Merge pull request #299 from mattmoyer/update-go-dependencies

Update dependencies before v0.3.0 release.
2020-12-17 17:28:40 -06:00 · 2020-12-17 17:28:40 -06:00 · 81eb0735d1
parent 780d236d89 c7931bc6d5
commit 81eb0735d1
28 changed files with 1083 additions and 523 deletions
--- a/1
+++ b/1
@ -15,7 +15,6 @@ COPY generated ./generated
 COPY cmd ./cmd
 COPY pkg ./pkg
 COPY internal ./internal
-COPY tools ./tools
 COPY hack ./hack

 # Build the executable binary (CGO_ENABLED=0 means static linking)
--- a/cmd/pinniped/cmd/get.go
+++ b/cmd/pinniped/cmd/get.go
@ -8,11 +8,7 @@ import (
 )

 //nolint: gochecknoglobals
-var getCmd = &cobra.Command{
-	Use:          "get",
-	Short:        "get",
-	SilenceUsage: true, // do not print usage message when commands fail
-}
+var getCmd = &cobra.Command{Use: "get", Short: "get"}

 //nolint: gochecknoinits
 func init() {
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@ -81,7 +81,7 @@ func TestGetKubeconfig(t *testing.T) {
 			args:             []string{},
 			getPathToSelfErr: fmt.Errorf("some OS error"),
 			wantError:        true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not determine the Pinniped executable path: some OS error
 			`),
 		},
@ -91,7 +91,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--oidc-ca-bundle", "./does/not/exist",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not read --oidc-ca-bundle: open ./does/not/exist: no such file or directory
 			`),
 		},
@ -101,7 +101,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--kubeconfig", "./does/not/exist",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not load --kubeconfig: stat ./does/not/exist: no such file or directory
 			`),
 		},
@ -112,7 +112,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--kubeconfig-context", "invalid",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not load --kubeconfig/--kubeconfig-context: no such context "invalid"
 			`),
 		},
@ -123,7 +123,7 @@ func TestGetKubeconfig(t *testing.T) {
 			},
 			getClientsetErr: fmt.Errorf("some kube error"),
 			wantError:       true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not configure Kubernetes client: some kube error
 			`),
 		},
@ -135,7 +135,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--concierge-authenticator-name", "test-authenticator",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: webhookauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found
 			`),
 		},
@ -147,7 +147,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--concierge-authenticator-name", "test-authenticator",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: jwtauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found
 			`),
 		},
@ -159,7 +159,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--concierge-authenticator-name", "test-authenticator",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: invalid authenticator type "invalid", supported values are "webhook" and "jwt"
 			`),
 		},
@ -178,7 +178,7 @@ func TestGetKubeconfig(t *testing.T) {
 				},
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: failed to list JWTAuthenticator objects for autodiscovery: some list error
 			`),
 		},
@ -197,7 +197,7 @@ func TestGetKubeconfig(t *testing.T) {
 				},
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: failed to list WebhookAuthenticator objects for autodiscovery: some list error
 			`),
 		},
@ -207,7 +207,7 @@ func TestGetKubeconfig(t *testing.T) {
 				"--kubeconfig", "./testdata/kubeconfig.yaml",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: no authenticators were found in namespace "pinniped-concierge" (try setting --concierge-namespace)
 			`),
 		},
@ -224,7 +224,7 @@ func TestGetKubeconfig(t *testing.T) {
 				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4", Namespace: "test-namespace"}},
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: multiple authenticators were found in namespace "test-namespace", so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified
 			`),
 		},
@ -238,7 +238,7 @@ func TestGetKubeconfig(t *testing.T) {
 				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not autodiscover --oidc-issuer, and none was provided
 			`),
 		},
@ -259,7 +259,7 @@ func TestGetKubeconfig(t *testing.T) {
 				},
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-namespace/test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7
 			`),
 		},
@ -275,7 +275,7 @@ func TestGetKubeconfig(t *testing.T) {
 				&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator", Namespace: "test-namespace"}},
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: only one of --static-token and --static-token-env can be specified
 			`),
 		},
--- a/cmd/pinniped/cmd/login_oidc_test.go
+++ b/cmd/pinniped/cmd/login_oidc_test.go
@ -79,7 +79,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 			name:      "missing required flags",
 			args:      []string{},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: required flag(s) "issuer" not set
 			`),
 		},
@ -91,7 +91,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--enable-concierge",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: invalid concierge parameters: endpoint must not be empty
 			`),
 		},
@ -103,7 +103,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--ca-bundle", "./does/not/exist",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not read --ca-bundle: open ./does/not/exist: no such file or directory
 			`),
 		},
@ -115,7 +115,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 				"--ca-bundle-data", "invalid-base64",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not read --ca-bundle-data: illegal base64 data at input byte 7
 			`),
 		},
@ -128,7 +128,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 			loginErr:         fmt.Errorf("some login error"),
 			wantOptionsCount: 3,
 			wantError:        true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not complete Pinniped login: some login error
 			`),
 		},
@ -145,7 +145,7 @@ func TestLoginOIDCCommand(t *testing.T) {
 			conciergeErr:     fmt.Errorf("some concierge error"),
 			wantOptionsCount: 3,
 			wantError:        true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not complete concierge credential exchange: some concierge error
 			`),
 		},
--- a/cmd/pinniped/cmd/login_static_test.go
+++ b/cmd/pinniped/cmd/login_static_test.go
@ -66,7 +66,7 @@ func TestLoginStaticCommand(t *testing.T) {
 			name:      "missing required flags",
 			args:      []string{},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: one of --token or --token-env must be set
 			`),
 		},
@ -77,7 +77,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				"--enable-concierge",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: invalid concierge parameters: endpoint must not be empty
 			`),
 		},
@ -87,7 +87,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				"--token-env", "TEST_TOKEN_ENV",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: --token-env variable "TEST_TOKEN_ENV" is not set
 			`),
 		},
@ -100,7 +100,7 @@ func TestLoginStaticCommand(t *testing.T) {
 				"TEST_TOKEN_ENV": "",
 			},
 			wantError: true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: --token-env variable "TEST_TOKEN_ENV" is empty
 			`),
 		},
@ -125,7 +125,7 @@ func TestLoginStaticCommand(t *testing.T) {
 			},
 			conciergeErr: fmt.Errorf("some concierge error"),
 			wantError:    true,
-			wantStdout: here.Doc(`
+			wantStderr: here.Doc(`
 				Error: could not complete concierge credential exchange: some concierge error
 			`),
 		},
--- a/cmd/pinniped/cmd/version_test.go
+++ b/cmd/pinniped/cmd/version_test.go
@ -7,6 +7,7 @@ import (
 	"bytes"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"go.pinniped.dev/internal/here"
@ -41,7 +42,7 @@ func TestNewVersionCmd(t *testing.T) {
 		args             []string
 		wantError        bool
 		wantStdoutRegexp string
-		wantStderr       string
+		wantStderrRegexp string
 	}{
 		{
 			name:             "no flags",
@ -57,7 +58,8 @@ func TestNewVersionCmd(t *testing.T) {
 			name:             "arg passed",
 			args:             []string{"tuna"},
 			wantError:        true,
-			wantStdoutRegexp: `Error: unknown command "tuna" for "version"` + "\n" + knownGoodUsageRegexpForVersion,
+			wantStderrRegexp: `Error: unknown command "tuna" for "version"`,
+			wantStdoutRegexp: knownGoodUsageRegexpForVersion,
 		},
 	}
 	for _, tt := range tests {
@ -76,8 +78,8 @@ func TestNewVersionCmd(t *testing.T) {
 			} else {
 				require.NoError(t, err)
 			}
-			require.Regexp(t, tt.wantStdoutRegexp, stdout.String(), "unexpected stdout")
-			require.Equal(t, tt.wantStderr, stderr.String(), "unexpected stderr")
+			assert.Regexp(t, tt.wantStdoutRegexp, stdout.String(), "unexpected stdout")
+			assert.Regexp(t, tt.wantStderrRegexp, stderr.String(), "unexpected stderr")
 		})
 	}
 }
--- a/generated/1.19/apis/go.mod
+++ b/generated/1.19/apis/go.mod
@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.19/apis
 go 1.13

