From e69183aa8a1ff8f6df1b730b771f656c1f698919 Mon Sep 17 00:00:00 2001
From: Matt Moyer <moyerm@vmware.com>
Date: Fri, 30 Oct 2020 11:03:25 -0500
Subject: [PATCH] Rename `idp.concierge.pinniped.dev` to
 `authentication.concierge.pinniped.dev`.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
---
 apis/concierge/authentication/doc.go.tmpl     |   8 +
 .../v1alpha1/conversion.go.tmpl               |   0
 .../v1alpha1/defaults.go.tmpl                 |   0
 .../v1alpha1/doc.go.tmpl                      |   5 +-
 .../v1alpha1/register.go.tmpl                 |   2 +-
 .../v1alpha1/types_meta.go.tmpl               |   0
 .../v1alpha1/types_tls.go.tmpl                |   0
 .../v1alpha1/types_webhook.go.tmpl            |   0
 apis/concierge/idp/doc.go.tmpl                |   8 -
 cmd/pinniped/cmd/exchange_credential.go       |   4 +-
 cmd/pinniped/cmd/get_kubeconfig.go            |   2 +-
 cmd/pinniped/cmd/get_kubeconfig_test.go       |   8 +-
 ...pinniped.dev_webhookidentityproviders.yaml |   4 +-
 ...pinniped.dev_webhookidentityproviders.yaml |   4 +-
 deploy/concierge/rbac.yaml                    |   2 +-
 deploy/concierge/z0_crd_overlay.yaml          |   2 +-
 doc/demo.md                                   |   2 +-
 generated/1.17/README.adoc                    | 210 +++++++++---------
 .../1.17/apis/concierge/authentication/doc.go |   8 +
 .../v1alpha1/conversion.go                    |   0
 .../v1alpha1/defaults.go                      |   0
 .../{idp => authentication}/v1alpha1/doc.go   |   5 +-
 .../v1alpha1/register.go                      |   2 +-
 .../v1alpha1/types_meta.go                    |   0
 .../v1alpha1/types_tls.go                     |   0
 .../v1alpha1/types_webhook.go                 |   0
 .../v1alpha1/zz_generated.conversion.go       |   0
 .../v1alpha1/zz_generated.deepcopy.go         |   0
 .../v1alpha1/zz_generated.defaults.go         |   0
 .../authentication}/zz_generated.deepcopy.go  |   2 +-
 generated/1.17/apis/concierge/idp/doc.go      |   8 -
 .../client/clientset/versioned/clientset.go   |  28 +--
 .../versioned/fake/clientset_generated.go     |  14 +-
 .../clientset/versioned/fake/register.go      |   4 +-
 .../clientset/versioned/scheme/register.go    |   4 +-
 .../v1alpha1/authentication_client.go}        |  28 +--
 .../{idp => authentication}/v1alpha1/doc.go   |   0
 .../v1alpha1/fake/doc.go                      |   0
 .../fake/fake_authentication_client.go}       |   8 +-
 .../fake/fake_webhookidentityprovider.go      |   8 +-
 .../v1alpha1/generated_expansion.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   4 +-
 .../{idp => authentication}/interface.go      |   4 +-
 .../v1alpha1/interface.go                     |   0
 .../v1alpha1/webhookidentityprovider.go       |  12 +-
 .../informers/externalversions/factory.go     |  12 +-
 .../informers/externalversions/generic.go     |  20 +-
 .../v1alpha1/expansion_generated.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 172 +++++++-------
 ...inniped.dev_webhookidentityproviders.yaml} |   4 +-
 generated/1.18/README.adoc                    | 210 +++++++++---------
 .../1.18/apis/concierge/authentication/doc.go |   8 +
 .../v1alpha1/conversion.go                    |   0
 .../v1alpha1/defaults.go                      |   0
 .../{idp => authentication}/v1alpha1/doc.go   |   5 +-
 .../authentication}/v1alpha1/register.go      |   2 +-
 .../v1alpha1/types_meta.go                    |   0
 .../v1alpha1/types_tls.go                     |   0
 .../v1alpha1/types_webhook.go                 |   0
 .../v1alpha1/zz_generated.conversion.go       |   0
 .../v1alpha1/zz_generated.deepcopy.go         |   0
 .../v1alpha1/zz_generated.defaults.go         |   0
 .../authentication}/zz_generated.deepcopy.go  |   2 +-
 generated/1.18/apis/concierge/idp/doc.go      |   8 -
 .../client/clientset/versioned/clientset.go   |  28 +--
 .../versioned/fake/clientset_generated.go     |  14 +-
 .../clientset/versioned/fake/register.go      |   4 +-
 .../clientset/versioned/scheme/register.go    |   4 +-
 .../v1alpha1/authentication_client.go}        |  28 +--
 .../{idp => authentication}/v1alpha1/doc.go   |   0
 .../v1alpha1/fake/doc.go                      |   0
 .../fake/fake_authentication_client.go}       |   8 +-
 .../fake/fake_webhookidentityprovider.go      |   8 +-
 .../v1alpha1/generated_expansion.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   4 +-
 .../{idp => authentication}/interface.go      |   4 +-
 .../v1alpha1/interface.go                     |   0
 .../v1alpha1/webhookidentityprovider.go       |  12 +-
 .../informers/externalversions/factory.go     |  12 +-
 .../informers/externalversions/generic.go     |  20 +-
 .../v1alpha1/expansion_generated.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 172 +++++++-------
 ...inniped.dev_webhookidentityproviders.yaml} |   4 +-
 generated/1.19/README.adoc                    | 210 +++++++++---------
 .../1.19/apis/concierge/authentication/doc.go |   8 +
 .../v1alpha1/conversion.go                    |   0
 .../v1alpha1/defaults.go                      |   0
 .../{idp => authentication}/v1alpha1/doc.go   |   5 +-
 .../authentication}/v1alpha1/register.go      |   2 +-
 .../v1alpha1/types_meta.go                    |   0
 .../v1alpha1/types_tls.go                     |   0
 .../v1alpha1/types_webhook.go                 |   0
 .../v1alpha1/zz_generated.conversion.go       |   0
 .../v1alpha1/zz_generated.deepcopy.go         |   0
 .../v1alpha1/zz_generated.defaults.go         |   0
 .../zz_generated.deepcopy.go                  |   2 +-
 generated/1.19/apis/concierge/idp/doc.go      |   8 -
 .../client/clientset/versioned/clientset.go   |  28 +--
 .../versioned/fake/clientset_generated.go     |  14 +-
 .../clientset/versioned/fake/register.go      |   4 +-
 .../clientset/versioned/scheme/register.go    |   4 +-
 .../v1alpha1/authentication_client.go}        |  28 +--
 .../{idp => authentication}/v1alpha1/doc.go   |   0
 .../v1alpha1/fake/doc.go                      |   0
 .../fake/fake_authentication_client.go}       |   8 +-
 .../fake/fake_webhookidentityprovider.go      |   8 +-
 .../v1alpha1/generated_expansion.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   4 +-
 .../{idp => authentication}/interface.go      |   4 +-
 .../v1alpha1/interface.go                     |   0
 .../v1alpha1/webhookidentityprovider.go       |  12 +-
 .../informers/externalversions/factory.go     |  12 +-
 .../informers/externalversions/generic.go     |  20 +-
 .../v1alpha1/expansion_generated.go           |   0
 .../v1alpha1/webhookidentityprovider.go       |   2 +-
 .../client/openapi/zz_generated.openapi.go    | 174 +++++++--------
 ...pinniped.dev_webhookidentityproviders.yaml | 149 +++++++++++++
 hack/lib/docs/config.yaml                     |   2 +-
 hack/lib/tilt/Tiltfile                        |   2 +-
 hack/lib/update-codegen.sh                    |   8 +-
 internal/client/client_test.go                |   6 +-
 .../identityprovider/idpcache/cache_test.go   |   4 +-
 .../webhookcachecleaner.go                    |   8 +-
 .../webhookcachecleaner_test.go               |  18 +-
 .../webhookcachefiller/webhookcachefiller.go  |  10 +-
 .../webhookcachefiller_test.go                |  26 +--
 .../controllermanager/prepare_controllers.go  |   4 +-
 .../concierge_credentialrequest_test.go       |   4 +-
 test/integration/kube_api_discovery_test.go   |   8 +-
 test/library/client.go                        |   8 +-
 test/library/env.go                           |   6 +-
 133 files changed, 1067 insertions(+), 922 deletions(-)
 create mode 100644 apis/concierge/authentication/doc.go.tmpl
 rename apis/concierge/{idp => authentication}/v1alpha1/conversion.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/defaults.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/doc.go.tmpl (83%)
 rename apis/concierge/{idp => authentication}/v1alpha1/register.go.tmpl (95%)
 rename apis/concierge/{idp => authentication}/v1alpha1/types_meta.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/types_tls.go.tmpl (100%)
 rename apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go.tmpl (100%)
 delete mode 100644 apis/concierge/idp/doc.go.tmpl
 rename generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml (98%)
 create mode 100644 generated/1.17/apis/concierge/authentication/doc.go
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/conversion.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/defaults.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/doc.go (83%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/register.go (95%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/types_meta.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/types_tls.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.17/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/{1.18/apis/concierge/idp => 1.17/apis/concierge/authentication}/zz_generated.deepcopy.go (89%)
 delete mode 100644 generated/1.17/apis/concierge/idp/doc.go
 rename generated/1.17/client/clientset/versioned/typed/{idp/v1alpha1/idp_client.go => authentication/v1alpha1/authentication_client.go} (53%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/doc.go (100%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/doc.go (100%)
 rename generated/1.17/client/clientset/versioned/typed/{idp/v1alpha1/fake/fake_idp_client.go => authentication/v1alpha1/fake/fake_authentication_client.go} (66%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/fake_webhookidentityprovider.go (94%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/generated_expansion.go (100%)
 rename generated/1.17/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/1.17/client/informers/externalversions/{idp => authentication}/interface.go (94%)
 rename generated/1.17/client/informers/externalversions/{idp => authentication}/v1alpha1/interface.go (100%)
 rename generated/1.17/client/informers/externalversions/{idp => authentication}/v1alpha1/webhookidentityprovider.go (85%)
 rename generated/1.17/client/listers/{idp => authentication}/v1alpha1/expansion_generated.go (100%)
 rename generated/1.17/client/listers/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/{1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml} (98%)
 create mode 100644 generated/1.18/apis/concierge/authentication/doc.go
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/conversion.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/defaults.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/doc.go (83%)
 rename generated/{1.19/apis/concierge/idp => 1.18/apis/concierge/authentication}/v1alpha1/register.go (95%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/types_meta.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/types_tls.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.18/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/{1.17/apis/concierge/idp => 1.18/apis/concierge/authentication}/zz_generated.deepcopy.go (89%)
 delete mode 100644 generated/1.18/apis/concierge/idp/doc.go
 rename generated/1.18/client/clientset/versioned/typed/{idp/v1alpha1/idp_client.go => authentication/v1alpha1/authentication_client.go} (53%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/doc.go (100%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/doc.go (100%)
 rename generated/1.18/client/clientset/versioned/typed/{idp/v1alpha1/fake/fake_idp_client.go => authentication/v1alpha1/fake/fake_authentication_client.go} (66%)
 rename generated/{1.19/client/clientset/versioned/typed/idp => 1.18/client/clientset/versioned/typed/authentication}/v1alpha1/fake/fake_webhookidentityprovider.go (94%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/generated_expansion.go (100%)
 rename generated/1.18/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/1.18/client/informers/externalversions/{idp => authentication}/interface.go (94%)
 rename generated/1.18/client/informers/externalversions/{idp => authentication}/v1alpha1/interface.go (100%)
 rename generated/1.18/client/informers/externalversions/{idp => authentication}/v1alpha1/webhookidentityprovider.go (84%)
 rename generated/1.18/client/listers/{idp => authentication}/v1alpha1/expansion_generated.go (100%)
 rename generated/1.18/client/listers/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/{1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml => 1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml} (98%)
 create mode 100644 generated/1.19/apis/concierge/authentication/doc.go
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/conversion.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/defaults.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/doc.go (83%)
 rename generated/{1.18/apis/concierge/idp => 1.19/apis/concierge/authentication}/v1alpha1/register.go (95%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/types_meta.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/types_tls.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/types_webhook.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.conversion.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.deepcopy.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/v1alpha1/zz_generated.defaults.go (100%)
 rename generated/1.19/apis/concierge/{idp => authentication}/zz_generated.deepcopy.go (89%)
 delete mode 100644 generated/1.19/apis/concierge/idp/doc.go
 rename generated/1.19/client/clientset/versioned/typed/{idp/v1alpha1/idp_client.go => authentication/v1alpha1/authentication_client.go} (53%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/doc.go (100%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/fake/doc.go (100%)
 rename generated/1.19/client/clientset/versioned/typed/{idp/v1alpha1/fake/fake_idp_client.go => authentication/v1alpha1/fake/fake_authentication_client.go} (66%)
 rename generated/{1.18/client/clientset/versioned/typed/idp => 1.19/client/clientset/versioned/typed/authentication}/v1alpha1/fake/fake_webhookidentityprovider.go (94%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/generated_expansion.go (100%)
 rename generated/1.19/client/clientset/versioned/typed/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 rename generated/1.19/client/informers/externalversions/{idp => authentication}/interface.go (94%)
 rename generated/1.19/client/informers/externalversions/{idp => authentication}/v1alpha1/interface.go (100%)
 rename generated/1.19/client/informers/externalversions/{idp => authentication}/v1alpha1/webhookidentityprovider.go (84%)
 rename generated/1.19/client/listers/{idp => authentication}/v1alpha1/expansion_generated.go (100%)
 rename generated/1.19/client/listers/{idp => authentication}/v1alpha1/webhookidentityprovider.go (97%)
 create mode 100644 generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml

