diff --git a/docs/_sidebar.md b/docs/_sidebar.md
index a24712241..18fb1e704 100644
--- a/docs/_sidebar.md
+++ b/docs/_sidebar.md
@@ -19,6 +19,7 @@
   - [Email provider](email.md)
   - [Supported standards](standard-support.md)
   - [FoxIDs inside](foxids-inside.md)
+  - [Control Client & API](control#.md)
   - [Plans](plan.md)
 - [Development](development.md)
   - [Samples](samples.md)
diff --git a/docs/control.md b/docs/control.md
index a2f97f2bf..6d28772d3 100644
--- a/docs/control.md
+++ b/docs/control.md
@@ -60,13 +60,14 @@ The track properties can be configured by clicking the top right setting icon.
 ![Configure track settings](images/configure-track-setting.png)
 
 ## FoxIDs Control API
-FoxIDs Control API is a REST API. The API expose a Swagger (OpenApi) interface document.
+FoxIDs Control API is a REST API and has a Swagger (OpenApi) interface description.
 
-FoxIDs Control API require that the client calling the API is granted the `foxids:master` scope to access master tenant data or the `foxids:tenant` scope access tenant data in a particular tenant. Normally only tenant data is accessed.
+FoxIDs Control API require that the client calling the API is granted the `foxids:master` scope to access master tenant data or the `foxids:tenant` scope to access tenant data in a particular tenant. Normally only tenant data is accessed.
 
- - The client can be an OAuth 2.0 client. Where the client is granted the administrator role `foxids:tenant.admin` acting as the client itself using client credentials grant.  
- Her is how the [sample seed tool](samples.md#configure-the-sample-seed-tool) client is granted access.
- - Or a OpenID Connect client with an authenticated master track user. Where the user is granted the administrator role `foxids:tenant.admin`. 
+ - The API can be accessed with a OAuth 2.0 client. Where the client is granted the administrator role `foxids:tenant.admin` acting as the client itself using client credentials grant.  
+ It is probably helpful to take a look at how the [sample seed tool](samples.md#configure-the-sample-seed-tool) client is granted access.
+ - Or the API can be accessed with a OpenID Connect client with an authenticated master track user. Where the user is granted the administrator role `foxids:tenant.admin`.  
+ *As an advanced option the mater user can also be granted access via a trust.*
 
 This shows the FoxIDs Control API configuration in a tenants master track with a scope that grants access to tenant data.
 
@@ -76,5 +77,323 @@ FoxIDs Control API is called with an access token as described in the [OAuth 2.0
 
 The Swagger (OpenApi) interface document is exposed on `.../api/swagger/v1/swagger.json`.  
 
-You can also find the FoxIDs.com Swagger (OpenApi) [interface document](https://control.foxids.com/api/swagger/v1/swagger.json) online.
-
+> FoxIDs.com Swagger (OpenApi) [https://control.foxids.com/api/swagger/v1/swagger.json](https://control.foxids.com/api/swagger/v1/swagger.json)
+
+The FoxIDs Control API URL contains the tenant name and track name on winch you want to operate `.../[tenant_name]/[track_name]/...`. 
+To call the API you replace the `[tenant_name]` element with your tenant name and the `[track_name]` element with the track name of the track you want to call.
+
+If you e.g. want read a OpenID Connect down-party on FoxIDs.com with the name `some_oidc_app` you do a HTTP GET call to `https://control.foxids.com/api/[tenant_name]/[track_name]/!oidcdownparty?name=some_oidc_app` - replaced with your tenant and track names.
+
+### API access rights
+Access to FoxIDs Control API is limited by scopes and roles. There are two sets of scopes based on `foxids:master` which grant access to the master tenant data and `foxids:tenant` which grant access to tenant data.  
+The Control API resource `foxids_control_api` is defined in each tenant's master track and the configured set of scopes grant access the tenants data in the Control API.
+
+A scopes access is limited by adding more elements separated with semicolon and dot. The dot notation limits or grant a sub role, the notation is both used in scopes and roles. 
+To be granted access the caller is required to possess one or more matching scope(s) and role(s).
+
+Each access right is both defined as a scope and a role. This makes it possible to limit or grant access on both client and user level. The access rights are a hierarchy and the client and user do not need to be granted matching scopes and roles. 
+
+The administrator role `foxids:tenant.admin` grants access to all data in a tenant and the master tenant data, it is the same as having the role `foxids:tenant` and `foxids:master`.
+
+> A client request a scope by requesting a scope on a resource, separating the resource and scope with a semicolon. E.g., to request the `foxids:tenant:track:party.create` scope the client request for `foxids_control_api:foxids:tenant:track:party.create`.
+
+#### Tenant access rights
+The tenant access rights is at the same time both scopes and roles.
+
+The `:track[xxxx]` specifies a tenant e.g., the `dev` tenant is `:track[dev]`.
+
+<table>
+    <tr>
+        <th>Scope / role</th>
+        <th>Access</th>
+    </tr>
+    <tr>
+        <td colspan=2><i>Access to everything in the tenant, not master tenant data.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>Access to basic tenant elements: 
+        <lu>
+            <li>My profile used in the Control Client.</li>
+            <li>Call the ReadCertificate API to get a JWT with certificate information from a X509 Certificate.</li>
+        </lu>
+        </i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:basic</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:basic.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:basic.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:basic.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:basic.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>Access to everything in all tracks in a tenant, not including the master track.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>Access to everything in a specific track in a tenant.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx].read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx].create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx].update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx].delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>All usage logs in all tracks in a tenant, not including the master track. Not applicable in the master tenant.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:usage</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>Usage logs in a specific track in a tenant. Not applicable in the master tenant.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:usage</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>All logs in all tracks in a tenant, not including the master track. </i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:log</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:log.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:log.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:log.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:log.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>Logs in a specific tenant.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:log</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:log.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:log.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:log.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:log.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>All users in all tracks in a tenant, not including the master track.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:user</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:user.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:user.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:user.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:user.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>All users in a specific track in a tenant. </i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:user</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:user.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:user.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:user.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:user.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>All down-parties and up-parties in all tracks in a tenant, not including the master track.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:party</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:party.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:party.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:party.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track:party.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>All down-parties and up-parties in a specific track in a tenant.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:party</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:party.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:party.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:party.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:tenant:track[xxxx]:party.delete</code></td>
+        <td>delete</td>
+    </tr>
+</table>
+
+#### Master tenant access rights
+The master tenant access rights is at the same time both scopes and roles.
+
+<table>
+    <tr>
+        <td colspan=2><i>Access to the master tenant data<br />
+            Can list, create and delete tenants but not look into other tenants.
+        </i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:master</code></td>
+        <td>read, create, update, delete</td>
+    </tr>
+    <tr>
+        <td><code>foxids:master.read</code></td>
+        <td>read</td>
+    </tr>
+    <tr>
+        <td><code>foxids:master.create</code></td>
+        <td>create</td>
+    </tr>
+    <tr>
+        <td><code>foxids:master.update</code></td>
+        <td>update</td>
+    </tr>
+    <tr>
+        <td><code>foxids:master.delete</code></td>
+        <td>delete</td>
+    </tr>
+    <tr>
+        <td colspan=2><i>Usage log in the master tenant.</i></td>
+    </tr>
+    <tr>
+        <td><code>foxids:master:usage</code></td>
+        <td>read</td>
+    </tr>
+</table>
+
+If the scope you need is not defined on the Control API `foxids_control_api` you can add the scope. The same goes for roles which has to be defined on the user or the calling client.
\ No newline at end of file
diff --git a/docs/faq.md b/docs/faq.md
index b0bab9c8c..64a2b1f75 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -3,14 +3,18 @@
 ##### Only the `sub`, `sid`, `acr` and `amr` claims are pass through. I get more claims from the up-party by using log claims trace. What am I doing wrong?
 By default an up-party should pass through all claims to the down-party if Forward Claims has a `*`.
 ![Up-party default pass through all claims to the down-party](images/faq-pass-through-all-claims-up-party.png)
-You can also make the down-party (OpenID Connect client) add all claims in the access token issued to the application (not default).  
+You can also make the down-party (in this case a OpenID Connect client) add all claims to the access token issued to the application (not default).  
 Navigating to the down-party then click Show advanced settings and add a `*` in the Issue claims field. Optionally also include all claims in the issued ID token.
 ![Make the down-party issue all claims](images/faq-pass-through-all-claims-down-party.png)
 
+##### Is it possible to avoid the "Pick an account" dialog?
+Yes FoxIDs support to forward the login hint from an up-party to an external IdP or another FoxIDs down-party. In OpenID Connect the login hint is forwarded in the `login_hint` parameter. 
+In SAML 2.0 the login hint is forwarded as a `NameID` with the Email Format `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` in the `Subject` element.
+
 ##### Way am I unable to login for a moment when I change the certificate container types to 'Key Vault renewed self-signed certificates'?
-The first certificate have to be generated by Key Vault before the track can perform logins again. Thereafter the certificate is renewed without seamlessly.
+The first certificate have to be generated by Key Vault before the track can perform logins again. Thereafter the certificate is renewed seamlessly.
 
 ##### I am unable to logout of a client using OIDC if I login and theafter changed the certificate container type.
-The problem occurs if the OIDC logout require an ID Token before accepting logout. In this case the ID Token is invalid because the container type and there by the signing certificate have changed.
-The problem will occur in the FoxIDs Controle Client. You need to close the browser and start over.
+The problem occurs if the OIDC logout require an ID Token before accepting logout. In this case the ID Token is invalid because the container type and there by the signing certificate have changed.  
+Solution: You need to close the browser and start over.
 
diff --git a/docs/gs-context-handler.md b/docs/gs-context-handler.md
index 4eadfdf06..b4b26ef5c 100644
--- a/docs/gs-context-handler.md
+++ b/docs/gs-context-handler.md
@@ -18,7 +18,7 @@ Test Context Handler with the <a href="https://aspnetcoreoidcallupsample.itfoxte
 The OpenID Connect test app call FoxIDs and FoxIDs call Context Handler to let the user authenticate.
 
 ## Context Handler details
-FoxIDs support Context Handler including OIOSAML3, login, single logout, logging, issuer naming, OCES3 certificates and NSIS.
+FoxIDs support Context Handler including OIOSAML3, login, single logout, logging, issuer naming, OCES3 (RSASSA-PSS) certificates and NSIS.
 
 > Transform the [DK privilege XML claim](claim-transform-dk-privilege.md) to a JSON claim.
 
diff --git a/docs/gs-nemlogin.md b/docs/gs-nemlogin.md
index ce29aac63..4c6ae37b7 100644
--- a/docs/gs-nemlogin.md
+++ b/docs/gs-nemlogin.md
@@ -18,7 +18,7 @@ Test NemLog-in with the <a href="https://aspnetcoreoidcallupsample.itfoxtec.com/
 The OpenID Connect test app call FoxIDs and FoxIDs call NemLog-in to let the user authenticate with MitID.
 
 ## NemLog-in details
-FoxIDs support NemLog-in including OIOSAML3, login, single logout, logging, issuer naming, OCES3 certificates and NSIS.
+FoxIDs support NemLog-in including OIOSAML3, login, single logout, logging, issuer naming, OCES3 (RSASSA-PSS) certificates and NSIS.
 
 > Transform the [DK privilege XML claim](claim-transform-dk-privilege.md) to a JSON claim.
 
diff --git a/docs/howto-saml-2.0-context-handler.md b/docs/howto-saml-2.0-context-handler.md
index ca6f6f86e..d2088ef48 100644
--- a/docs/howto-saml-2.0-context-handler.md
+++ b/docs/howto-saml-2.0-context-handler.md
@@ -3,7 +3,7 @@
 FoxIDs can be connected to Context Handler / F&aelig;lleskommunal Adgangsstyring (Danish identity broker) with a [SAML 2.0 up-party](up-party-saml-2.0.md). 
 Context Handler is a Danish identity broker connecting the Danish municipalities in a common federation.
 
-Context Handler is connected as a SAML 2.0 [Identity Provider (IdP)](#configuring-context-handler-as-identity-provider).  
+Context Handler is connected as a SAML 2.0 [Identity Provider (IdP)](#configuring-context-handler-as-identity-provider) based on OIOSAML 3 and OCES3 (RSASSA-PSS).  
 
 ![Connect to Context Handler](images/how-to-context-handler.svg)
 
@@ -14,7 +14,7 @@ In the test environment, FoxIDs can be connected to Context Handler as a test Id
 
 ![Connect to Context Handler RP](images/how-to-context-handler-rp.svg)
 
-Context Handler can be configured based on either OIOSAML 2 or OIOSAML 3 and FoxIDs furthermore support the required certificates and it is possible to support NSIS.
+Context Handler can be configured based on either OIOSAML 2 or OIOSAML 3 with OCES3 (RSASSA-PSS) and FoxIDs furthermore support the required certificates and it is possible to support NSIS.
 
 > You can test Context Handler login with the [online web app sample](https://aspnetcoreoidcallupsample.itfoxtec.com) ([sample docs](samples.md#aspnetcoreoidcauthcodealluppartiessample)) by clicking `Log in` and then `Danish Context Handler TEST` for the test environment (on `FoxIDs - test-corp` on Context Handler) or `Danish Context Handler` for production.  
 > The sample is configured with a separate tracks for the Context Handler SAML 2.0 integration.  
diff --git a/docs/index.md b/docs/index.md
index dd3d68c58..b64c70954 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -17,7 +17,7 @@ FoxIDs consist of two services:
 FoxIDs can be deployed and used by a single company or deployed as a shared cloud container and used by multiple organisations. 
 You can select to use a shared cloud or a private cloud setup.
 
-- FoxIDs is available at [FoxIDs.com](https://foxids.com) as an Identity Services (IDS) also called Identity as a Service (IDaaS).  
+- FoxIDs SaaS is available at [FoxIDs.com](https://foxids.com) as an Identity Services (IDS) also called Identity as a Service (IDaaS).  
 FoxIDs.com is hosted in Europe and mainly in Microsoft Azure Holland, Netherlands.
 - You are free to [deploy](deployment.md) FoxIDs as your own private cloud on Microsoft Azure.
 
diff --git a/docs/up-party-howto-saml-2.0-nemlogin.md b/docs/up-party-howto-saml-2.0-nemlogin.md
index 3c1c68629..ee6be484a 100644
--- a/docs/up-party-howto-saml-2.0-nemlogin.md
+++ b/docs/up-party-howto-saml-2.0-nemlogin.md
@@ -7,7 +7,7 @@ FoxIDs will then handle the SAML 2.0 connection as a Relying Party (RP) / Servic
 
 ![Connect to NemLog-in](images/how-to-nemlogin.svg)
 
-FoxIDs support NemLog-in and the SAML 2.0 based OIOSAML3 including single logout (SLO), logging, issuer naming, required OCES3 certificates and it is possible to support NSIS.
+FoxIDs support NemLog-in and the SAML 2.0 based OIOSAML3 including single logout (SLO), logging, issuer naming, required OCES3 (RSASSA-PSS) certificates and it is possible to support NSIS.
 
 > You can test NemLog-in login with the [online web app sample](https://aspnetcoreoidcallupsample.itfoxtec.com) ([sample docs](samples.md#aspnetcoreoidcauthcodealluppartiessample)) by clicking `Log in` and then `Danish NemLog-in TEST` for the test environment or `Danish NemLog-in` for production.  
 > The sample is configured with a separate track for the NemLog-in SAML 2.0 integration.  
diff --git a/src/FoxIDs.Control/BuildInfo.g.cs b/src/FoxIDs.Control/BuildInfo.g.cs
new file mode 100644
index 000000000..0b5eadda3
--- /dev/null
+++ b/src/FoxIDs.Control/BuildInfo.g.cs
@@ -0,0 +1,9 @@
+using System;
+
+namespace FoxIDs
+{
+    public static partial class BuildInfo
+    {
+        public static DateTime CompilationTimestampUtc { get { return new DateTime(638430850953040022L, DateTimeKind.Utc); } }
+    }
+}
\ No newline at end of file
diff --git a/src/FoxIDs.Control/BuildInfo.tt b/src/FoxIDs.Control/BuildInfo.tt
new file mode 100644
index 000000000..82a1d0cb9
--- /dev/null
+++ b/src/FoxIDs.Control/BuildInfo.tt
@@ -0,0 +1,13 @@
+<#@ template debug="false" hostspecific="true" language="C#" #>
+<#@ assembly name="System.Core" #>
+<#@ import namespace="System" #>
+<#@ output extension=".g.cs" #>
+using System;
+
+namespace FoxIDs
+{
+    public static partial class BuildInfo
+    {
+        public static DateTime CompilationTimestampUtc { get { return new DateTime(<# Write(DateTime.UtcNow.Ticks.ToString()); #>L, DateTimeKind.Utc); } }
+    }
+}
\ No newline at end of file
diff --git a/src/FoxIDs.Control/Controllers/Base/ApiController.cs b/src/FoxIDs.Control/Controllers/Base/ApiController.cs
index bb4f71149..d8b313843 100644
--- a/src/FoxIDs.Control/Controllers/Base/ApiController.cs
+++ b/src/FoxIDs.Control/Controllers/Base/ApiController.cs
@@ -7,7 +7,6 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
 using Microsoft.AspNetCore.Routing;
-using Microsoft.IdentityModel.Tokens;
 using System;
 using System.Linq;
 
diff --git a/src/FoxIDs.Control/Controllers/Base/TenantApiController.cs b/src/FoxIDs.Control/Controllers/Base/TenantApiController.cs
deleted file mode 100644
index 92bac67ac..000000000
--- a/src/FoxIDs.Control/Controllers/Base/TenantApiController.cs
+++ /dev/null
@@ -1,12 +0,0 @@
-using FoxIDs.Infrastructure;
-using FoxIDs.Infrastructure.Security;
-
-namespace FoxIDs.Controllers
-{
-    [TenantScopeAuthorize]
-    public abstract class TenantApiController : ApiController
-    {
-        public TenantApiController(TelemetryScopedLogger logger) : base(logger)
-        { }
-    }
-}
diff --git a/src/FoxIDs.Control/Controllers/Client/WController.cs b/src/FoxIDs.Control/Controllers/Client/WController.cs
new file mode 100644
index 000000000..f7c8652d8
--- /dev/null
+++ b/src/FoxIDs.Control/Controllers/Client/WController.cs
@@ -0,0 +1,35 @@
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Hosting;
+
+namespace FoxIDs.Controllers.Client
+{
+    public class WController : Controller
+    {
+        private static string indexFile;
+        private readonly IWebHostEnvironment currentEnvironment;
+
+        public WController(IWebHostEnvironment env)
+        {
+            currentEnvironment = env;
+        }
+
+        [ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]
+        public IActionResult Index()
+        {
+            return GetProcessedIndexFile();
+        }
+
+        private IActionResult GetProcessedIndexFile()
+        {
+            if (indexFile == null)
+            {
+                var file = currentEnvironment.WebRootFileProvider.GetFileInfo("index.html");
+                indexFile = System.IO.File.ReadAllText(file.PhysicalPath);
+                indexFile = indexFile.Replace("{version}", BuildInfo.CompilationTimestampUtc.ToString("yyyyMMddHHmmss"));
+                indexFile = indexFile.Replace("{min}", currentEnvironment.IsDevelopment() ? string.Empty : ".min");
+            }
+            return Content(indexFile, "text/html");
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Controllers/Helpers/TReadCertificateController.cs b/src/FoxIDs.Control/Controllers/Helpers/TReadCertificateController.cs
index 988bea5db..5f0efabd4 100644
--- a/src/FoxIDs.Control/Controllers/Helpers/TReadCertificateController.cs
+++ b/src/FoxIDs.Control/Controllers/Helpers/TReadCertificateController.cs
@@ -9,10 +9,12 @@
 using Microsoft.AspNetCore.WebUtilities;
 using System;
 using System.ComponentModel.DataAnnotations;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TReadCertificateController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Base, Constants.ControlApi.Segment.Party)]
+    public class TReadCertificateController : ApiController
     {
         private readonly IMapper mapper;
 
@@ -22,12 +24,12 @@ public TReadCertificateController(TelemetryScopedLogger logger, IMapper mapper)
         }
 
         /// <summary>
-        /// Read JWT with certificate information.
+        /// Read JWK with certificate information.
         /// </summary>
         /// <param name="certificateAndPassword">Base64 URL encode certificate and optionally password.</param>
         /// <returns>User.</returns>
-        [ProducesResponseType(typeof(Api.JwtWithCertificateInfo), StatusCodes.Status200OK)]
-        public async Task<ActionResult<Api.JwtWithCertificateInfo>> PostReadCertificate([FromBody] Api.CertificateAndPassword certificateAndPassword)
+        [ProducesResponseType(typeof(Api.JwkWithCertificateInfo), StatusCodes.Status200OK)]
+        public async Task<ActionResult<Api.JwkWithCertificateInfo>> PostReadCertificate([FromBody] Api.CertificateAndPassword certificateAndPassword)
         {
             if (!await ModelState.TryValidateObjectAsync(certificateAndPassword)) return BadRequest(ModelState);
 
@@ -45,7 +47,7 @@ public TReadCertificateController(TelemetryScopedLogger logger, IMapper mapper)
                 }
 
                 var jwt = await certificate.ToFTJsonWebKeyAsync(includePrivateKey: true);
-                return Ok(mapper.Map<Api.JwtWithCertificateInfo>(jwt));
+                return Ok(mapper.Map<Api.JwkWithCertificateInfo>(jwt));
             }
             catch (ValidationException)
             {
diff --git a/src/FoxIDs.Control/Controllers/Master/MFilterPlanController.cs b/src/FoxIDs.Control/Controllers/Master/MFilterPlanController.cs
index f66c27cbc..9c55e7d38 100644
--- a/src/FoxIDs.Control/Controllers/Master/MFilterPlanController.cs
+++ b/src/FoxIDs.Control/Controllers/Master/MFilterPlanController.cs
@@ -10,10 +10,15 @@
 using AutoMapper;
 using ITfoxtec.Identity;
 using System.Linq;
+using FoxIDs.Infrastructure.Filters;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class MFilterPlanController : MasterApiController
+    [RequireMasterTenant]
+    [MasterScopeAuthorize]
+
+    public class MFilterPlanController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Master/MPlanController.cs b/src/FoxIDs.Control/Controllers/Master/MPlanController.cs
index 36724e97d..682210161 100644
--- a/src/FoxIDs.Control/Controllers/Master/MPlanController.cs
+++ b/src/FoxIDs.Control/Controllers/Master/MPlanController.cs
@@ -10,10 +10,14 @@
 using System.Linq;
 using System;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Filters;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class MPlanController : MasterApiController
+    [RequireMasterTenant]
+    [MasterScopeAuthorize]
+    public class MPlanController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordController.cs b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordController.cs
index 712dceba6..a1e30fde8 100644
--- a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordController.cs
+++ b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordController.cs
@@ -9,10 +9,14 @@
 using System.Net;
 using System.Threading.Tasks;
 using AutoMapper;
+using FoxIDs.Infrastructure.Filters;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class MRiskPasswordController : MasterApiController
+    [RequireMasterTenant]
+    [MasterScopeAuthorize]
+    public class MRiskPasswordController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordFirstController.cs b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordFirstController.cs
index 014359fa5..5bf23dbd3 100644
--- a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordFirstController.cs
+++ b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordFirstController.cs
@@ -7,10 +7,14 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using AutoMapper;
+using FoxIDs.Infrastructure.Filters;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class MRiskPasswordFirstController : MasterApiController
+    [RequireMasterTenant]
+    [MasterScopeAuthorize]
+    public class MRiskPasswordFirstController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordInfoController.cs b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordInfoController.cs
index de595d62a..50a66e00d 100644
--- a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordInfoController.cs
+++ b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordInfoController.cs
@@ -5,10 +5,14 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using System.Threading.Tasks;
+using FoxIDs.Infrastructure.Filters;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class MRiskPasswordInfoController : MasterApiController
+    [RequireMasterTenant]
+    [MasterScopeAuthorize]
+    public class MRiskPasswordInfoController : ApiController
     {
         private readonly IMasterRepository masterRepository;
 
diff --git a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordTestController.cs b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordTestController.cs
index 0254fceed..fd0aac954 100644
--- a/src/FoxIDs.Control/Controllers/Master/MRiskPasswordTestController.cs
+++ b/src/FoxIDs.Control/Controllers/Master/MRiskPasswordTestController.cs
@@ -1,4 +1,6 @@
 using FoxIDs.Infrastructure;
+using FoxIDs.Infrastructure.Filters;
+using FoxIDs.Infrastructure.Security;
 using FoxIDs.Models;
 using FoxIDs.Repository;
 using Microsoft.AspNetCore.Http;
@@ -8,7 +10,9 @@
 
 namespace FoxIDs.Controllers
 {
-    public class MRiskPasswordTestController : MasterApiController
+    [RequireMasterTenant]
+    [MasterScopeAuthorize]
+    public class MRiskPasswordTestController : ApiController
     {
         private readonly IMasterRepository masterRepository;
 
diff --git a/src/FoxIDs.Control/Controllers/Master/MasterApiController.cs b/src/FoxIDs.Control/Controllers/Master/MasterApiController.cs
deleted file mode 100644
index fee052b01..000000000
--- a/src/FoxIDs.Control/Controllers/Master/MasterApiController.cs
+++ /dev/null
@@ -1,18 +0,0 @@
-using FoxIDs.Infrastructure;
-using FoxIDs.Infrastructure.Filters;
-using FoxIDs.Infrastructure.Security;
-
-namespace FoxIDs.Controllers
-{
-    [RequireMasterTenant]
-    [MasterScopeAuthorize]
-    public abstract class MasterApiController : ApiController
-    {
-        private readonly TelemetryScopedLogger logger;
-
-        public MasterApiController(TelemetryScopedLogger logger) : base(logger)
-        {
-            this.logger = logger;
-        }
-    }
-}
diff --git a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs
index 816d8a091..0584cddc7 100644
--- a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs
@@ -13,13 +13,15 @@
 using ITfoxtec.Identity;
 using System.Security.Cryptography.X509Certificates;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
     /// <summary>
     /// Abstract OAuth 2.0 import client key for up-party API.
     /// </summary>
-    public abstract class GenericOAuthClientKeyUpPartyController<TParty, TClient, TScope, TClaim> : TenantApiController where TParty : OAuthDownParty<TClient, TScope, TClaim> where TClient : OAuthDownClient<TScope, TClaim> where TScope : OAuthDownScope<TClaim> where TClaim : OAuthDownClaim
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public abstract class GenericOAuthClientKeyUpPartyController<TParty, TClient> : ApiController where TParty : OAuthUpParty<TClient> where TClient : OAuthUpClient
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
@@ -43,7 +45,7 @@ public GenericOAuthClientKeyUpPartyController(TelemetryScopedLogger logger, IMap
                 if (!ModelState.TryValidateRequiredParameter(partyName, nameof(partyName))) return BadRequest(ModelState);
                 partyName = partyName?.ToLower();
 
-                var oauthUpParty = await tenantRepository.GetAsync<OAuthUpParty>(await UpParty.IdFormatAsync(RouteBinding, partyName));
+                var oauthUpParty = await tenantRepository.GetAsync<TParty>(await UpParty.IdFormatAsync(RouteBinding, partyName));
                 if (oauthUpParty.Client.ClientKeys?.Count() > 0 && oauthUpParty.Client.ClientKeys.First().Type == ClientKeyTypes.KeyVaultImport)
                 {
                     var clientKey = oauthUpParty.Client.ClientKeys.First();
@@ -62,8 +64,8 @@ public GenericOAuthClientKeyUpPartyController(TelemetryScopedLogger logger, IMap
             {
                 if (ex.StatusCode == HttpStatusCode.NotFound)
                 {
-                    logger.Warning(ex, $"NotFound, Get '{typeof(OAuthUpParty).Name}' client key by name '{partyName}'.");
-                    return NotFound(typeof(OAuthUpParty).Name, partyName);
+                    logger.Warning(ex, $"NotFound, Get '{typeof(TParty).Name}' client key by name '{partyName}'.");
+                    return NotFound(typeof(TParty).Name, partyName);
                 }
                 throw;
             }
@@ -82,7 +84,7 @@ public GenericOAuthClientKeyUpPartyController(TelemetryScopedLogger logger, IMap
                     throw new Exception($"Key Vault and thereby client certificates is not supported in the '{plan.Name}' plan.");
                 }
 
-                var oauthUpParty = await tenantRepository.GetAsync<OAuthUpParty>(await UpParty.IdFormatAsync(RouteBinding, keyRequest.PartyName));
+                var oauthUpParty = await tenantRepository.GetAsync<TParty>(await UpParty.IdFormatAsync(RouteBinding, keyRequest.PartyName));
 
                 (var externalName, var publicCertificate, var externalId) = await externalKeyLogic.ImportExternalKeyAsync(WebEncoders.Base64UrlDecode(keyRequest.Certificate), keyRequest.Password, upPartyName: keyRequest.PartyName);
                 var publicKey = new X509Certificate2(publicCertificate).ToFTJsonWebKey();
@@ -117,8 +119,8 @@ public GenericOAuthClientKeyUpPartyController(TelemetryScopedLogger logger, IMap
             {
                 if (ex.StatusCode == HttpStatusCode.Conflict)
                 {
-                    logger.Warning(ex, $"Conflict, Create client key on client '{typeof(OAuthUpParty).Name}' by name '{keyRequest.PartyName}'.");
-                    return Conflict(typeof(OAuthUpParty).Name, keyRequest.PartyName, nameof(keyRequest.PartyName));
+                    logger.Warning(ex, $"Conflict, Create client key on client '{typeof(TParty).Name}' by name '{keyRequest.PartyName}'.");
+                    return Conflict(typeof(TParty).Name, keyRequest.PartyName, nameof(keyRequest.PartyName));
                 }
                 throw;
             }
@@ -135,7 +137,7 @@ protected async Task<IActionResult> Delete(string name)
                 var externalName = name.GetLastInDotList();
                 if (!ModelState.TryValidateRequiredParameter(externalName, $"{nameof(name)}[1]")) return BadRequest(ModelState);
 