 require (
-	k8s.io/api v0.19.2
-	k8s.io/apimachinery v0.19.2
+	k8s.io/api v0.19.5
+	k8s.io/apimachinery v0.19.5
 )
--- a/generated/1.19/apis/go.sum
+++ b/generated/1.19/apis/go.sum
@ -101,8 +101,8 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -113,8 +113,9 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4 h1:5/PjkGUjvEU5Gl6BxmvKRPpqo2uNMv4rcHBMwzk/st8=
-golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -157,10 +158,10 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.19.2 h1:q+/krnHWKsL7OBZg/rxnycsl9569Pud76UJ77MvKXms=
-k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI=
-k8s.io/apimachinery v0.19.2 h1:5Gy9vQpAGTKHPVOh5c4plE274X8D/6cuEiTO2zve7tc=
-k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
+k8s.io/api v0.19.5 h1:p0MRzyhokJ9Kn5jcJAHNup0s+COMBPfn1mTasls6mMg=
+k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
+k8s.io/apimachinery v0.19.5 h1:Yvz6dOE0WbVE+FXBEFqc9lSvo87VPtq6mCSsrtC95HI=
+k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
--- a/generated/1.19/client/go.mod
+++ b/generated/1.19/client/go.mod
@ -6,8 +6,8 @@ go 1.13
 require (
 	github.com/go-openapi/spec v0.19.9
 	go.pinniped.dev/generated/1.19/apis v0.0.0-00010101000000-000000000000
-	k8s.io/apimachinery v0.19.2
-	k8s.io/client-go v0.19.2
+	k8s.io/apimachinery v0.19.5
+	k8s.io/client-go v0.19.5
 	k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6
 )