diff --git a/apis/concierge/authentication/doc.go.tmpl b/apis/concierge/authentication/doc.go.tmpl
new file mode 100644
index 00000000..c8558463
--- /dev/null
+++ b/apis/concierge/authentication/doc.go.tmpl
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/apis/concierge/idp/v1alpha1/conversion.go.tmpl b/apis/concierge/authentication/v1alpha1/conversion.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/conversion.go.tmpl
rename to apis/concierge/authentication/v1alpha1/conversion.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/defaults.go.tmpl b/apis/concierge/authentication/v1alpha1/defaults.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/defaults.go.tmpl
rename to apis/concierge/authentication/v1alpha1/defaults.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/doc.go.tmpl b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
similarity index 83%
rename from apis/concierge/idp/v1alpha1/doc.go.tmpl
rename to apis/concierge/authentication/v1alpha1/doc.go.tmpl
index 86223a81..4bd09774 100644
--- a/apis/concierge/idp/v1alpha1/doc.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/doc.go.tmpl
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/apis/concierge/idp/v1alpha1/register.go.tmpl b/apis/concierge/authentication/v1alpha1/register.go.tmpl
similarity index 95%
rename from apis/concierge/idp/v1alpha1/register.go.tmpl
rename to apis/concierge/authentication/v1alpha1/register.go.tmpl
index 02164035..b372270d 100644
--- a/apis/concierge/idp/v1alpha1/register.go.tmpl
+++ b/apis/concierge/authentication/v1alpha1/register.go.tmpl
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/apis/concierge/idp/v1alpha1/types_meta.go.tmpl b/apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/types_meta.go.tmpl
rename to apis/concierge/authentication/v1alpha1/types_meta.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/types_tls.go.tmpl b/apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/types_tls.go.tmpl
rename to apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
diff --git a/apis/concierge/idp/v1alpha1/types_webhook.go.tmpl b/apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
similarity index 100%
rename from apis/concierge/idp/v1alpha1/types_webhook.go.tmpl
rename to apis/concierge/authentication/v1alpha1/types_webhook.go.tmpl
diff --git a/apis/concierge/idp/doc.go.tmpl b/apis/concierge/idp/doc.go.tmpl
deleted file mode 100644
index 22adc1b5..00000000
--- a/apis/concierge/idp/doc.go.tmpl
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go
index 91941100..0e8d99d7 100644
--- a/cmd/pinniped/cmd/exchange_credential.go
+++ b/cmd/pinniped/cmd/exchange_credential.go
@@ -16,7 +16,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/internal/client"
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/here"
@@ -143,7 +143,7 @@ func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outp
 	idp := corev1.TypedLocalObjectReference{Name: idpName}
 	switch strings.ToLower(idpType) {
 	case "webhook":
-		idp.APIGroup = &idpv1alpha1.SchemeGroupVersion.Group
+		idp.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
 		idp.Kind = "WebhookIdentityProvider"
 	default:
 		return fmt.Errorf(`%w: %q, supported values are "webhook"`, ErrInvalidIDPType, idpType)
diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go
index 8ed99b0d..fa6935af 100644
--- a/cmd/pinniped/cmd/get_kubeconfig.go
+++ b/cmd/pinniped/cmd/get_kubeconfig.go
@@ -187,7 +187,7 @@ func getDefaultIDP(clientset pinnipedclientset.Interface, namespace string) (str
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancelFunc()
 
-	webhooks, err := clientset.IDPV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
+	webhooks, err := clientset.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return "", "", err
 	}
diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go
index 23142591..23d920c5 100644
--- a/cmd/pinniped/cmd/get_kubeconfig_test.go
+++ b/cmd/pinniped/cmd/get_kubeconfig_test.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/client-go/rest"
 	coretesting "k8s.io/client-go/testing"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
@@ -256,8 +256,8 @@ func TestRun(t *testing.T) {
 				cmd.flags.idpType = ""
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
-						&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
+						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-one"}},
+						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "webhook-two"}},
 					), nil
 				}
 			},
@@ -349,7 +349,7 @@ func TestRun(t *testing.T) {
 
 				cmd.kubeClientCreator = func(_ *rest.Config) (pinnipedclientset.Interface, error) {
 					return pinnipedfake.NewSimpleClientset(
-						&idpv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
+						&authv1alpha.WebhookIdentityProvider{ObjectMeta: metav1.ObjectMeta{Namespace: "test-namespace", Name: "discovered-idp"}},
 						newCredentialIssuerConfig("pinniped-config", "test-namespace", "https://example.com", "test-ca"),
 					), nil
 				}
diff --git a/generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
index af241642..5e7aba72 100644
--- a/generated/1.17/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
index af241642..5e7aba72 100644
--- a/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/deploy/concierge/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 1571d56d..714944be 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -59,7 +59,7 @@ rules:
   - apiGroups: [ "" ]
     resources: [ pods/exec ]
     verbs: [ create ]
-  - apiGroups: [ config.pinniped.dev, idp.concierge.pinniped.dev ]
+  - apiGroups: [ config.pinniped.dev, authentication.concierge.pinniped.dev ]
     resources: [ "*" ]
     verbs: [ create, get, list, update, watch ]
 ---
diff --git a/deploy/concierge/z0_crd_overlay.yaml b/deploy/concierge/z0_crd_overlay.yaml
index 7f637f7e..61f4c93e 100644
--- a/deploy/concierge/z0_crd_overlay.yaml
+++ b/deploy/concierge/z0_crd_overlay.yaml
@@ -10,7 +10,7 @@ metadata:
   #@overlay/match missing_ok=True
   labels: #@ labels()
 
-#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.idp.concierge.pinniped.dev"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"webhookidentityproviders.authentication.concierge.pinniped.dev"}}), expects=1
 ---
 metadata:
   #@overlay/match missing_ok=True
diff --git a/doc/demo.md b/doc/demo.md
index 8cc1a368..8b6cef40 100644
--- a/doc/demo.md
+++ b/doc/demo.md
@@ -122,7 +122,7 @@ as the identity provider.
 
