From 4bb33d3d3c62516cfdb1ff5bba9216936a07d368 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud <vdeniaud@entrouvert.com>
Date: Tue, 30 Mar 2021 10:15:50 +0200
Subject: [PATCH 1/6] misc: apply black (#52457)

---
 debian/debian_config.py                       |   91 +-
 debian/multitenant/config.py                  |   46 +-
 debian/multitenant/debian_config.py           |   14 +-
 doc/conf.py                                   |  118 +-
 merge-coverage.py                             |  399 +-
 setup.py                                      |  156 +-
 src/authentic2/a2_rbac/admin.py               |   37 +-
 src/authentic2/a2_rbac/app_settings.py        |    1 +
 src/authentic2/a2_rbac/apps.py                |   28 +-
 src/authentic2/a2_rbac/fields.py              |   10 +-
 src/authentic2/a2_rbac/management.py          |   48 +-
 src/authentic2/a2_rbac/managers.py            |   65 +-
 .../a2_rbac/migrations/0001_initial.py        |  150 +-
 ...3_partial_unique_index_on_name_and_slug.py |   12 +-
 .../migrations/0004_auto_20150523_0028.py     |    6 +-
 .../migrations/0005_auto_20150526_1406.py     |    9 +-
 .../migrations/0008_auto_20150810_1953.py     |    6 +-
 ...0009_partial_unique_index_on_permission.py |   10 +-
 .../migrations/0010_auto_20160209_1417.py     |   27 +-
 .../migrations/0014_auto_20170711_1024.py     |    6 +-
 .../migrations/0016_auto_20171208_1429.py     |    6 +-
 ...nizationalunit_user_add_password_policy.py |    6 +-
 .../0020_partial_unique_index_on_name.py      |   11 +-
 .../migrations/0021_auto_20200317_1514.py     |    8 +-
 .../migrations/0022_auto_20200402_1101.py     |   22 +-
 .../migrations/0024_fix_self_admin_perm.py    |    4 +-
 src/authentic2/a2_rbac/models.py              |  239 +-
 src/authentic2/a2_rbac/signal_handlers.py     |   22 +-
 src/authentic2/a2_rbac/utils.py               |   14 +-
 src/authentic2/admin.py                       |   91 +-
 src/authentic2/api_mixins.py                  |    5 +-
 src/authentic2/api_urls.py                    |   14 +-
 src/authentic2/api_views.py                   |  435 +-
 src/authentic2/app.py                         |    4 +-
 src/authentic2/app_settings.py                |  330 +-
 .../apps/journal/migrations/0001_initial.py   |    2 +-
 src/authentic2/apps/journal/models.py         |   12 +-
 src/authentic2/apps/journal/search_engine.py  |    8 +-
 .../migrations/0001_initial.py                |  411 +-
 .../migrations/0002_auto_20150409_1840.py     |   15 +-
 .../migrations/0003_auto_20150526_2239.py     |    8 +-
 src/authentic2/attribute_kinds.py             |   19 +-
 src/authentic2/attributes_ng/engine.py        |   36 +-
 .../attributes_ng/sources/__init__.py         |    5 +-
 .../attributes_ng/sources/django_user.py      |    4 +-
 .../attributes_ng/sources/format.py           |   11 +-
 .../attributes_ng/sources/function.py         |   10 +-
 src/authentic2/attributes_ng/sources/ldap.py  |    4 +-
 .../attributes_ng/sources/service_roles.py    |   12 +-
 .../auth2_ssl/migrations/0001_initial.py      |   10 +-
 .../auth_migrations_18/0001_initial.py        |   89 +-
 .../0002_auto_20150323_1720.py                |   12 +-
 .../0003_auto_20150410_1657.py                |    2 +-
 .../auth_migrations_18/0004_user.py           |   81 +-
 .../0005_auto_20150526_2303.py                |   24 +-
 src/authentic2/authentication.py              |   25 +-
 src/authentic2/authenticators.py              |   22 +-
 src/authentic2/backends/ldap_backend.py       |  475 +-
 src/authentic2/backends/models_backend.py     |    9 +-
 src/authentic2/cbv.py                         |   40 +-
 src/authentic2/compat/cookies.py              |    1 +
 src/authentic2/compat/misc.py                 |    6 +
 src/authentic2/compat_lasso.py                |    2 +
 src/authentic2/context_processors.py          |    4 +-
 src/authentic2/cors.py                        |    2 -
 src/authentic2/crypto.py                      |   27 +-
 src/authentic2/csv_import.py                  |  140 +-
 src/authentic2/custom_user/apps.py            |   44 +-
 .../management/commands/changepassword.py     |    8 +-
 .../management/commands/fix-attributes.py     |    7 +-
 src/authentic2/custom_user/managers.py        |   61 +-
 .../custom_user/migrations/0001_initial.py    |  137 +-
 .../migrations/0002_auto_20150410_1823.py     |   32 +-
 .../migrations/0003_auto_20150504_1410.py     |    5 +-
 .../custom_user/migrations/0004_user_ou.py    |    4 +-
 .../migrations/0005_auto_20150522_1527.py     |    8 +-
 .../migrations/0006_auto_20150527_1212.py     |    6 +-
 .../migrations/0007_auto_20150610_1527.py     |    6 +-
 .../migrations/0009_auto_20150810_1953.py     |    6 +-
 .../migrations/0012_user_modified.py          |    7 +-
 .../migrations/0015_auto_20170707_1653.py     |    6 +-
 .../migrations/0017_auto_20200305_1645.py     |    7 +-
 .../migrations/0020_deleteduser.py            |   22 +-
 .../migrations/0022_index_email.py            |    2 +-
 .../migrations/0023_index_username.py         |    2 +-
 .../0024_index_email_by_trigrams.py           |    6 +-
 .../migrations/0026_remove_user_deleted.py    |    3 +-
 src/authentic2/custom_user/models.py          |  163 +-
 src/authentic2/data_transfer.py               |   82 +-
 src/authentic2/decorators.py                  |   55 +-
 .../disco_service/disco_responder.py          |   16 +-
 src/authentic2/exponential_retry_timeout.py   |   26 +-
 src/authentic2/forms/authentication.py        |   35 +-
 src/authentic2/forms/fields.py                |   20 +-
 src/authentic2/forms/mixins.py                |    3 +-
 src/authentic2/forms/passwords.py             |   22 +-
 src/authentic2/forms/profile.py               |   14 +-
 src/authentic2/forms/registration.py          |   10 +-
 src/authentic2/forms/widgets.py               |   52 +-
 src/authentic2/hashers.py                     |   72 +-
 src/authentic2/hooks.py                       |    8 +-
 src/authentic2/idp/interactions.py            |   12 +-
 src/authentic2/idp/migrations/0001_initial.py |  113 +-
 .../idp/migrations/0002_auto_20150526_2239.py |   24 +-
 src/authentic2/idp/saml/__init__.py           |   23 +-
 src/authentic2/idp/saml/app_settings.py       |   29 +-
 src/authentic2/idp/saml/backend.py            |   87 +-
 src/authentic2/idp/saml/saml2_endpoints.py    |  431 +-
 src/authentic2/idp/saml/urls.py               |   31 +-
 src/authentic2/idp/saml/views.py              |    3 +-
 src/authentic2/idp/urls.py                    |    3 +-
 src/authentic2/journal_event_types.py         |    6 +-
 src/authentic2/log_filters.py                 |    7 +-
 src/authentic2/logger.py                      |    6 +-
 .../management/commands/check-and-repair.py   |  168 +-
 .../commands/clean-unused-accounts.py         |   13 +-
 .../deactivate-orphaned-ldap-users.py         |    1 -
 .../management/commands/export_site.py        |    5 +-
 .../management/commands/import_site.py        |   22 +-
 .../management/commands/load-ldif.py          |   43 +-
 .../management/commands/resetpassword.py      |   16 +-
 .../management/commands/sync-ldap-users.py    |    1 +
 src/authentic2/manager/app_settings.py        |    2 +
 src/authentic2/manager/apps.py                |    5 +-
 src/authentic2/manager/fields.py              |   20 +-
 src/authentic2/manager/forms.py               |  197 +-
 src/authentic2/manager/journal_event_types.py |   12 +-
 src/authentic2/manager/ou_views.py            |   38 +-
 src/authentic2/manager/resources.py           |   20 +-
 src/authentic2/manager/role_views.py          |  266 +-
 src/authentic2/manager/service_views.py       |   14 +-
 src/authentic2/manager/tables.py              |   68 +-
 src/authentic2/manager/urls.py                |  249 +-
 src/authentic2/manager/user_import.py         |   15 +-
 src/authentic2/manager/user_views.py          |  285 +-
 src/authentic2/manager/views.py               |  181 +-
 src/authentic2/manager/widgets.py             |    9 +-
 src/authentic2/managers.py                    |    4 +
 src/authentic2/middleware.py                  |   31 +-
 src/authentic2/migrations/0001_initial.py     |  107 +-
 .../migrations/0003_auto_20150409_1840.py     |   12 +-
 src/authentic2/migrations/0004_service.py     |    5 +-
 src/authentic2/migrations/0005_service_ou.py  |    4 +-
 .../migrations/0006_conditional_slug_index.py |    7 +-
 .../migrations/0007_auto_20150523_0028.py     |    8 +-
 .../migrations/0008_auto_20160204_1415.py     |    4 +-
 .../migrations/0009_auto_20160211_2247.py     |    1 +
 .../migrations/0012_auto_20160211_2255.py     |    4 +-
 .../migrations/0013_auto_20160211_2258.py     |   12 +-
 .../migrations/0015_auto_20160621_1711.py     |    4 +-
 .../migrations/0018_auto_20170524_0842.py     |   17 +-
 .../migrations/0021_attribute_order.py        |    7 +-
 .../migrations/0022_attribute_scopes.py       |    8 +-
 .../migrations/0024_auto_20190617_1113.py     |    3 +-
 .../migrations/0025_auto_20191009_1047.py     |    7 +-
 src/authentic2/migrations/0026_token.py       |   16 +-
 .../migrations/0027_remove_deleteduser.py     |    5 +-
 .../migrations/0028_trigram_unaccent_index.py |    2 +-
 .../migrations/0029_auto_20201013_1614.py     |    6 +-
 .../0030_clean_admin_tools_tables.py          |   10 +-
 .../0031_add_search_vector_to_attributes.py   |   23 +-
 src/authentic2/migrations/__init__.py         |   26 +-
 src/authentic2/models.py                      |  196 +-
 .../nonce/migrations/0001_initial.py          |   11 +-
 src/authentic2/nonce/utils.py                 |   89 +-
 src/authentic2/passwords.py                   |   37 +-
 src/authentic2/plugins.py                     |   33 +-
 src/authentic2/saml/__init__.py               |    1 +
 src/authentic2/saml/admin.py                  |   42 +-
 src/authentic2/saml/admin_views.py            |   12 +-
 src/authentic2/saml/app_settings.py           |    4 +-
 src/authentic2/saml/common.py                 |  220 +-
 src/authentic2/saml/fields.py                 |   25 +-
 src/authentic2/saml/forms.py                  |   32 +-
 src/authentic2/saml/lasso_helper.py           |   13 +-
 .../saml/management/commands/mapping.py       | 4235 ++++++++---------
 .../saml/management/commands/sync-metadata.py |  157 +-
 src/authentic2/saml/managers.py               |   23 +-
 .../saml/migrations/0001_initial.py           |  562 ++-
 .../migrations/0002_auto_20150320_1245.py     |    8 +-
 .../0002_ease_federation_migration.py         |   15 +-
 src/authentic2/saml/migrations/0003_merge.py  |    3 +-
 .../migrations/0004_auto_20150410_1438.py     |    7 +-
 ...e_liberty_provider_inherit_from_service.py |    5 +-
 .../migrations/0006_restore_foreign_keys.py   |    3 +
 .../0007_copy_service_ptr_id_to_old_id.py     |   49 +-
 .../migrations/0008_alter_foreign_keys.py     |   16 +-
 src/authentic2/saml/migrations/0009_auto.py   |   18 +-
 src/authentic2/saml/migrations/0010_auto.py   |    4 +-
 src/authentic2/saml/migrations/0011_auto.py   |   28 +-
 .../migrations/0012_auto_20150526_2239.py     |   12 +-
 .../migrations/0013_auto_20150617_1004.py     |   10 +-
 .../migrations/0014_auto_20150617_1216.py     |    1 +
 .../migrations/0015_auto_20150915_2032.py     |   46 +-
 src/authentic2/saml/models.py                 |  303 +-
 src/authentic2/saml/saml2utils.py             |  117 +-
 src/authentic2/saml/shibboleth/utils.py       |    1 -
 src/authentic2/saml/utils.py                  |    2 -
 src/authentic2/saml/x509utils.py              |   34 +-
 src/authentic2/serializers.py                 |    1 +
 src/authentic2/settings.py                    |   31 +-
 src/authentic2/urls.py                        |  134 +-
 src/authentic2/user_login_failure.py          |    7 +-
 src/authentic2/utils/__init__.py              |  465 +-
 src/authentic2/utils/evaluate.py              |   70 +-
 src/authentic2/utils/lazy.py                  |    6 +-
 src/authentic2/utils/lookups.py               |    2 +
 src/authentic2/utils/service.py               |    3 +-
 src/authentic2/utils/switch_user.py           |    2 -
 src/authentic2/utils/views.py                 |   19 +-
 src/authentic2/validators.py                  |    8 +-
 src/authentic2/views.py                       |  487 +-
 src/authentic2_auth_fc/api_views.py           |    8 +-
 src/authentic2_auth_fc/app_settings.py        |   33 +-
 src/authentic2_auth_fc/apps.py                |   15 +-
 src/authentic2_auth_fc/authenticators.py      |   73 +-
 src/authentic2_auth_fc/backends.py            |   14 +-
 .../migrations/0001_initial.py                |   15 +-
 .../migrations/0002_auto_20200416_1439.py     |    4 +-
 .../migrations/0003_fcaccount_order1.py       |    6 +-
 src/authentic2_auth_fc/models.py              |   23 +-
 src/authentic2_auth_fc/utils.py               |   13 +-
 src/authentic2_auth_fc/views.py               |  166 +-
 src/authentic2_auth_oidc/admin.py             |   33 +-
 src/authentic2_auth_oidc/app_settings.py      |    2 +
 src/authentic2_auth_oidc/apps.py              |   36 +-
 src/authentic2_auth_oidc/authenticators.py    |   11 +-
 src/authentic2_auth_oidc/backends.py          |  162 +-
 .../commands/oidc-register-issuer.py          |   45 +-
 src/authentic2_auth_oidc/managers.py          |    2 +
 .../migrations/0001_initial.py                |  114 +-
 ..._oidcprovider_token_revocation_endpoint.py |    4 +-
 .../migrations/0004_auto_20171017_1522.py     |   10 +-
 src/authentic2_auth_oidc/models.py            |  166 +-
 src/authentic2_auth_oidc/utils.py             |  117 +-
 src/authentic2_auth_oidc/views.py             |  146 +-
 src/authentic2_auth_saml/adapters.py          |   28 +-
 src/authentic2_auth_saml/app_settings.py      |    2 +
 src/authentic2_auth_saml/apps.py              |   14 +-
 src/authentic2_auth_saml/authenticators.py    |   23 +-
 src/authentic2_auth_saml/backends.py          |    5 +-
 src/authentic2_auth_saml/urls.py              |    5 +-
 src/authentic2_idp_cas/admin.py               |   59 +-
 src/authentic2_idp_cas/app_settings.py        |    1 +
 src/authentic2_idp_cas/apps.py                |    1 -
 src/authentic2_idp_cas/constants.py           |   71 +-
 .../migrations/0001_initial.py                |  104 +-
 .../migrations/0002_auto_20150410_1438.py     |    9 +-
 .../migrations/0003_auto_20150415_2223.py     |    9 +-
 .../migrations/0004_create_services.py        |    6 +-
 .../0005_alter_field_service_ptr.py           |    1 +
 .../migrations/0006_copy_proxy_m2m.py         |    6 +-
 .../migrations/0007_alter_service.py          |   22 +-
 .../migrations/0008_alter_foreign_keys.py     |    3 +
 .../migrations/0009_alter_related_models.py   |    9 +-
 .../0010_copy_service_ptr_id_to_old_id.py     |    3 +
 .../0011_remove_old_id_restore_proxy.py       |    8 +-
 .../0012_copy_service_proxy_to_m2m.py         |    6 +-
 .../0013_delete_model_service_proxy2.py       |    2 +-
 .../migrations/0015_auto_20170406_1825.py     |    8 +-
 src/authentic2_idp_cas/models.py              |   33 +-
 src/authentic2_idp_cas/urls.py                |    6 +-
 src/authentic2_idp_cas/utils.py               |    2 +-
 src/authentic2_idp_cas/views.py               |  149 +-
 src/authentic2_idp_oidc/admin.py              |   37 +-
 src/authentic2_idp_oidc/app_settings.py       |   18 +-
 src/authentic2_idp_oidc/apps.py               |  237 +-
 .../migrations/0001_initial.py                |  129 +-
 .../migrations/0002_auto_20170121_2346.py     |    6 +-
 .../migrations/0003_auto_20170329_1259.py     |    7 +-
 .../migrations/0005_authorization_mode.py     |   14 +-
 .../migrations/0006_auto_20170720_1054.py     |   12 +-
 .../0008_oidcclient_idtoken_duration.py       |    6 +-
 .../migrations/0010_oidcclaim.py              |   28 +-
 .../migrations/0011_auto_20180808_1546.py     |   14 +-
 .../migrations/0012_auto_20200122_2258.py     |   14 +-
 .../migrations/0013_auto_20200630_1007.py     |    4 +-
 src/authentic2_idp_oidc/models.py             |  257 +-
 src/authentic2_idp_oidc/urls.py               |   24 +-
 src/authentic2_idp_oidc/utils.py              |   45 +-
 src/authentic2_idp_oidc/views.py              |  362 +-
 src/django_rbac/apps.py                       |   19 +-
 src/django_rbac/backends.py                   |   55 +-
 src/django_rbac/context_processors.py         |    1 +
 src/django_rbac/managers.py                   |   52 +-
 src/django_rbac/migrations/0001_initial.py    |   11 +-
 ...ionalunit_permission_role_roleparenting.py |  102 +-
 .../0003_add_max_aggregate_for_postgres.py    |    3 +-
 src/django_rbac/models.py                     |  167 +-
 src/django_rbac/signal_handlers.py            |    6 +-
 src/django_rbac/utils.py                      |   15 +-
 tests/auth_fc/conftest.py                     |   34 +-
 tests/auth_fc/test_auth_fc.py                 |    7 +-
 tests/cache_urls.py                           |    8 +-
 tests/conftest.py                             |  171 +-
 tests/test_a2_rbac.py                         |  134 +-
 tests/test_admin.py                           |   47 +-
 tests/test_all.py                             |  249 +-
 tests/test_api.py                             |  541 ++-
 tests/test_attribute_kinds.py                 |   55 +-
 tests/test_auth_oidc.py                       |  223 +-
 tests/test_auth_saml.py                       |   39 +-
 tests/test_commands.py                        |   94 +-
 tests/test_concurrency.py                     |   15 +-
 tests/test_crypto.py                          |    8 +-
 tests/test_csv_import.py                      |   41 +-
 tests/test_custom_user.py                     |   14 +-
 tests/test_customfields.py                    |   25 +-
 tests/test_data_transfer.py                   |  302 +-
 tests/test_fields.py                          |    6 +-
 tests/test_hashers.py                         |   14 +-
 tests/test_idp_cas.py                         |  310 +-
 tests/test_idp_oidc.py                        |  976 ++--
 tests/test_idp_saml2.py                       |  455 +-
 tests/test_import_export_site_cmd.py          |   46 +-
 tests/test_journal.py                         |   27 +-
 tests/test_large_userbase.py                  |   17 +-
 tests/test_ldap.py                            | 1083 +++--
 tests/test_login.py                           |   10 +-
 tests/test_manager.py                         |  134 +-
 tests/test_manager_journal.py                 |   66 +-
 tests/test_natural_key.py                     |   13 +-
 tests/test_ou_manager.py                      |   12 +-
 tests/test_password_reset.py                  |    1 +
 tests/test_passwords.py                       |    5 +-
 tests/test_profile.py                         |   91 +-
 tests/test_registration.py                    |   99 +-
 tests/test_role_manager.py                    |   65 +-
 tests/test_saml_x509utils.py                  |    5 +-
 tests/test_template.py                        |   12 +-
 tests/test_user_manager.py                    |  240 +-
 tests/test_user_model.py                      |    8 +-
 tests/test_utils.py                           |   15 +-
 tests/test_utils_evaluate.py                  |   14 +-
 tests/test_validators.py                      |   22 +-
 tests/test_views.py                           |   15 +-
 tests/utils.py                                |   57 +-
 tests_rbac/conftest.py                        |    4 +-
 tests_rbac/test_rbac.py                       |  124 +-
 339 files changed, 13976 insertions(+), 10737 deletions(-)

diff --git a/debian/debian_config.py b/debian/debian_config.py
index d1c0cc4c..530d00d9 100644
--- a/debian/debian_config.py
+++ b/debian/debian_config.py
@@ -27,14 +27,14 @@ LOGGING = {
     'disable_existing_loggers': True,
     'filters': {
         'cleaning': {
-            '()':  'authentic2.utils.CleanLogMessage',
+            '()': 'authentic2.utils.CleanLogMessage',
         },
         'request_context': {
-            '()':  'authentic2.log_filters.RequestContextFilter',
+            '()': 'authentic2.log_filters.RequestContextFilter',
         },
         'force_debug': {
             '()': 'authentic2.log_filters.ForceDebugFilter',
-        }
+        },
     },
     'formatters': {
         'syslog': {
@@ -124,29 +124,29 @@ A2_OPENED_SESSION_COOKIE_SECURE = True
 def extract_settings_from_environ():
     import json
     from django.core.exceptions import ImproperlyConfigured
-    global MANAGERS, DATABASES, SENTRY_TRANSPORT, SENTRY_DSN, INSTALLED_APPS, \
-            SECURE_PROXY_SSL_HEADER, CACHES, SESSION_ENGINE, LDAP_AUTH_SETTINGS
+
+    global MANAGERS, DATABASES, SENTRY_TRANSPORT, SENTRY_DSN, INSTALLED_APPS, SECURE_PROXY_SSL_HEADER, CACHES, SESSION_ENGINE, LDAP_AUTH_SETTINGS
 
     BOOLEAN_ENVS = (
-           'DEBUG',
-           'DEBUG_PROPAGATE_EXCEPTIONS',
-           'SESSION_EXPIRE_AT_BROWSER_CLOSE',
-           'SESSION_COOKIE_SECURE',
-           'EMAIL_USE_TLS',
-           'USE_X_FORWARDED_HOST',
-           'DISCO_SERVICE',
-           'DISCO_USE_OF_METADATA',
-           'SHOW_DISCO_IN_MD',
-           'SSLAUTH_CREATE_USER',
-           'PUSH_PROFILE_UPDATES',
-           'A2_ACCEPT_EMAIL_AUTHENTICATION',
-           'A2_CAN_RESET_PASSWORD',
-           'A2_REGISTRATION_CAN_DELETE_ACCOUNT',
-           'A2_REGISTRATION_EMAIL_IS_UNIQUE',
-           'REGISTRATION_OPEN',
-           'A2_AUTH_PASSWORD_ENABLE',
-           'SSLAUTH_ENABLE',
-           'A2_IDP_SAML2_ENABLE',
+        'DEBUG',
+        'DEBUG_PROPAGATE_EXCEPTIONS',
+        'SESSION_EXPIRE_AT_BROWSER_CLOSE',
+        'SESSION_COOKIE_SECURE',
+        'EMAIL_USE_TLS',
+        'USE_X_FORWARDED_HOST',
+        'DISCO_SERVICE',
+        'DISCO_USE_OF_METADATA',
+        'SHOW_DISCO_IN_MD',
+        'SSLAUTH_CREATE_USER',
+        'PUSH_PROFILE_UPDATES',
+        'A2_ACCEPT_EMAIL_AUTHENTICATION',
+        'A2_CAN_RESET_PASSWORD',
+        'A2_REGISTRATION_CAN_DELETE_ACCOUNT',
+        'A2_REGISTRATION_EMAIL_IS_UNIQUE',
+        'REGISTRATION_OPEN',
+        'A2_AUTH_PASSWORD_ENABLE',
+        'SSLAUTH_ENABLE',
+        'A2_IDP_SAML2_ENABLE',
     )
 
     def to_boolean(name, default=True):
@@ -215,12 +215,12 @@ def extract_settings_from_environ():
                 globals()[path_env] = tuple(os.environ[path_env].split(':')) + tuple(old)
 
     INT_ENVS = (
-            'SESSION_COOKIE_AGE',
-            'EMAIL_PORT',
-            'AUTHENTICATION_EVENT_EXPIRATION',
-            'LOCAL_METADATA_CACHE_TIMEOUT',
-            'ACCOUNT_ACTIVATION_DAYS',
-            'PASSWORD_RESET_TIMEOUT_DAYS',
+        'SESSION_COOKIE_AGE',
+        'EMAIL_PORT',
+        'AUTHENTICATION_EVENT_EXPIRATION',
+        'LOCAL_METADATA_CACHE_TIMEOUT',
+        'ACCOUNT_ACTIVATION_DAYS',
+        'PASSWORD_RESET_TIMEOUT_DAYS',
     )
 
     def to_int(name, default):
@@ -239,17 +239,17 @@ def extract_settings_from_environ():
             except ValueError:
                 raise ImproperlyConfigured('environement variable %s must be an integer' % int_env)
 
-
     ADMINS = ()
     if 'ADMINS' in os.environ:
         ADMINS = filter(None, os.environ.get('ADMINS').split(':'))
-        ADMINS = [ admin.split(';') for admin in ADMINS ]
+        ADMINS = [admin.split(';') for admin in ADMINS]
         for admin in ADMINS:
-            assert len(admin) == 2, 'ADMINS setting must be a colon separated list of name and emails separated by a semi-colon'
+            assert (
+                len(admin) == 2
+            ), 'ADMINS setting must be a colon separated list of name and emails separated by a semi-colon'
             assert '@' in admin[1], 'ADMINS setting pairs second value must be emails'
         MANAGERS = ADMINS
 
-
     for key in os.environ:
         if key.startswith('DATABASE_'):
             prefix, db_key = key.split('_', 1)
@@ -271,27 +271,30 @@ def extract_settings_from_environ():
         try:
             import memcache
         except:
-            raise ImproperlyConfigured('Python memcache library is not installed, please do: pip install memcache')
+            raise ImproperlyConfigured(
+                'Python memcache library is not installed, please do: pip install memcache'
+            )
         CACHES = {
-                'default': {
-                    'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
-                    'LOCATION': '127.0.0.1:11211',
-                    'KEY_PREFIX': 'authentic2',
-                    }
-                }
+            'default': {
+                'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+                'LOCATION': '127.0.0.1:11211',
+                'KEY_PREFIX': 'authentic2',
+            }
+        }
         SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 
     # extract any key starting with setting
     for key in os.environ:
         if key.startswith('SETTING_'):
-            setting_key = key[len('SETTING_'):]
+            setting_key = key[len('SETTING_') :]
             value = os.environ[key]
             try:
-                 value = int(value)
+                value = int(value)
             except ValueError:
-                 pass
+                pass
             globals()[setting_key] = value
 
+
 extract_settings_from_environ()
 
 CONFIG_FILE = '/etc/authentic2/config.py'
diff --git a/debian/multitenant/config.py b/debian/multitenant/config.py
index d01a16c5..bafc87b3 100644
--- a/debian/multitenant/config.py
+++ b/debian/multitenant/config.py
@@ -15,56 +15,56 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False
 
-#ADMINS = (
+# ADMINS = (
 #        # ('User 1', 'watchdog@example.net'),
 #        # ('User 2', 'janitor@example.net'),
-#)
+# )
 
 # ALLOWED_HOSTS must be correct in production!
 # See https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = [
-        '*',
+    '*',
 ]
 
 # Databases
 # Default: a local database named "authentic"
 # https://docs.djangoproject.com/en/1.7/ref/settings/#databases
 # Warning: don't change ENGINE
-#DATABASES['default']['NAME'] = 'authentic2_multitenant'
-#DATABASES['default']['USER'] = 'authentic-multitenant'
-#DATABASES['default']['PASSWORD'] = '******'
-#DATABASES['default']['HOST'] = 'localhost'
-#DATABASES['default']['PORT'] = '5432'
+# DATABASES['default']['NAME'] = 'authentic2_multitenant'
+# DATABASES['default']['USER'] = 'authentic-multitenant'
+# DATABASES['default']['PASSWORD'] = '******'
+# DATABASES['default']['HOST'] = 'localhost'
+# DATABASES['default']['PORT'] = '5432'
 
 LANGUAGE_CODE = 'fr-fr'
 TIME_ZONE = 'Europe/Paris'
 
 # Sentry / Raven configuration
-#RAVEN_CONFIG = {
+# RAVEN_CONFIG = {
 #    'dsn': '',
-#}
+# }
 
 # Email configuration
-#EMAIL_SUBJECT_PREFIX = '[authentic] '
-#SERVER_EMAIL = 'root@authentic.example.org'
-#DEFAULT_FROM_EMAIL = 'webmaster@authentic.example.org'
+# EMAIL_SUBJECT_PREFIX = '[authentic] '
+# SERVER_EMAIL = 'root@authentic.example.org'
+# DEFAULT_FROM_EMAIL = 'webmaster@authentic.example.org'
 
 # SMTP configuration
-#EMAIL_HOST = 'localhost'
-#EMAIL_HOST_USER = ''
-#EMAIL_HOST_PASSWORD = ''
-#EMAIL_PORT = 25
+# EMAIL_HOST = 'localhost'
+# EMAIL_HOST_USER = ''
+# EMAIL_HOST_PASSWORD = ''
+# EMAIL_PORT = 25
 
 # HTTPS Security
-#CSRF_COOKIE_SECURE = True
-#SESSION_COOKIE_SECURE = True
+# CSRF_COOKIE_SECURE = True
+# SESSION_COOKIE_SECURE = True
 
 # Idp
 # SAML 2.0 IDP
-#A2_IDP_SAML2_ENABLE = False
+# A2_IDP_SAML2_ENABLE = False
 # CAS 1.0 / 2.0 IDP
-#A2_IDP_CAS_ENABLE = False
+# A2_IDP_CAS_ENABLE = False
 
 # Authentifications
-#A2_AUTH_PASSWORD_ENABLE = True
-#A2_SSLAUTH_ENABLE = False
+# A2_AUTH_PASSWORD_ENABLE = True
+# A2_SSLAUTH_ENABLE = False
diff --git a/debian/multitenant/debian_config.py b/debian/multitenant/debian_config.py
index 6b9058a1..34502893 100644
--- a/debian/multitenant/debian_config.py
+++ b/debian/multitenant/debian_config.py
@@ -21,11 +21,13 @@ TENANT_SETTINGS_LOADERS = ('hobo.multitenant.settings_loaders.Authentic',) + TEN
 # Add authentic2 hobo agent
 INSTALLED_APPS = ('hobo.agent.authentic2',) + INSTALLED_APPS
 
-LOGGING['filters'].update({
-    'cleaning': {
-        '()':  'authentic2.utils.CleanLogMessage',
-    },
-})
+LOGGING['filters'].update(
+    {
+        'cleaning': {
+            '()': 'authentic2.utils.CleanLogMessage',
+        },
+    }
+)
 for handler in LOGGING['handlers'].values():
     handler.setdefault('filters', []).append('cleaning')
 
@@ -52,7 +54,7 @@ HOBO_ANONYMOUS_SERVICE_USER_CLASS = 'hobo.rest_authentication.AnonymousAuthentic
 
 HOBO_SKELETONS_DIR = os.path.join(VAR_DIR, 'skeletons')
 
-CONFIG_FILE='/etc/%s/config.py' % PROJECT_NAME
+CONFIG_FILE = '/etc/%s/config.py' % PROJECT_NAME
 if os.path.exists(CONFIG_FILE):
     with open(CONFIG_FILE) as fd:
         exec(fd.read())
diff --git a/doc/conf.py b/doc/conf.py
index 1662746a..1413d24e 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -16,16 +16,25 @@ import sys, os
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
-#sys.path.insert(0, os.path.abspath('.'))
+# sys.path.insert(0, os.path.abspath('.'))
 
 # -- General configuration -----------------------------------------------------
 
 # If your documentation needs a minimal Sphinx version, state it here.
-#needs_sphinx = '1.0'
+# needs_sphinx = '1.0'
 
 # Add any Sphinx extension module names here, as strings. They can be extensions
 # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = ['sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.imgmath', 'sphinx.ext.ifconfig', 'sphinx.ext.viewcode']
+extensions = [
+    'sphinx.ext.autodoc',
+    'sphinx.ext.doctest',
+    'sphinx.ext.intersphinx',
+    'sphinx.ext.todo',
+    'sphinx.ext.coverage',
+    'sphinx.ext.imgmath',
+    'sphinx.ext.ifconfig',
+    'sphinx.ext.viewcode',
+]
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -34,7 +43,7 @@ templates_path = ['_templates']
 source_suffix = '.rst'
 
 # The encoding of source files.
-#source_encoding = 'utf-8-sig'
+# source_encoding = 'utf-8-sig'
 
 # The master toctree document.
 master_doc = 'index'
@@ -54,37 +63,37 @@ release = '2.0.2'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
-#language = None
+# language = None
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
-#today = ''
+# today = ''
 # Else, today_fmt is used as the format for a strftime call.
-#today_fmt = '%B %d, %Y'
+# today_fmt = '%B %d, %Y'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
 exclude_patterns = ['_build']
 
 # The reST default role (used for this markup: `text`) to use for all documents.
-#default_role = None
+# default_role = None
 
 # If true, '()' will be appended to :func: etc. cross-reference text.
-#add_function_parentheses = True
+# add_function_parentheses = True
 
 # If true, the current module name will be prepended to all description
 # unit titles (such as .. function::).
-#add_module_names = True
+# add_module_names = True
 
 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
-#show_authors = False
+# show_authors = False
 
 # The name of the Pygments (syntax highlighting) style to use.
 pygments_style = 'sphinx'
 
 # A list of ignored prefixes for module index sorting.
-#modindex_common_prefix = []
+# modindex_common_prefix = []
 
 
 # -- Options for HTML output ---------------------------------------------------
@@ -96,17 +105,17 @@ html_theme = 'default'
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
-#html_theme_options = {}
+# html_theme_options = {}
 
 # Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
+# html_theme_path = []
 
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
-#html_title = None
+# html_title = None
 
 # A shorter title for the navigation bar.  Default is the same as html_title.
-#html_short_title = None
+# html_short_title = None
 
 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
@@ -115,7 +124,7 @@ html_logo = 'pictures/eo_logo_t.png'
 # The name of an image file (within the static path) to use as favicon of the
 # docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
 # pixels large.
-#html_favicon = None
+# html_favicon = None
 
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
@@ -124,44 +133,44 @@ html_static_path = ['_static']
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
-#html_last_updated_fmt = '%b %d, %Y'
+# html_last_updated_fmt = '%b %d, %Y'
 
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
-#html_use_smartypants = True
+# html_use_smartypants = True
 
 # Custom sidebar templates, maps document names to template names.
-#html_sidebars = {}
+# html_sidebars = {}
 
 # Additional templates that should be rendered to pages, maps page names to
 # template names.
-#html_additional_pages = {}
+# html_additional_pages = {}
 
 # If false, no module index is generated.
-#html_domain_indices = True
+# html_domain_indices = True
 
 # If false, no index is generated.
-#html_use_index = True
+# html_use_index = True
 
 # If true, the index is split into individual pages for each letter.
-#html_split_index = False
+# html_split_index = False
 
 # If true, links to the reST sources are added to the pages.
-#html_show_sourcelink = True
+# html_show_sourcelink = True
 
 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-#html_show_sphinx = True
+# html_show_sphinx = True
 
 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-#html_show_copyright = True
+# html_show_copyright = True
 
 # If true, an OpenSearch description file will be output, and all pages will
 # contain a <link> tag referring to it.  The value of this option must be the
 # base URL from which the finished HTML is served.
-#html_use_opensearch = ''
+# html_use_opensearch = ''
 
 # This is the file name suffix for HTML files (e.g. ".xhtml").
-#html_file_suffix = None
+# html_file_suffix = None
 
 # Output file base name for HTML help builder.
 htmlhelp_basename = 'Authentic2doc'
@@ -170,21 +179,18 @@ htmlhelp_basename = 'Authentic2doc'
 # -- Options for LaTeX output --------------------------------------------------
 
 latex_elements = {
-# The paper size ('letterpaper' or 'a4paper').
-#'papersize': 'letterpaper',
-
-# The font size ('10pt', '11pt' or '12pt').
-#'pointsize': '10pt',
-
-# Additional stuff for the LaTeX preamble.
-#'preamble': '',
+    # The paper size ('letterpaper' or 'a4paper').
+    #'papersize': 'letterpaper',
+    # The font size ('10pt', '11pt' or '12pt').
+    #'pointsize': '10pt',
+    # Additional stuff for the LaTeX preamble.
+    #'preamble': '',
 }
 
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title, author, documentclass [howto/manual]).
 latex_documents = [
-  ('index', 'Authentic2.tex', u'Authentic2 Documentation',
-   u'Entr\'ouvert', 'manual'),
+    ('index', 'Authentic2.tex', u'Authentic2 Documentation', u'Entr\'ouvert', 'manual'),
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
@@ -193,32 +199,29 @@ latex_logo = 'pictures/eo_logo.png'
 
 # For "manual" documents, if this is true, then toplevel headings are parts,
 # not chapters.
-#latex_use_parts = False
+# latex_use_parts = False
 
 # If true, show page references after internal links.
-#latex_show_pagerefs = False
+# latex_show_pagerefs = False
 
 # If true, show URL addresses after external links.
-#latex_show_urls = False
+# latex_show_urls = False
 
 # Documents to append as an appendix to all manuals.
-#latex_appendices = []
+# latex_appendices = []
 
 # If false, no module index is generated.
-#latex_domain_indices = True
+# latex_domain_indices = True
 
 
 # -- Options for manual page output --------------------------------------------
 
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
-man_pages = [
-    ('index', 'authentic2', u'Authentic2 Documentation',
-     [u'Mikaël Ates'], 1)
-]
+man_pages = [('index', 'authentic2', u'Authentic2 Documentation', [u'Mikaël Ates'], 1)]
 
 # If true, show URL addresses after external links.
-#man_show_urls = False
+# man_show_urls = False
 
 
 # -- Options for Texinfo output ------------------------------------------------
@@ -227,18 +230,25 @@ man_pages = [
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-  ('index', 'Authentic2', u'Authentic2 Documentation', u'Mikaël Ates',
-   'Authentic2', 'One line description of project.', 'Miscellaneous'),
+    (
+        'index',
+        'Authentic2',
+        u'Authentic2 Documentation',
+        u'Mikaël Ates',
+        'Authentic2',
+        'One line description of project.',
+        'Miscellaneous',
+    ),
 ]
 
 # Documents to append as an appendix to all manuals.
-#texinfo_appendices = []
+# texinfo_appendices = []
 
 # If false, no module index is generated.
-#texinfo_domain_indices = True
+# texinfo_domain_indices = True
 
 # How to display URL addresses: 'footnote', 'no', or 'inline'.
-#texinfo_show_urls = 'footnote'
+# texinfo_show_urls = 'footnote'
 
 
 # Example configuration for intersphinx: refer to the Python standard library.
diff --git a/merge-coverage.py b/merge-coverage.py
index 33666664..15577d5f 100755
--- a/merge-coverage.py
+++ b/merge-coverage.py
@@ -9,35 +9,70 @@ import re
 from shutil import copyfile
 from optparse import OptionParser
 
-### This file came from the https://github.com/flow123d/flow123d repo they were nice enough to spend time to write this. 
+### This file came from the https://github.com/flow123d/flow123d repo they were nice enough to spend time to write this.
 ### It is copied here for other people to use on its own.
 