--- a/generated/1.19/client/go.sum
+++ b/generated/1.19/client/go.sum
@ -209,8 +209,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -235,8 +235,9 @@ golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4 h1:5/PjkGUjvEU5Gl6BxmvKRPpqo2uNMv4rcHBMwzk/st8=
-golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@ -327,12 +328,12 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.19.2 h1:q+/krnHWKsL7OBZg/rxnycsl9569Pud76UJ77MvKXms=
-k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI=
-k8s.io/apimachinery v0.19.2 h1:5Gy9vQpAGTKHPVOh5c4plE274X8D/6cuEiTO2zve7tc=
-k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
-k8s.io/client-go v0.19.2 h1:gMJuU3xJZs86L1oQ99R4EViAADUPMHHtS9jFshasHSc=
-k8s.io/client-go v0.19.2/go.mod h1:S5wPhCqyDNAlzM9CnEdgTGV4OqhsW3jGO1UM1epwfJA=
+k8s.io/api v0.19.5 h1:p0MRzyhokJ9Kn5jcJAHNup0s+COMBPfn1mTasls6mMg=
+k8s.io/api v0.19.5/go.mod h1:yGZReuNa0vj56op6eT+NLrXJne0R0u9ktexZ8jdJzpc=
+k8s.io/apimachinery v0.19.5 h1:Yvz6dOE0WbVE+FXBEFqc9lSvo87VPtq6mCSsrtC95HI=
+k8s.io/apimachinery v0.19.5/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q=
+k8s.io/client-go v0.19.5 h1:Y7LsFwgbm9+5oVXER04KNCSPhY6TblYRgG1DQdVq+ig=
+k8s.io/client-go v0.19.5/go.mod h1:BSG3iuxI40Bs0nNDLS1JRa/7ReBQDHzf0x8nZZrK0fo=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
--- a/go.mod
+++ b/go.mod
@ -3,40 +3,49 @@ module go.pinniped.dev
 go 1.14

 require (
+	cloud.google.com/go v0.60.0 // indirect
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/davecgh/go-spew v1.1.1
-	github.com/go-logr/logr v0.2.1
+	github.com/go-logr/logr v0.3.0
 	github.com/go-logr/stdr v0.2.0
 	github.com/gofrs/flock v0.8.0
 	github.com/golang/mock v1.4.4
-	github.com/golangci/golangci-lint v1.31.0
-	github.com/google/go-cmp v0.5.2
-	github.com/google/gofuzz v1.1.0
+	github.com/google/go-cmp v0.5.4
+	github.com/google/gofuzz v1.2.0
 	github.com/gorilla/securecookie v1.1.1
-	github.com/ory/fosite v0.35.1
-	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
+	github.com/kr/text v0.2.0 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	github.com/onsi/ginkgo v1.13.0 // indirect
+	github.com/ory/fosite v0.36.0
+	github.com/pkg/browser v0.0.0-20201207095918-0426ae3fba23
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/agouti v3.0.0+incompatible
 	github.com/sclevine/spec v1.4.0
-	github.com/spf13/cobra v1.0.0
+	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.6.1
 	go.pinniped.dev/generated/1.19/apis v0.0.0-00010101000000-000000000000
 	go.pinniped.dev/generated/1.19/client v0.0.0-00010101000000-000000000000
-	golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
+	golang.org/x/crypto v0.0.0-20201217014255-9d1352758620
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
+	golang.org/x/tools v0.0.0-20200825202427-b303f430e36d // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1
-	k8s.io/api v0.19.2
-	k8s.io/apimachinery v0.19.2
-	k8s.io/apiserver v0.19.2
-	k8s.io/client-go v0.19.2
-	k8s.io/component-base v0.19.2
-	k8s.io/klog/v2 v2.3.0
-	k8s.io/kube-aggregator v0.19.2
-	k8s.io/utils v0.0.0-20200729134348-d5654de09c73
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
+	k8s.io/api v0.19.5
+	k8s.io/apimachinery v0.19.5
+	k8s.io/apiserver v0.19.5
+	k8s.io/client-go v0.19.5
+	k8s.io/component-base v0.19.5
+	k8s.io/klog/v2 v2.4.0
+	k8s.io/kube-aggregator v0.19.5
+	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 	sigs.k8s.io/yaml v1.2.0
 )

--- a/go.sum
+++ b/go.sum
--- a/hack/lib/kube-versions.txt
+++ b/hack/lib/kube-versions.txt
@ -1,3 +1,3 @@
-1.19.2
+1.19.5
 1.18.2
 1.17.11
--- a/hack/lib/update-codegen.sh
+++ b/hack/lib/update-codegen.sh
@ -13,7 +13,7 @@ export GO111MODULE="on"
 if [[ -z "${CONTAINED:-}" ]]; then
    for kubeVersion in "${KUBE_VERSIONS[@]}"; do
        # CODEGEN_IMAGE is the container image to use when running
-        CODEGEN_IMAGE="docker.io/getpinniped/k8s-code-generator-$(echo "$kubeVersion" | cut -d"." -f1-2):latest"
+        CODEGEN_IMAGE="projects.registry.vmware.com/pinniped/k8s-code-generator-$(echo "$kubeVersion" | cut -d"." -f1-2):latest"

        echo "generating code for ${kubeVersion} using ${CODEGEN_IMAGE}..."
        docker run --rm \
--- a/hack/module.sh
+++ b/hack/module.sh
@ -12,12 +12,7 @@ function tidy_cmd() {
 }

 function lint_cmd() {
-  if [ -x "$(command -v golangci-lint)" ]; then
-    cmd='golangci-lint'
-  else
-    cmd='go run github.com/golangci/golangci-lint/cmd/golangci-lint'
-  fi
-  echo "${cmd} run --modules-download-mode=readonly --timeout=10m"
+  echo "golangci-lint run --modules-download-mode=readonly --timeout=10m"
 }