-                var oauthUpParty = await tenantRepository.GetAsync<OAuthUpParty>(await UpParty.IdFormatAsync(RouteBinding, partyName));
+                var oauthUpParty = await tenantRepository.GetAsync<TParty>(await UpParty.IdFormatAsync(RouteBinding, partyName));
 
                 var key = oauthUpParty.Client.ClientKeys?.Where(k => k.Type == ClientKeyTypes.KeyVaultImport && k.ExternalName == externalName).FirstOrDefault();
                 if (key != null)
@@ -151,8 +153,8 @@ protected async Task<IActionResult> Delete(string name)
             {
                 if (ex.StatusCode == HttpStatusCode.NotFound)
                 {
-                    logger.Warning(ex, $"NotFound, Delete client key from client '{typeof(OAuthUpParty).Name}' by name '{name}'.");
-                    return NotFound(typeof(OAuthUpParty).Name, name);
+                    logger.Warning(ex, $"NotFound, Delete client key from client '{typeof(TParty).Name}' by name '{name}'.");
+                    return NotFound(typeof(TParty).Name, name);
                 }
                 throw;
             }
diff --git a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretDownPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretDownPartyController.cs
index fe091c0f0..fed17f395 100644
--- a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretDownPartyController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretDownPartyController.cs
@@ -9,13 +9,15 @@
 using AutoMapper;
 using System.Collections.Generic;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
     /// <summary>
     /// Abstract OAuth 2.0 client secret for down-party API.
     /// </summary>
-    public abstract class GenericOAuthClientSecretDownPartyController<TParty, TClient, TScope, TClaim> : TenantApiController where TParty : OAuthDownParty<TClient, TScope, TClaim> where TClient : OAuthDownClient<TScope, TClaim> where TScope : OAuthDownScope<TClaim> where TClaim : OAuthDownClaim
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public abstract class GenericOAuthClientSecretDownPartyController<TParty, TClient, TScope, TClaim> : ApiController where TParty : OAuthDownParty<TClient, TScope, TClaim> where TClient : OAuthDownClient<TScope, TClaim> where TScope : OAuthDownScope<TClaim> where TClaim : OAuthDownClaim
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretUpPartyController.cs
new file mode 100644
index 000000000..0285e4164
--- /dev/null
+++ b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientSecretUpPartyController.cs
@@ -0,0 +1,118 @@
+using FoxIDs.Infrastructure;
+using FoxIDs.Models;
+using Api = FoxIDs.Models.Api;
+using FoxIDs.Repository;
+using Microsoft.AspNetCore.Mvc;
+using System.Net;
+using System.Threading.Tasks;
+using ITfoxtec.Identity;
+using System;
+using FoxIDs.Infrastructure.Security;
+
+namespace FoxIDs.Controllers
+{
+    /// <summary>
+    /// Abstract OAuth 2.0 import client secret for up-party API.
+    /// </summary>
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public abstract class GenericOAuthClientSecretUpPartyController<TParty, TClient> : ApiController where TParty : OAuthUpParty<TClient> where TClient : OAuthUpClient
+    {
+        private readonly TelemetryScopedLogger logger;
+        private readonly ITenantRepository tenantRepository;
+
+        public GenericOAuthClientSecretUpPartyController(TelemetryScopedLogger logger, ITenantRepository tenantRepository) : base(logger)
+        {
+            this.logger = logger;
+            this.tenantRepository = tenantRepository;
+        }
+
+        protected async Task<ActionResult<Api.OAuthClientSecretSingleResponse>> Get(string partyName)
+        {
+            try
+            {
+                if (!ModelState.TryValidateRequiredParameter(partyName, nameof(partyName))) return BadRequest(ModelState);
+                partyName = partyName?.ToLower();
+
+                var oauthUpParty = await tenantRepository.GetAsync<TParty>(await UpParty.IdFormatAsync(RouteBinding, partyName));
+                if (!string.IsNullOrWhiteSpace(oauthUpParty?.Client?.ClientSecret))
+                {
+                    return Ok(new Api.OAuthClientSecretSingleResponse
+                    {
+                        Info = oauthUpParty.Client.ClientSecret.Length > 20 ? oauthUpParty.Client.ClientSecret.Substring(0, 3) : oauthUpParty.Client.ClientSecret,
+                    });
+                }
+                else
+                {
+                    return Ok(new Api.OAuthClientSecretSingleResponse());
+                }
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Get '{typeof(TParty).Name}' client key by name '{partyName}'.");
+                    return NotFound(typeof(TParty).Name, partyName);
+                }
+                throw;
+            }
+        }
+
+        protected async Task<ActionResult<Api.OAuthUpParty>> Put([FromBody] Api.OAuthClientSecretSingleRequest secretRequest)
+        {
+            try
+            {
+                if (!await ModelState.TryValidateObjectAsync(secretRequest)) return BadRequest(ModelState);
+                secretRequest.PartyName = secretRequest.PartyName?.ToLower();
+
+                var oauthUpParty = await tenantRepository.GetAsync<TParty>(await UpParty.IdFormatAsync(RouteBinding, secretRequest.PartyName));
+                if (oauthUpParty.Client.ClientAuthenticationMethod != ClientAuthenticationMethods.PrivateKeyJwt && secretRequest.Secret.IsNullOrEmpty())
+                {
+                    throw new Exception($"Client secret is require if 'ClientAuthenticationMethod' is different from '{ClientAuthenticationMethods.PrivateKeyJwt}'");
+                }
+
+                oauthUpParty.Client.ClientSecret = secretRequest.Secret;
+                await tenantRepository.UpdateAsync(oauthUpParty);
+
+                return Created(new Api.OAuthUpParty { Name = secretRequest.PartyName });
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.Conflict)
+                {
+                    logger.Warning(ex, $"Conflict, Create client key on client '{typeof(TParty).Name}' by name '{secretRequest.PartyName}'.");
+                    return Conflict(typeof(TParty).Name, secretRequest.PartyName, nameof(secretRequest.PartyName));
+                }
+                throw;
+            }
+        }
+
+        protected async Task<IActionResult> Delete(string name)
+        {
+            try
+            {
+                if (!ModelState.TryValidateRequiredParameter(name, nameof(name))) return BadRequest(ModelState);
+
+                var partyName = name?.ToLower();
+                var oauthUpParty = await tenantRepository.GetAsync<TParty>(await UpParty.IdFormatAsync(RouteBinding, partyName));
+                if (oauthUpParty.Client.ClientAuthenticationMethod != ClientAuthenticationMethods.PrivateKeyJwt)
+                {
+                    throw new Exception($"Client secret is require if 'ClientAuthenticationMethod' is different from '{ClientAuthenticationMethods.PrivateKeyJwt}'");
+                }
+
+                oauthUpParty.Client.ClientSecret = null;
+                await tenantRepository.UpdateAsync(oauthUpParty);
+
+                return NoContent();
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Delete client secret from client '{typeof(TParty).Name}' by name '{name}'.");
+                    return NotFound(typeof(TParty).Name, name);
+                }
+                throw;
+            }
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Controllers/Parties/GenericPartyApiController.cs b/src/FoxIDs.Control/Controllers/Parties/GenericPartyApiController.cs
index 1d7c8884f..a81187b76 100644
--- a/src/FoxIDs.Control/Controllers/Parties/GenericPartyApiController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/GenericPartyApiController.cs
@@ -8,14 +8,15 @@
 using AutoMapper;
 using System;
 using FoxIDs.Logic;
-using System.ComponentModel.DataAnnotations;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
     /// <summary>
     /// Abstract party API.
     /// </summary>
-    public abstract class GenericPartyApiController<AParty, AClaimTransform, MParty> : TenantApiController where AParty : Api.INameValue, Api.IClaimTransform<AClaimTransform> where MParty : Party where AClaimTransform : Api.ClaimTransform
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public abstract class GenericPartyApiController<AParty, AClaimTransform, MParty> : ApiController where AParty : Api.INameValue, Api.IClaimTransform<AClaimTransform> where MParty : Party where AClaimTransform : Api.ClaimTransform
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
@@ -45,8 +46,8 @@ protected async Task<ActionResult<AParty>> Get(string name)
                 if (!ModelState.TryValidateRequiredParameter(name, nameof(name))) return BadRequest(ModelState);
                 name = name?.ToLower();
 
-                var MParty = await tenantRepository.GetAsync<MParty>(await GetId(IsUpParty(), name));
-                return Ok(mapper.Map<AParty>(MParty));
+                var mParty = await tenantRepository.GetAsync<MParty>(await GetId(IsUpParty(), name));
+                return base.Ok(ModelToApiMap(mParty));
             }
             catch (CosmosDataException ex)
             {
@@ -107,7 +108,7 @@ protected async Task<ActionResult<AParty>> Post(AParty party, Func<AParty, Value
                     throw new NotSupportedException($"{mParty?.GetType()?.Name} type not supported.");
                 }
 
-                return Created(mapper.Map<AParty>(mParty));
+                return Created(ModelToApiMap(mParty));
             }
             catch (CosmosDataException ex)
             {
@@ -139,7 +140,7 @@ protected async Task<ActionResult<AParty>> Put(AParty party, Func<AParty, ValueT
                 if(party is Api.OidcDownParty)
                 {
                     var tempMParty = await tenantRepository.GetAsync<MParty>(mParty.Id);
-                    if((tempMParty as OidcDownParty)?.Client?.Secrets?.Count > 0)
+                    if((tempMParty as OidcDownParty).Client != null && (mParty as OidcDownParty).Client != null)
                     {
                         (mParty as OidcDownParty).Client.Secrets = (tempMParty as OidcDownParty).Client.Secrets;
                     }
@@ -147,7 +148,7 @@ protected async Task<ActionResult<AParty>> Put(AParty party, Func<AParty, ValueT
                 else if (party is Api.OAuthDownParty)
                 {
                     var tempMParty = await tenantRepository.GetAsync<MParty>(mParty.Id);
-                    if ((tempMParty as OAuthDownParty)?.Client?.Secrets?.Count > 0)
+                    if ((tempMParty as OAuthDownParty).Client != null && (mParty as OAuthDownParty).Client != null)
                     {
                         (mParty as OAuthDownParty).Client.Secrets = (tempMParty as OAuthDownParty).Client.Secrets;
                     }
@@ -155,10 +156,8 @@ protected async Task<ActionResult<AParty>> Put(AParty party, Func<AParty, ValueT
                 else if (party is Api.OidcUpParty)
                 {
                     var tempMParty = await tenantRepository.GetAsync<MParty>(mParty.Id);
-                    if ((tempMParty as OidcUpParty)?.Client?.ClientKeys?.Count > 0)
-                    {
-                        (mParty as OidcUpParty).Client.ClientKeys = (tempMParty as OidcUpParty).Client.ClientKeys;
-                    }
+                    (mParty as OidcUpParty).Client.ClientSecret = (tempMParty as OidcUpParty).Client.ClientSecret;
+                    (mParty as OidcUpParty).Client.ClientKeys = (tempMParty as OidcUpParty).Client.ClientKeys;
                 }
 
                 var oldMUpParty = (mParty is UpParty mUpParty) ? await tenantRepository.GetAsync<UpParty>(await UpParty.IdFormatAsync(RouteBinding, mParty.Name)) : null;
@@ -178,7 +177,7 @@ protected async Task<ActionResult<AParty>> Put(AParty party, Func<AParty, ValueT
                     throw new NotSupportedException($"{mParty?.GetType()?.Name} type not supported.");
                 }
 
-                return Ok(mapper.Map<AParty>(mParty));
+                return Ok(ModelToApiMap(mParty));
             }
             catch (CosmosDataException ex)
             {
@@ -229,6 +228,22 @@ protected async Task<IActionResult> Delete(string name)
             }
         }
 
+        private AParty ModelToApiMap(MParty mParty)
+        {
+            var arParty = mapper.Map<AParty>(mParty);
+            if (arParty is Api.OidcUpParty arOidcUpParty)
+            {
+                if (arOidcUpParty.Client?.ClientSecret != null)
+                {
+                    if (arOidcUpParty.Client.ClientSecret.Length > 20)
+                    {
+                        arOidcUpParty.Client.ClientSecret = arOidcUpParty.Client.ClientSecret.Substring(0, 3);
+                    }
+                }
+            }
+            return arParty;
+        }
+
         private bool IsUpParty()
         {
             if (EqualsBaseType(0, typeof(MParty), (typeof(UpParty))))
diff --git a/src/FoxIDs.Control/Controllers/Parties/TFilterDownPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/TFilterDownPartyController.cs
index 5993ea3ce..ba1e3a5cc 100644
--- a/src/FoxIDs.Control/Controllers/Parties/TFilterDownPartyController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/TFilterDownPartyController.cs
@@ -11,10 +11,12 @@
 using System.Linq;
 using ITfoxtec.Identity;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TFilterDownPartyController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public class TFilterDownPartyController : ApiController
     {
         private const string dataType = "party:down";
         private readonly TelemetryScopedLogger logger;
diff --git a/src/FoxIDs.Control/Controllers/Parties/TFilterUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/TFilterUpPartyController.cs
index fe5546780..c2de93ef0 100644
--- a/src/FoxIDs.Control/Controllers/Parties/TFilterUpPartyController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/TFilterUpPartyController.cs
@@ -11,10 +11,12 @@
 using System.Linq;
 using ITfoxtec.Identity;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TFilterUpPartyController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public class TFilterUpPartyController : ApiController
     {
         private const string dataType = "party:up";
         private readonly TelemetryScopedLogger logger;
diff --git a/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs
index 1b5913848..c26a076ba 100644
--- a/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs
@@ -14,7 +14,7 @@ namespace FoxIDs.Controllers
     /// <summary>
     /// OIDC import client key for up-party API.
     /// </summary>
-    public class TOidcClientKeyUpPartyController : GenericOAuthClientKeyUpPartyController<OidcDownParty, OidcDownClient, OidcDownScope, OidcDownClaim>
+    public class TOidcClientKeyUpPartyController : GenericOAuthClientKeyUpPartyController<OidcUpParty, OidcUpClient>
     {
         public TOidcClientKeyUpPartyController(TelemetryScopedLogger logger, IMapper mapper, ITenantRepository tenantRepository, PlanCacheLogic planCacheLogic, ExternalKeyLogic externalKeyLogic) : base(logger, mapper, tenantRepository, planCacheLogic, externalKeyLogic)
         { }
diff --git a/src/FoxIDs.Control/Controllers/Parties/TOidcClientSecretUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/TOidcClientSecretUpPartyController.cs
new file mode 100644
index 000000000..ffae6987c
--- /dev/null
+++ b/src/FoxIDs.Control/Controllers/Parties/TOidcClientSecretUpPartyController.cs
@@ -0,0 +1,45 @@
+using FoxIDs.Infrastructure;
+using FoxIDs.Models;
+using Api = FoxIDs.Models.Api;
+using FoxIDs.Repository;
+using Microsoft.AspNetCore.Mvc;
+using System.Threading.Tasks;
+using System.Collections.Generic;
+using Microsoft.AspNetCore.Http;
+
+namespace FoxIDs.Controllers
+{
+    /// <summary>
+    /// OIDC import client secret for up-party API.
+    /// </summary>
+    public class TOidcClientSecretUpPartyController : GenericOAuthClientSecretUpPartyController<OidcUpParty, OidcUpClient>
+    {
+        public TOidcClientSecretUpPartyController(TelemetryScopedLogger logger, ITenantRepository tenantRepository) : base(logger, tenantRepository)
+        { }
+
+        /// <summary>
+        /// Get OIDC client secret for up-party.
+        /// </summary>
+        /// <param name="partyName">OIDC party name.</param>
+        /// <returns>OIDC client secret for up-party.</returns>
+        [ProducesResponseType(typeof(List<Api.OAuthClientSecretSingleResponse>), StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<ActionResult<Api.OAuthClientSecretSingleResponse>> GetOidcClientSecretUpParty(string partyName) => await Get(partyName);
+
+        /// <summary>
+        /// Update OIDC client secret for up-party.
+        /// </summary>
+        /// <param name="secretRequest">OIDC client secret for up-party.</param>
+        [ProducesResponseType(typeof(Api.OAuthUpParty), StatusCodes.Status201Created)]
+        [ProducesResponseType(StatusCodes.Status409Conflict)]
+        public async Task<ActionResult<Api.OAuthUpParty>> PutOidcClientSecretUpParty([FromBody] Api.OAuthClientSecretSingleRequest secretRequest) => await Put(secretRequest);
+
+        /// <summary>
+        /// Delete OIDC client secret for up-party.
+        /// </summary>
+        /// <param name="name">Party name.</param>
+        [ProducesResponseType(StatusCodes.Status204NoContent)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<IActionResult> DeleteOidcClientSecretUpParty(string name) => await Delete(name);
+    }
+}
diff --git a/src/FoxIDs.Control/Controllers/Parties/TOidcUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/TOidcUpPartyController.cs
index aeedff786..02b016854 100644
--- a/src/FoxIDs.Control/Controllers/Parties/TOidcUpPartyController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/TOidcUpPartyController.cs
@@ -16,11 +16,13 @@ namespace FoxIDs.Controllers
     public class TOidcUpPartyController : GenericPartyApiController<Api.OidcUpParty, Api.OAuthClaimTransform, OidcUpParty>
     {
         private readonly ValidateApiModelOAuthOidcPartyLogic validateApiModelOAuthOidcPartyLogic;
+        private readonly ValidateModelOAuthOidcPartyLogic validateModelOAuthOidcPartyLogic;
         private readonly OidcDiscoveryReadUpLogic<OidcUpParty, OidcUpClient> oidcDiscoveryReadUpLogic;
 
-        public TOidcUpPartyController(TelemetryScopedLogger logger, IMapper mapper, ITenantRepository tenantRepository, DownPartyCacheLogic downPartyCacheLogic, UpPartyCacheLogic upPartyCacheLogic, DownPartyAllowUpPartiesQueueLogic downPartyAllowUpPartiesQueueLogic, ValidateApiModelGenericPartyLogic validateApiModelGenericPartyLogic, ValidateModelGenericPartyLogic validateModelGenericPartyLogic, ValidateApiModelOAuthOidcPartyLogic validateApiModelOAuthOidcPartyLogic, OidcDiscoveryReadUpLogic<OidcUpParty, OidcUpClient> oidcDiscoveryReadUpLogic) : base(logger, mapper, tenantRepository, downPartyCacheLogic, upPartyCacheLogic, downPartyAllowUpPartiesQueueLogic, validateApiModelGenericPartyLogic, validateModelGenericPartyLogic)
+        public TOidcUpPartyController(TelemetryScopedLogger logger, IMapper mapper, ITenantRepository tenantRepository, DownPartyCacheLogic downPartyCacheLogic, UpPartyCacheLogic upPartyCacheLogic, DownPartyAllowUpPartiesQueueLogic downPartyAllowUpPartiesQueueLogic, ValidateApiModelGenericPartyLogic validateApiModelGenericPartyLogic, ValidateModelGenericPartyLogic validateModelGenericPartyLogic, ValidateApiModelOAuthOidcPartyLogic validateApiModelOAuthOidcPartyLogic, ValidateModelOAuthOidcPartyLogic validateModelOAuthOidcPartyLogic, OidcDiscoveryReadUpLogic<OidcUpParty, OidcUpClient> oidcDiscoveryReadUpLogic) : base(logger, mapper, tenantRepository, downPartyCacheLogic, upPartyCacheLogic, downPartyAllowUpPartiesQueueLogic, validateApiModelGenericPartyLogic, validateModelGenericPartyLogic)
         {
             this.validateApiModelOAuthOidcPartyLogic = validateApiModelOAuthOidcPartyLogic;
+            this.validateModelOAuthOidcPartyLogic = validateModelOAuthOidcPartyLogic;
             this.oidcDiscoveryReadUpLogic = oidcDiscoveryReadUpLogic;
         }
 
@@ -40,16 +42,17 @@ public TOidcUpPartyController(TelemetryScopedLogger logger, IMapper mapper, ITen
         /// <returns>OIDC up-party.</returns>
         [ProducesResponseType(typeof(Api.OidcUpParty), StatusCodes.Status201Created)]
         [ProducesResponseType(StatusCodes.Status409Conflict)]
-        public async Task<ActionResult<Api.OidcUpParty>> PostOidcUpParty([FromBody] Api.OidcUpParty party) => await Post(party, ap => new ValueTask<bool>(validateApiModelOAuthOidcPartyLogic.ValidateApiModel(ModelState, ap)), async (ap, mp) => await oidcDiscoveryReadUpLogic.PopulateModelAsync(ModelState, mp));
+        public async Task<ActionResult<Api.OidcUpParty>> PostOidcUpParty([FromBody] Api.OidcUpParty party) => await Post(party, ap => new ValueTask<bool>(validateApiModelOAuthOidcPartyLogic.ValidateApiModel(ModelState, ap)), async (ap, mp) => validateModelOAuthOidcPartyLogic.ValidateApiModel(ModelState, mp) && await oidcDiscoveryReadUpLogic.PopulateModelAsync(ModelState, mp));
 
         /// <summary>
         /// Update OIDC up-party.
+        /// You cannot update the ClientSecret in this method.
         /// </summary>
         /// <param name="party">OIDC up-party.</param>
         /// <returns>OIDC up-party.</returns>
         [ProducesResponseType(typeof(Api.OidcUpParty), StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
-        public async Task<ActionResult<Api.OidcUpParty>> PutOidcUpParty([FromBody] Api.OidcUpParty party) => await Put(party, ap => new ValueTask<bool>(validateApiModelOAuthOidcPartyLogic.ValidateApiModel(ModelState, ap)), async (ap, mp) => await oidcDiscoveryReadUpLogic.PopulateModelAsync(ModelState, mp));
+        public async Task<ActionResult<Api.OidcUpParty>> PutOidcUpParty([FromBody] Api.OidcUpParty party) => await Put(party, ap => new ValueTask<bool>(validateApiModelOAuthOidcPartyLogic.ValidateApiModel(ModelState, ap)), async (ap, mp) => validateModelOAuthOidcPartyLogic.ValidateApiModel(ModelState, mp) && await oidcDiscoveryReadUpLogic.PopulateModelAsync(ModelState, mp));
 
         /// <summary>
         /// Delete OIDC up-party.
diff --git a/src/FoxIDs.Control/Controllers/Parties/TSamlUpPartyReadMetadataController.cs b/src/FoxIDs.Control/Controllers/Parties/TSamlUpPartyReadMetadataController.cs
index 3106bbcce..123ac0b5d 100644
--- a/src/FoxIDs.Control/Controllers/Parties/TSamlUpPartyReadMetadataController.cs
+++ b/src/FoxIDs.Control/Controllers/Parties/TSamlUpPartyReadMetadataController.cs
@@ -8,10 +8,12 @@
 using System.ComponentModel.DataAnnotations;
 using FoxIDs.Logic;
 using FoxIDs.Models;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TSamlUpPartyReadMetadataController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)]
+    public class TSamlUpPartyReadMetadataController : ApiController
     {
         private readonly IMapper mapper;
         private readonly SamlMetadataReadLogic samlMetadataReadLogic;
diff --git a/src/FoxIDs.Control/Controllers/TenantResources/TFilterResourceNameController.cs b/src/FoxIDs.Control/Controllers/TenantResources/TFilterResourceNameController.cs
index 450f18267..42d8038cf 100644
--- a/src/FoxIDs.Control/Controllers/TenantResources/TFilterResourceNameController.cs
+++ b/src/FoxIDs.Control/Controllers/TenantResources/TFilterResourceNameController.cs
@@ -11,10 +11,12 @@
 using ITfoxtec.Identity;
 using FoxIDs.Logic;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TFilterResourceNameController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TFilterResourceNameController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tenants/TMyTenantController.cs b/src/FoxIDs.Control/Controllers/Tenants/TMyTenantController.cs
index 83a7a3283..d9bc83fed 100644
--- a/src/FoxIDs.Control/Controllers/Tenants/TMyTenantController.cs
+++ b/src/FoxIDs.Control/Controllers/Tenants/TMyTenantController.cs
@@ -10,10 +10,12 @@
 using FoxIDs.Logic;
 using System;
 using ITfoxtec.Identity;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TMyTenantController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TMyTenantController :  ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tenants/TMyTenantLogUsageController.cs b/src/FoxIDs.Control/Controllers/Tenants/TMyTenantLogUsageController.cs
index 4b94ea59b..e43df5c59 100644
--- a/src/FoxIDs.Control/Controllers/Tenants/TMyTenantLogUsageController.cs
+++ b/src/FoxIDs.Control/Controllers/Tenants/TMyTenantLogUsageController.cs
@@ -5,10 +5,12 @@
 using System.Threading.Tasks;
 using FoxIDs.Logic;
 using ITfoxtec.Identity;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TMyTenantLogUsageController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Usage)]
+    public class TMyTenantLogUsageController : ApiController
     {
         private readonly UsageLogLogic usageLogLogic;
 
diff --git a/src/FoxIDs.Control/Controllers/Tenants/TTenantLogUsageController.cs b/src/FoxIDs.Control/Controllers/Tenants/TTenantLogUsageController.cs
index e0e984d67..7737a17a2 100644
--- a/src/FoxIDs.Control/Controllers/Tenants/TTenantLogUsageController.cs
+++ b/src/FoxIDs.Control/Controllers/Tenants/TTenantLogUsageController.cs
@@ -11,7 +11,7 @@
 namespace FoxIDs.Controllers
 {
     [RequireMasterTenant]
-    [MasterScopeAuthorize]
+    [MasterScopeAuthorize(Constants.ControlApi.Segment.Usage)]
     public class TTenantLogUsageController : ApiController
     {
         private readonly UsageLogLogic usageLogLogic;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TFilterTrackController.cs b/src/FoxIDs.Control/Controllers/Tracks/TFilterTrackController.cs
index f6cd8ea01..17030acea 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TFilterTrackController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TFilterTrackController.cs
@@ -11,10 +11,12 @@
 using System.Linq;
 using ITfoxtec.Identity;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TFilterTrackController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TFilterTrackController : ApiController
     {
         private const string dataType = "track";
         private readonly TelemetryScopedLogger logger;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TFilterUserController.cs b/src/FoxIDs.Control/Controllers/Tracks/TFilterUserController.cs
index b6f59d317..738a3ea75 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TFilterUserController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TFilterUserController.cs
@@ -11,10 +11,12 @@
 using System.Linq;
 using ITfoxtec.Identity;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TFilterUserController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.User)]
+    public class TFilterUserController : ApiController
     {
         private const string dataType = "user";
         private readonly TelemetryScopedLogger logger;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TMyUserController.cs b/src/FoxIDs.Control/Controllers/Tracks/TMyUserController.cs
new file mode 100644
index 000000000..f139096c9
--- /dev/null
+++ b/src/FoxIDs.Control/Controllers/Tracks/TMyUserController.cs
@@ -0,0 +1,93 @@
+using AutoMapper;
+using FoxIDs.Infrastructure;
+using FoxIDs.Repository;
+using FoxIDs.Models;
+using Api = FoxIDs.Models.Api;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using System.Threading.Tasks;
+using System.Net;
+using ITfoxtec.Identity;
+using System;
+using FoxIDs.Infrastructure.Security;
+
+namespace FoxIDs.Controllers
+{
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Base)]
+    public class TMyUserController : ApiController
+    {
+        private readonly TelemetryScopedLogger logger;
+        private readonly IMapper mapper;
+        private readonly ITenantRepository tenantRepository;
+
+        public TMyUserController(TelemetryScopedLogger logger, IMapper mapper, ITenantRepository tenantRepository) : base(logger)
+        {
+            this.logger = logger;
+            this.mapper = mapper;
+            this.tenantRepository = tenantRepository;
+        }
+
+        /// <summary>
+        /// Get my user.
+        /// </summary>
+        /// <returns>User.</returns>
+        [ProducesResponseType(typeof(Api.MyUser), StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<ActionResult<Api.MyUser>> GetMyUser()
+        {
+            var email = User.Claims.FindFirstOrDefaultValue(c => c.Type == JwtClaimTypes.Email);
+            try
+            {
+                if (email.IsNullOrWhiteSpace())
+                {
+                    throw new Exception("Authenticated users email claim is empty.");
+                }
+                var mUser = await tenantRepository.GetAsync<User>(await Models.User.IdFormatAsync(RouteBinding, email));
+                return Ok(mapper.Map<Api.MyUser>(mUser));
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Get '{typeof(Api.MyUser).Name}' by email '{email}'.");
+                    return NotFound(typeof(Api.MyUser).Name, email);
+                }
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Update my user.
+        ///  - It is only possible to set the ChangePassword property.
+        /// </summary>
+        /// <param name="user">My user.</param>
+        /// <returns>My user.</returns>
+        [ProducesResponseType(typeof(Api.MyUser), StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<ActionResult<Api.MyUser>> PutMyUser([FromBody] Api.MyUser user)
+        {
+            var email = User.Claims.FindFirstOrDefaultValue(c => c.Type == JwtClaimTypes.Email);
+            try
+            {
+                if (email.IsNullOrWhiteSpace())
+                {
+                    throw new Exception("Authenticated users email claim is empty.");
+                }
+                var mUser = await tenantRepository.GetAsync<User>(await Models.User.IdFormatAsync(RouteBinding, email));
+                mUser.ChangePassword = user.ChangePassword;
+                await tenantRepository.UpdateAsync(mUser);
+
+                return Ok(mapper.Map<Api.MyUser>(mUser));
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Update '{typeof(Api.MyUser).Name}' by email '{email}'.");
+                    return NotFound(typeof(Api.MyUser).Name, email, nameof(email));
+                }
+                throw;
+            }
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackClaimMappingController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackClaimMappingController.cs
index 0e0850f6f..567e479b0 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackClaimMappingController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackClaimMappingController.cs
@@ -10,10 +10,12 @@
 using System.Collections.Generic;
 using System.Linq;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackClaimMappingController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackClaimMappingController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs
index de37ee59c..a5f6072b6 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs
@@ -10,10 +10,12 @@
 using FoxIDs.Logic;
 using ITfoxtec.Identity;
 using System;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs
index 4b475a8fd..ed4ca0b4a 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs
@@ -10,10 +10,12 @@
 using System.ComponentModel.DataAnnotations;
 using ITfoxtec.Identity;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackKeyContainedController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackKeyContainedController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs
index 4f6d0caf2..4228a8a38 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs
@@ -9,10 +9,12 @@
 using System.Net;
 using System.ComponentModel.DataAnnotations;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackKeyContainedSwapController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackKeyContainedSwapController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs
index 83d248447..b77971892 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs
@@ -12,10 +12,12 @@
 using FoxIDs.Models.Config;
 using System.Collections.Generic;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackKeyTypeController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackKeyTypeController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly FoxIDsControlSettings settings;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogController.cs
index 78b8291a9..a322a25ed 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogController.cs
@@ -13,10 +13,12 @@
 using Azure.Monitor.Query;
 using Azure.Monitor.Query.Models;
 using Azure;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackLogController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Log)]
+    public class TTrackLogController : ApiController
     {
         private const int maxQueryLogItems = 200;
         private const int maxResponseLogItems = 300;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogSettingController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogSettingController.cs
index 0f4b793a9..8e0d48ac7 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogSettingController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogSettingController.cs
@@ -8,10 +8,12 @@
 using System.Threading.Tasks;
 using System.Net;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackLogSettingController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Log)]
+    public class TTrackLogSettingController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogStreamsSettingsController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogStreamsSettingsController.cs
index 0266ad76a..1721e66b1 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogStreamsSettingsController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogStreamsSettingsController.cs
@@ -9,10 +9,12 @@
 using System.Net;
 using System.Collections.Generic;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackLogStreamsSettingsController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Log)]
+    public class TTrackLogStreamsSettingsController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogUsageController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogUsageController.cs
index b6b8d6e04..e2f12d805 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackLogUsageController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackLogUsageController.cs
@@ -4,10 +4,12 @@
 using Microsoft.AspNetCore.Mvc;
 using System.Threading.Tasks;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackLogUsageController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Usage)]
+    public class TTrackLogUsageController : ApiController
     {
         private readonly UsageLogLogic usageLogLogic;
 