 # parse arguments
-newline = 10*'\t';
-parser = OptionParser(usage="%prog [options] [file1 file2 ... filen]", version="%prog 1.0",
-    epilog = "If no files are specified all xml files in current directory will be selected. \n" +
-             "Useful when there is not known precise file name only location")
-
-parser.add_option("-o", "--output",     dest="filename",    default="coverage-merged.xml",
-    help="output file xml name", metavar="FILE")
-parser.add_option("-p", "--path",       dest="path",        default="./",
-    help="xml location, default current directory", metavar="FILE")
-parser.add_option("-l", "--log",        dest="loglevel",    default="DEBUG",
-    help="Log level DEBUG, INFO, WARNING, ERROR, CRITICAL")
-parser.add_option("-f", "--filteronly", dest="filteronly",  default=False, action='store_true',
-    help="If set all files will be filtered by keep rules otherwise "+
-		 "all given files will be merged and filtered.")
-parser.add_option("-s", "--suffix",     dest="suffix",      default='',
-    help="Additional suffix which will be added to filtered files so they original files can be preserved")
-parser.add_option("-k", "--keep",       dest="packagefilters", default=None,  metavar="NAME", action="append",
-    help="preserves only specific packages. e.g.: " + newline + 
-         "'python merge.py -k src.la.*'" + newline + 
-         "will keep all packgages in folder " +
-         "src/la/ and all subfolders of this folders. " + newline +
-         "There can be mutiple rules e.g.:" + newline + 
-         "'python merge.py -k src.la.* -k unit_tests.la.'" + newline +
-         "Format of the rule is simple dot (.) separated names with wildcard (*) allowed, e.g: " + newline +
-         "package.subpackage.*")
+newline = 10 * '\t'
+parser = OptionParser(
+    usage="%prog [options] [file1 file2 ... filen]",
+    version="%prog 1.0",
+    epilog="If no files are specified all xml files in current directory will be selected. \n"
+    + "Useful when there is not known precise file name only location",
+)
+
+parser.add_option(
+    "-o",
+    "--output",
+    dest="filename",
+    default="coverage-merged.xml",
+    help="output file xml name",
+    metavar="FILE",
+)
+parser.add_option(
+    "-p", "--path", dest="path", default="./", help="xml location, default current directory", metavar="FILE"
+)
+parser.add_option(
+    "-l", "--log", dest="loglevel", default="DEBUG", help="Log level DEBUG, INFO, WARNING, ERROR, CRITICAL"
+)
+parser.add_option(
+    "-f",
+    "--filteronly",
+    dest="filteronly",
+    default=False,
+    action='store_true',
+    help="If set all files will be filtered by keep rules otherwise "
+    + "all given files will be merged and filtered.",
+)
+parser.add_option(
+    "-s",
+    "--suffix",
+    dest="suffix",
+    default='',
+    help="Additional suffix which will be added to filtered files so they original files can be preserved",
+)
+parser.add_option(
+    "-k",
+    "--keep",
+    dest="packagefilters",
+    default=None,
+    metavar="NAME",
+    action="append",
+    help="preserves only specific packages. e.g.: "
+    + newline
+    + "'python merge.py -k src.la.*'"
+    + newline
+    + "will keep all packgages in folder "
+    + "src/la/ and all subfolders of this folders. "
+    + newline
+    + "There can be mutiple rules e.g.:"
+    + newline
+    + "'python merge.py -k src.la.* -k unit_tests.la.'"
+    + newline
+    + "Format of the rule is simple dot (.) separated names with wildcard (*) allowed, e.g: "
+    + newline
+    + "package.subpackage.*",
+)
 (options, args) = parser.parse_args()
 
 
@@ -45,218 +80,216 @@ parser.add_option("-k", "--keep",       dest="packagefilters", default=None,  me
 path = options.path
 xmlfiles = args
 loglevel = getattr(logging, options.loglevel.upper())
-finalxml = os.path.join (path, options.filename)
+finalxml = os.path.join(path, options.filename)
 filteronly = options.filteronly
 filtersuffix = options.suffix
 packagefilters = options.packagefilters
-logging.basicConfig (level=loglevel, format='%(levelname)s %(asctime)s: %(message)s', datefmt='%x %X')
-
+logging.basicConfig(level=loglevel, format='%(levelname)s %(asctime)s: %(message)s', datefmt='%x %X')
 
 
 if not xmlfiles:
-	for filename in os.listdir (path):
-	    if not filename.endswith ('.xml'): continue
-	    fullname = os.path.join (path, filename)
-	    if fullname == finalxml: continue
-	    xmlfiles.append (fullname)
-
-	if not xmlfiles:
-		print('No xml files found!')
-		sys.exit (1)
+    for filename in os.listdir(path):
+        if not filename.endswith('.xml'):
+            continue
+        fullname = os.path.join(path, filename)
+        if fullname == finalxml:
+            continue
+        xmlfiles.append(fullname)
+
+    if not xmlfiles:
+        print('No xml files found!')
+        sys.exit(1)
 
 else:
-	xmlfiles=[path+filename for filename in xmlfiles]
-
+    xmlfiles = [path + filename for filename in xmlfiles]
 
 
 # constants
-PACKAGES_LIST = 'packages/package';
+PACKAGES_LIST = 'packages/package'
 PACKAGES_ROOT = 'packages'
-CLASSES_LIST = 'classes/class';
+CLASSES_LIST = 'classes/class'
 CLASSES_ROOT = 'classes'
-METHODS_LIST = 'methods/method';
+METHODS_LIST = 'methods/method'
 METHODS_ROOT = 'methods'
-LINES_LIST = 'lines/line';
+LINES_LIST = 'lines/line'
 LINES_ROOT = 'lines'
 
 
+def merge_xml(xmlfile1, xmlfile2, outputfile):
+    # parse
+    xml1 = ET.parse(xmlfile1)
+    xml2 = ET.parse(xmlfile2)
 
-def merge_xml (xmlfile1, xmlfile2, outputfile):
-	# parse
-	xml1 = ET.parse(xmlfile1)
-	xml2 = ET.parse(xmlfile2)
-
-	# get packages
-	packages1 = filter_xml(xml1)
-	packages2 = filter_xml(xml2)
+    # get packages
+    packages1 = filter_xml(xml1)
+    packages2 = filter_xml(xml2)
 
-	# find root
-	packages1root = xml1.find(PACKAGES_ROOT)
+    # find root
+    packages1root = xml1.find(PACKAGES_ROOT)
 
+    # merge packages
+    merge(packages1root, packages1, packages2, 'name', merge_packages)
 
-	# merge packages
-	merge (packages1root, packages1, packages2, 'name', merge_packages);
+    # write result to output file
+    xml1.write(outputfile, encoding="UTF-8", xml_declaration=True)
 
-	# write result to output file
-	xml1.write (outputfile,  encoding="UTF-8", xml_declaration=True)
 
+def filter_xml(xmlfile):
+    xmlroot = xmlfile.getroot()
+    packageroot = xmlfile.find(PACKAGES_ROOT)
+    packages = xmlroot.findall(PACKAGES_LIST)
 
-def filter_xml (xmlfile):
-	xmlroot = xmlfile.getroot()
-	packageroot = xmlfile.find(PACKAGES_ROOT)
-	packages = xmlroot.findall (PACKAGES_LIST)
+    # delete nodes from tree AND from list
+    included = []
+    if packagefilters:
+        logging.debug('excluding packages:')
+    for pckg in packages:
+        name = pckg.get('name')
+        if not include_package(name):
+            logging.debug('excluding package "{0}"'.format(name))
+            packageroot.remove(pckg)
+        else:
+            included.append(pckg)
+    return included
 
-	# delete nodes from tree AND from list
-	included = []
-	if packagefilters: logging.debug ('excluding packages:')
-	for pckg in packages:
-		name = pckg.get('name')
-		if not include_package (name):
-			logging.debug ('excluding package "{0}"'.format(name))
-			packageroot.remove (pckg)
-		else:
-			included.append (pckg)
-	return included
 
+def prepare_packagefilters():
+    if not packagefilters:
+        return None
 
-def prepare_packagefilters ():
-	if not packagefilters:
-		return None
+    # create simple regexp from given filter
+    for i in range(len(packagefilters)):
+        packagefilters[i] = '^' + packagefilters[i].replace('.', '\.').replace('*', '.*') + '$'
 
-	# create simple regexp from given filter
-	for i in range (len (packagefilters)):
-		packagefilters[i] = '^' + packagefilters[i].replace ('.', '\.').replace ('*', '.*') + '$'
 
+def include_package(name):
+    if not packagefilters:
+        return True
 
+    for packagefilter in packagefilters:
+        if re.search(packagefilter, name):
+            return True
+    return False
 
-def include_package (name):
-	if not packagefilters:
-		return True
 
-	for packagefilter in packagefilters:
-		if re.search(packagefilter, name):
-			return True
-	return False
+def get_attributes_chain(obj, attrs):
+    """Return a joined arguments of object based on given arguments"""
 
-def get_attributes_chain (obj, attrs):
-	"""Return a joined arguments of object based on given arguments"""
+    if type(attrs) is list:
+        result = ''
+        for attr in attrs:
+            result += obj.attrib[attr]
+        return result
+    else:
+        return obj.attrib[attrs]
 
-	if type(attrs) is list:
-		result = ''
-		for attr in attrs:
-			result += obj.attrib[attr]
-		return result
-	else:
-		return 	obj.attrib[attrs]
 
+def merge(root, list1, list2, attr, merge_function):
+    """Groups given lists based on group attributes. Process of merging items with same key is handled by
+    passed merge_function. Returns list1."""
+    for item2 in list2:
+        found = False
+        for item1 in list1:
+            if get_attributes_chain(item1, attr) == get_attributes_chain(item2, attr):
+                item1 = merge_function(item1, item2)
+                found = True
+                break
+        if found:
+            continue
+        else:
+            root.append(item2)
 
-def merge (root, list1, list2, attr, merge_function):
-	""" Groups given lists based on group attributes. Process of merging items with same key is handled by
-		passed merge_function. Returns list1. """
-	for item2 in list2:
-		found = False
-		for item1 in list1:
-			if get_attributes_chain(item1, attr) == get_attributes_chain(item2, attr):
-				item1 = merge_function (item1, item2)
-				found = True
-				break
-		if found:
-			continue
-		else:
-			root.append(item2)
 
+def merge_packages(package1, package2):
+    """Merges two packages. Returns package1."""
+    classes1 = package1.findall(CLASSES_LIST)
+    classes2 = package2.findall(CLASSES_LIST)
+    if classes1 or classes2:
+        merge(package1.find(CLASSES_ROOT), classes1, classes2, ['filename', 'name'], merge_classes)
 
-def merge_packages (package1, package2):
-	"""Merges two packages. Returns package1."""
-	classes1 = package1.findall (CLASSES_LIST);
-	classes2 = package2.findall (CLASSES_LIST);
-	if classes1 or classes2:
-		merge (package1.find (CLASSES_ROOT), classes1, classes2, ['filename','name'], merge_classes);
+    return package1
 
-	return package1
 
+def merge_classes(class1, class2):
+    """Merges two classes. Returns class1."""
 
-def merge_classes (class1, class2):
-	"""Merges two classes. Returns class1."""
+    lines1 = class1.findall(LINES_LIST)
+    lines2 = class2.findall(LINES_LIST)
+    if lines1 or lines2:
+        merge(class1.find(LINES_ROOT), lines1, lines2, 'number', merge_lines)
 
-	lines1 = class1.findall (LINES_LIST);
-	lines2 = class2.findall (LINES_LIST);
-	if lines1 or lines2:
-		merge (class1.find (LINES_ROOT), lines1, lines2, 'number', merge_lines);
+    methods1 = class1.findall(METHODS_LIST)
+    methods2 = class2.findall(METHODS_LIST)
+    if methods1 or methods2:
+        merge(class1.find(METHODS_ROOT), methods1, methods2, 'name', merge_methods)
 
-	methods1 = class1.findall (METHODS_LIST)
-	methods2 = class2.findall (METHODS_LIST)
-	if methods1 or methods2:
-		merge (class1.find (METHODS_ROOT), methods1, methods2, 'name', merge_methods);
+    return class1
 
-	return class1
 
+def merge_methods(method1, method2):
+    """Merges two methods. Returns method1."""
 
-def merge_methods (method1, method2):
-	"""Merges two methods. Returns method1."""
+    lines1 = method1.findall(LINES_LIST)
+    lines2 = method2.findall(LINES_LIST)
+    merge(method1.find(LINES_ROOT), lines1, lines2, 'number', merge_lines)
 
-	lines1 = method1.findall (LINES_LIST);
-	lines2 = method2.findall (LINES_LIST);
-	merge (method1.find (LINES_ROOT), lines1, lines2, 'number', merge_lines);
 
+def merge_lines(line1, line2):
+    """Merges two lines by summing their hits. Returns line1."""
 
-def merge_lines (line1, line2):
-	"""Merges two lines by summing their hits. Returns line1."""
+    # merge hits
+    value = int(line1.get('hits')) + int(line2.get('hits'))
+    line1.set('hits', str(value))
 
-	# merge hits
-	value = int (line1.get('hits')) + int (line2.get('hits'))
-	line1.set ('hits', str(value))
+    # merge conditionals
+    con1 = line1.get('condition-coverage')
+    con2 = line2.get('condition-coverage')
+    if con1 is not None and con2 is not None:
+        con1value = int(con1.split('%')[0])
+        con2value = int(con2.split('%')[0])
+        # bigger coverage on second line, swap their conditionals
+        if con2value > con1value:
+            line1.set('condition-coverage', str(con2))
+            line1.__setitem__(0, line2.__getitem__(0))
 
-	# merge conditionals
-	con1 = line1.get('condition-coverage')
-	con2 = line2.get('condition-coverage')
-	if (con1 is not None and con2 is not None):
-		con1value = int(con1.split('%')[0])
-		con2value = int(con2.split('%')[0])
-		# bigger coverage on second line, swap their conditionals
-		if (con2value > con1value):
-			line1.set ('condition-coverage', str(con2))
-			line1.__setitem__(0, line2.__getitem__(0))
+    return line1
 
-	return line1
 
 # prepare filters
-prepare_packagefilters ()
+prepare_packagefilters()
 
 
 if filteronly:
-	# filter all given files
-	currfile = 1
-	totalfiles = len (xmlfiles)
-	for xmlfile in xmlfiles:
-		xml = ET.parse(xmlfile)
-		filter_xml(xml)
-		logging.debug ('{1}/{2} filtering: {0}'.format (xmlfile, currfile, totalfiles))
-		xml.write (xmlfile + filtersuffix,  encoding="UTF-8", xml_declaration=True)
-		currfile += 1
+    # filter all given files
+    currfile = 1
+    totalfiles = len(xmlfiles)
+    for xmlfile in xmlfiles:
+        xml = ET.parse(xmlfile)
+        filter_xml(xml)
+        logging.debug('{1}/{2} filtering: {0}'.format(xmlfile, currfile, totalfiles))
+        xml.write(xmlfile + filtersuffix, encoding="UTF-8", xml_declaration=True)
+        currfile += 1
 else:
-	# merge all given files
-	totalfiles = len (xmlfiles)
-
-	# special case if only one file was given
-	# filter given file and save it
-	if (totalfiles == 1):
-		logging.warning ('Only one file given!')
-		xmlfile = xmlfiles.pop(0)
-		xml = ET.parse(xmlfile)
-		filter_xml(xml)
-		xml.write (finalxml,  encoding="UTF-8", xml_declaration=True)
-		sys.exit (0)
-
-
-	currfile = 1
-	logging.debug ('{2}/{3} merging: {0} & {1}'.format (xmlfiles[0], xmlfiles[1], currfile, totalfiles-1))
-	merge_xml (xmlfiles[0], xmlfiles[1], finalxml)
-
-
-	currfile = 2
-	for i in range (totalfiles-2):
-		xmlfile = xmlfiles[i+2]
-		logging.debug ('{2}/{3} merging: {0} & {1}'.format (finalxml, xmlfile, currfile, totalfiles-1))
-		merge_xml (finalxml, xmlfile, finalxml)
-		currfile += 1
+    # merge all given files
+    totalfiles = len(xmlfiles)
+
+    # special case if only one file was given
+    # filter given file and save it
+    if totalfiles == 1:
+        logging.warning('Only one file given!')
+        xmlfile = xmlfiles.pop(0)
+        xml = ET.parse(xmlfile)
+        filter_xml(xml)
+        xml.write(finalxml, encoding="UTF-8", xml_declaration=True)
+        sys.exit(0)
+
+    currfile = 1
+    logging.debug('{2}/{3} merging: {0} & {1}'.format(xmlfiles[0], xmlfiles[1], currfile, totalfiles - 1))
+    merge_xml(xmlfiles[0], xmlfiles[1], finalxml)
+
+    currfile = 2
+    for i in range(totalfiles - 2):
+        xmlfile = xmlfiles[i + 2]
+        logging.debug('{2}/{3} merging: {0} & {1}'.format(finalxml, xmlfile, currfile, totalfiles - 1))
+        merge_xml(finalxml, xmlfile, finalxml)
+        currfile += 1
diff --git a/setup.py b/setup.py
index d87a45b1..50dbe9c2 100755
--- a/setup.py
+++ b/setup.py
@@ -31,6 +31,7 @@ class compile_translations(Command):
         try:
             os.environ.pop('DJANGO_SETTINGS_MODULE', None)
             from django.core.management import call_command
+
             for dir in glob.glob('src/*'):
                 for path, dirs, files in os.walk(dir):
                     if 'locale' not in dirs:
@@ -74,15 +75,18 @@ class install_lib(_install_lib):
 
 
 def get_version():
-    '''Use the VERSION, if absent generates a version with git describe, if not
-       tag exists, take 0.0- and add the length of the commit log.
-    '''
+    """Use the VERSION, if absent generates a version with git describe, if not
+    tag exists, take 0.0- and add the length of the commit log.
+    """
     if os.path.exists('VERSION'):
         with open('VERSION', 'r') as v:
             return v.read()
     if os.path.exists('.git'):
-        p = subprocess.Popen(['git', 'describe', '--dirty=.dirty','--match=v*'], stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
+        p = subprocess.Popen(
+            ['git', 'describe', '--dirty=.dirty', '--match=v*'],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        )
         result = p.communicate()[0]
         if p.returncode == 0:
             result = result.decode('ascii').strip()[1:]  # strip spaces/newlines and initial v
@@ -93,77 +97,77 @@ def get_version():
                 version = result
             return version
         else:
-            return '0.0.post%s' % len(
-                subprocess.check_output(
-                    ['git', 'rev-list', 'HEAD']).splitlines())
+            return '0.0.post%s' % len(subprocess.check_output(['git', 'rev-list', 'HEAD']).splitlines())
     return '0.0'
 
 
-setup(name="authentic2",
-      version=get_version(),
-      license="AGPLv3+",
-      description="Authentic 2, a versatile identity management server",
-      url="http://dev.entrouvert.org/projects/authentic/",
-      author="Entr'ouvert",
-      author_email="authentic@listes.entrouvert.com",
-      maintainer="Benjamin Dauvergne",
-      maintainer_email="bdauvergne@entrouvert.com",
-      scripts=('authentic2-ctl',),
-      packages=find_packages('src'),
-      package_dir={
-          '': 'src',
-      },
-      include_package_data=True,
-      install_requires=[
-          'django>=1.11,<2.3',
-          'requests>=2.3',
-          'requests-oauthlib',
-          'django-model-utils>=2.4,<4',
-          'dnspython>=1.10',
-          'Django-Select2>5,<6',
-          'django-tables2>=1.0,<2.0',
-          'django-ratelimit',
-          'gadjo>=0.53',
-          'django-import-export>=1,<2',
-          'djangorestframework>=3.3,<3.10',
-          'six>=1',
-          'Markdown>=2.1',
-          'python-ldap',
-          'django-filter>1,<2.3',
-          'pycryptodomex',
-          'django-mellon>=1.22',
-          'ldaptools',
-          'jwcrypto>=0.3.1,<1',
-          'cryptography',
-          'XStatic-jQuery<2',
-          'XStatic-jquery-ui',
-          'xstatic-select2',
-          'pillow',
-          'tablib',
-          'chardet',
-          'attrs>17',
-          'atomicwrites',
-      ],
-      zip_safe=False,
-      classifiers=[
-          "Development Status :: 5 - Production/Stable",
-          "Environment :: Web Environment",
-          "Framework :: Django",
-          'Intended Audience :: End Users/Desktop',
-          'Intended Audience :: Developers',
-          'Intended Audience :: System Administrators',
-          'Intended Audience :: Information Technology',
-          'Intended Audience :: Legal Industry',
-          'Intended Audience :: Science/Research',
-          'Intended Audience :: Telecommunications Industry',
-          "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)",
-          "Operating System :: OS Independent",
-          "Programming Language :: Python",
-          "Topic :: System :: Systems Administration :: Authentication/Directory",
-      ],
-      cmdclass={
-          'build': build,
-          'install_lib': install_lib,
-          'compile_translations': compile_translations,
-          'sdist': sdist,
-      })
+setup(
+    name="authentic2",
+    version=get_version(),
+    license="AGPLv3+",
+    description="Authentic 2, a versatile identity management server",
+    url="http://dev.entrouvert.org/projects/authentic/",
+    author="Entr'ouvert",
+    author_email="authentic@listes.entrouvert.com",
+    maintainer="Benjamin Dauvergne",
+    maintainer_email="bdauvergne@entrouvert.com",
+    scripts=('authentic2-ctl',),
+    packages=find_packages('src'),
+    package_dir={
+        '': 'src',
+    },
+    include_package_data=True,
+    install_requires=[
+        'django>=1.11,<2.3',
+        'requests>=2.3',
+        'requests-oauthlib',
+        'django-model-utils>=2.4,<4',
+        'dnspython>=1.10',
+        'Django-Select2>5,<6',
+        'django-tables2>=1.0,<2.0',
+        'django-ratelimit',
+        'gadjo>=0.53',
+        'django-import-export>=1,<2',
+        'djangorestframework>=3.3,<3.10',
+        'six>=1',
+        'Markdown>=2.1',
+        'python-ldap',
+        'django-filter>1,<2.3',
+        'pycryptodomex',
+        'django-mellon>=1.22',
+        'ldaptools',
+        'jwcrypto>=0.3.1,<1',
+        'cryptography',
+        'XStatic-jQuery<2',
+        'XStatic-jquery-ui',
+        'xstatic-select2',
+        'pillow',
+        'tablib',
+        'chardet',
+        'attrs>17',
+        'atomicwrites',
+    ],
+    zip_safe=False,
+    classifiers=[
+        "Development Status :: 5 - Production/Stable",
+        "Environment :: Web Environment",
+        "Framework :: Django",
+        'Intended Audience :: End Users/Desktop',
+        'Intended Audience :: Developers',
+        'Intended Audience :: System Administrators',
+        'Intended Audience :: Information Technology',
+        'Intended Audience :: Legal Industry',
+        'Intended Audience :: Science/Research',
+        'Intended Audience :: Telecommunications Industry',
+        "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)",
+        "Operating System :: OS Independent",
+        "Programming Language :: Python",
+        "Topic :: System :: Systems Administration :: Authentication/Directory",
+    ],
+    cmdclass={
+        'build': build,
+        'install_lib': install_lib,
+        'compile_translations': compile_translations,
+        'sdist': sdist,
+    },
+)
diff --git a/src/authentic2/a2_rbac/admin.py b/src/authentic2/a2_rbac/admin.py
index b35745e2..1c5c46d8 100644
--- a/src/authentic2/a2_rbac/admin.py
+++ b/src/authentic2/a2_rbac/admin.py
@@ -27,8 +27,7 @@ class RoleParentInline(admin.TabularInline):
     fields = ['parent']
 
     def get_queryset(self, request):
-        return super(RoleParentInline, self).get_queryset(request) \
-            .filter(direct=True)
+        return super(RoleParentInline, self).get_queryset(request).filter(direct=True)
 
 
 class RoleChildInline(admin.TabularInline):
@@ -37,8 +36,7 @@ class RoleChildInline(admin.TabularInline):
     fields = ['child']
 
     def get_queryset(self, request):
-        return super(RoleChildInline, self).get_queryset(request) \
-            .filter(direct=True)
+        return super(RoleChildInline, self).get_queryset(request).filter(direct=True)
 
 
 class RoleAttributeInline(admin.TabularInline):
@@ -47,8 +45,18 @@ class RoleAttributeInline(admin.TabularInline):
 
 class RoleAdmin(admin.ModelAdmin):
     inlines = [RoleChildInline, RoleParentInline]
-    fields = ('uuid', 'name', 'slug', 'description', 'ou', 'members',
-              'permissions', 'admin_scope_ct', 'admin_scope_id', 'service')
+    fields = (
+        'uuid',
+        'name',
+        'slug',
+        'description',
+        'ou',
+        'members',
+        'permissions',
+        'admin_scope_ct',
+        'admin_scope_id',
+        'service',
+    )
     readonly_fields = ('uuid',)
     prepopulated_fields = {"slug": ("name",)}
     filter_horizontal = ('members', 'permissions')
@@ -59,9 +67,18 @@ class RoleAdmin(admin.ModelAdmin):
 
 
 class OrganizationalUnitAdmin(admin.ModelAdmin):
-    fields = ('uuid', 'name', 'slug', 'description', 'username_is_unique',
-              'email_is_unique', 'default', 'validate_emails',
-              'user_can_reset_password', 'user_add_password_policy')
+    fields = (
+        'uuid',
+        'name',
+        'slug',
+        'description',
+        'username_is_unique',
+        'email_is_unique',
+        'default',
+        'validate_emails',
+        'user_can_reset_password',
+        'user_add_password_policy',
+    )
     readonly_fields = ('uuid',)
     prepopulated_fields = {"slug": ("name",)}
     list_display = ('name', 'slug')
@@ -74,8 +91,10 @@ class PermissionAdmin(admin.ModelAdmin):
 
     def name(self, obj):
         return six.text_type(obj)
+
     name.short_description = _('name')
 
+
 admin.site.register(models.Role, RoleAdmin)
 admin.site.register(models.OrganizationalUnit, OrganizationalUnitAdmin)
 admin.site.register(models.Permission, PermissionAdmin)
diff --git a/src/authentic2/a2_rbac/app_settings.py b/src/authentic2/a2_rbac/app_settings.py
index 35f0ccfc..515e9972 100644
--- a/src/authentic2/a2_rbac/app_settings.py
+++ b/src/authentic2/a2_rbac/app_settings.py
@@ -28,6 +28,7 @@ class AppSettings(object):
 
     def _setting(self, name, dflt):
         from django.conf import settings
+
         return getattr(settings, name, dflt)
 
     def _setting_with_prefix(self, name, dflt):
diff --git a/src/authentic2/a2_rbac/apps.py b/src/authentic2/a2_rbac/apps.py
index 65cb2f00..737ea51f 100644
--- a/src/authentic2/a2_rbac/apps.py
+++ b/src/authentic2/a2_rbac/apps.py
@@ -27,26 +27,12 @@ class Authentic2RBACConfig(AppConfig):
         from authentic2.models import Service
 
         # update rbac on save to contenttype, ou and roles
-        post_save.connect(
-            signal_handlers.update_rbac_on_ou_post_save,
-            sender=models.OrganizationalUnit)
-        post_delete.connect(
-            signal_handlers.update_rbac_on_ou_post_delete,
-            sender=models.OrganizationalUnit)
+        post_save.connect(signal_handlers.update_rbac_on_ou_post_save, sender=models.OrganizationalUnit)
+        post_delete.connect(signal_handlers.update_rbac_on_ou_post_delete, sender=models.OrganizationalUnit)
         # keep service role and service ou field in sync
         for subclass in Service.__subclasses__():
-            post_save.connect(
-                signal_handlers.update_service_role_ou,
-                sender=subclass)
-        post_save.connect(
-            signal_handlers.update_service_role_ou,
-            sender=Service)
-        post_migrate.connect(
-            signal_handlers.create_default_ou,
-            sender=self)
-        post_migrate.connect(
-            signal_handlers.create_default_permissions,
-            sender=self)
-        post_migrate.connect(
-            signal_handlers.post_migrate_update_rbac,
-            sender=self)
+            post_save.connect(signal_handlers.update_service_role_ou, sender=subclass)
+        post_save.connect(signal_handlers.update_service_role_ou, sender=Service)
+        post_migrate.connect(signal_handlers.create_default_ou, sender=self)
+        post_migrate.connect(signal_handlers.create_default_permissions, sender=self)
+        post_migrate.connect(signal_handlers.post_migrate_update_rbac, sender=self)
diff --git a/src/authentic2/a2_rbac/fields.py b/src/authentic2/a2_rbac/fields.py
index c269d3bf..4b447f9b 100644
--- a/src/authentic2/a2_rbac/fields.py
+++ b/src/authentic2/a2_rbac/fields.py
@@ -19,9 +19,10 @@ from django import forms
 
 
 class UniqueBooleanField(NullBooleanField):
-    '''BooleanField allowing only one True value in the table, and preventing
-       problems with multiple False values by implicitely converting them to
-       None.'''
+    """BooleanField allowing only one True value in the table, and preventing
+    problems with multiple False values by implicitely converting them to
+    None."""
+
     def __init__(self, *args, **kwargs):
         kwargs['unique'] = True
         kwargs['blank'] = True
@@ -44,8 +45,7 @@ class UniqueBooleanField(NullBooleanField):
         return value
 
     def get_db_prep_value(self, value, connection, prepared=False):
-        value = super(UniqueBooleanField, self).get_db_prep_value(
-                value, connection, prepared=prepared)
+        value = super(UniqueBooleanField, self).get_db_prep_value(value, connection, prepared=prepared)
         if value is False:
             return None
         return value
diff --git a/src/authentic2/a2_rbac/management.py b/src/authentic2/a2_rbac/management.py
index 129e408d..030d701f 100644
--- a/src/authentic2/a2_rbac/management.py
+++ b/src/authentic2/a2_rbac/management.py
@@ -33,8 +33,7 @@ def update_ou_admin_roles(ou):
     Role = get_role_model()
 
     if app_settings.MANAGED_CONTENT_TYPES == ():
-        Role.objects.filter(slug='a2-managers-of-{ou.slug}'.format(ou=ou)) \
-            .delete()
+        Role.objects.filter(slug='a2-managers-of-{ou.slug}'.format(ou=ou)).delete()
     else:
         ou_admin_role = ou.get_admin_role()
 
@@ -55,14 +54,9 @@ def update_ou_admin_roles(ou):
             continue
         else:
             ou_ct_admin_role = Role.objects.get_admin_role(
-                instance=ct,
-                ou=ou,
-                name=name,
-                slug=ou_slug,
-                update_slug=True,
-                update_name=True)
-        if not app_settings.MANAGED_CONTENT_TYPES or \
-                key in app_settings.MANAGED_CONTENT_TYPES:
+                instance=ct, ou=ou, name=name, slug=ou_slug, update_slug=True, update_name=True
+            )
+        if not app_settings.MANAGED_CONTENT_TYPES or key in app_settings.MANAGED_CONTENT_TYPES:
             ou_ct_admin_role.add_child(ou_admin_role)
         else:
             ou_ct_admin_role.remove_child(ou_admin_role)
@@ -72,10 +66,10 @@ def update_ou_admin_roles(ou):
 
 
 def update_ous_admin_roles():
-    '''Create general admin roles linked to all organizational units,
-       they give general administrative rights to all mamanged content types
-       scoped to the given organizational unit.
-    '''
+    """Create general admin roles linked to all organizational units,
+    they give general administrative rights to all mamanged content types
+    scoped to the given organizational unit.
+    """
     OU = get_ou_model()
     ou_all = OU.objects.all()
     if len(ou_all) < 2:
@@ -85,6 +79,7 @@ def update_ous_admin_roles():
     for ou in ou_all:
         update_ou_admin_roles(ou)
 
+
 MANAGED_CT = {
     ('a2_rbac', 'role'): {
         'name': _('Manager of roles'),
@@ -108,9 +103,9 @@ MANAGED_CT = {
 
 
 def update_content_types_roles():
-    '''Create general and scoped management roles for all managed content
-       types.
-    '''
+    """Create general and scoped management roles for all managed content
+    types.
+    """
     cts = ContentType.objects.all()
     Role = get_role_model()
     view_user_perm = utils.get_view_user_perm()
@@ -120,10 +115,7 @@ def update_content_types_roles():
     if app_settings.MANAGED_CONTENT_TYPES == ():
         Role.objects.filter(slug=slug).delete()
     else:
-        admin_role, created = Role.objects.get_or_create(
-            slug=slug,
-            defaults=dict(
-                name=ugettext('Manager')))
+        admin_role, created = Role.objects.get_or_create(slug=slug, defaults=dict(name=ugettext('Manager')))
         admin_role.add_self_administration()
         if not created and admin_role.name != ugettext('Manager'):
             admin_role.name = ugettext('Manager')
@@ -136,15 +128,15 @@ def update_content_types_roles():
         # General admin role
         name = six.text_type(MANAGED_CT[ct_tuple]['name'])
         slug = '_a2-' + slugify(name)
-        if app_settings.MANAGED_CONTENT_TYPES is not None and ct_tuple not in \
-                app_settings.MANAGED_CONTENT_TYPES:
+        if (
+            app_settings.MANAGED_CONTENT_TYPES is not None
+            and ct_tuple not in app_settings.MANAGED_CONTENT_TYPES
+        ):
             Role.objects.filter(slug=slug).delete()
             continue
-        ct_admin_role = Role.objects.get_admin_role(instance=ct, name=name,
-                                                    slug=slug,
-                                                    update_name=True,
-                                                    update_slug=True,
-                                                    create=True)
+        ct_admin_role = Role.objects.get_admin_role(
+            instance=ct, name=name, slug=slug, update_name=True, update_slug=True, create=True
+        )
         if MANAGED_CT[ct_tuple].get('must_view_user'):
             ct_admin_role.permissions.add(view_user_perm)
         if MANAGED_CT[ct_tuple].get('must_manage_authorizations_user'):
diff --git a/src/authentic2/a2_rbac/managers.py b/src/authentic2/a2_rbac/managers.py
index 6aea627a..98066503 100644
--- a/src/authentic2/a2_rbac/managers.py
+++ b/src/authentic2/a2_rbac/managers.py
@@ -28,13 +28,27 @@ class OrganizationalUnitManager(AbstractBaseManager):
 
 
 class RoleManager(BaseRoleManager):
-    def get_admin_role(self, instance, name, slug, ou=None, operation=ADMIN_OP,
-                       update_name=False, update_slug=False, permissions=(),
-                       self_administered=False, create=True):
+    def get_admin_role(
+        self,
+        instance,
+        name,
+        slug,
+        ou=None,
+        operation=ADMIN_OP,
+        update_name=False,
+        update_slug=False,
+        permissions=(),
+        self_administered=False,
+        create=True,
+    ):
         '''Get or create the role of manager's of this object instance'''
         kwargs = {}
-        assert not ou or isinstance(instance, ContentType), (
-            'get_admin_role(ou=...) can only be used with ContentType instances: %s %s %s' % (name, ou, instance)
+        assert not ou or isinstance(
+            instance, ContentType
+        ), 'get_admin_role(ou=...) can only be used with ContentType instances: %s %s %s' % (
+            name,
+            ou,
+            instance,
         )
 
         # Does the permission need to be scoped by ou ? Yes if the target is a
@@ -57,14 +71,16 @@ class RoleManager(BaseRoleManager):
                 target_ct=ContentType.objects.get_for_model(instance),
                 target_id=instance.pk,
                 defaults=defaults,
-                **kwargs)
+                **kwargs,
+            )
         else:
             try:
                 perm = Permission.objects.get(
                     operation=op,
                     target_ct=ContentType.objects.get_for_model(instance),
                     target_id=instance.pk,
-                    **kwargs)
+                    **kwargs,
+                )
             except Permission.DoesNotExist:
                 return None
 
@@ -75,10 +91,15 @@ class RoleManager(BaseRoleManager):
             mirror_role_ou = instance.ou
         else:
             mirror_role_ou = None
-        admin_role = self.get_mirror_role(perm, name, slug, ou=mirror_role_ou,
-                                          update_name=update_name,
-                                          update_slug=update_slug,
-                                          create=create)
+        admin_role = self.get_mirror_role(
+            perm,
+            name,
+            slug,
+            ou=mirror_role_ou,
+            update_name=update_name,
+            update_slug=update_slug,
+            create=create,
+        )
 
         if not admin_role:
             return None
@@ -92,11 +113,12 @@ class RoleManager(BaseRoleManager):
             admin_role.permissions.set(permissions)
         return admin_role
 
-    def get_mirror_role(self, instance, name, slug, ou=None,
-                        update_name=False, update_slug=False, create=True):
-        '''Get or create a role which mirrors another model, for example a
-           permission.
-        '''
+    def get_mirror_role(
+        self, instance, name, slug, ou=None, update_name=False, update_slug=False, create=True
+    ):
+        """Get or create a role which mirrors another model, for example a
+        permission.
+        """
         ct = ContentType.objects.get_for_model(instance)
         update_fields = {}
         kwargs = {}
@@ -111,16 +133,13 @@ class RoleManager(BaseRoleManager):
 
         if create:
             role, _ = self.prefetch_related('permissions').update_or_create(
-                admin_scope_ct=ct,
-                admin_scope_id=instance.pk,
-                defaults=update_fields,
-                **kwargs)
+                admin_scope_ct=ct, admin_scope_id=instance.pk, defaults=update_fields, **kwargs
+            )
         else:
             try:
                 role = self.prefetch_related('permissions').get(
-                    admin_scope_ct=ct,
-                    admin_scope_id=instance.pk,
-                    **kwargs)
+                    admin_scope_ct=ct, admin_scope_id=instance.pk, **kwargs
+                )
             except self.model.DoesNotExist:
                 return None
             for field, value in update_fields.items():
diff --git a/src/authentic2/a2_rbac/migrations/0001_initial.py b/src/authentic2/a2_rbac/migrations/0001_initial.py
index 82d5808b..c6106014 100644
--- a/src/authentic2/a2_rbac/migrations/0001_initial.py
+++ b/src/authentic2/a2_rbac/migrations/0001_initial.py
@@ -20,12 +20,23 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OrganizationalUnit',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('uuid', models.CharField(default=authentic2.utils.get_hex_uuid, unique=True, max_length=32, verbose_name='uuid')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=authentic2.utils.get_hex_uuid, unique=True, max_length=32, verbose_name='uuid'
+                    ),
+                ),
                 ('name', models.CharField(max_length=256, verbose_name='name')),
                 ('slug', models.SlugField(max_length=256, verbose_name='slug')),
                 ('description', models.TextField(verbose_name='description', blank=True)),
-                ('default', authentic2.a2_rbac.fields.UniqueBooleanField(verbose_name='Default organizational unit')),
+                (
+                    'default',
+                    authentic2.a2_rbac.fields.UniqueBooleanField(verbose_name='Default organizational unit'),
+                ),
             ],
             options={
                 'verbose_name': 'organizational unit',
@@ -36,11 +47,33 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Permission',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('target_id', models.PositiveIntegerField()),
-                ('operation', models.ForeignKey(verbose_name='operation', to='django_rbac.Operation', on_delete=models.CASCADE)),
-                ('ou', models.ForeignKey(related_name='scoped_permission', verbose_name='organizational unit', to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE)),
-                ('target_ct', models.ForeignKey(related_name='+', to='contenttypes.ContentType', on_delete=models.CASCADE)),
+                (
+                    'operation',
+                    models.ForeignKey(
+                        verbose_name='operation', to='django_rbac.Operation', on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'ou',
+                    models.ForeignKey(
+                        related_name='scoped_permission',
+                        verbose_name='organizational unit',
+                        to=settings.RBAC_OU_MODEL,
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'target_ct',
+                    models.ForeignKey(
+                        related_name='+', to='contenttypes.ContentType', on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'permission',
@@ -51,17 +84,65 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Role',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('uuid', models.CharField(default=authentic2.utils.get_hex_uuid, unique=True, max_length=32, verbose_name='uuid')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=authentic2.utils.get_hex_uuid, unique=True, max_length=32, verbose_name='uuid'
+                    ),
+                ),
                 ('name', models.CharField(max_length=256, verbose_name='name')),
                 ('slug', models.SlugField(max_length=256, verbose_name='slug')),
                 ('description', models.TextField(verbose_name='description', blank=True)),
-                ('admin_scope_id', models.PositiveIntegerField(null=True, verbose_name='administrative scope id', blank=True)),
-                ('admin_scope_ct', models.ForeignKey(verbose_name='administrative scope content type', blank=True, to='contenttypes.ContentType', null=True, on_delete=models.CASCADE)),
-                ('members', models.ManyToManyField(related_name='roles', to=settings.AUTH_USER_MODEL, blank=True)),
-                ('ou', models.ForeignKey(verbose_name='organizational unit', blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE)),
-                ('permissions', models.ManyToManyField(related_name='role', to=settings.RBAC_PERMISSION_MODEL, blank=True)),
-                ('service', models.ForeignKey(verbose_name='service', blank=True, to='authentic2.Service', null=True, on_delete=models.CASCADE)),
+                (
+                    'admin_scope_id',
+                    models.PositiveIntegerField(
+                        null=True, verbose_name='administrative scope id', blank=True
+                    ),
+                ),
+                (
+                    'admin_scope_ct',
+                    models.ForeignKey(
+                        verbose_name='administrative scope content type',
+                        blank=True,
+                        to='contenttypes.ContentType',
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'members',
+                    models.ManyToManyField(related_name='roles', to=settings.AUTH_USER_MODEL, blank=True),
+                ),
+                (
+                    'ou',
+                    models.ForeignKey(
+                        verbose_name='organizational unit',
+                        blank=True,
+                        to=settings.RBAC_OU_MODEL,
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'permissions',
+                    models.ManyToManyField(
+                        related_name='role', to=settings.RBAC_PERMISSION_MODEL, blank=True
+                    ),
+                ),
+                (
+                    'service',
+                    models.ForeignKey(
+                        verbose_name='service',
+                        blank=True,
+                        to='authentic2.Service',
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
             options={
                 'ordering': ('ou', 'service', 'name'),
@@ -73,11 +154,25 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='RoleAttribute',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(max_length=64, verbose_name='name')),
-                ('kind', models.CharField(max_length=32, verbose_name='kind', choices=[('string', 'string')])),
+                (
+                    'kind',
+                    models.CharField(max_length=32, verbose_name='kind', choices=[('string', 'string')]),
+                ),
                 ('value', models.TextField(verbose_name='value')),
-                ('role', models.ForeignKey(related_name='attributes', verbose_name='role', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE)),
+                (
+                    'role',
+                    models.ForeignKey(
+                        related_name='attributes',
+                        verbose_name='role',
+                        to=settings.RBAC_ROLE_MODEL,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'role attribute',
@@ -88,10 +183,23 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='RoleParenting',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('direct', models.BooleanField(blank=True, default=True)),
-                ('child', models.ForeignKey(related_name='parent_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE)),
-                ('parent', models.ForeignKey(related_name='child_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE)),
+                (
+                    'child',
+                    models.ForeignKey(
+                        related_name='parent_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'parent',
+                    models.ForeignKey(
+                        related_name='child_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'role parenting relation',
diff --git a/src/authentic2/a2_rbac/migrations/0003_partial_unique_index_on_name_and_slug.py b/src/authentic2/a2_rbac/migrations/0003_partial_unique_index_on_name_and_slug.py
index 4e3d029f..1283a296 100644
--- a/src/authentic2/a2_rbac/migrations/0003_partial_unique_index_on_name_and_slug.py
+++ b/src/authentic2/a2_rbac/migrations/0003_partial_unique_index_on_name_and_slug.py
@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 from django.db import models, migrations
 from authentic2.migrations import CreatePartialIndexes
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -11,7 +12,12 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        CreatePartialIndexes('Role', 'a2_rbac_role', 'a2_rbac_role_unique_idx',
-                             ('ou_id', 'service_id'), ('slug',),
-                             null_columns=('admin_scope_ct_id',)),
+        CreatePartialIndexes(
+            'Role',
+            'a2_rbac_role',
+            'a2_rbac_role_unique_idx',
+            ('ou_id', 'service_id'),
+            ('slug',),
+            null_columns=('admin_scope_ct_id',),
+        ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0004_auto_20150523_0028.py b/src/authentic2/a2_rbac/migrations/0004_auto_20150523_0028.py
index 69f88a16..d6545dc8 100644
--- a/src/authentic2/a2_rbac/migrations/0004_auto_20150523_0028.py
+++ b/src/authentic2/a2_rbac/migrations/0004_auto_20150523_0028.py
@@ -13,7 +13,11 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='organizationalunit',
-            options={'ordering': ('name',), 'verbose_name': 'organizational unit', 'verbose_name_plural': 'organizational units'},
+            options={
+                'ordering': ('name',),
+                'verbose_name': 'organizational unit',
+                'verbose_name_plural': 'organizational units',
+            },
         ),
         migrations.AlterUniqueTogether(
             name='role',
diff --git a/src/authentic2/a2_rbac/migrations/0005_auto_20150526_1406.py b/src/authentic2/a2_rbac/migrations/0005_auto_20150526_1406.py
index 9a8ccef0..b64ac084 100644
--- a/src/authentic2/a2_rbac/migrations/0005_auto_20150526_1406.py
+++ b/src/authentic2/a2_rbac/migrations/0005_auto_20150526_1406.py
@@ -14,7 +14,14 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='role',
             name='service',
-            field=models.ForeignKey(related_name='roles', verbose_name='service', blank=True, to='authentic2.Service', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                related_name='roles',
+                verbose_name='service',
+                blank=True,
+                to='authentic2.Service',
+                null=True,
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0008_auto_20150810_1953.py b/src/authentic2/a2_rbac/migrations/0008_auto_20150810_1953.py
index 83d466d7..94507113 100644
--- a/src/authentic2/a2_rbac/migrations/0008_auto_20150810_1953.py
+++ b/src/authentic2/a2_rbac/migrations/0008_auto_20150810_1953.py
@@ -13,6 +13,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='organizationalunit',
-            options={'ordering': ('default', 'name'), 'verbose_name': 'organizational unit', 'verbose_name_plural': 'organizational units'},
+            options={
+                'ordering': ('default', 'name'),
+                'verbose_name': 'organizational unit',
+                'verbose_name_plural': 'organizational units',
+            },
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0009_partial_unique_index_on_permission.py b/src/authentic2/a2_rbac/migrations/0009_partial_unique_index_on_permission.py
index 86365b19..ce496741 100644
--- a/src/authentic2/a2_rbac/migrations/0009_partial_unique_index_on_permission.py
+++ b/src/authentic2/a2_rbac/migrations/0009_partial_unique_index_on_permission.py
@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 from django.db import models, migrations
 from authentic2.migrations import CreatePartialIndexes
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -11,6 +12,11 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        CreatePartialIndexes('Permission', 'a2_rbac_permission', 'a2_rbac_permission_null_ou_unique_idx',
-                             ('ou_id',), ('operation_id', 'target_ct_id', 'target_id'))
+        CreatePartialIndexes(
+            'Permission',
+            'a2_rbac_permission',
+            'a2_rbac_permission_null_ou_unique_idx',
+            ('ou_id',),
+            ('operation_id', 'target_ct_id', 'target_id'),
+        )
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0010_auto_20160209_1417.py b/src/authentic2/a2_rbac/migrations/0010_auto_20160209_1417.py
index 73859577..1a0575b6 100644
--- a/src/authentic2/a2_rbac/migrations/0010_auto_20160209_1417.py
+++ b/src/authentic2/a2_rbac/migrations/0010_auto_20160209_1417.py
@@ -6,14 +6,13 @@ from django.db import migrations
 