 function test_cmd() {
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@ -86,7 +86,7 @@ func (a *accessTokenStorage) getSession(ctx context.Context, signature string) (
 	rv, err := a.storage.Get(ctx, signature, session)

 	if errors.IsNotFound(err) {
-		return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
+		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}

 	if err != nil {
--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@ -110,7 +110,7 @@ func (a *authorizeCodeStorage) getSession(ctx context.Context, signature string)
 	rv, err := a.storage.Get(ctx, signature, session)

 	if errors.IsNotFound(err) {
-		return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
+		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}

 	if err != nil {
@ -170,31 +170,31 @@ func (e *errSerializationFailureWithCause) Error() string {
 const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{
 	  "active": true,
 	  "request": {
-		"id": "嫎l蟲aƖ啘艿",
+		"id": "曑x螠Gæ鄋楨",
 		"requestedAt": "2082-11-10T18:36:11.627253638Z",
 		"client": {
-			"id": "!ſɄĈp[述齛ʘUȻ.5ȿE",
+		  "id": ":Ǌ¸Ɣ8(黋馛ÄRɴJa¶z",
 		  "client_secret": "UQ==",
 		  "redirect_uris": [
-				"ǣ珑 ʑ飶畛Ȳ螤Yɫüeɯ紤邥翔勋\\",
-				"Bʒ;",
-				"鿃攴Ųęʍ鎾ʦ©cÏN,Ġ/_"
+			"ǖ枭kʍ切厦ȳ箦;¥ʊXĝ奨誷傥祩d",
+			"zŇZ",
+			"優蒼ĊɌț訫ǄǽeʀO2ƚ&N"
 		  ],
 		  "grant_types": [
-				"憉sHĒ尥窘挼Ŀŉ"
+			"唐W6ɻ橩斚薛ɑƐ"
 		  ],
 		  "response_types": [
-				"4",
-				"ʄÔ@}i{絧遗Ū^ȝĸ谋Vʋ鱴閇T"
+			"w",
+			"ǔŭe[u@阽羂ŷ-Ĵ½輢OÅ濲喾H"
 		  ],
 		  "scopes": [
-				"R鴝順諲ŮŚ节ȭŀȋc剠鏯ɽÿ¸"
+			"G螩歐湡ƙı唡ɸğƎ&胢輢Ƈĵƚ"
 		  ],
 		  "audience": [
-				"Ƥ"
+			"ě"
 		  ],
-			"public": true,
-			"jwks_uri": "BA瘪囷ɫCʄɢ雐譄uée'",
+		  "public": false,
+		  "jwks_uri": "o*泞羅ʘ Ⱦķ瀊垰7ã\")",
 		  "jwks": {
 			"keys": [
 			  {
@ -233,95 +233,95 @@ const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{
 			  }
 			]
 		  },
-			"token_endpoint_auth_method": "ŚǗƳȕ暭Q0ņP羾,塐",
+		  "token_endpoint_auth_method": "ƿʥǟȒ伉<x¹T鼓c吏",
 		  "request_uris": [
-				"ǉ翻LH^俤µǲɹ@©|\u003eɃ",
-				"[:c顎疻紵D"
+			"Ć捘j]=谅ʑɑɮ$Ól4Ȟ",
+			",Q7钎漡臧n"
 		  ],
-			"request_object_signing_alg": "m1Ì恣S@T嵇ǇV,Æ櫔袆鋹奘",
-			"token_endpoint_auth_signing_alg": "Fãƻʚ肈ą8O+a駣"
+		  "request_object_signing_alg": "3@¡廜+v,淬Ʋ4Dʧ呩锏緍场",
+		  "token_endpoint_auth_signing_alg": "(ưƓǴ罷ǹ~]ea胠"
 		},
 		"scopes": [
-			"ɼk瘸'鴵yſǮŁ±\u003eFA曎餄FxD溪",
-			"綻N镪p赌h%桙dĽ"
+		  "ĩv絹b垇IŕĩǀŻQ'k頂箨J-a稆",
+		  "啶#昏Q遐*\\髎bŸ"
 		],
 		"grantedScopes": [
-			"癗E]Ņʘʟ車s"
+		  "慂UFƼĮǡ鑻Z"
 		],
 		"form": {
-			"蹬器ķ8ŷ萒寎廭#疶昄Ą-Ƃƞ轵": [
-				"熞ĝƌĆ1ȇyǴ濎=Tʉȼʁŀ\u003c",
-				"耡q戨稞R÷mȵg釽[ƞ@",
-				"đ[嬧鱒Ȁ彆媚杨嶒ĤGÀ吧Lŷ"
+		  "褾攚ŝlĆ厦駳骪l拁乖¡J¿Ƈ妔": [
+			"懧¥ɂĵ~Čyʊ恀c\"Ǌřðȿ/",
+			"裢?霃谥vƘ:ƿ/濔Aʉ<",
+			"ȭ$奍囀ǅ悷鵱民撲ʓeŘ嬀j¤"
 		  ],
-			"餟": [
-				"蒍z\u0026(K鵢Kj ŏ9Q韉Ķ%",
-				"輫ǘ(¨Ƞ亱6ě#嫀^xz ",
-				"@耢ɝ^¡!犃ĹĐJí¿ō擫"
+		  "诞": [
+			"狲N<Cq罉ZPſĝEK郊©l",
+			"餚Ǉ/ɷȑ潠[ĝU噤'pX ",
+			"Y妶ǵ!ȁu狍ɶȳsčɦƦ诱"
 		  ]
 		},
 		"session": {
 		  "Claims": {
-				"JTI": "懫砰¿C筽娴ƓaPu镈賆ŗɰ",
-				"Issuer": "皶竇瞍涘¹焕iǢǽɽĺŧ",
-				"Subject": "矠M6ɡǜg炾ʙ$%o6肿Ȫ",
+			"JTI": "攬林Ñz焁糳¿o>Q鱙翑ȲŻ",
+			"Issuer": "锰劝旣樎Ȱ鍌#ȳńƩŴȭ",
+			"Subject": "绝TFǊĆw宵ɚeY48珎²",
 			"Audience": [
-					"ƌÙ鯆GQơ鮫R嫁ɍUƞ9+u!Ȱ踾$"
+			  "éã越|j¦鲶H股ƲLŋZ-{5£踉4"
 			],