     ```bash
     cat <<EOF | kubectl create --namespace pinniped -f -
-    apiVersion: idp.concierge.pinniped.dev/v1alpha1
+    apiVersion: authentication.concierge.pinniped.dev/v1alpha1
     kind: WebhookIdentityProvider
     metadata:
       name: local-user-authenticator
diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc
index 9cf1ecfd..081abb12 100644
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@@ -5,11 +5,115 @@
 == API Reference
 
 .Packages
+- xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
+[id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
+=== authentication.concierge.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec"]
+==== TLSSpec 
+
+Configuration for configuring TLS on various identity providers.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
+==== WebhookIdentityProvider 
+
+WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
+==== WebhookIdentityProviderSpec 
+
+Spec for configuring a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | Webhook server endpoint URL.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
+==== WebhookIdentityProviderStatus 
+
+Status of a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-config-pinniped-dev-v1alpha1"]
 === config.pinniped.dev/v1alpha1
 
@@ -161,110 +265,6 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
-=== idp.concierge.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-condition"]
-==== Condition 
-
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
-| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-tlsspec"]
-==== TLSSpec 
-
-Configuration for configuring TLS on various identity providers.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
-
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
-
-Spec for configuring a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
-
-Status of a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
-|===
-
-
-
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 
diff --git a/generated/1.17/apis/concierge/authentication/doc.go b/generated/1.17/apis/concierge/authentication/doc.go
new file mode 100644
index 00000000..c8558463
--- /dev/null
+++ b/generated/1.17/apis/concierge/authentication/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/conversion.go b/generated/1.17/apis/concierge/authentication/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/conversion.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/conversion.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/defaults.go b/generated/1.17/apis/concierge/authentication/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/defaults.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/defaults.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/doc.go b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
similarity index 83%
rename from generated/1.17/apis/concierge/idp/v1alpha1/doc.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
index e756111b..8cd69dfa 100644
--- a/generated/1.17/apis/concierge/idp/v1alpha1/doc.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/doc.go
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.17/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/register.go b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
similarity index 95%
rename from generated/1.17/apis/concierge/idp/v1alpha1/register.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/register.go
index 02164035..b372270d 100644
--- a/generated/1.17/apis/concierge/idp/v1alpha1/register.go
+++ b/generated/1.17/apis/concierge/authentication/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/types_meta.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/types_meta.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/types_meta.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/types_tls.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/types_tls.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/types_tls.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/types_webhook.go b/generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/types_webhook.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/types_webhook.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.17/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.17/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/authentication/zz_generated.deepcopy.go
similarity index 89%
rename from generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go
rename to generated/1.17/apis/concierge/authentication/zz_generated.deepcopy.go
index 0b9642ea..3a7a0f4b 100644
--- a/generated/1.18/apis/concierge/idp/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/concierge/authentication/zz_generated.deepcopy.go
@@ -5,4 +5,4 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package idp
+package authentication
diff --git a/generated/1.17/apis/concierge/idp/doc.go b/generated/1.17/apis/concierge/idp/doc.go
deleted file mode 100644
index 22adc1b5..00000000
--- a/generated/1.17/apis/concierge/idp/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/generated/1.17/client/clientset/versioned/clientset.go b/generated/1.17/client/clientset/versioned/clientset.go
index 9fdf9233..99230a87 100644
--- a/generated/1.17/client/clientset/versioned/clientset.go
+++ b/generated/1.17/client/clientset/versioned/clientset.go
@@ -8,8 +8,8 @@ package versioned
 import (
 	"fmt"
 
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -18,8 +18,8 @@ import (
 
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
-	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 }
 
@@ -27,9 +27,14 @@ type Interface interface {
 // version included in a Clientset.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
-	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
-	loginV1alpha1  *loginv1alpha1.LoginV1alpha1Client
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -37,11 +42,6 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return c.iDPV1alpha1
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return c.loginV1alpha1
@@ -68,11 +68,11 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	}
 	var cs Clientset
 	var err error
-	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
-	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -92,8 +92,8 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 // panics if there is an error in the config.
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.NewForConfigOrDie(c)
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
-	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -103,8 +103,8 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
 	cs.configV1alpha1 = configv1alpha1.New(c)
-	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 	cs.loginV1alpha1 = loginv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
diff --git a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go
index 5ce3436b..b8c4ba16 100644
--- a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go
@@ -7,10 +7,10 @@ package fake
 
 import (
 	clientset "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/config/v1alpha1/fake"
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
-	fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/login/v1alpha1"
 	fakeloginv1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/login/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,16 +67,16 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 
 var _ clientset.Interface = &Clientset{}
 
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
diff --git a/generated/1.17/client/clientset/versioned/fake/register.go b/generated/1.17/client/clientset/versioned/fake/register.go
index 2866783b..da71772e 100644
--- a/generated/1.17/client/clientset/versioned/fake/register.go
+++ b/generated/1.17/client/clientset/versioned/fake/register.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.17/client/clientset/versioned/scheme/register.go b/generated/1.17/client/clientset/versioned/scheme/register.go
index 9d4e26ea..f257102f 100644
--- a/generated/1.17/client/clientset/versioned/scheme/register.go
+++ b/generated/1.17/client/clientset/versioned/scheme/register.go
@@ -6,7 +6,7 @@
 package scheme
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
similarity index 53%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 4b5cb0c4..360fce0f 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -6,27 +6,27 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
 
-type IDPV1alpha1Interface interface {
+type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
-type IDPV1alpha1Client struct {
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
+func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }
 
-// NewForConfig creates a new IDPV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
 	config := *c
 	if err := setConfigDefaults(&config); err != nil {
 		return nil, err
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &IDPV1alpha1Client{client}, nil
+	return &AuthenticationV1alpha1Client{client}, nil
 }
 
-// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
 	return client
 }
 
-// New creates a new IDPV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *IDPV1alpha1Client {
-	return &IDPV1alpha1Client{c}
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
 }
 
 func setConfigDefaults(config *rest.Config) error {
@@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error {
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
similarity index 100%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
similarity index 100%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
similarity index 66%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 3d093d10..331981fa 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -6,22 +6,22 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeIDPV1alpha1 struct {
+type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
+func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
similarity index 94%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
index 1d87624b..30681a89 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -17,13 +17,13 @@ import (
 
 // FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
 type FakeWebhookIdentityProviders struct {
-	Fake *FakeIDPV1alpha1
+	Fake *FakeAuthenticationV1alpha1
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
similarity index 100%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
index afd49019..10114517 100644
--- a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
@@ -8,7 +8,7 @@ package v1alpha1
 import (
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.17/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -43,7 +43,7 @@ type webhookIdentityProviders struct {
 }
 
 // newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
+func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
 	return &webhookIdentityProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
diff --git a/generated/1.17/client/informers/externalversions/idp/interface.go b/generated/1.17/client/informers/externalversions/authentication/interface.go
similarity index 94%
rename from generated/1.17/client/informers/externalversions/idp/interface.go
rename to generated/1.17/client/informers/externalversions/authentication/interface.go
index deb66201..2dfbf1ad 100644
--- a/generated/1.17/client/informers/externalversions/idp/interface.go
+++ b/generated/1.17/client/informers/externalversions/authentication/interface.go
@@ -3,10 +3,10 @@
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package idp
+package authentication
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/informers/externalversions/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/informers/externalversions/authentication/v1alpha1"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
 )
 
diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
similarity index 100%
rename from generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go
rename to generated/1.17/client/informers/externalversions/authentication/v1alpha1/interface.go
diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
similarity index 85%
rename from generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
index 246ac27b..86d3336a 100644
--- a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
@@ -8,10 +8,10 @@ package v1alpha1
 import (
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/client/listers/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -48,16 +48,16 @@ func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, name
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
 			},
 		},
-		&idpv1alpha1.WebhookIdentityProvider{},
+		&authenticationv1alpha1.WebhookIdentityProvider{},
 		resyncPeriod,
 		indexers,
 	)
@@ -68,7 +68,7 @@ func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Inter
 }
 
 func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
 }
 
 func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
diff --git a/generated/1.17/client/informers/externalversions/factory.go b/generated/1.17/client/informers/externalversions/factory.go
index 414a8b20..2c63113e 100644
--- a/generated/1.17/client/informers/externalversions/factory.go
+++ b/generated/1.17/client/informers/externalversions/factory.go
@@ -11,8 +11,8 @@ import (
 	time "time"
 
 	versioned "go.pinniped.dev/generated/1.17/client/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.17/client/informers/externalversions/authentication"
 	config "go.pinniped.dev/generated/1.17/client/informers/externalversions/config"
-	idp "go.pinniped.dev/generated/1.17/client/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.17/client/informers/externalversions/internalinterfaces"
 	login "go.pinniped.dev/generated/1.17/client/informers/externalversions/login"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -161,19 +161,19 @@ type SharedInformerFactory interface {
 	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
+	Authentication() authentication.Interface
 	Config() config.Interface
-	IDP() idp.Interface
 	Login() login.Interface
 }
 
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
 
-func (f *sharedInformerFactory) IDP() idp.Interface {
-	return idp.New(f, f.namespace, f.tweakListOptions)
-}
-
 func (f *sharedInformerFactory) Login() login.Interface {
 	return login.New(f, f.namespace, f.tweakListOptions)
 }
diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go
index 6e150170..e6f3f43e 100644
--- a/generated/1.17/client/informers/externalversions/generic.go
+++ b/generated/1.17/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1"
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.17/apis/config/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -41,15 +41,15 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=config.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
-		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
-	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+		// Group=config.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case configv1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
diff --git a/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
similarity index 100%
rename from generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go
rename to generated/1.17/client/listers/authentication/v1alpha1/expansion_generated.go
diff --git a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
index afe20573..933b303d 100644
--- a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.17/client/listers/authentication/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go
index 9350e05a..b8d43ca3 100644
--- a/generated/1.17/client/openapi/zz_generated.openapi.go
+++ b/generated/1.17/client/openapi/zz_generated.openapi.go
@@ -17,81 +17,81 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus": schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":  schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":            schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":          schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":        schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                    schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                      schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                          schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                        schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                        schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                             schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                        schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                             schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                           schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                            schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                        schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                         schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                             schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                     schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                 schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                        schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                        schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                             schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                 schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                             schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                          schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                   schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                            schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                           schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                       schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                            schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                         schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                        schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                            schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                            schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                               schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                          schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                        schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                         schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                             schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                    schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                 schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                            schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                             schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                        schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                           schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_117_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_117_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_117_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_117_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_117_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfig":                              schema_117_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_117_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.17/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_117_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -148,7 +148,7 @@ func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback)
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -168,7 +168,7 @@ func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -197,13 +197,13 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
 						},
 					},
 				},
@@ -211,11 +211,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -247,7 +247,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
 									},
 								},
 							},
@@ -258,11 +258,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -279,7 +279,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 					"tls": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec"),
 						},
 					},
 				},
@@ -287,11 +287,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.TLSSpec"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.TLSSpec"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -315,7 +315,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition"),
+										Ref: ref("go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition"),
 									},
 								},
 							},
@@ -325,7 +325,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.17/apis/concierge/idp/v1alpha1.Condition"},
+			"go.pinniped.dev/generated/1.17/apis/concierge/authentication/v1alpha1.Condition"},
 	}
 }
 
diff --git a/generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
index af241642..5e7aba72 100644
--- a/generated/1.18/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.17/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc
index 42bbd525..ca7a442f 100644
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@@ -5,11 +5,115 @@
 == API Reference
 
