diff --git a/server/core/hep_client.py b/server/core/hep_client.py
index f0d64944..1c4fdbc9 100644
--- a/server/core/hep_client.py
+++ b/server/core/hep_client.py
@@ -4,7 +4,7 @@ from django.conf import settings
 import logging
 import requests
-from core import oauth
+from core.oauth import oauth
 logger = logging.getLogger(__name__)
@@ -76,11 +76,11 @@ class HepClient:
 return response
 def is_email_verified(self, user_data):
- return 'confirmation' not in user_data
+ return user_data['email_verified_at'] is not None
 def user_details(self, token):
 response = self._call('/api/auth/user', token)
- return response.json()
+ return response.json()['data']
 # gone --->
 def customer_activate(self, confirmation_key, user_id):
diff --git a/server/core/settings.py b/server/core/settings.py
index cb5a9ee9..e3445a19 100644
--- a/server/core/settings.py
+++ b/server/core/settings.py
@@ -422,7 +422,7 @@ AUTHLIB_OAUTH_CLIENTS = {
 }
 }
-OAUTH_REDIRECT_URI = 'https://d4bad3badee0.ngrok.io/oauth/callback/'
+OAUTH_LOCAL_REDIRECT_URI = os.environ.get("OAUTH_LOCAL_REDIRECT_URI")
 TASKBASE_USER = os.environ.get("TASKBASE_USER")
 TASKBASE_PASSWORD = os.environ.get("TASKBASE_PASSWORD")
diff --git a/server/core/urls.py b/server/core/urls.py
index 88ccfc52..d9528ca0 100644
--- a/server/core/urls.py
+++ b/server/core/urls.py
@@ -40,10 +40,6 @@ if settings.DEBUG:
 # actually we use the cms in headless mode but need the url pattern to get the wagtail_serve function
 urlpatterns += [url(r'pages/', include(wagtail_urls)), ]
-# oauth
-urlpatterns += [url(r'^oauth/login/', views.login, name='login')]
-urlpatterns += [url(r'^oauth/callback/', views.authorize, name='authorize')]
-
 urlpatterns += [re_path(r'^.*$', views.home, name='home')]
 admin.site.site_header = 'Myskillbox Admin'
diff --git a/server/core/views.py b/server/core/views.py
index 7d3a9c2e..9d37bd55 100644
--- a/server/core/views.py
+++ b/server/core/views.py
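Review bot: In `server/core/hep_client.py`, `is_email_verified` now indexes `user_data['email_verified_at']` directly, so a profile without that key raises `KeyError` instead of being treated as unverified; `return user_data.get('email_verified_at') is not None` keeps the gate fail-closed without an exception. `user_details` has the same shape: `response.json()['data']` assumes every response carries a `data` envelope, and whether `_call` already rejects error responses is not visible in this hunk. A one-line docstring on `user_details` naming the fields callers rely on (`id`, `email`, `first_name`, `last_name`, `email_verified_at`, as used elsewhere in this diff) would document the new contract. The `HepClient` class continues outside the hunk.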
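Review bot: In `server/core/settings.py`, `os.environ.get("OAUTH_LOCAL_REDIRECT_URI")` evaluates to `None` when the variable is unset, and `login` in `server/users/views.py` passes that value straight to `authorize_redirect`, so a misconfigured deployment is only noticed during a login attempt. How the OAuth client and provider treat a missing redirect URI is not visible here, so failing at startup is the safer default, e.g. `OAUTH_LOCAL_REDIRECT_URI = os.environ["OAUTH_LOCAL_REDIRECT_URI"]`, or a documented default for development. A comment such as `# absolute callback URL, must match the redirect URI registered for the 'hep' OAuth client` would also say what the value has to be.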
@@ -7,10 +7,8 @@ from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic import TemplateView
 from graphene_django.views import GraphQLView
-from core import hep_client
 from core.hep_client import HepClient
 from core.models import AdminData
-from core.oauth import oauth
 class PrivateGraphQLView(LoginRequiredMixin, GraphQLView):
@@ -46,18 +44,3 @@ class ConfirmationKeyDisplayView(TemplateView):
 context['confirmation_key'] = hep_user['confirmation']
 context['hep_id'] = hep_user['id']
 return context
-
-
-def login(request):
- hep_oauth_client = oauth.create_client('hep')
- redirect_uri = settings.OAUTH_REDIRECT_URI
- return hep_oauth_client.authorize_redirect(request, redirect_uri)
-
-
-def authorize(request):
- token = oauth.hep.authorize_access_token(request)
- profile = hep_client.user_details(token)
- print(profile)
- # user, status_msg = handle_user_and_verify_products(user_data)
- # do something with the token and profile
- return '...'
diff --git a/server/users/managers.py b/server/users/managers.py
index cfeb33c9..17c5db15 100644
--- a/server/users/managers.py
+++ b/server/users/managers.py
@@ -113,16 +113,16 @@ class UserManager(DjangoUserManager):
 user = self.model.objects.get(email=user_data['email'])
 user.set_unusable_password()
 except self.model.DoesNotExist:
- user = self._create_user_with_random_password_no_save( user_data['firstname'],
- user_data['lastname'],
+ user = self._create_user_with_random_password_no_save(user_data['first_name'],
+ user_data['last_name'],
 user_data['email'])
 user.hep_id = user_data['id']
- user.hep_group_id = user_data['group_id']
 user.save()
- if user.hep_group_id == settings.HEP_MYSKILLBOX_GROUP_ID:
- apps.get_model('users.UserData').objects.create(user=user, accepted_terms=True)
+ # todo: how to handle
+ # if user.hep_group_id == settings.HEP_MYSKILLBOX_GROUP_ID:
+ # apps.get_model('users.UserData').objects.create(user=user, accepted_terms=True)
 return user
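Review bot: In `server/users/managers.py`, the commented-out block under `# todo: how to handle` does not say what is undecided: after this change a newly created user gets no `hep_group_id` and no `UserData` row with `accepted_terms=True`, and code that reads either (outside this diff) will see them unset. Replace the three commented lines with a TODO that states the open question, e.g. `# TODO: group_id is no longer read from user_data; decide how accepted_terms is recorded for HEP users`. The context lines also attach `hep_id` to whichever local account matches `user_data['email']`, so it is worth confirming that the caller reaches this method only after the verified-email check. The method starts and ends outside the hunk.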
diff --git a/server/users/urls.py b/server/users/urls.py
new file mode 100644
index 00000000..d2e68058
--- /dev/null
+++ b/server/users/urls.py
@@ -0,0 +1,9 @@
+from django.conf.urls import url
+from users import views
+
+app_name = 'registration'
+urlpatterns = [
+ url(r'^oauth/login/', views.login, name='login'),
+ url(r'^oauth/callback/', views.authorize, name='authorize')
+ # url(r'^oauth/callback/', views.authorize, name='authorize')
+]
diff --git a/server/users/user_signup_login_handler.py b/server/users/user_signup_login_handler.py
index 0d6205d3..fa932d20 100644
--- a/server/users/user_signup_login_handler.py
+++ b/server/users/user_signup_login_handler.py
@@ -9,7 +9,7 @@ UNKNOWN_ERROR = 'unknown_error'
 NO_VALID_LICENSE = 'no_valid_license'
-def handle_user_and_verify_products(user_data):
+def handle_user_and_verify_products(user_data, ):
 hep_client = HepClient()
 try:
@@ -23,18 +23,18 @@ def handle_user_and_verify_products(user_data):
 except HepClientException:
 return user, UNKNOWN_ERROR
- license = License.objects.get_active_license_for_user(user)
-
- if not license:
- license, error_msg = check_and_create_licenses(hep_client, user)
-
- if error_msg:
- return user, error_msg
-
- create_role_for_user(user, license.for_role.key)
-
- if not license.is_valid():
- return user, NO_VALID_LICENSE
+ # license = License.objects.get_active_license_for_user(user)
+ #
+ # if not license:
+ # license, error_msg = check_and_create_licenses(hep_client, user)
+ #
+ # if error_msg:
+ # return user, error_msg
+ #
+ # create_role_for_user(user, license.for_role.key)
+ #
+ # if not license.is_valid():
+ # return user, NO_VALID_LICENSE
 return user, None
diff --git a/server/users/views.py b/server/users/views.py
new file mode 100644
index 00000000..f7f27516
--- /dev/null
+++ b/server/users/views.py
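Review bot: Nothing in this diff includes `server/users/urls.py` from the root URL conf, while `server/core/urls.py` loses its two oauth routes and keeps the catch-all `re_path(r'^.*$', views.home, name='home')`; unless an `include('users.urls')` placed before that catch-all already exists outside the diff, `/oauth/callback/` would be answered by `views.home`. The two patterns are also open-ended (`r'^oauth/callback/'` matches any longer path), so `r'^oauth/callback/$'` is tighter, and the commented-out duplicate of the callback route can be deleted.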
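Review bot: In `server/users/user_signup_login_handler.py`, commenting out the license block means `handle_user_and_verify_products` returns `user, None` for every account that gets past the earlier steps: no license is looked up or created, `create_role_for_user` is never called, and the caller can no longer receive `NO_VALID_LICENSE`, so `authorize` in `server/users/views.py` signs the user in with an empty status. If the check is only parked during the OAuth migration, delete the commented code and leave a marker that blocks release, e.g. `# TODO: license check disabled for OAuth migration, restore before release`, or keep the check behind a setting; as written the function name no longer matches what it does. The stray `, ` in the new signature `handle_user_and_verify_products(user_data, )` in the preceding hunk can be dropped as well. The function body starts outside this hunk.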
@@ -0,0 +1,29 @@
+from django.conf import settings
+
+from core.hep_client import HepClient
+from core.oauth import oauth
+from users.user_signup_login_handler import handle_user_and_verify_products, EMAIL_NOT_VERIFIED
+from django.contrib.auth import login as dj_login
+
+
+def login(request):
+ hep_oauth_client = oauth.create_client('hep')
+ redirect_uri = settings.OAUTH_LOCAL_REDIRECT_URI
+ return hep_oauth_client.authorize_redirect(request, redirect_uri)
+
+
+def authorize(request):
+ hep_client = HepClient()
+ token = oauth.hep.authorize_access_token(request)
+ user_data = hep_client.user_details(token)
+ print(user_data)
+ user, status_msg = handle_user_and_verify_products(user_data) # todo: move handle_fn or authorize
+ user.sync_with_hep_data(user_data)
+
+ if user and status_msg != EMAIL_NOT_VERIFIED:
+ dj_login(request, user)
+
+ if status_msg:
+ return status_msg
+ # return cls.return_login_message(status_msg)
+ return '...'
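Review bot: `authorize` in `server/users/views.py` calls `user.sync_with_hep_data(user_data)` before the `if user` guard two lines later, so if the handler can return no user the view fails with `AttributeError` rather than a controlled response. `print(user_data)` writes the whole HEP profile (name, email) to stdout and should go, or become a debug log line that records only the id. Both exits return a plain string (`status_msg` or `'...'`); a Django view has to return an `HttpResponse`, and here the failure would come after `dj_login` has already created the session. The sketch below needs `HttpResponseBadRequest` from `django.http` and `redirect` from `django.shortcuts`, and its redirect target is a placeholder.

```python
def authorize(request):
    # … unchanged: HepClient(), authorize_access_token(), user_details() …
    # print(user_data) removed: it dumps the profile to stdout
    user, status_msg = handle_user_and_verify_products(user_data)

    if user is None:
        return HttpResponseBadRequest(status_msg or '')
    user.sync_with_hep_data(user_data)

    if status_msg != EMAIL_NOT_VERIFIED:
        dj_login(request, user)

    # placeholder target; pass status_msg on in whatever form the frontend expects
    return redirect('/')
```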