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceController.cs
index 78c5781de..837e3b788 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceController.cs
@@ -12,10 +12,12 @@
 using System.ComponentModel.DataAnnotations;
 using System;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackResourceController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackResourceController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceSettingController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceSettingController.cs
index a510e63f8..c0852d12b 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceSettingController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackResourceSettingController.cs
@@ -8,10 +8,12 @@
 using System.Threading.Tasks;
 using System.Net;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackResourceSettingController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackResourceSettingController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackSendEmailController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackSendEmailController.cs
index 93dccb5de..16dff3468 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TTrackSendEmailController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackSendEmailController.cs
@@ -9,10 +9,12 @@
 using System.Net;
 using System;
 using FoxIDs.Logic;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TTrackSendEmailController : TenantApiController
+    [TenantScopeAuthorize]
+    public class TTrackSendEmailController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TUserControlProfileController.cs b/src/FoxIDs.Control/Controllers/Tracks/TUserControlProfileController.cs
new file mode 100644
index 000000000..c1752ee3c
--- /dev/null
+++ b/src/FoxIDs.Control/Controllers/Tracks/TUserControlProfileController.cs
@@ -0,0 +1,124 @@
+using AutoMapper;
+using FoxIDs.Infrastructure;
+using FoxIDs.Repository;
+using FoxIDs.Models;
+using Api = FoxIDs.Models.Api;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using System.Threading.Tasks;
+using System.Net;
+using ITfoxtec.Identity;
+using System;
+using FoxIDs.Infrastructure.Security;
+
+namespace FoxIDs.Controllers
+{
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.Base)]
+    public class TUserControlProfileController : ApiController
+    {
+        private readonly TelemetryScopedLogger logger;
+        private readonly IMapper mapper;
+        private readonly ITenantRepository tenantRepository;
+
+        public TUserControlProfileController(TelemetryScopedLogger logger, IMapper mapper, ITenantRepository tenantRepository) : base(logger)
+        {
+            this.logger = logger;
+            this.mapper = mapper;
+            this.tenantRepository = tenantRepository;
+        }
+
+        /// <summary>
+        /// Get user control profile.
+        /// </summary>
+        /// <returns>User control profile.</returns>
+        [ProducesResponseType(typeof(Api.UserControlProfile), StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<ActionResult<Api.UserControlProfile>> GetUserControlProfile()
+        {
+            try
+            {
+                if(RouteBinding.TrackName != Constants.Routes.MasterTrackName)
+                {
+                    throw new Exception("User control profile only supported in master track.");
+                }
+
+                var userHashId = await User.Identity.Name.ToLower().Sha256HashBase64urlEncodedAsync();
+
+                var mUserControlProfile = await tenantRepository.GetAsync<UserControlProfile>(await UserControlProfile.IdFormatAsync(RouteBinding, userHashId));
+                return Ok(mapper.Map<Api.UserControlProfile>(mUserControlProfile));
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Get '{typeof(Api.UserControlProfile).Name}' by user sub '{User?.Identity?.Name}'.");
+                    return NotFound(typeof(Api.UserControlProfile).Name, User?.Identity?.Name);
+                }
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Update user control profile.
+        /// </summary>
+        /// <param name="userControlProfile">User control profile.</param>
+        /// <returns>User control profile.</returns>
+        [ProducesResponseType(typeof(Api.UserControlProfile), StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<ActionResult<Api.UserControlProfile>> PutUserControlProfile([FromBody] Api.UserControlProfile userControlProfile)
+        {
+            try
+            {
+                if (RouteBinding.TrackName != Constants.Routes.MasterTrackName)
+                {
+                    throw new Exception("User control profile only supported in master track.");
+                }
+
+                var mUserControlProfile = mapper.Map<UserControlProfile>(userControlProfile);
+                mUserControlProfile.Id = await UserControlProfile.IdFormatAsync(RouteBinding, await User.Identity.Name.ToLower().Sha256HashBase64urlEncodedAsync());
+                await tenantRepository.SaveAsync(mUserControlProfile);
+
+                return Ok(mapper.Map<Api.UserControlProfile>(mUserControlProfile));
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Update '{typeof(Api.UserControlProfile).Name}' by user sub '{User?.Identity?.Name}'.");
+                    return NotFound(typeof(Api.UserControlProfile).Name, User?.Identity?.Name);
+                }
+                throw;
+            }
+        }
+
+        /// <summary>
+        /// Delete user control profile.
+        /// </summary>
+        [ProducesResponseType(StatusCodes.Status204NoContent)]
+        [ProducesResponseType(StatusCodes.Status404NotFound)]
+        public async Task<IActionResult> DeleteUserControlProfile()
+        {
+            try
+            {
+                if (RouteBinding.TrackName != Constants.Routes.MasterTrackName)
+                {
+                    throw new Exception("User control profile only supported in master track.");
+                }
+
+                var userHashId = await User.Identity.Name.ToLower().Sha256HashBase64urlEncodedAsync();
+
+                _ = await tenantRepository.DeleteAsync<UserControlProfile>(await UserControlProfile.IdFormatAsync(RouteBinding, userHashId));
+                return NoContent();
+            }
+            catch (CosmosDataException ex)
+            {
+                if (ex.StatusCode == HttpStatusCode.NotFound)
+                {
+                    logger.Warning(ex, $"NotFound, Delete '{typeof(Api.UserControlProfile).Name}' by user sub '{User?.Identity?.Name}'.");
+                    return NotFound(typeof(Api.UserControlProfile).Name, User?.Identity?.Name);
+                }
+                throw;
+            }
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Controllers/Tracks/TUserController.cs b/src/FoxIDs.Control/Controllers/Tracks/TUserController.cs
index 575157eda..b0062ecff 100644
--- a/src/FoxIDs.Control/Controllers/Tracks/TUserController.cs
+++ b/src/FoxIDs.Control/Controllers/Tracks/TUserController.cs
@@ -13,10 +13,12 @@
 using ITfoxtec.Identity;
 using System;
 using System.Linq.Expressions;
+using FoxIDs.Infrastructure.Security;
 
 namespace FoxIDs.Controllers
 {
-    public class TUserController : TenantApiController
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.User)]
+    public class TUserController : ApiController
     {
         private readonly TelemetryScopedLogger logger;
         private readonly IMapper mapper;
diff --git a/src/FoxIDs.Control/FoxIDs.Control.csproj b/src/FoxIDs.Control/FoxIDs.Control.csproj
index b83a91048..fbfaa1d62 100644
--- a/src/FoxIDs.Control/FoxIDs.Control.csproj
+++ b/src/FoxIDs.Control/FoxIDs.Control.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.2.5.0</Version>
+		<Version>1.2.6.4</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -19,13 +19,13 @@
 	</PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="AutoMapper" Version="12.0.1" />
+    <PackageReference Include="AutoMapper" Version="13.0.1" />
 	<PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.0" />
 	<PackageReference Include="Azure.Identity" Version="1.10.4" />
     <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.5.1" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
 	<PackageReference Include="Azure.Monitor.Query" Version="1.2.0" />
-	<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.0" />
+	<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.1" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
     <PackageReference Include="Swashbuckle.AspNetCore.Annotations" Version="6.5.0" />
   </ItemGroup>
@@ -36,4 +36,23 @@
     <ProjectReference Include="..\FoxIDs.Shared\FoxIDs.Shared.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <None Update="BuildInfo.tt">
+      <Generator>TextTemplatingFileGenerator</Generator>
+      <LastGenOutput>BuildInfo.g.cs</LastGenOutput>
+    </None>
+  </ItemGroup>
+
+  <ItemGroup>
+    <Service Include="{508349b6-6b84-4df5-91f0-309beebad82d}" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Compile Update="BuildInfo.g.cs">
+      <DesignTime>True</DesignTime>
+      <AutoGen>True</AutoGen>
+      <DependentUpon>BuildInfo.tt</DependentUpon>
+    </Compile>
+  </ItemGroup>
+
 </Project>
diff --git a/src/FoxIDs.Control/Infrastructure/Hosting/FoxIDsApiExceptionMiddleware.cs b/src/FoxIDs.Control/Infrastructure/Hosting/FoxIDsApiExceptionMiddleware.cs
index 99740ab7d..6831d3dd8 100644
--- a/src/FoxIDs.Control/Infrastructure/Hosting/FoxIDsApiExceptionMiddleware.cs
+++ b/src/FoxIDs.Control/Infrastructure/Hosting/FoxIDsApiExceptionMiddleware.cs
@@ -70,7 +70,7 @@ private void LogError(TelemetryScopedLogger scopedLogger, Exception ex)
             scopedLogger.Error(ex);
             if (environment.IsDevelopment())
             {
-                Debug.WriteLine(ex.ToString());
+                Console.WriteLine(ex.ToString());
             }
         }
     }
diff --git a/src/FoxIDs.Control/Infrastructure/Hosting/ServiceCollectionExtensions.cs b/src/FoxIDs.Control/Infrastructure/Hosting/ServiceCollectionExtensions.cs
index 73680692e..1fae588fc 100644
--- a/src/FoxIDs.Control/Infrastructure/Hosting/ServiceCollectionExtensions.cs
+++ b/src/FoxIDs.Control/Infrastructure/Hosting/ServiceCollectionExtensions.cs
@@ -43,6 +43,7 @@ public static IServiceCollection AddLogic(this IServiceCollection services)
             services.AddTransient<UsageLogLogic>();            
 
             services.AddTransient<ValidateModelGenericPartyLogic>();
+            services.AddTransient<ValidateModelOAuthOidcPartyLogic>();
 
             services.AddTransient<ValidateApiModelGenericPartyLogic>();
             services.AddTransient<ValidateApiModelLoginPartyLogic>();
diff --git a/src/FoxIDs.Control/Infrastructure/Security/BaseAuthorizationRequirement.cs b/src/FoxIDs.Control/Infrastructure/Security/BaseAuthorizationRequirement.cs
new file mode 100644
index 000000000..31928c7f3
--- /dev/null
+++ b/src/FoxIDs.Control/Infrastructure/Security/BaseAuthorizationRequirement.cs
@@ -0,0 +1,73 @@
+using ITfoxtec.Identity;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Threading.Tasks;
+
+namespace FoxIDs.Infrastructure.Security
+{
+    public abstract class BaseAuthorizationRequirement<Tar, Tsc> : AuthorizationHandler<Tar>, IAuthorizationRequirement where Tar : IAuthorizationRequirement where Tsc : BaseScopeAuthorizeAttribute
+    {
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, Tar requirement)
+        {
+            if (context.User != null && context.Resource is HttpContext httpContext)
+            {
+                var executingEnpoint = httpContext.GetEndpoint();
+                var scopeAuthorizeAttribute = executingEnpoint.Metadata.OfType<Tsc>().FirstOrDefault();
+                if (scopeAuthorizeAttribute != null)
+                {
+                    var userScopes = context.User.Claims.Where(c => string.Equals(c.Type, JwtClaimTypes.Scope, StringComparison.OrdinalIgnoreCase)).Select(c => c.Value).FirstOrDefault().ToSpaceList();
+                    var userRoles = context.User.Claims.Where(c => string.Equals(c.Type, JwtClaimTypes.Role, StringComparison.OrdinalIgnoreCase)).Select(c => c.Value).ToList();
+                    if (userScopes?.Count() > 0 && userRoles?.Count > 0)
+                    {
+                        (var acceptedScopes, var acceptedRoles) = GetAcceptedScopesAndRoles(scopeAuthorizeAttribute.Segments, httpContext.GetRouteBinding()?.TrackName, httpContext.Request?.Method);
+
+                        if (userScopes.Where(us => acceptedScopes.Any(s => s.Equals(us, StringComparison.Ordinal))).Any() && userRoles.Where(ur => acceptedRoles.Any(r => r.Equals(ur, StringComparison.Ordinal))).Any())
+                        {
+                            context.Succeed(requirement);
+                        }
+                    }
+                }
+            }
+
+            return Task.CompletedTask;
+        }
+
+        protected abstract (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod);
+
+        protected void AddScopeAndRole(List<string> acceptedScopes, List<string> acceptedRoles, string httpMethod, string scope, string role, string segment = "")
+        {
+            acceptedScopes.Add(scope);
+            acceptedRoles.Add(role);
+
+            if (segment != Constants.ControlApi.Segment.Usage)
+            {
+                if (httpMethod == HttpMethod.Get.Method)
+                {
+                    acceptedScopes.Add($"{scope}{Constants.ControlApi.AccessElement.Read}");
+                    acceptedRoles.Add($"{role}{Constants.ControlApi.AccessElement.Read}");
+                }
+                else if (httpMethod == HttpMethod.Post.Method)
+                {
+                    acceptedScopes.Add($"{scope}{Constants.ControlApi.AccessElement.Create}");
+                    acceptedRoles.Add($"{role}{Constants.ControlApi.AccessElement.Create}");
+
+                }
+                else if (httpMethod == HttpMethod.Put.Method)
+                {
+                    acceptedScopes.Add($"{scope}{Constants.ControlApi.AccessElement.Update}");
+                    acceptedRoles.Add($"{role}{Constants.ControlApi.AccessElement.Update}");
+
+                }
+                else if (httpMethod == HttpMethod.Delete.Method)
+                {
+                    acceptedScopes.Add($"{scope}{Constants.ControlApi.AccessElement.Delete}");
+                    acceptedRoles.Add($"{role}{Constants.ControlApi.AccessElement.Delete}");
+                }
+            }
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Infrastructure/Security/BaseScopeAuthorizeAttribute.cs b/src/FoxIDs.Control/Infrastructure/Security/BaseScopeAuthorizeAttribute.cs
new file mode 100644
index 000000000..7c31ff038
--- /dev/null
+++ b/src/FoxIDs.Control/Infrastructure/Security/BaseScopeAuthorizeAttribute.cs
@@ -0,0 +1,15 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace FoxIDs.Infrastructure.Security
+{
+    public abstract class BaseScopeAuthorizeAttribute : AuthorizeAttribute
+    {
+        public BaseScopeAuthorizeAttribute(string name, params string[] subSegments) : base(name)
+        {
+            AuthenticationSchemes = JwtBearerMultipleTenantsHandler.AuthenticationScheme;
+            Segments = subSegments;
+        }
+
+        public string[] Segments { get; }
+    }
+}
diff --git a/src/FoxIDs.Control/Infrastructure/Security/MasterAuthorizationRequirement.cs b/src/FoxIDs.Control/Infrastructure/Security/MasterAuthorizationRequirement.cs
new file mode 100644
index 000000000..aba71bb01
--- /dev/null
+++ b/src/FoxIDs.Control/Infrastructure/Security/MasterAuthorizationRequirement.cs
@@ -0,0 +1,25 @@
+using System.Collections.Generic;
+
+namespace FoxIDs.Infrastructure.Security
+{
+    public class MasterAuthorizationRequirement : BaseAuthorizationRequirement<MasterAuthorizationRequirement, MasterScopeAuthorizeAttribute>
+    {
+        protected override (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod)
+        {
+            var acceptedScopes = new List<string>();
+            var acceptedRoles = new List<string>();
+
+            AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod, Constants.ControlApi.ResourceAndScope.Master, Constants.ControlApi.Access.Master);
+            acceptedRoles.Add(Constants.ControlApi.Access.TenantAdminRole);
+
+            foreach (var segment in segments)
+            {
+                var scope = $"{Constants.ControlApi.ResourceAndScope.Master}{segment}";
+                var role = $"{Constants.ControlApi.Access.Tenant}{segment}";
+                AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod, scope, role, segment);
+            }
+
+            return (acceptedScopes, acceptedRoles);
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Infrastructure/Security/MasterScopeAuthorizeAttribute.cs b/src/FoxIDs.Control/Infrastructure/Security/MasterScopeAuthorizeAttribute.cs
index 4ac22fdf5..48a5af445 100644
--- a/src/FoxIDs.Control/Infrastructure/Security/MasterScopeAuthorizeAttribute.cs
+++ b/src/FoxIDs.Control/Infrastructure/Security/MasterScopeAuthorizeAttribute.cs
@@ -1,25 +1,19 @@
-using ITfoxtec.Identity;
-using ITfoxtec.Identity.Models;
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 
 namespace FoxIDs.Infrastructure.Security
 {
-    public class MasterScopeAuthorizeAttribute : AuthorizeAttribute
+    public class MasterScopeAuthorizeAttribute : BaseScopeAuthorizeAttribute
     {
         public const string Name = nameof(MasterScopeAuthorizeAttribute);
 
-        public MasterScopeAuthorizeAttribute() : base(Name)
-        {
-            AuthenticationSchemes = JwtBearerMultipleTenantsHandler.AuthenticationScheme;
-        }
+        public MasterScopeAuthorizeAttribute(params string[] segments) : base(Name, segments)
+        { }
 
         public static void AddPolicy(AuthorizationOptions options)
         {
             options.AddPolicy(Name, policy =>
             {
-                policy.RequireScopeAndRoles(
-                    new ScopeAndRoles { Scope = Constants.ControlApi.ResourceAndScope.Master, Roles = new[] { Constants.ControlApi.Role.TenantAdmin } }
-                );
+                policy.Requirements.Add(new MasterAuthorizationRequirement());
             });
         }
     }
diff --git a/src/FoxIDs.Control/Infrastructure/Security/TenantAuthorizationRequirement.cs b/src/FoxIDs.Control/Infrastructure/Security/TenantAuthorizationRequirement.cs
new file mode 100644
index 000000000..a7e1c4b5f
--- /dev/null
+++ b/src/FoxIDs.Control/Infrastructure/Security/TenantAuthorizationRequirement.cs
@@ -0,0 +1,59 @@
+using ITfoxtec.Identity;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace FoxIDs.Infrastructure.Security
+{
+    public class TenantAuthorizationRequirement : BaseAuthorizationRequirement<TenantAuthorizationRequirement, TenantScopeAuthorizeAttribute>
+    {
+        protected override (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod)
+        {
+            var acceptedScopes = new List<string>();
+            var acceptedRoles = new List<string>();
+
+            AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod, Constants.ControlApi.ResourceAndScope.Tenant, Constants.ControlApi.Access.Tenant);
+            acceptedRoles.Add(Constants.ControlApi.Access.TenantAdminRole);
+
+            if (!trackName.IsNullOrWhiteSpace())
+            {
+                if (segments?.Count() > 0)
+                {
+                    foreach (var segment in segments)
+                    {
+                        if (segment == Constants.ControlApi.Segment.Base)
+                        {
+                            AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod,
+                                $"{Constants.ControlApi.ResourceAndScope.Tenant}{segment}",
+                                $"{Constants.ControlApi.Access.Tenant}{segment}");
+                        }
+                        else
+                        {
+                            AddScopeAndRoleByTrack(acceptedScopes, acceptedRoles, trackName, httpMethod, 
+                                    $"{Constants.ControlApi.ResourceAndScope.Tenant}{Constants.ControlApi.AccessElement.Track}", 
+                                    Constants.ControlApi.Access.Tenant,
+                                    segment);
+                        }       
+                    }
+                }
+                else
+                {
+                    AddScopeAndRoleByTrack(acceptedScopes, acceptedRoles, trackName, httpMethod, 
+                        $"{Constants.ControlApi.ResourceAndScope.Tenant}{Constants.ControlApi.AccessElement.Track}", 
+                        Constants.ControlApi.Access.Tenant);
+                }
+            }
+
+            return (acceptedScopes, acceptedRoles);
+        }
+
+        private void AddScopeAndRoleByTrack(List<string> acceptedScopes, List<string> acceptedRoles, string trackName, string httpMethod, string subScope, string subRole, string segment = "")
+        {
+            if (trackName != Constants.Routes.MasterTrackName)
+            {
+                AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod, $"{subScope}{segment}", $"{subRole}{segment}", segment);
+            }
+
+            AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod, $"{subScope}[{trackName}]{segment}", $"{subRole}[{trackName}]{segment}", segment);
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/Infrastructure/Security/TenantScopeAuthorizeAttribute.cs b/src/FoxIDs.Control/Infrastructure/Security/TenantScopeAuthorizeAttribute.cs
index db9db6924..6ff61fa96 100644
--- a/src/FoxIDs.Control/Infrastructure/Security/TenantScopeAuthorizeAttribute.cs
+++ b/src/FoxIDs.Control/Infrastructure/Security/TenantScopeAuthorizeAttribute.cs
@@ -1,25 +1,19 @@
-using ITfoxtec.Identity;
-using ITfoxtec.Identity.Models;
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 
 namespace FoxIDs.Infrastructure.Security
 {
-    public class TenantScopeAuthorizeAttribute : AuthorizeAttribute
+    public class TenantScopeAuthorizeAttribute : BaseScopeAuthorizeAttribute
     {
         public const string Name = nameof(TenantScopeAuthorizeAttribute);
 
-        public TenantScopeAuthorizeAttribute() : base(Name)
-        {
-            AuthenticationSchemes = JwtBearerMultipleTenantsHandler.AuthenticationScheme;
-        }
+        public TenantScopeAuthorizeAttribute(params string[] segments) : base(Name, segments)
+        { }
 
         public static void AddPolicy(AuthorizationOptions options)
         {
             options.AddPolicy(Name, policy =>
             {
-                policy.RequireScopeAndRoles(
-                   new ScopeAndRoles { Scope = Constants.ControlApi.ResourceAndScope.Tenant, Roles = new [] { Constants.ControlApi.Role.TenantAdmin } }
-                );
+                policy.Requirements.Add(new TenantAuthorizationRequirement());
             });
         }
     }
diff --git a/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs b/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs
index fd3e51621..8f54862fb 100644
--- a/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs
+++ b/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs
@@ -32,8 +32,8 @@ public async Task SeedAsync()
 
                 await masterTenantLogic.CreateMasterTrackDocumentAsync(Constants.Routes.MasterTenantName, TrackKeyTypes.KeyVaultRenewSelfSigned);
                 var mLoginUpParty = await masterTenantLogic.CreateMasterLoginDocumentAsync(Constants.Routes.MasterTenantName);
-                await masterTenantLogic.CreateFirstAdminUserDocumentAsync(Constants.Routes.MasterTenantName, Constants.DefaultAdminAccount.Email, Constants.DefaultAdminAccount.Password, true, false, false);
-                await masterTenantLogic.CreateMasterFoxIDsControlApiResourceDocumentAsync(Constants.Routes.MasterTenantName, includeMasterTenantScope: true);
+                await masterTenantLogic.CreateFirstAdminUserDocumentAsync(Constants.Routes.MasterTenantName, Constants.DefaultAdminAccount.Email, Constants.DefaultAdminAccount.Password, true, false, false, isMasterTenant: true);
+                await masterTenantLogic.CreateMasterFoxIDsControlApiResourceDocumentAsync(Constants.Routes.MasterTenantName, isMasterTenant: true);
                 await masterTenantLogic.CreateMasterControlClientDocmentAsync(Constants.Routes.MasterTenantName, settings.FoxIDsControlEndpoint, mLoginUpParty, includeMasterTenantScope: true);
             }
             catch (Exception ex)
diff --git a/src/FoxIDs.Control/Logic/ValidateApiModelOAuthOidcPartyLogic.cs b/src/FoxIDs.Control/Logic/ValidateApiModelOAuthOidcPartyLogic.cs
index f0dcccffd..ac43f6abb 100644
--- a/src/FoxIDs.Control/Logic/ValidateApiModelOAuthOidcPartyLogic.cs
+++ b/src/FoxIDs.Control/Logic/ValidateApiModelOAuthOidcPartyLogic.cs
@@ -76,6 +76,17 @@ public bool ValidateApiModel(ModelStateDictionary modelState, Api.OAuthDownParty
                 {
                     isValid = isValidRtResult;
                 }
+
+                if(party.Resource == null && party.Client.ResourceScopes?.Count() > 0)
+                {
+                    foreach (var rs in party.Client.ResourceScopes)
+                    {
+                        if (rs.Resource == party.Name)
+                        {
+                            rs.Scopes = null;
+                        }
+                    }
+                }
             }
             return isValid;
         }
@@ -94,6 +105,17 @@ public bool ValidateApiModel(ModelStateDictionary modelState, Api.OidcDownParty
                 {
                     isValid = isValidRtResult;
                 }
+
+                if (party.Resource == null && party.Client.ResourceScopes?.Count() > 0)
+                {
+                    foreach (var rs in party.Client.ResourceScopes)
+                    {
+                        if (rs.Resource == party.Name)
+                        {
+                            rs.Scopes = null;
+                        }
+                    }
+                }
             }
             return isValid;
         }
@@ -199,7 +221,7 @@ private List<string> OrderResponseTypes(List<string> responseTypes)
         private string OrderResponseType(string responseType)
         {
             var orderedResponseType = responseType.ToSpaceList()
-                .OrderBy(rt => Array.IndexOf(new string[] { IdentityConstants.ResponseTypes.Code, IdentityConstants.ResponseTypes.Token, IdentityConstants.ResponseTypes.IdToken }, rt));
+                .OrderBy(rt => Array.IndexOf([IdentityConstants.ResponseTypes.Code, IdentityConstants.ResponseTypes.Token, IdentityConstants.ResponseTypes.IdToken], rt));
 
             return orderedResponseType.ToSpaceList();
         }
@@ -217,7 +239,7 @@ private async Task<bool> ValidateClientResourceScopesAsync<TClient, TScope, TCla
                         throw new ValidationException($"Duplicated resource scope, resource '{duplicatedResourceScope.Key}'.");
                     }
 
-                    foreach (var resourceScope in oauthDownParty.Client.ResourceScopes.Where(rs => !rs.Resource.Equals(oauthDownParty.Name, System.StringComparison.Ordinal)))
+                    foreach (var resourceScope in oauthDownParty.Client.ResourceScopes.Where(rs => !rs.Resource.Equals(oauthDownParty.Name, StringComparison.Ordinal)))
                     {
                         var duplicatedScope = resourceScope.Scopes?.GroupBy(s => s).Where(g => g.Count() > 1).FirstOrDefault();
                         if (duplicatedScope != null)
@@ -232,7 +254,7 @@ private async Task<bool> ValidateClientResourceScopesAsync<TClient, TScope, TCla
                             {
                                 foreach (var scope in resourceScope.Scopes)
                                 {
-                                    if (!(resourceDownParty.Resource?.Scopes?.Where(s => s.Equals(scope, System.StringComparison.Ordinal)).Count() > 0))
+                                    if (!(resourceDownParty.Resource?.Scopes?.Where(s => s.Equals(scope, StringComparison.Ordinal)).Count() > 0))
                                     {
                                         throw new ValidationException($"Resource '{resourceScope.Resource}' scope '{scope}' not found.");
                                     }
diff --git a/src/FoxIDs.Control/Logic/ValidateApiModelSamlPartyLogic.cs b/src/FoxIDs.Control/Logic/ValidateApiModelSamlPartyLogic.cs
index fc71e7104..743030f97 100644
--- a/src/FoxIDs.Control/Logic/ValidateApiModelSamlPartyLogic.cs
+++ b/src/FoxIDs.Control/Logic/ValidateApiModelSamlPartyLogic.cs
@@ -46,7 +46,7 @@ private bool ValidateSignatureAlgorithmAndSigningKeys(ModelStateDictionary model
                 ValidateSigningKeys(modelState, nameof(samlDownParty.Keys), samlDownParty.Keys);
         }
 
-        private bool ValidateSigningKeys(ModelStateDictionary modelState, string propertyName, List<Api.JwtWithCertificateInfo> keys)
+        private bool ValidateSigningKeys(ModelStateDictionary modelState, string propertyName, List<Api.JwkWithCertificateInfo> keys)
         {
             var isValid = true;
             try
diff --git a/src/FoxIDs.Control/Logic/ValidateModelOAuthOidcPartyLogic.cs b/src/FoxIDs.Control/Logic/ValidateModelOAuthOidcPartyLogic.cs
new file mode 100644
index 000000000..de24b368b
--- /dev/null
+++ b/src/FoxIDs.Control/Logic/ValidateModelOAuthOidcPartyLogic.cs
@@ -0,0 +1,45 @@
+using Api = FoxIDs.Models.Api;
+using FoxIDs.Infrastructure;
+using FoxIDs.Models;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
+using ITfoxtec.Identity;
+using System.ComponentModel.DataAnnotations;
+
+namespace FoxIDs.Logic
+{
+    public class ValidateModelOAuthOidcPartyLogic : LogicBase
+    {
+        private readonly TelemetryScopedLogger logger;
+
+        public ValidateModelOAuthOidcPartyLogic(TelemetryScopedLogger logger, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor)
+        {
+            this.logger = logger;
+        }
+
+        public bool ValidateApiModel(ModelStateDictionary modelState, OidcUpParty party)
+        {
+            var isValid = true;
+            try
+            {
+                if (party.Client != null)
+                {
+                    if (party.Client.ResponseType.Contains(IdentityConstants.ResponseTypes.Code) == true)
+                    {
+                        if (party.Client.ClientAuthenticationMethod != ClientAuthenticationMethods.PrivateKeyJwt && party.Client.ClientSecret.IsNullOrEmpty())
+                        {
+                            throw new ValidationException($"Require '{nameof(OidcUpParty.Client)}.{nameof(party.Client.ClientSecret)}' or '{nameof(OidcUpParty.Client)}.{nameof(party.Client.ClientAuthenticationMethod)}={ClientAuthenticationMethods.PrivateKeyJwt}' to execute '{IdentityConstants.ResponseTypes.Code}' response type.");
+                        }
+                    }
+                }
+            }
+            catch (ValidationException vex)
+            {
+                isValid = false;
+                logger.Warning(vex);
+                modelState.TryAddModelError($"{nameof(Api.OidcUpParty.Client)}.{nameof(Api.OidcUpParty.Client.ClientSecret)}".ToCamelCase(), vex.Message);
+            }
+            return isValid;
+        }
+    }
+}
diff --git a/src/FoxIDs.Control/MappingProfiles/TenantMappingProfiles.cs b/src/FoxIDs.Control/MappingProfiles/TenantMappingProfiles.cs
index 2064b377d..9ad8d9774 100644
--- a/src/FoxIDs.Control/MappingProfiles/TenantMappingProfiles.cs
+++ b/src/FoxIDs.Control/MappingProfiles/TenantMappingProfiles.cs
@@ -55,6 +55,11 @@ private void Mapping()
                 .ForMember(d => d.Email, opt => opt.MapFrom(s => s.Email.ToLower()))
                 .ForMember(d => d.Id, opt => opt.MapFrom(s => User.IdFormatAsync(RouteBinding, s.Email.ToLower()).GetAwaiter().GetResult()));
 
+            CreateMap<User, Api.MyUser>();
+
+            CreateMap<UserControlProfile, Api.UserControlProfile>()
+                .ReverseMap();
+
             CreateMap<ClaimAndValues, Api.ClaimAndValues>()
                 .ReverseMap();
 
@@ -78,7 +83,7 @@ private void Mapping()
             CreateMap<TrackKey, Api.TrackKey>()
                 .ReverseMap();
 
-            CreateMap<JsonWebKey, Api.JwtWithCertificateInfo>()
+            CreateMap<JsonWebKey, Api.JwkWithCertificateInfo>()
                 .ForMember(d => d.CertificateInfo, opt => opt.MapFrom(s => GetCertificateInfo(s)));
 
             CreateMap<ClientKey, Api.ClientKey>();
diff --git a/src/FoxIDs.Control/Startup.cs b/src/FoxIDs.Control/Startup.cs
index acd8495e3..8f82e83dd 100644
--- a/src/FoxIDs.Control/Startup.cs
+++ b/src/FoxIDs.Control/Startup.cs
@@ -96,7 +96,7 @@ public void Configure(IApplicationBuilder app)
             app.UseRouting();
             app.UseEndpoints(endpoints =>
             {
-                endpoints.MapFallbackToFile("index.html");
+                endpoints.MapFallbackToController("Index", "W");
             });
         }
     }
diff --git a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
index 40c9e8114..e5ee42c3d 100644
--- a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
+++ b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.2.5.0</Version>
+		<Version>1.2.6.4</Version>
 		<RootNamespace>FoxIDs.Client</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -12,10 +12,11 @@
   <ItemGroup>
     <PackageReference Include="Blazored.Toast" Version="4.1.0" />
     <PackageReference Include="BlazorInputFile" Version="0.2.0" />
-    <PackageReference Include="ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect" Version="1.6.5.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.0" PrivateAssets="all" />
+    <PackageReference Include="ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect" Version="1.6.6.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.1" PrivateAssets="all" />
     <PackageReference Include="Tewr.Blazor.FileReader" Version="3.3.2.23201" />
+	<PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
   </ItemGroup>
 