 
 def deduplicate_admin_roles(apps, schema_editor):
-    '''Find duplicated admin roles, only keep the one with the lowest id and
-       copy all members, parent and children of other duplicated roles to it,
-       then delete duplicates with greater id.
-    '''
+    """Find duplicated admin roles, only keep the one with the lowest id and
+    copy all members, parent and children of other duplicated roles to it,
+    then delete duplicates with greater id.
+    """
     Role = apps.get_model('a2_rbac', 'Role')
     RoleParenting = apps.get_model('a2_rbac', 'RoleParenting')
-    qs = Role.objects.filter(admin_scope_ct__isnull=False,
-                             admin_scope_id__isnull=False).order_by('id')
+    qs = Role.objects.filter(admin_scope_ct__isnull=False, admin_scope_id__isnull=False).order_by('id')
 
     roles = defaultdict(lambda: [])
     for role in qs:
@@ -26,21 +25,13 @@ def deduplicate_admin_roles(apps, schema_editor):
         children = set()
         for role in duplicates:
             members |= set(role.members.all())
-            parents |= set(
-                rp.parent for rp in RoleParenting.objects.filter(child=role, direct=True))
-            children |= set(
-                rp.child for rp in RoleParenting.objects.filter(parent=role, direct=True))
+            parents |= set(rp.parent for rp in RoleParenting.objects.filter(child=role, direct=True))
+            children |= set(rp.child for rp in RoleParenting.objects.filter(parent=role, direct=True))
         duplicates[0].members = members
         for parent in parents:
-            RoleParenting.objects.get_or_crate(
-                parent=parent,
-                child=duplicates[0],
-                direct=True)
+            RoleParenting.objects.get_or_crate(parent=parent, child=duplicates[0], direct=True)
         for child in children:
-            RoleParenting.objects.get_or_create(
-                parent=duplicates[0],
-                child=child,
-                direct=True)
+            RoleParenting.objects.get_or_create(parent=duplicates[0], child=child, direct=True)
         for role in duplicates[1:]:
             role.delete()
 
diff --git a/src/authentic2/a2_rbac/migrations/0014_auto_20170711_1024.py b/src/authentic2/a2_rbac/migrations/0014_auto_20170711_1024.py
index 856099b6..aeb6a85a 100644
--- a/src/authentic2/a2_rbac/migrations/0014_auto_20170711_1024.py
+++ b/src/authentic2/a2_rbac/migrations/0014_auto_20170711_1024.py
@@ -13,6 +13,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='organizationalunit',
-            options={'ordering': ('-default', 'name'), 'verbose_name': 'organizational unit', 'verbose_name_plural': 'organizational units'},
+            options={
+                'ordering': ('-default', 'name'),
+                'verbose_name': 'organizational unit',
+                'verbose_name_plural': 'organizational units',
+            },
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0016_auto_20171208_1429.py b/src/authentic2/a2_rbac/migrations/0016_auto_20171208_1429.py
index bbe52dfc..e8c4d7fa 100644
--- a/src/authentic2/a2_rbac/migrations/0016_auto_20171208_1429.py
+++ b/src/authentic2/a2_rbac/migrations/0016_auto_20171208_1429.py
@@ -13,6 +13,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='organizationalunit',
-            options={'ordering': ('name',), 'verbose_name': 'organizational unit', 'verbose_name_plural': 'organizational units'},
+            options={
+                'ordering': ('name',),
+                'verbose_name': 'organizational unit',
+                'verbose_name_plural': 'organizational units',
+            },
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0018_organizationalunit_user_add_password_policy.py b/src/authentic2/a2_rbac/migrations/0018_organizationalunit_user_add_password_policy.py
index 72285beb..ac5ea45e 100644
--- a/src/authentic2/a2_rbac/migrations/0018_organizationalunit_user_add_password_policy.py
+++ b/src/authentic2/a2_rbac/migrations/0018_organizationalunit_user_add_password_policy.py
@@ -14,6 +14,10 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='organizationalunit',
             name='user_add_password_policy',
-            field=models.IntegerField(default=0, verbose_name='User creation password policy', choices=[(0, 'Send reset link'), (1, 'Manual password definition')]),
+            field=models.IntegerField(
+                default=0,
+                verbose_name='User creation password policy',
+                choices=[(0, 'Send reset link'), (1, 'Manual password definition')],
+            ),
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0020_partial_unique_index_on_name.py b/src/authentic2/a2_rbac/migrations/0020_partial_unique_index_on_name.py
index 00e8d72c..039b710c 100644
--- a/src/authentic2/a2_rbac/migrations/0020_partial_unique_index_on_name.py
+++ b/src/authentic2/a2_rbac/migrations/0020_partial_unique_index_on_name.py
@@ -12,7 +12,12 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        CreatePartialIndexes('Role', 'a2_rbac_role', 'a2_rbac_role_name_unique_idx',
-                             ('ou_id',), ('name',),
-                             null_columns=('admin_scope_ct_id',)),
+        CreatePartialIndexes(
+            'Role',
+            'a2_rbac_role',
+            'a2_rbac_role_name_unique_idx',
+            ('ou_id',),
+            ('name',),
+            null_columns=('admin_scope_ct_id',),
+        ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0021_auto_20200317_1514.py b/src/authentic2/a2_rbac/migrations/0021_auto_20200317_1514.py
index 759161f8..b08f6d5b 100644
--- a/src/authentic2/a2_rbac/migrations/0021_auto_20200317_1514.py
+++ b/src/authentic2/a2_rbac/migrations/0021_auto_20200317_1514.py
@@ -16,11 +16,15 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='organizationalunit',
             name='uuid',
-            field=models.CharField(default=django_rbac.utils.get_hex_uuid, max_length=32, unique=True, verbose_name='uuid'),
+            field=models.CharField(
+                default=django_rbac.utils.get_hex_uuid, max_length=32, unique=True, verbose_name='uuid'
+            ),
         ),
         migrations.AlterField(
             model_name='role',
             name='uuid',
-            field=models.CharField(default=django_rbac.utils.get_hex_uuid, max_length=32, unique=True, verbose_name='uuid'),
+            field=models.CharField(
+                default=django_rbac.utils.get_hex_uuid, max_length=32, unique=True, verbose_name='uuid'
+            ),
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0022_auto_20200402_1101.py b/src/authentic2/a2_rbac/migrations/0022_auto_20200402_1101.py
index 7eb237b9..6b24a846 100644
--- a/src/authentic2/a2_rbac/migrations/0022_auto_20200402_1101.py
+++ b/src/authentic2/a2_rbac/migrations/0022_auto_20200402_1101.py
@@ -16,11 +16,29 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='organizationalunit',
             name='clean_unused_accounts_alert',
-            field=models.PositiveIntegerField(blank=True, null=True, validators=[django.core.validators.MinValueValidator(30, 'Ensure that this value is greater than 30 days, or leave blank for deactivating.')], verbose_name='Days after which the user receives an account deletion alert'),
+            field=models.PositiveIntegerField(
+                blank=True,
+                null=True,
+                validators=[
+                    django.core.validators.MinValueValidator(
+                        30, 'Ensure that this value is greater than 30 days, or leave blank for deactivating.'
+                    )
+                ],
+                verbose_name='Days after which the user receives an account deletion alert',
+            ),
         ),
         migrations.AddField(
             model_name='organizationalunit',
             name='clean_unused_accounts_deletion',
-            field=models.PositiveIntegerField(blank=True, null=True, validators=[django.core.validators.MinValueValidator(30, 'Ensure that this value is greater than 30 days, or leave blank for deactivating.')], verbose_name='Delay in days before cleaning unused accounts'),
+            field=models.PositiveIntegerField(
+                blank=True,
+                null=True,
+                validators=[
+                    django.core.validators.MinValueValidator(
+                        30, 'Ensure that this value is greater than 30 days, or leave blank for deactivating.'
+                    )
+                ],
+                verbose_name='Delay in days before cleaning unused accounts',
+            ),
         ),
     ]
diff --git a/src/authentic2/a2_rbac/migrations/0024_fix_self_admin_perm.py b/src/authentic2/a2_rbac/migrations/0024_fix_self_admin_perm.py
index 16261beb..05ff20c7 100644
--- a/src/authentic2/a2_rbac/migrations/0024_fix_self_admin_perm.py
+++ b/src/authentic2/a2_rbac/migrations/0024_fix_self_admin_perm.py
@@ -39,6 +39,4 @@ class Migration(migrations.Migration):
         ('a2_rbac', '0023_role_can_manage_members'),
     ]
 
-    operations = [
-        migrations.RunPython(update_self_administration_perm, migrations.RunPython.noop)
-    ]
+    operations = [migrations.RunPython(update_self_administration_perm, migrations.RunPython.noop)]
diff --git a/src/authentic2/a2_rbac/models.py b/src/authentic2/a2_rbac/models.py
index 9d7578b6..8c796e2d 100644
--- a/src/authentic2/a2_rbac/models.py
+++ b/src/authentic2/a2_rbac/models.py
@@ -23,20 +23,23 @@ from django.utils.text import slugify
 from django.db import models
 from django.contrib.contenttypes.models import ContentType
 
-from django_rbac.models import (RoleAbstractBase, PermissionAbstractBase,
-                                OrganizationalUnitAbstractBase, RoleParentingAbstractBase, VIEW_OP,
-                                Operation)
+from django_rbac.models import (
+    RoleAbstractBase,
+    PermissionAbstractBase,
+    OrganizationalUnitAbstractBase,
+    RoleParentingAbstractBase,
+    VIEW_OP,
+    Operation,
+)
 from django_rbac import utils as rbac_utils
 
 from authentic2.decorators import errorcollector
 
 try:
-    from django.contrib.contenttypes.fields import GenericForeignKey, \
-        GenericRelation
+    from django.contrib.contenttypes.fields import GenericForeignKey, GenericRelation
 except ImportError:
     # Django < 1.8
-    from django.contrib.contenttypes.generic import GenericForeignKey, \
-        GenericRelation
+    from django.contrib.contenttypes.generic import GenericForeignKey, GenericRelation
 
 from authentic2.decorators import GlobalCache
 
@@ -53,63 +56,55 @@ class OrganizationalUnit(OrganizationalUnitAbstractBase):
         (MANUAL_PASSWORD_POLICY, _('Manual password definition')),
     )
 
-    PolicyValue = namedtuple('PolicyValue', [
-        'generate_password', 'reset_password_at_next_login',
-        'send_mail', 'send_password_reset'])
+    PolicyValue = namedtuple(
+        'PolicyValue',
+        ['generate_password', 'reset_password_at_next_login', 'send_mail', 'send_password_reset'],
+    )
 
     USER_ADD_PASSWD_POLICY_VALUES = {
         RESET_LINK_POLICY: PolicyValue(False, False, False, True),
         MANUAL_PASSWORD_POLICY: PolicyValue(False, False, True, False),
     }
 
-    username_is_unique = models.BooleanField(
-        blank=True,
-        default=False,
-        verbose_name=_('Username is unique'))
-    email_is_unique = models.BooleanField(
-        blank=True,
-        default=False,
-        verbose_name=_('Email is unique'))
-    default = fields.UniqueBooleanField(
-        verbose_name=_('Default organizational unit'))
+    username_is_unique = models.BooleanField(blank=True, default=False, verbose_name=_('Username is unique'))
+    email_is_unique = models.BooleanField(blank=True, default=False, verbose_name=_('Email is unique'))
+    default = fields.UniqueBooleanField(verbose_name=_('Default organizational unit'))
 
-    validate_emails = models.BooleanField(
-        blank=True,
-        default=False,
-        verbose_name=_('Validate emails'))
+    validate_emails = models.BooleanField(blank=True, default=False, verbose_name=_('Validate emails'))
 
-    show_username = models.BooleanField(
-        blank=True,
-        default=True,
-        verbose_name=_('Show username'))
+    show_username = models.BooleanField(blank=True, default=True, verbose_name=_('Show username'))
 
-    admin_perms = GenericRelation(rbac_utils.get_permission_model_name(),
-                                  content_type_field='target_ct',
-                                  object_id_field='target_id')
+    admin_perms = GenericRelation(
+        rbac_utils.get_permission_model_name(), content_type_field='target_ct', object_id_field='target_id'
+    )
 
-    user_can_reset_password = models.NullBooleanField(
-        verbose_name=_('Users can reset password'))
+    user_can_reset_password = models.NullBooleanField(verbose_name=_('Users can reset password'))
 
     user_add_password_policy = models.IntegerField(
-        verbose_name=_('User creation password policy'),
-        choices=USER_ADD_PASSWD_POLICY_CHOICES,
-        default=0)
+        verbose_name=_('User creation password policy'), choices=USER_ADD_PASSWD_POLICY_CHOICES, default=0
+    )
 
     clean_unused_accounts_alert = models.PositiveIntegerField(
         verbose_name=_('Days after which the user receives an account deletion alert'),
-        validators=[MinValueValidator(
-            30, _('Ensure that this value is greater than 30 days, or leave blank for deactivating.')
-        )],
+        validators=[
+            MinValueValidator(
+                30, _('Ensure that this value is greater than 30 days, or leave blank for deactivating.')
+            )
+        ],
         null=True,
-        blank=True)
+        blank=True,
+    )
 
     clean_unused_accounts_deletion = models.PositiveIntegerField(
         verbose_name=_('Delay in days before cleaning unused accounts'),
-        validators=[MinValueValidator(
-            30, _('Ensure that this value is greater than 30 days, or leave blank for deactivating.')
-        )],
+        validators=[
+            MinValueValidator(
+                30, _('Ensure that this value is greater than 30 days, or leave blank for deactivating.')
+            )
+        ],
         null=True,
-        blank=True)
+        blank=True,
+    )
 
     objects = managers.OrganizationalUnitManager()
 
@@ -130,27 +125,38 @@ class OrganizationalUnit(OrganizationalUnitAbstractBase):
             if self.pk:
                 qs = qs.exclude(pk=self.pk)
             qs.update(default=None)
-        if self.pk and not self.default \
-           and self.__class__.objects.get(pk=self.pk).default:
-            raise ValidationError(_('You cannot unset this organizational '
-                                    'unit as the default, but you can set '
-                                    'another one as the default.'))
+        if self.pk and not self.default and self.__class__.objects.get(pk=self.pk).default:
+            raise ValidationError(
+                _(
+                    'You cannot unset this organizational '
+                    'unit as the default, but you can set '
+                    'another one as the default.'
+                )
+            )
         if bool(self.clean_unused_accounts_alert) ^ bool(self.clean_unused_accounts_deletion):
             raise ValidationError(_('Deletion and alert delays must be set together.'))
-        if self.clean_unused_accounts_alert and \
-                self.clean_unused_accounts_alert >= self.clean_unused_accounts_deletion:
+        if (
+            self.clean_unused_accounts_alert
+            and self.clean_unused_accounts_alert >= self.clean_unused_accounts_deletion
+        ):
             raise ValidationError(_('Deletion alert delay must be less than actual deletion delay.'))
         super(OrganizationalUnit, self).clean()
 
     def get_admin_role(self):
-        '''Get or create the generic admin role for this organizational
-           unit.
-        '''
+        """Get or create the generic admin role for this organizational
+        unit.
+        """
         name = _('Managers of "{ou}"').format(ou=self)
         slug = '_a2-managers-of-{ou.slug}'.format(ou=self)
         return Role.objects.get_admin_role(
-            instance=self, name=name, slug=slug, operation=VIEW_OP,
-            update_name=True, update_slug=True, create=True)
+            instance=self,
+            name=name,
+            slug=slug,
+            operation=VIEW_OP,
+            update_name=True,
+            update_slug=True,
+            create=True,
+        )
 
     def delete(self, *args, **kwargs):
         Permission.objects.filter(ou=self).delete()
@@ -166,11 +172,14 @@ class OrganizationalUnit(OrganizationalUnitAbstractBase):
 
     def export_json(self):
         return {
-            'uuid': self.uuid, 'slug': self.slug, 'name': self.name,
-            'description': self.description, 'default': self.default,
+            'uuid': self.uuid,
+            'slug': self.slug,
+            'name': self.name,
+            'description': self.description,
+            'default': self.default,
             'email_is_unique': self.email_is_unique,
             'username_is_unique': self.username_is_unique,
-            'validate_emails': self.validate_emails
+            'validate_emails': self.validate_emails,
         }
 
     def __str__(self):
@@ -185,9 +194,11 @@ class Permission(PermissionAbstractBase):
         verbose_name = _('permission')
         verbose_name_plural = _('permissions')
 
-    mirror_roles = GenericRelation(rbac_utils.get_role_model_name(),
-                                   content_type_field='admin_scope_ct',
-                                   object_id_field='admin_scope_id')
+    mirror_roles = GenericRelation(
+        rbac_utils.get_role_model_name(),
+        content_type_field='admin_scope_ct',
+        object_id_field='admin_scope_id',
+    )
 
 
 Permission._meta.natural_key = [
@@ -202,33 +213,29 @@ class Role(RoleAbstractBase):
         null=True,
         blank=True,
         verbose_name=_('administrative scope content type'),
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
     admin_scope_id = models.PositiveIntegerField(
-        verbose_name=_('administrative scope id'),
-        null=True,
-        blank=True)
-    admin_scope = GenericForeignKey(
-        'admin_scope_ct',
-        'admin_scope_id')
+        verbose_name=_('administrative scope id'), null=True, blank=True
+    )
+    admin_scope = GenericForeignKey('admin_scope_ct', 'admin_scope_id')
     service = models.ForeignKey(
         to='authentic2.Service',
         verbose_name=_('service'),
         null=True,
         blank=True,
         related_name='roles',
-        on_delete=models.CASCADE)
-    external_id = models.TextField(
-        verbose_name=_('external id'),
-        blank=True,
-        db_index=True)
+        on_delete=models.CASCADE,
+    )
+    external_id = models.TextField(verbose_name=_('external id'), blank=True, db_index=True)
 
-    admin_perms = GenericRelation(rbac_utils.get_permission_model_name(),
-                                  content_type_field='target_ct',
-                                  object_id_field='target_id')
+    admin_perms = GenericRelation(
+        rbac_utils.get_permission_model_name(), content_type_field='target_ct', object_id_field='target_id'
+    )
 
     can_manage_members = models.BooleanField(
-        default=True,
-        verbose_name=_('Allow adding or deleting role members'))
+        default=True, verbose_name=_('Allow adding or deleting role members')
+    )
 
     def get_admin_role(self, create=True):
         from . import utils
@@ -240,16 +247,15 @@ class Role(RoleAbstractBase):
 
         admin_role = self.__class__.objects.get_admin_role(
             self,
-            name=_('Managers of role "{role}"').format(
-                role=six.text_type(self)),
-            slug='_a2-managers-of-role-{role}'.format(
-                role=slugify(six.text_type(self))),
+            name=_('Managers of role "{role}"').format(role=six.text_type(self)),
+            slug='_a2-managers-of-role-{role}'.format(role=slugify(six.text_type(self))),
             permissions=(view_user_perm,),
             self_administered=True,
             update_name=True,
             update_slug=True,
             create=create,
-            operation=MANAGE_MEMBERS_OP)
+            operation=MANAGE_MEMBERS_OP,
+        )
         return admin_role
 
     def validate_unique(self, exclude=None):
@@ -294,7 +300,8 @@ class Role(RoleAbstractBase):
             operation=operation,
             target_ct=ContentType.objects.get_for_model(self),
             target_id=self.pk,
-            ou__is_null=True)
+            ou__is_null=True,
+        )
         return self.permissions.filter(pk=self_perm.pk).exists()
 
     def add_self_administration(self, op=None):
@@ -304,9 +311,8 @@ class Role(RoleAbstractBase):
         Permission = rbac_utils.get_permission_model()
         operation = rbac_utils.get_operation(op)
         self_perm, created = Permission.objects.get_or_create(
-            operation=operation,
-            target_ct=ContentType.objects.get_for_model(self),
-            target_id=self.pk)
+            operation=operation, target_ct=ContentType.objects.get_for_model(self), target_id=self.pk
+        )
         self.permissions.through.objects.get_or_create(role=self, permission=self_perm)
         return self_perm
 
@@ -318,10 +324,12 @@ class Role(RoleAbstractBase):
     class Meta:
         verbose_name = _('role')
         verbose_name_plural = _('roles')
-        ordering = ('ou', 'service', 'name',)
-        unique_together = (
-            ('admin_scope_ct', 'admin_scope_id'),
+        ordering = (
+            'ou',
+            'service',
+            'name',
         )
+        unique_together = (('admin_scope_ct', 'admin_scope_id'),)
 
     def natural_key(self):
         return [
@@ -344,10 +352,13 @@ class Role(RoleAbstractBase):
 
     def export_json(self, attributes=False, parents=False, permissions=False):
         d = {
-            'uuid': self.uuid, 'slug': self.slug, 'name': self.name,
-            'description': self.description, 'external_id': self.external_id,
+            'uuid': self.uuid,
+            'slug': self.slug,
+            'name': self.name,
+            'description': self.description,
+            'external_id': self.external_id,
             'ou': self.ou and self.ou.natural_key_json(),
-            'service': self.service and self.service.natural_key_json()
+            'service': self.service and self.service.natural_key_json(),
         }
 
         if attributes:
@@ -383,43 +394,30 @@ class RoleParenting(RoleParentingAbstractBase):
         verbose_name_plural = _('role parenting relations')
 
     def __str__(self):
-        return u'{0} {1}> {2}'.format(self.parent.name, '-' if self.direct else '~',
-                                      self.child.name)
+        return u'{0} {1}> {2}'.format(self.parent.name, '-' if self.direct else '~', self.child.name)
 
 
 class RoleAttribute(models.Model):
-    KINDS = (
-        ('string', _('string')),
-    )
+    KINDS = (('string', _('string')),)
     role = models.ForeignKey(
-        to=Role,
-        verbose_name=_('role'),
-        related_name='attributes',
-        on_delete=models.CASCADE)
-    name = models.CharField(
-        max_length=64,
-        verbose_name=_('name'))
-    kind = models.CharField(
-        max_length=32,
-        choices=KINDS,
-        verbose_name=_('kind'))
-    value = models.TextField(
-        verbose_name=_('value'))
+        to=Role, verbose_name=_('role'), related_name='attributes', on_delete=models.CASCADE
+    )
+    name = models.CharField(max_length=64, verbose_name=_('name'))
+    kind = models.CharField(max_length=32, choices=KINDS, verbose_name=_('kind'))
+    value = models.TextField(verbose_name=_('value'))
 
     class Meta:
-        verbose_name = ('role attribute')
+        verbose_name = 'role attribute'
         verbose_name_plural = _('role attributes')
-        unique_together = (
-            ('role', 'name', 'kind', 'value'),
-        )
+        unique_together = (('role', 'name', 'kind', 'value'),)
 
     def to_json(self):
         return {'name': self.name, 'kind': self.kind, 'value': self.value}
 
 
-GenericRelation(Permission,
-                content_type_field='target_ct',
-                object_id_field='target_id').contribute_to_class(ContentType, 'admin_perms')
+GenericRelation(Permission, content_type_field='target_ct', object_id_field='target_id').contribute_to_class(
+    ContentType, 'admin_perms'
+)
 
 
 CHANGE_PASSWORD_OP = Operation.register(name=_('Change password'), slug='change_password')
@@ -427,5 +425,4 @@ RESET_PASSWORD_OP = Operation.register(name=_('Password reset'), slug='reset_pas
 ACTIVATE_OP = Operation.register(name=_('Activation'), slug='activate')
 CHANGE_EMAIL_OP = Operation.register(name=pgettext_lazy('operation', 'Change email'), slug='change_email')
 MANAGE_MEMBERS_OP = Operation.register(name=_('Manage role members'), slug='manage_members')
-MANAGE_AUTHORIZATIONS_OP = Operation.register(
-    name=_('Manage service consents'), slug='manage_authorizations')
+MANAGE_AUTHORIZATIONS_OP = Operation.register(name=_('Manage service consents'), slug='manage_authorizations')
diff --git a/src/authentic2/a2_rbac/signal_handlers.py b/src/authentic2/a2_rbac/signal_handlers.py
index b4f4ef13..2bb81ac5 100644
--- a/src/authentic2/a2_rbac/signal_handlers.py
+++ b/src/authentic2/a2_rbac/signal_handlers.py
@@ -25,8 +25,7 @@ from django_rbac.utils import get_ou_model, get_role_model, get_operation
 from django_rbac.managers import defer_update_transitive_closure
 
 
-def create_default_ou(app_config, verbosity=2, interactive=True,
-                      using=DEFAULT_DB_ALIAS, **kwargs):
+def create_default_ou(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, **kwargs):
     if not router.allow_migrate(using, get_ou_model()):
         return
     # be sure new objects names are localized using the default locale
@@ -40,7 +39,8 @@ def create_default_ou(app_config, verbosity=2, interactive=True,
             defaults={
                 'default': True,
                 'name': _('Default organizational unit'),
-            })
+            },
+        )
         # Update all existing models having an ou field to the default ou
         for app in apps.get_app_configs():
             for model in app.get_models():
@@ -50,8 +50,7 @@ def create_default_ou(app_config, verbosity=2, interactive=True,
                 model.objects.filter(ou__isnull=True).update(ou=default_ou)
 
 
-def post_migrate_update_rbac(app_config, verbosity=2, interactive=True,
-                             using=DEFAULT_DB_ALIAS, **kwargs):
+def post_migrate_update_rbac(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, **kwargs):
     # be sure new objects names are localized using the default locale
     from .management import update_ous_admin_roles, update_content_types_roles
 
@@ -84,10 +83,15 @@ def update_service_role_ou(sender, instance, created, raw, **kwargs):
     get_role_model().objects.filter(service=instance).update(ou=instance.ou)
 
 
-def create_default_permissions(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS,
-                               **kwargs):
-    from .models import (CHANGE_PASSWORD_OP, RESET_PASSWORD_OP, ACTIVATE_OP, CHANGE_EMAIL_OP,
-                         MANAGE_MEMBERS_OP, MANAGE_AUTHORIZATIONS_OP)
+def create_default_permissions(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, **kwargs):
+    from .models import (
+        CHANGE_PASSWORD_OP,
+        RESET_PASSWORD_OP,
+        ACTIVATE_OP,
+        CHANGE_EMAIL_OP,
+        MANAGE_MEMBERS_OP,
+        MANAGE_AUTHORIZATIONS_OP,
+    )
 
     if not router.allow_migrate(using, get_ou_model()):
         return
diff --git a/src/authentic2/a2_rbac/utils.py b/src/authentic2/a2_rbac/utils.py
index 8af2d4b27..468aed04 100644
--- a/src/authentic2/a2_rbac/utils.py
+++ b/src/authentic2/a2_rbac/utils.py
@@ -37,7 +37,9 @@ def get_view_user_perm(ou=None):
         operation=rbac_utils.get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(ContentType),
         target_id=ContentType.objects.get_for_model(User).pk,
-        ou__isnull=ou is None, ou=ou)
+        ou__isnull=ou is None,
+        ou=ou,
+    )
     return view_user_perm
 
 
@@ -48,7 +50,8 @@ def get_search_ou_perm(ou=None):
             operation=rbac_utils.get_operation(SEARCH_OP),
             target_ct=ContentType.objects.get_for_model(ou),
             target_id=ou.pk,
-            ou__isnull=True)
+            ou__isnull=True,
+        )
     else:
         OU = rbac_utils.get_ou_model()
         Permission = rbac_utils.get_permission_model()
@@ -56,7 +59,8 @@ def get_search_ou_perm(ou=None):
             operation=rbac_utils.get_operation(SEARCH_OP),
             target_ct=ContentType.objects.get_for_model(ContentType),
             target_id=ContentType.objects.get_for_model(OU).pk,
-            ou__isnull=True)
+            ou__isnull=True,
+        )
     return view_ou_perm
 
 
@@ -67,5 +71,7 @@ def get_manage_authorizations_user_perm(ou=None):
         operation=rbac_utils.get_operation(models.MANAGE_AUTHORIZATIONS_OP),
         target_ct=ContentType.objects.get_for_model(ContentType),
         target_id=ContentType.objects.get_for_model(User).pk,
-        ou__isnull=ou is None, ou=ou)
+        ou__isnull=ou is None,
+        ou=ou,
+    )
     return manage_authorizations_user_perm
diff --git a/src/authentic2/admin.py b/src/authentic2/admin.py
index f003c45a..f0d07517 100644
--- a/src/authentic2/admin.py
+++ b/src/authentic2/admin.py
@@ -30,14 +30,15 @@ from django import forms
 from django.contrib.auth.forms import ReadOnlyPasswordHashField
 
 from .nonce.models import Nonce
-from . import (models, app_settings, decorators, attribute_kinds,
-               utils)
+from . import models, app_settings, decorators, attribute_kinds, utils
 from .forms.profile import BaseUserForm, modelform_factory
 from .custom_user.models import User, DeletedUser
 
 
 def cleanup_action(modeladmin, request, queryset):
     queryset.cleanup()
+
+
 cleanup_action.short_description = _('Cleanup expired objects')
 
 
@@ -52,18 +53,21 @@ class CleanupAdminMixin(admin.ModelAdmin):
 class NonceModelAdmin(admin.ModelAdmin):
     list_display = ("value", "context", "not_on_or_after")
 
+
 admin.site.register(Nonce, NonceModelAdmin)
 
 
 class AttributeValueAdmin(admin.ModelAdmin):
     list_display = ('content_type', 'owner', 'attribute', 'content')
 
+
 admin.site.register(models.AttributeValue, AttributeValueAdmin)
 
 
 class LogoutUrlAdmin(admin.ModelAdmin):
     list_display = ('provider', 'logout_url', 'logout_use_iframe', 'logout_use_iframe_timeout')
 
+
 admin.site.register(models.LogoutUrl, LogoutUrlAdmin)
 
 
@@ -73,6 +77,7 @@ class AuthenticationEventAdmin(admin.ModelAdmin):
     date_hierarchy = 'when'
     search_fields = ('who', 'nonce', 'how')
 
+
 admin.site.register(models.AuthenticationEvent, AuthenticationEventAdmin)
 
 
@@ -82,6 +87,7 @@ class UserExternalIdAdmin(admin.ModelAdmin):
     date_hierarchy = 'created'
     search_fields = ('user__username', 'source', 'external_id')
 
+
 admin.site.register(models.UserExternalId, UserExternalIdAdmin)
 
 
@@ -92,9 +98,11 @@ DB_SESSION_ENGINES = (
 )
 
 if settings.SESSION_ENGINE in DB_SESSION_ENGINES:
+
     class SessionAdmin(admin.ModelAdmin):
         def _session_data(self, obj):
             return pprint.pformat(obj.get_decoded()).replace('\n', '<br>\n')
+
         _session_data.allow_tags = True
         _session_data.short_description = _('session data')
         list_display = ['session_key', 'ips', 'user', '_session_data', 'expire_date']
@@ -107,11 +115,13 @@ if settings.SESSION_ENGINE in DB_SESSION_ENGINES:
             content = session.get_decoded()
             ips = content.get('ips', set())
             return ', '.join(ips)
+
         ips.short_description = _('IP adresses')
 
         def user(self, session):
             from django.contrib import auth
             from django.contrib.auth import models as auth_models
+
             content = session.get_decoded()
             if auth.SESSION_KEY not in content:
                 return
@@ -125,10 +135,12 @@ if settings.SESSION_ENGINE in DB_SESSION_ENGINES:
             except Exception:
                 user = _('deleted user %r') % user_id
             return user
+
         user.short_description = _('user')
 
         def clear_expired(self, request, queryset):
             queryset.filter(expire_date__lt=timezone.now()).delete()
+
         clear_expired.short_description = _('clear expired sessions')
 
     admin.site.register(Session, SessionAdmin)
@@ -140,10 +152,7 @@ class ExternalUserListFilter(admin.SimpleListFilter):
     parameter_name = 'external'
 
     def lookups(self, request, model_admin):
-        return (
-            ('1', _('Yes')),
-            ('0', _('No'))
-        )
+        return (('1', _('Yes')), ('0', _('No')))
 
     def queryset(self, request, queryset):
         """
@@ -194,9 +203,12 @@ class UserChangeForm(BaseUserForm):
 
     password = ReadOnlyPasswordHashField(
         label=_("Password"),
-        help_text=_("Raw passwords are not stored, so there is no way to see "
-                    "this user's password, but you can change the password "
-                    "using <a href=\"password/\">this form</a>."))
+        help_text=_(
+            "Raw passwords are not stored, so there is no way to see "
+            "this user's password, but you can change the password "
+            "using <a href=\"password/\">this form</a>."
+        ),
+    )
 
     class Meta:
         model = User
@@ -230,17 +242,17 @@ class UserCreationForm(BaseUserForm):
     A form that creates a user, with no privileges, from the given username and
     password.
     """
+
     error_messages = {
         'password_mismatch': _("The two password fields didn't match."),
         'missing_credential': _("You must at least give a username or an email to your user"),
     }
-    password1 = forms.CharField(
-        label=_("Password"),
-        widget=forms.PasswordInput)
+    password1 = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
     password2 = forms.CharField(
         label=_("Password confirmation"),
         widget=forms.PasswordInput,
-        help_text=_("Enter the same password as above, for verification."))
+        help_text=_("Enter the same password as above, for verification."),
+    )
 
     class Meta:
         model = User
@@ -275,14 +287,17 @@ class AuthenticUserAdmin(UserAdmin):
     fieldsets = (
         (None, {'fields': ('uuid', 'ou', 'password')}),
         (_('Personal info'), {'fields': ('username', 'first_name', 'last_name', 'email')}),
-        (_('Permissions'), {'fields': ('is_active', 'is_staff', 'is_superuser',
-                                       'groups')}),
+        (_('Permissions'), {'fields': ('is_active', 'is_staff', 'is_superuser', 'groups')}),
         (_('Important dates'), {'fields': ('last_login', 'date_joined', 'deactivation')}),
     )
     add_fieldsets = (
-        (None, {
-            'classes': ('wide',),
-            'fields': ('ou', 'username', 'first_name', 'last_name', 'email', 'password1', 'password2')}),
+        (
+            None,
+            {
+                'classes': ('wide',),
+                'fields': ('ou', 'username', 'first_name', 'last_name', 'email', 'password1', 'password2'),
+            },
+        ),
     )
     readonly_fields = ('uuid',)
     list_filter = UserAdmin.list_filter + (UserRealmListFilter, ExternalUserListFilter)
@@ -303,17 +318,22 @@ class AuthenticUserAdmin(UserAdmin):
             fieldsets = list(fieldsets)
             fieldsets.insert(
                 insertion_idx,
-                (_('Attributes'), {'fields': [at.name for at in qs if at.name not in
-                                              ['first_name', 'last_name']]}))
+                (
+                    _('Attributes'),
+                    {'fields': [at.name for at in qs if at.name not in ['first_name', 'last_name']]},
+                ),
+            )
         return fieldsets
 
     def get_form(self, request, obj=None, **kwargs):
-        self.form = modelform_factory(self.model, form=UserChangeForm,
-                                      fields=models.Attribute.objects.values_list('name',
-                                                                                  flat=True))
-        self.add_form = modelform_factory(self.model, form=UserCreationForm,
-                                          fields=models.Attribute.objects.filter(required=True)
-                                          .values_list('name', flat=True))
+        self.form = modelform_factory(
+            self.model, form=UserChangeForm, fields=models.Attribute.objects.values_list('name', flat=True)
+        )
+        self.add_form = modelform_factory(
+            self.model,
+            form=UserCreationForm,
+            fields=models.Attribute.objects.filter(required=True).values_list('name', flat=True),
+        )
         if 'fields' in kwargs:
             fields = kwargs.pop('fields')
         else:
@@ -332,8 +352,10 @@ class AuthenticUserAdmin(UserAdmin):
         timestamp = timezone.now()
         for user in queryset:
             user.mark_as_inactive(timestamp=timestamp)
+
     mark_as_inactive.short_description = _('Mark as inactive')
 
+
 admin.site.register(User, AuthenticUserAdmin)
 
 
@@ -355,13 +377,23 @@ class AttributeForm(forms.ModelForm):
 
 class AttributeAdmin(admin.ModelAdmin):
     form = AttributeForm
-    list_display = ('label', 'disabled', 'name', 'kind', 'order', 'required',
-                    'asked_on_registration', 'user_editable', 'user_visible')
+    list_display = (
+        'label',
+        'disabled',
+        'name',
+        'kind',
+        'order',
+        'required',
+        'asked_on_registration',
+        'user_editable',
+        'user_visible',
+    )
     list_editable = ('order',)
 
     def get_queryset(self, request):
         return self.model.all_objects.all()
 
+
 admin.site.register(models.Attribute, AttributeAdmin)
 
 
@@ -370,6 +402,7 @@ class DeletedUserAdmin(admin.ModelAdmin):
     date_hierarchy = 'deleted'
     search_fields = ['=old_user_id', '^old_uuid', 'old_email']
 
+
 admin.site.register(DeletedUser, DeletedUserAdmin)
 
 
@@ -377,6 +410,7 @@ admin.site.register(DeletedUser, DeletedUserAdmin)
 def login(request, extra_context=None):
     return utils.redirect_to_login(request, login_url=utils.get_manager_login_url())
 
+
 admin.site.login = login
 
 
@@ -384,6 +418,7 @@ admin.site.login = login
 def logout(request, extra_context=None):
     return utils.redirect_to_login(request, login_url='auth_logout')
 
