diff --git a/files/auth/on_update.sh b/files/auth/on_update.sh
index 7a13654e474b977a29cc3f2e1af013a944d5bf46..b347f4d5d581ba2b442cec1e840649e9a6cd6963 100644
--- a/files/auth/on_update.sh
+++ b/files/auth/on_update.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
 
-run_as_broker=$(cat <<'EOF'
 cd
 # To make sure we have a decent GCC in our path.
 source /opt/rh/devtoolset-7/enable
@@ -17,12 +16,3 @@ cd
 mkdir -p bin/
 rm -f bin/auth
 cp src/auth/auth bin/
-EOF
-)
-
-# Compile as the auth user
-sudo --user auth --group auth --set-home -- bash -c "$run_as_broker"
-
-# Then, we can restart the services.
-systemctl restart aes_auth.service
-
diff --git a/manifests/aes_sw.pp b/manifests/aes_sw.pp
index 1177579eaeab8b8c27958671fc38988dc24041bc..f3b109a22993e4e4cdaed3a77ea2fba36f631f64 100644
--- a/manifests/aes_sw.pp
+++ b/manifests/aes_sw.pp
@@ -1,5 +1,5 @@
 # @summary
-#   Describe what this class do!
+#   Software for the AES system.
 #
 #   Detailed summary info if suitable
 #
diff --git a/manifests/auth.pp b/manifests/auth.pp
index 248720ef119bf12f3133e0360633da868bc7b200..db0d9b8b4aace1a2544f754e2e251160b5e19ea6 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -1,24 +1,19 @@
 # @summary
-#   Describe what this class do!
+#   Authentication service for the communication module.
 #
-#   Detailed summary info if suitable
+#   Sets up the authentication service for the communication module in the
+#   new exam system. Connects to the broker to authenticate users.
 #
 #
 # @param keytab_production_base64
-#   Describe keytab_production_base64
+#   Keytab contents (in base64) for the Kerberos host key used to authenticate
+#   in the production environment (aes-devel.edu.liu.se).
 #
 # @param keytab_devel_base64
-#   Describe keytab_devel_base64
+#   Keytab contents (in base64) for the Kerberos host key used to authenticate
+#   in the development environment (aes-devel.edu.liu.se).
 #
 class aes::auth (
-  # Comment out old keytab params but
-  # keep temporay for comparison
-  #
-  # # Existing keytabs
-  # Optional[String] $keytab_production = undef,
-  # Optional[String] $keytab_devel = undef
-  #
-  # new base64+pkcs7 keytabs
   Optional[String] $keytab_production_base64 = undef,
   Optional[String] $keytab_devel_base64 = undef
 ) {
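Review bot: The new description of `keytab_production_base64` names `aes-devel.edu.liu.se`, the same host given for `keytab_devel_base64`, which looks like a copy-paste slip; the production hostname should be confirmed and the comment corrected. Both parameters carry Kerberos host key material, and the removed comment indicated the values are base64+pkcs7, so the docs could also say so, for example `#   Secret key material; supply only via encrypted Hiera data.` The class body continues outside this hunk, so how the values are decoded and written to disk is not visible here.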
@@ -131,14 +126,24 @@ class aes::auth (
     }
   }
 
-  exec { 'update-auth-repo' :
-    command     => "/opt/utils/update_repo.sh ${auth_home}/src https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git ${server_type}",
-    environment => ["REPO_USER=${auth_user}", "REPO_GROUP=${auth_group}", "REPO_ON_UPDATE=${auth_home}/on_update.sh"],
-    # This command will need to run "on_update" as root in order to restart the service.
-    user        => root,
-    group       => root,
-    cwd         => $auth_home,
-    require     => File["${auth_home}/on_update.sh"],
+  vcsrepo { "${auth_home}/src":
+    ensure   => latest,
+    provider => git,
+    source   => 'https://oauth2:F-agHaRXCdyFy38q4c-N@gitlab.liu.se/upp-aes/communication.git',
+    revision => $server_type,
+    owner    => $auth_user,
+    group    => $auth_group,
+    notify   => Exec['compile-auth-repo'],
+  }
+
+  exec { 'compile-auth-repo':
+    user        => $auth_user,
+    group       => $auth_group,
+    path        => $auth_home,
+    command     => "$auth_home/on_update.sh",
+    refreshonly => true,
+    require     => File["${auth_home/on_update.sh"],
+    notify      => Service[$auth_service],
   }
 
   service { $auth_service :
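Review bot: The GitLab access token is still embedded in the `source` URL of the new `vcsrepo` resource, so it remains readable in the manifest and its version-control history, and most likely in the checkout's `.git/config`; it should come from encrypted Hiera data, as the keytab parameters appear to, and be rotated since it is already committed. Separately, `File["${auth_home/on_update.sh"]` in `require` is missing the closing brace of the interpolation and should read `require => File["${auth_home}/on_update.sh"],`. In `compile-auth-repo`, `path` sets the command search path rather than the working directory, and the script now starts with a bare `cd` that depends on HOME, which Puppet's exec probably does not set for the target user the way the removed `sudo --set-home` did. Consider `cwd => $auth_home,` and `environment => ["HOME=${auth_home}"],`, with `path` listing the system binary directories the script needs. The `service` resource continues past the end of this hunk.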