 	<ItemGroup>
diff --git a/src/FoxIDs.ControlClient/Infrastructure/CheckResponseMessageHandler.cs b/src/FoxIDs.ControlClient/Infrastructure/CheckResponseMessageHandler.cs
index 5fa50b4d5..8cd2c6fed 100644
--- a/src/FoxIDs.ControlClient/Infrastructure/CheckResponseMessageHandler.cs
+++ b/src/FoxIDs.ControlClient/Infrastructure/CheckResponseMessageHandler.cs
@@ -19,6 +19,10 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 {
                     throw new FoxIDsApiException("Unauthorized", response.StatusCode, await GetResponseTextAsync(response), GetHeaders(response));
                 }
+                else if (response.StatusCode == HttpStatusCode.Forbidden)
+                {
+                    throw new FoxIDsApiException("Forbidden, you do not possess the required scope and role.", response.StatusCode, await GetResponseTextAsync(response), GetHeaders(response));
+                }
                 else if (response.StatusCode == HttpStatusCode.BadRequest)
                 {
                     throw new FoxIDsApiException("Bad request", response.StatusCode, await GetResponseTextAsync(response), GetHeaders(response));
diff --git a/src/FoxIDs.ControlClient/Infrastructure/Hosting/ServiceCollectionExtensions.cs b/src/FoxIDs.ControlClient/Infrastructure/Hosting/ServiceCollectionExtensions.cs
index c3d252082..da80dfe2a 100644
--- a/src/FoxIDs.ControlClient/Infrastructure/Hosting/ServiceCollectionExtensions.cs
+++ b/src/FoxIDs.ControlClient/Infrastructure/Hosting/ServiceCollectionExtensions.cs
@@ -25,6 +25,7 @@ public static IServiceCollection AddLogic(this IServiceCollection services)
         {
             services.AddScoped<RouteBindingLogic>();
             services.AddScoped<ControlClientSettingLogic>();
+            services.AddScoped<UserProfileLogic>();
             services.AddScoped<NotificationLogic>();
             services.AddScoped<TrackSelectedLogic>();
             services.AddScoped<ClipboardLogic>();
diff --git a/src/FoxIDs.ControlClient/Infrastructure/Security/TenantOpenidConnectPkce.cs b/src/FoxIDs.ControlClient/Infrastructure/Security/TenantOpenidConnectPkce.cs
index 416122418..8e3e74660 100644
--- a/src/FoxIDs.ControlClient/Infrastructure/Security/TenantOpenidConnectPkce.cs
+++ b/src/FoxIDs.ControlClient/Infrastructure/Security/TenantOpenidConnectPkce.cs
@@ -24,7 +24,7 @@ public TenantOpenidConnectPkce(IServiceProvider serviceProvider, RouteBindingLog
             this.clientSettings = clientSettings;
         }
 
-        public async Task TenantLoginAsync()
+        public async Task TenantLoginAsync(string prompt = null)
         {
             await controlClientSettingLogic.InitLoadAsync();
 
@@ -38,7 +38,7 @@ public async Task TenantLoginAsync()
                 LogoutCallBackPath = await ReplaceTenantNameAsync(clientSettings.LogoutCallBackPath)
             };
 
-            await LoginAsync(openidConnectPkceSettings);
+            await LoginAsync(openidConnectPkceSettings, prompt: prompt);
         }
 
         public async Task TenantLogoutAsync()
diff --git a/src/FoxIDs.ControlClient/Logic/TrackSelectedLogic.cs b/src/FoxIDs.ControlClient/Logic/TrackSelectedLogic.cs
index 1cbe7ec4d..ee5cd4818 100644
--- a/src/FoxIDs.ControlClient/Logic/TrackSelectedLogic.cs
+++ b/src/FoxIDs.ControlClient/Logic/TrackSelectedLogic.cs
@@ -10,26 +10,25 @@ public class TrackSelectedLogic
 
         public bool IsTrackSelected => Track != null;
 
+        public event Func<Track, Task> OnTrackSelectedAsync;
+        public event Func<Task> OnSelectTrackAsync;
+
         public async Task TrackSelectedAsync(Track track)
         {
             Track = track;
-            if(OnTrackSelectedAsync != null)
+            if (OnTrackSelectedAsync != null)
             {
                 await OnTrackSelectedAsync(track);
             }
         }
 
-        public event Func<Track, Task> OnTrackSelectedAsync;
-
-        public async Task ShowSelectTrackAsync()
+        public async Task SelectTrackAsync()
         {
             Track = null;
-            if (OnShowSelectTrackAsync != null)
+            if (OnSelectTrackAsync != null)
             {
-                await OnShowSelectTrackAsync();
+                await OnSelectTrackAsync();
             }
         }
-
-        public event Func<Task> OnShowSelectTrackAsync;
     }
 }
diff --git a/src/FoxIDs.ControlClient/Logic/UserProfileLogic.cs b/src/FoxIDs.ControlClient/Logic/UserProfileLogic.cs
new file mode 100644
index 000000000..24c613873
--- /dev/null
+++ b/src/FoxIDs.ControlClient/Logic/UserProfileLogic.cs
@@ -0,0 +1,59 @@
+using FoxIDs.Client.Services;
+using FoxIDs.Infrastructure;
+using FoxIDs.Models.Api;
+using System.Threading.Tasks;
+
+namespace FoxIDs.Client.Logic
+{
+    public class UserProfileLogic
+    {
+        private UserControlProfile userControlProfile;
+        private readonly UserService userService;
+
+        public UserProfileLogic(UserService UserService)
+        {
+            userService = UserService;
+        }
+
+        public async Task<UserControlProfile> GetUserProfileAsync()
+        {
+            if (userControlProfile == null)
+            {
+                try
+                {
+                    userControlProfile = await userService.GetUserControlProfileAsync();
+                }
+                catch (FoxIDsApiException ex)
+                {
+                    if (ex.StatusCode != System.Net.HttpStatusCode.NotFound)
+                    {
+                        throw;
+                    }
+                }
+            }
+             
+            return userControlProfile;
+        }
+
+        public async Task UpdateTrackAsync(string trackName)
+        {
+            if (userControlProfile != null && userControlProfile.LastTrackName == trackName)
+            {
+                return;
+            }
+
+            if (userControlProfile == null)
+            {
+                userControlProfile = new UserControlProfile();
+            }
+
+            userControlProfile.LastTrackName = trackName;
+            await UpdateUserProfileAsync();
+        }
+
+        private async Task UpdateUserProfileAsync()
+        {
+            await userService.UpdateUserControlProfileAsync(userControlProfile);
+        }
+    }
+}
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/DownPartyOAuthTypes.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/DownPartyOAuthTypes.cs
new file mode 100644
index 000000000..6bf5d1c32
--- /dev/null
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/DownPartyOAuthTypes.cs
@@ -0,0 +1,9 @@
+namespace FoxIDs.Client.Models.ViewModels
+{
+    public enum DownPartyOAuthTypes
+    {
+        Client,
+        Resource,
+        ClientAndResource
+    }
+}
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOAuthDownPartyViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOAuthDownPartyViewModel.cs
index 10a5d0bf0..cf3a19460 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOAuthDownPartyViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOAuthDownPartyViewModel.cs
@@ -1,6 +1,7 @@
 using FoxIDs.Client.Shared.Components;
 using FoxIDs.Models.Api;
 using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
 
 namespace FoxIDs.Client.Models.ViewModels
 {
@@ -24,9 +25,8 @@ public GeneralOAuthDownPartyViewModel(DownParty downParty) : base(downParty)
 
         public OAuthSubPartyTypes SubPartyType { get; set; }
 
-        public bool EnableClientTab { get; set; }
-
-        public bool EnableResourceTab { get; set; } = true;
+        [Display(Name = "Down-party type")]
+        public DownPartyOAuthTypes DownPartyType { get; set; } = DownPartyOAuthTypes.Resource;
 
         public bool ShowClientTab { get; set; }
         public bool ShowResourceTab { get; set; } = true;
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOidcDownPartyViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOidcDownPartyViewModel.cs
index f0f56fbc1..0faffb3aa 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOidcDownPartyViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/GeneralOidcDownPartyViewModel.cs
@@ -1,6 +1,7 @@
 using FoxIDs.Client.Shared.Components;
 using FoxIDs.Models.Api;
 using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
 
 namespace FoxIDs.Client.Models.ViewModels
 {
@@ -22,9 +23,8 @@ public GeneralOidcDownPartyViewModel(DownParty downParty) : base(downParty)
 
         public string ClientCertificateFileStatus { get; set; } = DefaultClientCertificateFileStatus;
 
-        public bool EnableClientTab { get; set; } = true;
-
-        public bool EnableResourceTab { get; set; }
+        [Display(Name = "Down-party type")]
+        public DownPartyOAuthTypes DownPartyType { get; set; } = DownPartyOAuthTypes.Client;
 
         public bool ShowClientTab { get; set; } = true;
         public bool ShowResourceTab { get; set; }
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OAuthUpPartyViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OAuthUpPartyViewModel.cs
index 3ca14231a..b906927a1 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OAuthUpPartyViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OAuthUpPartyViewModel.cs
@@ -50,7 +50,7 @@ public class OAuthUpPartyViewModel : IOAuthClaimTransformViewModel, IValidatable
         public string SpIssuer { get; set; }
 
         [Display(Name = "Keys")]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         /// <summary>
         /// OIDC up client.
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpClientViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpClientViewModel.cs
index 888db48ef..57780dafa 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpClientViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpClientViewModel.cs
@@ -67,6 +67,7 @@ public class OidcUpClientViewModel : IClientAdditionalParameters, IValidatableOb
         [MaxLength(Constants.Models.SecretHash.SecretLength)]
         [Display(Name = "Client secret")]
         public string ClientSecret { get; set; }
+        public string ClientSecretLoaded { get; set; }
 
         [Display(Name = "Client certificate")]
         public KeyInfoViewModel PublicClientKeyInfo { get; set; }
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpPartyViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpPartyViewModel.cs
index 7a5b769a4..e4e8f784b 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpPartyViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/OidcUpPartyViewModel.cs
@@ -50,7 +50,7 @@ public class OidcUpPartyViewModel : IOAuthClaimTransformViewModel, IUpPartySessi
         public string SpIssuer { get; set; }
 
         [Display(Name = "Keys")]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         /// <summary>
         /// Default 10 hours.
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlDownPartyViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlDownPartyViewModel.cs
index b8a8d4222..280887f4e 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlDownPartyViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlDownPartyViewModel.cs
@@ -128,10 +128,10 @@ public class SamlDownPartyViewModel : IValidatableObject, IAllowUpPartyNames, ID
         [ValidateComplexType]
         [ListLength(Constants.Models.SamlParty.Down.KeysMin, Constants.Models.SamlParty.KeysMax)]
         [Display(Name = "Optional one or more signature validation certificates")]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         [Display(Name = "Optional encryption certificate")]
-        public JwtWithCertificateInfo EncryptionKey { get; set; }
+        public JwkWithCertificateInfo EncryptionKey { get; set; }
         
         [Display(Name = "Add logout response location URL in metadata")]
         public bool MetadataAddLogoutResponseLocation { get; set; }
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlUpPartyViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlUpPartyViewModel.cs
index a55329ecc..87d68aa1d 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlUpPartyViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Parties/SamlUpPartyViewModel.cs
@@ -105,7 +105,7 @@ public bool AutomaticUpdate
         [ValidateComplexType]
         [ListLength(0, Constants.Models.SamlParty.KeysMax)]
         [Display(Name = "One or more signature validation certificates")]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         [Display(Name = "Logout request binding")]
         public SamlBindingTypes LogoutRequestBinding { get; set; } = SamlBindingTypes.Post;
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/GeneralTrackCertificateViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/GeneralTrackCertificateViewModel.cs
index 3a84157c5..787acf597 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/GeneralTrackCertificateViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/GeneralTrackCertificateViewModel.cs
@@ -13,7 +13,7 @@ public GeneralTrackCertificateViewModel(bool isPrimary)
             IsPrimary = isPrimary;
         }
 
-        public GeneralTrackCertificateViewModel(JwtWithCertificateInfo key, bool isPrimary) : this(isPrimary)
+        public GeneralTrackCertificateViewModel(JwkWithCertificateInfo key, bool isPrimary) : this(isPrimary)
         {
             Subject = key.CertificateInfo.Subject;
             ValidFrom = key.CertificateInfo.ValidFrom;
diff --git a/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/KeyInfoViewModel.cs b/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/KeyInfoViewModel.cs
index 3e2fe6690..dd118adb6 100644
--- a/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/KeyInfoViewModel.cs
+++ b/src/FoxIDs.ControlClient/Models/ViewModels/Tracks/KeyInfoViewModel.cs
@@ -12,7 +12,7 @@ public class KeyInfoViewModel
         public bool IsValid { get; set; }
         public string Thumbprint { get; set; }
         public string KeyId { get; set; }
-        public JwtWithCertificateInfo Key { get; set; }
+        public JwkWithCertificateInfo Key { get; set; }
 
         [Display(Name = "Optional certificate password")]
         public string Password { get; set; }
diff --git a/src/FoxIDs.ControlClient/Pages/Certificates.cs b/src/FoxIDs.ControlClient/Pages/Certificates.cs
index 9dc2c604f..30d9a6c7a 100644
--- a/src/FoxIDs.ControlClient/Pages/Certificates.cs
+++ b/src/FoxIDs.ControlClient/Pages/Certificates.cs
@@ -195,9 +195,9 @@ private async Task OnCertificateFileSelectedAsync(GeneralTrackCertificateViewMod
                     }
 
                     var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(certificateBytes);
-                    var jwtWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate, Password = generalCertificate.Form.Model.Password });
+                    var jwkWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate, Password = generalCertificate.Form.Model.Password });
                     
-                    if (!jwtWithCertificateInfo.HasPrivateKey())
+                    if (!jwkWithCertificateInfo.HasPrivateKey())
                     {
                         generalCertificate.Form.Model.Subject = null;
                         generalCertificate.Form.Model.Key = null;
@@ -206,12 +206,12 @@ private async Task OnCertificateFileSelectedAsync(GeneralTrackCertificateViewMod
                         return;
                     }
 
-                    generalCertificate.Form.Model.Subject = jwtWithCertificateInfo.CertificateInfo.Subject;
-                    generalCertificate.Form.Model.ValidFrom = jwtWithCertificateInfo.CertificateInfo.ValidFrom;
-                    generalCertificate.Form.Model.ValidTo = jwtWithCertificateInfo.CertificateInfo.ValidTo;
-                    generalCertificate.Form.Model.IsValid = jwtWithCertificateInfo.CertificateInfo.IsValid();
-                    generalCertificate.Form.Model.Thumbprint = jwtWithCertificateInfo.CertificateInfo.Thumbprint;
-                    generalCertificate.Form.Model.Key = jwtWithCertificateInfo;
+                    generalCertificate.Form.Model.Subject = jwkWithCertificateInfo.CertificateInfo.Subject;
+                    generalCertificate.Form.Model.ValidFrom = jwkWithCertificateInfo.CertificateInfo.ValidFrom;
+                    generalCertificate.Form.Model.ValidTo = jwkWithCertificateInfo.CertificateInfo.ValidTo;
+                    generalCertificate.Form.Model.IsValid = jwkWithCertificateInfo.CertificateInfo.IsValid();
+                    generalCertificate.Form.Model.Thumbprint = jwkWithCertificateInfo.CertificateInfo.Thumbprint;
+                    generalCertificate.Form.Model.Key = jwkWithCertificateInfo;
 
                     generalCertificate.CertificateFileStatus = GeneralTrackCertificateViewModel.DefaultCertificateFileStatus;
                 }
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ELoginUpParty.razor b/src/FoxIDs.ControlClient/Pages/Components/ELoginUpParty.razor
index dbfb1bbfa..8c64e6ab7 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ELoginUpParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/ELoginUpParty.razor
@@ -9,7 +9,7 @@
         <div>
             Login
         </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => loginUpParty.ShowAdvanced = !loginUpParty.ShowAdvanced)">@(loginUpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="loginUpParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (loginUpParty.CreateMode)
@@ -23,7 +23,10 @@
         {
             <FFieldText @bind-Value="loginUpParty.Form.Model.Name" For="@(() => loginUpParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="loginUpParty.Form.Model.Note" For="@(() => loginUpParty.Form.Model.Note)" />
+        @if (loginUpParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="loginUpParty.Form.Model.Note" For="@(() => loginUpParty.Form.Model.Note)" />
+        }
 
         <ul class="nav nav-tabs">
             <li class="nav-item">
@@ -138,7 +141,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => loginUpParty.ShowAdvanced = !loginUpParty.ShowAdvanced)">@(loginUpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!loginUpParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => loginUpParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.cs b/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.cs
index df8e04ff1..98a0b1ff4 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.cs
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.cs
@@ -56,13 +56,24 @@ private OAuthDownPartyViewModel ToViewModel(GeneralOAuthDownPartyViewModel gener
         {
             return oauthDownParty.Map<OAuthDownPartyViewModel>(afterMap =>
             {
-                if (afterMap.Client == null)
+                if (afterMap.Client != null && afterMap.Resource != null)
                 {
-                    generalOAuthDownParty.EnableClientTab = false;
+                    generalOAuthDownParty.DownPartyType = DownPartyOAuthTypes.ClientAndResource;
                 }
                 else
                 {
-                    generalOAuthDownParty.EnableClientTab = true;
+                    if (afterMap.Client != null)
+                    {
+                        generalOAuthDownParty.DownPartyType = DownPartyOAuthTypes.Client;
+                    }
+                    else
+                    {
+                        generalOAuthDownParty.DownPartyType = DownPartyOAuthTypes.Resource;
+                    }
+                }
+
+                if (afterMap.Client != null)
+                {
                     afterMap.Client.ExistingSecrets = oauthDownSecrets.Select(s => new OAuthClientSecretViewModel { Name = s.Name, Info = s.Info }).ToList();
                     var defaultResourceScopeIndex = afterMap.Client.ResourceScopes.FindIndex(r => r.Resource.Equals(afterMap.Name, StringComparison.Ordinal));
                     if (defaultResourceScopeIndex > -1)
@@ -103,15 +114,6 @@ private OAuthDownPartyViewModel ToViewModel(GeneralOAuthDownPartyViewModel gener
                     }
                 }
 
-                if (afterMap.Resource == null)
-                {
-                    generalOAuthDownParty.EnableResourceTab = false;
-                }
-                else
-                {
-                    generalOAuthDownParty.EnableResourceTab = true;
-                }
-
                 if (afterMap.ClaimTransforms?.Count > 0)
                 {
                     afterMap.ClaimTransforms = afterMap.ClaimTransforms.MapClaimTransforms();
@@ -125,8 +127,7 @@ private void OAuthDownPartyViewModelAfterInit(GeneralOAuthDownPartyViewModel oau
             {
                 if (oauthDownParty.SubPartyType == OAuthSubPartyTypes.Resource)
                 {
-                    oauthDownParty.EnableClientTab = false;
-                    oauthDownParty.EnableResourceTab = true;
+                    oauthDownParty.DownPartyType = DownPartyOAuthTypes.Resource;
                     oauthDownParty.ShowClientTab = false;
                     oauthDownParty.ShowResourceTab = true;
 
@@ -134,28 +135,87 @@ private void OAuthDownPartyViewModelAfterInit(GeneralOAuthDownPartyViewModel oau
                 }
                 else if (oauthDownParty.SubPartyType == OAuthSubPartyTypes.ClientCredentialsGrant)
                 {
-                    oauthDownParty.EnableClientTab = true;
-                    oauthDownParty.EnableResourceTab = false;
+                    oauthDownParty.DownPartyType = DownPartyOAuthTypes.Client;
                     oauthDownParty.ShowClientTab = true;
                     oauthDownParty.ShowResourceTab = false;
 
-                    model.Client = new OAuthDownClientViewModel();
-
-                    model.Client.DefaultResourceScope = false;
-
-                    model.Client.RequirePkce = false;
-                    model.Client.Secrets = new List<string> { SecretGenerator.GenerateNewSecret() };
+                    model.Client = GetDefaultOAuthClientViewModel();
                 }
                 else
                 {
                     throw new NotSupportedException("OAuthSubPartyTypes not supported.");
                 }
             }
+            else
+            {
+                if (oauthDownParty.DownPartyType == DownPartyOAuthTypes.Resource)
+                {
+                    oauthDownParty.ShowClientTab = false;
+                    oauthDownParty.ShowResourceTab = true;
+                }
+                else
+                {
+                    oauthDownParty.ShowClientTab = true;
+                    oauthDownParty.ShowResourceTab = false;
+                }
+            }
         }
 
-        private void OnOAuthDownPartyClientTabChange(GeneralOAuthDownPartyViewModel oauthDownParty, bool enableTab) => oauthDownParty.Form.Model.Client = enableTab ? new OAuthDownClientViewModel() : null;
+        private OAuthDownClientViewModel GetDefaultOAuthClientViewModel()
+        {
+            var client = new OAuthDownClientViewModel();
+            client.DefaultResourceScope = false;
+            client.RequirePkce = false;
+            client.Secrets = new List<string> { SecretGenerator.GenerateNewSecret() };
+            return client;
+        }
 
-        private void OnOAuthDownPartyResourceTabChange(GeneralOAuthDownPartyViewModel oauthDownParty, bool enableTab) => oauthDownParty.Form.Model.Resource = enableTab ? new OAuthDownResource() : null;
+        private void OnOAuthDownPartyTypeChange(GeneralOAuthDownPartyViewModel oauthDownParty, DownPartyOAuthTypes downPartyType)
+        {
+            if (downPartyType == DownPartyOAuthTypes.Client)
+            {
+                if (oauthDownParty.Form.Model.Client == null)
+                {
+                    oauthDownParty.Form.Model.Client = GetDefaultOAuthClientViewModel();
+                }
+                if (oauthDownParty.Form.Model.Resource != null)
+                {
+                    oauthDownParty.Form.Model.Resource = null;
+                }
+                if (oauthDownParty.ShowResourceTab)
+                {
+                    oauthDownParty.ShowClientTab = true;
+                    oauthDownParty.ShowResourceTab = false;
+                }
+            }
+            else if (downPartyType == DownPartyOAuthTypes.Resource)
+            {
+                if (oauthDownParty.Form.Model.Client != null)
+                {
+                    oauthDownParty.Form.Model.Client = null;
+                }
+                if (oauthDownParty.Form.Model.Resource == null)
+                {
+                    oauthDownParty.Form.Model.Resource = new OAuthDownResource();
+                }
+                if (oauthDownParty.ShowClientTab)
+                {
+                    oauthDownParty.ShowClientTab = false;
+                    oauthDownParty.ShowResourceTab = true;
+                }
+            }
+            else if (downPartyType == DownPartyOAuthTypes.ClientAndResource)
+            {
+                if (oauthDownParty.Form.Model.Client == null)
+                {
+                    oauthDownParty.Form.Model.Client = GetDefaultOAuthClientViewModel();
+                }
+                if (oauthDownParty.Form.Model.Resource == null)
+                {
+                    oauthDownParty.Form.Model.Resource = new OAuthDownResource();
+                }
+            }
+        }
 
         private void AddOAuthScope(MouseEventArgs e, List<OAuthDownScopeViewModel> scopesViewModel)
         {
@@ -299,7 +359,7 @@ private async Task OnClientCertificateFileSelectedAsync(GeneralOAuthDownPartyVie
         {
             if (generalOAuthDownParty.Form.Model.Client.ClientKeys == null)
             {
-                generalOAuthDownParty.Form.Model.Client.ClientKeys = new List<JwtWithCertificateInfo>();
+                generalOAuthDownParty.Form.Model.Client.ClientKeys = new List<JwkWithCertificateInfo>();
             }
             generalOAuthDownParty.Form.ClearFieldError(nameof(generalOAuthDownParty.Form.Model.Client.ClientKeys));
             foreach (var file in files)
@@ -319,9 +379,9 @@ private async Task OnClientCertificateFileSelectedAsync(GeneralOAuthDownPartyVie
                     try
                     {
                         var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(memoryStream.ToArray());
-                        var jwtWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
+                        var jwkWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
 
-                        if (generalOAuthDownParty.Form.Model.Client.ClientKeys.Any(k => k.X5t.Equals(jwtWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
+                        if (generalOAuthDownParty.Form.Model.Client.ClientKeys.Any(k => k.X5t.Equals(jwkWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
                         {
                             generalOAuthDownParty.Form.SetFieldError(nameof(generalOAuthDownParty.Form.Model.Client.ClientKeys), "Client certificates has duplicates.");
                             return;
@@ -329,14 +389,14 @@ private async Task OnClientCertificateFileSelectedAsync(GeneralOAuthDownPartyVie
 
                         generalOAuthDownParty.ClientKeyInfoList.Add(new KeyInfoViewModel
                         {
-                            Subject = jwtWithCertificateInfo.CertificateInfo.Subject,
-                            ValidFrom = jwtWithCertificateInfo.CertificateInfo.ValidFrom,
-                            ValidTo = jwtWithCertificateInfo.CertificateInfo.ValidTo,
-                            IsValid = jwtWithCertificateInfo.CertificateInfo.IsValid(),
-                            Thumbprint = jwtWithCertificateInfo.CertificateInfo.Thumbprint,
-                            Key = jwtWithCertificateInfo
+                            Subject = jwkWithCertificateInfo.CertificateInfo.Subject,
+                            ValidFrom = jwkWithCertificateInfo.CertificateInfo.ValidFrom,
+                            ValidTo = jwkWithCertificateInfo.CertificateInfo.ValidTo,
+                            IsValid = jwkWithCertificateInfo.CertificateInfo.IsValid(),
+                            Thumbprint = jwkWithCertificateInfo.CertificateInfo.Thumbprint,
+                            Key = jwkWithCertificateInfo
                         });
-                        generalOAuthDownParty.Form.Model.Client.ClientKeys.Add(jwtWithCertificateInfo);
+                        generalOAuthDownParty.Form.Model.Client.ClientKeys.Add(jwkWithCertificateInfo);
                     }
                     catch (Exception ex)
                     {
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.razor b/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.razor
index 08de00994..37fdb1c88 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOAuthDownParty.razor
@@ -9,15 +9,7 @@
         <div>
             OAuth 2.0
         </div>
-        <div class="header-input-group">
-            <div class="input-toggle">
-                <FInputToggle @bind-Value="oauthDownParty.EnableClientTab" OnValidChange="@(v => OnOAuthDownPartyClientTabChange(oauthDownParty, v))" TextType="Client&nbsp;on,Client&nbsp;off" TextWidth="110px" IncludeActiveFormGroup="false" IncludeLabelAndValidationMessage="false" />
-            </div>
-            <div class="input-toggle">
-                <FInputToggle @bind-Value="oauthDownParty.EnableResourceTab" OnValidChange="@(v => OnOAuthDownPartyResourceTabChange(oauthDownParty, v))" TextType="Resource&nbsp;on,Resource&nbsp;off" TextWidth="120px" IncludeActiveFormGroup="false" IncludeLabelAndValidationMessage="false" />
-            </div>
-        </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="DownParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (oauthDownParty.CreateMode)
@@ -28,10 +20,13 @@
         {
             <FFieldText @bind-Value="oauthDownParty.Form.Model.Name" For="@(() => oauthDownParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="oauthDownParty.Form.Model.Note" For="@(() => oauthDownParty.Form.Model.Note)" />
+        @if (DownParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="oauthDownParty.Form.Model.Note" For="@(() => oauthDownParty.Form.Model.Note)" />
+        }
 
         <div class="mb-3 alert alert-info" role="alert">
-            @if (oauthDownParty.EnableClientTab || (!oauthDownParty.EnableClientTab && !oauthDownParty.EnableResourceTab))
+            @if (oauthDownParty.DownPartyType == DownPartyOAuthTypes.Client || oauthDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource)
             {
                 (var clientAuthority, var clientOidcDiscovery) = GetAuthorityAndOIDCDiscovery(oauthDownParty.Form.Model.Name, true, oauthDownParty.Form.Model.PartyBindingPattern);
                 <div>Client Authority and OIDC Discovery<br /><i>You can selecting all up-parties with '*'. Or you can alternatively select a up-party by name e.g., 'login' or up to 4 up-party divided by comma e.g., 'login,xx,yy,xx'.</i></div>                 
@@ -39,12 +34,12 @@
                 <div>OIDC Discovery: <FTextLinkClipboard Text="@clientOidcDiscovery" /></div>
             }
             
-            @if (oauthDownParty.EnableClientTab && oauthDownParty.EnableResourceTab)
+            @if (oauthDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource)
             {
                 <hr />
             }
 
-            @if (oauthDownParty.EnableResourceTab)
+            @if (oauthDownParty.DownPartyType == DownPartyOAuthTypes.Resource || oauthDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource)
             {
                 (var resourceAuthority, var resourceOidcDiscovery) = GetAuthorityAndOIDCDiscovery(oauthDownParty.Form.Model.Name, false);
                 <div>Resource Authority and OIDC Discovery</div>
@@ -60,12 +55,18 @@
                 <option value="@PartyBindingPatterns.Tildes">Tildes pattern .../down-party~up-party~/...</option>
                 <option value="@PartyBindingPatterns.Dot">Dot pattern .../down-party.up-party./...</option>
             </FInputSelect>
+
+            <FInputSelect TValue="DownPartyOAuthTypes" @bind-Value="oauthDownParty.DownPartyType" For="@(() => oauthDownParty.DownPartyType)" OnValidChange="@((type) => OnOAuthDownPartyTypeChange(oauthDownParty, type))">
+                <option value="@DownPartyOAuthTypes.Client">OAuth 2.0 Client</option>
+                <option value="@DownPartyOAuthTypes.Resource">OAuth 2.0 Resource</option>
+                <option value="@DownPartyOAuthTypes.ClientAndResource">OAuth 2.0 Client and Resource</option>
+            </FInputSelect>
         }
 