-				"Nonce": "us旸Ť/Õ薝隧;綡,鼞",
+			"Nonce": "5^驜Ŗ~ů崧軒q腟u尿",
 			"ExpiresAt": "2065-11-30T13:47:03.613000626Z",
 			"IssuedAt": "1976-02-22T09:57:20.479850437Z",
 			"RequestedAt": "2016-04-13T04:18:53.648949323Z",
 			"AuthTime": "2098-07-12T04:38:54.034043015Z",
-				"AccessTokenHash": "滮]",
-				"AuthenticationContextClassReference": "°3\u003eÙ",
-				"AuthenticationMethodsReference": "k?µ鱔ǤÂ",
-				"CodeHash": "Țƒ1v¸KĶ跭};",
+			"AccessTokenHash": "嫯R",
+			"AuthenticationContextClassReference": "¤'+ʣ",
+			"AuthenticationMethodsReference": "L&ɽ艄ʬʏ",
+			"CodeHash": "ğǫ\\aȊ4ț髄Al",
 			"Extra": {
-					"=ſ氆": {
-						"Ƿī,廖ʡ彑V\\廳蟕Ț": [
+			  "PƢ曰": {
+				"ĸŴB岺Ð嫹Sx镯荫ő": [
 				  843216989
 				],
-						"蔯ʠ浵Ī": {
-							"H\"nǕ=rlƆ褡{ǏSȳŅ": {
-								"Žg": false
+				"疂ư墫ɓ": {
+				  "\\BRë_g\"ʎ啴SƇMǃļ": {
+					"ʦ4": false
 				  },
-							"枱鰧ɛ鸁A渇": null
+				  "鶡萷ɵ啜s攦": null
 				}
 			  },
-					"斻遟a衪荖舃9闄岈锘肺ńʥƕU}j%": 2520197933
+			  "曓蓳n匟鯘磹*金爃鶴滱ůĮǐ_c3#": 2520197933
 			}
 		  },
 		  "Headers": {
 			"Extra": {
-					"熒ɘȏıȒ諃龟ŴŠ'耐Ƭ扵ƹ玄ɕwL": {
-						"ýÏʥZq7烱藌\\捀¿őŧQ": {
-							"微'X焌襱ǭɕņ殥!_": null,
-							"荇届UȚ?戋璖$9\u00269舋": {
-								"ɕ餦ÑEǰ哤癨浦浏1Rk頓ć§蚲6": true
-							}
+			  "寱ĊƑ÷Ƒ螞费Ďğ~劰û橸ɽ銐ƭ?}": {
+				"ȜʁɁ;Bd謺錳4帳ŅǃĊd": {
+				  "翢砜Fȏl鐉诳DT=3骜": {
+					"ų厷ɁOƪ穋嶿鳈恱va|载ǰɱ汶C": false
 				  },
-						"鲒鿮禗O暒aJP鐜?ĮV嫎h譭ȉ]DĘ": [
+				  "鸨EJ毕懴řĬń戹%c": null
+				},
+				"室癑勦e骲v0H晦XŘO溪V蔓Ȍ+~ē": [
 				  954647573
 				]
 			  },
-					"皩Ƭ}Ɇ.雬Ɨ´唁": 1572524915
+			  "麈ƵDǀ\\郂üţ垂": 1572524915
 			}
 		  },
 		  "ExpiresAt": {
-				"\u003cqċ譈8ŪɎP绿MÅ": "2031-10-18T22:07:34.950803105Z",
-				"ȸěaʜD捛?½ʀ+Ċ偢镳ʬÍɷȓ\u003c": "2049-05-13T15:27:20.968432454Z"
+			"'=ĸ闒NȢȰ.醋fʜ": "2031-10-18T22:07:34.950803105Z",
+			"ɦüHêQ仏1őƖ2Ė暮唍ǞʜƢú4": "2049-05-13T15:27:20.968432454Z"
 		  },
-			"Username": "1藍殙菥趏酱Nʎ\u0026^横懋ƶ峦Fïȫƅw",
-			"Subject": "檾ĩĆ爨4犹|v炩f柏ʒ鴙*鸆偡"
+		  "Username": "+韁臯氃妪婝rȤ\"h丬鎒ơ娻}ɼƟȥE",
+		  "Subject": "龳ǽÙ龦O亾EW莛8嘶×姮c恭企"
 		},
 		"requestedAudience": [
-			"肯Ûx穞Ƀ",
-			"ź蕴3ǐ薝Ƅ腲=ʐ诂鱰屾Ê窢ɋ鄊qɠ谫"
+		  "邖ɐ5檄¬",
+		  "Ĭ葜SŦ餧Ĭ倏4ĵ嶼仒篻ɥ闣ʬ橳(ý綃"
 		],
 		"grantedAudience": [
-			"ǵƕ牀1鞊\\ȹ)}鉍商OɄƣ圔,xĪ",
-			"悾xn冏裻摼0Ʈ蚵Ȼ塕»£#稏扟X"
+		  "ʚƟ覣k眐4ĈtC嵽痊w©Ź榨Q|ô",
+		  "猊Ia瓕巈環_ɑ彨ƍ蛊ʚ£:設虝2"
 		]
 	  },
 	  "version": "1"
--- a/internal/fositestorage/authorizationcode/authorizationcode_test.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go
@ -391,5 +391,5 @@ func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) {
 	// while the fuzzer will panic if AuthorizeRequest changes in a way that cannot be fuzzed,
 	// if it adds a new field that can be fuzzed, this check will fail
 	// thus if AuthorizeRequest changes, we will detect it here (though we could possibly miss an omitempty field)
-	require.Equal(t, ExpectedAuthorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromFuzzing)
+	require.JSONEq(t, ExpectedAuthorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromFuzzing)
 }
--- a/internal/fositestorage/openidconnect/openidconnect.go
+++ b/internal/fositestorage/openidconnect/openidconnect.go
@ -88,7 +88,7 @@ func (a *openIDConnectRequestStorage) getSession(ctx context.Context, signature
 	rv, err := a.storage.Get(ctx, signature, session)

