-	}
-
-	var r1 error
-	if rf, ok := ret.Get(1).(func(string, tokencache.Key) error); ok {
-		r1 = rf(dir, key)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_FindByKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindByKey'
-type MockInterface_FindByKey_Call struct {
-	*mock.Call
-}
-
-// FindByKey is a helper method to define mock.On call
-//   - dir string
-//   - key tokencache.Key
-func (_e *MockInterface_Expecter) FindByKey(dir interface{}, key interface{}) *MockInterface_FindByKey_Call {
-	return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", dir, key)}
-}
-
-func (_c *MockInterface_FindByKey_Call) Run(run func(dir string, key tokencache.Key)) *MockInterface_FindByKey_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(tokencache.Key))
-	})
-	return _c
-}
-
-func (_c *MockInterface_FindByKey_Call) Return(_a0 *oidc.TokenSet, _a1 error) *MockInterface_FindByKey_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-// Save provides a mock function with given fields: dir, key, tokenSet
-func (_m *MockInterface) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
-	ret := _m.Called(dir, key, tokenSet)
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(string, tokencache.Key, oidc.TokenSet) error); ok {
-		r0 = rf(dir, key, tokenSet)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockInterface_Save_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Save'
-type MockInterface_Save_Call struct {
-	*mock.Call
-}
-
-// Save is a helper method to define mock.On call
-//   - dir string
-//   - key tokencache.Key
-//   - tokenSet oidc.TokenSet
-func (_e *MockInterface_Expecter) Save(dir interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
-	return &MockInterface_Save_Call{Call: _e.mock.On("Save", dir, key, tokenSet)}
-}
-
-func (_c *MockInterface_Save_Call) Run(run func(dir string, key tokencache.Key, tokenSet oidc.TokenSet)) *MockInterface_Save_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(tokencache.Key), args[2].(oidc.TokenSet))
-	})
-	return _c
-}
-
-func (_c *MockInterface_Save_Call) Return(_a0 error) *MockInterface_Save_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-type mockConstructorTestingTNewMockInterface interface {
-	mock.TestingT
-	Cleanup(func())
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewMockInterface(t mockConstructorTestingTNewMockInterface) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/pkg/tokencache/repository/repository.go
+++ b/pkg/tokencache/repository/repository.go
@@ -6,12 +6,15 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"

+	"github.com/gofrs/flock"
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/tokencache"
+	"github.com/zalando/go-keyring"
 )

 // Set provides an implementation and interface for Kubeconfig.
@@ -21,8 +24,10 @@ var Set = wire.NewSet(
 )

 type Interface interface {
-	FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error)
-	Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error
+	FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error)
+	Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error
+	Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error)
+	DeleteAll(config tokencache.Config) error
 }

 type entity struct {
@@ -34,21 +39,62 @@ type entity struct {
 // Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
 type Repository struct{}

-func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error) {
-	filename, err := computeFilename(key)
+// keyringService is used to namespace the keyring access.
+// Some implementations may also display this string when prompting the user
+// for allowing access.
+const keyringService = "kubelogin"
+
+// keyringItemPrefix is used as the prefix in the keyring items.
+const keyringItemPrefix = "kubelogin/tokencache/"
+
+func (r *Repository) FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error) {
+	checksum, err := computeChecksum(key)
 	if err != nil {
 		return nil, fmt.Errorf("could not compute the key: %w", err)
 	}
-	p := filepath.Join(dir, filename)
-	f, err := os.Open(p)
+	switch config.Storage {
+	case tokencache.StorageDisk:
+		return readFromFile(config, checksum)
+	case tokencache.StorageKeyring:
+		return readFromKeyring(checksum)
+	case tokencache.StorageNone:
+		return nil, nil
+	default:
+		return nil, fmt.Errorf("unknown storage mode: %v", config.Storage)
+	}
+}
+
+func readFromFile(config tokencache.Config, checksum string) (*oidc.TokenSet, error) {
+	p := filepath.Join(config.Directory, checksum)
+	b, err := os.ReadFile(p)
 	if err != nil {
 		return nil, fmt.Errorf("could not open file %s: %w", p, err)
 	}
-	defer f.Close()
-	d := json.NewDecoder(f)
+	t, err := decodeKey(b)
+	if err != nil {
+		return nil, fmt.Errorf("file %s: %w", p, err)
+	}
+	return t, nil
+}
+
+func readFromKeyring(checksum string) (*oidc.TokenSet, error) {
+	p := keyringItemPrefix + checksum
+	s, err := keyring.Get(keyringService, p)
+	if err != nil {
+		return nil, fmt.Errorf("could not get keyring secret %s: %w", p, err)
+	}
+	t, err := decodeKey([]byte(s))
+	if err != nil {
+		return nil, fmt.Errorf("keyring %s: %w", p, err)
+	}
+	return t, nil
+}
+
+func decodeKey(b []byte) (*oidc.TokenSet, error) {
 	var e entity
-	if err := d.Decode(&e); err != nil {
-		return nil, fmt.Errorf("invalid json file %s: %w", p, err)
+	err := json.Unmarshal(b, &e)
+	if err != nil {
+		return nil, fmt.Errorf("invalid token cache json: %w", err)
 	}
 	return &oidc.TokenSet{
 		IDToken:      e.IDToken,
@@ -56,31 +102,106 @@ func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet,
 	}, nil
 }