+
 admin.site.logout = logout
 
 admin.site.register(models.PasswordReset)
diff --git a/src/authentic2/api_mixins.py b/src/authentic2/api_mixins.py
index 18896ec4..41d5df1e 100644
--- a/src/authentic2/api_mixins.py
+++ b/src/authentic2/api_mixins.py
@@ -55,8 +55,9 @@ class GetOrCreateMixinView(object):
         except qs.model.DoesNotExist:
             return None
         except qs.model.MultipleObjectsReturned:
-            raise Conflict('retrieved several instances of model %s for key attributes %s' % (
-                qs.model.__name__, kwargs))
+            raise Conflict(
+                'retrieved several instances of model %s for key attributes %s' % (qs.model.__name__, kwargs)
+            )
 
     def _validate_get_keys(self, keys):
         # Remove many-to-many relationships from validated_data.
diff --git a/src/authentic2/api_urls.py b/src/authentic2/api_urls.py
index 9aab37db..61734faf 100644
--- a/src/authentic2/api_urls.py
+++ b/src/authentic2/api_urls.py
@@ -22,10 +22,16 @@ urlpatterns = [
     url(r'^register/$', api_views.register, name='a2-api-register'),
     url(r'^password-change/$', api_views.password_change, name='a2-api-password-change'),
     url(r'^user/$', api_views.user, name='a2-api-user'),
-    url(r'^roles/(?P<role_uuid>[\w+]*)/members/(?P<member_uuid>[^/]+)/$', api_views.role_membership,
-        name='a2-api-role-member'),
-    url(r'^roles/(?P<role_uuid>[\w+]*)/relationships/members/$', api_views.role_memberships,
-        name='a2-api-role-members'),
+    url(
+        r'^roles/(?P<role_uuid>[\w+]*)/members/(?P<member_uuid>[^/]+)/$',
+        api_views.role_membership,
+        name='a2-api-role-member',
+    ),
+    url(
+        r'^roles/(?P<role_uuid>[\w+]*)/relationships/members/$',
+        api_views.role_memberships,
+        name='a2-api-role-members',
+    ),
     url(r'^check-password/$', api_views.check_password, name='a2-api-check-password'),
     url(r'^validate-password/$', api_views.validate_password, name='a2-api-validate-password'),
     url(r'^address-autocomplete/$', api_views.address_autocomplete, name='a2-api-address-autocomplete'),
diff --git a/src/authentic2/api_views.py b/src/authentic2/api_views.py
index 9485edf9..f92e7cf1 100644
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -46,8 +46,7 @@ from rest_framework.routers import SimpleRouter
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
 from rest_framework import permissions, status, authentication
-from rest_framework.exceptions import (PermissionDenied, AuthenticationFailed,
-    ValidationError, NotFound)
+from rest_framework.exceptions import PermissionDenied, AuthenticationFailed, ValidationError, NotFound
 from rest_framework.fields import CreateOnlyDefault
 from authentic2.compat.drf import action
 from rest_framework.authentication import SessionAuthentication
@@ -61,8 +60,7 @@ from django_filters.utils import handle_timezone
 
 from .passwords import get_password_checker
 from .custom_user.models import User
-from . import (utils, decorators, attribute_kinds, app_settings, hooks,
-               api_mixins)
+from . import utils, decorators, attribute_kinds, app_settings, hooks, api_mixins
 from .models import Attribute, PasswordReset, Service
 from .a2_rbac.utils import get_default_ou
 from .journal_event_types import UserLogin, UserRegistration
@@ -73,6 +71,7 @@ from .utils.lookups import Unaccent
 if django.VERSION < (2,):
     import rest_framework.fields
     from . import validators
+
     rest_framework.fields.ProhibitNullCharactersValidator = validators.ProhibitNullCharactersValidator
 if django.VERSION < (1, 11):
     authentication.authenticate = utils.authenticate
@@ -128,23 +127,20 @@ class ExceptionHandlerMixin(object):
 
 class RegistrationSerializer(serializers.Serializer):
     '''Register RPC payload'''
-    email = serializers.EmailField(
-        required=False, allow_blank=True)
+
+    email = serializers.EmailField(required=False, allow_blank=True)
     ou = serializers.SlugRelatedField(
         queryset=get_ou_model().objects.all(),
         slug_field='slug',
         default=get_default_ou,
-        required=False, allow_null=True)
-    username = serializers.CharField(
-        required=False, allow_blank=True)
-    first_name = serializers.CharField(
-        required=False, allow_blank=True, default='')
-    last_name = serializers.CharField(
-        required=False, allow_blank=True, default='')
-    password = serializers.CharField(
-        required=False, allow_null=True)
-    no_email_validation = serializers.BooleanField(
-        required=False)
+        required=False,
+        allow_null=True,
+    )
+    username = serializers.CharField(required=False, allow_blank=True)
+    first_name = serializers.CharField(required=False, allow_blank=True, default='')
+    last_name = serializers.CharField(required=False, allow_blank=True, default='')
+    password = serializers.CharField(required=False, allow_null=True)
+    no_email_validation = serializers.BooleanField(required=False)
     return_url = serializers.URLField(required=False, allow_blank=True)
 
     def validate(self, data):
@@ -157,48 +153,34 @@ class RegistrationSerializer(serializers.Serializer):
             else:
                 authorized = request.user.has_perm(perm)
             if not authorized:
-                raise serializers.ValidationError(_('you are not authorized '
-                                                    'to create users in '
-                                                    'this ou'))
+                raise serializers.ValidationError(
+                    _('you are not authorized ' 'to create users in ' 'this ou')
+                )
         User = get_user_model()
         if ou:
-            if (app_settings.A2_EMAIL_IS_UNIQUE or
-                    app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE):
+            if app_settings.A2_EMAIL_IS_UNIQUE or app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE:
                 if 'email' not in data:
-                    raise serializers.ValidationError(
-                        _('Email is required'))
-                if User.objects.filter(
-                        email__iexact=data['email']).exists():
-                    raise serializers.ValidationError(
-                        _('Account already exists'))
+                    raise serializers.ValidationError(_('Email is required'))
+                if User.objects.filter(email__iexact=data['email']).exists():
+                    raise serializers.ValidationError(_('Account already exists'))
 
             if ou.email_is_unique:
                 if 'email' not in data:
-                    raise serializers.ValidationError(
-                        _('Email is required in this ou'))
-                if User.objects.filter(
-                        ou=ou, email__iexact=data['email']).exists():
-                    raise serializers.ValidationError(
-                        _('Account already exists in this ou'))
-
-            if (app_settings.A2_USERNAME_IS_UNIQUE or
-                    app_settings.A2_REGISTRATION_USERNAME_IS_UNIQUE):
+                    raise serializers.ValidationError(_('Email is required in this ou'))
+                if User.objects.filter(ou=ou, email__iexact=data['email']).exists():
+                    raise serializers.ValidationError(_('Account already exists in this ou'))
+
+            if app_settings.A2_USERNAME_IS_UNIQUE or app_settings.A2_REGISTRATION_USERNAME_IS_UNIQUE:
                 if 'username' not in data:
-                    raise serializers.ValidationError(
-                        _('Username is required'))
-                if User.objects.filter(
-                        username=data['username']).exists():
-                    raise serializers.ValidationError(
-                        _('Account already exists'))
+                    raise serializers.ValidationError(_('Username is required'))
+                if User.objects.filter(username=data['username']).exists():
+                    raise serializers.ValidationError(_('Account already exists'))
 
             if ou.username_is_unique:
                 if 'username' not in data:
-                    raise serializers.ValidationError(
-                        _('Username is required in this ou'))
-                if User.objects.filter(
-                        ou=ou, username=data['username']).exists():
-                    raise serializers.ValidationError(
-                        _('Account already exists in this ou'))
+                    raise serializers.ValidationError(_('Username is required in this ou'))
+                if User.objects.filter(ou=ou, username=data['username']).exists():
+                    raise serializers.ValidationError(_('Account already exists in this ou'))
         return data
 
 
@@ -218,27 +200,29 @@ class BaseRpcView(ExceptionHandlerMixin, RpcMixin, GenericAPIView):
 
 
 class Register(BaseRpcView):
-    '''Register the given email, send a mail to the user and return a
-       validation token.
-
-       A mail will be sent to the user to validate its email. On
-       validation of the mail the user will be logged and redirected to
-       `{return_url}?token={token}`. It's the durty of the requesting
-       service to finish the registration process on its side.
-
-       If email is unique and an account already exist the requesting
-       must enter in a process of registration through SSO, i.e. ask for
-       authentication of the user and then finish the registration
-       process for the received identity.
-    '''
+    """Register the given email, send a mail to the user and return a
+    validation token.
+
+    A mail will be sent to the user to validate its email. On
+    validation of the mail the user will be logged and redirected to
+    `{return_url}?token={token}`. It's the durty of the requesting
+    service to finish the registration process on its side.
+
+    If email is unique and an account already exist the requesting
+    must enter in a process of registration through SSO, i.e. ask for
+    authentication of the user and then finish the registration
+    process for the received identity.
+    """
+
     permission_classes = (permissions.IsAuthenticated,)
     serializer_class = RegistrationSerializer
 
     def rpc(self, request, serializer):
         validated_data = serializer.validated_data
         if not request.user.has_ou_perm('custom_user.add_user', validated_data['ou']):
-            raise PermissionDenied('You do not have permission to create users in ou %s' %
-                                   validated_data['ou'].slug)
+            raise PermissionDenied(
+                'You do not have permission to create users in ou %s' % validated_data['ou'].slug
+            )
         email = validated_data.get('email')
         registration_data = {}
         for field in ('first_name', 'last_name', 'password', 'username'):
@@ -255,28 +239,27 @@ class Register(BaseRpcView):
         final_return_url = None
         if validated_data.get('return_url'):
             token = utils.get_hex_uuid()[:16]
-            final_return_url = utils.make_url(validated_data['return_url'],
-                                              params={'token': token})
+            final_return_url = utils.make_url(validated_data['return_url'], params={'token': token})
         if email and not validated_data.get('no_email_validation'):
 
             registration_template = ['authentic2/activation_email']
             if validated_data['ou']:
-                registration_template.insert(0, 'authentic2/activation_email_%s' %
-                                             validated_data['ou'].slug)
+                registration_template.insert(0, 'authentic2/activation_email_%s' % validated_data['ou'].slug)
 
             try:
-                utils.send_registration_mail(self.request, email,
-                                             template_names=registration_template,
-                                             next_url=final_return_url,
-                                             ou=validated_data['ou'],
-                                             context=ctx,
-                                             **registration_data)
+                utils.send_registration_mail(
+                    self.request,
+                    email,
+                    template_names=registration_template,
+                    next_url=final_return_url,
+                    ou=validated_data['ou'],
+                    context=ctx,
+                    **registration_data,
+                )
             except smtplib.SMTPException as e:
                 response = {
                     'result': 0,
-                    'errors': {
-                        '__all__': ['Mail sending failed']
-                    },
+                    'errors': {'__all__': ['Mail sending failed']},
                     'exception': force_text(e),
                 }
                 response_status = status.HTTP_503_SERVICE_UNAVAILABLE
@@ -293,20 +276,20 @@ class Register(BaseRpcView):
             last_name = validated_data.get('last_name')
             password = validated_data.get('password')
             ou = validated_data.get('ou')
-            if not email and \
-               not username and \
-               not (first_name and last_name):
+            if not email and not username and not (first_name and last_name):
                 response = {
                     'result': 0,
                     'errors': {
-                        '__all__': ['You must set at least a username, an email or '
-                                    'a first name and a last name']
+                        '__all__': [
+                            'You must set at least a username, an email or ' 'a first name and a last name'
+                        ]
                     },
                 }
                 response_status = status.HTTP_400_BAD_REQUEST
             else:
-                new_user = User(email=email, username=username, ou=ou, first_name=first_name,
-                                last_name=last_name)
+                new_user = User(
+                    email=email, username=username, ou=ou, first_name=first_name, last_name=last_name
+                )
                 if password:
                     new_user.set_password(password)
                 new_user.save()
@@ -318,26 +301,26 @@ class Register(BaseRpcView):
                 }
                 if email:
                     response['validation_url'] = utils.build_activation_url(
-                        request, email, next_url=final_return_url, ou=ou, **registration_data)
+                        request, email, next_url=final_return_url, ou=ou, **registration_data
+                    )
                 if token:
                     response['token'] = token
                 response_status = status.HTTP_201_CREATED
         return response, response_status
 
+
 register = Register.as_view()
 
 
 class PasswordChangeSerializer(serializers.Serializer):
     '''Register RPC payload'''
+
     email = serializers.EmailField()
     ou = serializers.SlugRelatedField(
-        queryset=get_ou_model().objects.all(),
-        slug_field='slug',
-        required=False, allow_null=True)
-    old_password = serializers.CharField(
-        required=True, allow_null=True)
-    new_password = serializers.CharField(
-        required=True, allow_null=True)
+        queryset=get_ou_model().objects.all(), slug_field='slug', required=False, allow_null=True
+    )
+    old_password = serializers.CharField(required=True, allow_null=True)
+    new_password = serializers.CharField(required=True, allow_null=True)
 
     def validate(self, data):
         User = get_user_model()
@@ -364,6 +347,7 @@ class PasswordChange(BaseRpcView):
         serializer.user.save()
         return {'result': 1}, status.HTTP_200_OK
 
+
 password_change = PasswordChange.as_view()
 
 
@@ -378,14 +362,12 @@ def user(request):
 
 class BaseUserSerializer(serializers.ModelSerializer):
     ou = serializers.SlugRelatedField(
-        queryset=get_ou_model().objects.all(),
-        slug_field='slug',
-        required=False, default=get_default_ou)
+        queryset=get_ou_model().objects.all(), slug_field='slug', required=False, default=get_default_ou
+    )
     date_joined = serializers.DateTimeField(read_only=True)
     last_login = serializers.DateTimeField(read_only=True)
     dist = serializers.FloatField(read_only=True)
-    send_registration_email = serializers.BooleanField(write_only=True, required=False,
-                                                       default=False)
+    send_registration_email = serializers.BooleanField(write_only=True, required=False, default=False)
     send_registration_email_next_url = serializers.URLField(write_only=True, required=False)
     password = serializers.CharField(max_length=128, required=False)
     force_password_reset = serializers.BooleanField(write_only=True, required=False, default=False)
@@ -402,7 +384,8 @@ class BaseUserSerializer(serializers.ModelSerializer):
             else:
                 self.fields[at.name] = at.get_drf_field()
             self.fields[at.name + '_verified'] = serializers.BooleanField(
-                source='is_verified.%s' % at.name, required=False)
+                source='is_verified.%s' % at.name, required=False
+            )
         for key in self.fields:
             if key in app_settings.A2_REQUIRED_FIELDS:
                 self.fields[key].required = True
@@ -418,8 +401,7 @@ class BaseUserSerializer(serializers.ModelSerializer):
     def create(self, validated_data):
         original_data = validated_data.copy()
         send_registration_email = validated_data.pop('send_registration_email', False)
-        send_registration_email_next_url = validated_data.pop('send_registration_email_next_url',
-                                                              None)
+        send_registration_email_next_url = validated_data.pop('send_registration_email_next_url', None)
         force_password_reset = validated_data.pop('force_password_reset', False)
 
         attributes = validated_data.pop('attributes', {})
@@ -454,16 +436,20 @@ class BaseUserSerializer(serializers.ModelSerializer):
             try:
                 utils.send_password_reset_mail(
                     instance,
-                    template_names=['authentic2/api_user_create_registration_email',
-                                    'authentic2/password_reset'],
+                    template_names=[
+                        'authentic2/api_user_create_registration_email',
+                        'authentic2/password_reset',
+                    ],
                     request=self.context['request'],
                     next_url=send_registration_email_next_url,
                     context={
                         'data': original_data,
-                    })
+                    },
+                )
             except smtplib.SMTPException as e:
-                logging.getLogger(__name__).error(u'registration mail could not be sent to user %s '
-                                                  'created through API: %s', instance, e)
+                logging.getLogger(__name__).error(
+                    u'registration mail could not be sent to user %s ' 'created through API: %s', instance, e
+                )
         return instance
 
     def update(self, instance, validated_data):
@@ -479,8 +465,7 @@ class BaseUserSerializer(serializers.ModelSerializer):
         self.check_perm('custom_user.change_user', instance.ou)
         if 'ou' in validated_data:
             self.check_perm('custom_user.change_user', validated_data.get('ou'))
-        if validated_data.get('email') != instance.email and \
-                not validated_data.get('email_verified'):
+        if validated_data.get('email') != instance.email and not validated_data.get('email_verified'):
             instance.email_verified = False
         super(BaseUserSerializer, self).update(instance, validated_data)
         for key, value in attributes.items():
@@ -523,15 +508,15 @@ class BaseUserSerializer(serializers.ModelSerializer):
         update_or_create_fields = self.context['view'].request.GET.getlist('update_or_create')
 
         already_used = False
-        if ('email' not in get_or_create_fields
-                and 'email' not in update_or_create_fields
-                and data.get('email')
-                and (not self.instance or data.get('email') != self.instance.email)):
-            if app_settings.A2_EMAIL_IS_UNIQUE and qs.filter(
-                    email=data['email']).exists():
+        if (
+            'email' not in get_or_create_fields
+            and 'email' not in update_or_create_fields
+            and data.get('email')
+            and (not self.instance or data.get('email') != self.instance.email)
+        ):
+            if app_settings.A2_EMAIL_IS_UNIQUE and qs.filter(email=data['email']).exists():
                 already_used = True
-            if ou and ou.email_is_unique and qs.filter(
-                    ou=ou, email=data['email']).exists():
+            if ou and ou.email_is_unique and qs.filter(ou=ou, email=data['email']).exists():
                 already_used = True
 
         errors = {}
@@ -587,12 +572,11 @@ class RoleSerializer(serializers.ModelSerializer):
         required=False,
         default=CreateOnlyDefault(get_default_ou),
         queryset=get_ou_model().objects.all(),
-        slug_field='slug')
+        slug_field='slug',
+    )
     slug = serializers.SlugField(
-        required=False,
-        allow_blank=False,
-        max_length=256,
-        default=SlugFromNameDefault())
+        required=False, allow_blank=False, max_length=256, default=SlugFromNameDefault()
+    )
 
     @property
     def user(self):
@@ -626,17 +610,16 @@ class RoleSerializer(serializers.ModelSerializer):
 
     class Meta:
         model = get_role_model()
-        fields = ('uuid', 'name', 'slug', 'ou',)
+        fields = (
+            'uuid',
+            'name',
+            'slug',
+            'ou',
+        )
         extra_kwargs = {'uuid': {'read_only': True}}
         validators = [
-            UniqueTogetherValidator(
-                queryset=get_role_model().objects.all(),
-                fields=['name', 'ou']
-            ),
-            UniqueTogetherValidator(
-                queryset=get_role_model().objects.all(),
-                fields=['slug', 'ou']
-            )
+            UniqueTogetherValidator(queryset=get_role_model().objects.all(), fields=['name', 'ou']),
+            UniqueTogetherValidator(queryset=get_role_model().objects.all(), fields=['slug', 'ou']),
         ]
 
 
@@ -652,10 +635,12 @@ class IsoDateTimeField(IsoDateTimeField):
             return super(IsoDateTimeField, self).strptime(value, format)
         except AmbiguousTimeError:
             parsed = parse_datetime(value)
-            possible = sorted([
-                handle_timezone(parsed, is_dst=True),
-                handle_timezone(parsed, is_dst=False),
-            ])
+            possible = sorted(
+                [
+                    handle_timezone(parsed, is_dst=True),
+                    handle_timezone(parsed, is_dst=False),
+                ]
+            )
             if self.bound == 'lesser':
                 return possible[0]
             elif self.bound == 'upper':
@@ -680,10 +665,7 @@ class UsersFilter(FilterSet):
     class Meta:
         model = get_user_model()
         fields = {
-            'username': [
-                'exact',
-                'iexact'
-            ],
+            'username': ['exact', 'iexact'],
             'first_name': [
                 'exact',
                 'iexact',
@@ -728,8 +710,8 @@ class ChangeEmailSerializer(serializers.Serializer):
 
 
 class FreeTextSearchFilter(BaseFilterBackend):
-    """
-    """
+    """"""
+
     def filter_queryset(self, request, queryset, view):
         if 'q' in request.GET:
             queryset = queryset.free_text_search(request.GET['q'])
@@ -753,9 +735,9 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
 
     @property
     def ordering(self):
-       if 'q' in self.request.GET:
-           return ['dist', Unaccent('last_name'), Unaccent('first_name')]
-       return User._meta.ordering
+        if 'q' in self.request.GET:
+            return ['dist', Unaccent('last_name'), Unaccent('first_name')]
+        return User._meta.ordering
 
     def get_queryset(self):
         qs = super().get_queryset()
@@ -773,10 +755,11 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
         if 'service-slug' in self.request.GET:
             service_slug = self.request.GET['service-slug']
             service_ou = self.request.GET.get('service-ou', '')
-            service = Service.objects.filter(
-                slug=service_slug,
-                ou__slug=service_ou
-            ).prefetch_related('authorized_roles').first()
+            service = (
+                Service.objects.filter(slug=service_slug, ou__slug=service_ou)
+                .prefetch_related('authorized_roles')
+                .first()
+            )
             if service:
                 if service.authorized_roles.all():
                     qs = qs.filter(roles__in=service.authorized_roles.children())
@@ -809,15 +792,11 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
         known_uuids = User.objects.filter(uuid__in=uuids).values_list('uuid', flat=True)
         return set(uuids) - set(known_uuids)
 
-    @action(detail=False, methods=['post'],
-            permission_classes=(DjangoPermission('custom_user.search_user'),))
+    @action(detail=False, methods=['post'], permission_classes=(DjangoPermission('custom_user.search_user'),))
     def synchronization(self, request):
         serializer = self.SynchronizationSerializer(data=request.data)
         if not serializer.is_valid():
-            response = {
-                'result': 0,
-                'errors': serializer.errors
-            }
+            response = {'result': 0, 'errors': serializer.errors}
             return Response(response, status.HTTP_400_BAD_REQUEST)
         hooks.call_hooks('api_modify_serializer_after_validation', self, serializer)
         unknown_uuids = self.check_uuids(serializer.validated_data.get('known_uuids', []))
@@ -828,43 +807,40 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
         hooks.call_hooks('api_modify_response', self, 'synchronization', data)
         return Response(data)
 
-    @action(detail=True, methods=['post'], url_path='password-reset',
-                  permission_classes=(DjangoPermission('custom_user.reset_password_user'),))
+    @action(
+        detail=True,
+        methods=['post'],
+        url_path='password-reset',
+        permission_classes=(DjangoPermission('custom_user.reset_password_user'),),
+    )
     def password_reset(self, request, uuid):
         user = self.get_object()
         # An user without email cannot receive the token
         if not user.email:
-            return Response({'result': 0, 'reason': 'User has no mail'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+            return Response(
+                {'result': 0, 'reason': 'User has no mail'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR
+            )
 
         utils.send_password_reset_mail(user, request=request)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
-    @action(detail=True, methods=['post'],
-                  permission_classes=(DjangoPermission('custom_user.change_user'),))
+    @action(detail=True, methods=['post'], permission_classes=(DjangoPermission('custom_user.change_user'),))
     def email(self, request, uuid):
         user = self.get_object()
         serializer = ChangeEmailSerializer(data=request.data)
         if not serializer.is_valid():
-            response = {
-                'result': 0,
-                'errors': serializer.errors
-            }
+            response = {'result': 0, 'errors': serializer.errors}
             return Response(response, status.HTTP_400_BAD_REQUEST)
         user.email_verified = False
         user.save()
         utils.send_email_change_email(user, serializer.validated_data['email'], request=request)
         return Response({'result': 1})
 
-    @action(detail=False, methods=['get'],
-            permission_classes=(DjangoPermission('custom_user.search_user'),))
+    @action(detail=False, methods=['get'], permission_classes=(DjangoPermission('custom_user.search_user'),))
     def find_duplicates(self, request):
         serializer = self.get_serializer(data=request.query_params, partial=True)
         if not serializer.is_valid():
-            response = {
-                'data': [],
-                'err': 1,
-                'err_desc': serializer.errors
-            }
+            response = {'data': [], 'err': 1, 'err_desc': serializer.errors}
             return Response(response, status.HTTP_400_BAD_REQUEST)
         data = serializer.validated_data
 
@@ -882,10 +858,12 @@ class UsersAPI(api_mixins.GetOrCreateMixinView, HookMixin, ExceptionHandlerMixin
         birthdate = attributes.get('birthdate')
         qs = User.objects.find_duplicates(first_name, last_name, birthdate=birthdate)
 
-        return Response({
-            'data': DuplicateUserSerializer(qs, many=True).data,
-            'err': 0,
-        })
+        return Response(
+            {
+                'data': DuplicateUserSerializer(qs, many=True).data,
+                'err': 0,
+            }
+        )
 
 
 class RolesAPI(api_mixins.GetOrCreateMixinView, ExceptionHandlerMixin, ModelViewSet):
@@ -919,13 +897,16 @@ class RoleMembershipAPI(ExceptionHandlerMixin, APIView):
 
     def post(self, request, *args, **kwargs):
         self.role.members.add(self.member)
-        return Response({'result': 1, 'detail': _('User successfully added to role')},
-                        status=status.HTTP_201_CREATED)
+        return Response(
+            {'result': 1, 'detail': _('User successfully added to role')}, status=status.HTTP_201_CREATED
+        )
 
     def delete(self, request, *args, **kwargs):
         self.role.members.remove(self.member)
-        return Response({'result': 1, 'detail': _('User successfully removed from role')},
-                        status=status.HTTP_200_OK)
+        return Response(
+            {'result': 1, 'detail': _('User successfully removed from role')}, status=status.HTTP_200_OK
+        )
+
 
 role_membership = RoleMembershipAPI.as_view()
 
@@ -956,16 +937,15 @@ class RoleMembershipsAPI(ExceptionHandlerMixin, APIView):
             try:
                 uuid = entry['uuid']
             except TypeError:
-                raise ValidationError(_("List elements of the 'data' dict "
-                        "entry must be dictionaries"))
+                raise ValidationError(_("List elements of the 'data' dict " "entry must be dictionaries"))
             except KeyError:
-                raise ValidationError(_("Missing 'uuid' key for dict entry %s "
-                        "of the 'data' payload") % entry)
+                raise ValidationError(
+                    _("Missing 'uuid' key for dict entry %s " "of the 'data' payload") % entry
+                )
             try:
                 self.members.append(User.objects.get(uuid=uuid))
             except User.DoesNotExist:
-                raise ValidationError(
-                        _('No known user for UUID %s') % entry['uuid'])
+                raise ValidationError(_('No known user for UUID %s') % entry['uuid'])
 
         if not len(self.members) and request.method in ('POST', 'DELETE'):
             raise ValidationError(_('No valid user UUID'))
@@ -973,43 +953,36 @@ class RoleMembershipsAPI(ExceptionHandlerMixin, APIView):
     def post(self, request, *args, **kwargs):
         self.role.members.add(*self.members)
         return Response(
-                {
-                    'result': 1,
-                    'detail': _('Users successfully added to role')
-                },
-                status=status.HTTP_201_CREATED)
+            {'result': 1, 'detail': _('Users successfully added to role')}, status=status.HTTP_201_CREATED
+        )
 
     def delete(self, request, *args, **kwargs):
         self.role.members.remove(*self.members)
         return Response(
-                {
-                    'result': 1,
-                    'detail': _('Users successfully removed from role')
-                },
-                status=status.HTTP_200_OK)
+            {'result': 1, 'detail': _('Users successfully removed from role')}, status=status.HTTP_200_OK
+        )
 
     def patch(self, request, *args, **kwargs):
         self.role.members.set(self.members)
         return Response(
-                {
-                    'result': 1,
-                    'detail': _('Users successfully assigned to role')
-                },
-                status=status.HTTP_200_OK)
+            {'result': 1, 'detail': _('Users successfully assigned to role')}, status=status.HTTP_200_OK
+        )
 
     def put(self, request, *args, **kwargs):
         return self.patch(request, *args, **kwargs)
 
+
 role_memberships = RoleMembershipsAPI.as_view()
 
 
 class BaseOrganizationalUnitSerializer(serializers.ModelSerializer):
     slug = serializers.SlugField(
-            required=False,
-            allow_blank=False,
-            max_length=256,
-            default=SlugFromNameDefault(),
-        )
+        required=False,
+        allow_blank=False,
+        max_length=256,
+        default=SlugFromNameDefault(),
+    )
+
     class Meta:
         model = get_ou_model()
         fields = '__all__'
@@ -1023,6 +996,7 @@ class OrganizationalUnitAPI(api_mixins.GetOrCreateMixinView, ExceptionHandlerMix
     def get_queryset(self):
         return get_ou_model().objects.all()
 
+
 router = SimpleRouter()
 router.register(r'users', UsersAPI, base_name='a2-api-users')
 router.register(r'ous', OrganizationalUnitAPI, base_name='a2-api-ous')
@@ -1046,7 +1020,8 @@ class CheckPasswordAPI(BaseRpcView):
             if hasattr(authenticator, 'authenticate_credentials'):
                 try:
                     user, oidc_client = authenticator.authenticate_credentials(
-                        username, password, request=request)
+                        username, password, request=request
+                    )
                     result['result'] = 1
                     if hasattr(user, 'oidc_client'):
                         result['oidc_client'] = True
@@ -1056,6 +1031,7 @@ class CheckPasswordAPI(BaseRpcView):
                     result['errors'] = [exc.detail]
         return result, status.HTTP_200_OK
 
+
 check_password = CheckPasswordAPI.as_view()
 
 
@@ -1080,13 +1056,16 @@ class ValidatePasswordAPI(BaseRpcView):
         ok = True
         for check in password_checker(serializer.validated_data['password']):
             ok = ok and check.result
-            checks.append({
-                'result': check.result,
-                'label': check.label,
-            })
+            checks.append(
+                {
+                    'result': check.result,
+                    'label': check.label,
+                }
+            )
         result['ok'] = ok
         return result, status.HTTP_200_OK
 
+
 validate_password = ValidatePasswordAPI.as_view()
 
 
@@ -1097,10 +1076,7 @@ class AddressAutocompleteAPI(APIView):
         if not getattr(settings, 'ADDRESS_AUTOCOMPLETE_URL', None):
             return Response({})
         try:
-            response = requests.get(
-                settings.ADDRESS_AUTOCOMPLETE_URL,
-                params=request.GET
-            )
+            response = requests.get(settings.ADDRESS_AUTOCOMPLETE_URL, params=request.GET)
             response.raise_for_status()
             return Response(response.json())
         except RequestException:
@@ -1119,11 +1095,7 @@ class ServiceOUField(serializers.ListField):
 
 
 class StatisticsSerializer(serializers.Serializer):
-    TIME_INTERVAL_CHOICES = [
-        ('day', _('Day')),
-        ('month', _('Month')),
-        ('year', _('Year'))
-    ]
+    TIME_INTERVAL_CHOICES = [('day', _('Day')), ('month', _('Month')), ('year', _('Year'))]
 
     time_interval = serializers.ChoiceField(choices=TIME_INTERVAL_CHOICES, default='month')
     service = ServiceOUField(child=serializers.SlugField(max_length=256), required=False)
@@ -1143,6 +1115,7 @@ def stat(**kwargs):
     def wraps(func):
         func.filters = filters
         return decorator(func)
+
     return wraps
 
 
@@ -1169,7 +1142,9 @@ class StatisticsAPI(ViewSet):
             {
                 'id': 'time_interval',
                 'label': _('Time interval'),
-                'options': [{'id': key, 'label': label} for key, label in time_interval_field.choices.items()],
+                'options': [
+                    {'id': key, 'label': label} for key, label in time_interval_field.choices.items()
+                ],
                 'required': True,
                 'default': time_interval_field.default,
             }
@@ -1195,19 +1170,17 @@ class StatisticsAPI(ViewSet):
             }
             statistics.append(data)
 
-        return Response({
-            'data': statistics,
-            'err': 0,
-        })
+        return Response(
+            {
+                'data': statistics,
+                'err': 0,
+            }
+        )
 
     def get_statistics(self, request, klass, method):
         serializer = StatisticsSerializer(data=request.query_params)
         if not serializer.is_valid():
-            response = {
-                'data': [],
-                'err': 1,
-                'err_desc': serializer.errors
-            }
+            response = {'data': [], 'err': 1, 'err_desc': serializer.errors}
             return Response(response, status.HTTP_400_BAD_REQUEST)
         data = serializer.validated_data
 
@@ -1231,10 +1204,12 @@ class StatisticsAPI(ViewSet):
         if users_ou and 'users_ou' in allowed_filters:
             kwargs['users_ou'] = get_object_or_404(get_ou_model(), slug=users_ou)
 
-        return Response({
-            'data': getattr(klass, method)(**kwargs),
-            'err': 0,
-        })
+        return Response(
+            {
+                'data': getattr(klass, method)(**kwargs),
+                'err': 0,
+            }
+        )
 
     @stat(name=_('Login count by authentication type'), filters=('services_ou', 'users_ou', 'service'))
     def login(self, request):
diff --git a/src/authentic2/app.py b/src/authentic2/app.py
index a02c23b8..a076f7b5 100644
--- a/src/authentic2/app.py
+++ b/src/authentic2/app.py
@@ -20,11 +20,11 @@ from django.views import debug
 
 from . import plugins
 
+
 class Authentic2Config(AppConfig):
     name = 'authentic2'
     verbose_name = 'Authentic2'
 
     def ready(self):
         plugins.init()
-        debug.HIDDEN_SETTINGS = re.compile(
-            'API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE|LDAP')
+        debug.HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|PROFANITIES_LIST|SIGNATURE|LDAP')
diff --git a/src/authentic2/app_settings.py b/src/authentic2/app_settings.py
index cab4ba15..56b7c72b 100644
--- a/src/authentic2/app_settings.py
+++ b/src/authentic2/app_settings.py
@@ -44,6 +44,7 @@ class AppSettings(object):
     def settings(self):
         if not hasattr(self, '_settings'):
             from django.conf import settings
+
             self._settings = settings
         return self._settings
 
@@ -59,7 +60,9 @@ class AppSettings(object):
                     realms[realm] = realm
                 else:
                     realms[realm[0]] = realm[1]
+
         from django.contrib.auth import get_backends
+
         for backend in get_backends():
             if hasattr(backend, 'get_realms'):
                 add_realms(backend.get_realms())
@@ -87,7 +90,9 @@ class AppSettings(object):
         if self.defaults[key].has_default():
             return self.defaults[key].default
         raise ImproperlyConfigured(
-            'missing setting %s(%s) is mandatory' % (key, self.defaults[key].description))
+            'missing setting %s(%s) is mandatory' % (key, self.defaults[key].description)
+        )
+
 