 	if errors.IsNotFound(err) {
-		return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
+		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}

 	if err != nil {
--- a/internal/fositestorage/pkce/pkce.go
+++ b/internal/fositestorage/pkce/pkce.go
@ -72,7 +72,7 @@ func (a *pkceStorage) getSession(ctx context.Context, signature string) (*sessio
 	rv, err := a.storage.Get(ctx, signature, session)

 	if errors.IsNotFound(err) {
-		return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
+		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}

 	if err != nil {
--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@ -86,7 +86,7 @@ func (a *refreshTokenStorage) getSession(ctx context.Context, signature string)
 	rv, err := a.storage.Get(ctx, signature, session)

 	if errors.IsNotFound(err) {
-		return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
+		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 	}

 	if err != nil {
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/oidc/auth/auth_handler_test.go
@ -41,76 +41,62 @@ func TestAuthorizationEndpoint(t *testing.T) {
 		fositeInvalidClientErrorBody = here.Doc(`
 			{
 				"error":             "invalid_client",
-				"error_verbose":     "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
-				"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)\n\nThe requested OAuth 2.0 Client does not exist.",
-				"error_hint":        "The requested OAuth 2.0 Client does not exist.",
-				"status_code":       401
+				"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist."
 			 }
 		`)

 		fositeInvalidRedirectURIErrorBody = here.Doc(`
 			{
 				"error":             "invalid_request",
-				"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-				"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe \"redirect_uri\" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.",
-				"error_hint":        "The \"redirect_uri\" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.",
-				"status_code":       400
+				"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."
 			}
 		`)

 		fositePromptHasNoneAndOtherValueErrorQuery = map[string]string{
 			"error":             "invalid_request",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nParameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.",
-			"error_hint":        "Parameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed.",
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Parameter 'prompt' was set to 'none', but contains other values as well which is not allowed.",
 			"state":             happyState,
 		}

 		fositeMissingCodeChallengeErrorQuery = map[string]string{
 			"error":             "invalid_request",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must include a code_challenge when performing the authorize code flow, but it is missing.",
-			"error_hint":        "Clients must include a code_challenge when performing the authorize code flow, but it is missing.",
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing.",
 			"state":             happyState,
 		}

 		fositeMissingCodeChallengeMethodErrorQuery = map[string]string{
 			"error":             "invalid_request",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClients must use code_challenge_method=S256, plain is not allowed.",
-			"error_hint":        "Clients must use code_challenge_method=S256, plain is not allowed.",
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must use code_challenge_method=S256, plain is not allowed.",
 			"state":             happyState,
 		}

 		fositeInvalidCodeChallengeErrorQuery = map[string]string{
 			"error":             "invalid_request",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe code_challenge_method is not supported, use S256 instead.",
-			"error_hint":        "The code_challenge_method is not supported, use S256 instead.",
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The code_challenge_method is not supported, use S256 instead.",
 			"state":             happyState,
 		}

 		fositeUnsupportedResponseTypeErrorQuery = map[string]string{
 			"error":             "unsupported_response_type",
-			"error_description": "The authorization server does not support obtaining a token using this method\n\nThe client is not allowed to request response_type \"unsupported\".",
-			"error_hint":        `The client is not allowed to request response_type "unsupported".`,
+			"error_description": "The authorization server does not support obtaining a token using this method. The client is not allowed to request response_type 'unsupported'.",
 			"state":             happyState,
 		}

 		fositeInvalidScopeErrorQuery = map[string]string{
 			"error":             "invalid_scope",
-			"error_description": "The requested scope is invalid, unknown, or malformed\n\nThe OAuth 2.0 Client is not allowed to request scope \"tuna\".",
-			"error_hint":        `The OAuth 2.0 Client is not allowed to request scope "tuna".`,
+			"error_description": "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'tuna'.",
 			"state":             happyState,
 		}