-func (r *Repository) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return fmt.Errorf("could not create directory %s: %w", dir, err)
-	}
-	filename, err := computeFilename(key)
+func (r *Repository) Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error {
+	checksum, err := computeChecksum(key)
 	if err != nil {
 		return fmt.Errorf("could not compute the key: %w", err)
 	}
-	p := filepath.Join(dir, filename)
-	f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	switch config.Storage {
+	case tokencache.StorageDisk:
+		return writeToFile(config, checksum, tokenSet)
+	case tokencache.StorageKeyring:
+		return writeToKeyring(checksum, tokenSet)
+	case tokencache.StorageNone:
+		return nil
+	default:
+		return fmt.Errorf("unknown storage mode: %v", config.Storage)
+	}
+}
+
+func writeToFile(config tokencache.Config, checksum string, tokenSet oidc.TokenSet) error {
+	p := filepath.Join(config.Directory, checksum)
+	b, err := encodeKey(tokenSet)
 	if err != nil {
+		return fmt.Errorf("file %s: %w", p, err)
+	}
+	if err := os.MkdirAll(config.Directory, 0700); err != nil {
+		return fmt.Errorf("could not create directory %s: %w", config.Directory, err)
+	}
+	if err := os.WriteFile(p, b, 0600); err != nil {
 		return fmt.Errorf("could not create file %s: %w", p, err)
 	}
-	defer f.Close()
-	e := entity{
-		IDToken:      tokenSet.IDToken,
-		RefreshToken: tokenSet.RefreshToken,
-	}
-	if err := json.NewEncoder(f).Encode(&e); err != nil {
-		return fmt.Errorf("json encode error: %w", err)
-	}
 	return nil
 }