 default_settings = dict(
     ATTRIBUTE_BACKENDS=Setting(
@@ -104,259 +109,220 @@ default_settings = dict(
     CAFILE=Setting(
         names=('AUTHENTIC2_CAFILE', 'CAFILE'),
         default=None,
-        definition='File containing certificate chains as PEM certificates'),
+        definition='File containing certificate chains as PEM certificates',
+    ),
     A2_REGISTRATION_CAN_DELETE_ACCOUNT=Setting(
-        default=True,
-        definition='Can user self delete their account and all their data'),
+        default=True, definition='Can user self delete their account and all their data'
+    ),
     A2_REGISTRATION_CAN_CHANGE_PASSWORD=Setting(
-        default=True,
-        definition='Allow user to change its own password'),
+        default=True, definition='Allow user to change its own password'
+    ),
     A2_REGISTRATION_EMAIL_BLACKLIST=Setting(
-        default=[],
-        definition='List of forbidden email wildcards, ex.: ^.*@ville.fr$'),
+        default=[], definition='List of forbidden email wildcards, ex.: ^.*@ville.fr$'
+    ),
     A2_REGISTRATION_REDIRECT=Setting(
         default=None,
         definition='Forced redirection after each redirect, NEXT_URL substring is replaced'
-        ' by the original next_url passed to /accounts/register/'),
-    A2_PROFILE_CAN_CHANGE_EMAIL=Setting(
-        default=True,
-        definition='Can user self change their email'),
-    A2_PROFILE_CAN_EDIT_PROFILE=Setting(
-        default=True,
-        definition='Can user self edit their profile'),
-    A2_PROFILE_CAN_MANAGE_FEDERATION=Setting(
-        default=True,
-        definition='Can user manage its federations'),
+        ' by the original next_url passed to /accounts/register/',
+    ),
+    A2_PROFILE_CAN_CHANGE_EMAIL=Setting(default=True, definition='Can user self change their email'),
+    A2_PROFILE_CAN_EDIT_PROFILE=Setting(default=True, definition='Can user self edit their profile'),
+    A2_PROFILE_CAN_MANAGE_FEDERATION=Setting(default=True, definition='Can user manage its federations'),
     A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS=Setting(
-        default=True,
-        definition='Allow user to revoke granted services access to its account profile data'),
-    A2_PROFILE_DISPLAY_EMPTY_FIELDS=Setting(
-        default=False,
-        definition='Include empty fields in profile view'),
-    A2_HOMEPAGE_URL=Setting(
-        default=None,
-        definition='IdP has no homepage, redirect to this one.'),
-    A2_USER_CAN_RESET_PASSWORD=Setting(
-        default=None,
-        definition='Allow online reset of passwords'),
+        default=True, definition='Allow user to revoke granted services access to its account profile data'
+    ),
+    A2_PROFILE_DISPLAY_EMPTY_FIELDS=Setting(default=False, definition='Include empty fields in profile view'),
+    A2_HOMEPAGE_URL=Setting(default=None, definition='IdP has no homepage, redirect to this one.'),
+    A2_USER_CAN_RESET_PASSWORD=Setting(default=None, definition='Allow online reset of passwords'),
     A2_RESET_PASSWORD_ID_LABEL=Setting(
-        default=None,
-        definition='Alternate ID label for the password reset form'),
-    A2_EMAIL_IS_UNIQUE=Setting(
-        default=False,
-        definition='Email of users must be unique'),
+        default=None, definition='Alternate ID label for the password reset form'
+    ),
+    A2_EMAIL_IS_UNIQUE=Setting(default=False, definition='Email of users must be unique'),
     A2_REGISTRATION_EMAIL_IS_UNIQUE=Setting(
-        default=False,
-        definition='Email of registered accounts must be unique'),
+        default=False, definition='Email of registered accounts must be unique'
+    ),
     A2_REGISTRATION_FORM_USERNAME_REGEX=Setting(
-        default=r'^[\w.@+-]+$',
-        definition='Regex to validate usernames'),
+        default=r'^[\w.@+-]+$', definition='Regex to validate usernames'
+    ),
     A2_REGISTRATION_FORM_USERNAME_HELP_TEXT=Setting(
-        default=_('Required. At most 30 characters. Letters, digits, and @/./+/-/_ only.')),
-    A2_REGISTRATION_FORM_USERNAME_LABEL=Setting(
-        default=_('Username')),
+        default=_('Required. At most 30 characters. Letters, digits, and @/./+/-/_ only.')
+    ),
+    A2_REGISTRATION_FORM_USERNAME_LABEL=Setting(default=_('Username')),
     A2_REGISTRATION_REALM=Setting(
-        default=None,
-        definition='Default realm to assign to self-registrated users'),
-    A2_REGISTRATION_GROUPS=Setting(
-        default=(),
-        definition='Default groups for self-registered users'),
-    A2_PROFILE_FIELDS=Setting(
-        default=(),
-        definition='Fields to show to the user in the profile page'),
+        default=None, definition='Default realm to assign to self-registrated users'
+    ),
+    A2_REGISTRATION_GROUPS=Setting(default=(), definition='Default groups for self-registered users'),
+    A2_PROFILE_FIELDS=Setting(default=(), definition='Fields to show to the user in the profile page'),
     A2_REGISTRATION_FIELDS=Setting(
-        default=(),
-        definition='Fields from the user model that must appear on the registration form'),
-    A2_REQUIRED_FIELDS=Setting(
-        default=(),
-        definition='User fields that are required'),
+        default=(), definition='Fields from the user model that must appear on the registration form'
+    ),
+    A2_REQUIRED_FIELDS=Setting(default=(), definition='User fields that are required'),
     A2_REGISTRATION_REQUIRED_FIELDS=Setting(
-        default=(),
-        definition='Fields from the registration form that must be required'),
-    A2_PRE_REGISTRATION_FIELDS=Setting(
-        default=(),
-        definition='User fields to ask with email'),
-    A2_REALMS=Setting(
-        default=(),
-        definition='List of realms to search user accounts'),
-    A2_USERNAME_REGEX=Setting(
-        default=None,
-        definition='Regex that username must validate'),
-    A2_USERNAME_LABEL=Setting(
-        default=None,
-        definition='Alternate username label for the login form'),
+        default=(), definition='Fields from the registration form that must be required'
+    ),
+    A2_PRE_REGISTRATION_FIELDS=Setting(default=(), definition='User fields to ask with email'),
+    A2_REALMS=Setting(default=(), definition='List of realms to search user accounts'),
+    A2_USERNAME_REGEX=Setting(default=None, definition='Regex that username must validate'),
+    A2_USERNAME_LABEL=Setting(default=None, definition='Alternate username label for the login form'),
     A2_USERNAME_HELP_TEXT=Setting(
-        default=None,
-        definition='Help text to explain validation rules of usernames'),
-    A2_USERNAME_IS_UNIQUE=Setting(
-        default=True,
-        definition='Check username uniqueness'),
+        default=None, definition='Help text to explain validation rules of usernames'
+    ),
+    A2_USERNAME_IS_UNIQUE=Setting(default=True, definition='Check username uniqueness'),
     A2_LOGIN_FORM_OU_SELECTOR=Setting(
-        default=False,
-        definition='Whether to add an OU selector to the login form'),
-    A2_LOGIN_FORM_OU_SELECTOR_LABEL=Setting(
-        default=None,
-        definition='Label of OU field on login page'),
+        default=False, definition='Whether to add an OU selector to the login form'
+    ),
+    A2_LOGIN_FORM_OU_SELECTOR_LABEL=Setting(default=None, definition='Label of OU field on login page'),
     A2_REGISTRATION_USERNAME_IS_UNIQUE=Setting(
-        default=True,
-        definition='Check username uniqueness on registration'),
+        default=True, definition='Check username uniqueness on registration'
+    ),
     IDP_BACKENDS=(),
     AUTH_FRONTENDS=(),
     AUTH_FRONTENDS_KWARGS={},
-    VALID_REFERERS=Setting(
-        default=(),
-        definition='List of prefix to match referers'),
-    A2_OPENED_SESSION_COOKIE_NAME=Setting(
-        default='A2_OPENED_SESSION',
-        definition='Authentic session open'),
-    A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(
-        default=None),
-    A2_OPENED_SESSION_COOKIE_SECURE=Setting(
-        default=False),
-    A2_ATTRIBUTE_KINDS=Setting(
-        default=(),
-        definition='List of other attribute kinds'),
+    VALID_REFERERS=Setting(default=(), definition='List of prefix to match referers'),
+    A2_OPENED_SESSION_COOKIE_NAME=Setting(default='A2_OPENED_SESSION', definition='Authentic session open'),
+    A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(default=None),
+    A2_OPENED_SESSION_COOKIE_SECURE=Setting(default=False),
+    A2_ATTRIBUTE_KINDS=Setting(default=(), definition='List of other attribute kinds'),
     A2_ATTRIBUTE_KIND_PROFILE_IMAGE_SIZE=Setting(
-        default=200,
-        definition='Width and height for a profile image'),
+        default=200, definition='Width and height for a profile image'
+    ),
     A2_VALIDATE_EMAIL=Setting(
-        default=False,
-        definition='Validate user email server by doing an RCPT command'),
-    A2_VALIDATE_EMAIL_DOMAIN=Setting(
-        default=True,
-        definition='Validate user email domain'),
+        default=False, definition='Validate user email server by doing an RCPT command'
+    ),
+    A2_VALIDATE_EMAIL_DOMAIN=Setting(default=True, definition='Validate user email domain'),
     A2_PASSWORD_POLICY_MIN_CLASSES=Setting(
-        default=3,
-        definition='Minimum number of characters classes to be present in passwords'),
-    A2_PASSWORD_POLICY_MIN_LENGTH=Setting(
-        default=8,
-        definition='Minimum number of characters in a password'),
-    A2_PASSWORD_POLICY_REGEX=Setting(
-        default=None,
-        definition='Regular expression for validating passwords'),
+        default=3, definition='Minimum number of characters classes to be present in passwords'
+    ),
+    A2_PASSWORD_POLICY_MIN_LENGTH=Setting(default=8, definition='Minimum number of characters in a password'),
+    A2_PASSWORD_POLICY_REGEX=Setting(default=None, definition='Regular expression for validating passwords'),
     A2_PASSWORD_POLICY_REGEX_ERROR_MSG=Setting(
         default=None,
-        definition='Error message to show when the password do not validate the regular expression'),
+        definition='Error message to show when the password do not validate the regular expression',
+    ),
     A2_PASSWORD_POLICY_CLASS=Setting(
         default='authentic2.passwords.DefaultPasswordChecker',
-        definition='path of a class to validate passwords'),
+        definition='path of a class to validate passwords',
+    ),
     A2_PASSWORD_POLICY_SHOW_LAST_CHAR=Setting(
-        default=False,
-        definition='Show last character in password fields'),
+        default=False, definition='Show last character in password fields'
+    ),
     A2_AUTH_PASSWORD_ENABLE=Setting(
-        default=True,
-        definition='Activate login/password authentication', names=('AUTH_PASSWORD',)),
+        default=True, definition='Activate login/password authentication', names=('AUTH_PASSWORD',)
+    ),
     A2_SUGGESTED_EMAIL_DOMAINS=Setting(
-        default=['gmail.com', 'msn.com', 'hotmail.com', 'hotmail.fr',
-                 'wanadoo.fr', 'yahoo.fr', 'yahoo.com', 'laposte.net',
-                 'free.fr', 'orange.fr', 'numericable.fr'],
-        definition='List of suggested email domains'),
+        default=[
+            'gmail.com',
+            'msn.com',
+            'hotmail.com',
+            'hotmail.fr',
+            'wanadoo.fr',
+            'yahoo.fr',
+            'yahoo.com',
+            'laposte.net',
+            'free.fr',
+            'orange.fr',
+            'numericable.fr',
+        ],
+        definition='List of suggested email domains',
+    ),
     A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING=Setting(
         default=0,
         definition='Failure count before logging a warning to '
         'authentic2.user_login_failure. No warning will be send if value is '
-        '0.'),
-    PUSH_PROFILE_UPDATES=Setting(
-        default=False,
-        definition='Push profile update to linked services'),
-    TEMPLATE_VARS=Setting(
-        default={},
-        definition='Variable to pass to templates'),
+        '0.',
+    ),
+    PUSH_PROFILE_UPDATES=Setting(default=False, definition='Push profile update to linked services'),
+    TEMPLATE_VARS=Setting(default={}, definition='Variable to pass to templates'),
     A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR=Setting(
         default=1.8,
-        definition='exponential backoff factor duration as seconds until '
-        'next try after a login failure'),
+        definition='exponential backoff factor duration as seconds until ' 'next try after a login failure',
+    ),
     A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION=Setting(
         default=1,
         definition='exponential backoff base factor duration as seconds '
-        'until next try after a login failure'),
+        'until next try after a login failure',
+    ),
     A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MAX_DURATION=Setting(
         default=3600,
         definition='maximum exponential backoff maximum duration as seconds until '
-        'next try after a login failure'),
+        'next try after a login failure',
+    ),
     A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION=Setting(
         default=10,
         definition='minimum exponential backoff maximum duration as seconds until '
-        'next try after a login failure'),
-    A2_VERIFY_SSL=Setting(
-        default=True,
-        definition='Verify SSL certificate in HTTP requests'),
-    A2_ATTRIBUTE_KIND_TITLE_CHOICES=Setting(
-        default=(),
-        definition='Choices for the title attribute kind'),
+        'next try after a login failure',
+    ),
+    A2_VERIFY_SSL=Setting(default=True, definition='Verify SSL certificate in HTTP requests'),
+    A2_ATTRIBUTE_KIND_TITLE_CHOICES=Setting(default=(), definition='Choices for the title attribute kind'),
     A2_CORS_WHITELIST=Setting(
-        default=(),
-        definition='List of origin URL to whitelist, must be scheme://netloc[:port]'),
+        default=(), definition='List of origin URL to whitelist, must be scheme://netloc[:port]'
+    ),
     A2_EMAIL_CHANGE_TOKEN_LIFETIME=Setting(
-        default=7200,
-        definition='Lifetime in seconds of the token sent to verify email adresses'),
+        default=7200, definition='Lifetime in seconds of the token sent to verify email adresses'
+    ),
     A2_DELETION_REQUEST_LIFETIME=Setting(
-        default=48*3600,
-        definition='Lifetime in seconds of the user account deletion request'),
+        default=48 * 3600, definition='Lifetime in seconds of the user account deletion request'
+    ),
     A2_REDIRECT_WHITELIST=Setting(
-        default=(),
-        definition='List of origins which are authorized to ask for redirection.'),
+        default=(), definition='List of origins which are authorized to ask for redirection.'
+    ),
     A2_API_USERS_REQUIRED_FIELDS=Setting(
-        default=(),
-        definition='List of fields to require on user\'s API, override other settings'),
+        default=(), definition='List of fields to require on user\'s API, override other settings'
+    ),
     A2_USER_FILTER=Setting(
         default={},
-        definition='Filters (as in QuerySet.filter() to apply to User queryset before '
-                   'authentication'),
+        definition='Filters (as in QuerySet.filter() to apply to User queryset before ' 'authentication',
+    ),
     A2_USER_EXCLUDE=Setting(
         default={},
         definition='Exclusion filter (as in QuerySet.exclude() to apply to User queryset before '
-                   'authentication'),
+        'authentication',
+    ),
     A2_USER_REMEMBER_ME=Setting(
         default=None,
         definition='Session duration as seconds when using the remember me '
-        'checkbox. Truthiness activates the checkbox.'),
+        'checkbox. Truthiness activates the checkbox.',
+    ),
     A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE=Setting(
-        default=False,
-        definition='Redirect authenticated users to homepage'),
+        default=False, definition='Redirect authenticated users to homepage'
+    ),
     A2_LOGIN_DISPLAY_A_CANCEL_BUTTON=Setting(
         default=False,
-        definition='Display a cancel button.'
-        'This is only applicable for Liberty single sign on requests'),
+        definition='Display a cancel button.' 'This is only applicable for Liberty single sign on requests',
+    ),
     A2_SET_RANDOM_PASSWORD_ON_RESET=Setting(
         default=True,
-        definition='Set a random password on request to reset the password from the front-office'),
-    A2_ACCOUNTS_URL=Setting(
-        default=None,
-        definition='IdP has no account page, redirect to this one.'),
-    A2_CACHE_ENABLED=Setting(
-        default=True,
-        definition='Disable all cache decorators for testing purpose.'),
-    A2_ACCEPT_EMAIL_AUTHENTICATION=Setting(
-        default=True,
-        definition='Enable authentication by email'),
+        definition='Set a random password on request to reset the password from the front-office',
+    ),
+    A2_ACCOUNTS_URL=Setting(default=None, definition='IdP has no account page, redirect to this one.'),
+    A2_CACHE_ENABLED=Setting(default=True, definition='Disable all cache decorators for testing purpose.'),
+    A2_ACCEPT_EMAIL_AUTHENTICATION=Setting(default=True, definition='Enable authentication by email'),
     A2_EMAILS_IP_RATELIMIT=Setting(
-        default='10/h',
-        definition='Maximum rate of email sendings triggered by the same IP address.'),
+        default='10/h', definition='Maximum rate of email sendings triggered by the same IP address.'
+    ),
     A2_EMAILS_ADDRESS_RATELIMIT=Setting(
-        default='3/d',
-        definition='Maximum rate of emails sent to the same email address.'),
+        default='3/d', definition='Maximum rate of emails sent to the same email address.'
+    ),
     A2_USER_DELETED_KEEP_DATA=Setting(
-        default=['email', 'uuid'],
-        definition='User data to keep after deletion'),
+        default=['email', 'uuid'], definition='User data to keep after deletion'
+    ),
     A2_USER_DELETED_KEEP_DATA_DAYS=Setting(
-        default=365,
-        definition='Number of days to keep data on deleted users'),
+        default=365, definition='Number of days to keep data on deleted users'
+    ),
     A2_TOKEN_EXISTS_WARNING=Setting(
-        default=True,
-        definition='If an active token exists, warn user before generating a new one.'),
+        default=True, definition='If an active token exists, warn user before generating a new one.'
+    ),
     A2_DUPLICATES_THRESHOLD=Setting(
-        default=0.7,
-        definition='Trigram similarity threshold for considering user as duplicate.'),
-    A2_FTS_THRESHOLD=Setting(
-        default=0.2,
-        definition='Trigram similarity threshold for free text search.'),
+        default=0.7, definition='Trigram similarity threshold for considering user as duplicate.'
+    ),
+    A2_FTS_THRESHOLD=Setting(default=0.2, definition='Trigram similarity threshold for free text search.'),
     A2_DUPLICATES_BIRTHDATE_BONUS=Setting(
-        default=0.3,
-        definition='Bonus in case of birthdate match (no bonus is 0, max is 1).'),
+        default=0.3, definition='Bonus in case of birthdate match (no bonus is 0, max is 1).'
+    ),
     A2_EMAIL_FORMAT=Setting(
         default='multipart/alternative',
-        definition='Send email as "multiplart/alternative" or limit to "text/plain" or "text/html".'),
+        definition='Send email as "multiplart/alternative" or limit to "text/plain" or "text/html".',
+    ),
 )
 
 app_settings = AppSettings(default_settings)
diff --git a/src/authentic2/apps/journal/migrations/0001_initial.py b/src/authentic2/apps/journal/migrations/0001_initial.py
index 2fb80e8b..7bcdc79d 100644
--- a/src/authentic2/apps/journal/migrations/0001_initial.py
+++ b/src/authentic2/apps/journal/migrations/0001_initial.py
@@ -113,6 +113,6 @@ class Migration(migrations.Migration):
                 'DROP INDEX journal_event_reference_ct_ids_idx;',
                 'DROP INDEX journal_event_reference_ids_idx;',
                 'DROP INDEX journal_event_timestamp_id_idx;',
-            ]
+            ],
         ),
     ]
diff --git a/src/authentic2/apps/journal/models.py b/src/authentic2/apps/journal/models.py
index 9d4b5119..9963432a 100644
--- a/src/authentic2/apps/journal/models.py
+++ b/src/authentic2/apps/journal/models.py
@@ -307,11 +307,15 @@ class Event(models.Model):
     type = models.ForeignKey(verbose_name=_('type'), to=EventType, on_delete=models.PROTECT)
 
     reference_ids = ArrayField(
-        verbose_name=_('reference ids'), base_field=models.BigIntegerField(), null=True,
+        verbose_name=_('reference ids'),
+        base_field=models.BigIntegerField(),
+        null=True,
     )
 
     reference_ct_ids = ArrayField(
-        verbose_name=_('reference ct ids'), base_field=models.IntegerField(), null=True,
+        verbose_name=_('reference ct ids'),
+        base_field=models.IntegerField(),
+        null=True,
     )
 
     data = JSONField(verbose_name=_('data'), null=True)
@@ -361,8 +365,8 @@ class Event(models.Model):
 
     @classmethod
     def cleanup(cls):
-        '''Expire old events by default retention days or customized at the
-           EventTypeDefinition level.'''
+        """Expire old events by default retention days or customized at the
+        EventTypeDefinition level."""
         event_types_by_retention_days = defaultdict(set)
         default_retention_days = getattr(settings, 'JOURNAL_DEFAULT_RETENTION_DAYS', 365 * 2)
         for event_type in EventType.objects.all():
diff --git a/src/authentic2/apps/journal/search_engine.py b/src/authentic2/apps/journal/search_engine.py
index fa01029b..58ef2205 100644
--- a/src/authentic2/apps/journal/search_engine.py
+++ b/src/authentic2/apps/journal/search_engine.py
@@ -80,12 +80,14 @@ class SearchEngine:
         if not hasattr(self, method_name):
             return
 
-        yield from getattr(self, method_name)(lexem[len(prefix) + 1:])
+        yield from getattr(self, method_name)(lexem[len(prefix) + 1 :])
 
     @classmethod
     def documentation(cls):
-        yield _('You can use colon terminated prefixes to make special searches, '
-                'and you can use quote around the suffix to preserve spaces.')
+        yield _(
+            'You can use colon terminated prefixes to make special searches, '
+            'and you can use quote around the suffix to preserve spaces.'
+        )
         for name in dir(cls):
             documentation = getattr(getattr(cls, name), 'documentation', None)
             if documentation:
diff --git a/src/authentic2/attribute_aggregator/migrations/0001_initial.py b/src/authentic2/attribute_aggregator/migrations/0001_initial.py
index aa178826..9ce675ea 100644
--- a/src/authentic2/attribute_aggregator/migrations/0001_initial.py
+++ b/src/authentic2/attribute_aggregator/migrations/0001_initial.py
@@ -15,10 +15,306 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AttributeItem',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('attribute_name', models.CharField(default=('OpenLDAProotDSE', 'OpenLDAProotDSE'), max_length=100, verbose_name='Attribute name', choices=[('OpenLDAProotDSE', 'OpenLDAProotDSE'), ('aRecord', 'aRecord'), ('administrativeRole', 'administrativeRole'), ('alias', 'alias'), ('aliasedObjectName', 'aliasedObjectName'), ('altServer', 'altServer'), ('associatedDomain', 'associatedDomain'), ('associatedName', 'associatedName'), ('attributeTypes', 'attributeTypes'), ('audio', 'audio'), ('authPassword', 'authPassword'), ('authorityRevocationList', 'authorityRevocationList'), ('authzFrom', 'authzFrom'), ('authzTo', 'authzTo'), ('bootFile', 'bootFile'), ('bootParameter', 'bootParameter'), ('buildingName', 'buildingName'), ('businessCategory', 'businessCategory'), ('c', 'c'), ('cACertificate', 'cACertificate'), ('cNAMERecord', 'cNAMERecord'), ('carLicense', 'carLicense'), ('certificateRevocationList', 'certificateRevocationList'), ('children', 'children'), ('cn', 'cn'), ('co', 'co'), ('collectiveAttributeSubentries', 'collectiveAttributeSubentries'), ('collectiveAttributeSubentry', 'collectiveAttributeSubentry'), ('collectiveExclusions', 'collectiveExclusions'), ('configContext', 'configContext'), ('contextCSN', 'contextCSN'), ('createTimestamp', 'createTimestamp'), ('creatorsName', 'creatorsName'), ('crossCertificatePair', 'crossCertificatePair'), ('dITContentRules', 'dITContentRules'), ('dITRedirect', 'dITRedirect'), ('dITStructureRules', 'dITStructureRules'), ('dSAQuality', 'dSAQuality'), ('dc', 'dc'), ('deltaRevocationList', 'deltaRevocationList'), ('departmentNumber', 'departmentNumber'), ('description', 'description'), ('destinationIndicator', 'destinationIndicator'), ('displayName', 'displayName'), ('distinguishedName', 'distinguishedName'), ('dmdName', 'dmdName'), ('dnQualifier', 'dnQualifier'), ('documentAuthor', 'documentAuthor'), ('documentIdentifier', 'documentIdentifier'), ('documentLocation', 'documentLocation'), ('documentPublisher', 'documentPublisher'), ('documentTitle', 'documentTitle'), ('documentVersion', 'documentVersion'), ('drink', 'drink'), ('dynamicObject', 'dynamicObject'), ('dynamicSubtrees', 'dynamicSubtrees'), ('eduOrgHomePageURI', 'eduOrgHomePageURI'), ('eduOrgIdentityAuthNPolicyURI', 'eduOrgIdentityAuthNPolicyURI'), ('eduOrgLegalName', 'eduOrgLegalName'), ('eduOrgSuperiorURI', 'eduOrgSuperiorURI'), ('eduOrgWhitePagesURI', 'eduOrgWhitePagesURI'), ('eduPersonAffiliation', 'eduPersonAffiliation'), ('eduPersonAssurance', 'eduPersonAssurance'), ('eduPersonEntitlement', 'eduPersonEntitlement'), ('eduPersonNickname', 'eduPersonNickname'), ('eduPersonOrgDN', 'eduPersonOrgDN'), ('eduPersonOrgUnitDN', 'eduPersonOrgUnitDN'), ('eduPersonPrimaryAffiliation', 'eduPersonPrimaryAffiliation'), ('eduPersonPrimaryOrgUnitDN', 'eduPersonPrimaryOrgUnitDN'), ('eduPersonPrincipalName', 'eduPersonPrincipalName'), ('eduPersonScopedAffiliation', 'eduPersonScopedAffiliation'), ('eduPersonTargetedID', 'eduPersonTargetedID'), ('email', 'email'), ('employeeNumber', 'employeeNumber'), ('employeeType', 'employeeType'), ('enhancedSearchGuide', 'enhancedSearchGuide'), ('entry', 'entry'), ('entryCSN', 'entryCSN'), ('entryDN', 'entryDN'), ('entryTtl', 'entryTtl'), ('entryUUID', 'entryUUID'), ('extensibleObject', 'extensibleObject'), ('fax', 'fax'), ('gecos', 'gecos'), ('generationQualifier', 'generationQualifier'), ('gidNumber', 'gidNumber'), ('givenName', 'givenName'), ('glue', 'glue'), ('hasSubordinates', 'hasSubordinates'), ('homeDirectory', 'homeDirectory'), ('homePhone', 'homePhone'), ('homePostalAddress', 'homePostalAddress'), ('host', 'host'), ('houseIdentifier', 'houseIdentifier'), ('info', 'info'), ('initials', 'initials'), ('internationaliSDNNumber', 'internationaliSDNNumber'), ('ipHostNumber', 'ipHostNumber'), ('ipNetmaskNumber', 'ipNetmaskNumber'), ('ipNetworkNumber', 'ipNetworkNumber'), ('ipProtocolNumber', 'ipProtocolNumber'), ('ipServicePort', 'ipServicePort'), ('ipServiceProtocolSUPname', 'ipServiceProtocolSUPname'), ('janetMailbox', 'janetMailbox'), ('jpegPhoto', 'jpegPhoto'), ('knowledgeInformation', 'knowledgeInformation'), ('l', 'l'), ('labeledURI', 'labeledURI'), ('ldapSyntaxes', 'ldapSyntaxes'), ('loginShell', 'loginShell'), ('mDRecord', 'mDRecord'), ('mXRecord', 'mXRecord'), ('macAddress', 'macAddress'), ('mail', 'mail'), ('mailForwardingAddress', 'mailForwardingAddress'), ('mailHost', 'mailHost'), ('mailLocalAddress', 'mailLocalAddress'), ('mailPreferenceOption', 'mailPreferenceOption'), ('mailRoutingAddress', 'mailRoutingAddress'), ('manager', 'manager'), ('matchingRuleUse', 'matchingRuleUse'), ('matchingRules', 'matchingRules'), ('member', 'member'), ('memberNisNetgroup', 'memberNisNetgroup'), ('memberUid', 'memberUid'), ('mobile', 'mobile'), ('modifiersName', 'modifiersName'), ('modifyTimestamp', 'modifyTimestamp'), ('monitorContext', 'monitorContext'), ('nSRecord', 'nSRecord'), ('name', 'name'), ('nameForms', 'nameForms'), ('namingCSN', 'namingCSN'), ('namingContexts', 'namingContexts'), ('nisMapEntry', 'nisMapEntry'), ('nisMapNameSUPname', 'nisMapNameSUPname'), ('nisNetgroupTriple', 'nisNetgroupTriple'), ('o', 'o'), ('objectClass', 'objectClass'), ('objectClasses', 'objectClasses'), ('oncRpcNumber', 'oncRpcNumber'), ('organizationalStatus', 'organizationalStatus'), ('otherMailbox', 'otherMailbox'), ('ou', 'ou'), ('owner', 'owner'), ('pager', 'pager'), ('personalSignature', 'personalSignature'), ('personalTitle', 'personalTitle'), ('photo', 'photo'), ('physicalDeliveryOfficeName', 'physicalDeliveryOfficeName'), ('postOfficeBox', 'postOfficeBox'), ('postalAddress', 'postalAddress'), ('postalCode', 'postalCode'), ('preferredDeliveryMethod', 'preferredDeliveryMethod'), ('preferredLanguage', 'preferredLanguage'), ('presentationAddress', 'presentationAddress'), ('protocolInformation', 'protocolInformation'), ('pseudonym', 'pseudonym'), ('ref', 'ref'), ('referral', 'referral'), ('registeredAddress', 'registeredAddress'), ('rfc822MailMember', 'rfc822MailMember'), ('role', 'role'), ('roleOccupant', 'roleOccupant'), ('roomNumber', 'roomNumber'), ('sOARecord', 'sOARecord'), ('schacHomeOrganization', 'schacHomeOrganization'), ('schacHomeOrganizationType', 'schacHomeOrganizationType'), ('searchGuide', 'searchGuide'), ('secretary', 'secretary'), ('seeAlso', 'seeAlso'), ('serialNumber', 'serialNumber'), ('shadowExpire', 'shadowExpire'), ('shadowFlag', 'shadowFlag'), ('shadowInactive', 'shadowInactive'), ('shadowLastChange', 'shadowLastChange'), ('shadowMax', 'shadowMax'), ('shadowMin', 'shadowMin'), ('shadowWarning', 'shadowWarning'), ('singleLevelQuality', 'singleLevelQuality'), ('sn', 'sn'), ('st', 'st'), ('street', 'street'), ('structuralObjectClass', 'structuralObjectClass'), ('subentry', 'subentry'), ('subschema', 'subschema'), ('subschemaSubentry', 'subschemaSubentry'), ('subtreeMaximumQuality', 'subtreeMaximumQuality'), ('subtreeMinimumQuality', 'subtreeMinimumQuality'), ('subtreeSpecification', 'subtreeSpecification'), ('supannActivite', 'supannActivite'), ('supannAffectation', 'supannAffectation'), ('supannAliasLogin', 'supannAliasLogin'), ('supannAutreMail', 'supannAutreMail'), ('supannAutreTelephone', 'supannAutreTelephone'), ('supannCivilite', 'supannCivilite'), ('supannCodeEntite', 'supannCodeEntite'), ('supannCodeEntiteParent', 'supannCodeEntiteParent'), ('supannCodeINE', 'supannCodeINE'), ('supannEmpCorps', 'supannEmpCorps'), ('supannEmpId', 'supannEmpId'), ('supannEntiteAffectation', 'supannEntiteAffectation'), ('supannEntiteAffectationPrincipale', 'supannEntiteAffectationPrincipale'), ('supannEtablissement', 'supannEtablissement'), ('supannEtuAnneeInscription', 'supannEtuAnneeInscription'), ('supannEtuCursusAnnee', 'supannEtuCursusAnnee'), ('supannEtuDiplome', 'supannEtuDiplome'), ('supannEtuElementPedagogique', 'supannEtuElementPedagogique'), ('supannEtuEtape', 'supannEtuEtape'), ('supannEtuId', 'supannEtuId'), ('supannEtuInscription', 'supannEtuInscription'), ('supannEtuRegimeInscription', 'supannEtuRegimeInscription'), ('supannEtuSecteurDisciplinaire', 'supannEtuSecteurDisciplinaire'), ('supannEtuTypeDiplome', 'supannEtuTypeDiplome'), ('supannGroupeAdminDN', 'supannGroupeAdminDN'), ('supannGroupeDateFin', 'supannGroupeDateFin'), ('supannGroupeLecteurDN', 'supannGroupeLecteurDN'), ('supannListeRouge', 'supannListeRouge'), ('supannMailPerso', 'supannMailPerso'), ('supannOrganisme', 'supannOrganisme'), ('supannParrainDN', 'supannParrainDN'), ('supannRefId', 'supannRefId'), ('supannRole', 'supannRole'), ('supannRoleEntite', 'supannRoleEntite'), ('supannRoleGenerique', 'supannRoleGenerique'), ('supannTypeEntite', 'supannTypeEntite'), ('supannTypeEntiteAffectation', 'supannTypeEntiteAffectation'), ('superiorUUID', 'superiorUUID'), ('supportedAlgorithms', 'supportedAlgorithms'), ('supportedApplicationContext', 'supportedApplicationContext'), ('supportedAuthPasswordSchemes', 'supportedAuthPasswordSchemes'), ('supportedControl', 'supportedControl'), ('supportedExtension', 'supportedExtension'), ('supportedFeatures', 'supportedFeatures'), ('supportedLDAPVersion', 'supportedLDAPVersion'), ('supportedSASLMechanisms', 'supportedSASLMechanisms'), ('syncConsumerSubentry', 'syncConsumerSubentry'), ('syncProviderSubentry', 'syncProviderSubentry'), ('syncTimestamp', 'syncTimestamp'), ('syncreplCookie', 'syncreplCookie'), ('telephoneNumber', 'telephoneNumber'), ('teletexTerminalIdentifier', 'teletexTerminalIdentifier'), ('telexNumber', 'telexNumber'), ('textEncodedORAddress', 'textEncodedORAddress'), ('title', 'title'), ('top', 'top'), ('uid', 'uid'), ('uidNumber', 'uidNumber'), ('uniqueIdentifier', 'uniqueIdentifier'), ('uniqueMember', 'uniqueMember'), ('userCertificate', 'userCertificate'), ('userClass', 'userClass'), ('userPKCS12', 'userPKCS12'), ('userPassword', 'userPassword'), ('userSMIMECertificate', 'userSMIMECertificate'), ('vendorName', 'vendorName'), ('vendorVersion', 'vendorVersion'), ('x121Address', 'x121Address'), ('x500UniqueIdentifier', 'x500UniqueIdentifier')])),
-                ('output_name_format', models.CharField(default=('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'), max_length=100, verbose_name='Output name format', choices=[('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'), ('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', 'SAMLv2 BASIC')])),
-                ('output_namespace', models.CharField(default=('Default', 'Default'), max_length=100, verbose_name='Output namespace', choices=[('Default', 'Default'), ('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims')])),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'attribute_name',
+                    models.CharField(
+                        default=('OpenLDAProotDSE', 'OpenLDAProotDSE'),
+                        max_length=100,
+                        verbose_name='Attribute name',
+                        choices=[
+                            ('OpenLDAProotDSE', 'OpenLDAProotDSE'),
+                            ('aRecord', 'aRecord'),
+                            ('administrativeRole', 'administrativeRole'),
+                            ('alias', 'alias'),
+                            ('aliasedObjectName', 'aliasedObjectName'),
+                            ('altServer', 'altServer'),
+                            ('associatedDomain', 'associatedDomain'),
+                            ('associatedName', 'associatedName'),
+                            ('attributeTypes', 'attributeTypes'),
+                            ('audio', 'audio'),
+                            ('authPassword', 'authPassword'),
+                            ('authorityRevocationList', 'authorityRevocationList'),
+                            ('authzFrom', 'authzFrom'),
+                            ('authzTo', 'authzTo'),
+                            ('bootFile', 'bootFile'),
+                            ('bootParameter', 'bootParameter'),
+                            ('buildingName', 'buildingName'),
+                            ('businessCategory', 'businessCategory'),
+                            ('c', 'c'),
+                            ('cACertificate', 'cACertificate'),
+                            ('cNAMERecord', 'cNAMERecord'),
+                            ('carLicense', 'carLicense'),
+                            ('certificateRevocationList', 'certificateRevocationList'),
+                            ('children', 'children'),
+                            ('cn', 'cn'),
+                            ('co', 'co'),
+                            ('collectiveAttributeSubentries', 'collectiveAttributeSubentries'),
+                            ('collectiveAttributeSubentry', 'collectiveAttributeSubentry'),
+                            ('collectiveExclusions', 'collectiveExclusions'),
+                            ('configContext', 'configContext'),
+                            ('contextCSN', 'contextCSN'),
+                            ('createTimestamp', 'createTimestamp'),
+                            ('creatorsName', 'creatorsName'),
+                            ('crossCertificatePair', 'crossCertificatePair'),
+                            ('dITContentRules', 'dITContentRules'),
+                            ('dITRedirect', 'dITRedirect'),
+                            ('dITStructureRules', 'dITStructureRules'),
+                            ('dSAQuality', 'dSAQuality'),
+                            ('dc', 'dc'),
+                            ('deltaRevocationList', 'deltaRevocationList'),
+                            ('departmentNumber', 'departmentNumber'),
+                            ('description', 'description'),
+                            ('destinationIndicator', 'destinationIndicator'),
+                            ('displayName', 'displayName'),
+                            ('distinguishedName', 'distinguishedName'),
+                            ('dmdName', 'dmdName'),
+                            ('dnQualifier', 'dnQualifier'),
+                            ('documentAuthor', 'documentAuthor'),
+                            ('documentIdentifier', 'documentIdentifier'),
+                            ('documentLocation', 'documentLocation'),
+                            ('documentPublisher', 'documentPublisher'),
+                            ('documentTitle', 'documentTitle'),
+                            ('documentVersion', 'documentVersion'),
+                            ('drink', 'drink'),
+                            ('dynamicObject', 'dynamicObject'),
+                            ('dynamicSubtrees', 'dynamicSubtrees'),
+                            ('eduOrgHomePageURI', 'eduOrgHomePageURI'),
+                            ('eduOrgIdentityAuthNPolicyURI', 'eduOrgIdentityAuthNPolicyURI'),
+                            ('eduOrgLegalName', 'eduOrgLegalName'),
+                            ('eduOrgSuperiorURI', 'eduOrgSuperiorURI'),
+                            ('eduOrgWhitePagesURI', 'eduOrgWhitePagesURI'),
+                            ('eduPersonAffiliation', 'eduPersonAffiliation'),
+                            ('eduPersonAssurance', 'eduPersonAssurance'),
+                            ('eduPersonEntitlement', 'eduPersonEntitlement'),
+                            ('eduPersonNickname', 'eduPersonNickname'),
+                            ('eduPersonOrgDN', 'eduPersonOrgDN'),
+                            ('eduPersonOrgUnitDN', 'eduPersonOrgUnitDN'),
+                            ('eduPersonPrimaryAffiliation', 'eduPersonPrimaryAffiliation'),
+                            ('eduPersonPrimaryOrgUnitDN', 'eduPersonPrimaryOrgUnitDN'),
+                            ('eduPersonPrincipalName', 'eduPersonPrincipalName'),
+                            ('eduPersonScopedAffiliation', 'eduPersonScopedAffiliation'),
+                            ('eduPersonTargetedID', 'eduPersonTargetedID'),
+                            ('email', 'email'),
+                            ('employeeNumber', 'employeeNumber'),
+                            ('employeeType', 'employeeType'),
+                            ('enhancedSearchGuide', 'enhancedSearchGuide'),
+                            ('entry', 'entry'),
+                            ('entryCSN', 'entryCSN'),
+                            ('entryDN', 'entryDN'),
+                            ('entryTtl', 'entryTtl'),
+                            ('entryUUID', 'entryUUID'),
+                            ('extensibleObject', 'extensibleObject'),
+                            ('fax', 'fax'),
+                            ('gecos', 'gecos'),
+                            ('generationQualifier', 'generationQualifier'),
+                            ('gidNumber', 'gidNumber'),
+                            ('givenName', 'givenName'),
+                            ('glue', 'glue'),
+                            ('hasSubordinates', 'hasSubordinates'),
+                            ('homeDirectory', 'homeDirectory'),
+                            ('homePhone', 'homePhone'),
+                            ('homePostalAddress', 'homePostalAddress'),
+                            ('host', 'host'),
+                            ('houseIdentifier', 'houseIdentifier'),
+                            ('info', 'info'),
+                            ('initials', 'initials'),
+                            ('internationaliSDNNumber', 'internationaliSDNNumber'),
+                            ('ipHostNumber', 'ipHostNumber'),
+                            ('ipNetmaskNumber', 'ipNetmaskNumber'),
+                            ('ipNetworkNumber', 'ipNetworkNumber'),
+                            ('ipProtocolNumber', 'ipProtocolNumber'),
+                            ('ipServicePort', 'ipServicePort'),
+                            ('ipServiceProtocolSUPname', 'ipServiceProtocolSUPname'),
+                            ('janetMailbox', 'janetMailbox'),
+                            ('jpegPhoto', 'jpegPhoto'),
+                            ('knowledgeInformation', 'knowledgeInformation'),
+                            ('l', 'l'),
+                            ('labeledURI', 'labeledURI'),
+                            ('ldapSyntaxes', 'ldapSyntaxes'),
+                            ('loginShell', 'loginShell'),
+                            ('mDRecord', 'mDRecord'),
+                            ('mXRecord', 'mXRecord'),
+                            ('macAddress', 'macAddress'),
+                            ('mail', 'mail'),
+                            ('mailForwardingAddress', 'mailForwardingAddress'),
+                            ('mailHost', 'mailHost'),
+                            ('mailLocalAddress', 'mailLocalAddress'),
+                            ('mailPreferenceOption', 'mailPreferenceOption'),
+                            ('mailRoutingAddress', 'mailRoutingAddress'),
+                            ('manager', 'manager'),
+                            ('matchingRuleUse', 'matchingRuleUse'),
+                            ('matchingRules', 'matchingRules'),
+                            ('member', 'member'),
+                            ('memberNisNetgroup', 'memberNisNetgroup'),
+                            ('memberUid', 'memberUid'),
+                            ('mobile', 'mobile'),
+                            ('modifiersName', 'modifiersName'),
+                            ('modifyTimestamp', 'modifyTimestamp'),
+                            ('monitorContext', 'monitorContext'),
+                            ('nSRecord', 'nSRecord'),
+                            ('name', 'name'),
+                            ('nameForms', 'nameForms'),
+                            ('namingCSN', 'namingCSN'),
+                            ('namingContexts', 'namingContexts'),
+                            ('nisMapEntry', 'nisMapEntry'),
+                            ('nisMapNameSUPname', 'nisMapNameSUPname'),
+                            ('nisNetgroupTriple', 'nisNetgroupTriple'),
+                            ('o', 'o'),
+                            ('objectClass', 'objectClass'),
+                            ('objectClasses', 'objectClasses'),
+                            ('oncRpcNumber', 'oncRpcNumber'),
+                            ('organizationalStatus', 'organizationalStatus'),
+                            ('otherMailbox', 'otherMailbox'),
+                            ('ou', 'ou'),
+                            ('owner', 'owner'),
+                            ('pager', 'pager'),
+                            ('personalSignature', 'personalSignature'),
+                            ('personalTitle', 'personalTitle'),
+                            ('photo', 'photo'),
+                            ('physicalDeliveryOfficeName', 'physicalDeliveryOfficeName'),
+                            ('postOfficeBox', 'postOfficeBox'),
+                            ('postalAddress', 'postalAddress'),
+                            ('postalCode', 'postalCode'),
+                            ('preferredDeliveryMethod', 'preferredDeliveryMethod'),
+                            ('preferredLanguage', 'preferredLanguage'),
+                            ('presentationAddress', 'presentationAddress'),
+                            ('protocolInformation', 'protocolInformation'),
+                            ('pseudonym', 'pseudonym'),
+                            ('ref', 'ref'),
+                            ('referral', 'referral'),
+                            ('registeredAddress', 'registeredAddress'),
+                            ('rfc822MailMember', 'rfc822MailMember'),
+                            ('role', 'role'),
+                            ('roleOccupant', 'roleOccupant'),
+                            ('roomNumber', 'roomNumber'),
+                            ('sOARecord', 'sOARecord'),
+                            ('schacHomeOrganization', 'schacHomeOrganization'),
+                            ('schacHomeOrganizationType', 'schacHomeOrganizationType'),
+                            ('searchGuide', 'searchGuide'),
+                            ('secretary', 'secretary'),
+                            ('seeAlso', 'seeAlso'),
+                            ('serialNumber', 'serialNumber'),
+                            ('shadowExpire', 'shadowExpire'),
+                            ('shadowFlag', 'shadowFlag'),
+                            ('shadowInactive', 'shadowInactive'),
+                            ('shadowLastChange', 'shadowLastChange'),
+                            ('shadowMax', 'shadowMax'),
+                            ('shadowMin', 'shadowMin'),
+                            ('shadowWarning', 'shadowWarning'),
+                            ('singleLevelQuality', 'singleLevelQuality'),
+                            ('sn', 'sn'),
+                            ('st', 'st'),
+                            ('street', 'street'),
+                            ('structuralObjectClass', 'structuralObjectClass'),
+                            ('subentry', 'subentry'),
+                            ('subschema', 'subschema'),
+                            ('subschemaSubentry', 'subschemaSubentry'),
+                            ('subtreeMaximumQuality', 'subtreeMaximumQuality'),
+                            ('subtreeMinimumQuality', 'subtreeMinimumQuality'),
+                            ('subtreeSpecification', 'subtreeSpecification'),
+                            ('supannActivite', 'supannActivite'),
+                            ('supannAffectation', 'supannAffectation'),
+                            ('supannAliasLogin', 'supannAliasLogin'),
+                            ('supannAutreMail', 'supannAutreMail'),
+                            ('supannAutreTelephone', 'supannAutreTelephone'),
+                            ('supannCivilite', 'supannCivilite'),
+                            ('supannCodeEntite', 'supannCodeEntite'),
+                            ('supannCodeEntiteParent', 'supannCodeEntiteParent'),
+                            ('supannCodeINE', 'supannCodeINE'),
+                            ('supannEmpCorps', 'supannEmpCorps'),
+                            ('supannEmpId', 'supannEmpId'),
+                            ('supannEntiteAffectation', 'supannEntiteAffectation'),
+                            ('supannEntiteAffectationPrincipale', 'supannEntiteAffectationPrincipale'),
+                            ('supannEtablissement', 'supannEtablissement'),
+                            ('supannEtuAnneeInscription', 'supannEtuAnneeInscription'),
+                            ('supannEtuCursusAnnee', 'supannEtuCursusAnnee'),
+                            ('supannEtuDiplome', 'supannEtuDiplome'),
+                            ('supannEtuElementPedagogique', 'supannEtuElementPedagogique'),
+                            ('supannEtuEtape', 'supannEtuEtape'),
+                            ('supannEtuId', 'supannEtuId'),
+                            ('supannEtuInscription', 'supannEtuInscription'),
+                            ('supannEtuRegimeInscription', 'supannEtuRegimeInscription'),
+                            ('supannEtuSecteurDisciplinaire', 'supannEtuSecteurDisciplinaire'),
+                            ('supannEtuTypeDiplome', 'supannEtuTypeDiplome'),
+                            ('supannGroupeAdminDN', 'supannGroupeAdminDN'),
+                            ('supannGroupeDateFin', 'supannGroupeDateFin'),
+                            ('supannGroupeLecteurDN', 'supannGroupeLecteurDN'),
+                            ('supannListeRouge', 'supannListeRouge'),
+                            ('supannMailPerso', 'supannMailPerso'),
+                            ('supannOrganisme', 'supannOrganisme'),
+                            ('supannParrainDN', 'supannParrainDN'),
+                            ('supannRefId', 'supannRefId'),
+                            ('supannRole', 'supannRole'),
+                            ('supannRoleEntite', 'supannRoleEntite'),
+                            ('supannRoleGenerique', 'supannRoleGenerique'),
+                            ('supannTypeEntite', 'supannTypeEntite'),
+                            ('supannTypeEntiteAffectation', 'supannTypeEntiteAffectation'),
+                            ('superiorUUID', 'superiorUUID'),
+                            ('supportedAlgorithms', 'supportedAlgorithms'),
+                            ('supportedApplicationContext', 'supportedApplicationContext'),
+                            ('supportedAuthPasswordSchemes', 'supportedAuthPasswordSchemes'),
+                            ('supportedControl', 'supportedControl'),
+                            ('supportedExtension', 'supportedExtension'),
+                            ('supportedFeatures', 'supportedFeatures'),
+                            ('supportedLDAPVersion', 'supportedLDAPVersion'),
+                            ('supportedSASLMechanisms', 'supportedSASLMechanisms'),
+                            ('syncConsumerSubentry', 'syncConsumerSubentry'),
+                            ('syncProviderSubentry', 'syncProviderSubentry'),
+                            ('syncTimestamp', 'syncTimestamp'),
+                            ('syncreplCookie', 'syncreplCookie'),
+                            ('telephoneNumber', 'telephoneNumber'),
+                            ('teletexTerminalIdentifier', 'teletexTerminalIdentifier'),
+                            ('telexNumber', 'telexNumber'),
+                            ('textEncodedORAddress', 'textEncodedORAddress'),
+                            ('title', 'title'),
+                            ('top', 'top'),
+                            ('uid', 'uid'),
+                            ('uidNumber', 'uidNumber'),
+                            ('uniqueIdentifier', 'uniqueIdentifier'),
+                            ('uniqueMember', 'uniqueMember'),
+                            ('userCertificate', 'userCertificate'),
+                            ('userClass', 'userClass'),
+                            ('userPKCS12', 'userPKCS12'),
+                            ('userPassword', 'userPassword'),
+                            ('userSMIMECertificate', 'userSMIMECertificate'),
+                            ('vendorName', 'vendorName'),
+                            ('vendorVersion', 'vendorVersion'),
+                            ('x121Address', 'x121Address'),
+                            ('x500UniqueIdentifier', 'x500UniqueIdentifier'),
+                        ],
+                    ),
+                ),
+                (
+                    'output_name_format',
+                    models.CharField(
+                        default=('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'),
+                        max_length=100,
+                        verbose_name='Output name format',
+                        choices=[
+                            ('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'),
+                            ('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', 'SAMLv2 BASIC'),
+                        ],
+                    ),
+                ),
+                (
+                    'output_namespace',
+                    models.CharField(
+                        default=('Default', 'Default'),
+                        max_length=100,
+                        verbose_name='Output namespace',
+                        choices=[
+                            ('Default', 'Default'),
+                            (
+                                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims',
+                                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims',
+                            ),
+                        ],
+                    ),
+                ),
                 ('required', models.BooleanField(default=False, verbose_name='Required')),
             ],
             options={
@@ -30,9 +326,21 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AttributeList',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=100, verbose_name='Name')),
-                ('attributes', models.ManyToManyField(related_name='attributes of the list', null=True, verbose_name='Attributes', to='attribute_aggregator.AttributeItem', blank=True)),
+                (
+                    'attributes',
+                    models.ManyToManyField(
+                        related_name='attributes of the list',
+                        null=True,
+                        verbose_name='Attributes',
+                        to='attribute_aggregator.AttributeItem',
+                        blank=True,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'attribute list',
@@ -43,9 +351,26 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AttributeSource',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=200, verbose_name='Name')),
-                ('namespace', models.CharField(default=('Default', 'Default'), max_length=100, verbose_name='Namespace', choices=[('Default', 'Default'), ('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims')])),
+                (
+                    'namespace',
+                    models.CharField(
+                        default=('Default', 'Default'),
+                        max_length=100,
+                        verbose_name='Namespace',
+                        choices=[
+                            ('Default', 'Default'),
+                            (
+                                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims',
+                                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims',
+                            ),
+                        ],
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'attribute source',
@@ -56,15 +381,31 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LdapSource',
             fields=[
-                ('attributesource_ptr', models.OneToOneField(parent_link=True, auto_created=True, primary_key=True, serialize=False, to='attribute_aggregator.AttributeSource', on_delete=models.CASCADE)),
+                (
+                    'attributesource_ptr',
+                    models.OneToOneField(
+                        parent_link=True,
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        to='attribute_aggregator.AttributeSource',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
                 ('server', models.CharField(unique=True, max_length=200, verbose_name='Server')),
                 ('user', models.CharField(max_length=200, null=True, verbose_name='User', blank=True)),
-                ('password', models.CharField(max_length=200, null=True, verbose_name='Password', blank=True)),
+                (
+                    'password',
+                    models.CharField(max_length=200, null=True, verbose_name='Password', blank=True),
+                ),
                 ('base', models.CharField(max_length=200, verbose_name='Base')),
                 ('port', models.IntegerField(default=389, verbose_name='Port')),
                 ('ldaps', models.BooleanField(default=False, verbose_name='LDAPS')),
                 ('certificate', models.TextField(verbose_name='Certificate', blank=True)),
-                ('is_auth_backend', models.BooleanField(default=False, verbose_name='Is it used for authentication?')),
+                (
+                    'is_auth_backend',
+                    models.BooleanField(default=False, verbose_name='Is it used for authentication?'),
+                ),
             ],
             options={
                 'verbose_name': 'ldap attribute source',
@@ -75,10 +416,28 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='UserAliasInSource',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(max_length=200, verbose_name='Name')),
-                ('source', models.ForeignKey(verbose_name='attribute source', to='attribute_aggregator.AttributeSource', on_delete=models.CASCADE)),
-                ('user', models.ForeignKey(related_name='user_alias_in_source', verbose_name='user', to='auth.User', on_delete=models.CASCADE)),
+                (
+                    'source',
+                    models.ForeignKey(
+                        verbose_name='attribute source',
+                        to='attribute_aggregator.AttributeSource',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        related_name='user_alias_in_source',
+                        verbose_name='user',
+                        to='auth.User',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'user alias from source',
@@ -89,9 +448,21 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='UserAttributeProfile',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('data', models.TextField(null=True, blank=True)),
-                ('user', models.OneToOneField(related_name='user_attribute_profile', null=True, blank=True, to='auth.User', on_delete=models.CASCADE)),
+                (
+                    'user',
+                    models.OneToOneField(
+                        related_name='user_attribute_profile',
+                        null=True,
+                        blank=True,
+                        to='auth.User',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'user attribute profile',
@@ -106,7 +477,13 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='attributeitem',
             name='source',
-            field=models.ForeignKey(verbose_name='Attribute source', blank=True, to='attribute_aggregator.AttributeSource', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='Attribute source',
+                blank=True,
+                to='attribute_aggregator.AttributeSource',
+                null=True,
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/attribute_aggregator/migrations/0002_auto_20150409_1840.py b/src/authentic2/attribute_aggregator/migrations/0002_auto_20150409_1840.py
index 6d38d0b8..23618254 100644
--- a/src/authentic2/attribute_aggregator/migrations/0002_auto_20150409_1840.py
+++ b/src/authentic2/attribute_aggregator/migrations/0002_auto_20150409_1840.py
@@ -16,13 +16,24 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='useraliasinsource',
             name='user',
-            field=models.ForeignKey(related_name='user_alias_in_source', verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                related_name='user_alias_in_source',
+                verbose_name='user',
+                to=settings.AUTH_USER_MODEL,
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='userattributeprofile',
             name='user',
-            field=models.OneToOneField(related_name='user_attribute_profile', null=True, blank=True, to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                related_name='user_attribute_profile',
+                null=True,
+                blank=True,
+                to=settings.AUTH_USER_MODEL,
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/attribute_aggregator/migrations/0003_auto_20150526_2239.py b/src/authentic2/attribute_aggregator/migrations/0003_auto_20150526_2239.py
index ef35097c..2d33df35 100644
--- a/src/authentic2/attribute_aggregator/migrations/0003_auto_20150526_2239.py
+++ b/src/authentic2/attribute_aggregator/migrations/0003_auto_20150526_2239.py
@@ -15,11 +15,15 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='attributelist',
             name='attributes',
-            field=models.ManyToManyField(to='attribute_aggregator.AttributeItem', verbose_name='Attributes', blank=True),
+            field=models.ManyToManyField(
+                to='attribute_aggregator.AttributeItem', verbose_name='Attributes', blank=True
+            ),
         ),
         migrations.AlterField(
             model_name='useraliasinsource',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
         ),
     ]
diff --git a/src/authentic2/attribute_kinds.py b/src/authentic2/attribute_kinds.py
index 939b0916..920312f4 100644
--- a/src/authentic2/attribute_kinds.py
+++ b/src/authentic2/attribute_kinds.py
@@ -49,6 +49,7 @@ from .forms import widgets, fields
 def capfirst(value):
     return value and value[0].upper() + value[1:]
 