         <ul class="nav nav-tabs">
-            <li class="nav-item">
-                @if (oauthDownParty.EnableClientTab)
-                {
+            @if (oauthDownParty.DownPartyType != DownPartyOAuthTypes.Resource)
+            {
+                <li class="nav-item">
                     @if (oauthDownParty.ShowClientTab)
                     {
                         <a class="nav-link active">OAuth 2.0 Client</a>
@@ -74,11 +75,11 @@
                     {
                         <button type="button" class="btn btn-link nav-link" @onclick="@(() => ShowOAuthTab(oauthDownParty, OAuthTabTypes.Client))">OAuth 2.0 Client</button>
                     }
-                }
-            </li>
-            <li class="nav-item">
-                @if (oauthDownParty.EnableResourceTab)
-                {
+                </li>
+            }
+            @if (oauthDownParty.DownPartyType != DownPartyOAuthTypes.Client)
+            {
+                <li class="nav-item">
                     @if (oauthDownParty.ShowResourceTab)
                     {
                         <a class="nav-link active">OAuth 2.0 Resource</a>
@@ -87,8 +88,8 @@
                     {
                         <button type="button" class="btn btn-link nav-link" @onclick="@(() => ShowOAuthTab(oauthDownParty, OAuthTabTypes.Resource))">OAuth 2.0 Resource</button>
                     }
-                }
-            </li>
+                </li>
+            }
             <li class="nav-item">
                 @if (oauthDownParty.ShowClaimTransformTab)
                 {
@@ -104,18 +105,7 @@
         <div class="tab-content pt-3">
             @if (oauthDownParty.ShowClientTab)
             {
-                @if (!oauthDownParty.EnableClientTab)
-                {
-                    @if (oauthDownParty.EnableResourceTab)
-                    {
-                        oauthDownParty.ShowClientTab = false;
-                        StateHasChanged();
-                    }
-                    else
-                    {
-                        <i>Inactive</i>
-                    }
-                }
+                <ValidationMessage For="@(() => oauthDownParty.Form.Model.Client)" />
                 @if (oauthDownParty.Form.Model.Client != null)
                 {
                     <div class="mb-3 alert alert-info" role="alert">
@@ -319,18 +309,7 @@
             }
             else if (oauthDownParty.ShowResourceTab)
             {
-                @if (!oauthDownParty.EnableResourceTab)
-                {
-                    @if (oauthDownParty.EnableClientTab)
-                    {
-                        oauthDownParty.ShowClientTab = true;
-                        StateHasChanged();
-                    }
-                    else
-                    {
-                        <i>Inactive</i>
-                    }
-                }
+                <ValidationMessage For="@(() => oauthDownParty.Form.Model.Resource)" />
                 @if (oauthDownParty.Form.Model.Resource != null)
                 {
                     <FInputTextList @bind-ValueList="oauthDownParty.Form.Model.Resource.Scopes" For="@(() => oauthDownParty.Form.Model.Resource.Scopes)" />
@@ -361,7 +340,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!DownParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => DownParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOAuthUpParty.razor b/src/FoxIDs.ControlClient/Pages/Components/EOAuthUpParty.razor
index 8d02f2ecb..3a89f7a3d 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOAuthUpParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOAuthUpParty.razor
@@ -9,7 +9,7 @@
         <div>
             OAuth 2.0
         </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => UpParty.ShowAdvanced = !UpParty.ShowAdvanced)">@(UpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="UpParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (oauthUpParty.Form.Model.IsManual)
@@ -27,7 +27,10 @@
         {
             <FFieldText @bind-Value="oauthUpParty.Form.Model.Name" For="@(() => oauthUpParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="oauthUpParty.Form.Model.Note" For="@(() => oauthUpParty.Form.Model.Note)" />
+        @if (oauthUpParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="oauthUpParty.Form.Model.Note" For="@(() => oauthUpParty.Form.Model.Note)" />
+        }
 
         <FInputText @bind-Value="oauthUpParty.Form.Model.Authority" For="@(() => oauthUpParty.Form.Model.Authority)" Focus="@(oauthUpParty.CreateMode ? false : true)" />
 
@@ -162,7 +165,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => UpParty.ShowAdvanced = !UpParty.ShowAdvanced)">@(UpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!UpParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => UpParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.cs b/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.cs
index d862b6a21..b7bd9f505 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.cs
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.cs
@@ -58,11 +58,10 @@ private OidcDownPartyViewModel ToViewModel(GeneralOidcDownPartyViewModel general
             {
                 if (afterMap.Client == null)
                 {
-                    generalOidcDownParty.EnableClientTab = false;
+                    afterMap.Client = new OidcDownClientViewModel();
                 }
                 else
                 {
-                    generalOidcDownParty.EnableClientTab = true;
                     afterMap.Client.ExistingSecrets = oidcDownSecrets.Select(s => new OAuthClientSecretViewModel { Name = s.Name, Info = s.Info }).ToList();
                     var defaultResourceScopeIndex = afterMap.Client.ResourceScopes.FindIndex(r => r.Resource.Equals(afterMap.Name, StringComparison.Ordinal));
                     if (defaultResourceScopeIndex > -1)
@@ -103,13 +102,9 @@ private OidcDownPartyViewModel ToViewModel(GeneralOidcDownPartyViewModel general
                     }
                 }
 
-                if (afterMap.Resource == null)
+                if (afterMap.Resource != null)
                 {
-                    generalOidcDownParty.EnableResourceTab = false;
-                }
-                else
-                {
-                    generalOidcDownParty.EnableResourceTab = true;
+                    generalOidcDownParty.DownPartyType = DownPartyOAuthTypes.ClientAndResource;
                 }
 
                 if (afterMap.ClaimTransforms?.Count > 0)
@@ -123,8 +118,8 @@ private void OidcDownPartyViewModelAfterInit(GeneralOidcDownPartyViewModel oidcD
         {
             if (oidcDownParty.CreateMode)
             {
-                model.Client = oidcDownParty.EnableClientTab ? new OidcDownClientViewModel() : null;
-                model.Resource = oidcDownParty.EnableResourceTab ? new OAuthDownResource() : null;
+                model.Client = new OidcDownClientViewModel();
+                model.Resource = oidcDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource ? new OAuthDownResource() : null;
 
                 if (model.Client != null)
                 {
@@ -132,10 +127,10 @@ private void OidcDownPartyViewModelAfterInit(GeneralOidcDownPartyViewModel oidcD
 
                     model.Client.Secrets = new List<string> { SecretGenerator.GenerateNewSecret() };
 
-                    model.Client.ScopesViewModel.Add(new OidcDownScopeViewModel { Scope = IdentityConstants.DefaultOidcScopes.OfflineAccess });
+                    model.Client.ScopesViewModel.Add(new OidcDownScopeViewModel { Scope = DefaultOidcScopes.OfflineAccess });
                     model.Client.ScopesViewModel.Add(new OidcDownScopeViewModel
                     {
-                        Scope = IdentityConstants.DefaultOidcScopes.Profile,
+                        Scope = DefaultOidcScopes.Profile,
                         VoluntaryClaims = new List<OidcDownClaim>
                         {
                             new OidcDownClaim { Claim = JwtClaimTypes.Name, InIdToken = true }, new OidcDownClaim { Claim = JwtClaimTypes.GivenName, InIdToken = true }, new OidcDownClaim { Claim = JwtClaimTypes.MiddleName, InIdToken = true }, new OidcDownClaim { Claim = JwtClaimTypes.FamilyName, InIdToken = true },
@@ -153,9 +148,28 @@ private void OidcDownPartyViewModelAfterInit(GeneralOidcDownPartyViewModel oidcD
             }
         }
 
-        private void OnOidcDownPartyClientTabChange(GeneralOidcDownPartyViewModel oidcDownParty, bool enableTab) => oidcDownParty.Form.Model.Client = enableTab ? new OidcDownClientViewModel() : null;
-
-        private void OnOidcDownPartyResourceTabChange(GeneralOidcDownPartyViewModel oidcDownParty, bool enableTab) => oidcDownParty.Form.Model.Resource = enableTab ? new OAuthDownResource() : null;
+        private void OnOidcDownPartyTypeChange(GeneralOidcDownPartyViewModel oidcDownParty, DownPartyOAuthTypes downPartyType)
+        {
+            if (downPartyType == DownPartyOAuthTypes.Client)
+            {
+                if (oidcDownParty.Form.Model.Resource != null)
+                {
+                    oidcDownParty.Form.Model.Resource = null;
+                }
+                if (oidcDownParty.ShowResourceTab)
+                {
+                    oidcDownParty.ShowClientTab = true;
+                    oidcDownParty.ShowResourceTab = false;
+                }
+            }
+            else if (downPartyType == DownPartyOAuthTypes.ClientAndResource)
+            {
+                if (oidcDownParty.Form.Model.Resource == null)
+                {
+                    oidcDownParty.Form.Model.Resource = new OAuthDownResource();
+                }
+            }
+        }
 
         private void AddOidcScope(MouseEventArgs e, List<OidcDownScopeViewModel> scopesViewModel)
         {
@@ -299,7 +313,7 @@ private async Task OnClientCertificateFileSelectedAsync(GeneralOidcDownPartyView
         {
             if (generalOidcDownParty.Form.Model.Client.ClientKeys == null)
             {
-                generalOidcDownParty.Form.Model.Client.ClientKeys = new List<JwtWithCertificateInfo>();
+                generalOidcDownParty.Form.Model.Client.ClientKeys = new List<JwkWithCertificateInfo>();
             }
             generalOidcDownParty.Form.ClearFieldError(nameof(generalOidcDownParty.Form.Model.Client.ClientKeys));
             foreach (var file in files)
@@ -319,9 +333,9 @@ private async Task OnClientCertificateFileSelectedAsync(GeneralOidcDownPartyView
                     try
                     {
                         var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(memoryStream.ToArray());
-                        var jwtWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
+                        var jwkWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
 
-                        if (generalOidcDownParty.Form.Model.Client.ClientKeys.Any(k => k.X5t.Equals(jwtWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
+                        if (generalOidcDownParty.Form.Model.Client.ClientKeys.Any(k => k.X5t.Equals(jwkWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
                         {
                             generalOidcDownParty.Form.SetFieldError(nameof(generalOidcDownParty.Form.Model.Client.ClientKeys), "Client certificates has duplicates.");
                             return;
@@ -329,14 +343,14 @@ private async Task OnClientCertificateFileSelectedAsync(GeneralOidcDownPartyView
 
                         generalOidcDownParty.ClientKeyInfoList.Add(new KeyInfoViewModel
                         {
-                            Subject = jwtWithCertificateInfo.CertificateInfo.Subject,
-                            ValidFrom = jwtWithCertificateInfo.CertificateInfo.ValidFrom,
-                            ValidTo = jwtWithCertificateInfo.CertificateInfo.ValidTo,
-                            IsValid = jwtWithCertificateInfo.CertificateInfo.IsValid(),
-                            Thumbprint = jwtWithCertificateInfo.CertificateInfo.Thumbprint,
-                            Key = jwtWithCertificateInfo
+                            Subject = jwkWithCertificateInfo.CertificateInfo.Subject,
+                            ValidFrom = jwkWithCertificateInfo.CertificateInfo.ValidFrom,
+                            ValidTo = jwkWithCertificateInfo.CertificateInfo.ValidTo,
+                            IsValid = jwkWithCertificateInfo.CertificateInfo.IsValid(),
+                            Thumbprint = jwkWithCertificateInfo.CertificateInfo.Thumbprint,
+                            Key = jwkWithCertificateInfo
                         });
-                        generalOidcDownParty.Form.Model.Client.ClientKeys.Add(jwtWithCertificateInfo);
+                        generalOidcDownParty.Form.Model.Client.ClientKeys.Add(jwkWithCertificateInfo);
                     }
                     catch (Exception ex)
                     {
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.razor b/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.razor
index e81686d27..60f3ddeca 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOidcDownParty.razor
@@ -9,15 +9,7 @@
         <div>
             OpenID Connect
         </div>
-        <div class="header-input-group">
-            <div class="input-toggle">
-                <FInputToggle @bind-Value="oidcDownParty.EnableClientTab" OnValidChange="@(v => OnOidcDownPartyClientTabChange(oidcDownParty, v))" TextType="Client&nbsp;on,Client&nbsp;off" TextWidth="110px" IncludeActiveFormGroup="false" IncludeLabelAndValidationMessage="false" />
-            </div>
-            <div class="input-toggle">
-                <FInputToggle @bind-Value="oidcDownParty.EnableResourceTab" OnValidChange="@(v => OnOidcDownPartyResourceTabChange(oidcDownParty, v))" TextType="Resource&nbsp;on,Resource&nbsp;off" TextWidth="120px" IncludeActiveFormGroup="false" IncludeLabelAndValidationMessage="false" />
-            </div>
-        </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="DownParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (oidcDownParty.CreateMode)
@@ -28,10 +20,13 @@
         {
             <FFieldText @bind-Value="oidcDownParty.Form.Model.Name" For="@(() => oidcDownParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="oidcDownParty.Form.Model.Note" For="@(() => oidcDownParty.Form.Model.Note)" />
+        @if (oidcDownParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="oidcDownParty.Form.Model.Note" For="@(() => oidcDownParty.Form.Model.Note)" />
+        }
 
         <div class="mb-3 alert alert-info" role="alert">
-            @if (oidcDownParty.EnableClientTab || (!oidcDownParty.EnableClientTab && !oidcDownParty.EnableResourceTab))
+            @if (oidcDownParty.DownPartyType == DownPartyOAuthTypes.Client || oidcDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource)
             {
                 (var clientAuthority, var clientOidcDiscovery) = GetAuthorityAndOIDCDiscovery(oidcDownParty.Form.Model.Name, true, oidcDownParty.Form.Model.PartyBindingPattern);
                 <div>Client Authority and OIDC Discovery<br /><i>Example for a up-party with the name 'login' as the target.</i></div>                 
@@ -39,12 +34,12 @@
                 <div>OIDC Discovery: <FTextLinkClipboard Text="@clientOidcDiscovery" /></div>
             }
 
-            @if (oidcDownParty.EnableClientTab && oidcDownParty.EnableResourceTab)
+            @if (oidcDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource)
             {
                 <hr />
             }
 
-            @if (oidcDownParty.EnableResourceTab)
+            @if (oidcDownParty.DownPartyType == DownPartyOAuthTypes.ClientAndResource)
             {
                 (var resourceAuthority, var resourceOidcDiscovery) = GetAuthorityAndOIDCDiscovery(oidcDownParty.Form.Model.Name, false);
                 <div>Resource Authority and OIDC Discovery</div>
@@ -60,25 +55,27 @@
                 <option value="@PartyBindingPatterns.Tildes">Tildes pattern .../down-party~up-party~/...</option>
                 <option value="@PartyBindingPatterns.Dot">Dot pattern .../down-party.up-party./...</option>
             </FInputSelect>
+
+            <FInputSelect TValue="DownPartyOAuthTypes" @bind-Value="oidcDownParty.DownPartyType" For="@(() => oidcDownParty.DownPartyType)" OnValidChange="@((type) => OnOidcDownPartyTypeChange(oidcDownParty, type))">
+                <option value="@DownPartyOAuthTypes.Client">OpenID Connect Client</option>
+                <option value="@DownPartyOAuthTypes.ClientAndResource">OpenID Connect Client and OAuth 2.0 Resource</option>
+            </FInputSelect>
         }
 
         <ul class="nav nav-tabs">
             <li class="nav-item">
-                @if (oidcDownParty.EnableClientTab)
+                @if (oidcDownParty.ShowClientTab)
                 {
-                    @if (oidcDownParty.ShowClientTab)
-                    {
-                        <a class="nav-link active">OpenID Connect Client</a>
-                    }
-                    else
-                    {
-                        <button type="button" class="btn btn-link nav-link" @onclick="@(() => ShowOAuthTab(oidcDownParty, OAuthTabTypes.Client))">OpenID Connect Client</button>
-                    }
+                    <a class="nav-link active">OpenID Connect Client</a>
                 }
-            </li>
-            <li class="nav-item">
-                @if (oidcDownParty.EnableResourceTab)
+                else
                 {
+                    <button type="button" class="btn btn-link nav-link" @onclick="@(() => ShowOAuthTab(oidcDownParty, OAuthTabTypes.Client))">OpenID Connect Client</button>
+                }
+            </li>
+            @if (oidcDownParty.DownPartyType != DownPartyOAuthTypes.Client)
+            {
+                <li class="nav-item">
                     @if (oidcDownParty.ShowResourceTab)
                     {
                         <a class="nav-link active">OAuth 2.0 Resource</a>
@@ -87,8 +84,8 @@
                     {
                         <button type="button" class="btn btn-link nav-link" @onclick="@(() => ShowOAuthTab(oidcDownParty, OAuthTabTypes.Resource))">OAuth 2.0 Resource</button>
                     }
-                }
-            </li>
+                </li>
+            }
             <li class="nav-item">
                 @if (oidcDownParty.ShowClaimTransformTab)
                 {
@@ -105,18 +102,6 @@
             @if (oidcDownParty.ShowClientTab)
             {
                 <ValidationMessage For="@(() => oidcDownParty.Form.Model.Client)" />
-                @if (!oidcDownParty.EnableClientTab)
-                {
-                    @if (oidcDownParty.EnableResourceTab)
-                    {
-                        oidcDownParty.ShowClientTab = false;
-                        StateHasChanged();
-                    }
-                    else
-                    {
-                        <i>Inactive</i>
-                    }
-                }
                 @if (oidcDownParty.Form.Model.Client != null)
                 {
                     <SelectUpParty @ref="oidcDownParty.SelectAllowUpPartyName" EditDownPartyForm="oidcDownParty.Form" TModel="OidcDownPartyViewModel" OnAddUpPartyName="AddAllowUpPartyName" OnRemoveUpPartyName="RemoveAllowUpPartyName" />
@@ -360,18 +345,6 @@
             else if (oidcDownParty.ShowResourceTab)
             {
                 <ValidationMessage For="@(() => oidcDownParty.Form.Model.Resource)" />
-                @if (!oidcDownParty.EnableResourceTab)
-                {
-                    @if (oidcDownParty.EnableClientTab)
-                    {
-                        oidcDownParty.ShowClientTab = true;
-                        StateHasChanged();
-                    }
-                    else
-                    {
-                        <i>Inactive</i>
-                    }
-                }
                 @if (oidcDownParty.Form.Model.Resource != null)
                 {
                     <FInputTextList @bind-ValueList="oidcDownParty.Form.Model.Resource.Scopes" For="@(() => oidcDownParty.Form.Model.Resource.Scopes)" />
@@ -402,7 +375,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!DownParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => DownParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs b/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs
index 02acb2a5b..84ea9a0c6 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs
@@ -82,6 +82,11 @@ private OidcUpPartyViewModel ToViewModel(GeneralOidcUpPartyViewModel generalOidc
                 {
                     afterMap.Client.Party = afterMap;
 
+                    if (afterMap.Client.ClientSecret != null)
+                    {
+                        afterMap.Client.ClientSecret = afterMap.Client.ClientSecretLoaded = afterMap.Client.ClientSecret.Length == 3 ? $"{afterMap.Client.ClientSecret}..." : afterMap.Client.ClientSecret;
+                    }
+
                     afterMap.Client.EnableFrontChannelLogout = !oidcUpParty.Client.DisableFrontChannelLogout;
 
                     if (clientKeyResponse?.PrimaryKey?.PublicKey != null)
@@ -187,6 +192,21 @@ private async Task OnEditOidcUpPartyValidSubmitAsync(GeneralOidcUpPartyViewModel
                 }
                 else
                 {
+                    if (oidcUpParty.Client != null)
+                    {
+                        if (oidcUpParty.Client.ClientSecret != generalOidcUpParty.Form.Model.Client.ClientSecretLoaded)
+                        {
+                            if (string.IsNullOrWhiteSpace(oidcUpParty.Client.ClientSecret))
+                            {
+                                await UpPartyService.DeleteOidcClientSecretUpPartyAsync(UpParty.Name);
+                            }
+                            else
+                            {
+                                await UpPartyService.UpdateOidcClientSecretUpPartyAsync(new OAuthClientSecretSingleRequest { PartyName = UpParty.Name, Secret = oidcUpParty.Client.ClientSecret });
+                            }
+                        }
+                        oidcUpParty.Client.ClientSecret = null;
+                    }
                     var oidcUpPartyResult = await UpPartyService.UpdateOidcUpPartyAsync(oidcUpParty);
                     var clientKeyResponse = await UpPartyService.GetOidcClientKeyUpPartyAsync(UpParty.Name);
                     generalOidcUpParty.Form.UpdateModel(ToViewModel(generalOidcUpParty, oidcUpPartyResult, clientKeyResponse));
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.razor b/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.razor
index a062f180f..0d83f328d 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.razor
@@ -9,7 +9,7 @@
         <div>
             OpenID Connect
         </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => UpParty.ShowAdvanced = !UpParty.ShowAdvanced)">@(UpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="UpParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (oidcUpParty.Form.Model.IsManual)
@@ -27,7 +27,10 @@
         {
             <FFieldText @bind-Value="oidcUpParty.Form.Model.Name" For="@(() => oidcUpParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="oidcUpParty.Form.Model.Note" For="@(() => oidcUpParty.Form.Model.Note)" />
+        @if (oidcUpParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="oidcUpParty.Form.Model.Note" For="@(() => oidcUpParty.Form.Model.Note)" />
+        }
 
         @if (!oidcUpParty.Form.Model.DisableUserAuthenticationTrust)
         {
@@ -334,7 +337,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => UpParty.ShowAdvanced = !UpParty.ShowAdvanced)">@(UpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!UpParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => UpParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.cs b/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.cs
index 4e95b23f3..e8788b2f5 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.cs
+++ b/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.cs
@@ -122,17 +122,17 @@ private async Task OnSamlDownPartyEncryptionCertificateFileSelectedAsync(General
                     try
                     {
                         var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(memoryStream.ToArray());
-                        var jwtWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
+                        var jwkWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
 
                         generalSamlDownParty.EncryptionKeyInfo = new KeyInfoViewModel
                         {
-                            Subject = jwtWithCertificateInfo.CertificateInfo.Subject,
-                            ValidFrom = jwtWithCertificateInfo.CertificateInfo.ValidFrom,
-                            ValidTo = jwtWithCertificateInfo.CertificateInfo.ValidTo,
-                            Thumbprint = jwtWithCertificateInfo.CertificateInfo.Thumbprint,
-                            Key = jwtWithCertificateInfo
+                            Subject = jwkWithCertificateInfo.CertificateInfo.Subject,
+                            ValidFrom = jwkWithCertificateInfo.CertificateInfo.ValidFrom,
+                            ValidTo = jwkWithCertificateInfo.CertificateInfo.ValidTo,
+                            Thumbprint = jwkWithCertificateInfo.CertificateInfo.Thumbprint,
+                            Key = jwkWithCertificateInfo
                         };
-                        generalSamlDownParty.Form.Model.EncryptionKey = jwtWithCertificateInfo;
+                        generalSamlDownParty.Form.Model.EncryptionKey = jwkWithCertificateInfo;
                     }
                     catch (Exception ex)
                     {
@@ -156,7 +156,7 @@ private async Task OnSamlDownPartyCertificateFileSelectedAsync(GeneralSamlDownPa
         {
             if (generalSamlDownParty.Form.Model.Keys == null)
             {
-                generalSamlDownParty.Form.Model.Keys = new List<JwtWithCertificateInfo>();
+                generalSamlDownParty.Form.Model.Keys = new List<JwkWithCertificateInfo>();
             }
             generalSamlDownParty.Form.ClearFieldError(nameof(generalSamlDownParty.Form.Model.Keys));
             foreach (var file in files)
@@ -176,9 +176,9 @@ private async Task OnSamlDownPartyCertificateFileSelectedAsync(GeneralSamlDownPa
                     try
                     {
                         var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(memoryStream.ToArray());
-                        var jwtWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
+                        var jwkWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
 
-                        if (generalSamlDownParty.Form.Model.Keys.Any(k => k.X5t.Equals(jwtWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
+                        if (generalSamlDownParty.Form.Model.Keys.Any(k => k.X5t.Equals(jwkWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
                         {
                             generalSamlDownParty.Form.SetFieldError(nameof(generalSamlDownParty.Form.Model.Keys), "Signature validation keys (certificates) has duplicates.");
                             return;
@@ -186,13 +186,13 @@ private async Task OnSamlDownPartyCertificateFileSelectedAsync(GeneralSamlDownPa
 
                         generalSamlDownParty.KeyInfoList.Add(new KeyInfoViewModel
                         {
-                            Subject = jwtWithCertificateInfo.CertificateInfo.Subject,
-                            ValidFrom = jwtWithCertificateInfo.CertificateInfo.ValidFrom,
-                            ValidTo = jwtWithCertificateInfo.CertificateInfo.ValidTo,
-                            Thumbprint = jwtWithCertificateInfo.CertificateInfo.Thumbprint,
-                            Key = jwtWithCertificateInfo
+                            Subject = jwkWithCertificateInfo.CertificateInfo.Subject,
+                            ValidFrom = jwkWithCertificateInfo.CertificateInfo.ValidFrom,
+                            ValidTo = jwkWithCertificateInfo.CertificateInfo.ValidTo,
+                            Thumbprint = jwkWithCertificateInfo.CertificateInfo.Thumbprint,
+                            Key = jwkWithCertificateInfo
                         });
-                        generalSamlDownParty.Form.Model.Keys.Add(jwtWithCertificateInfo);
+                        generalSamlDownParty.Form.Model.Keys.Add(jwkWithCertificateInfo);
                     }
                     catch (Exception ex)
                     {
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.razor b/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.razor
index 32e04c72e..7737ef605 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/ESamlDownParty.razor
@@ -10,7 +10,7 @@
         <div>
             SAML 2.0
         </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="DownParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (samlDownParty.CreateMode)
@@ -21,7 +21,10 @@
         {
             <FFieldText @bind-Value="samlDownParty.Form.Model.Name" For="@(() => samlDownParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="samlDownParty.Form.Model.Note" For="@(() => samlDownParty.Form.Model.Note)" />
+        @if (samlDownParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="samlDownParty.Form.Model.Note" For="@(() => samlDownParty.Form.Model.Note)" />
+        }
 
         <div class="mb-3 alert alert-info" role="alert">
             <i>SAML 2.0 Metadata selecting all up-parties with '*'. You can alternatively select a up-party by name e.g., 'login' or up to 4 up-party divided by comma e.g., 'login,xx,yy,xx'.</i>
@@ -225,7 +228,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!DownParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => DownParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.cs b/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.cs
index 0786d1f3e..e3d88a766 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.cs
+++ b/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.cs
@@ -156,7 +156,7 @@ private async Task OnReadMetadataFileAsync(GeneralSamlUpPartyViewModel generalSa
                 }
     
                 generalSamlUpParty.KeyInfoList = new List<KeyInfoViewModel>();
-                generalSamlUpParty.Form.Model.Keys = new List<JwtWithCertificateInfo>();
+                generalSamlUpParty.Form.Model.Keys = new List<JwkWithCertificateInfo>();
 
                 if (samlUpParty.Keys?.Count() > 0)
                 {
@@ -187,7 +187,7 @@ private async Task OnSamlUpPartyCertificateFileSelectedAsync(GeneralSamlUpPartyV
         {
             if (generalSamlUpParty.Form.Model.Keys == null)
             {
-                generalSamlUpParty.Form.Model.Keys = new List<JwtWithCertificateInfo>();
+                generalSamlUpParty.Form.Model.Keys = new List<JwkWithCertificateInfo>();
             }
             generalSamlUpParty.Form.ClearFieldError(nameof(generalSamlUpParty.Form.Model.Keys));
             foreach (var file in files)
@@ -207,9 +207,9 @@ private async Task OnSamlUpPartyCertificateFileSelectedAsync(GeneralSamlUpPartyV
                     try
                     {
                         var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(memoryStream.ToArray());
-                        var jwtWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
+                        var jwkWithCertificateInfo = await HelpersService.ReadCertificateAsync(new CertificateAndPassword { EncodeCertificate = base64UrlEncodeCertificate });
 
-                        if (generalSamlUpParty.Form.Model.Keys.Any(k => k.X5t.Equals(jwtWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
+                        if (generalSamlUpParty.Form.Model.Keys.Any(k => k.X5t.Equals(jwkWithCertificateInfo.X5t, StringComparison.OrdinalIgnoreCase)))
                         {
                             generalSamlUpParty.Form.SetFieldError(nameof(generalSamlUpParty.Form.Model.Keys), "Signature validation keys (certificates) has duplicates.");
                             return;
@@ -217,14 +217,14 @@ private async Task OnSamlUpPartyCertificateFileSelectedAsync(GeneralSamlUpPartyV
 
                         generalSamlUpParty.KeyInfoList.Add(new KeyInfoViewModel
                         {
-                            Subject = jwtWithCertificateInfo.CertificateInfo.Subject,
-                            ValidFrom = jwtWithCertificateInfo.CertificateInfo.ValidFrom,
-                            ValidTo = jwtWithCertificateInfo.CertificateInfo.ValidTo,
-                            IsValid = jwtWithCertificateInfo.CertificateInfo.IsValid(),
-                            Thumbprint = jwtWithCertificateInfo.CertificateInfo.Thumbprint,
-                            Key = jwtWithCertificateInfo
+                            Subject = jwkWithCertificateInfo.CertificateInfo.Subject,
+                            ValidFrom = jwkWithCertificateInfo.CertificateInfo.ValidFrom,
+                            ValidTo = jwkWithCertificateInfo.CertificateInfo.ValidTo,
+                            IsValid = jwkWithCertificateInfo.CertificateInfo.IsValid(),
+                            Thumbprint = jwkWithCertificateInfo.CertificateInfo.Thumbprint,
+                            Key = jwkWithCertificateInfo
                         });
-                        generalSamlUpParty.Form.Model.Keys.Add(jwtWithCertificateInfo);
+                        generalSamlUpParty.Form.Model.Keys.Add(jwkWithCertificateInfo);
                     }
                     catch (Exception ex)
                     {
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.razor b/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.razor
index 7dc3c1259..14832384d 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/ESamlUpParty.razor
@@ -10,7 +10,7 @@
             SAML 2.0
         </div>
         <div class="d-flex">
-            <button type="button" class="btn btn-link btn-xs" @onclick="@(() => samlUpParty.ShowAdvanced = !samlUpParty.ShowAdvanced)">@(samlUpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+            <FInputSwitchAdvancedOptions @bind-Value="samlUpParty.ShowAdvanced" />
         </div>
     </div>
     <div class="modal-body">
@@ -22,7 +22,10 @@
         {
             <FFieldText @bind-Value="samlUpParty.Form.Model.Name" For="@(() => samlUpParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="samlUpParty.Form.Model.Note" For="@(() => samlUpParty.Form.Model.Note)" />
+        @if (samlUpParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="samlUpParty.Form.Model.Note" For="@(() => samlUpParty.Form.Model.Note)" />
+        }
 
         @if (!samlUpParty.Form.Model.DisableUserAuthenticationTrust)
         {
@@ -362,7 +365,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => samlUpParty.ShowAdvanced = !samlUpParty.ShowAdvanced)">@(samlUpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!UpParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => UpParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkDownParty.razor b/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkDownParty.razor
index 98d361be7..45823c798 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkDownParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkDownParty.razor
@@ -9,7 +9,7 @@
         <div>
             Track link
         </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="DownParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (trackLinkDownParty.CreateMode)
@@ -20,7 +20,10 @@
         {
             <FFieldText @bind-Value="trackLinkDownParty.Form.Model.Name" For="@(() => trackLinkDownParty.Form.Model.Name)" />
         }
-        <FInputText @bind-Value="trackLinkDownParty.Form.Model.Note" For="@(() => trackLinkDownParty.Form.Model.Note)" />
+        @if (trackLinkDownParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="trackLinkDownParty.Form.Model.Note" For="@(() => trackLinkDownParty.Form.Model.Note)" />
+        }
 
         <div class="mb-3 alert alert-info" role="alert">
             <div>Please add a corresponding up-party track link in the track you want to connect to.</div>
@@ -123,7 +126,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => DownParty.ShowAdvanced = !DownParty.ShowAdvanced)">@(DownParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!DownParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => DownParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkUpParty.razor b/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkUpParty.razor
index ac78fa0e1..3af320f8f 100644
--- a/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkUpParty.razor
+++ b/src/FoxIDs.ControlClient/Pages/Components/ETrackLinkUpParty.razor
@@ -9,7 +9,7 @@
         <div>
             Track link
         </div>
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => UpParty.ShowAdvanced = !UpParty.ShowAdvanced)">@(UpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
+        <FInputSwitchAdvancedOptions @bind-Value="UpParty.ShowAdvanced" />
     </div>
     <div class="modal-body">
         @if (trackLinkUpParty.CreateMode)
@@ -20,8 +20,10 @@
         {
             <FFieldText @bind-Value="trackLinkUpParty.Form.Model.Name" For="@(() => trackLinkUpParty.Form.Model.Name)" />
         }
-
-        <FInputText @bind-Value="trackLinkUpParty.Form.Model.Note" For="@(() => trackLinkUpParty.Form.Model.Note)" />
+        @if (trackLinkUpParty.ShowAdvanced)
+        {
+            <FInputText @bind-Value="trackLinkUpParty.Form.Model.Note" For="@(() => trackLinkUpParty.Form.Model.Note)" />
+        }
 