 .Packages
+- xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
+[id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
+=== authentication.concierge.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec"]
+==== TLSSpec 
+
+Configuration for configuring TLS on various identity providers.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
+==== WebhookIdentityProvider 
+
+WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
+==== WebhookIdentityProviderSpec 
+
+Spec for configuring a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | Webhook server endpoint URL.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
+==== WebhookIdentityProviderStatus 
+
+Status of a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-config-pinniped-dev-v1alpha1"]
 === config.pinniped.dev/v1alpha1
 
@@ -161,110 +265,6 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
-=== idp.concierge.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-condition"]
-==== Condition 
-
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
-| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-tlsspec"]
-==== TLSSpec 
-
-Configuration for configuring TLS on various identity providers.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
-
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
-
-Spec for configuring a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
-
-Status of a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
-|===
-
-
-
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 
diff --git a/generated/1.18/apis/concierge/authentication/doc.go b/generated/1.18/apis/concierge/authentication/doc.go
new file mode 100644
index 00000000..c8558463
--- /dev/null
+++ b/generated/1.18/apis/concierge/authentication/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/conversion.go b/generated/1.18/apis/concierge/authentication/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/conversion.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/conversion.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/defaults.go b/generated/1.18/apis/concierge/authentication/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/defaults.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/defaults.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/doc.go b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
similarity index 83%
rename from generated/1.18/apis/concierge/idp/v1alpha1/doc.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
index 8053d0a2..49cd7430 100644
--- a/generated/1.18/apis/concierge/idp/v1alpha1/doc.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/doc.go
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.18/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/register.go b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
similarity index 95%
rename from generated/1.19/apis/concierge/idp/v1alpha1/register.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/register.go
index 02164035..b372270d 100644
--- a/generated/1.19/apis/concierge/idp/v1alpha1/register.go
+++ b/generated/1.18/apis/concierge/authentication/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/types_meta.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/types_meta.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/types_meta.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/types_tls.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/types_tls.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/types_tls.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/types_webhook.go b/generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/types_webhook.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/types_webhook.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.18/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.18/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/authentication/zz_generated.deepcopy.go
similarity index 89%
rename from generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go
rename to generated/1.18/apis/concierge/authentication/zz_generated.deepcopy.go
index 0b9642ea..3a7a0f4b 100644
--- a/generated/1.17/apis/concierge/idp/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/concierge/authentication/zz_generated.deepcopy.go
@@ -5,4 +5,4 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package idp
+package authentication
diff --git a/generated/1.18/apis/concierge/idp/doc.go b/generated/1.18/apis/concierge/idp/doc.go
deleted file mode 100644
index 22adc1b5..00000000
--- a/generated/1.18/apis/concierge/idp/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/generated/1.18/client/clientset/versioned/clientset.go b/generated/1.18/client/clientset/versioned/clientset.go
index fcd663cd..5201e527 100644
--- a/generated/1.18/client/clientset/versioned/clientset.go
+++ b/generated/1.18/client/clientset/versioned/clientset.go
@@ -8,8 +8,8 @@ package versioned
 import (
 	"fmt"
 
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -18,8 +18,8 @@ import (
 
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
-	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 }
 
@@ -27,9 +27,14 @@ type Interface interface {
 // version included in a Clientset.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
-	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
-	loginV1alpha1  *loginv1alpha1.LoginV1alpha1Client
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -37,11 +42,6 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return c.iDPV1alpha1
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return c.loginV1alpha1
@@ -68,11 +68,11 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	}
 	var cs Clientset
 	var err error
-	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
-	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -92,8 +92,8 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 // panics if there is an error in the config.
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.NewForConfigOrDie(c)
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
-	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -103,8 +103,8 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
 	cs.configV1alpha1 = configv1alpha1.New(c)
-	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 	cs.loginV1alpha1 = loginv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
diff --git a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go
index 00b7ab1c..b8b6acea 100644
--- a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go
@@ -7,10 +7,10 @@ package fake
 
 import (
 	clientset "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/config/v1alpha1/fake"
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
-	fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/login/v1alpha1"
 	fakeloginv1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/login/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,16 +67,16 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 
 var _ clientset.Interface = &Clientset{}
 
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
diff --git a/generated/1.18/client/clientset/versioned/fake/register.go b/generated/1.18/client/clientset/versioned/fake/register.go
index 92d661ce..bdb2ee64 100644
--- a/generated/1.18/client/clientset/versioned/fake/register.go
+++ b/generated/1.18/client/clientset/versioned/fake/register.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.18/client/clientset/versioned/scheme/register.go b/generated/1.18/client/clientset/versioned/scheme/register.go
index 47b008a8..e41b4bf9 100644
--- a/generated/1.18/client/clientset/versioned/scheme/register.go
+++ b/generated/1.18/client/clientset/versioned/scheme/register.go
@@ -6,7 +6,7 @@
 package scheme
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
similarity index 53%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index 45705e9a..4073c3c6 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -6,27 +6,27 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
 
-type IDPV1alpha1Interface interface {
+type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
-type IDPV1alpha1Client struct {
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
+func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }
 
-// NewForConfig creates a new IDPV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
 	config := *c
 	if err := setConfigDefaults(&config); err != nil {
 		return nil, err
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &IDPV1alpha1Client{client}, nil
+	return &AuthenticationV1alpha1Client{client}, nil
 }
 
-// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
 	return client
 }
 
-// New creates a new IDPV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *IDPV1alpha1Client {
-	return &IDPV1alpha1Client{c}
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
 }
 
 func setConfigDefaults(config *rest.Config) error {
@@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error {
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
similarity index 100%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
similarity index 100%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
similarity index 66%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index ba62b218..73de150f 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -6,22 +6,22 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeIDPV1alpha1 struct {
+type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
+func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
similarity index 94%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
index 1b64361c..05757ab0 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -8,7 +8,7 @@ package fake
 import (
 	"context"
 
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 
 // FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
 type FakeWebhookIdentityProviders struct {
-	Fake *FakeIDPV1alpha1
+	Fake *FakeAuthenticationV1alpha1
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
similarity index 100%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
index 389aff71..157cb606 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.18/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type webhookIdentityProviders struct {
 }
 
 // newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
+func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
 	return &webhookIdentityProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
diff --git a/generated/1.18/client/informers/externalversions/idp/interface.go b/generated/1.18/client/informers/externalversions/authentication/interface.go
similarity index 94%
rename from generated/1.18/client/informers/externalversions/idp/interface.go
rename to generated/1.18/client/informers/externalversions/authentication/interface.go
index b6c033f9..6770ff80 100644
--- a/generated/1.18/client/informers/externalversions/idp/interface.go
+++ b/generated/1.18/client/informers/externalversions/authentication/interface.go
@@ -3,10 +3,10 @@
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package idp
+package authentication
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/informers/externalversions/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/informers/externalversions/authentication/v1alpha1"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
 )
 
diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
similarity index 100%
rename from generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go
rename to generated/1.18/client/informers/externalversions/authentication/v1alpha1/interface.go
diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
similarity index 84%
rename from generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
index 30c79d4d..3225aa73 100644
--- a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,10 +9,10 @@ import (
 	"context"
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/client/listers/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, name
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
 			},
 		},
-		&idpv1alpha1.WebhookIdentityProvider{},
+		&authenticationv1alpha1.WebhookIdentityProvider{},
 		resyncPeriod,
 		indexers,
 	)
@@ -69,7 +69,7 @@ func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Inter
 }
 
 func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
 }
 
 func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
diff --git a/generated/1.18/client/informers/externalversions/factory.go b/generated/1.18/client/informers/externalversions/factory.go
index f3793b09..a2b67de7 100644
--- a/generated/1.18/client/informers/externalversions/factory.go
+++ b/generated/1.18/client/informers/externalversions/factory.go
@@ -11,8 +11,8 @@ import (
 	time "time"
 
 	versioned "go.pinniped.dev/generated/1.18/client/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.18/client/informers/externalversions/authentication"
 	config "go.pinniped.dev/generated/1.18/client/informers/externalversions/config"
-	idp "go.pinniped.dev/generated/1.18/client/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.18/client/informers/externalversions/internalinterfaces"
 	login "go.pinniped.dev/generated/1.18/client/informers/externalversions/login"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -161,19 +161,19 @@ type SharedInformerFactory interface {
 	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
+	Authentication() authentication.Interface
 	Config() config.Interface
-	IDP() idp.Interface
 	Login() login.Interface
 }
 
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
 
-func (f *sharedInformerFactory) IDP() idp.Interface {
-	return idp.New(f, f.namespace, f.tweakListOptions)
-}
-
 func (f *sharedInformerFactory) Login() login.Interface {
 	return login.New(f, f.namespace, f.tweakListOptions)
 }
diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go
index 1c522d11..0509c7d3 100644
--- a/generated/1.18/client/informers/externalversions/generic.go
+++ b/generated/1.18/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1"
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.18/apis/config/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -41,15 +41,15 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=config.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
-		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
-	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+		// Group=config.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case configv1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
diff --git a/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
similarity index 100%
rename from generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go
rename to generated/1.18/client/listers/authentication/v1alpha1/expansion_generated.go
diff --git a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
index 6a9940c8..218cf682 100644
--- a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.18/client/listers/authentication/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go
index bf054a3e..44332c47 100644
--- a/generated/1.18/client/openapi/zz_generated.openapi.go
+++ b/generated/1.18/client/openapi/zz_generated.openapi.go
@@ -17,81 +17,81 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus": schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":  schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":            schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":          schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":        schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                    schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                      schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                          schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                        schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                        schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                             schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                        schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                             schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                           schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                            schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                        schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                         schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                             schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                     schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                 schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                        schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                        schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                             schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                 schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                             schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                          schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                   schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                            schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                           schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                       schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                            schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                         schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                        schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                            schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                            schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                               schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                          schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                        schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                         schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                             schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                    schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                 schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                            schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                             schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                        schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                           schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_118_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_118_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_118_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_118_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_118_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfig":                              schema_118_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_118_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.18/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_118_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -148,7 +148,7 @@ func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback)
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -168,7 +168,7 @@ func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -197,13 +197,13 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
 						},
 					},
 				},
@@ -211,11 +211,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -247,7 +247,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
 									},
 								},
 							},
@@ -258,11 +258,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -279,7 +279,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 					"tls": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec"),
 						},
 					},
 				},
@@ -287,11 +287,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.TLSSpec"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.TLSSpec"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -315,7 +315,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition"),
+										Ref: ref("go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition"),
 									},
 								},
 							},
@@ -325,7 +325,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1.Condition"},
+			"go.pinniped.dev/generated/1.18/apis/concierge/authentication/v1alpha1.Condition"},
 	}
 }
 
diff --git a/generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
similarity index 98%
rename from generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
rename to generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
index af241642..5e7aba72 100644
--- a/generated/1.19/crds/idp.concierge.pinniped.dev_webhookidentityproviders.yaml
+++ b/generated/1.18/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
-  name: webhookidentityproviders.idp.concierge.pinniped.dev
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
 spec:
-  group: idp.concierge.pinniped.dev
+  group: authentication.concierge.pinniped.dev
   names:
     categories:
     - all
diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc
index 1c8018cc..00984654 100644
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@@ -5,11 +5,115 @@
 == API Reference
 