+
 DEFAULT_TITLE_CHOICES = (
     (pgettext_lazy('title', 'Mrs'), pgettext_lazy('title', 'Mrs')),
     (pgettext_lazy('title', 'Mr'), pgettext_lazy('title', 'Mr')),
@@ -140,9 +141,10 @@ class AddressAutocompleteField(forms.CharField):
 def get_title_choices():
     return app_settings.A2_ATTRIBUTE_KIND_TITLE_CHOICES or DEFAULT_TITLE_CHOICES
 
+
 validate_phone_number = RegexValidator(
-    r'^\+?\d{,20}$',
-    message=_('Phone number can start with a + and must contain only digits.'))
+    r'^\+?\d{,20}$', message=_('Phone number can start with a + and must contain only digits.')
+)
 
 
 def clean_number(number):
@@ -172,9 +174,7 @@ class PhoneNumberDRFField(serializers.CharField):
         return clean_number(super().to_internal_value(data))
 
 
-validate_fr_postcode = RegexValidator(
-    r'^\d{5}$',
-    message=_('The value must be a valid french postcode'))
+validate_fr_postcode = RegexValidator(r'^\d{5}$', message=_('The value must be a valid french postcode'))
 
 
 class FrPostcodeField(forms.CharField):
@@ -215,9 +215,7 @@ def profile_image_serialize(uploadedfile):
     for chunk in uploadedfile.chunks():
         h_computation.update(chunk)
     hexdigest = h_computation.hexdigest()
-    stored_file = default_storage.save(
-        os.path.join('profile-image', hexdigest + '.jpeg'),
-        uploadedfile)
+    stored_file = default_storage.save(os.path.join('profile-image', hexdigest + '.jpeg'), uploadedfile)
     return stored_file
 
 
@@ -229,8 +227,7 @@ def profile_image_deserialize(name):
 
 def profile_image_html_value(attribute, value):
     if value:
-        fragment = u'<a href="%s"><img class="%s" src="%s"/></a>' % (
-            value.url, attribute.name, value.url)
+        fragment = u'<a href="%s"><img class="%s" src="%s"/></a>' % (value.url, attribute.name, value.url)
         return html.mark_safe(fragment)
     return ''
 
@@ -276,7 +273,7 @@ DEFAULT_ATTRIBUTE_KINDS = [
         'kwargs': {
             'choices': get_title_choices(),
             'widget': forms.RadioSelect,
-        }
+        },
     },
     {
         'label': _('boolean'),
diff --git a/src/authentic2/attributes_ng/engine.py b/src/authentic2/attributes_ng/engine.py
index 09117d2f..c7f77545 100644
--- a/src/authentic2/attributes_ng/engine.py
+++ b/src/authentic2/attributes_ng/engine.py
@@ -25,11 +25,12 @@ __ALL__ = ['get_attribute_names', 'get_attributes', 'get_service_attributes']
 
 
 class UnsortableError(Exception):
-    '''
+    """
     Raise when topological_sort is unable to sort instance topologically.
     sorted_list contains the instances that could be sorted unsorted contains
     the instances that couldn't.
-    '''
+    """
+
     def __init__(self, sorted_list, unsortable_instances):
         self.sorted_list = sorted_list
         self.unsortable_instances = unsortable_instances
@@ -39,9 +40,9 @@ class UnsortableError(Exception):
 
 
 def topological_sort(source_and_instances, ctx, raise_on_unsortable=False):
-    '''
+    """
     Sort instances topologically based on their dependency declarations.
-    '''
+    """
     sorted_list = []
     variables = set(ctx.keys())
     unsorted = list(source_and_instances)
@@ -66,17 +67,21 @@ def topological_sort(source_and_instances, ctx, raise_on_unsortable=False):
                 for source, instance in unsorted:
                     dependencies = set(source.get_dependencies(instance, ctx))
                     sorted_list.append((source, instance))
-                    logger.debug('missing dependencies for instance %r of %r: %s', instance, source,
-                                 list(dependencies - variables))
+                    logger.debug(
+                        'missing dependencies for instance %r of %r: %s',
+                        instance,
+                        source,
+                        list(dependencies - variables),
+                    )
                 break
     return sorted_list
 
 
 @to_list
 def get_sources():
-    '''
+    """
     List all known sources
-    '''
+    """
     for path in app_settings.ATTRIBUTE_BACKENDS:
         yield utils.import_module_or_class(path)
     for plugin in plugins.get_plugins():
@@ -87,9 +92,9 @@ def get_sources():
 
 @to_list
 def get_attribute_names(ctx):
-    '''
+    """
     Return attribute names from all sources
-    '''
+    """
     for source in get_sources():
         for instance in source.get_instances(ctx):
             for attribute_name, attribute_description in source.get_attribute_names(instance, ctx):
@@ -97,12 +102,12 @@ def get_attribute_names(ctx):
 
 
 def get_attributes(ctx):
-    '''
+    """
     Traverse and sources instances and aggregate produced attributes.
 
     Traversal is done by respecting a topological sort of instances based on
     their declared dependencies
-    '''
+    """
     source_and_instances = []
     for source in get_sources():
         source_and_instances.extend(((source, instance) for instance in source.get_instances(ctx)))
@@ -116,5 +121,8 @@ def get_attributes(ctx):
 @to_iter
 def get_service_attributes(service):
     ctx = {'request': None, 'user': None, 'service': service}
-    return ([('', _('None'))] + get_attribute_names(ctx)
-            + [('@verified_attributes@', _('List of verified attributes'))])
+    return (
+        [('', _('None'))]
+        + get_attribute_names(ctx)
+        + [('@verified_attributes@', _('List of verified attributes'))]
+    )
diff --git a/src/authentic2/attributes_ng/sources/__init__.py b/src/authentic2/attributes_ng/sources/__init__.py
index a06b262d..1895f09e 100644
--- a/src/authentic2/attributes_ng/sources/__init__.py
+++ b/src/authentic2/attributes_ng/sources/__init__.py
@@ -21,9 +21,10 @@ from django.utils import six
 
 @six.add_metaclass(abc.ABCMeta)
 class BaseAttributeSource(object):
-    '''
+    """
     Base class for attribute sources
-    '''
+    """
+
     @abc.abstractmethod
     def get_instances(self, ctx):
         pass
diff --git a/src/authentic2/attributes_ng/sources/django_user.py b/src/authentic2/attributes_ng/sources/django_user.py
index 07392d21..0537016c 100644
--- a/src/authentic2/attributes_ng/sources/django_user.py
+++ b/src/authentic2/attributes_ng/sources/django_user.py
@@ -27,9 +27,9 @@ from ...decorators import to_list
 
 @to_list
 def get_instances(ctx):
-    '''
+    """
     Retrieve instances from settings
-    '''
+    """
     return [None]
 
 
diff --git a/src/authentic2/attributes_ng/sources/format.py b/src/authentic2/attributes_ng/sources/format.py
index dbe36118..507075aa 100644
--- a/src/authentic2/attributes_ng/sources/format.py
+++ b/src/authentic2/attributes_ng/sources/format.py
@@ -25,16 +25,18 @@ AUTHORIZED_KEYS = set(('name', 'label', 'template'))
 
 @to_list
 def get_field_refs(format_string):
-    '''
+    """
     Extract the base references from format_string
-    '''
+    """
     from string import Formatter
+
     l = Formatter().parse(format_string)  # noqa: E741
     for p in l:
         field_ref = p[1].split('[', 1)[0]
         field_ref = field_ref.split('.', 1)[0]
     yield field_ref
 
+
 UNEXPECTED_KEYS_ERROR = '{0}: unexpected ' 'key(s) {1} in configuration'
 FORMAT_STRING_ERROR = '{0}: template string must contain only keyword references: {1}'
 BAD_CONFIG_ERROR = 'template attribute source must contain a name and at least a template'
@@ -47,10 +49,11 @@ def config_error(fmt, *args):
 
 @to_list
 def get_instances(ctx):
-    '''
+    """
     Retrieve instances from settings
-    '''
+    """
     from django.conf import settings
+
     for kind, d in getattr(settings, 'ATTRIBUTE_SOURCES', []):
         if kind != 'template':
             continue
diff --git a/src/authentic2/attributes_ng/sources/function.py b/src/authentic2/attributes_ng/sources/function.py
index 69c06201..743095b9 100644
--- a/src/authentic2/attributes_ng/sources/function.py
+++ b/src/authentic2/attributes_ng/sources/function.py
@@ -35,10 +35,11 @@ def config_error(fmt, *args):
 
 @to_list
 def get_instances(ctx):
-    '''
+    """
     Retrieve instances from settings
-    '''
+    """
     from django.conf import settings
+
     for kind, d in getattr(settings, 'ATTRIBUTE_SOURCES', []):
         if kind != 'function':
             continue
@@ -50,8 +51,9 @@ def get_instances(ctx):
             missing = REQUIRED_KEYS - keys
             config_error(MISSING_KEYS_ERROR, missing)
         dependencies = d['dependencies']
-        if not isinstance(dependencies, (list, tuple)) or \
-                not all(isinstance(dep, str) for dep in dependencies):
+        if not isinstance(dependencies, (list, tuple)) or not all(
+            isinstance(dep, str) for dep in dependencies
+        ):
             config_error(DEPENDENCY_TYPE_ERROR)
 
         if not callable(d['function']):
diff --git a/src/authentic2/attributes_ng/sources/ldap.py b/src/authentic2/attributes_ng/sources/ldap.py
index bc095b1d..ce0256c5 100644
--- a/src/authentic2/attributes_ng/sources/ldap.py
+++ b/src/authentic2/attributes_ng/sources/ldap.py
@@ -21,9 +21,9 @@ from authentic2.backends.ldap_backend import LDAPBackend, LDAPUser
 
 @to_list
 def get_instances(ctx):
-    '''
+    """
     Retrieve instances from settings
-    '''
+    """
     return [None]
 
 
diff --git a/src/authentic2/attributes_ng/sources/service_roles.py b/src/authentic2/attributes_ng/sources/service_roles.py
index cc5ef5d1..b001857d 100644
--- a/src/authentic2/attributes_ng/sources/service_roles.py
+++ b/src/authentic2/attributes_ng/sources/service_roles.py
@@ -33,8 +33,7 @@ def get_attribute_names(instance, ctx):
     if not isinstance(service, Service):
         return
     names = []
-    for service_role in Role.objects.filter(service=service) \
-            .prefetch_related('attributes'):
+    for service_role in Role.objects.filter(service=service).prefetch_related('attributes'):
         for service_role_attribute in service_role.attributes.all():
             if service_role_attribute.name in names:
                 continue
@@ -45,7 +44,10 @@ def get_attribute_names(instance, ctx):
 
 
 def get_dependencies(instance, ctx):
-    return ('user', 'service',)
+    return (
+        'user',
+        'service',
+    )
 
 
 def get_attributes(instance, ctx):
@@ -54,9 +56,7 @@ def get_attributes(instance, ctx):
     if not user or not service:
         return ctx
     ctx = ctx.copy()
-    roles = Role.objects.for_user(user) \
-        .filter(service=service) \
-        .prefetch_related('attributes')
+    roles = Role.objects.for_user(user).filter(service=service).prefetch_related('attributes')
     for service_role in roles:
         for service_role_attribute in service_role.attributes.all():
             name = service_role_attribute.name
diff --git a/src/authentic2/auth2_auth/auth2_ssl/migrations/0001_initial.py b/src/authentic2/auth2_auth/auth2_ssl/migrations/0001_initial.py
index 34ba0765..2f330ca6 100644
--- a/src/authentic2/auth2_auth/auth2_ssl/migrations/0001_initial.py
+++ b/src/authentic2/auth2_auth/auth2_ssl/migrations/0001_initial.py
@@ -7,22 +7,24 @@ from django.db import models, migrations
 class Migration(migrations.Migration):
 
     dependencies = [
-            ('auth', '0002_auto_20150323_1720'),
+        ('auth', '0002_auto_20150323_1720'),
     ]
 
     operations = [
         migrations.CreateModel(
             name='ClientCertificate',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('serial', models.CharField(max_length=255, blank=True)),
                 ('subject_dn', models.CharField(max_length=255)),
                 ('issuer_dn', models.CharField(max_length=255)),
                 ('cert', models.TextField()),
                 ('user', models.ForeignKey(to='auth.User')),
             ],
-            options={
-            },
+            options={},
             bases=(models.Model,),
         ),
     ]
diff --git a/src/authentic2/auth_migrations_18/0001_initial.py b/src/authentic2/auth_migrations_18/0001_initial.py
index 74a0fbfd..916f2741 100644
--- a/src/authentic2/auth_migrations_18/0001_initial.py
+++ b/src/authentic2/auth_migrations_18/0001_initial.py
@@ -16,9 +16,15 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Permission',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(max_length=50, verbose_name='name')),
-                ('content_type', models.ForeignKey(to='contenttypes.ContentType', to_field='id', on_delete=models.CASCADE)),
+                (
+                    'content_type',
+                    models.ForeignKey(to='contenttypes.ContentType', to_field='id', on_delete=models.CASCADE),
+                ),
                 ('codename', models.CharField(max_length=100, verbose_name='codename')),
             ],
             options={
@@ -30,9 +36,15 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Group',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=80, verbose_name='name')),
-                ('permissions', models.ManyToManyField(to='auth.Permission', verbose_name='permissions', blank=True)),
+                (
+                    'permissions',
+                    models.ManyToManyField(to='auth.Permission', verbose_name='permissions', blank=True),
+                ),
             ],
             options={
                 'verbose_name': 'group',
@@ -42,19 +54,74 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='User',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('password', models.CharField(max_length=128, verbose_name='password')),
                 ('last_login', models.DateTimeField(default=timezone.now, verbose_name='last login')),
-                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
-                ('username', models.CharField(help_text='Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.', unique=True, max_length=30, verbose_name='username', validators=[validators.RegexValidator('^[\\w.@+-]+$', 'Enter a valid username.', 'invalid')])),
+                (
+                    'is_superuser',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Designates that this user has all permissions without explicitly assigning them.',
+                        verbose_name='superuser status',
+                    ),
+                ),
+                (
+                    'username',
+                    models.CharField(
+                        help_text='Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.',
+                        unique=True,
+                        max_length=30,
+                        verbose_name='username',
+                        validators=[
+                            validators.RegexValidator('^[\\w.@+-]+$', 'Enter a valid username.', 'invalid')
+                        ],
+                    ),
+                ),
                 ('first_name', models.CharField(max_length=30, verbose_name='first name', blank=True)),
                 ('last_name', models.CharField(max_length=30, verbose_name='last name', blank=True)),
                 ('email', models.EmailField(max_length=75, verbose_name='email address', blank=True)),
-                ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
-                ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
+                (
+                    'is_staff',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Designates whether the user can log into this admin site.',
+                        verbose_name='staff status',
+                    ),
+                ),
+                (
+                    'is_active',
+                    models.BooleanField(
+                        default=True,
+                        help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.',
+                        verbose_name='active',
+                    ),
+                ),
                 ('date_joined', models.DateTimeField(default=timezone.now, verbose_name='date joined')),
-                ('groups', models.ManyToManyField(to='auth.Group', verbose_name='groups', blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of his/her group.', related_name='+', related_query_name='+')),
-                ('user_permissions', models.ManyToManyField(to='auth.Permission', verbose_name='user permissions', blank=True, help_text='Specific permissions for this user.', related_name='+', related_query_name='+')),
+                (
+                    'groups',
+                    models.ManyToManyField(
+                        to='auth.Group',
+                        verbose_name='groups',
+                        blank=True,
+                        help_text='The groups this user belongs to. A user will get all permissions granted to each of his/her group.',
+                        related_name='+',
+                        related_query_name='+',
+                    ),
+                ),
+                (
+                    'user_permissions',
+                    models.ManyToManyField(
+                        to='auth.Permission',
+                        verbose_name='user permissions',
+                        blank=True,
+                        help_text='Specific permissions for this user.',
+                        related_name='+',
+                        related_query_name='+',
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'user',
diff --git a/src/authentic2/auth_migrations_18/0002_auto_20150323_1720.py b/src/authentic2/auth_migrations_18/0002_auto_20150323_1720.py
index 9e5439bc..a226231f 100644
--- a/src/authentic2/auth_migrations_18/0002_auto_20150323_1720.py
+++ b/src/authentic2/auth_migrations_18/0002_auto_20150323_1720.py
@@ -15,7 +15,17 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='user',
             name='username',
-            field=models.CharField(help_text='Required, 255 characters or fewer. Only letters, numbers, and @, ., +, -, or _ characters.', unique=True, max_length=255, verbose_name='username', validators=[django.core.validators.RegexValidator('^[\\w.@+-]+$', 'Enter a valid username.', 'invalid')]),
+            field=models.CharField(
+                help_text='Required, 255 characters or fewer. Only letters, numbers, and @, ., +, -, or _ characters.',
+                unique=True,
+                max_length=255,
+                verbose_name='username',
+                validators=[
+                    django.core.validators.RegexValidator(
+                        '^[\\w.@+-]+$', 'Enter a valid username.', 'invalid'
+                    )
+                ],
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/auth_migrations_18/0003_auto_20150410_1657.py b/src/authentic2/auth_migrations_18/0003_auto_20150410_1657.py
index 223af006..0e547a69 100644
--- a/src/authentic2/auth_migrations_18/0003_auto_20150410_1657.py
+++ b/src/authentic2/auth_migrations_18/0003_auto_20150410_1657.py
@@ -13,5 +13,5 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-            migrations.DeleteModel('User'),
+        migrations.DeleteModel('User'),
     ]
diff --git a/src/authentic2/auth_migrations_18/0004_user.py b/src/authentic2/auth_migrations_18/0004_user.py
index b9de4ba6..2da7c25d 100644
--- a/src/authentic2/auth_migrations_18/0004_user.py
+++ b/src/authentic2/auth_migrations_18/0004_user.py
@@ -19,19 +19,82 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='User',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('password', models.CharField(max_length=128, verbose_name='password')),
-                ('last_login', models.DateTimeField(default=django.utils.timezone.now, verbose_name='last login')),
-                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
-                ('username', models.CharField(help_text='Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.', unique=True, max_length=30, verbose_name='username', validators=[django.core.validators.RegexValidator('^[\\w.@+-]+$', 'Enter a valid username.', 'invalid')])),
+                (
+                    'last_login',
+                    models.DateTimeField(default=django.utils.timezone.now, verbose_name='last login'),
+                ),
+                (
+                    'is_superuser',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Designates that this user has all permissions without explicitly assigning them.',
+                        verbose_name='superuser status',
+                    ),
+                ),
+                (
+                    'username',
+                    models.CharField(
+                        help_text='Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.',
+                        unique=True,
+                        max_length=30,
+                        verbose_name='username',
+                        validators=[
+                            django.core.validators.RegexValidator(
+                                '^[\\w.@+-]+$', 'Enter a valid username.', 'invalid'
+                            )
+                        ],
+                    ),
+                ),
                 ('first_name', models.CharField(max_length=30, verbose_name='first name', blank=True)),
                 ('last_name', models.CharField(max_length=30, verbose_name='last name', blank=True)),
                 ('email', models.EmailField(max_length=75, verbose_name='email address', blank=True)),
-                ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
-                ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
-                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
-                ('groups', models.ManyToManyField(related_query_name='user', related_name='user_set', to='auth.Group', blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of his/her group.', verbose_name='groups')),
-                ('user_permissions', models.ManyToManyField(related_query_name='user', related_name='user_set', to='auth.Permission', blank=True, help_text='Specific permissions for this user.', verbose_name='user permissions')),
+                (
+                    'is_staff',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Designates whether the user can log into this admin site.',
+                        verbose_name='staff status',
+                    ),
+                ),
+                (
+                    'is_active',
+                    models.BooleanField(
+                        default=True,
+                        help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.',
+                        verbose_name='active',
+                    ),
+                ),
+                (
+                    'date_joined',
+                    models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined'),
+                ),
+                (
+                    'groups',
+                    models.ManyToManyField(
+                        related_query_name='user',
+                        related_name='user_set',
+                        to='auth.Group',
+                        blank=True,
+                        help_text='The groups this user belongs to. A user will get all permissions granted to each of his/her group.',
+                        verbose_name='groups',
+                    ),
+                ),
+                (
+                    'user_permissions',
+                    models.ManyToManyField(
+                        related_query_name='user',
+                        related_name='user_set',
+                        to='auth.Permission',
+                        blank=True,
+                        help_text='Specific permissions for this user.',
+                        verbose_name='user permissions',
+                    ),
+                ),
             ],
             options={
                 'abstract': False,
diff --git a/src/authentic2/auth_migrations_18/0005_auto_20150526_2303.py b/src/authentic2/auth_migrations_18/0005_auto_20150526_2303.py
index c6b6f3fd..52c018d7 100644
--- a/src/authentic2/auth_migrations_18/0005_auto_20150526_2303.py
+++ b/src/authentic2/auth_migrations_18/0005_auto_20150526_2303.py
@@ -44,7 +44,14 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='user',
             name='groups',
-            field=models.ManyToManyField(related_query_name='user', related_name='user_set', to='auth.Group', blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', verbose_name='groups'),
+            field=models.ManyToManyField(
+                related_query_name='user',
+                related_name='user_set',
+                to='auth.Group',
+                blank=True,
+                help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.',
+                verbose_name='groups',
+            ),
         ),
         migrations.AlterField(
             model_name='user',
@@ -54,6 +61,19 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='user',
             name='username',
-            field=models.CharField(error_messages={'unique': 'A user with that username already exists.'}, max_length=30, validators=[django.core.validators.RegexValidator('^[\\w.@+-]+$', 'Enter a valid username. This value may contain only letters, numbers and @/./+/-/_ characters.', 'invalid')], help_text='Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.', unique=True, verbose_name='username'),
+            field=models.CharField(
+                error_messages={'unique': 'A user with that username already exists.'},
+                max_length=30,
+                validators=[
+                    django.core.validators.RegexValidator(
+                        '^[\\w.@+-]+$',
+                        'Enter a valid username. This value may contain only letters, numbers and @/./+/-/_ characters.',
+                        'invalid',
+                    )
+                ],
+                help_text='Required. 30 characters or fewer. Letters, digits and @/./+/-/_ only.',
+                unique=True,
+                verbose_name='username',
+            ),
         ),
     ]
diff --git a/src/authentic2/authentication.py b/src/authentic2/authentication.py
index a0980ad5..6cfb3a3d 100644
--- a/src/authentic2/authentication.py
+++ b/src/authentic2/authentication.py
@@ -17,6 +17,7 @@
 import inspect
 
 from django.utils import six
+
 try:
     from django.utils.deprecation import CallableTrue
 except ImportError:
@@ -29,8 +30,7 @@ from rest_framework.authentication import BasicAuthentication
 
 
 class OIDCUser(object):
-    """ Fake user class to return in case OIDC authentication
-    """
+    """Fake user class to return in case OIDC authentication"""
 
     def __init__(self, oidc_client):
         self.oidc_client = oidc_client
@@ -54,26 +54,29 @@ class OIDCUser(object):
 
 
 class Authentic2Authentication(BasicAuthentication):
-
     def authenticate_credentials(self, userid, password, request=None):
         # try Simple OIDC Authentication
         try:
             client = OIDCClient.objects.get(client_id=userid, client_secret=password)
             if not client.has_api_access:
                 raise AuthenticationFailed('OIDC client does not have access to the API')
-            if client.identifier_policy not in (client.POLICY_UUID,
-                                                client.POLICY_PAIRWISE_REVERSIBLE):
-                raise AuthenticationFailed('OIDC Client identifier policy does not allow access to '
-                                           'the API')
+            if client.identifier_policy not in (client.POLICY_UUID, client.POLICY_PAIRWISE_REVERSIBLE):
+                raise AuthenticationFailed(
+                    'OIDC Client identifier policy does not allow access to ' 'the API'
+                )
             user = OIDCUser(client)
             user.authenticated = True
             return (user, True)
         except OIDCClient.DoesNotExist:
             pass
         # try BasicAuthentication
-        if (six.PY3
-                and 'request' in inspect.signature(
-                    super(Authentic2Authentication, self).authenticate_credentials).parameters):
+        if (
+            six.PY3
+            and 'request'
+            in inspect.signature(super(Authentic2Authentication, self).authenticate_credentials).parameters
+        ):
             # compatibility with DRF 3.4
-            return super(Authentic2Authentication, self).authenticate_credentials(userid, password, request=request)
+            return super(Authentic2Authentication, self).authenticate_credentials(
+                userid, password, request=request
+            )
         return super(Authentic2Authentication, self).authenticate_credentials(userid, password)
diff --git a/src/authentic2/authenticators.py b/src/authentic2/authenticators.py
index b92489ff..228fd3bf 100644
--- a/src/authentic2/authenticators.py
+++ b/src/authentic2/authenticators.py
@@ -32,7 +32,6 @@ logger = logging.getLogger(__name__)
 
 
 class BaseAuthenticator(object):
-
     def __init__(self, show_condition=None, **kwargs):
         self.show_condition = show_condition
 
@@ -71,7 +70,12 @@ class LoginPasswordAuthenticator(BaseAuthenticator):
         if not roles:
             return []
         service_ou_ids = []
-        qs = User.objects.filter(roles__in=roles).values_list('ou').annotate(count=Count('ou')).order_by('-count')
+        qs = (
+            User.objects.filter(roles__in=roles)
+            .values_list('ou')
+            .annotate(count=Count('ou'))
+            .order_by('-count')
+        )
         for ou_id, count in qs:
             if not ou_id:
                 continue
@@ -109,10 +113,8 @@ class LoginPasswordAuthenticator(BaseAuthenticator):
                 initial['ou'] = preferred_ous[0]
 
         form = authentication_forms.AuthenticationForm(
-            request=request,
-            data=data,
-            initial=initial,
-            preferred_ous=preferred_ous)
+            request=request, data=data, initial=initial, preferred_ous=preferred_ous
+        )
         if app_settings.A2_ACCEPT_EMAIL_AUTHENTICATION:
             form.fields['username'].label = _('Username or email')
         if app_settings.A2_USERNAME_LABEL:
@@ -131,11 +133,15 @@ class LoginPasswordAuthenticator(BaseAuthenticator):
                     request.session.set_expiry(app_settings.A2_USER_REMEMBER_ME)
                 response = utils.login(request, form.get_user(), how, service=service)
                 if 'ou' in form.fields:
-                    utils.prepend_remember_cookie(request, response, 'preferred-ous', form.cleaned_data['ou'].pk)
+                    utils.prepend_remember_cookie(
+                        request, response, 'preferred-ous', form.cleaned_data['ou'].pk
+                    )
 
                 if hasattr(request, 'needs_password_change'):
                     del request.needs_password_change
-                    return utils.redirect(request, 'password_change', params={'next': response.url}, resolve=True)
+                    return utils.redirect(
+                        request, 'password_change', params={'next': response.url}, resolve=True
+                    )
 
                 return response
             else:
diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index a967174e..797bddbc 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -26,6 +26,7 @@ try:
     from ldap.controls import SimplePagedResultsControl, DecodeControlTuples
     from ldap.controls import ppolicy
     from pyasn1.codec.der import decoder
+
     PYTHON_LDAP3 = [int(x) for x in ldap.__version__.split('.')] >= [3]
     LDAPObject = NativeLDAPObject
 except ImportError:
@@ -97,16 +98,30 @@ def filter_non_unicode_values(atvs):
 
 
 if PYTHON_LDAP3 is True:
+
     class LDAPObject(NativeLDAPObject):
-        def __init__(self, uri, trace_level=0, trace_file=None,
-                     trace_stack_limit=5, bytes_mode=False,
-                     bytes_strictness=None, retry_max=1, retry_delay=60.0):
-            NativeLDAPObject.__init__(self, uri=uri, trace_level=trace_level,
-                                      trace_file=trace_file,
-                                      trace_stack_limit=trace_stack_limit,
-                                      bytes_mode=bytes_mode, bytes_strictness=bytes_strictness,
-                                      retry_max=retry_max,
-                                      retry_delay=retry_delay)
+        def __init__(
+            self,
+            uri,
+            trace_level=0,
+            trace_file=None,
+            trace_stack_limit=5,
+            bytes_mode=False,
+            bytes_strictness=None,
+            retry_max=1,
+            retry_delay=60.0,
+        ):
+            NativeLDAPObject.__init__(
+                self,
+                uri=uri,
+                trace_level=trace_level,
+                trace_file=trace_file,
+                trace_stack_limit=trace_stack_limit,
+                bytes_mode=bytes_mode,
+                bytes_strictness=bytes_strictness,
+                retry_max=retry_max,
+                retry_delay=retry_delay,
+            )
 
         @to_list
         def _convert_results_to_unicode(self, result_list):
@@ -119,11 +134,13 @@ if PYTHON_LDAP3 is True:
         def modify_s(self, dn, modlist):
             new_modlist = []
             for mod_op, mod_typ, mod_vals in modlist:
+
                 def convert(v):
                     if hasattr(v, 'isnumeric'):
                         # unicode case
                         v = v.encode('utf-8')
                     return v
+
                 if mod_vals is None:
                     pass
                 elif isinstance(mod_vals, list):
@@ -133,9 +150,24 @@ if PYTHON_LDAP3 is True:
                 new_modlist.append((mod_op, mod_typ, mod_vals))
             return NativeLDAPObject.modify_s(self, dn, new_modlist)
 
-        def result4(self, msgid=ldap.RES_ANY, all=1, timeout=None, add_ctrls=0,
-                    add_intermediates=0, add_extop=0, resp_ctrl_classes=None):
-            resp_type, resp_data, resp_msgid, decoded_resp_ctrls, resp_name, resp_value = NativeLDAPObject.result4(
+        def result4(
+            self,
+            msgid=ldap.RES_ANY,
+            all=1,
+            timeout=None,
+            add_ctrls=0,
+            add_intermediates=0,
+            add_extop=0,
+            resp_ctrl_classes=None,
+        ):
+            (
+                resp_type,
+                resp_data,
+                resp_msgid,
+                decoded_resp_ctrls,
+                resp_name,
+                resp_value,
+            ) = NativeLDAPObject.result4(
                 self,
                 msgid=msgid,
                 all=all,
@@ -143,27 +175,30 @@ if PYTHON_LDAP3 is True:
                 add_ctrls=add_ctrls,
                 add_intermediates=add_intermediates,
                 add_extop=add_extop,
-                resp_ctrl_classes=resp_ctrl_classes)
+                resp_ctrl_classes=resp_ctrl_classes,
+            )
             if resp_data:
                 resp_data = self._convert_results_to_unicode(resp_data)
             return resp_type, resp_data, resp_msgid, decoded_resp_ctrls, resp_name, resp_value
 
+
 elif PYTHON_LDAP3 is False:
+
     class LDAPObject(NativeLDAPObject):
         def simple_bind_s(self, who='', cred='', serverctrls=None, clientctrls=None):
             who = force_bytes(who)
             cred = force_bytes(cred)
-            return NativeLDAPObject.simple_bind_s(self, who=who, cred=cred,
-                                                  serverctrls=serverctrls,
-                                                  clientctrls=clientctrls)
+            return NativeLDAPObject.simple_bind_s(
+                self, who=who, cred=cred, serverctrls=serverctrls, clientctrls=clientctrls
+            )
 
         def passwd_s(self, dn, oldpw, newpw, serverctrls=None, clientctrls=None):
             dn = force_bytes(dn)
             oldpw = force_bytes(oldpw)
             newpw = force_bytes(newpw)
-            return NativeLDAPObject.passwd_s(self, dn, oldpw, newpw,
-                                             serverctrls=serverctrls,
-                                             clientctrls=clientctrls)
+            return NativeLDAPObject.passwd_s(
+                self, dn, oldpw, newpw, serverctrls=serverctrls, clientctrls=clientctrls
+            )
 
         @to_list
         def _convert_results_to_unicode(self, result_list):
@@ -173,21 +208,34 @@ elif PYTHON_LDAP3 is False:
                     attrs = {attribute: filter_non_unicode_values(attrs[attribute]) for attribute in attrs}
                     yield force_text(dn), attrs
 
-        def search_ext(self, base, scope, filterstr='(objectclass=*)',
-                       attrlist=None, attrsonly=0, serverctrls=None,
-                       clientctrls=None, timeout=-1, sizelimit=0):
+        def search_ext(
+            self,
+            base,
+            scope,
+            filterstr='(objectclass=*)',
+            attrlist=None,
+            attrsonly=0,
+            serverctrls=None,
+            clientctrls=None,
+            timeout=-1,
+            sizelimit=0,
+        ):
             base = force_bytes(base)
             filterstr = force_bytes(filterstr)
             if attrlist:
                 attrlist = [force_bytes(attr) for attr in attrlist]
-            return NativeLDAPObject.search_ext(self, base, scope,
-                                               filterstr=filterstr,
-                                               attrlist=attrlist,
-                                               attrsonly=attrsonly,
-                                               serverctrls=serverctrls,
-                                               clientctrls=clientctrls,
-                                               timeout=timeout,
-                                               sizelimit=sizelimit)
+            return NativeLDAPObject.search_ext(
+                self,
+                base,
+                scope,
+                filterstr=filterstr,
+                attrlist=attrlist,
+                attrsonly=attrsonly,
+                serverctrls=serverctrls,
+                clientctrls=clientctrls,
+                timeout=timeout,
+                sizelimit=sizelimit,
+            )
 
         def modify_s(self, dn, modlist):
             dn = force_bytes(dn)
@@ -200,6 +248,7 @@ elif PYTHON_LDAP3 is False:
                         # unicode case
                         v = force_bytes(v)
                     return v
+
                 if mod_vals is None:
                     pass
                 elif isinstance(mod_vals, list):
@@ -209,9 +258,24 @@ elif PYTHON_LDAP3 is False:
                 new_modlist.append((mod_op, mod_typ, mod_vals))
             return NativeLDAPObject.modify_s(self, dn, new_modlist)
 
