diff --git a/Cargo.lock b/Cargo.lock
index 8677cc6..ffb75c4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -86,6 +86,7 @@ dependencies = [
  "database",
  "hash",
  "id",
+ "openid",
  "thiserror",
  "url",
 ]
diff --git a/crates/apps/Cargo.toml b/crates/apps/Cargo.toml
index 22c7578..2c93719 100644
--- a/crates/apps/Cargo.toml
+++ b/crates/apps/Cargo.toml
@@ -12,3 +12,4 @@ url = { workspace = true }
 id = { path = "../id" }
 database = { path = "../database" }
 hash = { path = "../hash" }
+openid = { path = "../openid" }
\ No newline at end of file
diff --git a/crates/apps/src/database.rs b/crates/apps/src/database.rs
index 4f46f03..62a1412 100644
--- a/crates/apps/src/database.rs
+++ b/crates/apps/src/database.rs
@@ -42,11 +42,11 @@ impl App {
     }
 
     /// App needs to be not archived
-    pub async fn get_one(
+    pub(crate) async fn get_one(
         conn: impl SqliteExecutor<'_>,
         id: &str,
         redirect: &str,
-    ) -> Result, Error> {
+    ) -> Result, database::Error> {
         Ok(DatabaseApps::get_one(conn, id, redirect)
             .await?
             .map(Self::from))
diff --git a/crates/apps/src/get_valid.rs b/crates/apps/src/get_valid.rs
new file mode 100644
index 0000000..c1d8c38
--- /dev/null
+++ b/crates/apps/src/get_valid.rs
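Review bot: The doc comment on get_one, `/// App needs to be not archived`, does not say what the function does or what `None` means, and this hunk makes it the crate-internal lookup that get_valid_app builds on, so it is worth stating the contract; something like `/// Looks up the app whose id is `id` and whose registered redirect is `redirect`; returns `None` when no such app exists or it is archived.` The archived filtering presumably lives in DatabaseApps::get_one, which is outside the hunk, so confirm that before writing it as fact. The return type prints here as `Result, database::Error>`; the generic arguments appear to have been lost in rendering and are presumably `Result<Option<Self>, database::Error>`, which the doc line above should also make explicit.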
@@ -0,0 +1,42 @@
+// error
+#[derive(thiserror::Error)]
+// the rest
+#[derive(Debug)]
+pub enum Error {
+    #[error("Database: {0}")]
+    Database(#[from] database::Error),
+
+    #[error("Bad response types")]
+    ResponseTypes,
+
+    #[error("Invalid scopes")]
+    Scopes,
+
+    #[error("Invalid application")]
+    Application,
+}
+
+use super::App;
+use database::sqlx::SqliteExecutor;
+
+impl App {
+    pub async fn get_valid_app(
+        conn: impl SqliteExecutor<'_>,
+        response_type: &str,
+        scope: &str,
+        client_id: &str,
+        redirect_uri: &str,
+    ) -> Result {
+        // Check for valid response types
+        openid::parse_response_types(response_type).ok_or_else(|| Error::ResponseTypes)?;
+
+        // Check for supported scopes
+        if !openid::SupportedScopes::check_supported_scopes(scope) {
+            return Err(Error::Scopes);
+        }
+
+        Self::get_one(conn, client_id, redirect_uri)
+            .await?
+            .ok_or_else(|| Error::Application)
+    }
+}
diff --git a/crates/apps/src/lib.rs b/crates/apps/src/lib.rs
index d952366..0d06332 100644
--- a/crates/apps/src/lib.rs
+++ b/crates/apps/src/lib.rs
@@ -1,10 +1,12 @@
 mod database;
 mod error;
+mod get_valid;
 
 use chrono::{DateTime, Utc};
 use id::AppID;
 
 pub use crate::error::Error;
+pub use get_valid::Error as GetValidError;
 
 #[derive(Debug)]
 pub struct App {
diff --git a/crates/ezidam/src/error/conversion.rs b/crates/ezidam/src/error/conversion.rs
index 887d6e4..2ccb611 100644
--- a/crates/ezidam/src/error/conversion.rs
+++ b/crates/ezidam/src/error/conversion.rs
@@ -57,3 +57,14 @@ impl From for Error {
         Error::internal_server_error(e)
     }
 }
+
+impl From for Error {
+    fn from(e: apps::GetValidError) -> Self {
+        match e {
+            apps::GetValidError::Database(e) => Error::internal_server_error(e),
+            apps::GetValidError::ResponseTypes
+            | apps::GetValidError::Scopes
+            | apps::GetValidError::Application => Error::bad_request(e),
+        }
+    }
+}
diff --git a/crates/ezidam/src/routes/oauth.rs b/crates/ezidam/src/routes/oauth.rs
index 1d81552..3372bfc 100644
--- a/crates/ezidam/src/routes/oauth.rs
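Review bot: In get_valid_app the value produced by `openid::parse_response_types(response_type)` is thrown away right after the `?`, so any caller that needs the parsed response types has to parse the same string a second time; keeping the parsed value and returning it together with the app, or at least documenting that this function only validates and never yields it, would avoid the double parse. The order of checks also matters for the OAuth error path: response_type and scope are rejected before client_id and redirect_uri are verified against the store, so the ezidam conversion in this same commit has to map all three variants to bad_request because nobody yet knows whether the redirect target is trusted; validating the client and redirect_uri first (with an exact-string match, which presumably happens inside DatabaseApps::get_one outside this hunk) would let the route send unsupported_response_type or invalid_scope back by redirect only once the target has been verified, while an unknown client or redirect keeps failing locally as it does now. Both `ok_or_else(|| Error::ResponseTypes)` and `ok_or_else(|| Error::Application)` wrap a unit variant in a closure, which clippy flags as unnecessary_lazy_evaluations; `ok_or(Error::ResponseTypes)` and `ok_or(Error::Application)` read cleaner. The public get_valid_app carries no doc comment, and the `// error` / `// the rest` lines above the derives say nothing; a `///` summary such as `/// Validates an OpenID authorization request's response_type, scope, client_id and redirect_uri and returns the matching non-archived app, or the error for the first check that failed.` would replace both. The return type renders here as `Result {`, presumably `Result<Self, Error>` with the generics lost in the page rendering.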
+++ b/crates/ezidam/src/routes/oauth.rs
@@ -28,25 +28,17 @@ async fn authorize_page(
     flash: Option>,
     auth_request: AuthenticationRequest<'_>,
 ) -> Result