diff --git a/config/settings.yml b/config/settings.yml index c7f3018e2..bb8047209 100644 --- a/config/settings.yml +++ b/config/settings.yml @@ -128,8 +128,8 @@ database: auto-db-migrate: '_env:AUTO_DB_MIGRATE:true' -# External sources used for authentication and userdata lookups -user-source: +# External sources used for user authentication and userdata lookups +user-auth: # mode: single-source protocol: azureadv2 config: @@ -155,6 +155,7 @@ ldap-pool: timeout: "_env:LDAPTIMEOUT:20" limit: "_env:LDAPLIMIT:10" +# TODO: might move later # user-retest-failover: 60 user-sync-within: "_env:USER_SYNC_WITHIN:1209600" # 14 Tage in Sekunden user-sync-interval: "_env:USER_SYNC_INTERVAL:3600" # jede Stunde diff --git a/src/Settings.hs b/src/Settings.hs index 45f1e0c89..74a07929b 100644 --- a/src/Settings.hs +++ b/src/Settings.hs 
@@ -141,21 +141,22 @@ instance FromJSON PWHashConf where return PWHashConf{..} -data UserSource = UserSourceLdap LdapConf | UserSourceAzureAdV2 AzureConf +data AuthSourceConf = AuthSourceConfLdap LdapConf | AuthSourceConfAzureAdV2 AzureConf deriving (Show) -data UserSourceConf = - UserSourceConfSingleSource -- ^ use only one specific source - { usersrcSingleSource :: UserSource +data UserAuthConf = + UserAuthConfSingleSource -- ^ use only one specific source + { userAuthConfSingleSource :: AuthSourceConf } -- TODO: other modes yet to be implemented - -- | UserFailover -- ^ use only one user source at a time, but failover to the next-best database if the current source is unavailable - -- { usersrcFailoverSources :: PointedList UserSource - -- , usersrcFailoverRetest :: NominalDiffTime + -- | UserAuthConfFailover -- ^ use only one user source at a time, but failover to the next-best database if the current source is unavailable + -- { userAuthConfFailoverSources :: PointedList UserSource + -- , userAuthConfFailoverRetest :: NominalDiffTime -- } - -- | UserMultiSource -- ^ Multiple coequal user sources - -- { usersrcMultiSources :: Set UserSource + -- | UserAuthConfMultiSource -- ^ Multiple coequal user sources + -- { userAuthConfMultiSources :: Set UserSource -- } + -- | UserAuthConfNoSource -- ^ allow no external sources at all -- TODO: either this, or make user-auth in settings.yml optional deriving (Show) data LmsConf = LmsConf 
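Review bot: The TODO on the new `UserAuthConfNoSource` comment line leaves open whether "no external source" becomes an explicit mode or an optional `user-auth` key, and the two are not equivalent for a setting that controls authentication. With an optional key, a settings file that is misspelt or still uses the old `user-source` name would presumably parse as "no source" rather than being rejected, whereas an explicit constructor keeps a missing key a parse error. I would state that preference in the comment, e.g. `-- TODO: prefer an explicit no-source mode; a missing or misspelt user-auth key should stay a parse error`. The commented-out fields in this block also still name `UserSource`, which this commit renames to `AuthSourceConf`.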
@@ -308,21 +309,21 @@ pathPieceJSONKey ''SettingBotMitigation makePrisms ''JobMode makeLenses_ ''JobMode -makePrisms ''UserSource -makeLenses_ ''UserSourceConf -makePrisms ''UserSourceConf +makePrisms ''AuthSourceConf +makeLenses_ ''UserAuthConf +makePrisms ''UserAuthConf deriveFromJSON defaultOptions - { constructorTagModifier = toLower . dropPrefix "UserSource" + { constructorTagModifier = toLower . dropPrefix "AuthSourceConf" , sumEncoding = TaggedObject "protocol" "config" - } ''UserSource + } ''AuthSourceConf deriveFromJSON defaultOptions { constructorTagModifier = camelToPathPiece' 3 - , fieldLabelModifier = camelToPathPiece' 1 + , fieldLabelModifier = camelToPathPiece' 3 , sumEncoding = UntaggedValue -- TaggedObject "mode" "config" , unwrapUnaryRecords = True - } ''UserSourceConf + } ''UserAuthConf instance FromJSON HaskellNet.PortNumber where parseJSON = withScientific "PortNumber" $ \sciNum -> case Scientific.toBoundedInteger sciNum of @@ -450,7 +451,7 @@ data AppSettings = AppSettings , appDatabaseConf :: PostgresConf -- ^ Configuration settings for accessing the database. , appAutoDbMigrate :: Bool - , appUserSourceConf :: UserSourceConf + , appUserAuthConf :: UserAuthConf -- ^ Configuration settings for CSV export/import to LMS (= Learn Management System) , appLmsConf :: LmsConf -- ^ Configuration settings for accessing the LDAP-directory @@ -627,7 +628,7 @@ instance FromJSON AppSettings where -- Ldap.Tls host _ -> not $ null host -- Ldap.Plain host -> not $ null host -- nonEmptyHost (UserDbOAuth2 OAuth2Conf{..}) = not $ or [ null oauth2TenantId, null oauth2ClientId, null oauth2ClientSecret ] - appUserSourceConf <- o .: "user-source" + appUserAuthConf <- o .: "user-auth" -- P.fromList . mapMaybe (assertM nonEmptyHost) <$> o .:? "user-database" .!= [] appLdapPoolConf <- o .:? "ldap-pool" appLmsConf <- o .: "lms-direct" diff --git a/src/Settings/OAuth2.hs b/src/Settings/OAuth2.hs index a07bc606f..5242a776a 100644 --- a/src/Settings/OAuth2.hs 
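Review bot: In the `deriveFromJSON` options for `UserAuthConf`, the new `fieldLabelModifier = camelToPathPiece' 3` has no effect on what is parsed today, because `unwrapUnaryRecords = True` hides the only field of the only constructor. As far as I recall, aeson applies that unwrapping only to single-constructor types. Enabling any of the commented-out modes would then change the accepted shape of `user-auth` from the bare `protocol`/`config` object to a wrapped one, and `UntaggedValue` would select the mode by trial parsing instead of by an explicit key. A comment above the options would record this, e.g. `-- NOTE: unwrapUnaryRecords only applies while UserAuthConf has a single constructor; switch to TaggedObject "mode" "config" before adding modes`.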
+++ b/src/Settings/OAuth2.hs @@ -4,7 +4,7 @@ module Settings.OAuth2 ( AzureConf(..) - , _azureClientId, _azureClientSecret, _azureTenantId, _azureScopes + , _azureConfClientId, _azureConfClientSecret, _azureConfTenantId, _azureConfScopes ) where import ClassyPrelude @@ -17,16 +17,15 @@ import Utils.Lens.TH import Utils.PathPiece (camelToPathPiece') --- TODO: use better types data AzureConf = AzureConf - { azureClientId :: UUID - , azureClientSecret :: Text - , azureTenantId :: UUID - , azureScopes :: Set Text -- TODO: use better type + { azureConfClientId :: UUID + , azureConfClientSecret :: Text + , azureConfTenantId :: UUID + , azureConfScopes :: Set Text -- TODO: use AzureScopes type? } deriving (Show) makeLenses_ ''AzureConf deriveFromJSON defaultOptions - { fieldLabelModifier = camelToPathPiece' 1 + { fieldLabelModifier = camelToPathPiece' 2 } ''AzureConf
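Review bot: `azureConfClientSecret` is still a bare `Text` inside a record that derives `Show`, and this hunk drops the `-- TODO: use better types` line that covered it while keeping only the scopes TODO. Any `show` of an `AzureConf` prints the client secret, and that includes `AuthSourceConf` and `UserAuthConf` in src/Settings.hs, which derive `Show` over it. Whether settings are ever shown in logs or error output is not visible in this diff. A newtype for the secret with a hand-written `Show` instance that prints a fixed placeholder would remove the risk. Until then the field should carry the reminder, e.g. `, azureConfClientSecret :: Text -- TODO: wrap in a newtype whose Show instance redacts the value`.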