-        def result4(self, msgid=ldap.RES_ANY, all=1, timeout=None, add_ctrls=0,
-                    add_intermediates=0, add_extop=0, resp_ctrl_classes=None):
-            resp_type, resp_data, resp_msgid, decoded_resp_ctrls, resp_name, resp_value = NativeLDAPObject.result4(
+        def result4(
+            self,
+            msgid=ldap.RES_ANY,
+            all=1,
+            timeout=None,
+            add_ctrls=0,
+            add_intermediates=0,
+            add_extop=0,
+            resp_ctrl_classes=None,
+        ):
+            (
+                resp_type,
+                resp_data,
+                resp_msgid,
+                decoded_resp_ctrls,
+                resp_name,
+                resp_value,
+            ) = NativeLDAPObject.result4(
                 self,
                 msgid=msgid,
                 all=all,
@@ -219,7 +283,8 @@ elif PYTHON_LDAP3 is False:
                 add_ctrls=add_ctrls,
                 add_intermediates=add_intermediates,
                 add_extop=add_extop,
-                resp_ctrl_classes=resp_ctrl_classes)
+                resp_ctrl_classes=resp_ctrl_classes,
+            )
             if resp_data:
                 resp_data = self._convert_results_to_unicode(resp_data)
             return resp_type, resp_data, resp_msgid, decoded_resp_ctrls, resp_name, resp_value
@@ -258,15 +323,20 @@ def password_policy_control_messages(ctrl):
 
     if ctrl.timeBeforeExpiration:
         expiration_date = time.asctime(time.localtime(time.time() + ctrl.timeBeforeExpiration))
-        messages.append(_('The password will expire at {expiration_date}.').format(
-            expiration_date=expiration_date))
+        messages.append(
+            _('The password will expire at {expiration_date}.').format(expiration_date=expiration_date)
+        )
     if ctrl.graceAuthNsRemaining:
-        messages.append(ngettext(
-            'This password expired: this is the last time it can be used.',
-            'This password expired and can only be used {graceAuthNsRemaining} times, including this one.',
-            ctrl.graceAuthNsRemaining).format(graceAuthNsRemaining=ctrl.graceAuthNsRemaining))
+        messages.append(
+            ngettext(
+                'This password expired: this is the last time it can be used.',
+                'This password expired and can only be used {graceAuthNsRemaining} times, including this one.',
+                ctrl.graceAuthNsRemaining,
+            ).format(graceAuthNsRemaining=ctrl.graceAuthNsRemaining)
+        )
     return messages
 
+
 class LDAPUser(User):
     SESSION_LDAP_DATA_KEY = 'ldap-data'
     _changed = False
@@ -295,13 +365,16 @@ class LDAPUser(User):
             # update dn case, can be removed in the future
             self.ldap_data['dn'] = self.ldap_data['dn'].lower()
             if self.ldap_data.get('password'):
-                self.ldap_data['password'] = {key.lower(): value for key, value in self.ldap_data['password'].items()}
+                self.ldap_data['password'] = {
+                    key.lower(): value for key, value in self.ldap_data['password'].items()
+                }
 
             # retrieve encrypted bind pw if necessary
             encrypted_bindpw = self.ldap_data.get('block', {}).get('encrypted_bindpw')
             if encrypted_bindpw:
-                decrypted = crypto.aes_base64_decrypt(settings.SECRET_KEY, encrypted_bindpw,
-                                                      raise_on_error=False)
+                decrypted = crypto.aes_base64_decrypt(
+                    settings.SECRET_KEY, encrypted_bindpw, raise_on_error=False
+                )
                 if decrypted:
                     decrypted = force_text(decrypted)
                     self.ldap_data['block']['bindpw'] = decrypted
@@ -312,8 +385,9 @@ class LDAPUser(User):
         data = dict(self.ldap_data)
         data['block'] = dict(data['block'])
         if data['block'].get('bindpw'):
-            data['block']['encrypted_bindpw'] = force_text(crypto.aes_base64_encrypt(
-                settings.SECRET_KEY, force_bytes(data['block']['bindpw'])))
+            data['block']['encrypted_bindpw'] = force_text(
+                crypto.aes_base64_encrypt(settings.SECRET_KEY, force_bytes(data['block']['bindpw']))
+            )
             del data['block']['bindpw']
         session[self.SESSION_LDAP_DATA_KEY] = data
 
@@ -346,8 +420,7 @@ class LDAPUser(User):
         cache = self.ldap_data.setdefault('password', {})
         if password is not None:
             # Prevent eavesdropping of the password through the session storage
-            password = force_text(crypto.aes_base64_encrypt(
-                    settings.SECRET_KEY, force_bytes(password)))
+            password = force_text(crypto.aes_base64_encrypt(settings.SECRET_KEY, force_bytes(password)))
         cache[self.dn] = password
         # ensure session is marked dirty
         self.update_request()
@@ -420,7 +493,9 @@ class LDAPUser(User):
         return self.ldap_backend.get_connection(self.block, credentials=credentials)
 
     def get_attributes(self, attribute_source, ctx):
-        cache_key = hashlib.md5((force_text(str(self.pk)) + ';' + force_text(self.dn)).encode('utf-8')).hexdigest()
+        cache_key = hashlib.md5(
+            (force_text(str(self.pk)) + ';' + force_text(self.dn)).encode('utf-8')
+        ).hexdigest()
         conn = self.get_connection()
         # prevents blocking on temporary LDAP failures
         if conn is not None:
@@ -506,7 +581,10 @@ class LDAPBackend(object):
         'update_username': False,
         # lookup existing user with an external id build with attributes
         'lookups': ('external_id', 'username'),
-        'external_id_tuples': (('uid',), ('dn:noquote',),),
+        'external_id_tuples': (
+            ('uid',),
+            ('dn:noquote',),
+        ),
         # clean all other existing external id for an user after linking the user
         # to an external id.
         'clean_external_id_on_update': True,
@@ -532,10 +610,8 @@ class LDAPBackend(object):
         'certfile': '',
         'keyfile': '',
         # LDAP library options
-        'ldap_options': {
-        },
-        'global_ldap_options': {
-        },
+        'ldap_options': {},
+        'global_ldap_options': {},
         # Use Password Modify extended operation
         'use_password_modify': True,
         # Target OU
@@ -551,10 +627,18 @@ class LDAPBackend(object):
     }
     _REQUIRED = ('url', 'basedn')
     _TO_ITERABLE = ('url', 'groupsu', 'groupstaff', 'groupactive')
-    _TO_LOWERCASE = ('fname_field', 'lname_field', 'email_field', 'attributes',
-                     'mandatory_attributes_values', 'member_of_attribute',
-                     'group_to_role_mapping', 'group_mapping',
-                     'attribute_mappings', 'external_id_tuples')
+    _TO_LOWERCASE = (
+        'fname_field',
+        'lname_field',
+        'email_field',
+        'attributes',
+        'mandatory_attributes_values',
+        'member_of_attribute',
+        'group_to_role_mapping',
+        'group_mapping',
+        'attribute_mappings',
+        'external_id_tuples',
+    )
     _VALID_CONFIG_KEYS = list(set(_REQUIRED).union(set(_DEFAULTS)))
 
     @classmethod
@@ -607,8 +691,7 @@ class LDAPBackend(object):
     def get_groups_dns(cls, conn, block):
         group_base_dn = block['group_basedn'] or block['basedn']
         # 1.1 is special attribute meaning, "no attribute requested"
-        results = conn.search_s(group_base_dn, ldap.SCOPE_SUBTREE,
-                                block['group_filter'], ['1.1'])
+        results = conn.search_s(group_base_dn, ldap.SCOPE_SUBTREE, block['group_filter'], ['1.1'])
         results = cls.normalize_ldap_results(results)
         return set([group_dn for group_dn, attrs in results])
 
@@ -638,8 +721,7 @@ class LDAPBackend(object):
                 if realm and block.get('realm') != realm:
                     continue
             if '%s' not in block['user_filter']:
-                log.error(
-                    "account name authentication filter doesn't contain '%s'")
+                log.error("account name authentication filter doesn't contain '%s'")
                 continue
             user = self.authenticate_block(request, block, uid, password)
             if user is not None:
@@ -667,11 +749,11 @@ class LDAPBackend(object):
                             try:
                                 query = filter_format(user_filter, (username,) * n)
                             except TypeError as e:
-                                log.error('user_filter syntax error %r: %s', block['user_filter'],
-                                          e)
+                                log.error('user_filter syntax error %r: %s', block['user_filter'], e)
                                 return
-                            log.debug('[%s] looking up dn for username %r using query %r', ldap_uri,
-                                      username, query)
+                            log.debug(
+                                '[%s] looking up dn for username %r using query %r', ldap_uri, username, query
+                            )
                             results = conn.search_s(user_basedn, ldap.SCOPE_SUBTREE, query, [u'1.1'])
                             results = self.normalize_ldap_results(results)
                             # remove search references
@@ -680,8 +762,12 @@ class LDAPBackend(object):
                             if len(results) == 0:
                                 log.debug('[%s] user lookup failed: no entry found, %s', ldap_uri, query)
                             elif not block['multimatch'] and len(results) > 1:
-                                log.error('[%s] user lookup failed: too many (%d) entries found: %s',
-                                          ldap_uri, len(results), query)
+                                log.error(
+                                    '[%s] user lookup failed: too many (%d) entries found: %s',
+                                    ldap_uri,
+                                    len(results),
+                                    query,
+                                )
                             else:
                                 authz_ids.extend(result[0] for result in results)
                         else:
@@ -719,7 +805,9 @@ class LDAPBackend(object):
                             break
                         except ldap.INVALID_CREDENTIALS as e:
                             if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
-                                self.process_controls(request, authz_id, DecodeControlTuples(e.args[0]['ctrls']))
+                                self.process_controls(
+                                    request, authz_id, DecodeControlTuples(e.args[0]['ctrls'])
+                                )
                             attributes = self.get_ldap_attributes(block, conn, authz_id)
                             user = self.lookup_existing_user(authz_id, block, attributes)
                             if user and hasattr(request, 'failed_logins'):
@@ -738,8 +826,11 @@ class LDAPBackend(object):
                         break
                 return self._return_user(authz_id, password, conn, block)
             except ldap.CONNECT_ERROR:
-                log.error('connection to %r failed, did you forget to declare the TLS certificate '
-                          'in /etc/ldap/ldap.conf ?', block['url'])
+                log.error(
+                    'connection to %r failed, did you forget to declare the TLS certificate '
+                    'in /etc/ldap/ldap.conf ?',
+                    block['url'],
+                )
             except ldap.TIMEOUT:
                 log.error('connection to %r timed out', block['url'])
             except ldap.SERVER_DOWN:
@@ -767,8 +858,9 @@ class LDAPBackend(object):
     @classmethod
     def _parse_simple_config(self):
         if len(settings.LDAP_AUTH_SETTINGS) < 2:
-            raise ImproperlyConfigured('In a minimal configuration, you must at least specify '
-                                       'url and user DN')
+            raise ImproperlyConfigured(
+                'In a minimal configuration, you must at least specify ' 'url and user DN'
+            )
         return {'url': settings.LDAP_AUTH_SETTINGS[0], 'basedn': settings.LDAP_AUTH_SETTINGS[1]}
 
     def backend_name(self):
@@ -786,9 +878,11 @@ class LDAPBackend(object):
 
     def populate_user_attributes(self, user, block, attributes):
         # map legacy attributes (columns from Django user model)
-        for legacy_attribute, legacy_field in (('email', 'email_field'),
-                                               ('first_name', 'fname_field'),
-                                               ('last_name', 'lname_field')):
+        for legacy_attribute, legacy_field in (
+            ('email', 'email_field'),
+            ('first_name', 'fname_field'),
+            ('last_name', 'lname_field'),
+        ):
             ldap_attribute = block[legacy_field]
             if not ldap_attribute:
                 break
@@ -820,12 +914,14 @@ class LDAPBackend(object):
                 user._changed = True
 
     def populate_admin_flags_by_group(self, user, block, group_dns):
-        '''Attribute admin flags based on groups.
-
-           It supersedes is_staff, is_superuser and is_active.'''
-        for g, attr in (('groupsu', 'is_superuser'),
-                        ('groupstaff', 'is_staff'),
-                        ('groupactive', 'is_active')):
+        """Attribute admin flags based on groups.
+
+        It supersedes is_staff, is_superuser and is_active."""
+        for g, attr in (
+            ('groupsu', 'is_superuser'),
+            ('groupstaff', 'is_staff'),
+            ('groupactive', 'is_active'),
+        ):
             group_dns_to_match = block[g]
             if not group_dns_to_match:
                 continue
@@ -887,9 +983,9 @@ class LDAPBackend(object):
                     role.save()
 
     def get_ldap_group_dns(self, user, dn, conn, block, attributes):
-        '''Retrieve group DNs from the LDAP by attributes (memberOf) or by
-           filter.
-        '''
+        """Retrieve group DNs from the LDAP by attributes (memberOf) or by
+        filter.
+        """
         group_base_dn = block['group_basedn'] or block['basedn']
         member_of_attribute = block['member_of_attribute']
         group_filter = block['group_filter']
@@ -957,13 +1053,15 @@ class LDAPBackend(object):
                 try:
                     return Role.objects.get(name=slug, **kwargs), None
                 except Role.DoesNotExist:
-                    error = ('role %r does not exist' % role_id)
+                    error = 'role %r does not exist' % role_id
                 except Role.MultipleObjectsReturned:
                     error = 'multiple objects returned, identifier is imprecise'
             except Role.MultipleObjectsReturned:
                 error = 'multiple objects returned, identifier is imprecise'
         else:
-            error = 'invalid role identifier must be slug, (slug, ou__slug) or (slug, ou__slug, service__slug)'
+            error = (
+                'invalid role identifier must be slug, (slug, ou__slug) or (slug, ou__slug, service__slug)'
+            )
         return None, error
 
     def populate_mandatory_groups(self, user, block):
@@ -1018,8 +1116,8 @@ class LDAPBackend(object):
         self.populate_user_roles(user, dn, conn, block, attributes)
 
     def populate_user_ou(self, user, dn, conn, block, attributes):
-        '''Assign LDAP user to an ou, the default one if ou_slug setting is
-           None'''
+        """Assign LDAP user to an ou, the default one if ou_slug setting is
+        None"""
 
         ou_slug = block['ou_slug']
         OU = get_ou_model()
@@ -1052,13 +1150,11 @@ class LDAPBackend(object):
     def get_ldap_attributes_names(cls, block):
         attributes = set()
         attributes.update(map_text(block['attributes']))
-        for field in ('email_field', 'fname_field', 'lname_field',
-                      'member_of_attribute'):
+        for field in ('email_field', 'fname_field', 'lname_field', 'member_of_attribute'):
             if block[field]:
                 attributes.add(block[field])
         for external_id_tuple in map_text(block['external_id_tuples']):
-            attributes.update(cls.attribute_name_from_external_id_tuple(
-                external_id_tuple))
+            attributes.update(cls.attribute_name_from_external_id_tuple(external_id_tuple))
         for from_at, to_at in map_text(block['attribute_mappings']):
             attributes.add(to_at)
         for mapping in block['user_attributes']:
@@ -1076,8 +1172,8 @@ class LDAPBackend(object):
 
     @classmethod
     def get_ldap_attributes(cls, block, conn, dn):
-        '''Retrieve some attributes from LDAP, add mandatory values then apply
-           defined mappings between atrribute names'''
+        """Retrieve some attributes from LDAP, add mandatory values then apply
+        defined mappings between atrribute names"""
         attributes = cls.get_ldap_attributes_names(block)
         attribute_mappings = map_text(block['attribute_mappings'])
         mandatory_attributes_values = map_text(block['mandatory_attributes_values'])
@@ -1125,33 +1221,55 @@ class LDAPBackend(object):
             extra_attribute_config = block['extra_attributes'][extra_attribute_name]
             extra_attribute_values = []
             if 'loop_over_attribute' in extra_attribute_config:
-                extra_attribute_config['loop_over_attribute'] = extra_attribute_config['loop_over_attribute'].lower()
+                extra_attribute_config['loop_over_attribute'] = extra_attribute_config[
+                    'loop_over_attribute'
+                ].lower()
                 if extra_attribute_config['loop_over_attribute'] not in attribute_map:
-                    log.debug('loop_over_attribute %s not present (or empty) in user object attributes retreived. Pass.' % extra_attribute_config['loop_over_attribute'])
+                    log.debug(
+                        'loop_over_attribute %s not present (or empty) in user object attributes retreived. Pass.'
+                        % extra_attribute_config['loop_over_attribute']
+                    )
                     continue
                 if 'filter' not in extra_attribute_config and 'basedn' not in extra_attribute_config:
-                    log.warning('Extra attribute %s not correctly configured : you need to defined at least one of filter or basedn parameters' % extra_attribute_name)
+                    log.warning(
+                        'Extra attribute %s not correctly configured : you need to defined at least one of filter or basedn parameters'
+                        % extra_attribute_name
+                    )
                 for item in attribute_map[extra_attribute_config['loop_over_attribute']]:
-                    ldap_filter = extra_attribute_config.get('filter', 'objectClass=*').format(item=item, **attribute_map)
-                    ldap_basedn = extra_attribute_config.get('basedn', block.get('basedn')).format(item=item, **attribute_map)
-                    ldap_scope = ldap_scopes.get(extra_attribute_config.get('scope', 'sub'), ldap.SCOPE_SUBTREE)
+                    ldap_filter = extra_attribute_config.get('filter', 'objectClass=*').format(
+                        item=item, **attribute_map
+                    )
+                    ldap_basedn = extra_attribute_config.get('basedn', block.get('basedn')).format(
+                        item=item, **attribute_map
+                    )
+                    ldap_scope = ldap_scopes.get(
+                        extra_attribute_config.get('scope', 'sub'), ldap.SCOPE_SUBTREE
+                    )
                     ldap_attributes_mapping = extra_attribute_config.get('mapping', {})
-                    ldap_attributes_names = list(filter(lambda a: a != 'dn', ldap_attributes_mapping.values()))
+                    ldap_attributes_names = list(
+                        filter(lambda a: a != 'dn', ldap_attributes_mapping.values())
+                    )
                     try:
                         results = conn.search_s(ldap_basedn, ldap_scope, ldap_filter, ldap_attributes_names)
                     except ldap.LDAPError:
-                        log.exception('unable to retrieve extra attribute %s for item %s' % (extra_attribute_name, item))
+                        log.exception(
+                            'unable to retrieve extra attribute %s for item %s' % (extra_attribute_name, item)
+                        )
                         continue
                     else:
                         results = cls.normalize_ldap_results(results)
                     item_value = {}
                     for dn, attrs in results:
-                        log.debug(u'Object retrieved for extra attr %s with item %s : %s %s' % (
-                            extra_attribute_name, item, dn, attrs))
+                        log.debug(
+                            u'Object retrieved for extra attr %s with item %s : %s %s'
+                            % (extra_attribute_name, item, dn, attrs)
+                        )
                         for key in ldap_attributes_mapping:
                             item_value[key] = attrs.get(ldap_attributes_mapping[key].lower())
-                            log.debug('Object attribute %s value retrieved for extra attr %s with item %s : %s' % (
-                                ldap_attributes_mapping[key], extra_attribute_name, item, item_value[key]))
+                            log.debug(
+                                'Object attribute %s value retrieved for extra attr %s with item %s : %s'
+                                % (ldap_attributes_mapping[key], extra_attribute_name, item, item_value[key])
+                            )
                             if not item_value[key]:
                                 del item_value[key]
                             elif len(item_value[key]) == 1:
@@ -1165,14 +1283,17 @@ class LDAPBackend(object):
             elif extra_attribute_serialization == 'json':
                 attribute_map[extra_attribute_name] = json.dumps(extra_attribute_values)
             else:
-                log.warning('Invalid serialization type "%s" for extra attribute %s' % (extra_attribute_serialization, extra_attribute_name))
+                log.warning(
+                    'Invalid serialization type "%s" for extra attribute %s'
+                    % (extra_attribute_serialization, extra_attribute_name)
+                )
         return attribute_map
 
     @classmethod
     def external_id_to_filter(cls, external_id, external_id_tuple):
-        '''Split the external id, decode it and build an LDAP filter from it
-           and the external_id_tuple.
-        '''
+        """Split the external id, decode it and build an LDAP filter from it
+        and the external_id_tuple.
+        """
         splitted = external_id.split()
         if len(splitted) != len(external_id_tuple):
             return
@@ -1191,9 +1312,9 @@ class LDAPBackend(object):
         return u'(&{0})'.format(''.join(filters))
 
     def build_external_id(self, external_id_tuple, attributes):
-        '''Build the exernal id for the user, use attribute that eventually
-           never change like GUID or UUID.
-        '''
+        """Build the exernal id for the user, use attribute that eventually
+        never change like GUID or UUID.
+        """
         parts = []
         for attribute in external_id_tuple:
             quote = True
@@ -1221,16 +1342,23 @@ class LDAPBackend(object):
             if not external_id:
                 continue
             log.debug('lookup using external_id %r: %r', eid_tuple, external_id)
-            users = LDAPUser.objects.prefetch_related('groups').filter(
-                userexternalid__external_id__iexact=external_id,
-                userexternalid__source=force_text(block['realm'])).order_by('-last_login')
+            users = (
+                LDAPUser.objects.prefetch_related('groups')
+                .filter(
+                    userexternalid__external_id__iexact=external_id,
+                    userexternalid__source=force_text(block['realm']),
+                )
+                .order_by('-last_login')
+            )
             # ordering of NULLs cannot be done through the ORM
             users = sorted(users, reverse=True, key=lambda u: (u.last_login is not None, u.last_login))
             if users:
                 user = users[0]
                 if len(users) > 1:
-                    log.info('found %d users, collectings roles into the first one and deleting the other ones.',
-                             len(users))
+                    log.info(
+                        'found %d users, collectings roles into the first one and deleting the other ones.',
+                        len(users),
+                    )
                     for other in users[1:]:
                         for r in other.roles.all():
                             user.roles.add(r)
@@ -1255,23 +1383,23 @@ class LDAPBackend(object):
                 log_msg = 'updating username from %r to %r'
                 log.debug(log_msg, old_username, user.username)
         # if external_id lookup is used, update it
-        if 'external_id' in block['lookups'] \
-           and block.get('external_id_tuples') \
-           and block['external_id_tuples'][0]:
+        if (
+            'external_id' in block['lookups']
+            and block.get('external_id_tuples')
+            and block['external_id_tuples'][0]
+        ):
             if not user.pk:
                 user.save()
                 user._changed = False
-            external_id = self.build_external_id(
-                map_text(block['external_id_tuples'][0]),
-                attributes)
+            external_id = self.build_external_id(map_text(block['external_id_tuples'][0]), attributes)
             if external_id:
                 new, created = UserExternalId.objects.get_or_create(
-                    user=user, external_id=external_id, source=force_text(block['realm']))
+                    user=user, external_id=external_id, source=force_text(block['realm'])
+                )
                 if block['clean_external_id_on_update']:
-                    UserExternalId.objects \
-                        .exclude(id=new.id) \
-                        .filter(user=user, source=force_text(block['realm'])) \
-                        .delete()
+                    UserExternalId.objects.exclude(id=new.id).filter(
+                        user=user, source=force_text(block['realm'])
+                    ).delete()
 
     def _return_user(self, dn, password, conn, block, attributes=None):
         attributes = attributes or self.get_ldap_attributes(block, conn, dn)
@@ -1345,26 +1473,32 @@ class LDAPBackend(object):
             user_basedn = force_text(block.get('user_basedn') or block['basedn'])
             user_filter = cls.get_sync_ldap_user_filter(block)
             attribute_names = cls.get_ldap_attributes_names(block)
-            results = cls.paged_search(conn, user_basedn, ldap.SCOPE_SUBTREE, user_filter, attrlist=attribute_names)
+            results = cls.paged_search(
+                conn, user_basedn, ldap.SCOPE_SUBTREE, user_filter, attrlist=attribute_names
+            )
             backend = cls()
             for dn, attrs in results:
                 yield backend._return_user(dn, None, conn, block, attrs)
 
-
     @classmethod
     def deactivate_orphaned_users(cls):
         for block in cls.get_config():
             conn = cls.get_connection(block)
             if conn is None:
                 continue
-            eids = list(UserExternalId.objects.filter(user__is_active=True,
-                                                      source=block['realm']).values_list('external_id', flat=True))
+            eids = list(
+                UserExternalId.objects.filter(user__is_active=True, source=block['realm']).values_list(
+                    'external_id', flat=True
+                )
+            )
             basedn = force_text(block.get('user_basedn') or block['basedn'])
-            attribute_names = [a[0] for a in cls.attribute_name_from_external_id_tuple(block['external_id_tuples'])]
+            attribute_names = [
+                a[0] for a in cls.attribute_name_from_external_id_tuple(block['external_id_tuples'])
+            ]
             user_filter = cls.get_sync_ldap_user_filter(block)
-            results = cls.paged_search(conn, basedn, ldap.SCOPE_SUBTREE,
-                                       user_filter,
-                                       attrlist=attribute_names)
+            results = cls.paged_search(
+                conn, basedn, ldap.SCOPE_SUBTREE, user_filter, attrlist=attribute_names
+            )
             for dn, attrs in results:
                 data = attrs.copy()
                 data['dn'] = dn
@@ -1379,7 +1513,6 @@ class LDAPBackend(object):
             for eid in UserExternalId.objects.filter(external_id__in=eids):
                 eid.user.mark_as_inactive()
 
-
     @classmethod
     def ad_encoding(cls, s):
         '''Encode a string for AD consumption as a password'''
@@ -1398,7 +1531,7 @@ class LDAPBackend(object):
                 if old_password:
                     modlist = [
                         (ldap.MOD_DELETE, key, [cls.ad_encoding(old_password)]),
-                        (ldap.MOD_ADD, key, [value])
+                        (ldap.MOD_ADD, key, [value]),
                     ]
                 else:
                     modlist = [(ldap.MOD_REPLACE, key, [value])]
@@ -1438,8 +1571,9 @@ class LDAPBackend(object):
             if block['timeout'] > 0:
                 conn.set_option(ldap.OPT_NETWORK_TIMEOUT, block['timeout'])
                 conn.set_option(ldap.OPT_TIMEOUT, block['timeout'])
-            conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,
-                            getattr(ldap, 'OPT_X_TLS_' + block['require_cert'].upper()))
+            conn.set_option(
+                ldap.OPT_X_TLS_REQUIRE_CERT, getattr(ldap, 'OPT_X_TLS_' + block['require_cert'].upper())
+            )
             if block['cacertfile']:
                 conn.set_option(ldap.OPT_X_TLS_CACERTFILE, block['cacertfile'])
             if block['cacertdir']:
@@ -1458,15 +1592,21 @@ class LDAPBackend(object):
                     try:
                         conn.start_tls_s()
                     except ldap.CONNECT_ERROR:
-                        log.error('connection to %r failed when activating TLS, did you forget '
-                                  'to declare the TLS certificate in /etc/ldap/ldap.conf ?', url)
+                        log.error(
+                            'connection to %r failed when activating TLS, did you forget '
+                            'to declare the TLS certificate in /etc/ldap/ldap.conf ?',
+                            url,
+                        )
                         continue
             except ldap.TIMEOUT:
                 log.error('connection to %r timed out', url)
                 continue
             except ldap.CONNECT_ERROR:
-                log.error('connection to %r failed when activating TLS, did you forget to '
-                          'declare the TLS certificate in /etc/ldap/ldap.conf ?', url)
+                log.error(
+                    'connection to %r failed when activating TLS, did you forget to '
+                    'declare the TLS certificate in /etc/ldap/ldap.conf ?',
+                    url,
+                )
                 continue
             except ldap.SERVER_DOWN:
                 if block['replicas']:
@@ -1529,12 +1669,13 @@ class LDAPBackend(object):
             if key not in cls._VALID_CONFIG_KEYS and validate:
                 raise ImproperlyConfigured(
                     '"{}" : invalid LDAP_AUTH_SETTINGS key, available are {}'.format(
-                        key, cls._VALID_CONFIG_KEYS))
+                        key, cls._VALID_CONFIG_KEYS
+                    )
+                )
 
         for r in cls._REQUIRED:
             if r not in block:
-                raise ImproperlyConfigured(
-                    'LDAP_AUTH_SETTINGS: missing required configuration option %r' % r)
+                raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: missing required configuration option %r' % r)
 
         # convert string to list of strings for settings accepting it
         for i in cls._TO_ITERABLE:
@@ -1549,26 +1690,21 @@ class LDAPBackend(object):
             else:
                 if isinstance(cls._DEFAULTS[d], six.string_types):
                     if not isinstance(block[d], six.string_types):
-                        raise ImproperlyConfigured(
-                            'LDAP_AUTH_SETTINGS: attribute %r must be a string' % d)
+                        raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: attribute %r must be a string' % d)
                     try:
                         block[d] = force_text(block[d])
                     except UnicodeEncodeError:
-                        raise ImproperlyConfigured(
-                            'LDAP_AUTH_SETTINGS: attribute %r must be a string' % d)
+                        raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: attribute %r must be a string' % d)
                 if isinstance(cls._DEFAULTS[d], bool) and not isinstance(block[d], bool):
+                    raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: attribute %r must be a boolean' % d)
+                if isinstance(cls._DEFAULTS[d], (list, tuple)) and not isinstance(block[d], (list, tuple)):
                     raise ImproperlyConfigured(
-                        'LDAP_AUTH_SETTINGS: attribute %r must be a boolean' % d)
-                if (isinstance(cls._DEFAULTS[d], (list, tuple))
-                        and not isinstance(block[d], (list, tuple))):
-                    raise ImproperlyConfigured(
-                        'LDAP_AUTH_SETTINGS: attribute %r must be a list or a tuple' % d)
+                        'LDAP_AUTH_SETTINGS: attribute %r must be a list or a tuple' % d
+                    )
                 if isinstance(cls._DEFAULTS[d], dict) and not isinstance(block[d], dict):
-                    raise ImproperlyConfigured(
-                        'LDAP_AUTH_SETTINGS: attribute %r must be a dictionary' % d)
+                    raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: attribute %r must be a dictionary' % d)
                 if not isinstance(cls._DEFAULTS[d], bool) and d in cls._REQUIRED and not block[d]:
-                    raise ImproperlyConfigured(
-                        'LDAP_AUTH_SETTINGS: attribute %r is required but is empty')
+                    raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: attribute %r is required but is empty')
                 # force_bytes all strings in iterable or dict
                 if isinstance(block[d], (list, tuple, dict)):
                     block[d] = map_text(block[d])
@@ -1600,7 +1736,8 @@ class LDAPBackend(object):
             else:
                 raise NotImplementedError(
                     'LDAP setting %r cannot be converted to lowercase setting, its type is %r'
-                    % (key, type(block[key])))
+                    % (key, type(block[key]))
+                )
         # special case user_attributes
         user_attributes = []
         for mapping in block['user_attributes']:
@@ -1641,23 +1778,21 @@ class LDAPBackendPasswordLost(LDAPBackend):
                             results = conn.search_s(dn, ldap.SCOPE_BASE)
                         else:
                             ldap_filter = self.external_id_to_filter(external_id, external_id_tuple)
-                            results = conn.search_s(block['basedn'],
-                                                    ldap.SCOPE_SUBTREE, ldap_filter)
+                            results = conn.search_s(block['basedn'], ldap.SCOPE_SUBTREE, ldap_filter)
                             results = self.normalize_ldap_results(results)
                             if not results:
                                 log.warning(
-                                    u'unable to find user %r based on external id %s',
-                                    user, external_id)
+                                    u'unable to find user %r based on external id %s', user, external_id
+                                )
                                 continue
                             dn = results[0][0]
                     except ldap.LDAPError as e:
                         log.warning(
-                            u'unable to find user %r based on external id %s: %r',
-                            user,
-                            external_id,
-                            e)
+                            u'unable to find user %r based on external id %s: %r', user, external_id, e
+                        )
                         continue
                     return self._return_user(dn, None, conn, block)
 
+
 LDAPUser.ldap_backend = LDAPBackend
 LDAPBackendPasswordLost.ldap_backend = LDAPBackend
diff --git a/src/authentic2/backends/models_backend.py b/src/authentic2/backends/models_backend.py
index 774bf44d..04ba1332 100644
--- a/src/authentic2/backends/models_backend.py
+++ b/src/authentic2/backends/models_backend.py
@@ -31,6 +31,7 @@ def upn(username, realm):
     '''Build an UPN from a username and a realm'''
     return u'{0}@{1}'.format(username, realm)
 
+
 PROXY_USER_MODEL = None
 
 
@@ -44,8 +45,7 @@ class ModelBackend(ModelBackend):
         username_field = 'username'
         queries = []
         try:
-            if app_settings.A2_ACCEPT_EMAIL_AUTHENTICATION \
-                    and UserModel._meta.get_field('email'):
+            if app_settings.A2_ACCEPT_EMAIL_AUTHENTICATION and UserModel._meta.get_field('email'):
                 queries.append(models.Q(**{'email__iexact': username}))
         except models.FieldDoesNotExist:
             pass
@@ -55,8 +55,7 @@ class ModelBackend(ModelBackend):
             if '@' not in username:
                 if app_settings.REALMS:
                     for realm, desc in app_settings.REALMS:
-                        queries.append(models.Q(
-                            **{username_field: upn(username, realm)}))
+                        queries.append(models.Q(**{username_field: upn(username, realm)}))
         else:
             queries.append(models.Q(**{username_field: upn(username, realm)}))
         queries = six.moves.reduce(models.Q.__or__, queries)
@@ -66,6 +65,7 @@ class ModelBackend(ModelBackend):
 
     def must_reset_password(self, user):
         from .. import models
+
         return bool(models.PasswordReset.filter(user=user).count())
 
     def authenticate(self, request, username=None, password=None, realm=None, ou=None):
@@ -96,6 +96,7 @@ class ModelBackend(ModelBackend):
 
     def get_saml2_authn_context(self):
         import lasso
+
         return lasso.SAML2_AUTHN_CONTEXT_PASSWORD
 
 
diff --git a/src/authentic2/cbv.py b/src/authentic2/cbv.py
index b16d2ae8..b1edbbfa 100644
--- a/src/authentic2/cbv.py
+++ b/src/authentic2/cbv.py
@@ -26,12 +26,13 @@ from .utils.views import csrf_token_check
 
 
 class ValidateCSRFMixin(object):
-    '''Move CSRF token validation inside the form validation.
+    """Move CSRF token validation inside the form validation.
+
+    This mixin must always be the leftest one and if your class override
+    form_valid() dispatch() you should move those overrides in a base
+    class.
+    """
 
-       This mixin must always be the leftest one and if your class override
-       form_valid() dispatch() you should move those overrides in a base
-       class.
-    '''
     @method_decorator(csrf_exempt)
     @method_decorator(ensure_csrf_cookie)
     def dispatch(self, *args, **kwargs):
@@ -54,10 +55,11 @@ class RedirectToNextURLViewMixin(object):
 
 
 class NextURLViewMixin(RedirectToNextURLViewMixin):
-    '''Make a view handle a next parameter, if it's not present it is
-       automatically generated from the Referrer or from the value
-       returned by the method get_next_url_default().
-    '''
+    """Make a view handle a next parameter, if it's not present it is
+    automatically generated from the Referrer or from the value
+    returned by the method get_next_url_default().
+    """
+
     next_url_default = '..'
 
     def get_next_url_default(self):
@@ -67,15 +69,17 @@ class NextURLViewMixin(RedirectToNextURLViewMixin):
         if REDIRECT_FIELD_NAME in request.GET:
             pass
         else:
-            next_url = request.META.get('HTTP_REFERER') or \
-                self.next_url_default
-            return utils.redirect(request, request.path, keep_params=True,
-                                  params={
-                                      REDIRECT_FIELD_NAME: next_url,
-                                  },
-                                  status=303)
-        return super(NextURLViewMixin, self).dispatch(request, *args,
-                                                      **kwargs)
+            next_url = request.META.get('HTTP_REFERER') or self.next_url_default
+            return utils.redirect(
+                request,
+                request.path,
+                keep_params=True,
+                params={
+                    REDIRECT_FIELD_NAME: next_url,
+                },
+                status=303,
+            )
+        return super(NextURLViewMixin, self).dispatch(request, *args, **kwargs)
 
 
 class TemplateNamesMixin(object):
diff --git a/src/authentic2/compat/cookies.py b/src/authentic2/compat/cookies.py
index f426e928..ddb2e922 100644
--- a/src/authentic2/compat/cookies.py
+++ b/src/authentic2/compat/cookies.py
@@ -19,4 +19,5 @@ import django
 if django.VERSION < (2, 1):
     # Copied from Django >=2.1 / django.http.cookies
     from http import cookies
+
     cookies.Morsel._reserved.setdefault('samesite', 'SameSite')
diff --git a/src/authentic2/compat/misc.py b/src/authentic2/compat/misc.py
index c0e90aa9..bbb44dc8 100644
--- a/src/authentic2/compat/misc.py
+++ b/src/authentic2/compat/misc.py
@@ -24,10 +24,12 @@ try:
     from django.contrib.auth import get_user_model
 except ImportError:
     from django.contrib.auth.models import User
+
     get_user_model = lambda: User
 
 try:
     from django.db.transaction import atomic
+
     commit_on_success = atomic
 except ImportError:
     from django.db.transaction import commit_on_success
@@ -40,8 +42,12 @@ else:
     from binascii import Error as Base64Error
 
 if hasattr(inspect, 'signature'):
+
     def signature_parameters(func):
         return inspect.signature(func).parameters.keys()
+
+
 else:
+
     def signature_parameters(func):
         return inspect.getargspec(func)[0]
diff --git a/src/authentic2/compat_lasso.py b/src/authentic2/compat_lasso.py
index 3fb19764..2491f064 100644
--- a/src/authentic2/compat_lasso.py
+++ b/src/authentic2/compat_lasso.py
@@ -17,9 +17,11 @@
 try:
     import lasso
 except ImportError:
+
     class MockLasso(object):
         def __getattr__(self, key):
             if key[0].isupper():
                 return ''
             return AttributeError('Please install lasso')
+
     lasso = MockLasso()
diff --git a/src/authentic2/context_processors.py b/src/authentic2/context_processors.py
index 885ad91f..1f3dbbbb 100644
--- a/src/authentic2/context_processors.py
+++ b/src/authentic2/context_processors.py
@@ -23,11 +23,12 @@ from .models import Service
 
 class UserFederations(object):
     '''Provide access to all federations of the current user'''
+
     def __init__(self, request):
         self.request = request
 
     def __getattr__(self, name):
-        d = {'provider': None, 'links': [] }
+        d = {'provider': None, 'links': []}
         if name.startswith('service_'):
             try:
                 provider_id = int(name.split('_', 1)[1])
@@ -43,6 +44,7 @@ class UserFederations(object):
             return d
         return super(UserFederations, self).__getattr__(name)
 
+
 __AUTHENTIC2_DISTRIBUTION = None
 
 
diff --git a/src/authentic2/cors.py b/src/authentic2/cors.py
index 03c3d9f5..77d322fc 100644
--- a/src/authentic2/cors.py
+++ b/src/authentic2/cors.py
@@ -63,5 +63,3 @@ def check_origin(request, origin):
             if plugin.check_origin(request, origin):
                 return True
     return False
-
-
diff --git a/src/authentic2/crypto.py b/src/authentic2/crypto.py
index d369bca6..ab361efb 100644
--- a/src/authentic2/crypto.py
+++ b/src/authentic2/crypto.py
@@ -54,9 +54,9 @@ def get_hashclass(name):
 
 
 def aes_base64_encrypt(key, data):
-    '''Generate an AES key from any key material using PBKDF2, and encrypt data using CFB mode. A
-       new IV is generated each time, the IV is also used as salt for PBKDF2.
-    '''
+    """Generate an AES key from any key material using PBKDF2, and encrypt data using CFB mode. A
+    new IV is generated each time, the IV is also used as salt for PBKDF2.
+    """
     iv = Random.get_random_bytes(16)
     aes_key = PBKDF2(key, iv)
     aes = AES.new(aes_key, AES.MODE_CFB, iv=iv)
@@ -100,16 +100,15 @@ def add_padding(msg, block_size):
 def remove_padding(msg, block_size):
     '''Ignore padded zero bytes'''
     try:
-        msg_length, = struct.unpack('<h', msg[:2])
+        (msg_length,) = struct.unpack('<h', msg[:2])
     except struct.error:
         raise DecryptionError('wrong padding')
     if len(msg) % block_size != 0:
-        raise DecryptionError('message length is not a multiple of block size', len(msg),
-                              block_size)
-    unpadded = msg[2:2 + msg_length]
+        raise DecryptionError('message length is not a multiple of block size', len(msg), block_size)
+    unpadded = msg[2 : 2 + msg_length]
     if msg_length > len(msg) - 2:
         raise DecryptionError('wrong padding')
-    if len(msg[2 + msg_length:].strip(force_bytes('\0'))):
+    if len(msg[2 + msg_length :].strip(force_bytes('\0'))):
         raise DecryptionError('padding is not all zero')
     if len(unpadded) != msg_length:
         raise DecryptionError('wrong padding')
@@ -117,11 +116,11 @@ def remove_padding(msg, block_size):
 
 
 def aes_base64url_deterministic_encrypt(key, data, salt, hash_name='sha256', count=1):
-    '''Encrypt using AES-128 and sign using HMAC-SHA256 shortened to 64 bits.
+    """Encrypt using AES-128 and sign using HMAC-SHA256 shortened to 64 bits.
 
-       Count and algorithm are encoded in the final string for future evolution.
+    Count and algorithm are encoded in the final string for future evolution.
 
