diff --git a/conf/config.go b/conf/config.go
index ea1bb1a..7f56f50 100644
--- a/conf/config.go
+++ b/conf/config.go
@@ -3,7 +3,7 @@ package conf
 import "sync"
 type Config struct {
-	Demo bool
+	AdminRole string
 	PublicKeyPath string
 	PrivateKeyPath string
diff --git a/controllers/oauth2.go b/controllers/oauth2.go
index 99100a0..ea90d8a 100644
--- a/controllers/oauth2.go
+++ b/controllers/oauth2.go
@@ -158,17 +158,6 @@ func (o *OAuthController) InternalAuthForward() {
 		o.ServeJSON()
 		return
 	}
-	isToken, err := infrastructure.GetAuthConnector().Introspect(reqToken, &http.Cookie{
-		Name: "csrf_token",
-		Value: o.XSRFToken(),
-	}) // may be a problem... we should check if token is valid on our side
-	fmt.Println("InternalAuthForward", isToken, err)
-	// prefers a refresh token call
-	if err != nil || !isToken {
-		o.Ctx.ResponseWriter.WriteHeader(401)
-	} else {
-		o.Ctx.ResponseWriter.WriteHeader(200)
-	}
 	o.ServeJSON()
 }
diff --git a/docker_auth.json b/docker_auth.json
index 4c83f19..ac62f14 100644
--- a/docker_auth.json
+++ b/docker_auth.json
@@ -6,5 +6,5 @@
   "AUTH_CONNECTOR_HOST": "hydra",
   "PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
   "PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
-  "DEMO": true
+  "LDAP_ENDPOINTS": "ldap:389"
 }
\ No newline at end of file
diff --git a/infrastructure/auth_connector/auth_connector.go b/infrastructure/auth_connector/auth_connector.go
index 69920d2..9032ddf 100644
--- a/infrastructure/auth_connector/auth_connector.go
+++ b/infrastructure/auth_connector/auth_connector.go
@@ -2,6 +2,7 @@ package auth_connectors
 import (
 	"net/http"
+	"oc-auth/conf"
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
@@ -18,7 +19,7 @@ type AuthConnector interface {
 type Token struct {
 	Active bool `json:"active"`
 	AccessToken string `json:"access_token"`
-	ExpiresIn int `json:"expires_in"`
+	ExpiresIn int64 `json:"expires_in"`
 	TokenType string `json:"token_type"`
 	Username string `json:"username,omitempty"`
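Review bot: With the introspection block removed, InternalAuthForward now falls through to `o.ServeJSON()` with no visible validation of reqToken, so the forward-auth response carries the default 200 status for every request that got past the earlier guards. If the expiry check added in hydra_claims.go is meant to replace it, nothing in this hunk wires that replacement in, and the function's earlier lines are outside the hunk. Until a check is in place here, `o.Ctx.ResponseWriter.WriteHeader(401)` should remain the default for an unverified token, with 200 written only after a successful check.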
@@ -28,3 +29,13 @@ type Token struct {
 type Redirect struct {
 	RedirectTo string `json:"redirect_to"`
 }
+
+var a = map[string]AuthConnector{
+	"hydra": HydraConnector{
+		Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
+		State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
+}
+
+func GetAuthConnector() AuthConnector {
+	return a[conf.GetConfig().Auth]
+}
diff --git a/infrastructure/auth_connector/hydra_connector.go b/infrastructure/auth_connector/hydra_connector.go
index e22f1f0..dff296f 100644
--- a/infrastructure/auth_connector/hydra_connector.go
+++ b/infrastructure/auth_connector/hydra_connector.go
@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 	oclib "cloud.o-forge.io/core/oc-lib"
 	"cloud.o-forge.io/core/oc-lib/models/peer"
@@ -179,8 +180,15 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 	if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
 		return nil, errors.New("peer not found")
 	}
+	now := time.Now().UTC()
+	now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
+	token.ExpiresIn = now.Unix()
+	c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer).Url)
+	c.Session.AccessToken["exp"] = token.ExpiresIn
+	b, _ = json.Marshal(c)
+	token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b)
 	token.Active = true
 	return token, nil
diff --git a/infrastructure/claims/hydra_claims.go b/infrastructure/claims/hydra_claims.go
index bda3af9..69ca5f7 100644
--- a/infrastructure/claims/hydra_claims.go
+++ b/infrastructure/claims/hydra_claims.go
@@ -4,12 +4,12 @@ import (
 	"crypto/sha256"
 	"encoding/pem"
 	"errors"
-	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
 	"os"
 	"strings"
+	"time"
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
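Review bot: The connector table now hosts a fixed OAuth `State: "12345678"` shared by every login flow, so the state parameter cannot tie an authorization response back to the request that started it; it should be generated per request and compared on the callback rather than live in this package-level value. GetAuthConnector also returns a nil interface whenever `conf.GetConfig().Auth` is not a key of `a`, and infrastructure.GetAuthConnector passes that straight through to callers; a lookup in the `v, ok := a[...]` form with a logged fallback would surface a misconfigured AUTH value at startup instead of at first use.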
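Review bot: `token.ExpiresIn` is overwritten with an absolute Unix timestamp but is still serialized under the `expires_in` tag, which by name is a relative lifetime in seconds, so any consumer reading that JSON as a lifetime now gets a value near 1.7e9; keeping ExpiresIn relative and carrying the deadline in a separate field (for example `Exp int64 \`json:"exp"\``, a constructed name) would avoid the mismatch, and the int to int64 change in auth_connector.go is only needed for the overwrite. `b, _ = json.Marshal(c)` drops the marshal error, and the claims segment appended to AccessToken is plain base64 JSON, so the `exp` it carries is only as trustworthy as whatever signature check DecodeClaimsInToken applies to that segment — worth confirming that check covers it. Login begins outside the hunk.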
@@ -75,6 +75,11 @@ func (h HydraClaims) clearBlank(path []string) []string {
 	return newPath
 }
+func (a HydraClaims) CheckExpiry(exp int64) bool {
+	now := time.Now().UTC().Unix()
+	return now <= exp
+}
+
 func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
 	idTokenClaims := sessionClaims.Session.IDToken
 	if idTokenClaims["signature"] == nil {
@@ -87,6 +92,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 	claims := sessionClaims.Session.AccessToken
 	path := strings.ReplaceAll(forward, "http://"+host, "")
 	splittedPath := h.clearBlank(strings.Split(path, "/"))
+	if _, ok := claims["exp"].(float64); !ok || !h.CheckExpiry(int64(claims["exp"].(float64))) {
+		return false, errors.New("token is expired")
+	}
 	for m, p := range claims {
 		match := true
 		splittedP := h.clearBlank(strings.Split(p.(string), "/"))
@@ -94,7 +102,6 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 			continue
 		}
 		for i, v := range splittedP {
-			fmt.Println(v, splittedPath[i])
 			if strings.Contains(v, ":") { // is a param
 				continue
 			} else if v != splittedPath[i] {
diff --git a/infrastructure/infrastructure.go b/infrastructure/infrastructure.go
index 3cb1bc8..1d78dcc 100644
--- a/infrastructure/infrastructure.go
+++ b/infrastructure/infrastructure.go
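Review bot: The expiry guard in DecodeClaimsInToken asserts `claims["exp"].(float64)` twice and reports every failure as "token is expired", so a claims map that was never round-tripped through JSON (where `exp` stays the int64 that Login stores) is rejected with a misleading message; `exp, ok := claims["exp"].(float64)` followed by `if !ok || !h.CheckExpiry(int64(exp)) {` reads the value once and lets a missing or mistyped claim be reported separately from a real expiry. In CheckExpiry the receiver is named `a` while the other HydraClaims methods use `h`, and `.UTC()` before `Unix()` is a no-op since Unix seconds are zone-independent. DecodeClaimsInToken continues outside the hunk.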
@@ -1,22 +1,13 @@
 package infrastructure
 import (
-	"oc-auth/conf"
 	auth_connectors "oc-auth/infrastructure/auth_connector"
 	"oc-auth/infrastructure/claims"
 	"oc-auth/infrastructure/perms_connectors"
-
-	"cloud.o-forge.io/core/oc-lib/tools"
 )
-var a = map[string]auth_connectors.AuthConnector{
-	"hydra": auth_connectors.HydraConnector{
-		Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
-		State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
-}
-
 func GetAuthConnector() auth_connectors.AuthConnector {
-	return a[conf.GetConfig().Auth]
+	return auth_connectors.GetAuthConnector()
 }
 func GetPermissionConnector() perms_connectors.PermConnector {
diff --git a/ldap-hydra/docker-compose.yml b/ldap-hydra/docker-compose.yml
index 9ba7272..225fd91 100644
--- a/ldap-hydra/docker-compose.yml
+++ b/ldap-hydra/docker-compose.yml
@@ -69,7 +69,7 @@ services:
       - hydra-net
       - catalog
     ports:
-      - "389:389"
+      - "390:389"
     deploy:
       restart_policy:
         condition: on-failure
diff --git a/main.go b/main.go
index bd9b600..e68762a 100644
--- a/main.go
+++ b/main.go
@@ -29,6 +29,7 @@ func main() {
 	// Load the right config file
 	o := oclib.GetConfLoader()
+	conf.GetConfig().AdminRole = o.GetStringDefault("ADMIN_ROLE", "admin")
 	conf.GetConfig().PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
 	conf.GetConfig().PrivateKeyPath = o.GetStringDefault("PRIVATE_KEY_PATH", "./pem/private.pem")
 	conf.GetConfig().ClientSecret = o.GetStringDefault("CLIENT_SECRET", "oc-auth-got-secret")
@@ -99,8 +100,9 @@ func discovery() {
 	fmt.Println("Discovered")
 	api := tools.API{}
 	conn := infrastructure.GetPermissionConnector()
-	conn.CreateRole("admin")
-	conn.BindRole("admin", "admin")
+
+	conn.CreateRole(conf.GetConfig().AdminRole)
+	conn.BindRole(conf.GetConfig().AdminRole, "admin")
 	addPermissions := func(m map[string]interface{}) {
 		for k, v := range m {
 			for _, p := range v.([]interface{}) {
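Review bot: The role name is now configurable, but the second argument of `conn.BindRole(conf.GetConfig().AdminRole, "admin")` stays the literal "admin", so half of the binding still follows the old hard-coded default; if that argument is the principal the role is bound to, it should come from configuration too, or carry a comment saying it is intentionally fixed. Neither `conn.CreateRole` nor `conn.BindRole` has its result checked, so a permission backend that rejects the role would leave discovery printing "Discovered" regardless — worth handling if those methods return an error, which is not visible here. discovery continues outside the hunk.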