-func computeFilename(key tokencache.Key) (string, error) {
+func writeToKeyring(checksum string, tokenSet oidc.TokenSet) error {
+	p := keyringItemPrefix + checksum
+	b, err := encodeKey(tokenSet)
+	if err != nil {
+		return fmt.Errorf("keyring %s: %w", p, err)
+	}
+	if err := keyring.Set(keyringService, p, string(b)); err != nil {
+		return fmt.Errorf("keyring write %s: %w", p, err)
+	}
+	return nil
+}
+
+// Implement io.Closer for noneStorage type
+type noneStorageCloser struct{}
+
+func (c noneStorageCloser) Close() error { return nil }
+
+func (r *Repository) Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error) {
+	if config.Storage == tokencache.StorageNone {
+		return noneStorageCloser{}, nil
+	}
+	checksum, err := computeChecksum(key)
+	if err != nil {
+		return nil, fmt.Errorf("could not compute the key: %w", err)
+	}
+	// NOTE: Both keyring and disk storage types use files for locking
+	// No sensitive data is stored in the lock file
+	if err := os.MkdirAll(config.Directory, 0700); err != nil {
+		return nil, fmt.Errorf("could not create directory %s: %w", config.Directory, err)
+	}
+	// Do not lock the token cache file.
+	// https://github.com/int128/kubelogin/issues/1144
+	lockFilepath := filepath.Join(config.Directory, checksum+".lock")
+	lockFile := flock.New(lockFilepath)
+	if err := lockFile.Lock(); err != nil {
+		return nil, fmt.Errorf("could not lock the cache file %s: %w", lockFilepath, err)
+	}
+	return lockFile, nil
+}
+
+func (r *Repository) DeleteAll(config tokencache.Config) error {
+	switch config.Storage {
+	case tokencache.StorageDisk:
+		if err := os.RemoveAll(config.Directory); err != nil {
+			return fmt.Errorf("remove the directory %s: %w", config.Directory, err)
+		}
+		return nil
+	case tokencache.StorageKeyring:
+		if err := keyring.DeleteAll(keyringService); err != nil {
+			return fmt.Errorf("keyring delete: %w", err)
+		}
+		return nil
+	case tokencache.StorageNone:
+		return nil
+	default:
+		return fmt.Errorf("unknown storage mode: %v", config.Storage)
+	}
+}
+
+func encodeKey(tokenSet oidc.TokenSet) ([]byte, error) {
+	e := entity{
+		IDToken:      tokenSet.IDToken,
+		RefreshToken: tokenSet.RefreshToken,
+	}
+	return json.Marshal(&e)
+}
+
+func computeChecksum(key tokencache.Key) (string, error) {
 	s := sha256.New()
 	e := gob.NewEncoder(s)
 	if err := e.Encode(&key); err != nil {
--- a/pkg/tokencache/repository/repository_test.go
+++ b/pkg/tokencache/repository/repository_test.go
@@ -7,6 +7,7 @@ import (

 	"github.com/google/go-cmp/cmp"
 	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/tokencache"
 )

@@ -15,16 +16,24 @@ func TestRepository_FindByKey(t *testing.T) {

 	t.Run("Success", func(t *testing.T) {
 		dir := t.TempDir()
-		key := tokencache.Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
+		config := tokencache.Config{
+			Directory: dir,
+			Storage:   tokencache.StorageDisk,
 		}
+		key := tokencache.Key{
+			Provider: oidc.Provider{
+				IssuerURL:    "YOUR_ISSUER",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"openid", "email"},
+			},
+			TLSClientConfig: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert"},
+			},
+		}
+
 		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename, err := computeFilename(key)
+		filename, err := computeChecksum(key)
 		if err != nil {
 			t.Errorf("could not compute the key: %s", err)
 		}
@@ -33,7 +42,7 @@ func TestRepository_FindByKey(t *testing.T) {
 			t.Fatalf("could not write to the temp file: %s", err)
 		}

-		got, err := r.FindByKey(dir, key)
+		got, err := r.FindByKey(config, key)
 		if err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}
@@ -49,20 +58,27 @@ func TestRepository_Save(t *testing.T) {

 	t.Run("Success", func(t *testing.T) {
 		dir := t.TempDir()
+		config := tokencache.Config{
+			Directory: dir,
+			Storage:   tokencache.StorageDisk,
+		}
 		key := tokencache.Key{
-			IssuerURL:      "YOUR_ISSUER",
-			ClientID:       "YOUR_CLIENT_ID",
-			ClientSecret:   "YOUR_CLIENT_SECRET",
-			ExtraScopes:    []string{"openid", "email"},
-			CACertFilename: "/path/to/cert",
-			SkipTLSVerify:  false,
+			Provider: oidc.Provider{
+				IssuerURL:    "YOUR_ISSUER",
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				ExtraScopes:  []string{"openid", "email"},
+			},
+			TLSClientConfig: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert"},
+			},
 		}
 		tokenSet := oidc.TokenSet{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Save(dir, key, tokenSet); err != nil {
+		if err := r.Save(config, key, tokenSet); err != nil {
 			t.Errorf("err wants nil but %+v", err)
 		}

-		filename, err := computeFilename(key)
+		filename, err := computeChecksum(key)
 		if err != nil {
 			t.Errorf("could not compute the key: %s", err)
 		}
@@ -71,8 +87,7 @@ func TestRepository_Save(t *testing.T) {
 		if err != nil {
 			t.Fatalf("could not read the token cache file: %s", err)
 		}
-		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
-`
+		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
 		got := string(b)
 		if diff := cmp.Diff(want, got); diff != "" {
 			t.Errorf("mismatch (-want +got):\n%s", diff)
--- a/Show More
+++ b/Show More