 		fositeInvalidStateErrorQuery = map[string]string{
 			"error":             "invalid_state",
-			"error_description": "The state is missing or does not have enough characters and is therefore considered too weak\n\nRequest parameter \"state\" must be at least be 8 characters long to ensure sufficient entropy.",
-			"error_hint":        `Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.`,
+			"error_description": "The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.",
 			"state":             "short",
 		}

 		fositeMissingResponseTypeErrorQuery = map[string]string{
 			"error":             "unsupported_response_type",
-			"error_description": "The authorization server does not support obtaining a token using this method\n\nThe request is missing the \"response_type\"\" parameter.",
-			"error_hint":        `The request is missing the "response_type"" parameter.`,
+			"error_description": "The authorization server does not support obtaining a token using this method. `The request is missing the 'response_type' parameter.",
 			"state":             happyState,
 		}
 	)
--- a/internal/oidc/callback/callback_handler_test.go
+++ b/internal/oidc/callback/callback_handler_test.go
@ -356,7 +356,7 @@ func TestCallbackEndpoint(t *testing.T) {
 				).String(),
 			csrfCookie:                        happyCSRFCookie,
 			wantStatus:                        http.StatusFound,
-			wantRedirectLocationRegexp:        downstreamRedirectURI + `\?code=([^&]+)&scope=openid%20offline_access&state=` + happyDownstreamState,
+			wantRedirectLocationRegexp:        downstreamRedirectURI + `\?code=([^&]+)&scope=openid\+offline_access&state=` + happyDownstreamState,
 			wantDownstreamIDTokenUsername:     upstreamUsername,
 			wantDownstreamIDTokenSubject:      upstreamIssuer + "?sub=" + upstreamSubject,
 			wantDownstreamRequestedScopes:     []string{"openid", "offline_access"},
--- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go
+++ b/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go
@ -50,7 +50,7 @@ func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
 	_, activeJwk := s.jwksProvider.GetJWKS(s.fositeConfig.IDTokenIssuer)
 	if activeJwk == nil {
 		plog.Debug("no JWK found for issuer", "issuer", s.fositeConfig.IDTokenIssuer)
-		return "", fosite.ErrTemporarilyUnavailable.WithCause(constable.Error("no JWK found for issuer"))
+		return "", fosite.ErrTemporarilyUnavailable.WithWrap(constable.Error("no JWK found for issuer"))
 	}
 	key, ok := activeJwk.Key.(*ecdsa.PrivateKey)
 	if !ok {
@ -65,7 +65,7 @@ func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
 			"actualType",
 			actualType,
 		)
-		return "", fosite.ErrServerError.WithCause(constable.Error("JWK must be of type ecdsa"))
+		return "", fosite.ErrServerError.WithWrap(constable.Error("JWK must be of type ecdsa"))
 	}

 	return compose.NewOpenIDConnectECDSAStrategy(s.fositeConfig, key).GenerateIDToken(ctx, requester)
--- a/internal/oidc/oidc.go
+++ b/internal/oidc/oidc.go
@ -266,11 +266,11 @@ func FositeErrorForLog(err error) []interface{} {
 	rfc6749Error := fosite.ErrorToRFC6749Error(err)
 	keysAndValues := make([]interface{}, 0)
 	keysAndValues = append(keysAndValues, "name")
-	keysAndValues = append(keysAndValues, rfc6749Error.Name)
+	keysAndValues = append(keysAndValues, rfc6749Error.ErrorField)
 	keysAndValues = append(keysAndValues, "status")
 	keysAndValues = append(keysAndValues, rfc6749Error.Status())
 	keysAndValues = append(keysAndValues, "description")
-	keysAndValues = append(keysAndValues, rfc6749Error.Description)
+	keysAndValues = append(keysAndValues, rfc6749Error.DescriptionField)
 	return keysAndValues
 }

--- a/internal/oidc/token/token_handler_test.go
+++ b/internal/oidc/token/token_handler_test.go
@ -78,138 +78,99 @@ var (
 		return here.Docf(`
 			{
 				"error":             "invalid_request",
-				"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-				"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nHTTP method is \"%s\", expected \"POST\".",
-				"error_hint":        "HTTP method is \"%s\", expected \"POST\".",
-				"status_code":       400
+				"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. HTTP method is '%s', expected 'POST'."
 			 }
-		`, actual, actual)
+		`, actual)
 	}

 	fositeMissingGrantTypeErrorBody = here.Docf(`
 		{
 			"error":             "invalid_request",
-			"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nRequest parameter \"grant_type\"\" is missing",
-			"error_hint":        "Request parameter \"grant_type\"\" is missing",
-			"status_code":       400
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Request parameter 'grant_type' is missing"
 		}
 	`)

 	fositeEmptyPayloadErrorBody = here.Doc(`
 		{
 			"error":             "invalid_request",
-			"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nThe POST body can not be empty.",
-			"error_hint":        "The POST body can not be empty.",
-			"status_code":       400
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The POST body can not be empty."
 		}
 	`)