 .Packages
+- xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-config-pinniped-dev-v1alpha1[$$config.pinniped.dev/v1alpha1$$]
-- xref:{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1[$$idp.concierge.pinniped.dev/v1alpha1$$]
 - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$]
 
 
+[id="{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1"]
+=== authentication.concierge.pinniped.dev/v1alpha1
+
+Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition"]
+==== Condition 
+
+Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
+| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec"]
+==== TLSSpec 
+
+Configuration for configuring TLS on various identity providers.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider"]
+==== WebhookIdentityProvider 
+
+WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
+
+| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
+| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
+|===
+
+
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderspec"]
+==== WebhookIdentityProviderSpec 
+
+Spec for configuring a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`endpoint`* __string__ | Webhook server endpoint URL.
+| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
+|===
+
+
+[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityproviderstatus"]
+==== WebhookIdentityProviderStatus 
+
+Status of a webhook identity provider.
+
+.Appears In:
+****
+- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
+****
+
+[cols="25a,75a", options="header"]
+|===
+| Field | Description
+| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-authentication-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
+|===
+
+
+
 [id="{anchor_prefix}-config-pinniped-dev-v1alpha1"]
 === config.pinniped.dev/v1alpha1
 
@@ -161,110 +265,6 @@ OIDCProviderConfigStatus is a struct that describes the actual state of an OIDC
 
 
 
-[id="{anchor_prefix}-idp-concierge-pinniped-dev-v1alpha1"]
-=== idp.concierge.pinniped.dev/v1alpha1
-
-Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-condition"]
-==== Condition 
-
-Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
-| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-tlsspec"]
-==== TLSSpec 
-
-Configuration for configuring TLS on various identity providers.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider"]
-==== WebhookIdentityProvider 
-
-WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
-
-| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
-| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
-|===
-
-
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderspec"]
-==== WebhookIdentityProviderSpec 
-
-Spec for configuring a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`endpoint`* __string__ | Webhook server endpoint URL.
-| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
-|===
-
-
-[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityproviderstatus"]
-==== WebhookIdentityProviderStatus 
-
-Status of a webhook identity provider.
-
-.Appears In:
-****
-- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
-****
-
-[cols="25a,75a", options="header"]
-|===
-| Field | Description
-| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
-|===
-
-
-
 [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
 === login.concierge.pinniped.dev/v1alpha1
 
diff --git a/generated/1.19/apis/concierge/authentication/doc.go b/generated/1.19/apis/concierge/authentication/doc.go
new file mode 100644
index 00000000..c8558463
--- /dev/null
+++ b/generated/1.19/apis/concierge/authentication/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// +k8s:deepcopy-gen=package
+// +groupName=authentication.concierge.pinniped.dev
+
+// Package authentication is the internal version of the Pinniped identity provider API.
+package authentication
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/conversion.go b/generated/1.19/apis/concierge/authentication/v1alpha1/conversion.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/conversion.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/conversion.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/defaults.go b/generated/1.19/apis/concierge/authentication/v1alpha1/defaults.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/defaults.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/defaults.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/doc.go b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
similarity index 83%
rename from generated/1.19/apis/concierge/idp/v1alpha1/doc.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
index 63c0d3c4..981b832f 100644
--- a/generated/1.19/apis/concierge/idp/v1alpha1/doc.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/doc.go
@@ -3,10 +3,9 @@
 
 // +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
-// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/concierge/idp
+// +k8s:conversion-gen=go.pinniped.dev/generated/1.19/apis/concierge/authentication
 // +k8s:defaulter-gen=TypeMeta
-// +groupName=idp.concierge.pinniped.dev
-// +groupGoName=IDP
+// +groupName=authentication.concierge.pinniped.dev
 
 // Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
 package v1alpha1
diff --git a/generated/1.18/apis/concierge/idp/v1alpha1/register.go b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
similarity index 95%
rename from generated/1.18/apis/concierge/idp/v1alpha1/register.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/register.go
index 02164035..b372270d 100644
--- a/generated/1.18/apis/concierge/idp/v1alpha1/register.go
+++ b/generated/1.19/apis/concierge/authentication/v1alpha1/register.go
@@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-const GroupName = "idp.concierge.pinniped.dev"
+const GroupName = "authentication.concierge.pinniped.dev"
 
 // SchemeGroupVersion is group version used to register these objects.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/types_meta.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_meta.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/types_meta.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/types_meta.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/types_tls.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/types_tls.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/types_tls.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/types_webhook.go b/generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/types_webhook.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/types_webhook.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.conversion.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.conversion.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.deepcopy.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
similarity index 100%
rename from generated/1.19/apis/concierge/idp/v1alpha1/zz_generated.defaults.go
rename to generated/1.19/apis/concierge/authentication/v1alpha1/zz_generated.defaults.go
diff --git a/generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/authentication/zz_generated.deepcopy.go
similarity index 89%
rename from generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go
rename to generated/1.19/apis/concierge/authentication/zz_generated.deepcopy.go
index 0b9642ea..3a7a0f4b 100644
--- a/generated/1.19/apis/concierge/idp/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/concierge/authentication/zz_generated.deepcopy.go
@@ -5,4 +5,4 @@
 
 // Code generated by deepcopy-gen. DO NOT EDIT.
 
-package idp
+package authentication
diff --git a/generated/1.19/apis/concierge/idp/doc.go b/generated/1.19/apis/concierge/idp/doc.go
deleted file mode 100644
index 22adc1b5..00000000
--- a/generated/1.19/apis/concierge/idp/doc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// +k8s:deepcopy-gen=package
-// +groupName=idp.concierge.pinniped.dev
-
-// Package idp is the internal version of the Pinniped identity provider API.
-package idp
diff --git a/generated/1.19/client/clientset/versioned/clientset.go b/generated/1.19/client/clientset/versioned/clientset.go
index 29731075..13bdbea2 100644
--- a/generated/1.19/client/clientset/versioned/clientset.go
+++ b/generated/1.19/client/clientset/versioned/clientset.go
@@ -8,8 +8,8 @@ package versioned
 import (
 	"fmt"
 
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/config/v1alpha1"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/login/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -18,8 +18,8 @@ import (
 
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
+	AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface
 	ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface
-	IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
 	LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface
 }
 
@@ -27,9 +27,14 @@ type Interface interface {
 // version included in a Clientset.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	configV1alpha1 *configv1alpha1.ConfigV1alpha1Client
-	iDPV1alpha1    *idpv1alpha1.IDPV1alpha1Client
-	loginV1alpha1  *loginv1alpha1.LoginV1alpha1Client
+	authenticationV1alpha1 *authenticationv1alpha1.AuthenticationV1alpha1Client
+	configV1alpha1         *configv1alpha1.ConfigV1alpha1Client
+	loginV1alpha1          *loginv1alpha1.LoginV1alpha1Client
+}
+
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return c.authenticationV1alpha1
 }
 
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
@@ -37,11 +42,6 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return c.configV1alpha1
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return c.iDPV1alpha1
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return c.loginV1alpha1
@@ -68,11 +68,11 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 	}
 	var cs Clientset
 	var err error
-	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
+	cs.authenticationV1alpha1, err = authenticationv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
-	cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
+	cs.configV1alpha1, err = configv1alpha1.NewForConfig(&configShallowCopy)
 	if err != nil {
 		return nil, err
 	}
@@ -92,8 +92,8 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
 // panics if there is an error in the config.
 func NewForConfigOrDie(c *rest.Config) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.NewForConfigOrDie(c)
 	cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c)
-	cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
 	cs.loginV1alpha1 = loginv1alpha1.NewForConfigOrDie(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@@ -103,8 +103,8 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
+	cs.authenticationV1alpha1 = authenticationv1alpha1.New(c)
 	cs.configV1alpha1 = configv1alpha1.New(c)
-	cs.iDPV1alpha1 = idpv1alpha1.New(c)
 	cs.loginV1alpha1 = loginv1alpha1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
diff --git a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go
index 627c9388..b87c4e8f 100644
--- a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go
+++ b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go
@@ -7,10 +7,10 @@ package fake
 
 import (
 	clientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1"
+	fakeauthenticationv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/config/v1alpha1"
 	fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/config/v1alpha1/fake"
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
-	fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/login/v1alpha1"
 	fakeloginv1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/login/v1alpha1/fake"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,16 +67,16 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 
 var _ clientset.Interface = &Clientset{}
 
+// AuthenticationV1alpha1 retrieves the AuthenticationV1alpha1Client
+func (c *Clientset) AuthenticationV1alpha1() authenticationv1alpha1.AuthenticationV1alpha1Interface {
+	return &fakeauthenticationv1alpha1.FakeAuthenticationV1alpha1{Fake: &c.Fake}
+}
+
 // ConfigV1alpha1 retrieves the ConfigV1alpha1Client
 func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface {
 	return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake}
 }
 
