diff --git a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/Auth0Client.cs b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/Auth0Client.cs
index fa90476..674e8cd 100644
--- a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/Auth0Client.cs
+++ b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/Auth0Client.cs
@@ -56,7 +56,7 @@ public Uri GetAuthLoginUrl(OidcConfiguration oidcConfiguration, AccessService ac
 var additionalScopes = oidcConfiguration.Scopes?.Split(",", StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty();
- /* don't use .WithRedirectUrl(Uri uri) ond instead pass string. The former uses .OriginalString and will always
+ /* don't use .WithRedirectUrl(Uri uri) and instead pass string. The former uses .OriginalString and will always
 * include the port number (so https://dlcs.digirati.io/ => https://dlcs.digirati.io:443/). This differs from
 * how the redirect URI is build for code exchange and causes 403 error */
 var authBuilder = new AuthorizationUrlBuilder(oidcConfiguration.Domain)
@@ -73,7 +73,7 @@ public Uri GetAuthLoginUrl(OidcConfiguration oidcConfiguration, AccessService ac
 }
 ///
- /// Exchange authentication code for access tokens for logged in user
+ /// Exchange authentication code for access token for logged in user
 ///
 public async Task> GetDlcsRolesForCode(OidcConfiguration oidcConfiguration, AccessService accessService,
 string code, CancellationToken cancellationToken)
diff --git a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/JwtTokenParser.cs b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/JwtTokenParser.cs
index 8541301..14692ca 100644
--- a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/JwtTokenParser.cs
+++ b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/JwtTokenParser.cs
@@ -9,7 +9,7 @@ namespace IIIFAuth2.API.Infrastructure.Auth.RoleProvisioning.Oidc;
 public interface IJwtTokenHandler
 {
 ///
- /// Validate JWT token and return if successfully parsed.
+ /// Validate JWT token and return if successful
 ///
 /// JWT id token string
 /// Path where jwks can be found
diff --git a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/OidcRoleProviderHandler.cs b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/OidcRoleProviderHandler.cs
index 9150e5f..f74c499 100644
--- a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/OidcRoleProviderHandler.cs
+++ b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/OidcRoleProviderHandler.cs
@@ -32,6 +32,9 @@ public OidcRoleProviderHandler(
 this.logger = logger;
 }
+ ///
+ /// Generate redirect link to send user to idp
+ ///
 public async Task InitiateLoginRequest(int customerId, Uri requestOrigin, AccessService accessService, IProviderConfiguration providerConfiguration, CancellationToken cancellationToken = default)
@@ -46,8 +49,11 @@ public async Task InitiateLoginRequest(int customer
 return HandleRoleProvisionResponse.Redirect(loginUrl);
 }
- public async Task HandleLoginCallback(int customerId, string roleProvisionToken, string authCode,
- AccessService accessService, IProviderConfiguration providerConfiguration,
+ ///
+ /// Handle callback from idp, validate roleProvisionToken, exchange authCode for jwt + calculate DLCS roles
+ ///
+ public async Task HandleLoginCallback(int customerId, string roleProvisionToken,
+ string authCode, AccessService accessService, IProviderConfiguration providerConfiguration,
 CancellationToken cancellationToken = default)
 {
 var configuration = providerConfiguration.SafelyGetTypedConfig();
@@ -66,12 +72,12 @@ public async Task HandleLoginCallback(int customerI
 }
 var requestUri = new Uri(validateTokenResult.Value!.Origin);
-
+ // Get DLCS roles from authcode
 var roles = await auth0Client.GetDlcsRolesForCode(configuration, accessService, authCode, cancellationToken);
-
+
 if (roles.IsNullOrEmpty()) return HandleRoleProvisionResponse.Error("Unable to get DLCS roles for user");
-
+
 return await roleProvisionGranter.CompleteRequest(customerId, requestUri, providerConfiguration, () => Task.FromResult(roles), cancellationToken);
 }
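Review bot: The context line just above the added `// Get DLCS roles from authcode` comment, `var requestUri = new Uri(validateTokenResult.Value!.Origin);`, throws `UriFormatException` if the stored origin is not a well-formed URI, so a bad origin surfaces as an unhandled exception rather than the `HandleRoleProvisionResponse.Error(...)` path the method uses for the roles check two lines later. Unless the origin is guaranteed valid by the token validation that precedes this hunk (not visible here), `if (!Uri.TryCreate(validateTokenResult.Value!.Origin, UriKind.Absolute, out var requestUri)) return HandleRoleProvisionResponse.Error("Invalid origin in role provision token");` would keep failures on the same response path. If it is guaranteed, a one-line comment on that line stating that the origin was validated when the token was issued would justify both the `!` and the constructor call. HandleLoginCallback begins outside this hunk.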