         @if (trackLinkUpParty.ShowAdvanced)
         {
@@ -119,7 +121,6 @@
         </div>
     }
     <div class="modal-footer">
-        <button type="button" class="btn btn-link btn-xs" @onclick="@(() => UpParty.ShowAdvanced = !UpParty.ShowAdvanced)">@(UpParty.ShowAdvanced ? "Hide" : "Show") advanced settings</button>
         @if (!UpParty.CreateMode)
         {
             <button type="button" class="btn btn-link" @onclick="@(() => UpParty.DeleteAcknowledge = true)">Delete</button>
diff --git a/src/FoxIDs.ControlClient/Pages/TrackSettings.cs b/src/FoxIDs.ControlClient/Pages/TrackSettings.cs
index f853f21c3..5000fa28e 100644
--- a/src/FoxIDs.ControlClient/Pages/TrackSettings.cs
+++ b/src/FoxIDs.ControlClient/Pages/TrackSettings.cs
@@ -99,7 +99,7 @@ private async Task DeleteTrackAsync()
             try
             {
                 await TrackService.DeleteTrackAsync(TrackSelectedLogic.Track.Name);
-                await TrackSelectedLogic.ShowSelectTrackAsync();
+                await TrackSelectedLogic.SelectTrackAsync();
             }
             catch (TokenUnavailableException)
             {
diff --git a/src/FoxIDs.ControlClient/Services/HelpersService.cs b/src/FoxIDs.ControlClient/Services/HelpersService.cs
index 5c1bae334..ef56d44a1 100644
--- a/src/FoxIDs.ControlClient/Services/HelpersService.cs
+++ b/src/FoxIDs.ControlClient/Services/HelpersService.cs
@@ -12,6 +12,6 @@ public class HelpersService : BaseService
         public HelpersService(IHttpClientFactory httpClientFactory, RouteBindingLogic routeBindingLogic, TrackSelectedLogic trackSelectedLogic) : base(httpClientFactory, routeBindingLogic, trackSelectedLogic)
         { }
 
-        public async Task<JwtWithCertificateInfo> ReadCertificateAsync(CertificateAndPassword certificateAndPassword) => await PostResponseAsync<CertificateAndPassword, JwtWithCertificateInfo>(readcertificateApiUri, certificateAndPassword);
+        public async Task<JwkWithCertificateInfo> ReadCertificateAsync(CertificateAndPassword certificateAndPassword) => await PostResponseAsync<CertificateAndPassword, JwkWithCertificateInfo>(readcertificateApiUri, certificateAndPassword);
     }
 }
diff --git a/src/FoxIDs.ControlClient/Services/UpPartyService.cs b/src/FoxIDs.ControlClient/Services/UpPartyService.cs
index dd5b4e708..7a32d70e1 100644
--- a/src/FoxIDs.ControlClient/Services/UpPartyService.cs
+++ b/src/FoxIDs.ControlClient/Services/UpPartyService.cs
@@ -12,6 +12,7 @@ public class UpPartyService : BaseService
         private const string loginApiUri = "api/{tenant}/{track}/!loginupparty";
         private const string oauthApiUri = "api/{tenant}/{track}/!oauthupparty";
         private const string oidcApiUri = "api/{tenant}/{track}/!oidcupparty";
+        private const string oidcClientSecretApiUri = "api/{tenant}/{track}/!oidcclientsecretupparty";
         private const string oidcClientKeyApiUri = "api/{tenant}/{track}/!oidcclientkeyupparty";
         private const string samlApiUri = "api/{tenant}/{track}/!samlupparty";
         private const string samlReadMetadataApiUri = "api/{tenant}/{track}/!samluppartyreadmetadata";
@@ -37,6 +38,10 @@ public UpPartyService(IHttpClientFactory httpClientFactory, RouteBindingLogic ro
         public async Task<OidcUpParty> UpdateOidcUpPartyAsync(OidcUpParty party) => await PutResponseAsync<OidcUpParty, OidcUpParty>(oidcApiUri, party);
         public async Task DeleteOidcUpPartyAsync(string name) => await DeleteAsync(oidcApiUri, name);
 
+        public async Task<OAuthClientSecretSingleResponse> GetOidcClientSecretUpPartyAsync(string partyName) => await GetAsync<OAuthClientSecretSingleResponse>(oidcClientSecretApiUri, partyName, parmName: nameof(partyName));
+        public async Task<OAuthClientSecretSingleResponse> UpdateOidcClientSecretUpPartyAsync(OAuthClientSecretSingleRequest secretRequest) => await PutResponseAsync<OAuthClientSecretSingleRequest, OAuthClientSecretSingleResponse>(oidcClientSecretApiUri, secretRequest);
+        public async Task DeleteOidcClientSecretUpPartyAsync(string name) => await DeleteAsync(oidcClientSecretApiUri, name, parmName: nameof(name));
+
         public async Task<OAuthClientKeyResponse> GetOidcClientKeyUpPartyAsync(string partyName) => await GetAsync<OAuthClientKeyResponse>(oidcClientKeyApiUri, partyName, parmName: nameof(partyName));
         public async Task<OAuthClientKeyResponse> CreateOidcClientKeyUpPartyAsync(OAuthClientKeyRequest keyRequest) => await PostResponseAsync<OAuthClientKeyRequest, OAuthClientKeyResponse>(oidcClientKeyApiUri, keyRequest);
         public async Task DeleteOidcClientKeyUpPartyAsync(string name) => await DeleteAsync(oidcClientKeyApiUri, name, parmName: nameof(name));
diff --git a/src/FoxIDs.ControlClient/Services/UserService.cs b/src/FoxIDs.ControlClient/Services/UserService.cs
index a78f573a8..7c9c29d88 100644
--- a/src/FoxIDs.ControlClient/Services/UserService.cs
+++ b/src/FoxIDs.ControlClient/Services/UserService.cs
@@ -10,6 +10,8 @@ public class UserService : BaseService
     {
         private const string apiUri = "api/{tenant}/{track}/!user";
         private const string filterApiUri = "api/{tenant}/{track}/!filteruser";
+        private const string myUserApiUri = "api/{tenant}/master/!myuser";
+        private const string userControlProfileApiUri = "api/{tenant}/master/!usercontrolprofile";
 
         public UserService(IHttpClientFactory httpClientFactory, RouteBindingLogic routeBindingLogic, TrackSelectedLogic trackSelectedLogic) : base(httpClientFactory, routeBindingLogic, trackSelectedLogic)
         { }
@@ -21,5 +23,11 @@ public UserService(IHttpClientFactory httpClientFactory, RouteBindingLogic route
         public async Task<User> UpdateUserAsync(UserRequest user) => await PutResponseAsync<UserRequest, User>(apiUri, user);
         public async Task DeleteUserAsync(string email) => await DeleteAsync(apiUri, email, parmName: nameof(email));
 
+        public async Task<MyUser> GetMyUserAsync() => await GetAsync<MyUser>(myUserApiUri);
+        public async Task<MyUser> UpdateMyUserAsync(MyUser myUser) => await PutResponseAsync<MyUser, MyUser>(myUserApiUri, myUser);
+
+        public async Task<UserControlProfile> GetUserControlProfileAsync() => await GetAsync<UserControlProfile>(userControlProfileApiUri);
+        public async Task<UserControlProfile> UpdateUserControlProfileAsync(UserControlProfile userControlProfile) => await PutResponseAsync<UserControlProfile, UserControlProfile>(userControlProfileApiUri, userControlProfile);
+        public async Task DeleteUserControlProfileAsync() => await DeleteAsync(userControlProfileApiUri);
     }
 }
diff --git a/src/FoxIDs.ControlClient/Shared/ActivateLogin.razor b/src/FoxIDs.ControlClient/Shared/ActivateLogin.razor
new file mode 100644
index 000000000..7ae9e22ea
--- /dev/null
+++ b/src/FoxIDs.ControlClient/Shared/ActivateLogin.razor
@@ -0,0 +1,14 @@
+@inherits PageBase
+
+<p>Authentication is in progress...</p>
+
+@code {
+    [Inject]
+    public OpenidConnectPkce OpenidConnectPkce { get; set; }
+
+    protected override async Task OnParametersSetAsync()
+    {
+        await (OpenidConnectPkce as TenantOpenidConnectPkce).TenantLoginAsync();
+        await base.OnParametersSetAsync();
+    }
+}
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/Shared/Components/FInputBase.cs b/src/FoxIDs.ControlClient/Shared/Components/FInputBase.cs
index 52752dfc6..ab0e26f66 100644
--- a/src/FoxIDs.ControlClient/Shared/Components/FInputBase.cs
+++ b/src/FoxIDs.ControlClient/Shared/Components/FInputBase.cs
@@ -20,12 +20,15 @@ public class FInputBase<TValue> : InputBase<TValue>
         [Parameter]
         public Expression<Func<object>> For { get; set; }
 
+        public event Func<TValue, Task> OnValueParsedAsync;
+
         protected override bool TryParseValueFromString(string value, out TValue result, out string validationErrorMessage)
         {
             if (typeof(TValue) == typeof(string))
             {
                 result = (TValue)Convert.ChangeType(value, typeof(TValue));
                 validationErrorMessage = null;
+                OnValueParsedAsync.Invoke(result);
                 return true;
             }
             else if (typeof(TValue) == typeof(int))
@@ -35,6 +38,7 @@ protected override bool TryParseValueFromString(string value, out TValue result,
                 {
                     result = (TValue)Convert.ChangeType(intResult, typeof(TValue));
                     validationErrorMessage = null;
+                    OnValueParsedAsync.Invoke(result);
                     return true;
                 }
                 else
@@ -51,6 +55,7 @@ protected override bool TryParseValueFromString(string value, out TValue result,
                 {
                     result = (TValue)Convert.ChangeType(boolResult, typeof(TValue));
                     validationErrorMessage = null;
+                    OnValueParsedAsync.Invoke(result);
                     return true;
                 }
                 else
@@ -66,6 +71,7 @@ protected override bool TryParseValueFromString(string value, out TValue result,
                 {
                     result = (TValue)Enum.Parse(typeof(TValue), value);
                     validationErrorMessage = null;
+                    OnValueParsedAsync.Invoke(result);
                     return true;
                 }
                 catch (ArgumentException)
diff --git a/src/FoxIDs.ControlClient/Shared/Components/FInputSelect.razor b/src/FoxIDs.ControlClient/Shared/Components/FInputSelect.razor
index 8b3a4f7a5..bb1ac0567 100644
--- a/src/FoxIDs.ControlClient/Shared/Components/FInputSelect.razor
+++ b/src/FoxIDs.ControlClient/Shared/Components/FInputSelect.razor
@@ -22,4 +22,24 @@
 
     [Parameter]
     public RenderFragment ChildContent { get; set; }
+
+    [Parameter]
+    public EventCallback<TValue> OnValidChange { get; set; }
+
+    protected override void OnInitialized()
+    {
+        OnValueParsedAsync += OnValueParsedEventAsync;
+    }
+
+    private async Task OnValueParsedEventAsync(TValue value)
+    {
+        await OnValidChange.InvokeAsync(value);
+        StateHasChanged();
+    }
+
+    protected override void Dispose(bool disposing)
+    {
+        OnValueParsedAsync -= OnValueParsedEventAsync;
+        base.Dispose(disposing);
+    }
 }
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/Shared/Components/FInputSwitchAdvancedOptions.razor b/src/FoxIDs.ControlClient/Shared/Components/FInputSwitchAdvancedOptions.razor
new file mode 100644
index 000000000..9b35f6c66
--- /dev/null
+++ b/src/FoxIDs.ControlClient/Shared/Components/FInputSwitchAdvancedOptions.razor
@@ -0,0 +1,27 @@
+<div>
+    <input type="checkbox" id="@id" @bind="Value" />
+    <label for="@id">Advanced options</label>
+</div>
+
+
+@code {
+    private string id = Guid.NewGuid().ToString().Replace("-", "");
+
+    [Parameter]
+    public EventCallback<bool> ValueChanged { get; set; }
+
+    private bool _value;
+    [Parameter]
+    public bool Value
+    {
+        get { return _value; }
+        set
+        {
+            if (_value != value)
+            {
+                _value = value;
+                ValueChanged.InvokeAsync(_value);
+            }
+        }
+    }
+} 
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/Shared/Components/FInputSwitchAdvancedOptions.razor.css b/src/FoxIDs.ControlClient/Shared/Components/FInputSwitchAdvancedOptions.razor.css
new file mode 100644
index 000000000..597e344ac
--- /dev/null
+++ b/src/FoxIDs.ControlClient/Shared/Components/FInputSwitchAdvancedOptions.razor.css
@@ -0,0 +1,37 @@
+input {
+    position: relative;
+    height: 15px;
+    width: 30px;
+    -webkit-appearance: none;
+    background: #6c757d;
+    outline: none;
+    border-radius: 15px;
+    vertical-align: middle;
+    margin-bottom: 4px;
+}
+
+    input:checked {
+        background: #df8935;
+    }
+
+    input:before {
+        cursor: pointer;
+        content: '';
+        position: absolute;
+        top: 0;
+        left: 0;
+        width: 15px;
+        height: 15px;
+        transform: scale(0.85);
+        border-radius: 50%;
+        background: white;
+        transition: .5s;
+    }
+
+    input:checked:before {
+        left: 15px;
+    }
+
+label {
+    margin-left: 0.3rem;
+}
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/Shared/Components/SelectUpParty.razor b/src/FoxIDs.ControlClient/Shared/Components/SelectUpParty.razor
index 4a10005c4..b464a6cc2 100644
--- a/src/FoxIDs.ControlClient/Shared/Components/SelectUpParty.razor
+++ b/src/FoxIDs.ControlClient/Shared/Components/SelectUpParty.razor
@@ -36,13 +36,13 @@
 
     <ul class="navbar-nav mr-auto">
         <li class="nav-item dropdown">
-            <button type="button" class="nav-link dropdown-toggle btn btn-link btn-xs" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"  @onclick="@(async () => await LoadDefaultUpPartyFilter())">
+            <button type="button" class="dropdown-toggle btn btn-link btn-xs" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"  @onclick="@(async () => await LoadDefaultUpPartyFilter())">
                 <span class="oi oi-plus" aria-hidden="true"></span> Add allow up-party
             </button>
 
-            <div class="dropdown-menu searchDropdown" aria-labelledby="allowUpPartyNamesDropdown">
+            <div class="dropdown-menu search-dropdown px-3 pb-3" aria-labelledby="allowUpPartyNamesDropdown">
                 <PageEditForm @ref="upPartyNamesFilterForm" TModel="FilterUpPartyViewModel" OnValidSubmit="OnUpPartyNamesFilterValidSubmitAsync">
-                    <div class="form-group active-group pb-0">
+                    <div class="form-group active-group pb-2">
                         <FInputTextFilter @bind-Value="upPartyNamesFilterForm.Model.FilterName" For="@(() => upPartyNamesFilterForm.Model.FilterName)" IncludeActiveFormGroup="false" />
                     </div>
                 </PageEditForm>
@@ -50,7 +50,7 @@
                 {
                     @foreach (var upPartyFilter in upPartyFilters)
                     {
-                        <button type="button" class="dropdown-item btn btn-link" @onclick="@(() => OnAddUpPartyNameAsync(upPartyFilter.Name))">
+                        <button type="button" class="dropdown-item btn btn-link pl-1 pr-1" @onclick="@(() => OnAddUpPartyNameAsync(upPartyFilter.Name))">
                             @upPartyFilter.Name, type: @upPartyFilter.Type
                         </button>
                     }
diff --git a/src/FoxIDs.ControlClient/Shared/MainLayout.cs b/src/FoxIDs.ControlClient/Shared/MainLayout.cs
index f76d6fa4b..3b4a15ae9 100644
--- a/src/FoxIDs.ControlClient/Shared/MainLayout.cs
+++ b/src/FoxIDs.ControlClient/Shared/MainLayout.cs
@@ -14,6 +14,8 @@
 using ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect;
 using FoxIDs.Client.Infrastructure.Security;
 using FoxIDs.Client.Models.Config;
+using System.Linq;
+using ITfoxtec.Identity;
 
 namespace FoxIDs.Client.Shared
 {
@@ -21,18 +23,21 @@ public partial class MainLayout
     {
         private Modal createTenantModal;
         private PageEditForm<CreateTenantViewModel> createTenantForm;
+        private bool createTenantWorking;
         private bool createTenantDone;
         private List<string> createTenantReceipt = new List<string>();
         private Modal createTrackModal;
         private PageEditForm<CreateTrackViewModel> createTrackForm;
+        private bool createTrackWorking;
         private bool createTrackDone;
         private List<string> createTrackReceipt = new List<string>();
         private PageEditForm<FilterTrackViewModel> selectTrackFilterForm;
-        private Modal selectTrackModal;
         private bool selectTrackInitialized = false;
         private string selectTrackError;
         private IEnumerable<Track> selectTrackTasks;
         private Modal myProfileModal;
+        private bool myProfileMasterMasterLogin;
+        private bool showMyProfileClaims;
         private IEnumerable<Claim> myProfileClaims;
         private Modal notAccessModal;
 
@@ -54,6 +59,9 @@ public partial class MainLayout
         [Inject]
         public NotificationLogic NotificationLogic { get; set; }
 
+        [Inject]
+        public UserProfileLogic UserProfileLogic { get; set; }
+
         [Inject]
         public TrackSelectedLogic TrackSelectedLogic { get; set; }
 
@@ -63,20 +71,29 @@ public partial class MainLayout
         [Inject]
         public TrackService TrackService { get; set; }
 
+        [Inject]
+        public UserService UserService { get; set; }
+
         protected override async Task OnInitializedAsync()
         {
             await RouteBindingLogic.InitRouteBindingAsync();
             await base.OnInitializedAsync();
-            TrackSelectedLogic.OnShowSelectTrackAsync += OnShowSelectTrackAsync;
+            TrackSelectedLogic.OnSelectTrackAsync += OnSelectTrackAsync;
         }
 
         protected override async Task OnParametersSetAsync()
         {
             var user = (await authenticationStateTask).User;
-            if (user.Identity.IsAuthenticated && user.IsInRole(Constants.ControlApi.Role.TenantAdmin))
+            if (user.Identity.IsAuthenticated)
             {
-                await ShowSelectTrackModalAsync();
+                await LoadAndSelectTracAsync();
                 myProfileClaims = user.Claims;
+                if (user.Claims.Where(c => c.Type == Constants.JwtClaimTypes.UpPartyType && c.Value == Constants.DefaultLogin.Name).Any() &&
+                    user.Claims.Where(c => c.Type == Constants.JwtClaimTypes.UpParty && c.Value == Constants.DefaultLogin.Name).Any() &&
+                    user.Claims.Where(c => c.Type == JwtClaimTypes.Email).Any())
+                {
+                    myProfileMasterMasterLogin = true;
+                }
             }
             else if(notAccessModal != null)
             {
@@ -92,6 +109,7 @@ private async Task LogoutAsync()
 
         private void ShowCreateTenantModal()
         {
+            createTenantWorking = false;
             createTenantDone = false;
             createTenantReceipt = new List<string>();
             createTenantForm.Init(); 
@@ -102,6 +120,11 @@ private async Task OnCreateTenantValidSubmitAsync(EditContext editContext)
         {
             try
             {
+                if (createTenantWorking)
+                {
+                    return;
+                }
+                createTenantWorking = true;
                 await TenantService.CreateTenantAsync(createTenantForm.Model.Map<CreateTenantRequest>(afterMap =>
                 {
                     afterMap.ControlClientBaseUri = RouteBindingLogic.GetBaseUri();
@@ -120,6 +143,7 @@ await TenantService.CreateTenantAsync(createTenantForm.Model.Map<CreateTenantReq
             }
             catch (FoxIDsApiException ex)
             {
+                createTenantWorking = false;
                 if (ex.StatusCode == System.Net.HttpStatusCode.Conflict)
                 {
                     createTenantForm.SetFieldError(nameof(createTenantForm.Model.Name), ex.Message);
@@ -133,6 +157,7 @@ await TenantService.CreateTenantAsync(createTenantForm.Model.Map<CreateTenantReq
 
         private void ShowCreateTrackModal()
         {
+            createTrackWorking = false;
             createTrackDone = false;
             createTrackReceipt = new List<string>();
             createTrackForm.Init();
@@ -143,6 +168,11 @@ private async Task OnCreateTrackValidSubmitAsync(EditContext editContext)
         {
             try
             {
+                if(createTrackWorking)
+                {
+                    return;
+                }
+                createTrackWorking = true;
                 var track = createTrackForm.Model.Map<Track>();
                 await TrackService.CreateTrackAsync(track);
                 createTrackDone = true;
@@ -156,9 +186,11 @@ private async Task OnCreateTrackValidSubmitAsync(EditContext editContext)
                 }
                 await LoadSelectTrackAsync();
                 await TrackSelectedLogic.TrackSelectedAsync(track);
+                await UserProfileLogic.UpdateTrackAsync(track.Name);
             }
             catch (FoxIDsApiException ex)
             {
+                createTrackWorking = false;
                 if (ex.StatusCode == System.Net.HttpStatusCode.Conflict)
                 {
                     createTrackForm.SetFieldError(nameof(createTrackForm.Model.Name), ex.Message);
@@ -170,15 +202,15 @@ private async Task OnCreateTrackValidSubmitAsync(EditContext editContext)
             }
         }
 
-        private async Task OnShowSelectTrackAsync()
+        private async Task OnSelectTrackAsync()
         {
-            await ShowSelectTrackModalAsync(true);
+            await LoadAndSelectTracAsync(forceSelect: true);
             StateHasChanged();
         }
 
-        private async Task ShowSelectTrackModalAsync(bool forceSelect = false)
+        private async Task LoadAndSelectTracAsync(bool forceSelect = false)
         {
-            if (!forceSelect && (selectTrackModal == null || selectTrackInitialized || TrackSelectedLogic.IsTrackSelected))
+            if (!forceSelect && (selectTrackInitialized || TrackSelectedLogic.IsTrackSelected))
             {
                 return;
             }
@@ -198,8 +230,28 @@ private async Task ShowSelectTrackModalAsync(bool forceSelect = false)
             else
             {
                 selectTrackError = null;
-                selectTrackModal.Show();
                 await LoadSelectTrackAsync();
+
+                var userProfile = await UserProfileLogic.GetUserProfileAsync();
+                if (!string.IsNullOrWhiteSpace(userProfile?.LastTrackName) && await SelectTrackAsync(userProfile.LastTrackName))
+                {
+                    return;
+                }
+
+                if (await SelectTrackAsync("test") || await SelectTrackAsync("dev") || await SelectTrackAsync("-"))
+                {
+                    return;
+                }
+                else if (selectTrackTasks.Count() > 1)
+                {
+                    await SelectTrackAsync(selectTrackTasks.Where(t => t.Name != Constants.Routes.MasterTrackName).First());
+                    return;
+                }
+                else
+                {
+                    await SelectTrackAsync(selectTrackTasks.First());
+                    return;
+                }
             }
         }
 
@@ -209,6 +261,7 @@ private async Task LoadSelectTrackAsync()
             {
                 selectTrackError = null;
                 selectTrackTasks = await TrackService.FilterTrackAsync(null);
+                
             }
             catch (TokenUnavailableException)
             {
@@ -239,10 +292,31 @@ private async Task OnSelectTrackFilterValidSubmitAsync(EditContext editContext)
             }
         }
 
+        private async Task<bool> SelectTrackAsync(string trackName)
+        {
+            var track = selectTrackTasks.Where(t => t.Name == trackName).FirstOrDefault();
+            if (track != null)
+            {
+                await SelectTrackAsync(track);
+                return true;
+            }
+            return false;
+        }
+
         private async Task SelectTrackAsync(Track track)
         {
+            if (!RouteBindingLogic.IsMasterTenant)
+            {
+                await UserProfileLogic.UpdateTrackAsync(track.Name);
+            }
             await TrackSelectedLogic.TrackSelectedAsync(track);
-            selectTrackModal.Hide();
+        }
+
+        public async Task ChangeMyPasswordAsync()
+        {
+            await UserService.UpdateMyUserAsync(new MyUser { ChangePassword = true });
+
+            await (OpenidConnectPkce as TenantOpenidConnectPkce).TenantLoginAsync(prompt: IdentityConstants.AuthorizationServerPrompt.Login);
         }
     }
 }
diff --git a/src/FoxIDs.ControlClient/Shared/MainLayout.razor b/src/FoxIDs.ControlClient/Shared/MainLayout.razor
index 93c94fff2..8f36b6a18 100644
--- a/src/FoxIDs.ControlClient/Shared/MainLayout.razor
+++ b/src/FoxIDs.ControlClient/Shared/MainLayout.razor
@@ -6,69 +6,66 @@
                 justify-content-between">
     <div class=container-fluid>
 
-        <nav class="navbar navbar-expand navbar-light bg-light navbar-main">
-            <a class="navbar-brand">Fox<span class="navbar-subbrand">ID</span>s</a>
+        <nav class="navbar navbar-expand navbar-light bg-light navbar-main nav-fill">
+            <a class="navbar-brand mr-auto">Fox<span class="navbar-subbrand">ID</span>s</a>
             <AuthorizeView>
                 <Authorized>
-                    <ul class="navbar-nav mr-auto">
+                    <ul class="navbar-nav nav-item dropdown-nav-item">
                         @if (RouteBindingLogic.IsMasterTenant)
                         {
-                            <li class="nav-item">
-                                <i>Master tenant and track</i>
+                            <li class="nav-item pt-2">
+                                <strong class="align-middle">Master tenant</strong>
+                                <button class="btn btn-link" @onclick="ShowCreateTenantModal"><span class="oi oi-plus" aria-hidden="true"></span> Create Tenant</button>
                             </li>
                         }
                         else if (TrackSelectedLogic.IsTrackSelected)
                         {
                             <li class="nav-item dropdown">
-                                <a class="nav-link dropdown-toggle" id="trackNavbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
-                                    @TrackSelectedLogic.Track.Name <small class="text-muted">@TrackSelectedLogic.Track.Name.GetProdTrackName()</small>
-                                </a>
-                                <div class="dropdown-menu searchDropdown px-3 pb-3" aria-labelledby="trackNavbarDropdown">
-                                    <PageEditForm @ref="selectTrackFilterForm" TModel="FilterTrackViewModel" OnValidSubmit="OnSelectTrackFilterValidSubmitAsync">
-                                        <div class="form-group active-group pb-2">
-                                            <FInputTextFilter @bind-Value="selectTrackFilterForm.Model.FilterName" For="@(() => selectTrackFilterForm.Model.FilterName)" IncludeActiveFormGroup="false" />
+                                @if (!selectTrackError.IsNullOrWhiteSpace())
+                                {
+                                    <div class="alert alert-danger" role="alert">
+                                        @selectTrackError
+                                    </div>
+                                }
+                                <div class=" form-group active-group active">
+                                    <label class="label-control">Track</label>
+                                    <div class="card">
+                                        <div class="nav-link dropdown-toggle card-body px-3 py-2 text-left" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+                                            <span style="width: 100%">@TrackSelectedLogic.Track.Name <small class="text-muted">@TrackSelectedLogic.Track.Name.GetProdTrackName()</small></span>
                                         </div>
-                                    </PageEditForm>
+                                        <div class="dropdown-menu search-dropdown px-3 pb-3" aria-labelledby="trackNavbarDropdown">
+                                            <PageEditForm @ref="selectTrackFilterForm" TModel="FilterTrackViewModel" OnValidSubmit="OnSelectTrackFilterValidSubmitAsync">
+                                                <div class="form-group mb-1 text-right">
+                                                    <button class="btn btn-link pr-0" @onclick="ShowCreateTrackModal"><span class="oi oi-plus" aria-hidden="true"></span> Create Track</button>
+                                                </div>
+                                                <div class="form-group active-group pb-2">
+                                                    <FInputTextFilter @bind-Value="selectTrackFilterForm.Model.FilterName" For="@(() => selectTrackFilterForm.Model.FilterName)" IncludeActiveFormGroup="false" />
+                                                </div>
+                                            </PageEditForm>
 
-                                    @if (!selectTrackError.IsNullOrWhiteSpace())
-                                    {
-                                        <div class="alert alert-danger" role="alert">
-                                            @selectTrackError
-                                        </div>
-                                    }
+                                            @if (selectTrackTasks != null)
+                                            {
+                                                @foreach (var track in selectTrackTasks)
+                                                {
+                                                    <button class="dropdown-item btn btn-link pl-1 pr-1" @onclick="@(() => SelectTrackAsync(track))">
+                                                        @track.Name <small class="text-muted">@track.Name.GetProdTrackName()</small>
+                                                    </button>
+                                                }
+                                            }
 
-                                    @if (selectTrackTasks != null)
-                                    {
-                                        @foreach (var track in selectTrackTasks)
-                                        {
-                                            <button class="dropdown-item btn btn-link" @onclick="@(() => SelectTrackAsync(track))">
-                                                @track.Name <small class="text-muted">@track.Name.GetProdTrackName()</small>
-                                            </button>
-                                        }
-                                    }
+                                        </div>
+                                    </div>
                                 </div>
                             </li>
                         }
                     </ul>
                     <ul class="navbar-nav">
-                        @if (RouteBindingLogic.IsMasterTenant)
-                        {
-                            <li class="nav-item">
-                                <button class="nav-link btn btn-link" @onclick="ShowCreateTenantModal"><span class="oi oi-plus" aria-hidden="true"></span> Create Tenant</button>
-                            </li>
-                        }
-                        else
-                        {
-                            <li class="nav-item">
-                                <button class="nav-link btn btn-link" @onclick="ShowCreateTrackModal"><span class="oi oi-plus" aria-hidden="true"></span> Create Track</button>
-                            </li>
-                        }
                         <li class="nav-item dropdown">
                             <a class="nav-link dropdown-toggle" id="meNavbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                                 <span class="oi oi-person" aria-hidden="true"></span>
                             </a>
                             <div class="dropdown-menu dropdown-menu-right" aria-labelledby="meNavbarDropdown">
-                                <button class="dropdown-item btn btn-link" @onclick="@(() => { myProfileModal.Show(); })">
+                                <button class="dropdown-item btn btn-link" @onclick="@(() => { showMyProfileClaims = false; myProfileModal.Show(); })">
                                     My Profile<br />
                                     <small>@context.User.Claims.Where(c => c.Type == JwtClaimTypes.Email).Select(c => c.Value).FirstOrDefault()</small>
                                 </button>
@@ -148,8 +145,8 @@
                         <div class="modal-footer">
                             @if (!createTenantDone)
                             {
-                                <button type="submit" class="btn btn-primary">Create</button>
-                                <button type="button" class="btn btn-secondary" @onclick="@(() => createTenantModal.Hide())">Cancel</button>
+                                <button type="submit" class="btn btn-primary @(createTenantWorking ? "disabled" : "")">Create</button>
+                                <button type="button" class="btn btn-secondary @(createTenantWorking ? "disabled" : "")" @onclick="@(() => createTenantModal.Hide())">Cancel</button>
                             }
                             else
                             {
@@ -159,39 +156,6 @@
                     </PageEditForm>
                 </Modal>
 
