diff --git a/application/auth/oauth2/manager.go b/application/auth/oauth2/manager.go
index fac0c40c..4c4244a6 100644
--- a/application/auth/oauth2/manager.go
+++ b/application/auth/oauth2/manager.go
@@ -83,7 +83,7 @@ func (c *client) MatchSecret(clientSecret string) error {
 secret := pbkdf2.Key([]byte(clientSecret), salt, c.hashRule.iterations, c.hashRule.length, sha512.New)
 clientSecret = base64.RawStdEncoding.EncodeToString(secret)
 }
- if c.clientSecret != clientSecret {
+ if c.hashRule.value != clientSecret {
 return fmt.Errorf("fail to match secret,now: %s,hope: %s,client id is %s", clientSecret, c.hashRule.value, c.clientId)
 }
 return nil
diff --git a/drivers/plugins/oauth2/authorize.go b/drivers/plugins/oauth2/authorize.go
index c1feb11d..f348aa3e 100644
--- a/drivers/plugins/oauth2/authorize.go
+++ b/drivers/plugins/oauth2/authorize.go
@@ -35,7 +35,7 @@ func (e *executor) Authorize(ctx http_context.IHttpContext, client oauth2.IClien
 break
 }
 }
- if !matchScope {
+ if len(e.cfg.Scopes) > 0 && !matchScope {
 return nil, fmt.Errorf("invalid scope,client id %s", client.ClientID())
 }
 
diff --git a/drivers/plugins/oauth2/config.go b/drivers/plugins/oauth2/config.go
index 52ddea4a..529b7ff2 100644
--- a/drivers/plugins/oauth2/config.go
+++ b/drivers/plugins/oauth2/config.go
@@ -1,6 +1,9 @@
 package oauth2
 
 import (
+ "sync"
+
+ "github.com/eolinker/apinto/drivers"
 "github.com/eolinker/eosc"
 )
 
@@ -28,5 +31,9 @@ type Config struct {
 }
 
 func Create(id, name string, conf *Config, workers map[eosc.RequireId]eosc.IWorker) (eosc.IWorker, error) {
- return nil, nil
+ return &executor{
+ WorkerBase: drivers.Worker(id, name),
+ cfg: conf,
+ once: sync.Once{},
+ }, nil
 }
diff --git a/drivers/plugins/oauth2/executor.go b/drivers/plugins/oauth2/executor.go
index 4e420cbb..7ab718df 100644
--- a/drivers/plugins/oauth2/executor.go
+++ b/drivers/plugins/oauth2/executor.go
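Review bot: The changed comparison in MatchSecret is a plain `!=` on strings, and the error built on the next line formats both the presented secret and the stored value into its message, so a failed attempt carries the submitted secret and the stored hash into whatever logs or returns that error (the deferred `log.Error(err)` added in executor.go will, if `e.Token` surfaces it). Use a constant-time compare and drop the values from the error: `if subtle.ConstantTimeCompare([]byte(c.hashRule.value), []byte(clientSecret)) != 1 {` followed by `return fmt.Errorf("fail to match secret, client id is %s", c.clientId)`; this needs `"crypto/subtle"` in the import block, which is outside the hunk. Whether the pbkdf2 branch above runs for every client or only when a hash rule is configured is not visible here; if it is conditional, the other path compares an unhashed secret against `c.hashRule.value` and should be confirmed. MatchSecret's signature appears only in the hunk header, so the function starts before the hunk.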
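Review bot: The added `len(e.cfg.Scopes) > 0` guard in Authorize makes an empty Scopes list mean "no scope restriction", but nothing at the check says so, and a reader of the matching loop above (which starts outside the hunk) will read an empty list as "nothing can match". Add `// An empty Scopes list disables scope checking; any requested scope is accepted.` above the `if`, and state the same on the `Scopes` field of Config. If the requested scope is later echoed back as granted, confirm that path is acceptable with an unconstrained value.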
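Review bot: `once: sync.Once{}` in Create assigns the zero value the composite literal already gives the field, so the line can be dropped, and with it the `"sync"` import added in the first config.go hunk unless sync is used elsewhere in that file. The `workers` parameter is not used in the body; if the signature is dictated by the worker factory interface, a short comment such as `// workers is unused; the factory signature requires it.` would make that explicit.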
@@ -52,24 +52,29 @@ func (e *executor) DoHttpFilter(ctx http_service.IHttpContext, next eocontext.IC
 }
 return
 }
+ defer func() {
+ if err != nil {
+ log.Error(err)
+ type errResp struct {
+ Message string `json:"message"`
+ }
+ msg, _ := json.Marshal(errResp{Message: "Unauthorized"})
+ ctx.Response().SetBody(msg)
+ ctx.Response().SetStatus(http.StatusUnauthorized, "unauthorized")
+ }
+ }()
 client, has := oauth2.GetClient(clientId)
 if !has {
 err = fmt.Errorf("invalid client id")
- ctx.Response().SetBody([]byte(err.Error()))
- ctx.Response().SetStatus(http.StatusForbidden, "forbidden")
 return
 }
 if strings.ToUpper(ctx.Request().URI().Scheme()) != "HTTPS" && !e.cfg.AcceptHttpIfAlreadyTerminated {
 err = fmt.Errorf("invalid scheme")
- ctx.Response().SetBody([]byte(err.Error()))
- ctx.Response().SetStatus(http.StatusForbidden, "forbidden")
 return
 }
 if client.Expire() > 0 && client.Expire() < time.Now().Unix() {
 err = fmt.Errorf("client id is expired")
- ctx.Response().SetBody([]byte("client id is expired"))
- ctx.Response().SetStatus(http.StatusForbidden, "forbidden")
 return
 }
 
@@ -84,14 +89,7 @@ func (e *executor) DoHttpFilter(ctx http_service.IHttpContext, next eocontext.IC
 data, err = e.Token(ctx, client, params)
 }
 if err != nil {
- log.Error(err)
- type errResp struct {
- Message string `json:"message"`
- }
- msg, _ := json.Marshal(errResp{Message: "Unauthorized"})
- ctx.Response().SetBody(msg)
- ctx.Response().SetStatus(http.StatusUnauthorized, "unauthorized")
- return err
+ return
 }
 ctx.Response().SetBody(data)
 ctx.Response().SetStatus(http.StatusOK, "ok")
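Review bot: The deferred handler answers every non-nil `err` with 401 "Unauthorized", including the `invalid scheme` branch, which rejects the request for arriving over plain HTTP rather than for bad credentials; that branch previously returned 403, and collapsing it into 401 tells the client to re-authenticate for a failure it cannot fix that way. Keep the generic body but choose the status per case, for example by declaring a sentinel for the scheme failure and branching on `errors.Is(err, errScheme)` inside the handler; a 401 should also carry a `WWW-Authenticate` header, which nothing here sets. The `return` on the hunk's second line runs before the defer is registered, so if that path (whose block starts outside the hunk) sets `err`, it still needs to write its own response. In the second hunk, the bare `return` inside `if err != nil` now depends on the defer, so `// the deferred handler writes the 401 response` above it would keep that visible to the next reader.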