-// IDPV1alpha1 retrieves the IDPV1alpha1Client
-func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
-	return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
-}
-
 // LoginV1alpha1 retrieves the LoginV1alpha1Client
 func (c *Clientset) LoginV1alpha1() loginv1alpha1.LoginV1alpha1Interface {
 	return &fakeloginv1alpha1.FakeLoginV1alpha1{Fake: &c.Fake}
diff --git a/generated/1.19/client/clientset/versioned/fake/register.go b/generated/1.19/client/clientset/versioned/fake/register.go
index 6ac8af66..c2e584bd 100644
--- a/generated/1.19/client/clientset/versioned/fake/register.go
+++ b/generated/1.19/client/clientset/versioned/fake/register.go
@@ -6,7 +6,7 @@
 package fake
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.19/client/clientset/versioned/scheme/register.go b/generated/1.19/client/clientset/versioned/scheme/register.go
index bec738f4..9f302580 100644
--- a/generated/1.19/client/clientset/versioned/scheme/register.go
+++ b/generated/1.19/client/clientset/versioned/scheme/register.go
@@ -6,7 +6,7 @@
 package scheme
 
 import (
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,8 +20,8 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
+	authenticationv1alpha1.AddToScheme,
 	configv1alpha1.AddToScheme,
-	idpv1alpha1.AddToScheme,
 	loginv1alpha1.AddToScheme,
 }
 
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
similarity index 53%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
index cf93cc9a..cdfa725e 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go
@@ -6,27 +6,27 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	"go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
 
-type IDPV1alpha1Interface interface {
+type AuthenticationV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	WebhookIdentityProvidersGetter
 }
 
-// IDPV1alpha1Client is used to interact with features provided by the idp.concierge.pinniped.dev group.
-type IDPV1alpha1Client struct {
+// AuthenticationV1alpha1Client is used to interact with features provided by the authentication.concierge.pinniped.dev group.
+type AuthenticationV1alpha1Client struct {
 	restClient rest.Interface
 }
 
-func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
+func (c *AuthenticationV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
 	return newWebhookIdentityProviders(c, namespace)
 }
 
-// NewForConfig creates a new IDPV1alpha1Client for the given config.
-func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
+// NewForConfig creates a new AuthenticationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1alpha1Client, error) {
 	config := *c
 	if err := setConfigDefaults(&config); err != nil {
 		return nil, err
@@ -35,12 +35,12 @@ func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &IDPV1alpha1Client{client}, nil
+	return &AuthenticationV1alpha1Client{client}, nil
 }
 
-// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new AuthenticationV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -48,9 +48,9 @@ func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
 	return client
 }
 
-// New creates a new IDPV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *IDPV1alpha1Client {
-	return &IDPV1alpha1Client{c}
+// New creates a new AuthenticationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1alpha1Client {
+	return &AuthenticationV1alpha1Client{c}
 }
 
 func setConfigDefaults(config *rest.Config) error {
@@ -68,7 +68,7 @@ func setConfigDefaults(config *rest.Config) error {
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
+func (c *AuthenticationV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
similarity index 100%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/doc.go
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
similarity index 100%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
similarity index 66%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
index 3181fd18..f75f4480 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go
@@ -6,22 +6,22 @@
 package fake
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeIDPV1alpha1 struct {
+type FakeAuthenticationV1alpha1 struct {
 	*testing.Fake
 }
 
-func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
+func (c *FakeAuthenticationV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
 	return &FakeWebhookIdentityProviders{c, namespace}
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
+func (c *FakeAuthenticationV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
similarity index 94%
rename from generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
index 00071eee..62fe34a8 100644
--- a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookidentityprovider.go
@@ -8,7 +8,7 @@ package fake
 import (
 	"context"
 
-	v1alpha1 "go.pinniped.dev/generated/1.18/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -19,13 +19,13 @@ import (
 
 // FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
 type FakeWebhookIdentityProviders struct {
-	Fake *FakeIDPV1alpha1
+	Fake *FakeAuthenticationV1alpha1
 	ns   string
 }
 
-var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
+var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
 
-var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
+var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "authentication.concierge.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
 
 // Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
 func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
similarity index 100%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go
diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
index b17cc8f2..1b7c2405 100644
--- a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/clientset/versioned/typed/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"
 
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	scheme "go.pinniped.dev/generated/1.19/client/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
@@ -44,7 +44,7 @@ type webhookIdentityProviders struct {
 }
 
 // newWebhookIdentityProviders returns a WebhookIdentityProviders
-func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
+func newWebhookIdentityProviders(c *AuthenticationV1alpha1Client, namespace string) *webhookIdentityProviders {
 	return &webhookIdentityProviders{
 		client: c.RESTClient(),
 		ns:     namespace,
diff --git a/generated/1.19/client/informers/externalversions/idp/interface.go b/generated/1.19/client/informers/externalversions/authentication/interface.go
similarity index 94%
rename from generated/1.19/client/informers/externalversions/idp/interface.go
rename to generated/1.19/client/informers/externalversions/authentication/interface.go
index 8094d853..a8e51d7f 100644
--- a/generated/1.19/client/informers/externalversions/idp/interface.go
+++ b/generated/1.19/client/informers/externalversions/authentication/interface.go
@@ -3,10 +3,10 @@
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package idp
+package authentication
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
 )
 
diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
similarity index 100%
rename from generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go
rename to generated/1.19/client/informers/externalversions/authentication/v1alpha1/interface.go
diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
similarity index 84%
rename from generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
index 0238ec1a..938349b5 100644
--- a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/informers/externalversions/authentication/v1alpha1/webhookidentityprovider.go
@@ -9,10 +9,10 @@ import (
 	"context"
 	time "time"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authenticationv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
-	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/client/listers/authentication/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -49,16 +49,16 @@ func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, name
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
 				}
-				return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
+				return client.AuthenticationV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
 			},
 		},
-		&idpv1alpha1.WebhookIdentityProvider{},
+		&authenticationv1alpha1.WebhookIdentityProvider{},
 		resyncPeriod,
 		indexers,
 	)
@@ -69,7 +69,7 @@ func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Inter
 }
 
 func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
+	return f.factory.InformerFor(&authenticationv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
 }
 
 func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
diff --git a/generated/1.19/client/informers/externalversions/factory.go b/generated/1.19/client/informers/externalversions/factory.go
index 5f503b85..58dcf259 100644
--- a/generated/1.19/client/informers/externalversions/factory.go
+++ b/generated/1.19/client/informers/externalversions/factory.go
@@ -11,8 +11,8 @@ import (
 	time "time"
 
 	versioned "go.pinniped.dev/generated/1.19/client/clientset/versioned"
+	authentication "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication"
 	config "go.pinniped.dev/generated/1.19/client/informers/externalversions/config"
-	idp "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp"
 	internalinterfaces "go.pinniped.dev/generated/1.19/client/informers/externalversions/internalinterfaces"
 	login "go.pinniped.dev/generated/1.19/client/informers/externalversions/login"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -161,19 +161,19 @@ type SharedInformerFactory interface {
 	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
 	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
 
+	Authentication() authentication.Interface
 	Config() config.Interface
-	IDP() idp.Interface
 	Login() login.Interface
 }
 
+func (f *sharedInformerFactory) Authentication() authentication.Interface {
+	return authentication.New(f, f.namespace, f.tweakListOptions)
+}
+
 func (f *sharedInformerFactory) Config() config.Interface {
 	return config.New(f, f.namespace, f.tweakListOptions)
 }
 
-func (f *sharedInformerFactory) IDP() idp.Interface {
-	return idp.New(f, f.namespace, f.tweakListOptions)
-}
-
 func (f *sharedInformerFactory) Login() login.Interface {
 	return login.New(f, f.namespace, f.tweakListOptions)
 }
diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go
index 424b7380..6568bab8 100644
--- a/generated/1.19/client/informers/externalversions/generic.go
+++ b/generated/1.19/client/informers/externalversions/generic.go
@@ -8,9 +8,9 @@ package externalversions
 import (
 	"fmt"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
+	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -41,15 +41,15 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=config.pinniped.dev, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
-	case v1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
+	// Group=authentication.concierge.pinniped.dev, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Authentication().V1alpha1().WebhookIdentityProviders().Informer()}, nil
 
-		// Group=idp.concierge.pinniped.dev, Version=v1alpha1
-	case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
+		// Group=config.pinniped.dev, Version=v1alpha1
+	case configv1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
+	case configv1alpha1.SchemeGroupVersion.WithResource("oidcproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviderConfigs().Informer()}, nil
 
 		// Group=login.concierge.pinniped.dev, Version=v1alpha1
 	case loginv1alpha1.SchemeGroupVersion.WithResource("tokencredentialrequests"):
diff --git a/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
similarity index 100%
rename from generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go
rename to generated/1.19/client/listers/authentication/v1alpha1/expansion_generated.go
diff --git a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
similarity index 97%
rename from generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
rename to generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
index ec0af7e1..ea078005 100644
--- a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go
+++ b/generated/1.19/client/listers/authentication/v1alpha1/webhookidentityprovider.go
@@ -6,7 +6,7 @@
 package v1alpha1
 