-                <Modal @ref="selectTrackModal" Title="Select Track" DisableClose="true">
-                    <div class="modal-body">
-                        <PageEditForm @ref="selectTrackFilterForm" TModel="FilterTrackViewModel" OnValidSubmit="OnSelectTrackFilterValidSubmitAsync">
-                            <FInputTextFilter @bind-Value="selectTrackFilterForm.Model.FilterName" For="@(() => selectTrackFilterForm.Model.FilterName)" />
-                        </PageEditForm>
-
-                        @if (!selectTrackError.IsNullOrWhiteSpace())
-                        {
-                            <div class="alert alert-danger" role="alert">
-                                @selectTrackError
-                            </div>
-                        }
-
-                        <ul class="list-group list-group-flush">
-                            @if (selectTrackTasks != null)
-                            {
-                                @foreach (var track in selectTrackTasks)
-                                {
-                                    <li class="list-group-item">
-                                        <button class="btn btn-link" @onclick="@(() => SelectTrackAsync(track))">
-                                            @track.Name <small class="text-muted">@track.Name.GetProdTrackName()</small>
-                                        </button>
-                                    </li>
-                                }
-                            }
-                            else
-                            {
-                                <i>Loading...</i>
-                            }
-                        </ul>
-                    </div>
-                </Modal>
-
                 <Modal @ref="createTrackModal" Title="Create Track">
                     <PageEditForm @ref="createTrackForm" TModel="CreateTrackViewModel" OnValidSubmit="OnCreateTrackValidSubmitAsync">
                         <div class="modal-body">
@@ -207,8 +171,8 @@
                         <div class="modal-footer">
                             @if (!createTrackDone)
                             {
-                                <button type="submit" class="btn btn-primary">Create</button>
-                                <button type="button" class="btn btn-secondary" @onclick="@(() => createTrackModal.Hide())">Cancel</button>
+                                <button type="submit" class="btn btn-primary @(createTrackWorking ? "disabled" : "")">Create</button>
+                                <button type="button" class="btn btn-secondary @(createTrackWorking ? "disabled" : "")" @onclick="@(() => createTrackModal.Hide())">Cancel</button>
                             }
                             else
                             {
@@ -218,17 +182,42 @@
                     </PageEditForm>
                 </Modal>
 
-                <Modal @ref="myProfileModal" Title="My Profile - show claims">
+                <Modal @ref="myProfileModal" Title="My Profile">
                     <div class="modal-body">
-                        <ul class="list-group list-group-flush">
-                            @if (myProfileClaims != null)
+                        @if (myProfileClaims != null)
+                        {
+                            @if (myProfileMasterMasterLogin)
                             {
-                                @foreach (var claim in myProfileClaims)
-                                {
-                                    <li class="list-group-item">@claim.Type: @claim.Value</li>
-                                }
+                                <div class="form-group active-group active">
+                                    <button type="button" class="btn btn-secondary" @onclick="ChangeMyPasswordAsync">Change your password</button>
+                                </div>
                             }
-                        </ul>
+                            else
+                            {
+                                <div class="alert alert-info" role="alert">
+                                    Your user is federated and do not have any profile settings.
+                                </div>
+                            }
+
+                            <div class="pt-3">
+                                <div class="form-group active-group active">
+                                    <label class="label-control">My claims</label>
+                                    @if (!showMyProfileClaims)
+                                    {
+                                        <button class="btn btn-link" type="button" @onclick="@(() => { showMyProfileClaims = true; })">Show my claims</button>
+                                    }
+                                    else
+                                    {
+                                        @foreach (var claim in myProfileClaims)
+                                        {
+                                            <ul class="list-group list-group-flush">
+                                                <li class="list-group-item py-1">@claim.Type: <i>@claim.Value</i></li>
+                                            </ul>
+                                        }
+                                    }
+                                </div>
+                            </div>
+                        }
                     </div>
                 </Modal>
 
@@ -249,11 +238,14 @@
 
         <div class="container-lg main-container">
             <AuthorizeView>
-                <NotAuthorized>
-                    <p>Authentication is in progress...</p>
+                <NotAuthorized >
+                    <ActivateLogin />
                 </NotAuthorized>
             </AuthorizeView>
-            @Body
+            @if (RouteBindingLogic.IsMasterTenant || TrackSelectedLogic.IsTrackSelected)
+            {
+                @Body
+            }            
         </div>
     </div>
 
diff --git a/src/FoxIDs.ControlClient/bundleconfig.json b/src/FoxIDs.ControlClient/bundleconfig.json
new file mode 100644
index 000000000..148370f3e
--- /dev/null
+++ b/src/FoxIDs.ControlClient/bundleconfig.json
@@ -0,0 +1,30 @@
+[
+  {
+    "outputFileName": "wwwroot/css/app.min.css",
+    "inputFiles": [
+      "wwwroot/css/app.css"
+    ]
+  },
+  {
+    "outputFileName": "wwwroot/js/site.min.js",
+    "inputFiles": [
+      "wwwroot/js/site.js"
+    ],
+    "minify": {
+      "enabled": true,
+      "renameLocals": true
+    },
+    "sourceMap": false
+  },
+  {
+    "outputFileName": "wwwroot/js/save-cert-file.min.js",
+    "inputFiles": [
+      "wwwroot/js/save-cert-file.js"
+    ],
+    "minify": {
+      "enabled": true,
+      "renameLocals": true
+    },
+    "sourceMap": false
+  }
+]
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/wwwroot/css/app.css b/src/FoxIDs.ControlClient/wwwroot/css/app.css
index 14ebec87a..5b9a15cdb 100644
--- a/src/FoxIDs.ControlClient/wwwroot/css/app.css
+++ b/src/FoxIDs.ControlClient/wwwroot/css/app.css
@@ -97,21 +97,79 @@ h4 {
 
 /*Navbar*/ 
 .navbar.navbar-main {
-    border-bottom: 3px solid #fc7e01;
+    border-bottom: 2px solid #fc7e01;
     background-color: #ffffff !important;
+   /* padding: 0.8rem 1rem*/
 }
 
 .navbar .navbar-brand {
-    font-size: 1.5rem;
+    font-size: 2rem;
     color: #ef8310 !important;
+    padding-top: 0.2125rem;
+    padding-bottom: 0.4125rem;
 }
 
 .navbar .navbar-subbrand {
     color: #bbbbbb !important;
 }
 
-.navbar .searchDropdown {
-    min-width: 400px;
+.navbar .card {
+    border-bottom-left-radius: unset;
+    border-bottom-right-radius: unset;
+    border-top: 2px solid #fc7e01;
+    border-left: 2px solid #fc7e01;
+    border-right: 2px solid #fc7e01;
+    border-bottom: unset;
+}
+
+.navbar .dropdown-toggle::after {
+    float: right;
+    margin-top: 10px;
+}
+
+.navbar .dropdown-nav-item {
+    z-index: 100;
+    position: absolute;
+    min-width: 100px;
+    right: auto;
+    left: 50%;
+    top: 14px;
+    -webkit-transform: translate(-50%, 0);
+    -o-transform: translate(-50%, 0);
+    transform: translate(-50%, 0);
+}
+
+.navbar .search-dropdown {    
+    min-width: 100px;
+    right: auto;
+    left: 50%;
+    -webkit-transform: translate(-50%, 0);
+    -o-transform: translate(-50%, 0);
+    transform: translate(-50%, 0);
+}
+
+@media (min-width: 520px) {
+    .navbar .dropdown-nav-item {
+        min-width: 250px;
+    }
+
+    .navbar .search-dropdown {
+        min-width: 250px;
+    }
+}
+
+@media (min-width: 800px) {
+    .navbar .dropdown-nav-item {
+        min-width: 320px;
+    }
+
+    .navbar .search-dropdown {
+        min-width: 320px;
+    }
+}
+
+.navbar .dropdown-menu {
+    margin: 0px 0;
 }
 
 .navbar-light .navbar-nav .nav-link {
@@ -134,6 +192,41 @@ h4 {
         padding: .5rem 0rem;
     }
 
+.nav-tabs {
+    border-bottom: 1px solid #f19031;
+}
+    .nav-tabs .nav-link {
+        color: #d87513;
+        border-top-color: #dee2e6;
+        border-left-color: #dee2e6;
+        border-right-color: #dee2e6;
+        border-bottom-left-radius: 0.25rem;
+        border-bottom-right-radius: 0.25rem;
+    }
+
+        .nav-tabs .nav-link:hover, .nav-tabs .nav-link:focus {
+            text-decoration: underline;
+            border-top-color: #d3d6da;
+            border-left-color: #d3d6da;
+            border-right-color: #d3d6da;
+            border-bottom-color: #f19031;
+        }
+
+        .nav-tabs .nav-link:focus {
+            box-shadow: 0 0 0 0.2rem rgba(223, 137, 53, 0.25);
+        }
+
+        .nav-tabs .nav-link.active, .nav-tabs .nav-item.show .nav-link {
+            color: #495057;
+            text-decoration: none !important;
+            border-top-color: #f19031;
+            border-left-color: #f19031;
+            border-right-color: #f19031;
+            border-bottom-color: #ffffff;
+            border-bottom-left-radius: unset;
+            border-bottom-right-radius: unset;
+        }
+
 .dropdown-item.active, .dropdown-item:active {
     color: #fff;
     background-color: #ea7c0f;
@@ -229,7 +322,7 @@ h4 {
     width: 2.2rem;
 }
 */
-    .form-control:focus {
+.form-control:focus {
     border-color: #df8935;
     box-shadow: 0 0 0 0.2rem rgba(223, 137, 53, 0.25);
 }
@@ -261,6 +354,13 @@ h4 {
 .card-body.active, .card-body:active {
     color: inherit;
     background-color: #fff;
+    border-radius: 0.25rem;
+    border-color: #df8935;
+    box-shadow: 0 0 0 0.2rem rgba(223, 137, 53, 0.25);
+}
+
+.card-body:focus {
+    border-radius: 0.25rem;
     border-color: #df8935;
     box-shadow: 0 0 0 0.2rem rgba(223, 137, 53, 0.25);
 }
diff --git a/src/FoxIDs.ControlClient/wwwroot/css/app.min.css b/src/FoxIDs.ControlClient/wwwroot/css/app.min.css
new file mode 100644
index 000000000..119b1cf91
--- /dev/null
+++ b/src/FoxIDs.ControlClient/wwwroot/css/app.min.css
@@ -0,0 +1 @@
+@import url('open-iconic/font/css/open-iconic-bootstrap.min.css');a{color:#df8935}a:hover{color:#d87513}.btn-link{color:#df8935}.btn-link:hover{color:#d87513}h3{font-weight:300;padding-bottom:8px}h4{font-weight:300;padding-bottom:8px}.blazored-toast-container{z-index:100}@media(min-width:576px){.blazored-toast{width:22rem}}.blazored-toast-body .blazored-toast-header h5{font-size:inherit !important;line-height:inherit !important}.blazored-toast-body .blazored-toast-header .blazored-toast-close{font-size:inherit !important}.container-fluid{padding:0 !important}.main-container{padding-top:30px}.footer-container{padding-top:10px;width:100%;height:30px;line-height:60px;color:#6c757d;font-family:MarkOT;font-size:11px;font-weight:normal;font-style:normal;font-stretch:normal;line-height:normal;letter-spacing:normal}.footer-content{padding-left:1rem;z-index:-1}#blazor-error-ui{background:#ffffe0;bottom:0;box-shadow:0 -1px 2px rgba(0,0,0,.2);display:none;left:0;padding:.6rem 1.25rem .7rem 1.25rem;position:fixed;width:100%;z-index:1000}#blazor-error-ui .dismiss{cursor:pointer;position:absolute;right:.75rem;top:.5rem}.navbar.navbar-main{border-bottom:2px solid #fc7e01;background-color:#fff !important}.navbar .navbar-brand{font-size:2rem;color:#ef8310 !important;padding-top:.2125rem;padding-bottom:.4125rem}.navbar .navbar-subbrand{color:#bbb !important}.navbar .card{border-bottom-left-radius:unset;border-bottom-right-radius:unset;border-top:2px solid #fc7e01;border-left:2px solid #fc7e01;border-right:2px solid #fc7e01;border-bottom:unset}.navbar .dropdown-toggle::after{float:right;margin-top:10px}.navbar .dropdown-nav-item{z-index:100;position:absolute;min-width:100px;right:auto;left:50%;top:14px;-webkit-transform:translate(-50%,0);-o-transform:translate(-50%,0);transform:translate(-50%,0)}.navbar .search-dropdown{min-width:100px;right:auto;left:50%;-webkit-transform:translate(-50%,0);-o-transform:translate(-50%,0);transform:translate(-50%,0)}@media(min-width:520px){.navbar .dropdown-nav-item{min-width:250px}.navbar .search-dropdown{min-width:250px}}@media(min-width:800px){.navbar .dropdown-nav-item{min-width:320px}.navbar .search-dropdown{min-width:320px}}.navbar .dropdown-menu{margin:0 0}.navbar-light .navbar-nav .nav-link{color:rgba(0,0,0,.9)}.oi.oi-plus{font-size:12px}.navbar.navbar-second{padding:0 1rem}.navbar.navbar-second .active{border-bottom:1px solid #fc7e01}.navbar.navbar-second .nav-item{padding:.5rem 0}.nav-tabs{border-bottom:1px solid #f19031}.nav-tabs .nav-link{color:#d87513;border-top-color:#dee2e6;border-left-color:#dee2e6;border-right-color:#dee2e6;border-bottom-left-radius:.25rem;border-bottom-right-radius:.25rem}.nav-tabs .nav-link:hover,.nav-tabs .nav-link:focus{text-decoration:underline;border-top-color:#d3d6da;border-left-color:#d3d6da;border-right-color:#d3d6da;border-bottom-color:#f19031}.nav-tabs .nav-link:focus{box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.nav-tabs .nav-link.active,.nav-tabs .nav-item.show .nav-link{color:#495057;text-decoration:none !important;border-top-color:#f19031;border-left-color:#f19031;border-right-color:#f19031;border-bottom-color:#fff;border-bottom-left-radius:unset;border-bottom-right-radius:unset}.dropdown-item.active,.dropdown-item:active{color:#fff;background-color:#ea7c0f}.btn:focus,.btn.focus{outline:0;box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.btn-primary{background-color:#f19031;border-color:#f19031}.btn-primary:hover{color:#fff;background-color:#ea7c0f;border-color:#ea7c0f}.btn-primary.focus,.btn-primary:focus{color:#fff;background-color:#ea7c0f;border-color:#ea7c0f}.btn-primary.disabled,.btn-primary:disabled{color:#fff;background-color:#e4b485;border-color:#e4b485}.btn-primary:not(:disabled):not(.disabled).active:focus,.btn-primary:not(:disabled):not(.disabled):active:focus,.show>.btn-primary.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.btn-primary:not(:disabled):not(.disabled).active,.btn-primary:not(:disabled):not(.disabled):active,.show>.btn-primary.dropdown-toggle{background-color:#ea7c0f;border-color:#ea7c0f}.btn.btn-icon-xs{color:#788489 !important;padding:0 0 0 .1rem;border:0;font-size:.875rem;line-height:1}.btn.btn-icon-xs .oi.oi-xs{top:-1px}.btn-outline-primary{color:#788489 !important;border-color:#f19031 !important}.btn-outline-primary:hover,.btn-outline-primary.focus,.btn-outline-primary:focus{color:#788489 !important;background-color:#fff !important;border-color:#f19031 !important}.toggle.btn-outline-primary .toggle-handle{background-color:#f19031 !important;border-color:#f19031 !important}.btn-outline-secondary{color:#788489 !important;border:1px solid #ced4da !important}.btn-outline-secondary:hover,.btn-outline-secondary.focus,.btn-outline-secondary:focus{color:#788489 !important;background-color:#fff !important}.toggle.btn-outline-secondary .toggle-handle{background-color:#6c757d !important;border-color:#6c757d !important}.form-group{margin-bottom:1.3rem}.form-control:focus{border-color:#df8935;box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.button-group{padding-top:15px;margin-top:15px}.list-group-item{background-color:inherit}.list-group-item.active,.list-group-item:active{color:inherit;background-color:inherit;border-color:#df8935;box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.list-group-item .btn-link{text-align:left}.list-group-stripes>.list-group-item:nth-child(even){background-color:#f8f9fa}.card-body.active,.card-body:active{color:inherit;background-color:#fff;border-radius:.25rem;border-color:#df8935;box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.card-body:focus{border-radius:.25rem;border-color:#df8935;box-shadow:0 0 0 .2rem rgba(223,137,53,.25)}.active-group{position:relative;padding:15px 0;margin:5px 0}.active-group .input-control{z-index:1;box-flex:1;flex-grow:1;flex-shrink:1;background-color:transparent}.active-group .label-control{display:block;color:#788489;padding-left:.8rem;top:1.35rem;transition:transform 150ms cubic-bezier(.4,0,.2,1),opacity 150ms cubic-bezier(.4,0,.2,1);z-index:1;-moz-transform-origin:bottom left;transform-origin:bottom left;-moz-transition:all .3s cubic-bezier(.4,0,.2,1);transition:all .3s cubic-bezier(.4,0,.2,1);-moz-transition-property:color,bottom,transform;transition-property:color,bottom,transform;pointer-events:none;position:absolute}.active-group .input-control:focus~.label-control{-webkit-transform:scale(.85) translateY(-2.4rem);transform:scale(.85) translateY(-2.4rem);color:#df8935}.active-group.active .label-control{-webkit-transform:scale(.85) translateY(-2.4rem);transform:scale(.85) translateY(-2.4rem)}.active-group .input-control:not(:focus):-webkit-autofill~.label-control{-webkit-transform:scale(.85) translateY(-2.4rem);transform:scale(.85) translateY(-2.4rem)}.active-group .input-group{position:initial}.active-group-outline{margin-bottom:5px}.active-group-outline .active-group{margin-bottom:0}.input-control.invalid{border-color:#a94442;-webkit-animation:borderFadein 1.5s;animation:borderFadein 1.5s}.validation-message{color:#a94442}.validation-errors{color:#a94442}.modal-header .header-input-group{margin-top:-7px;margin-right:auto;display:flex;justify-content:space-between}.modal-header .header-input-group .input-toggle{padding-left:8px}.modal-dialog-scrollable .modal-content{overflow:auto}.drag-drop-zone{border:2px dashed #df8935;padding:.5rem .3rem .5rem .3rem;display:flex;align-items:center;justify-content:center;background-color:#eee;box-shadow:inset 0 0 8px rgba(0,0,0,.2);color:#aeaeae;font-size:1rem;cursor:pointer;position:relative}.drag-drop-zone:hover{background-color:#f5f5f5}.drag-drop-zone input[type=file]{position:absolute;width:100%;height:100%;opacity:0;cursor:pointer}
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/wwwroot/index.html b/src/FoxIDs.ControlClient/wwwroot/index.html
index 03521e76d..3772c830b 100644
--- a/src/FoxIDs.ControlClient/wwwroot/index.html
+++ b/src/FoxIDs.ControlClient/wwwroot/index.html
@@ -1,32 +1,29 @@
 <!DOCTYPE html>
 <html>
+    <head>
+        <meta charset="utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
+        <title>FoxIDs</title>
+        <base href="/" />
+        <link href="lib/bootstrap/bootstrap.min.css?v={version}" rel="stylesheet" />
+        <link href="lib/bootstrap-toggle/bootstrap4-toggle.min.css?v={version}" rel="stylesheet" />
+        <link href="FoxIDs.ControlClient.styles.css?v={version}" rel="stylesheet">
+        <link href="css/app{min}.css?v={version}" rel="stylesheet" />
+    </head>
+    <body>
+        <div id="app">Loading...</div>
 
-<head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
-    <title>FoxIDs</title>
-    <base href="/" />
-    <link href="lib/bootstrap/bootstrap.min.css" rel="stylesheet" />
-    <link href="lib/bootstrap-toggle/bootstrap4-toggle.min.css" rel="stylesheet" />
-    <link href="FoxIDs.ControlClient.styles.css" rel="stylesheet">
-    <link href="css/app.css" rel="stylesheet" />
-</head>
-
-<body>
-    <div id="app">Loading...</div>
-
-    <div id="blazor-error-ui">
-        An unhandled error has occurred.
-        <a href="" class="reload">Reload</a>
-        <a class="dismiss">🗙</a>
-    </div>
-    <script src="lib/jquery/jquery-3.5.1.min.js"></script>
-    <script src="lib/popper/popper.min.js"></script>
-    <script src="lib/bootstrap/bootstrap.bundle.min.js"></script>
-    <script src="js/save-cert-file.js"></script>
-    <script src="js/site.js"></script>
-    <script src="_content/BlazorInputFile/inputfile.js"></script>
-    <script src="_framework/blazor.webassembly.js"></script>
-</body>
-
+        <div id="blazor-error-ui">
+            An unhandled error has occurred.
+            <a href="" class="reload">Reload</a>
+            <a class="dismiss">🗙</a>
+        </div>
+        <script src="lib/jquery/jquery-3.5.1.min.js"></script>
+        <script src="lib/popper/popper.min.js?v={version}"></script>
+        <script src="lib/bootstrap/bootstrap.bundle.min.js?v={version}"></script>
+        <script src="js/save-cert-file{min}.js?v={version}"></script>
+        <script src="js/site{min}.js?v={version}"></script>
+        <script src="_content/BlazorInputFile/inputfile.js?v={version}"></script>
+        <script src="_framework/blazor.webassembly.js?v={version}"></script>
+    </body>
 </html>
diff --git a/src/FoxIDs.ControlClient/wwwroot/js/save-cert-file.min.js b/src/FoxIDs.ControlClient/wwwroot/js/save-cert-file.min.js
new file mode 100644
index 000000000..bc1f81ec8
--- /dev/null
+++ b/src/FoxIDs.ControlClient/wwwroot/js/save-cert-file.min.js
@@ -0,0 +1 @@
+function saveCertFile(n,t){var i=document.createElement("a");i.download=n;i.href="data:application/pkix-cert;charset=utf-8,"+encodeURIComponent("-----BEGIN CERTIFICATE-----\n"+t+"\n-----END CERTIFICATE-----");document.body.appendChild(i);i.click();document.body.removeChild(i)}
\ No newline at end of file
diff --git a/src/FoxIDs.ControlClient/wwwroot/js/site.min.js b/src/FoxIDs.ControlClient/wwwroot/js/site.min.js
new file mode 100644
index 000000000..cf14f1829
--- /dev/null
+++ b/src/FoxIDs.ControlClient/wwwroot/js/site.min.js
@@ -0,0 +1 @@
+(function(){function n(){$(".input-control:not(.active)").each(function(){var t=$(this),n;t.val()&&(n=t.closest(".active-group"),n&&n.addClass("active"))})}window.SetElementFocus=n=>{n.focus()};$(".input-control").each(function(){var t=$(this),n=t.closest(".active-group");t.val()&&n&&n.addClass("active");t.blur(function(){t.val()?n&&n.addClass("active"):n&&n.removeClass("active")})});setInterval(n,100)})();
\ No newline at end of file
diff --git a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
index 646e33bd7..0ba5eb295 100644
--- a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
+++ b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.2.5.0</Version>
+		<Version>1.2.6.4</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
diff --git a/src/FoxIDs.ControlShared/Models/Api/JwtWithCertificateInfo.cs b/src/FoxIDs.ControlShared/Models/Api/JwtWithCertificateInfo.cs
index e818a4a5e..2e432853b 100644
--- a/src/FoxIDs.ControlShared/Models/Api/JwtWithCertificateInfo.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/JwtWithCertificateInfo.cs
@@ -2,7 +2,7 @@
 
 namespace FoxIDs.Models.Api
 {
-    public class JwtWithCertificateInfo : JsonWebKey
+    public class JwkWithCertificateInfo : JsonWebKey
     {
         public CertificateInfo CertificateInfo { get; set; }
     }
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKey.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKey.cs
index e84523fd3..2ad1c66d8 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKey.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKey.cs
@@ -12,6 +12,6 @@ public class ClientKey
         public string ExternalName { get; set; }
 
         [Required]
-        public JwtWithCertificateInfo PublicKey { get; set; }
+        public JwkWithCertificateInfo PublicKey { get; set; }
     }
 }
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientSecretSingleRequest.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientSecretSingleRequest.cs
new file mode 100644
index 000000000..eb6ff42eb
--- /dev/null
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientSecretSingleRequest.cs
@@ -0,0 +1,25 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace FoxIDs.Models.Api
+{
+    /// <summary>
+    /// OAuth 2.0 client secret request - one secret.
+    /// </summary>
+    public class OAuthClientSecretSingleRequest
+    {
+        /// <summary>
+        /// OAuth 2.0 party name.
+        /// </summary>
+        [Required]
+        [MaxLength(Constants.Models.Party.NameLength)]
+        [RegularExpression(Constants.Models.Party.NameRegExPattern)]
+        public string PartyName { get; set; }
+
+        /// <summary>
+        /// Secret.
+        /// </summary>
+        [Required]
+        [MaxLength(Constants.Models.SecretHash.SecretLength)]
+        public string Secret { get; set; }
+    }
+}
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientSecretSingleResponse.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientSecretSingleResponse.cs
new file mode 100644
index 000000000..d08bff6de
--- /dev/null
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientSecretSingleResponse.cs
@@ -0,0 +1,16 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace FoxIDs.Models.Api
+{
+    /// <summary>
+    /// OAuth 2.0 client secret response - one secret.
+    /// </summary>
+    public class OAuthClientSecretSingleResponse
+    {
+        /// <summary>
+        /// Secret info.
+        /// </summary>
+        [MaxLength(Constants.Models.SecretHash.InfoLength)]
+        public string Info { get; set; }
+    }
+}
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthDownClient.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthDownClient.cs
index ab1b9b2b6..44fb6ab66 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthDownClient.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthDownClient.cs
@@ -36,7 +36,7 @@ public class OAuthDownClient : IValidatableObject
 
         [ListLength(Constants.Models.OAuthDownParty.Client.ClientKeysMin, Constants.Models.OAuthDownParty.Client.ClientKeysMax)]
         [Display(Name = "Client certificates")]
-        public List<JwtWithCertificateInfo> ClientKeys { get; set; }
+        public List<JwkWithCertificateInfo> ClientKeys { get; set; }
 
         /// <summary>
         /// Require PKCE, default true.
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthUpParty.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthUpParty.cs
index e6f1cbf67..aef2975fd 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthUpParty.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthUpParty.cs
@@ -39,7 +39,7 @@ public class OAuthUpParty : IValidatableObject, INameValue, IClaimTransform<OAut
         public string SpIssuer { get; set; }
 
         [ListLength(Constants.Models.OAuthUpParty.KeysApiMin, Constants.Models.OAuthUpParty.KeysMax)]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         /// <summary>
         /// OAuth up client.
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OidcDownClient.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OidcDownClient.cs
index f138c1a3f..58428127b 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/OidcDownClient.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OidcDownClient.cs
@@ -46,7 +46,7 @@ public class OidcDownClient : IValidatableObject
 
         [ListLength(Constants.Models.OAuthDownParty.Client.ClientKeysMin, Constants.Models.OAuthDownParty.Client.ClientKeysMax)]
         [Display(Name = "Client certificates")]
-        public List<JwtWithCertificateInfo> ClientKeys { get; set; }
+        public List<JwkWithCertificateInfo> ClientKeys { get; set; }
 
         /// <summary>
         /// Require PKCE, default true.
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpClient.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpClient.cs
index b2a26c7fd..7eaf9aa5e 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpClient.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpClient.cs
@@ -92,14 +92,7 @@ public IEnumerable<ValidationResult> ValidateFromParty(PartyUpdateStates updateS
                 {
                     results.Add(new ValidationResult($"Require '{IdentityConstants.ResponseTypes.Code}' response type with PKCE.", new[] { $"{nameof(OidcUpParty.Client)}.{nameof(EnablePkce)}" }));
                 }
-                if (ResponseType.Contains(IdentityConstants.ResponseTypes.Code) == true)
-                {
-                    if (ClientAuthenticationMethod != ClientAuthenticationMethods.PrivateKeyJwt && ClientSecret.IsNullOrEmpty())
-                    {
-                        results.Add(new ValidationResult($"Require '{nameof(OidcUpParty.Client)}.{nameof(ClientSecret)}' or '{nameof(OidcUpParty.Client)}.{nameof(ClientAuthenticationMethod)}={ClientAuthenticationMethods.PrivateKeyJwt}' to execute '{IdentityConstants.ResponseTypes.Code}' response type.", new[] { $"{nameof(OidcUpParty.Client)}.{nameof(ClientSecret)}" }));
-                    }
-                }
-
+   
                 if (updateState == PartyUpdateStates.Manual && ResponseType.Contains(IdentityConstants.ResponseTypes.Code) == true)
                 {
                     if (TokenUrl.IsNullOrEmpty())
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpParty.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpParty.cs
index 4489c6a24..2b1d26030 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpParty.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OidcUpParty.cs
@@ -40,7 +40,7 @@ public class OidcUpParty : IValidatableObject, INameValue, IClaimTransform<OAuth
         public string SpIssuer { get; set; }
 
         [ListLength(Constants.Models.OAuthUpParty.KeysApiMin, Constants.Models.OAuthUpParty.KeysMax)]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         /// <summary>
         /// Default 10 hours.
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/SamlDownParty.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/SamlDownParty.cs
index 8559b350c..f3c837a72 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/SamlDownParty.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/SamlDownParty.cs
@@ -108,9 +108,9 @@ public class SamlDownParty : IDownParty, INameValue, IValidatableObject, IClaimT
         public string LoggedOutUrl { get; set; }
 
         [ListLength(Constants.Models.SamlParty.Down.KeysMin, Constants.Models.SamlParty.KeysMax)]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
-        public JwtWithCertificateInfo EncryptionKey { get; set; }
+        public JwkWithCertificateInfo EncryptionKey { get; set; }
 
         public bool MetadataAddLogoutResponseLocation { get; set; }
 
diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/SamlUpParty.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/SamlUpParty.cs
index 32fff8c55..a7763a2fd 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Parties/SamlUpParty.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Parties/SamlUpParty.cs
@@ -75,7 +75,7 @@ public class SamlUpParty : INameValue, IValidatableObject, IClaimTransform<SamlC
         public bool SignAuthnRequest { get; set; }
 
         [ListLength(0, Constants.Models.SamlParty.KeysMax)]
-        public List<JwtWithCertificateInfo> Keys { get; set; }
+        public List<JwkWithCertificateInfo> Keys { get; set; }
 
         public SamlBindingTypes? LogoutRequestBinding { get; set; }
 
diff --git a/src/FoxIDs.ControlShared/Models/Api/Tracks/MyUser.cs b/src/FoxIDs.ControlShared/Models/Api/Tracks/MyUser.cs
new file mode 100644
index 000000000..86bf0ee6f
--- /dev/null
+++ b/src/FoxIDs.ControlShared/Models/Api/Tracks/MyUser.cs
@@ -0,0 +1,20 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace FoxIDs.Models.Api
+{
+    public class MyUser
+    {
+        [MaxLength(Constants.Models.User.EmailLength)]
+        [EmailAddress]
+        [RegularExpression(Constants.Models.User.EmailRegExPattern)]
+        [Display(Name = "Email")]
+        public string Email { get; set; }
+
+        [MaxLength(Constants.Models.User.UserIdLength)]
+        [Display(Name = "User id (unique and persistent)")]
+        public string UserId { get; set; }
+
+        [Display(Name = "User must change password")]
+        public bool ChangePassword { get; set; }
+    }
+}
diff --git a/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyItemsContained.cs b/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyItemsContained.cs
index b6ad2fcda..6743f8f06 100644
--- a/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyItemsContained.cs
+++ b/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyItemsContained.cs
@@ -1,5 +1,4 @@
-using ITfoxtec.Identity.Models;
-using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations;
 
 namespace FoxIDs.Models.Api
 {
@@ -11,8 +10,8 @@ public class TrackKeyItemsContained : INameValue
         public string Name { get; set; }
 