 	fositeInvalidPayloadErrorBody = here.Doc(`
 		{
 			"error":             "invalid_request",
-			"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nUnable to parse HTTP body, make sure to send a properly formatted form request body.",
-			"error_hint":        "Unable to parse HTTP body, make sure to send a properly formatted form request body.",
-			"status_code":       400
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Unable to parse HTTP body, make sure to send a properly formatted form request body."
 		}
 	`)

 	fositeInvalidRequestErrorBody = here.Doc(`
 		{
 			"error":             "invalid_request",
-			"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nMake sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
-			"error_hint":        "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
-			"status_code":       400
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified."
 		}
 	`)

 	fositeInvalidRequestMissingGrantTypeErrorBody = here.Doc(`
 		{
 		  "error": "invalid_request",
-		  "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nRequest parameter \"grant_type\"\" is missing",
-		  "error_hint": "Request parameter \"grant_type\"\" is missing",
-		  "error_verbose": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-		  "status_code": 400
+		  "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Request parameter 'grant_type' is missing"
 		}
 	`)

 	fositeMissingClientErrorBody = here.Doc(`
 		{
 			"error":             "invalid_request",
-			"error_verbose":     "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\n\nClient credentials missing or malformed in both HTTP Authorization header and HTTP POST body.",
-			"error_hint":        "Client credentials missing or malformed in both HTTP Authorization header and HTTP POST body.",
-			"status_code":       400
+			"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client credentials missing or malformed in both HTTP Authorization header and HTTP POST body."
 		}
 	`)

 	fositeInvalidClientErrorBody = here.Doc(`
 		{
 			"error":             "invalid_client",
-			"error_verbose":     "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
-			"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)",
-			"status_code":       401
+			"error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."
 		}
 	`)

 	fositeInvalidAuthCodeErrorBody = here.Doc(`
 		{
 			"error":             "invalid_grant",
-			"error_verbose":     "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-			"status_code":       400
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
 		}
 	`)

 	fositeReusedAuthCodeErrorBody = here.Doc(`
 		{
 			"error":             "invalid_grant",
-			"error_verbose":     "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe authorization code has already been used.",
-			"error_hint":        "The authorization code has already been used.",
-			"status_code":       400
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used."
 		}
 	`)

 	fositeInvalidRedirectURIErrorBody = here.Doc(`
 		{
 			"error":             "invalid_grant",
-			"error_verbose":     "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe \"redirect_uri\" from this request does not match the one from the authorize request.",
-			"error_hint":        "The \"redirect_uri\" from this request does not match the one from the authorize request.",
-			"status_code":       400
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request."
 		}
 	`)

 	fositeMissingPKCEVerifierErrorBody = here.Doc(`
 		{
 			"error":             "invalid_grant",
-			"error_verbose":     "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe PKCE code verifier must be at least 43 characters.",
-			"error_hint":        "The PKCE code verifier must be at least 43 characters.",
-			"status_code":       400
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must be at least 43 characters."
 		}
 	`)

 	fositeWrongPKCEVerifierErrorBody = here.Doc(`
 		{
 			"error":             "invalid_grant",
-			"error_verbose":     "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\n\nThe PKCE code challenge did not match the code verifier.",
-			"error_hint":        "The PKCE code challenge did not match the code verifier.",
-			"status_code":       400
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code challenge did not match the code verifier."
 		}
 	`)

 	fositeTemporarilyUnavailableErrorBody = here.Doc(`
 		{
 		  "error": "temporarily_unavailable",
-		  "error_description": "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server",
-		  "error_verbose": "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server",
-		  "status_code": 503
+		  "error_description": "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server."
 		}
 	`)

@ -749,7 +710,7 @@ func TestTokenExchange(t *testing.T) {
 			},
 			requestedAudience:        "some-workload-cluster",
 			wantStatus:               http.StatusForbidden,
-			wantResponseBodyContains: `missing the \"pinniped:request-audience\" scope`,
+			wantResponseBodyContains: `missing the 'pinniped:request-audience' scope`,
 		},
 		{
 			name: "access token missing openid scope",
@ -766,7 +727,7 @@ func TestTokenExchange(t *testing.T) {
 			},
 			requestedAudience:        "some-workload-cluster",
 			wantStatus:               http.StatusForbidden,
-			wantResponseBodyContains: `missing the \"openid\" scope`,
+			wantResponseBodyContains: `missing the 'openid' scope`,
 		},
 		{
 			name: "token minting failure",
--- a/internal/oidc/token_exchange.go
+++ b/internal/oidc/token_exchange.go
@ -135,7 +135,7 @@ func (t *TokenExchangeHandler) validateAccessToken(ctx context.Context, requeste
 	signature := t.accessTokenStrategy.AccessTokenSignature(accessToken)
 	originalRequester, err := t.accessTokenStorage.GetAccessTokenSession(ctx, signature, requester.GetSession())
 	if err != nil {
-		return nil, fosite.ErrRequestUnauthorized.WithCause(err).WithHint("invalid subject_token")
+		return nil, fosite.ErrRequestUnauthorized.WithWrap(err).WithHint("invalid subject_token")
 	}
 	return originalRequester, nil
 }
--- a/tools/tools.go
+++ b/tools/tools.go
@ -1,12 +0,0 @@
-// +build tools
-
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package tools exists to work around a Go modules oddity and depend on some tool versions.
-package tools
-
-import (
-	_ "github.com/golang/mock/mockgen"
-	_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
-)