 import (
-	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	v1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go
index ee18adb8..24f3440b 100644
--- a/generated/1.19/client/openapi/zz_generated.openapi.go
+++ b/generated/1.19/client/openapi/zz_generated.openapi.go
@@ -17,82 +17,82 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition":                      schema_apis_concierge_idp_v1alpha1_Condition(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec":                        schema_apis_concierge_idp_v1alpha1_TLSSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider":        schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderList":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec":    schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus":  schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":            schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":       schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":   schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus": schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":  schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":            schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":          schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":        schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                    schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
-		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":              schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                             schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                         schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                          schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                      schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                          schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                            schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                        schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                        schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                             schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                        schema_pkg_apis_meta_v1_ExportOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                             schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                           schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                            schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                        schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                         schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                             schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                     schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                 schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                        schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                        schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                             schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                 schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                             schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                          schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                   schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                            schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                           schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                       schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                            schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                         schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                        schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                            schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                            schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                               schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                          schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                        schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                         schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                             schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                    schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                 schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                            schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                             schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                        schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                           schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition":                     schema_apis_concierge_authentication_v1alpha1_Condition(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec":                       schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider":       schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderList":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec":   schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus": schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.ClusterCredential":                      schema_apis_concierge_login_v1alpha1_ClusterCredential(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequest":                 schema_apis_concierge_login_v1alpha1_TokenCredentialRequest(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestList":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestList(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestSpec":             schema_apis_concierge_login_v1alpha1_TokenCredentialRequestSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1.TokenCredentialRequestStatus":           schema_apis_concierge_login_v1alpha1_TokenCredentialRequestStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfig":                          schema_119_apis_config_v1alpha1_CredentialIssuerConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigKubeConfigInfo":            schema_119_apis_config_v1alpha1_CredentialIssuerConfigKubeConfigInfo(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigList":                      schema_119_apis_config_v1alpha1_CredentialIssuerConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStatus":                    schema_119_apis_config_v1alpha1_CredentialIssuerConfigStatus(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.CredentialIssuerConfigStrategy":                  schema_119_apis_config_v1alpha1_CredentialIssuerConfigStrategy(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfig":                              schema_119_apis_config_v1alpha1_OIDCProviderConfig(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigList":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigList(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigSpec":                          schema_119_apis_config_v1alpha1_OIDCProviderConfigSpec(ref),
+		"go.pinniped.dev/generated/1.19/apis/config/v1alpha1.OIDCProviderConfigStatus":                        schema_119_apis_config_v1alpha1_OIDCProviderConfigStatus(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                       schema_pkg_apis_meta_v1_APIGroup(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                   schema_pkg_apis_meta_v1_APIGroupList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                    schema_pkg_apis_meta_v1_APIResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                schema_pkg_apis_meta_v1_APIResourceList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                    schema_pkg_apis_meta_v1_APIVersions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                      schema_pkg_apis_meta_v1_Condition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                  schema_pkg_apis_meta_v1_CreateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                  schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                       schema_pkg_apis_meta_v1_Duration(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions":                                                  schema_pkg_apis_meta_v1_ExportOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                       schema_pkg_apis_meta_v1_FieldsV1(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                     schema_pkg_apis_meta_v1_GetOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                      schema_pkg_apis_meta_v1_GroupKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                  schema_pkg_apis_meta_v1_GroupResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                   schema_pkg_apis_meta_v1_GroupVersion(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                       schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                               schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                           schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                  schema_pkg_apis_meta_v1_InternalEvent(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                  schema_pkg_apis_meta_v1_LabelSelector(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                       schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                           schema_pkg_apis_meta_v1_List(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                       schema_pkg_apis_meta_v1_ListMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                    schema_pkg_apis_meta_v1_ListOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                             schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                      schema_pkg_apis_meta_v1_MicroTime(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                     schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                 schema_pkg_apis_meta_v1_OwnerReference(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                          schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                      schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                          schema_pkg_apis_meta_v1_Patch(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                   schema_pkg_apis_meta_v1_PatchOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                  schema_pkg_apis_meta_v1_Preconditions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                      schema_pkg_apis_meta_v1_RootPaths(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                      schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                         schema_pkg_apis_meta_v1_Status(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                    schema_pkg_apis_meta_v1_StatusCause(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                  schema_pkg_apis_meta_v1_StatusDetails(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                          schema_pkg_apis_meta_v1_Table(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                          schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                   schema_pkg_apis_meta_v1_TableOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                       schema_pkg_apis_meta_v1_TableRow(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                              schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                           schema_pkg_apis_meta_v1_Time(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                      schema_pkg_apis_meta_v1_Timestamp(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                       schema_pkg_apis_meta_v1_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                  schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                     schema_pkg_apis_meta_v1_WatchEvent(ref),
+		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                        schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                            schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                             schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		"k8s.io/apimachinery/pkg/version.Info":                                                                schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -149,7 +149,7 @@ func schema_apis_concierge_idp_v1alpha1_Condition(ref common.ReferenceCallback)
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -169,7 +169,7 @@ func schema_apis_concierge_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) co
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -198,13 +198,13 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for configuring the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the identity provider.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus"),
 						},
 					},
 				},
@@ -212,11 +212,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProvider(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderSpec", "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -248,7 +248,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider"),
 									},
 								},
 							},
@@ -259,11 +259,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -280,7 +280,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 					"tls": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLS configuration.",
-							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec"),
+							Ref:         ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec"),
 						},
 					},
 				},
@@ -288,11 +288,11 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.TLSSpec"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.TLSSpec"},
 	}
 }
 
-func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_apis_concierge_authentication_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -316,7 +316,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition"),
+										Ref: ref("go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition"),
 									},
 								},
 							},
@@ -326,7 +326,7 @@ func schema_apis_concierge_idp_v1alpha1_WebhookIdentityProviderStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1.Condition"},
+			"go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1.Condition"},
 	}
 }
 
diff --git a/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
new file mode 100644
index 00000000..5e7aba72
--- /dev/null
+++ b/generated/1.19/crds/authentication.concierge.pinniped.dev_webhookidentityproviders.yaml
@@ -0,0 +1,149 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: webhookidentityproviders.authentication.concierge.pinniped.dev
+spec:
+  group: authentication.concierge.pinniped.dev
+  names:
+    categories:
+    - all
+    - idp
+    - idps
+    kind: WebhookIdentityProvider
+    listKind: WebhookIdentityProviderList
+    plural: webhookidentityproviders
+    shortNames:
+    - webhookidp
+    - webhookidps
+    singular: webhookidentityprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.endpoint
+      name: Endpoint
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: WebhookIdentityProvider describes the configuration of a Pinniped
+          webhook identity provider.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for configuring the identity provider.
+            properties:
+              endpoint:
+                description: Webhook server endpoint URL.
+                minLength: 1
+                pattern: ^https://
+                type: string
+              tls:
+                description: TLS configuration.
+                properties:
+                  certificateAuthorityData:
+                    description: X.509 Certificate Authority (base64-encoded PEM bundle).
+                      If omitted, a default set of system roots will be trusted.
+                    type: string
+                type: object
+            required:
+            - endpoint
+            type: object
+          status:
+            description: Status of the identity provider.
+            properties:
+              conditions:
+                description: Represents the observations of an identity provider's
+                  current state.
+                items:
+                  description: Condition status of a resource (mirrored from the metav1.Condition
+                    type added in Kubernetes 1.19). In a future API version we can
+                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/hack/lib/docs/config.yaml b/hack/lib/docs/config.yaml
index 078c13cd..99958597 100644
--- a/hack/lib/docs/config.yaml
+++ b/hack/lib/docs/config.yaml
@@ -4,7 +4,7 @@ processor:
   #  Ignore internal API versions
   ignoreGroupVersions:
     - "config.pinniped.dev/config"
-    - "idp.concierge.pinniped.dev/idp"
+    - "authentication.concierge.pinniped.dev/authentication"
     - "login.concierge.pinniped.dev/login"
   ignoreFields:
     - "TypeMeta$"
diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile
index 65366854..8891632f 100644
--- a/hack/lib/tilt/Tiltfile
+++ b/hack/lib/tilt/Tiltfile
@@ -170,7 +170,7 @@ k8s_resource(
         'pinniped-concierge:clusterrolebinding',
         'pinniped-concierge:serviceaccount',
         'credentialissuerconfigs.config.pinniped.dev:customresourcedefinition',
-        'webhookidentityproviders.idp.concierge.pinniped.dev:customresourcedefinition',
+        'webhookidentityproviders.authentication.concierge.pinniped.dev:customresourcedefinition',
         'v1alpha1.login.concierge.pinniped.dev:apiservice',
     ],
 )
diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh
index bef6aec0..293ccae1 100755
--- a/hack/lib/update-codegen.sh
+++ b/hack/lib/update-codegen.sh
@@ -110,7 +110,7 @@ echo "generating API-related code for our public API groups..."
         deepcopy \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-api > |"
 )
 
@@ -122,7 +122,7 @@ echo "generating API-related code for our internal API groups..."
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt"  2>&1 | sed "s|^|gen-int-api > |"
 )
 
@@ -137,7 +137,7 @@ echo "generating client code for our public API groups..."
         client,lister,informer \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \
         "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \
-        "config:v1alpha1 concierge/idp:v1alpha1 concierge/login:v1alpha1" \
+        "config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \
         --go-header-file "${ROOT}/hack/boilerplate.go.txt"  2>&1 | sed "s|^|gen-client > |"
 )
 
@@ -157,5 +157,5 @@ crd-ref-docs \
 # Generate CRD YAML
 (cd apis &&
     controller-gen paths=./config/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds &&
-    controller-gen paths=./concierge/idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
+    controller-gen paths=./concierge/authentication/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
 )
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index bcb1e2e6..58ae7a1a 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
@@ -16,7 +16,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/internal/testutil"
 )
@@ -26,7 +26,7 @@ func TestExchangeToken(t *testing.T) {
 	ctx := context.Background()
 
 	testIDP := corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookIdentityProvider",
 		Name:     "test-webhook",
 	}
@@ -106,7 +106,7 @@ func TestExchangeToken(t *testing.T) {
 				  "spec": {
 					"token": "test-token",
 					"identityProvider": {
-						"apiGroup": "idp.concierge.pinniped.dev",
+						"apiGroup": "authentication.concierge.pinniped.dev",
 						"kind": "WebhookIdentityProvider",
 						"name": "test-webhook"
 					}
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index 1cc0c292..24043bc8 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -17,7 +17,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginapi "go.pinniped.dev/generated/1.19/apis/concierge/login"
 	"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
 )
@@ -76,7 +76,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 		},
 		Spec: loginapi.TokenCredentialRequestSpec{
 			IdentityProvider: corev1.TypedLocalObjectReference{
-				APIGroup: &idpv1alpha.SchemeGroupVersion.Group,
+				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
 				Kind:     "WebhookIdentityProvider",
 				Name:     "test-name",
 			},
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
index 9ab9e169..48b66351 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go
@@ -11,8 +11,8 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/klog/v2"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
-	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
 	"go.pinniped.dev/internal/controllerlib"
@@ -51,7 +51,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 	}
 