         [Required]
-        public JwtWithCertificateInfo PrimaryKey { get; set; }
+        public JwkWithCertificateInfo PrimaryKey { get; set; }
 
-        public JwtWithCertificateInfo SecondaryKey { get; set; }
+        public JwkWithCertificateInfo SecondaryKey { get; set; }
     }
 }
diff --git a/src/FoxIDs.ControlShared/Models/Api/Tracks/UserControlProfile.cs b/src/FoxIDs.ControlShared/Models/Api/Tracks/UserControlProfile.cs
new file mode 100644
index 000000000..29695d65b
--- /dev/null
+++ b/src/FoxIDs.ControlShared/Models/Api/Tracks/UserControlProfile.cs
@@ -0,0 +1,13 @@
+using Newtonsoft.Json;
+using System.ComponentModel.DataAnnotations;
+
+namespace FoxIDs.Models.Api
+{
+    public class UserControlProfile
+    {
+        [MaxLength(Constants.Models.Track.NameLength)]
+        [RegularExpression(Constants.Models.Track.NameDbRegExPattern)]
+        [Display(Name = "Last track")]
+        public string LastTrackName { get; set; }        
+    }
+}
diff --git a/src/FoxIDs.ResourceTranslateTool/FoxIDs.ResourceTranslateTool.csproj b/src/FoxIDs.ResourceTranslateTool/FoxIDs.ResourceTranslateTool.csproj
index 2696cd560..8d7d27d39 100644
--- a/src/FoxIDs.ResourceTranslateTool/FoxIDs.ResourceTranslateTool.csproj
+++ b/src/FoxIDs.ResourceTranslateTool/FoxIDs.ResourceTranslateTool.csproj
@@ -23,7 +23,7 @@
 
   <ItemGroup>
     <PackageReference Include="DeepL.net" Version="1.8.0" />
-    <PackageReference Include="Google.Cloud.Translate.V3" Version="3.3.0" />
+    <PackageReference Include="Google.Cloud.Translate.V3" Version="3.4.0" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/FoxIDs.Shared/FoxIDs.Shared.csproj b/src/FoxIDs.Shared/FoxIDs.Shared.csproj
index 58aa6e718..df2a5843e 100644
--- a/src/FoxIDs.Shared/FoxIDs.Shared.csproj
+++ b/src/FoxIDs.Shared/FoxIDs.Shared.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.2.5.0</Version>
+		<Version>1.2.6.4</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -26,11 +26,11 @@
 	<ItemGroup>
 		<FrameworkReference Include="Microsoft.AspNetCore.App" />
 		<PackageReference Include="Microsoft.ApplicationInsights" Version="2.22.0" />
-		<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.37.0" />
+		<PackageReference Include="Microsoft.Azure.Cosmos" Version="3.38.1" />
 		<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
 		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.5.1" />	
-		<PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="8.0.0" />
-		<PackageReference Include="SendGrid" Version="9.28.1" />
+		<PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="8.0.1" />
+		<PackageReference Include="SendGrid" Version="9.29.1" />
 	</ItemGroup>
 
 	<ItemGroup>
diff --git a/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs b/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs
index 06227c32f..fe5ba635a 100644
--- a/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs
+++ b/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs
@@ -101,13 +101,13 @@ public async Task<LoginUpParty> CreateLoginDocumentAsync(string tenantName, stri
             return mLoginUpParty;
         }
 
-        public async Task CreateFirstAdminUserDocumentAsync(string tenantName, string email, string password, bool changePassword, bool checkUserAndPasswordPolicy, bool confirmAccount)
+        public async Task CreateFirstAdminUserDocumentAsync(string tenantName, string email, string password, bool changePassword, bool checkUserAndPasswordPolicy, bool confirmAccount, bool isMasterTenant = false)
         {
-            var claims = new List<Claim> { new Claim(JwtClaimTypes.Role, Constants.ControlApi.Role.TenantAdmin) };
+            var claims = new List<Claim> { new Claim(JwtClaimTypes.Role, isMasterTenant ? Constants.ControlApi.Access.TenantAdminRole : Constants.ControlApi.Access.Tenant) };
             await accountLogic.CreateUser(email, password, changePassword: changePassword, claims: claims, tenantName: tenantName?.ToLower(), trackName: Constants.Routes.MasterTrackName, checkUserAndPasswordPolicy: checkUserAndPasswordPolicy, confirmAccount: confirmAccount);
         }
 
-        public async Task CreateMasterFoxIDsControlApiResourceDocumentAsync(string tenantName, bool includeMasterTenantScope = false)
+        public async Task CreateMasterFoxIDsControlApiResourceDocumentAsync(string tenantName, bool isMasterTenant = false)
         {
             var mControlApiResourceDownParty = new OAuthDownParty
             {
@@ -116,10 +116,51 @@ public async Task CreateMasterFoxIDsControlApiResourceDocumentAsync(string tenan
             var partyIdKey = new Party.IdKey { TenantName = tenantName?.ToLower(), TrackName = Constants.Routes.MasterTrackName, PartyName = Constants.ControlApi.ResourceName };
             await mControlApiResourceDownParty.SetIdAsync(partyIdKey);
            
-            var scopes = new List<string> { Constants.ControlApi.Scope.Tenant };
-            if (includeMasterTenantScope)
+            var scopes = new List<string>
+            {
+                Constants.ControlApi.Access.Tenant,
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Read}",
+
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.Segment.Base}",
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.Segment.Base}{Constants.ControlApi.AccessElement.Read}",
+
+
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]",
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.AccessElement.Read}",
+
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.Usage}",
+
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.Log}",
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.Log}{Constants.ControlApi.AccessElement.Read}",
+
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.User}",
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.User}{Constants.ControlApi.AccessElement.Read}",
+
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.Party}",
+                $"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}[{Constants.Routes.MasterTrackName}]{Constants.ControlApi.Segment.Party}{Constants.ControlApi.AccessElement.Read}"
+            };
+
+            if (!isMasterTenant)
+            {
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}");
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.AccessElement.Read}");
+
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.Usage}");
+
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.Log}");
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.Log}{Constants.ControlApi.AccessElement.Read}");
+
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.User}");
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.User}{Constants.ControlApi.AccessElement.Read}");
+
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.Party}");
+                scopes.Add($"{Constants.ControlApi.Access.Tenant}{Constants.ControlApi.AccessElement.Track}{Constants.ControlApi.Segment.Party}{Constants.ControlApi.AccessElement.Read}");
+            }
+            else
             {
-                scopes.Add(Constants.ControlApi.Scope.Master);
+                scopes.Add(Constants.ControlApi.Access.Master);
+                scopes.Add($"{Constants.ControlApi.Access.Master}{Constants.ControlApi.AccessElement.Read}");
+                scopes.Add($"{Constants.ControlApi.Access.Master}{Constants.ControlApi.Segment.Usage}");
             }
             mControlApiResourceDownParty.Resource = new OAuthDownResource()
             {
@@ -142,10 +183,10 @@ public async Task CreateMasterControlClientDocmentAsync(string tenantName, strin
             mControlClientDownParty.AllowUpParties = new List<UpPartyLink> { new UpPartyLink { Name = loginUpParty.Name?.ToLower(), Type = loginUpParty.Type } };
             mControlClientDownParty.AllowCorsOrigins = GetControlClientAllowCorsOrigins(controlClientBaseUri);
 
-            var scopes = new List<string> { Constants.ControlApi.Scope.Tenant };
+            var scopes = new List<string> { Constants.ControlApi.Access.Tenant };
             if (includeMasterTenantScope)
             {
-                scopes.Add(Constants.ControlApi.Scope.Master);
+                scopes.Add(Constants.ControlApi.Access.Master);
             }
             mControlClientDownParty.Client = new OidcDownClient
             {
diff --git a/src/FoxIDs.Shared/Models/Tracks/UserControlProfile.cs b/src/FoxIDs.Shared/Models/Tracks/UserControlProfile.cs
new file mode 100644
index 000000000..40f53a401
--- /dev/null
+++ b/src/FoxIDs.Shared/Models/Tracks/UserControlProfile.cs
@@ -0,0 +1,51 @@
+using Newtonsoft.Json;
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.Threading.Tasks;
+
+namespace FoxIDs.Models
+{
+    public class UserControlProfile : DataDocument
+    {
+        public static async Task<string> IdFormatAsync(IdKey idKey)
+        {
+            if (idKey == null) new ArgumentNullException(nameof(idKey));
+            await idKey.ValidateObjectAsync();
+
+            return $"ucp:{idKey.TenantName}:{idKey.TrackName}:{idKey.UserHashId}";
+        }
+
+        public static async Task<string> IdFormatAsync(RouteBinding routeBinding, string userHashId)
+        {
+            if (routeBinding == null) new ArgumentNullException(nameof(routeBinding));
+            if (userHashId == null) new ArgumentNullException(nameof(userHashId));
+
+            var idKey = new IdKey
+            {
+                TenantName = routeBinding.TenantName,
+                TrackName = routeBinding.TrackName,
+                UserHashId = userHashId
+            };
+
+            return await IdFormatAsync(idKey);
+        }
+
+        [Required]
+        [MaxLength(Constants.Models.User.IdLength)]
+        [RegularExpression(Constants.Models.User.IdRegExPattern)]
+        [JsonProperty(PropertyName = "id")]
+        public override string Id { get; set; }
+
+        [MaxLength(Constants.Models.Track.NameLength)]
+        [RegularExpression(Constants.Models.Track.NameDbRegExPattern)]
+        [JsonProperty(PropertyName = "last_track_name")]
+        public string LastTrackName { get; set; }        
+
+        public class IdKey : Track.IdKey
+        {
+            [Required]
+            [MaxLength(Constants.Models.UserControlProfile.UserHashIdLength)]
+            public string UserHashId { get; set; }
+        }
+    }
+}
diff --git a/src/FoxIDs.SharedBase/Constants.cs b/src/FoxIDs.SharedBase/Constants.cs
index 18d69b052..3f74bb272 100644
--- a/src/FoxIDs.SharedBase/Constants.cs
+++ b/src/FoxIDs.SharedBase/Constants.cs
@@ -1,6 +1,7 @@
 using FoxI = ITfoxtec.Identity;
 using System.Security.Claims;
 using ITfoxtec.Identity.Saml2.Claims;
+using System.Net.Http;
 
 namespace FoxIDs
 {
@@ -271,6 +272,11 @@ public static class User
                 public const int TwoFactorAppCodeLength = 50;
             }
 
+            public static class UserControlProfile
+            {
+                public const int UserHashIdLength = 50;
+            }
+
             public static class DynamicElements
             {
                 public const int ElementsMin = 0;
@@ -342,7 +348,7 @@ public static class OAuthDownParty
                 public const int AllowCorsOriginLength = 200;
 
                 public const int ScopeLength = 50;
-                public const string ScopeRegExPattern = @"^[\w:\-.]*$";
+                public const string ScopeRegExPattern = @"^[\w:;.,=\[\]\-_]*$";
 
                 public static class Grant
                 {
@@ -544,25 +550,42 @@ public static class ControlClient
         public static class ControlApi
         {
             public const string Version = "v1";
-            public readonly static string[] SupportedApiHttpMethods = { "GET", "PUT", "POST", "DELETE" };
+            public readonly static string[] SupportedApiHttpMethods = { HttpMethod.Get.Method, HttpMethod.Post.Method, HttpMethod.Put.Method, HttpMethod.Delete.Method };
 
             public const string ResourceName = "foxids_control_api";
 
             public static class ResourceAndScope
             {
-                public readonly static string Master = $"{ResourceName}:{Scope.Master}";
-                public readonly static string Tenant = $"{ResourceName}:{Scope.Tenant}";
+                public readonly static string Master = $"{ResourceName}:{Access.Master}";
+                public readonly static string Tenant = $"{ResourceName}:{Access.Tenant}";
+            }
+
+            public static class Access
+            {
+                public readonly static string Master = $"foxids{AccessElement.Master}";
+                public readonly static string Tenant = $"foxids{AccessElement.Tenant}";
+                public readonly static string TenantAdminRole = $"{Tenant}{AccessElement.Admin}";
             }
 
-            public static class Scope
+            public static class AccessElement
             {
-                public const string Master = "foxids:master";
-                public const string Tenant = "foxids:tenant";
+                public const string Master = ":master";
+                public const string Tenant = ":tenant";
+                public const string Track = ":track";
+                public const string Admin = ".admin";
+                public const string Read = ".read";
+                public const string Create = ".create";
+                public const string Update = ".update";
+                public const string Delete = ".delete";
             }
 
-            public static class Role
+            public static class Segment
             {
-                public const string TenantAdmin = "foxids:tenant.admin";
+                public const string Base = ":base"; 
+                public const string Usage = ":usage";
+                public const string Log = ":log";
+                public const string User = ":user";
+                public const string Party = ":party";
             }
         }
 
diff --git a/src/FoxIDs.SharedBase/Extensions/ListExtensions.cs b/src/FoxIDs.SharedBase/Extensions/ListExtensions.cs
index 84640ea79..aab44f6e4 100644
--- a/src/FoxIDs.SharedBase/Extensions/ListExtensions.cs
+++ b/src/FoxIDs.SharedBase/Extensions/ListExtensions.cs
@@ -8,7 +8,7 @@ namespace FoxIDs
     /// <summary>
     /// Extension methods for arrays and dictionary's.
     /// </summary>
-    public static class ListExtensions
+    public static class List
     {
         /// <summary>
         /// Converts a string list to a dot separated list.
diff --git a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
index 9c3083455..0bebe803b 100644
--- a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
+++ b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.2.5.0</Version>
+		<Version>1.2.6.4</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -10,7 +10,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="ITfoxtec.Identity" Version="2.5.42" />
+		<PackageReference Include="ITfoxtec.Identity" Version="2.5.43" />
 		<PackageReference Include="ITfoxtec.Identity.Saml2" Version="4.10.8" />
 		<PackageReference Include="Microsoft.AspNetCore.Components.DataAnnotations.Validation" Version="3.2.0-rc1.20223.4" />
 		<PackageReference Include="System.Net.Http.Json" Version="8.0.0" />
diff --git a/src/FoxIDs/Controllers/LoginController.cs b/src/FoxIDs/Controllers/LoginController.cs
index fc73c1cca..b7ded0f64 100644
--- a/src/FoxIDs/Controllers/LoginController.cs
+++ b/src/FoxIDs/Controllers/LoginController.cs
@@ -183,12 +183,21 @@ private async Task<IActionResult> IdentifierInternalAsync()
                 securityHeaderLogic.AddImgSrc(loginUpParty.IconUrl);
                 securityHeaderLogic.AddImgSrcFromCss(loginUpParty.Css);
 
-                var redirectAction = await CheckSessionReturnRedirectAction(sequenceData, loginUpParty);
+                (var validSession, var email, var redirectAction) = await CheckSessionReturnRedirectAction(sequenceData, loginUpParty);
                 if (redirectAction != null)
                 {
                     return redirectAction;
                 }
 
+                if (validSession && sequenceData.LoginAction == LoginAction.SessionUserRequireLogin)
+                {
+                    sequenceData.DoLoginIdentifierStep = false;
+                    sequenceData.Email = email;
+                    sequenceData.DoSessionUserRequireLogin = true;
+                    await sequenceLogic.SaveSequenceDataAsync(sequenceData);
+                    return await PasswordInternalAsync();
+                }
+
                 logger.ScopeTrace(() => "Show identifier dialog.");
                 return base.View("Identifier", new IdentifierViewModel
                 {
@@ -197,7 +206,7 @@ private async Task<IActionResult> IdentifierInternalAsync()
                     IconUrl = loginUpParty.IconUrl,
                     Css = loginUpParty.Css,
                     EnableCancelLogin = loginUpParty.EnableCancelLogin,
-                    EnableCreateUser = loginUpParty.EnableCreateUser,
+                    EnableCreateUser = loginUpParty.EnableCreateUser,                    
                     Email = sequenceData.Email.IsNullOrWhiteSpace() ? string.Empty : sequenceData.Email,
                     ShowEmailSelection = ShowEmailSelection(loginUpParty.Name, sequenceData),
                     UpPatries = GetToUpPartiesToShow(loginUpParty.Name, sequenceData)
@@ -354,7 +363,7 @@ private async Task<IActionResult> PasswordInternalAsync()
 
         private async Task<IActionResult> StartPasswordInternal(LoginUpSequenceData sequenceData, LoginUpParty loginUpParty)
         {
-            var redirectAction = await CheckSessionReturnRedirectAction(sequenceData, loginUpParty);
+            (var validSession, var email, var redirectAction) = await CheckSessionReturnRedirectAction(sequenceData, loginUpParty);
             if (redirectAction != null)
             {
                 return redirectAction;
@@ -374,26 +383,27 @@ private async Task<IActionResult> StartPasswordInternal(LoginUpSequenceData sequ
                 Css = loginUpParty.Css,
                 EnableCancelLogin = loginUpParty.EnableCancelLogin,
                 EnableResetPassword = !loginUpParty.DisableResetPassword,
-                EnableCreateUser = loginUpParty.EnableCreateUser,
+                EnableCreateUser = !sequenceData.DoSessionUserRequireLogin && loginUpParty.EnableCreateUser,
+                DisableChangeEmail = sequenceData.DoSessionUserRequireLogin,
                 Email = sequenceData.Email,
             });
         }
 
-        private async Task<IActionResult> CheckSessionReturnRedirectAction(LoginUpSequenceData sequenceData, LoginUpParty loginUpParty)
+        private async Task<(bool validSession, string email, IActionResult actionResult)> CheckSessionReturnRedirectAction(LoginUpSequenceData sequenceData, LoginUpParty loginUpParty)
         {
             (var session, var user) = await sessionLogic.GetAndUpdateSessionCheckUserAsync(loginUpParty, loginPageLogic.GetDownPartyLink(loginUpParty, sequenceData));
             var validSession = session != null && ValidSessionUpAgainstSequence(sequenceData, session, loginPageLogic.GetRequereMfa(user, loginUpParty, sequenceData));
-            if (validSession && sequenceData.LoginAction != LoginAction.RequireLogin)
+            if (validSession && sequenceData.LoginAction != LoginAction.RequireLogin && sequenceData.LoginAction != LoginAction.SessionUserRequireLogin)
             {
-                return await loginPageLogic.LoginResponseUpdateSessionAsync(loginUpParty, sequenceData.DownPartyLink, session);
+                return (validSession, user?.Email, await loginPageLogic.LoginResponseUpdateSessionAsync(loginUpParty, sequenceData.DownPartyLink, session));
             }
 
             if (sequenceData.LoginAction == LoginAction.ReadSession)
             {
-                return await loginUpLogic.LoginResponseErrorAsync(sequenceData, LoginSequenceError.LoginRequired);
+                return (validSession, user?.Email, await loginUpLogic.LoginResponseErrorAsync(sequenceData, LoginSequenceError.LoginRequired));
             }
 
-            return null;
+            return (validSession, user?.Email, null);
         }        
 
         private bool ValidSessionUpAgainstSequence(LoginUpSequenceData sequenceData, SessionLoginUpPartyCookie session, bool requereMfa = false)
@@ -446,7 +456,8 @@ private async Task<IActionResult> PasswordInternalAsync(LoginViewModel login)
                         Css = loginUpParty.Css,
                         EnableCancelLogin = loginUpParty.EnableCancelLogin,
                         EnableResetPassword = !loginUpParty.DisableResetPassword,
-                        EnableCreateUser = loginUpParty.EnableCreateUser,
+                        EnableCreateUser = !sequenceData.DoSessionUserRequireLogin && loginUpParty.EnableCreateUser,
+                        DisableChangeEmail = sequenceData.DoSessionUserRequireLogin,
                         Email = sequenceData.Email
                     };
                     return View("Password", password);
diff --git a/src/FoxIDs/FoxIDs.csproj b/src/FoxIDs/FoxIDs.csproj
index 8da60c6f8..66e042586 100644
--- a/src/FoxIDs/FoxIDs.csproj
+++ b/src/FoxIDs/FoxIDs.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 	<PropertyGroup>
 		<TargetFramework>net8.0</TargetFramework>
-		<Version>1.2.5.0</Version>
+		<Version>1.2.6.4</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -30,12 +30,12 @@
 		<PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.0" />
 		<PackageReference Include="Azure.Identity" Version="1.10.4" />
 		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.5.1" />
-		<PackageReference Include="GoogleAuthenticator" Version="3.1.1" />
+		<PackageReference Include="GoogleAuthenticator" Version="3.2.0" />
 		<PackageReference Include="ITfoxtec.Identity.Saml2.MvcCore" Version="4.10.8" />
 		<PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
-		<PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="8.0.0" />
-		<PackageReference Include="Microsoft.AspNetCore.Cryptography.KeyDerivation" Version="8.0.0" />
-		<PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.0" />
+		<PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="8.0.1" />
+		<PackageReference Include="Microsoft.AspNetCore.Cryptography.KeyDerivation" Version="8.0.1" />
+		<PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.1" />
 		<PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
 		<PackageReference Include="RSAKeyVaultProvider" Version="2.1.1" />
 		<PackageReference Include="System.Runtime.InteropServices" Version="4.3.0" />
diff --git a/src/FoxIDs/Logic/Login/LoginPageLogic.cs b/src/FoxIDs/Logic/Login/LoginPageLogic.cs
index 7b35ccf85..a4369f4a3 100644
--- a/src/FoxIDs/Logic/Login/LoginPageLogic.cs
+++ b/src/FoxIDs/Logic/Login/LoginPageLogic.cs
@@ -108,6 +108,11 @@ public async Task<IActionResult> LoginResponseSequenceAsync(LoginUpSequenceData
 
         private async Task<SessionLoginUpPartyCookie> ValidateSessionAndRequestedUserAsync(LoginUpSequenceData sequenceData, LoginUpParty loginUpParty, User user)
         {
+            if (sequenceData.LoginAction == LoginAction.RequireLogin)
+            {
+                return null;
+            }
+
             var session = await sessionLogic.GetSessionAsync(loginUpParty);
             if (session != null && user.UserId != session.UserId)
             {
diff --git a/src/FoxIDs/Logic/Oidc/OidcAuthDownLogic.cs b/src/FoxIDs/Logic/Oidc/OidcAuthDownLogic.cs
index f6176e429..a2e586faa 100644
--- a/src/FoxIDs/Logic/Oidc/OidcAuthDownLogic.cs
+++ b/src/FoxIDs/Logic/Oidc/OidcAuthDownLogic.cs
@@ -129,9 +129,9 @@ private async Task<LoginRequest> GetLoginRequestAsync(TParty party, Authenticati
         {
             var loginRequest = new LoginRequest { DownPartyLink = new DownPartySessionLink { SupportSingleLogout = !string.IsNullOrWhiteSpace(party.Client?.FrontChannelLogoutUri), Id = party.Id, Type = party.Type } };
 
-            loginRequest.LoginAction = !authenticationRequest.Prompt.IsNullOrWhiteSpace() && authenticationRequest.Prompt.Contains(IdentityConstants.AuthorizationServerPrompt.None) ? LoginAction.ReadSession : LoginAction.ReadSessionOrLogin;
+            loginRequest.LoginAction = GetLoginAction(authenticationRequest);
 
-            if(authenticationRequest.MaxAge.HasValue)
+            if (authenticationRequest.MaxAge.HasValue)
             {
                 loginRequest.MaxAge = authenticationRequest.MaxAge.Value;
             }
@@ -159,6 +159,27 @@ private async Task<LoginRequest> GetLoginRequestAsync(TParty party, Authenticati
             return loginRequest;
         }
 
+        private LoginAction GetLoginAction(AuthenticationRequest authenticationRequest)
+        {
+            if (!authenticationRequest.Prompt.IsNullOrWhiteSpace())
+            {
+                if (authenticationRequest.Prompt.Contains(IdentityConstants.AuthorizationServerPrompt.None))
+                {
+                    return LoginAction.ReadSession;
+                }
+                else if (authenticationRequest.Prompt.Contains(IdentityConstants.AuthorizationServerPrompt.Login))
+                {
+                    return LoginAction.SessionUserRequireLogin;
+                }
+                else if (authenticationRequest.Prompt.Contains(IdentityConstants.AuthorizationServerPrompt.SelectAccount))
+                {
+                    return LoginAction.RequireLogin;
+                }
+            }
+
+            return LoginAction.ReadSessionOrLogin;
+        }
+
         private void ValidateAuthenticationRequest(OidcDownClient client, AuthenticationRequest authenticationRequest, CodeChallengeSecret codeChallengeSecret)
         {
             try
diff --git a/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs b/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs
index 549f49eed..c30182f1a 100644
--- a/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs
+++ b/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs
@@ -124,9 +124,12 @@ public async Task<IActionResult> AuthenticationRequestAsync(string partyId)
                 case LoginAction.ReadSession:
                     authenticationRequest.Prompt = IdentityConstants.AuthorizationServerPrompt.None;
                     break;
-                case LoginAction.RequireLogin:
+                case LoginAction.SessionUserRequireLogin:
                     authenticationRequest.Prompt = IdentityConstants.AuthorizationServerPrompt.Login;
                     break;
+                case LoginAction.RequireLogin:
+                    authenticationRequest.Prompt = IdentityConstants.AuthorizationServerPrompt.SelectAccount;
+                    break;
                 default:
                     break;
             }
diff --git a/src/FoxIDs/Logic/Saml/SamlAuthnDownLogic.cs b/src/FoxIDs/Logic/Saml/SamlAuthnDownLogic.cs
index 41974fdf9..9062ca339 100644
--- a/src/FoxIDs/Logic/Saml/SamlAuthnDownLogic.cs
+++ b/src/FoxIDs/Logic/Saml/SamlAuthnDownLogic.cs
@@ -170,7 +170,7 @@ private LoginRequest GetLoginRequestAsync(SamlDownParty party, Saml2AuthnRequest
 
             if(saml2AuthnRequest.ForceAuthn.HasValue && saml2AuthnRequest.ForceAuthn.Value)
             {
-                loginRequest.LoginAction = LoginAction.RequireLogin;
+                loginRequest.LoginAction = LoginAction.SessionUserRequireLogin;
             }
             else if(saml2AuthnRequest.IsPassive.HasValue && saml2AuthnRequest.IsPassive.Value)
             {
diff --git a/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs b/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
index 72b2e39bd..ee03f00f8 100644
--- a/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
+++ b/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
@@ -119,6 +119,7 @@ private async Task<IActionResult> AuthnRequestAsync(SamlUpParty party, Saml2Bind
                 case LoginAction.ReadSession:
                     saml2AuthnRequest.IsPassive = true;
                     break;
+                case LoginAction.SessionUserRequireLogin:
                 case LoginAction.RequireLogin:
                     saml2AuthnRequest.ForceAuthn = true;
                     break;
diff --git a/src/FoxIDs/Models/Logic/LoginAction.cs b/src/FoxIDs/Models/Logic/LoginAction.cs
index 0d3ba41f3..2d591923c 100644
--- a/src/FoxIDs/Models/Logic/LoginAction.cs
+++ b/src/FoxIDs/Models/Logic/LoginAction.cs
@@ -7,7 +7,9 @@ public enum LoginAction
         [EnumMember(Value = "read_session")]
         ReadSession,
         [EnumMember(Value = "read_session_or_login")]
-        ReadSessionOrLogin,
+        ReadSessionOrLogin,     
+        [EnumMember(Value = "session_user_require_login")]
+        SessionUserRequireLogin,
         [EnumMember(Value = "require_login")]
         RequireLogin,
     }
diff --git a/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs b/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs
index 90dce18a9..3da609b32 100644
--- a/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs
+++ b/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs
@@ -14,6 +14,9 @@ public class LoginUpSequenceData : UpSequenceData
         [JsonProperty(PropertyName = "lr")]
         public bool PostLogoutRedirect { get; set; }
 
+        [JsonProperty(PropertyName = "srl")]
+        public bool DoSessionUserRequireLogin { get; set; }
+
         [JsonProperty(PropertyName = "e")]
         public string Email { get; set; }
 
@@ -43,6 +46,5 @@ public class LoginUpSequenceData : UpSequenceData
 
         [JsonProperty(PropertyName = "frc")]
         public string TwoFactorAppRecoveryCode { get; set; }
-
     }
 }
diff --git a/src/FoxIDs/Models/ViewModels/Login/PasswordViewModel.cs b/src/FoxIDs/Models/ViewModels/Login/PasswordViewModel.cs
index ca22fa2b3..95e951db7 100644
--- a/src/FoxIDs/Models/ViewModels/Login/PasswordViewModel.cs
+++ b/src/FoxIDs/Models/ViewModels/Login/PasswordViewModel.cs
@@ -12,6 +12,8 @@ public class PasswordViewModel : ViewModel
 
         public bool EnableCreateUser { get; set; }
 
+        public bool DisableChangeEmail { get; set; }
+
         [Display(Name = "Email")]
         [MaxLength(Constants.Models.User.EmailLength)]
         [EmailAddress]
diff --git a/src/FoxIDs/Views/Login/Password.cshtml b/src/FoxIDs/Views/Login/Password.cshtml
index 66b40d41e..be53d4afe 100644
--- a/src/FoxIDs/Views/Login/Password.cshtml
+++ b/src/FoxIDs/Views/Login/Password.cshtml
@@ -16,11 +16,17 @@
             <div class="form-group active-group active">
                 <div class="base-for-overlap">
                     <input asp-for="Email" id="showEmail" disabled autocomplete="off" class="form-control input-control bg-light" />
-                    <div class="overlap" onclick="location.href = '../_@Model.SequenceString';"></div>
+                    @if (!Model.DisableChangeEmail)
+                    {
+                        <div class="overlap" onclick="location.href = '../_@Model.SequenceString';"></div>
+                    }
                 </div>
                 <label asp-for="Email" id="showEmail" class="label-control"></label>
                 <span asp-validation-for="Email"></span>
-                <a href="../_@Model.SequenceString" class="btn btn-link btn-xs">@Localizer["Change email"]</a>
+                @if (!Model.DisableChangeEmail)
+                {
+                   <a href="../_@Model.SequenceString" class="btn btn-link btn-xs">@Localizer["Change email"]</a>
+                }
             </div>    
             <div class="form-group active-group">
                 <input asp-for="Password" autocomplete="current-password" class="form-control input-control" autofocus />
diff --git a/test/FoxIDs.UnitTests/FoxIDs.UnitTests.csproj b/test/FoxIDs.UnitTests/FoxIDs.UnitTests.csproj
index 0176e0b4e..0b7d9396c 100644
--- a/test/FoxIDs.UnitTests/FoxIDs.UnitTests.csproj
+++ b/test/FoxIDs.UnitTests/FoxIDs.UnitTests.csproj
@@ -6,11 +6,11 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.0" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.1" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="Moq" Version="4.20.70" />
-    <PackageReference Include="xunit" Version="2.6.4" />
+    <PackageReference Include="xunit" Version="2.6.6" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.5.6">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>