diff --git a/credentials/credential.go b/credentials/credential.go
index 8f6381a..76e96a8 100644
--- a/credentials/credential.go
+++ b/credentials/credential.go
@@ -205,13 +205,6 @@ func NewCredential(config *Config) (credential Credential, err error) {
 case "credentials_uri":
 credential = newURLCredential(tea.StringValue(config.Url))
 case "oidc_role_arn":
- runtime := &utils.Runtime{
- Host: tea.StringValue(config.Host),
- Proxy: tea.StringValue(config.Proxy),
- ReadTimeout: tea.IntValue(config.Timeout),
- ConnectTimeout: tea.IntValue(config.ConnectTimeout),
- }
-
 provider, err := providers.NewOIDCCredentialsProviderBuilder().
 WithRoleArn(tea.StringValue(config.RoleArn)).
 WithOIDCTokenFilePath(tea.StringValue(config.OIDCTokenFilePath)).
@@ -220,7 +213,11 @@ func NewCredential(config *Config) (credential Credential, err error) {
 WithPolicy(tea.StringValue(config.Policy)).
 WithRoleSessionName(tea.StringValue(config.RoleSessionName)).
 WithSTSEndpoint(tea.StringValue(config.STSEndpoint)).
- WithRuntime(runtime).
+ WithHttpOptions(&providers.HttpOptions{
+ Proxy: tea.StringValue(config.Proxy),
+ ReadTimeout: tea.IntValue(config.Timeout),
+ ConnectTimeout: tea.IntValue(config.ConnectTimeout),
+ }).
 Build()
 if err != nil {
diff --git a/credentials/internal/providers/oidc.go b/credentials/internal/providers/oidc.go
index 1c6e2d0..78f3654 100644
--- a/credentials/internal/providers/oidc.go
+++ b/credentials/internal/providers/oidc.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "io/ioutil"
 "net/http"
+ "net/url"
 "os"
 "strconv"
 "strings"
@@ -26,7 +27,8 @@ type OIDCCredentialsProvider struct {
 lastUpdateTimestamp int64
 expirationTimestamp int64
 sessionCredentials *sessionCredentials
- runtime *utils.Runtime
+ // for http options
+ httpOptions *HttpOptions
 }
 type OIDCCredentialsProviderBuilder struct {
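Review bot: `config.Host` is no longer forwarded in the `oidc_role_arn` case of NewCredential in credentials/credential.go: the removed `utils.Runtime` literal carried `Host`, while the new `providers.HttpOptions` literal sets only `Proxy`, `ReadTimeout` and `ConnectTimeout`. If any caller relied on `Host` for this credential type it is now silently ignored, so either map it or document that `STSEndpoint` is the only endpoint override here. An unset `Timeout` or `ConnectTimeout` presumably reaches the provider as 0 through `tea.IntValue`, and the provider then sets `httpClient.Timeout` to zero, which means no overall timeout on the STS call; a comment on the literal such as `// zero disables the timeout; set Timeout for STS calls` would make that explicit. NewCredential's body continues outside both hunks.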
@@ -79,8 +81,8 @@ func (b *OIDCCredentialsProviderBuilder) WithSTSEndpoint(stsEndpoint string) *OI
 return b
 }
-func (b *OIDCCredentialsProviderBuilder) WithRuntime(runtime *utils.Runtime) *OIDCCredentialsProviderBuilder {
- b.provider.runtime = runtime
+func (b *OIDCCredentialsProviderBuilder) WithHttpOptions(httpOptions *HttpOptions) *OIDCCredentialsProviderBuilder {
+ b.provider.httpOptions = httpOptions
 return b
 }
@@ -186,6 +188,23 @@ func (provider *OIDCCredentialsProvider) getCredentials() (session *sessionCrede
 httpRequest.Header["Content-Type"] = []string{"application/x-www-form-urlencoded"}
 httpClient := &http.Client{}
+ if provider.httpOptions != nil {
+ httpClient.Timeout = time.Duration(provider.httpOptions.ReadTimeout) * time.Second
+ proxy := &url.URL{}
+ if provider.httpOptions.Proxy != "" {
+ proxy, err = url.Parse(provider.httpOptions.Proxy)
+ if err != nil {
+ return
+ }
+ }
+ trans := &http.Transport{}
+ if proxy != nil && provider.httpOptions.Proxy != "" {
+ trans.Proxy = http.ProxyURL(proxy)
+ }
+ trans.DialContext = utils.Timeout(time.Duration(provider.httpOptions.ConnectTimeout) * time.Second)
+ httpClient.Transport = trans
+ }
+
 httpResponse, err := hookDo(httpClient.Do)(httpRequest)
 if err != nil {
 return
diff --git a/integration/proxy/proxy_test.go b/integration/proxy/proxy_test.go
new file mode 100644
index 0000000..485bd7d
--- /dev/null
+++ b/integration/proxy/proxy_test.go
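Review bot: In getCredentials, `trans := &http.Transport{}` builds a bare transport on every credential refresh, so the STS request loses the `http.DefaultTransport` defaults (environment proxy lookup, TLS handshake timeout, idle-connection timeout) and each call leaves its own idle connection pool behind. NewCredential now always passes a non-nil `HttpOptions`, so this path runs even when no proxy or timeout was configured. Consider `trans := http.DefaultTransport.(*http.Transport).Clone()` (available since Go 1.13) and building the transport once in the builder instead of per call. The `url.Parse` error is returned unwrapped and its message quotes the proxy string, so a proxy URL carrying `user:password@` would end up in caller logs; returning a fixed message such as `errors.New("invalid proxy URL")` avoids that. The `proxy := &url.URL{}` pre-initialisation and the later `proxy != nil` test are redundant, and the function body starts and ends outside this hunk.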
@@ -0,0 +1,43 @@
+package proxy
+
+import (
+ "os"
+ "testing"
+
+ "github.com/alibabacloud-go/tea/tea"
+ "github.com/aliyun/credentials-go/credentials"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestRAMRoleARNWithInvalidProxy(t *testing.T) {
+ config := &credentials.Config{
+ Type: tea.String("ram_role_arn"),
+ AccessKeyId: tea.String("akid"),
+ AccessKeySecret: tea.String("aksecret"),
+ RoleArn: tea.String("rolearn"),
+ RoleSessionName: tea.String("rolesessionname"),
+ RoleSessionExpiration: tea.Int(3600),
+ Proxy: tea.String("https://localhost:3600/"),
+ }
+ cred, err := credentials.NewCredential(config)
+ assert.Nil(t, err)
+ _, err = cred.GetCredential()
+ assert.Contains(t, err.Error(), "proxyconnect tcp: dial tcp")
+ assert.Contains(t, err.Error(), ":3600: connect: connection refused")
+}
+
+func TestOIDCWithInvalidProxy(t *testing.T) {
+ config := &credentials.Config{
+ Type: tea.String("oidc_role_arn"),
+ RoleArn: tea.String(os.Getenv("ALIBABA_CLOUD_ROLE_ARN")),
+ OIDCProviderArn: tea.String(os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN")),
+ OIDCTokenFilePath: tea.String(os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")),
+ RoleSessionName: tea.String("credentials-go-test"),
+ Proxy: tea.String("https://localhost:3600/"),
+ }
+ cred, err := credentials.NewCredential(config)
+ assert.Nil(t, err)
+ _, err = cred.GetCredential()
+ assert.Contains(t, err.Error(), "proxyconnect tcp: dial tcp")
+ assert.Contains(t, err.Error(), ":3600: connect: connection refused")
+}
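Review bot: Both tests call `err.Error()` right after `cred.GetCredential()` without checking that an error came back, and `assert.Nil(t, err)` does not stop the test, so a nil `cred` or a nil `err` panics instead of failing cleanly. Guard the `Contains` checks with `if !assert.NotNil(t, err) { return }`, and return after a failed `assert.Nil` on NewCredential. TestOIDCWithInvalidProxy reads `ALIBABA_CLOUD_ROLE_ARN`, `ALIBABA_CLOUD_OIDC_PROVIDER_ARN` and `ALIBABA_CLOUD_OIDC_TOKEN_FILE` with no skip when they are unset, and the asserted text `connect: connection refused` is platform-specific wording. Neither test covers a malformed proxy string, which is the only input that reaches the new `url.Parse` error return in the OIDC provider.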