 	// Index the current webhooks by key.
-	webhooksByKey := map[controllerlib.Key]*idpv1alpha1.WebhookIdentityProvider{}
+	webhooksByKey := map[controllerlib.Key]*auth1alpha1.WebhookIdentityProvider{}
 	for _, webhook := range webhooks {
 		key := controllerlib.Key{Namespace: webhook.Namespace, Name: webhook.Name}
 		webhooksByKey[key] = webhook
@@ -59,7 +59,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 
 	// Delete any entries from the cache which are no longer in the cluster.
 	for _, key := range c.cache.Keys() {
-		if key.APIGroup != idpv1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
+		if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || key.Kind != "WebhookIdentityProvider" {
 			continue
 		}
 		if _, exists := webhooksByKey[controllerlib.Key{Namespace: key.Namespace, Name: key.Name}]; !exists {
diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
index e2450916..28f8effa 100644
--- a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
+++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go
@@ -12,7 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	idpv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	authv1alpha "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
@@ -24,19 +24,19 @@ func TestController(t *testing.T) {
 	t.Parallel()
 
 	testKey1 := idpcache.Key{
-		APIGroup:  "idp.concierge.pinniped.dev",
+		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "WebhookIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
 	}
 	testKey2 := idpcache.Key{
-		APIGroup:  "idp.concierge.pinniped.dev",
+		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "WebhookIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-two",
 	}
 	testKeyNonwebhook := idpcache.Key{
-		APIGroup:  "idp.concierge.pinniped.dev",
+		APIGroup:  "authentication.concierge.pinniped.dev",
 		Kind:      "SomeOtherIdentityProvider",
 		Namespace: "test-namespace",
 		Name:      "test-name-one",
@@ -54,7 +54,7 @@ func TestController(t *testing.T) {
 			name:         "no change",
 			initialCache: map[idpcache.Key]idpcache.Value{testKey1: nil},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -67,13 +67,13 @@ func TestController(t *testing.T) {
 			name:         "IDPs not yet added",
 			initialCache: nil,
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
 					},
 				},
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey2.Namespace,
 						Name:      testKey2.Name,
@@ -90,7 +90,7 @@ func TestController(t *testing.T) {
 				testKeyNonwebhook: nil,
 			},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha.WebhookIdentityProvider{
+				&authv1alpha.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: testKey1.Namespace,
 						Name:      testKey1.Name,
@@ -116,7 +116,7 @@ func TestController(t *testing.T) {
 			}
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
index 0f6b5539..cf664bc4 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go
@@ -20,8 +20,8 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/klog/v2"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
-	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
+	idpinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
 	"go.pinniped.dev/internal/controllerlib"
@@ -69,7 +69,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 	}
 
 	c.cache.Store(idpcache.Key{
-		APIGroup:  idpv1alpha1.GroupName,
+		APIGroup:  auth1alpha1.GroupName,
 		Kind:      "WebhookIdentityProvider",
 		Namespace: ctx.Key.Namespace,
 		Name:      ctx.Key.Name,
@@ -81,7 +81,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle
 // used to validate TLS connections.
 func newWebhookAuthenticator(
-	spec *idpv1alpha1.WebhookIdentityProviderSpec,
+	spec *auth1alpha1.WebhookIdentityProviderSpec,
 	tempfileFunc func(string, string) (*os.File, error),
 	marshalFunc func(clientcmdapi.Config, string) error,
 ) (*webhook.WebhookTokenAuthenticator, error) {
@@ -122,7 +122,7 @@ func newWebhookAuthenticator(
 	return webhook.New(temp.Name(), version, implicitAuds, customDial)
 }
 
-func getCABundle(spec *idpv1alpha1.TLSSpec) ([]byte, error) {
+func getCABundle(spec *auth1alpha1.TLSSpec) ([]byte, error) {
 	if spec == nil {
 		return nil, nil
 	}
diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
index b46b3281..8172e7f4 100644
--- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go
@@ -19,7 +19,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	pinnipedfake "go.pinniped.dev/generated/1.19/client/clientset/versioned/fake"
 	pinnipedinformers "go.pinniped.dev/generated/1.19/client/informers/externalversions"
 	"go.pinniped.dev/internal/controller/identityprovider/idpcache"
@@ -50,12 +50,12 @@ func TestController(t *testing.T) {
 			name:    "invalid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: idpv1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookIdentityProviderSpec{
 						Endpoint: "invalid url",
 					},
 				},
@@ -66,14 +66,14 @@ func TestController(t *testing.T) {
 			name:    "valid webhook",
 			syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"},
 			webhookIDPs: []runtime.Object{
-				&idpv1alpha1.WebhookIdentityProvider{
+				&auth1alpha1.WebhookIdentityProvider{
 					ObjectMeta: metav1.ObjectMeta{
 						Namespace: "test-namespace",
 						Name:      "test-name",
 					},
-					Spec: idpv1alpha1.WebhookIdentityProviderSpec{
+					Spec: auth1alpha1.WebhookIdentityProviderSpec{
 						Endpoint: "https://example.com",
-						TLS:      &idpv1alpha1.TLSSpec{CertificateAuthorityData: ""},
+						TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},
 					},
 				},
 			},
@@ -93,7 +93,7 @@ func TestController(t *testing.T) {
 			cache := idpcache.New()
 			testLog := testlogger.New(t)
 
-			controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog)
+			controller := New(cache, informers.Authentication().V1alpha1().WebhookIdentityProviders(), testLog)
 
 			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 			defer cancel()
@@ -124,22 +124,22 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 
 	t.Run("marshal failure", func(t *testing.T) {
 		marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }
-		res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError)
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError)
 		require.Nil(t, res)
 		require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")
 	})
 
 	t.Run("invalid base64", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
 			Endpoint: "https://example.com",
-			TLS:      &idpv1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
+			TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
 		}, ioutil.TempFile, clientcmd.WriteToFile)
 		require.Nil(t, res)
 		require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
 	})
 
 	t.Run("valid config with no TLS spec", func(t *testing.T) {
-		res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{
+		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookIdentityProviderSpec{
 			Endpoint: "https://example.com",
 		}, ioutil.TempFile, clientcmd.WriteToFile)
 		require.NotNil(t, res)
@@ -154,9 +154,9 @@ func TestNewWebhookAuthenticator(t *testing.T) {
 			_, err = w.Write([]byte(`{}`))
 			require.NoError(t, err)
 		})
-		spec := &idpv1alpha1.WebhookIdentityProviderSpec{
+		spec := &auth1alpha1.WebhookIdentityProviderSpec{
 			Endpoint: url,
-			TLS: &idpv1alpha1.TLSSpec{
+			TLS: &auth1alpha1.TLSSpec{
 				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),
 			},
 		}
diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index e4bb8b32..228551e1 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -232,7 +232,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachefiller.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.IDP().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
 				klogr.New(),
 			),
 			singletonWorker,
@@ -240,7 +240,7 @@ func PrepareControllers(c *Config) (func(ctx context.Context), error) {
 		WithController(
 			webhookcachecleaner.New(
 				c.IDPCache,
-				informers.installationNamespacePinniped.IDP().V1alpha1().WebhookIdentityProviders(),
+				informers.installationNamespacePinniped.Authentication().V1alpha1().WebhookIdentityProviders(),
 				klogr.New(),
 			),
 			singletonWorker,
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index b4504cd8..fdf240ce 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -16,7 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	loginv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/login/v1alpha1"
 	"go.pinniped.dev/test/library"
 )
@@ -28,7 +28,7 @@ func TestUnsuccessfulCredentialRequest(t *testing.T) {
 	defer cancel()
 
 	response, err := makeRequest(ctx, t, validCredentialRequestSpecWithRealToken(t, corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookIdentityProvider",
 		Name:     "some-webhook-that-does-not-exist",
 	}))
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index 473cc682..6facc829 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -91,20 +91,20 @@ func TestGetAPIResourceList(t *testing.T) {
 		},
 		{
 			group: metav1.APIGroup{
-				Name: "idp.concierge.pinniped.dev",
+				Name: "authentication.concierge.pinniped.dev",
 				Versions: []metav1.GroupVersionForDiscovery{
 					{
-						GroupVersion: "idp.concierge.pinniped.dev/v1alpha1",
+						GroupVersion: "authentication.concierge.pinniped.dev/v1alpha1",
 						Version:      "v1alpha1",
 					},
 				},
 				PreferredVersion: metav1.GroupVersionForDiscovery{
-					GroupVersion: "idp.concierge.pinniped.dev/v1alpha1",
+					GroupVersion: "authentication.concierge.pinniped.dev/v1alpha1",
 					Version:      "v1alpha1",
 				},
 			},
 			resourceByVersion: map[string][]metav1.APIResource{
-				"idp.concierge.pinniped.dev/v1alpha1": {
+				"authentication.concierge.pinniped.dev/v1alpha1": {
 					{
 						Name:         "webhookidentityproviders",
 						SingularName: "webhookidentityprovider",
diff --git a/test/library/client.go b/test/library/client.go
index 50aa9057..285968f9 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -23,7 +23,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
 	pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
 
@@ -127,12 +127,12 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	testEnv := IntegrationEnv(t)
 
 	client := NewPinnipedClientset(t)
-	webhooks := client.IDPV1alpha1().WebhookIdentityProviders(testEnv.ConciergeNamespace)
+	webhooks := client.AuthenticationV1alpha1().WebhookIdentityProviders(testEnv.ConciergeNamespace)
 
 	createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 
-	idp, err := webhooks.Create(createContext, &idpv1alpha1.WebhookIdentityProvider{
+	idp, err := webhooks.Create(createContext, &auth1alpha1.WebhookIdentityProvider{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-webhook-",
 			Labels:       map[string]string{"pinniped.dev/test": ""},
@@ -153,7 +153,7 @@ func CreateTestWebhookIDP(ctx context.Context, t *testing.T) corev1.TypedLocalOb
 	})
 
 	return corev1.TypedLocalObjectReference{
-		APIGroup: &idpv1alpha1.SchemeGroupVersion.Group,
+		APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
 		Kind:     "WebhookIdentityProvider",
 		Name:     idp.Name,
 	}
diff --git a/test/library/env.go b/test/library/env.go
index 1ed59e1a..da5afb34 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -13,7 +13,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/yaml"
 
-	idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/idp/v1alpha1"
+	auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
 )
 
 type Capability string
@@ -33,7 +33,7 @@ type TestEnv struct {
 	SupervisorCustomLabels         map[string]string                       `json:"supervisorCustomLabels"`
 	ConciergeCustomLabels          map[string]string                       `json:"conciergeCustomLabels"`
 	Capabilities                   map[Capability]bool                     `json:"capabilities"`
-	TestWebhook                    idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
+	TestWebhook                    auth1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
 	SupervisorHTTPAddress          string                                  `json:"supervisorHttpAddress"`
 	SupervisorHTTPSAddress         string                                  `json:"supervisorHttpsAddress"`
 	SupervisorHTTPSIngressAddress  string                                  `json:"supervisorHttpsIngressAddress"`
@@ -100,7 +100,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
 	result.TestWebhook.Endpoint = needEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
 	result.SupervisorNamespace = needEnv(t, "PINNIPED_TEST_SUPERVISOR_NAMESPACE")
 	result.SupervisorAppName = needEnv(t, "PINNIPED_TEST_SUPERVISOR_APP_NAME")
-	result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
+	result.TestWebhook.TLS = &auth1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
 
 	result.SupervisorHTTPAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS")
 	result.SupervisorHTTPSIngressAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_INGRESS_ADDRESS")