-    '''
+    """
     mode = 1  # AES128-SHA256
     hashmod = SHA256
     key_size = 16
@@ -200,7 +199,11 @@ def hmac_url(key, url):
         key = key.encode('utf-8')
     if hasattr(url, 'isnumeric'):
         url = url.encode('utf-8', 'replace')
-    return base64.b32encode(hmac.HMAC(key=key, msg=url, digestmod=hashlib.sha256).digest()).decode('ascii').strip('=')
+    return (
+        base64.b32encode(hmac.HMAC(key=key, msg=url, digestmod=hashlib.sha256).digest())
+        .decode('ascii')
+        .strip('=')
+    )
 
 
 def check_hmac_url(key, url, signature):
diff --git a/src/authentic2/csv_import.py b/src/authentic2/csv_import.py
index 47853634..ceac2194 100644
--- a/src/authentic2/csv_import.py
+++ b/src/authentic2/csv_import.py
@@ -257,23 +257,15 @@ SPECIAL_COLUMNS = SOURCE_COLUMNS | {ROLE_NAME, ROLE_SLUG, REGISTRATION, PASSWORD
 
 
 class ImportUserForm(BaseUserForm):
-    locals()[ROLE_NAME] = forms.CharField(
-        label=_('Role name'),
-        required=False)
-    locals()[ROLE_SLUG] = forms.CharField(
-        label=_('Role slug'),
-        required=False)
+    locals()[ROLE_NAME] = forms.CharField(label=_('Role name'), required=False)
+    locals()[ROLE_SLUG] = forms.CharField(label=_('Role slug'), required=False)
     choices = [
         (REGISTRATION_RESET_EMAIL, _('Email user so they can set a password')),
     ]
     locals()[REGISTRATION] = forms.ChoiceField(
-        choices=choices,
-        label=_('Registration option'),
-        required=False)
-    locals()[PASSWORD_HASH] = forms.CharField(
-        label=_('Password hash'),
-        required=False)
-
+        choices=choices, label=_('Registration option'), required=False
+    )
+    locals()[PASSWORD_HASH] = forms.CharField(label=_('Password hash'), required=False)
 
     def clean(self):
         super(BaseUserForm, self).clean()
@@ -296,9 +288,11 @@ class ImportUserFormWithExternalId(ImportUserForm):
             RegexValidator(
                 r'^[a-zA-Z0-9_-]+$',
                 _('_source_name must contain no spaces and only letters, digits, - and _'),
-                'invalid')])
-    locals()[SOURCE_ID] = forms.CharField(
-        label=_('Source external id'))
+                'invalid',
+            )
+        ],
+    )
+    locals()[SOURCE_ID] = forms.CharField(label=_('Source external id'))
 
 
 @attrs
@@ -410,11 +404,7 @@ class UserCsvImporter(object):
             except Simulate:
                 pass
 
-        for action in [
-                parse_csv,
-                self.parse_header_row,
-                self.parse_rows,
-                do_import]:
+        for action in [parse_csv, self.parse_header_row, self.parse_rows, do_import]:
             action()
             if self.errors:
                 break
@@ -454,20 +444,19 @@ class UserCsvImporter(object):
         header_names = set(self.headers_by_name)
         if header_names & SOURCE_COLUMNS and not SOURCE_COLUMNS.issubset(header_names):
             self.add_error(
-                Error('invalid-external-id-pair',
-                      _('You must have a _source_name and a _source_id column')))
+                Error('invalid-external-id-pair', _('You must have a _source_name and a _source_id column'))
+            )
         if ROLE_NAME in header_names and ROLE_SLUG in header_names:
             self.add_error(
-                Error('invalid-role-column',
-                      _('Either specify role names or role slugs, not both')))
+                Error('invalid-role-column', _('Either specify role names or role slugs, not both'))
+            )
 
     def parse_header(self, head, column):
         splitted = head.split()
         try:
             header = CsvHeader(column, splitted[0])
             if header.name in self.headers_by_name:
-                self.add_error(
-                    Error('duplicate-header', _('Header "%s" is duplicated') % header.name))
+                self.add_error(Error('duplicate-header', _('Header "%s" is duplicated') % header.name))
                 return
             self.headers_by_name[header.name] = header
         except IndexError:
@@ -503,19 +492,26 @@ class UserCsvImporter(object):
 
         self.headers.append(header)
 
-        if (not (header.field or header.attribute)
-                and header.name not in SPECIAL_COLUMNS):
-            self.add_error(LineError('unknown-or-missing-attribute',
-                                     _('unknown or missing attribute "%s"') % head,
-                                     line=1, column=column))
+        if not (header.field or header.attribute) and header.name not in SPECIAL_COLUMNS:
+            self.add_error(
+                LineError(
+                    'unknown-or-missing-attribute',
+                    _('unknown or missing attribute "%s"') % head,
+                    line=1,
+                    column=column,
+                )
+            )
             return
 
         for flag in splitted[1:]:
             if header.name in SOURCE_COLUMNS:
-                self.add_error(LineError(
-                    'flag-forbidden-on-source-columns',
-                    _('You cannot set flags on _source_name and _source_id columns'),
-                    line=1))
+                self.add_error(
+                    LineError(
+                        'flag-forbidden-on-source-columns',
+                        _('You cannot set flags on _source_name and _source_id columns'),
+                        line=1,
+                    )
+                )
                 break
             value = True
             if flag.startswith('no-'):
@@ -537,7 +533,7 @@ class UserCsvImporter(object):
         rows = self.rows = []
         for i, row in enumerate(self.csv_importer.rows[1:]):
             csv_row = self.parse_row(form_class, row, line=i + 2)
-            self.has_errors = self.has_errors or not(csv_row.is_valid)
+            self.has_errors = self.has_errors or not (csv_row.is_valid)
             rows.append(csv_row)
 
     def parse_row(self, form_class, row, line):
@@ -561,15 +557,13 @@ class UserCsvImporter(object):
                 header=header,
                 value=form.cleaned_data.get(header.name),
                 missing=header.name not in data,
-                errors=get_form_errors(form, header.name))
-            for header in self.headers]
+                errors=get_form_errors(form, header.name),
+            )
+            for header in self.headers
+        ]
         cell_errors = any(bool(cell.errors) for cell in cells)
         errors = get_form_errors(form, '__all__')
-        return CsvRow(
-            line=line,
-            cells=cells,
-            errors=errors,
-            is_valid=not bool(cell_errors or errors))
+        return CsvRow(line=line, cells=cells, errors=errors, is_valid=not bool(cell_errors or errors))
 
     @property
     def email_is_unique(self):
@@ -611,16 +605,22 @@ class UserCsvImporter(object):
                     row.user_first_seen = False
                 else:
                     errors.append(
-                        Error('unique-constraint-failed',
-                              _('Unique constraint on column "%(column)s" failed: '
-                                'value already appear on line %(line)d') % {
-                                    'column': header.name,
-                                    'line': unique_map[unique_key]}))
+                        Error(
+                            'unique-constraint-failed',
+                            _(
+                                'Unique constraint on column "%(column)s" failed: '
+                                'value already appear on line %(line)d'
+                            )
+                            % {'column': header.name, 'line': unique_map[unique_key]},
+                        )
+                    )
             else:
                 unique_map[unique_key] = row.line
 
         for cell in row:
-            if (not cell.header.globally_unique and not cell.header.unique) or (user and not cell.header.update):
+            if (not cell.header.globally_unique and not cell.header.unique) or (
+                user and not cell.header.update
+            ):
                 continue
             if not cell.value:
                 continue
@@ -637,8 +637,11 @@ class UserCsvImporter(object):
                     row.user_first_seen = False
                 else:
                     errors.append(
-                        Error('unique-constraint-failed',
-                              _('Unique constraint on column "%s" failed') % cell.header.name))
+                        Error(
+                            'unique-constraint-failed',
+                            _('Unique constraint on column "%s" failed') % cell.header.name,
+                        )
+                    )
         row.errors.extend(errors)
         row.is_valid = row.is_valid and not bool(errors)
         return not bool(errors)
@@ -680,8 +683,8 @@ class UserCsvImporter(object):
 
         if len(users) > 1:
             row.errors.append(
-                Error('key-matches-too-many-users',
-                      _('Key value "%s" matches too many users') % key_value))
+                Error('key-matches-too-many-users', _('Key value "%s" matches too many users') % key_value)
+            )
             return False
 
         user = None
@@ -701,7 +704,9 @@ class UserCsvImporter(object):
         for cell in row.cells:
             if not cell.header.field:
                 continue
-            if (row.action == 'create' and cell.header.create) or (row.action == 'update' and cell.header.update):
+            if (row.action == 'create' and cell.header.create) or (
+                row.action == 'update' and cell.header.update
+            ):
                 if getattr(user, cell.header.name) != cell.value:
                     setattr(user, cell.header.name, cell.value)
                     if cell.header.name == 'email' and cell.header.verified:
@@ -714,21 +719,21 @@ class UserCsvImporter(object):
 
         if header_key.name == SOURCE_ID and row.action == 'create':
             try:
-                UserExternalId.objects.create(user=user,
-                                              source=source_name,
-                                              external_id=source_id)
+                UserExternalId.objects.create(user=user, source=source_name, external_id=source_id)
             except IntegrityError:
                 # should never happen since we have a unique index...
                 source_full_id = '%s.%s' % (source_name, source_id)
                 row.errors.append(
-                    Error('external-id-already-exist',
-                          _('External id "%s" already exists') % source_full_id))
+                    Error('external-id-already-exist', _('External id "%s" already exists') % source_full_id)
+                )
                 raise CancelImport
 
         for cell in row.cells:
             if cell.header.field or not cell.header.attribute:
                 continue
-            if (row.action == 'create' and cell.header.create) or (row.action == 'update' and cell.header.update):
+            if (row.action == 'create' and cell.header.create) or (
+                row.action == 'update' and cell.header.update
+            ):
                 attributes = user.attributes
                 if cell.header.verified:
                     attributes = user.verified_attributes
@@ -762,9 +767,7 @@ class UserCsvImporter(object):
                 role = Role.objects.get(slug=cell.value, ou=self.ou)
         except Role.DoesNotExist:
             self._missing_roles.add(cell.value)
-            cell.errors.append(
-                Error('role-not-found',
-                      _('Role "%s" does not exist') % cell.value))
+            cell.errors.append(Error('role-not-found', _('Role "%s" does not exist') % cell.value))
             return False
         if cell.header.delete:
             user.roles.remove(role)
@@ -781,8 +784,11 @@ class UserCsvImporter(object):
         if cell.value == REGISTRATION_RESET_EMAIL:
             send_password_reset_mail(
                 user,
-                template_names=['authentic2/manager/user_create_registration_email',
-                                'authentic2/password_reset'],
+                template_names=[
+                    'authentic2/manager/user_create_registration_email',
+                    'authentic2/password_reset',
+                ],
                 next_url='/accounts/',
-                context={'user': user})
+                context={'user': user},
+            )
         return True
diff --git a/src/authentic2/custom_user/apps.py b/src/authentic2/custom_user/apps.py
index f0f888a2..8b8eec05 100644
--- a/src/authentic2/custom_user/apps.py
+++ b/src/authentic2/custom_user/apps.py
@@ -25,12 +25,11 @@ class CustomUserConfig(AppConfig):
     def ready(self):
         from django.db.models.signals import post_migrate
 
-        post_migrate.connect(
-            self.create_first_name_last_name_attributes,
-            sender=self)
+        post_migrate.connect(self.create_first_name_last_name_attributes, sender=self)
 
-    def create_first_name_last_name_attributes(self, app_config, verbosity=2, interactive=True,
-                                               using=DEFAULT_DB_ALIAS, **kwargs):
+    def create_first_name_last_name_attributes(
+        self, app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, **kwargs
+    ):
         from django.utils import translation
         from django.utils.translation import ugettext_lazy as _
         from django.conf import settings
@@ -52,20 +51,26 @@ class CustomUserConfig(AppConfig):
         attrs = {}
         attrs['first_name'], created = Attribute.objects.get_or_create(
             name='first_name',
-            defaults={'kind': 'string',
-                      'label': _('First name'),
-                      'required': True,
-                      'asked_on_registration': True,
-                      'user_editable': True,
-                      'user_visible': True})
+            defaults={
+                'kind': 'string',
+                'label': _('First name'),
+                'required': True,
+                'asked_on_registration': True,
+                'user_editable': True,
+                'user_visible': True,
+            },
+        )
         attrs['last_name'], created = Attribute.objects.get_or_create(
             name='last_name',
-            defaults={'kind': 'string',
-                      'label': _('Last name'),
-                      'required': True,
-                      'asked_on_registration': True,
-                      'user_editable': True,
-                      'user_visible': True})
+            defaults={
+                'kind': 'string',
+                'label': _('Last name'),
+                'required': True,
+                'asked_on_registration': True,
+                'user_editable': True,
+                'user_visible': True,
+            },
+        )
 
         serialize = get_kind('string').get('serialize')
         for user in User.objects.all():
@@ -77,5 +82,6 @@ class CustomUserConfig(AppConfig):
                     defaults={
                         'multiple': False,
                         'verified': False,
-                        'content': serialize(getattr(user, attr_name, None))
-                    })
+                        'content': serialize(getattr(user, attr_name, None)),
+                    },
+                )
diff --git a/src/authentic2/custom_user/management/commands/changepassword.py b/src/authentic2/custom_user/management/commands/changepassword.py
index fb7fbfb6..be045e1d 100644
--- a/src/authentic2/custom_user/management/commands/changepassword.py
+++ b/src/authentic2/custom_user/management/commands/changepassword.py
@@ -34,8 +34,12 @@ class Command(BaseCommand):
     def add_arguments(self, parser):
         parser.add_argument('username', nargs='?', type=str)
         parser.add_argument(
-            '--database', action='store', dest='database',
-            default=DEFAULT_DB_ALIAS, help='Specifies the database to use. Default is "default".')
+            '--database',
+            action='store',
+            dest='database',
+            default=DEFAULT_DB_ALIAS,
+            help='Specifies the database to use. Default is "default".',
+        )
 
     def _get_pass(self, prompt="Password: "):
         p = getpass.getpass(prompt=force_str(prompt))
diff --git a/src/authentic2/custom_user/management/commands/fix-attributes.py b/src/authentic2/custom_user/management/commands/fix-attributes.py
index c6916dd4..d6f7c0aa 100644
--- a/src/authentic2/custom_user/management/commands/fix-attributes.py
+++ b/src/authentic2/custom_user/management/commands/fix-attributes.py
@@ -31,11 +31,10 @@ class Command(BaseCommand):
 
         i = 0
         while True:
-            batch = user_ids[i * 100:i * 100 + 100]
+            batch = user_ids[i * 100 : i * 100 + 100]
             if not batch:
                 break
-            users = User.objects.prefetch_related('attribute_values__attribute').filter(
-                id__in=batch)
+            users = User.objects.prefetch_related('attribute_values__attribute').filter(id__in=batch)
             count = 0
             for user in users:
                 try:
@@ -70,5 +69,3 @@ class Command(BaseCommand):
                     count += 1
             i += 1
             print('Fixed %d users.' % count)
-
-
diff --git a/src/authentic2/custom_user/managers.py b/src/authentic2/custom_user/managers.py
index b59daf1a..18331906 100644
--- a/src/authentic2/custom_user/managers.py
+++ b/src/authentic2/custom_user/managers.py
@@ -46,9 +46,7 @@ class UserQuerySet(models.QuerySet):
 
         if '@' in search and len(search.split()) == 1:
             with connection.cursor() as cursor:
-                cursor.execute(
-                    "SET pg_trgm.similarity_threshold = %f" % app_settings.A2_FTS_THRESHOLD
-                )
+                cursor.execute("SET pg_trgm.similarity_threshold = %f" % app_settings.A2_FTS_THRESHOLD)
             qs = self.filter(email__icontains=search).order_by(Unaccent('last_name'), Unaccent('first_name'))
             if qs.exists():
                 return wrap_qs(qs)
@@ -74,7 +72,8 @@ class UserQuerySet(models.QuerySet):
             pass
         else:
             attribute_values = AttributeValue.objects.filter(
-                search_vector=SearchQuery(phone_number), attribute__kind='phone_number')
+                search_vector=SearchQuery(phone_number), attribute__kind='phone_number'
+            )
             qs = self.filter(attribute_values__in=attribute_values).order_by('last_name', 'first_name')
             if qs.exists():
                 return wrap_qs(qs)
@@ -85,27 +84,32 @@ class UserQuerySet(models.QuerySet):
             pass
         else:
             attribute_values = AttributeValue.objects.filter(
-                search_vector=SearchQuery(date.isoformat()), attribute__kind='birthdate')
+                search_vector=SearchQuery(date.isoformat()), attribute__kind='birthdate'
+            )
             qs = self.filter(attribute_values__in=attribute_values).order_by('last_name', 'first_name')
             if qs.exists():
                 return wrap_qs(qs)
 
         qs = self.find_duplicates(fullname=search, limit=None, threshold=app_settings.A2_FTS_THRESHOLD)
         extra_user_ids = set()
-        attribute_values = AttributeValue.objects.filter(search_vector=SearchQuery(search), attribute__searchable=True)
+        attribute_values = AttributeValue.objects.filter(
+            search_vector=SearchQuery(search), attribute__searchable=True
+        )
         extra_user_ids.update(self.filter(attribute_values__in=attribute_values).values_list('id', flat=True))
         if len(search.split()) == 1:
             extra_user_ids.update(
-                self.filter(
-                    Q(username__istartswith=search)
-                    | Q(email__istartswith=search)
-                ).values_list('id', flat=True))
+                self.filter(Q(username__istartswith=search) | Q(email__istartswith=search)).values_list(
+                    'id', flat=True
+                )
+            )
         if extra_user_ids:
             qs = qs | self.filter(id__in=extra_user_ids)
         qs = qs.order_by('dist', Unaccent('last_name'), Unaccent('first_name'))
         return qs
 
-    def find_duplicates(self, first_name=None, last_name=None, fullname=None, birthdate=None, limit=5, threshold=None):
+    def find_duplicates(
+        self, first_name=None, last_name=None, fullname=None, birthdate=None, limit=5, threshold=None
+    ):
         with connection.cursor() as cursor:
             cursor.execute(
                 "SET pg_trgm.similarity_threshold = %f" % (threshold or app_settings.A2_DUPLICATES_THRESHOLD)
@@ -133,20 +137,19 @@ class UserQuerySet(models.QuerySet):
                 object_id=OuterRef('pk'),
                 content_type=content_type,
                 attribute__kind='birthdate',
-                content=birthdate
+                content=birthdate,
             ).annotate(bonus=Value(1 - bonus, output_field=FloatField()))
-            qs = qs.annotate(dist=Coalesce(
-                Subquery(same_birthdate.values('bonus'), output_field=FloatField()) * F('dist'),
-                F('dist')
-            ))
+            qs = qs.annotate(
+                dist=Coalesce(
+                    Subquery(same_birthdate.values('bonus'), output_field=FloatField()) * F('dist'), F('dist')
+                )
+            )
 
         return qs
 
 
 class UserManager(BaseUserManager):
-
-    def _create_user(self, username, email, password,
-                     is_staff, is_superuser, **extra_fields):
+    def _create_user(self, username, email, password, is_staff, is_superuser, **extra_fields):
         """
         Creates and saves a User with the given username, email and password.
         """
@@ -154,21 +157,25 @@ class UserManager(BaseUserManager):
         if not username:
             raise ValueError('The given username must be set')
         email = self.normalize_email(email)
-        user = self.model(username=username, email=email,
-                          is_staff=is_staff, is_active=True,
-                          is_superuser=is_superuser, last_login=now,
-                          date_joined=now, **extra_fields)
+        user = self.model(
+            username=username,
+            email=email,
+            is_staff=is_staff,
+            is_active=True,
+            is_superuser=is_superuser,
+            last_login=now,
+            date_joined=now,
+            **extra_fields,
+        )
         user.set_password(password)
         user.save(using=self._db)
         return user
 
     def create_user(self, username, email=None, password=None, **extra_fields):
-        return self._create_user(username, email, password, False, False,
-                                 **extra_fields)
+        return self._create_user(username, email, password, False, False, **extra_fields)
 
     def create_superuser(self, username, email, password, **extra_fields):
-        return self._create_user(username, email, password, True, True,
-                                 **extra_fields)
+        return self._create_user(username, email, password, True, True, **extra_fields)
 
     def get_by_natural_key(self, uuid):
         return self.get(uuid=uuid)
diff --git a/src/authentic2/custom_user/migrations/0001_initial.py b/src/authentic2/custom_user/migrations/0001_initial.py
index 1027dfb1..371a5e38 100644
--- a/src/authentic2/custom_user/migrations/0001_initial.py
+++ b/src/authentic2/custom_user/migrations/0001_initial.py
@@ -6,15 +6,27 @@ import django.utils.timezone
 import authentic2.utils
 import authentic2.validators
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def copy_old_users_to_custom_user_model(apps, schema_editor):
     OldUser = apps.get_model('auth', 'User')
     NewUser = apps.get_model('custom_user', 'User')
-    fields = ['id', 'username', 'email', 'first_name', 'last_name',
-            'is_staff', 'is_active', 'date_joined', 'is_superuser',
-            'last_login', 'password']
+    fields = [
+        'id',
+        'username',
+        'email',
+        'first_name',
+        'last_name',
+        'is_staff',
+        'is_active',
+        'date_joined',
+        'is_superuser',
+        'last_login',
+        'password',
+    ]
     old_users = OldUser.objects.prefetch_related('groups', 'user_permissions').order_by('id')
     new_users = []
     for old_user in old_users:
@@ -40,42 +52,123 @@ def copy_old_users_to_custom_user_model(apps, schema_editor):
     PermissionThrough.objects.bulk_create(new_permissions)
     # Reset sequences
     if schema_editor.connection.vendor == 'postgresql':
-        schema_editor.execute('SELECT setval(pg_get_serial_sequence(\'"custom_user_user_groups"\',\'id\'), coalesce(max("id"), 1), max("id") IS NOT null) FROM "custom_user_user_groups";')
-        schema_editor.execute('SELECT setval(pg_get_serial_sequence(\'"custom_user_user_user_permissions"\',\'id\'), coalesce(max("id"), 1), max("id") IS NOT null) FROM "custom_user_user_user_permissions";')
-        schema_editor.execute('SELECT setval(pg_get_serial_sequence(\'"custom_user_user"\',\'id\'), coalesce(max("id"), 1), max("id") IS NOT null) FROM "custom_user_user";')
+        schema_editor.execute(
+            'SELECT setval(pg_get_serial_sequence(\'"custom_user_user_groups"\',\'id\'), coalesce(max("id"), 1), max("id") IS NOT null) FROM "custom_user_user_groups";'
+        )
+        schema_editor.execute(
+            'SELECT setval(pg_get_serial_sequence(\'"custom_user_user_user_permissions"\',\'id\'), coalesce(max("id"), 1), max("id") IS NOT null) FROM "custom_user_user_user_permissions";'
+        )
+        schema_editor.execute(
+            'SELECT setval(pg_get_serial_sequence(\'"custom_user_user"\',\'id\'), coalesce(max("id"), 1), max("id") IS NOT null) FROM "custom_user_user";'
+        )
     elif schema_editor.connection.vendor == 'sqlite':
-        schema_editor.execute('UPDATE sqlite_sequence SET seq = (SELECT MAX(id) FROM custom_user_user) WHERE name = "custom_user_user";')
-        schema_editor.execute('UPDATE sqlite_sequence SET seq = (SELECT MAX(id) FROM custom_user_user_groups) WHERE name = "custom_user_user_groups";')
-        schema_editor.execute('UPDATE sqlite_sequence SET seq = (SELECT MAX(id) FROM custom_user_user_user_permissions) WHERE name = "custom_user_user_permissions";')
+        schema_editor.execute(
+            'UPDATE sqlite_sequence SET seq = (SELECT MAX(id) FROM custom_user_user) WHERE name = "custom_user_user";'
+        )
+        schema_editor.execute(
+            'UPDATE sqlite_sequence SET seq = (SELECT MAX(id) FROM custom_user_user_groups) WHERE name = "custom_user_user_groups";'
+        )
+        schema_editor.execute(
+            'UPDATE sqlite_sequence SET seq = (SELECT MAX(id) FROM custom_user_user_user_permissions) WHERE name = "custom_user_user_permissions";'
+        )
     else:
         raise NotImplementedError()
 
 
-
 class Migration(migrations.Migration):
 
     dependencies = [
-            ('auth', '__first__'),
+        ('auth', '__first__'),
     ]
 
     operations = [
         migrations.CreateModel(
             name='User',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('password', models.CharField(max_length=128, verbose_name='password')),
-                ('last_login', models.DateTimeField(default=django.utils.timezone.now, verbose_name='last login')),
-                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
-                ('uuid', models.CharField(default=authentic2.utils.get_hex_uuid, verbose_name='uuid', unique=True, max_length=32, editable=False)),
-                ('username', models.CharField(max_length=256, null=True, verbose_name='username', blank=True)),
+                (
+                    'last_login',
+                    models.DateTimeField(default=django.utils.timezone.now, verbose_name='last login'),
+                ),
+                (
+                    'is_superuser',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Designates that this user has all permissions without explicitly assigning them.',
+                        verbose_name='superuser status',
+                    ),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=authentic2.utils.get_hex_uuid,
+                        verbose_name='uuid',
+                        unique=True,
+                        max_length=32,
+                        editable=False,
+                    ),
+                ),
+                (
+                    'username',
+                    models.CharField(max_length=256, null=True, verbose_name='username', blank=True),
+                ),
                 ('first_name', models.CharField(max_length=64, verbose_name='first name', blank=True)),
                 ('last_name', models.CharField(max_length=64, verbose_name='last name', blank=True)),
-                ('email', models.EmailField(blank=True, max_length=254, verbose_name='email address', validators=[authentic2.validators.EmailValidator])),
-                ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
-                ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
-                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
-                ('groups', models.ManyToManyField(related_query_name='user', related_name='user_set', to='auth.Group', blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of his/her group.', verbose_name='groups')),
-                ('user_permissions', models.ManyToManyField(related_query_name='user', related_name='user_set', to='auth.Permission', blank=True, help_text='Specific permissions for this user.', verbose_name='user permissions')),
+                (
+                    'email',
+                    models.EmailField(
+                        blank=True,
+                        max_length=254,
+                        verbose_name='email address',
+                        validators=[authentic2.validators.EmailValidator],
+                    ),
+                ),
+                (
+                    'is_staff',
+                    models.BooleanField(
+                        default=False,
+                        help_text='Designates whether the user can log into this admin site.',
+                        verbose_name='staff status',
+                    ),
+                ),
+                (
+                    'is_active',
+                    models.BooleanField(
+                        default=True,
+                        help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.',
+                        verbose_name='active',
+                    ),
+                ),
+                (
+                    'date_joined',
+                    models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined'),
+                ),
+                (
+                    'groups',
+                    models.ManyToManyField(
+                        related_query_name='user',
+                        related_name='user_set',
+                        to='auth.Group',
+                        blank=True,
+                        help_text='The groups this user belongs to. A user will get all permissions granted to each of his/her group.',
+                        verbose_name='groups',
+                    ),
+                ),
+                (
+                    'user_permissions',
+                    models.ManyToManyField(
+                        related_query_name='user',
+                        related_name='user_set',
+                        to='auth.Permission',
+                        blank=True,
+                        help_text='Specific permissions for this user.',
+                        verbose_name='user permissions',
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'user',
diff --git a/src/authentic2/custom_user/migrations/0002_auto_20150410_1823.py b/src/authentic2/custom_user/migrations/0002_auto_20150410_1823.py
index 50178a32..fa275996 100644
--- a/src/authentic2/custom_user/migrations/0002_auto_20150410_1823.py
+++ b/src/authentic2/custom_user/migrations/0002_auto_20150410_1823.py
@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 from django.conf import settings
 from django.db import models, migrations
 
+
 class ThirdPartyAlterField(migrations.AlterField):
     def __init__(self, *args, **kwargs):
         self.app_label = kwargs.pop('app_label')
@@ -15,19 +16,20 @@ class ThirdPartyAlterField(migrations.AlterField):
     def database_forwards(self, app_label, schema_editor, from_state, to_state):
         if hasattr(from_state, 'clear_delayed_apps_cache'):
             from_state.clear_delayed_apps_cache()
-        super(ThirdPartyAlterField, self).database_forwards(self.app_label,
-                schema_editor, from_state, to_state)
+        super(ThirdPartyAlterField, self).database_forwards(
+            self.app_label, schema_editor, from_state, to_state
+        )
 
     def database_backwards(self, app_label, schema_editor, from_state, to_state):
         self.database_forwards(app_label, schema_editor, from_state, to_state)
 
     def __eq__(self, other):
         return (
-            (self.__class__ == other.__class__) and
-            (self.app_label == other.app_label) and
-            (self.name == other.name) and
-            (self.model_name.lower() == other.model_name.lower()) and
-            (self.field.deconstruct()[1:] == other.field.deconstruct()[1:])
+            (self.__class__ == other.__class__)
+            and (self.app_label == other.app_label)
+            and (self.name == other.name)
+            and (self.model_name.lower() == other.model_name.lower())
+            and (self.field.deconstruct()[1:] == other.field.deconstruct()[1:])
         )
 
     def references_model(self, *args, **kwargs):
@@ -48,12 +50,12 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-            # Django admin log
-            ThirdPartyAlterField(
-                app_label='admin',
-                model_name='logentry',
-                name='user',
-                field=models.ForeignKey(to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
-                preserve_default=True
-            ),
+        # Django admin log
+        ThirdPartyAlterField(
+            app_label='admin',
+            model_name='logentry',
+            name='user',
+            field=models.ForeignKey(to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            preserve_default=True,
+        ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0003_auto_20150504_1410.py b/src/authentic2/custom_user/migrations/0003_auto_20150504_1410.py
index 209a4cf8..f1966513 100644
--- a/src/authentic2/custom_user/migrations/0003_auto_20150504_1410.py
+++ b/src/authentic2/custom_user/migrations/0003_auto_20150504_1410.py
@@ -13,6 +13,9 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='user',
-            options={'verbose_name': 'user', 'verbose_name_plural': 'users',},
+            options={
+                'verbose_name': 'user',
+                'verbose_name_plural': 'users',
+            },
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0004_user_ou.py b/src/authentic2/custom_user/migrations/0004_user_ou.py
index bef7de66..6aab7d43 100644
--- a/src/authentic2/custom_user/migrations/0004_user_ou.py
+++ b/src/authentic2/custom_user/migrations/0004_user_ou.py
@@ -16,7 +16,9 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='user',
             name='ou',
-            field=models.ForeignKey(blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0005_auto_20150522_1527.py b/src/authentic2/custom_user/migrations/0005_auto_20150522_1527.py
index eb686db0..bcf37fa7 100644
--- a/src/authentic2/custom_user/migrations/0005_auto_20150522_1527.py
+++ b/src/authentic2/custom_user/migrations/0005_auto_20150522_1527.py
@@ -15,7 +15,13 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='user',
             name='ou',
-            field=models.ForeignKey(verbose_name='organizational unit', blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='organizational unit',
+                blank=True,
+                to=settings.RBAC_OU_MODEL,
+                null=True,
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0006_auto_20150527_1212.py b/src/authentic2/custom_user/migrations/0006_auto_20150527_1212.py
index e6a83b69..9ed54453 100644
--- a/src/authentic2/custom_user/migrations/0006_auto_20150527_1212.py
+++ b/src/authentic2/custom_user/migrations/0006_auto_20150527_1212.py
@@ -3,13 +3,15 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def set_last_login(apps, schema_editor):
     User = apps.get_model('custom_user', 'User')
-    User.objects.filter(last_login__isnull=True) \
-        .update(last_login=models.F('date_joined'))
+    User.objects.filter(last_login__isnull=True).update(last_login=models.F('date_joined'))
+
 
 class Migration(migrations.Migration):
 
diff --git a/src/authentic2/custom_user/migrations/0007_auto_20150610_1527.py b/src/authentic2/custom_user/migrations/0007_auto_20150610_1527.py
index 6d10ddba..32d6a800 100644
--- a/src/authentic2/custom_user/migrations/0007_auto_20150610_1527.py
+++ b/src/authentic2/custom_user/migrations/0007_auto_20150610_1527.py
@@ -3,13 +3,15 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def set_last_login(apps, schema_editor):
     User = apps.get_model('custom_user', 'User')
-    User.objects.filter(last_login__isnull=True) \
-        .update(last_login=models.F('date_joined'))
+    User.objects.filter(last_login__isnull=True).update(last_login=models.F('date_joined'))
+
 
 class Migration(migrations.Migration):
 
diff --git a/src/authentic2/custom_user/migrations/0009_auto_20150810_1953.py b/src/authentic2/custom_user/migrations/0009_auto_20150810_1953.py
index a7eab7bc..d36b8b51 100644
--- a/src/authentic2/custom_user/migrations/0009_auto_20150810_1953.py
+++ b/src/authentic2/custom_user/migrations/0009_auto_20150810_1953.py
@@ -13,6 +13,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='user',
-            options={'ordering': ('first_name', 'last_name', 'email', 'username'), 'verbose_name': 'user', 'verbose_name_plural': 'users',},
+            options={
+                'ordering': ('first_name', 'last_name', 'email', 'username'),
+                'verbose_name': 'user',
+                'verbose_name_plural': 'users',
+            },
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0012_user_modified.py b/src/authentic2/custom_user/migrations/0012_user_modified.py
index 4b1aa2e3..8ad2bac5 100644
--- a/src/authentic2/custom_user/migrations/0012_user_modified.py
+++ b/src/authentic2/custom_user/migrations/0012_user_modified.py
@@ -16,7 +16,12 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='user',
             name='modified',
-            field=models.DateTimeField(default=datetime.datetime(2017, 3, 13, 14, 41, 7, 593150, tzinfo=utc), auto_now=True, verbose_name='Last modification time', db_index=True),
+            field=models.DateTimeField(
+                default=datetime.datetime(2017, 3, 13, 14, 41, 7, 593150, tzinfo=utc),
+                auto_now=True,
+                verbose_name='Last modification time',
+                db_index=True,
+            ),
             preserve_default=False,
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0015_auto_20170707_1653.py b/src/authentic2/custom_user/migrations/0015_auto_20170707_1653.py
index 197e44c6..ccc9953a 100644
--- a/src/authentic2/custom_user/migrations/0015_auto_20170707_1653.py
+++ b/src/authentic2/custom_user/migrations/0015_auto_20170707_1653.py
@@ -13,6 +13,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='user',
-            options={'ordering': ('last_name', 'first_name', 'email', 'username'), 'verbose_name': 'user', 'verbose_name_plural': 'users',},
+            options={
+                'ordering': ('last_name', 'first_name', 'email', 'username'),
+                'verbose_name': 'user',
+                'verbose_name_plural': 'users',
+            },
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0017_auto_20200305_1645.py b/src/authentic2/custom_user/migrations/0017_auto_20200305_1645.py
index 35e3a4be..76ebb37f 100644
--- a/src/authentic2/custom_user/migrations/0017_auto_20200305_1645.py
+++ b/src/authentic2/custom_user/migrations/0017_auto_20200305_1645.py
@@ -17,6 +17,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='user',
             name='email',
-            field=models.EmailField(blank=True, max_length=254, verbose_name='email address', validators=[authentic2.validators.email_validator]),
+            field=models.EmailField(
+                blank=True,
+                max_length=254,
+                verbose_name='email address',
+                validators=[authentic2.validators.email_validator],
+            ),
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0020_deleteduser.py b/src/authentic2/custom_user/migrations/0020_deleteduser.py
index 7c9e679f..68dd9e1c 100644
--- a/src/authentic2/custom_user/migrations/0020_deleteduser.py
+++ b/src/authentic2/custom_user/migrations/0020_deleteduser.py
@@ -14,12 +14,26 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='DeletedUser',
             fields=[
-                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                (
+                    'id',
+                    models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID'),
+                ),
                 ('deleted', models.DateTimeField(verbose_name='Deletion date', auto_now_add=True)),
                 ('old_uuid', models.TextField(blank=True, null=True, verbose_name='Old UUID')),
-                ('old_user_id', models.PositiveIntegerField(blank=True, null=True, verbose_name='Old user id')),
-                ('old_email', models.EmailField(blank=True, max_length=254, null=True, verbose_name='Old email adress')),
-                ('old_data', django.contrib.postgres.fields.jsonb.JSONField(blank=True, null=True, verbose_name='Old data')),
+                (
+                    'old_user_id',
+                    models.PositiveIntegerField(blank=True, null=True, verbose_name='Old user id'),
+                ),
+                (
+                    'old_email',
+                    models.EmailField(blank=True, max_length=254, null=True, verbose_name='Old email adress'),
+                ),
+                (
+                    'old_data',
+                    django.contrib.postgres.fields.jsonb.JSONField(
+                        blank=True, null=True, verbose_name='Old data'
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'deleted user',
diff --git a/src/authentic2/custom_user/migrations/0022_index_email.py b/src/authentic2/custom_user/migrations/0022_index_email.py
index 55308e1e..797b069e 100644
--- a/src/authentic2/custom_user/migrations/0022_index_email.py
+++ b/src/authentic2/custom_user/migrations/0022_index_email.py
@@ -9,6 +9,6 @@ class Migration(migrations.Migration):
     operations = [
         migrations.RunSQL(
             sql=r'CREATE INDEX "custom_user_user_email_idx" ON "custom_user_user" (UPPER("email") text_pattern_ops);',
-            reverse_sql=r'DROP INDEX "custom_user_user_email_idx";'
+            reverse_sql=r'DROP INDEX "custom_user_user_email_idx";',
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0023_index_username.py b/src/authentic2/custom_user/migrations/0023_index_username.py
index 97f8db7f..897befe3 100644
--- a/src/authentic2/custom_user/migrations/0023_index_username.py
+++ b/src/authentic2/custom_user/migrations/0023_index_username.py
@@ -9,6 +9,6 @@ class Migration(migrations.Migration):
     operations = [
         migrations.RunSQL(
             sql=r'CREATE INDEX "custom_user_user_username_idx" ON "custom_user_user" (UPPER("username") text_pattern_ops);',
-            reverse_sql=r'DROP INDEX "custom_user_user_username_idx";'
+            reverse_sql=r'DROP INDEX "custom_user_user_username_idx";',
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0024_index_email_by_trigrams.py b/src/authentic2/custom_user/migrations/0024_index_email_by_trigrams.py
index ee7bcf66..e3b549c5 100644
--- a/src/authentic2/custom_user/migrations/0024_index_email_by_trigrams.py
+++ b/src/authentic2/custom_user/migrations/0024_index_email_by_trigrams.py
@@ -59,8 +59,10 @@ class Migration(migrations.Migration):
     operations = [
         TrigramExtension(),
         RunSQLIfExtension(
-            sql=["CREATE INDEX IF NOT EXISTS custom_user_user_email_trgm_idx ON custom_user_user USING gist "
-                 "(LOWER(email) public.gist_trgm_ops)"],
+            sql=[
+                "CREATE INDEX IF NOT EXISTS custom_user_user_email_trgm_idx ON custom_user_user USING gist "
+                "(LOWER(email) public.gist_trgm_ops)"
+            ],
             reverse_sql=['DROP INDEX custom_user_user_email_trgm_idx'],
         ),
     ]
diff --git a/src/authentic2/custom_user/migrations/0026_remove_user_deleted.py b/src/authentic2/custom_user/migrations/0026_remove_user_deleted.py
index ba05bd97..dee7570f 100644
--- a/src/authentic2/custom_user/migrations/0026_remove_user_deleted.py
+++ b/src/authentic2/custom_user/migrations/0026_remove_user_deleted.py
@@ -13,8 +13,7 @@ def delete_users(apps, schema_editor):
     DeletedUser = apps.get_model('custom_user', 'DeletedUser')
 
     def delete_user(self):
-        deleted_user = DeletedUser(
-            old_user_id=self.id)
+        deleted_user = DeletedUser(old_user_id=self.id)
         if 'email' in app_settings.A2_USER_DELETED_KEEP_DATA:
             deleted_user.old_email = self.email.rsplit('#', 1)[0]
         if 'uuid' in app_settings.A2_USER_DELETED_KEEP_DATA:
diff --git a/src/authentic2/custom_user/models.py b/src/authentic2/custom_user/models.py
index 33f137cc..7e39d771 100644
--- a/src/authentic2/custom_user/models.py
+++ b/src/authentic2/custom_user/models.py
@@ -28,6 +28,7 @@ from django.core.mail import send_mail
 from django.utils import six
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ValidationError, MultipleObjectsReturned
+
 try:
     from django.contrib.contenttypes.fields import GenericRelation
 except ImportError:
@@ -88,9 +89,8 @@ class Attributes(object):
             else:
                 atv = self.values.get(name)
                 self.values[name] = attribute.set_value(
-                    self.owner, value,
-                    verified=bool(self.verified),
-                    attribute_value=atv)
+                    self.owner, value, verified=bool(self.verified), attribute_value=atv
+                )
 
             update_fields = ['modified']
             if name in ['first_name', 'last_name']:
@@ -128,10 +128,7 @@ class IsVerified(object):
 
     def __getattr__(self, name):
         v = getattr(self.user.attributes, name, None)
-        return (
-            v is not None
-            and v == getattr(self.user.verified_attributes, name, None)
-        )
+        return v is not None and v == getattr(self.user.verified_attributes, name, None)
 
 
 class IsVerifiedDescriptor(object):
@@ -146,53 +143,42 @@ class User(AbstractBaseUser, PermissionMixin):
 
     Username, password and email are required. Other fields are optional.
     """
-    uuid = models.CharField(
-        _('uuid'),
-        max_length=32,
-        default=utils.get_hex_uuid, editable=False, unique=True)
+
+    uuid = models.CharField(_('uuid'), max_length=32, default=utils.get_hex_uuid, editable=False, unique=True)
     username = models.CharField(_('username'), max_length=256, null=True, blank=True)
     first_name = models.CharField(_('first name'), max_length=128, blank=True)
     last_name = models.CharField(_('last name'), max_length=128, blank=True)
-    email = models.EmailField(
-        _('email address'),
-        blank=True,
-        max_length=254,
-        validators=[email_validator])
-    email_verified = models.BooleanField(
-        default=False,
-        verbose_name=_('email verified'))
+    email = models.EmailField(_('email address'), blank=True, max_length=254, validators=[email_validator])
+    email_verified = models.BooleanField(default=False, verbose_name=_('email verified'))
     is_staff = models.BooleanField(
         _('staff status'),
         default=False,
-        help_text=_('Designates whether the user can log into this admin '
-                    'site.'))
+        help_text=_('Designates whether the user can log into this admin ' 'site.'),
+    )
     is_active = models.BooleanField(
         _('active'),
         default=True,
-        help_text=_('Designates whether this user should be treated as '
-                    'active. Unselect this instead of deleting accounts.'))
+        help_text=_(
+            'Designates whether this user should be treated as '
+            'active. Unselect this instead of deleting accounts.'
+        ),
+    )
     ou = models.ForeignKey(
         verbose_name=_('organizational unit'),
         to='a2_rbac.OrganizationalUnit',
         blank=True,
         null=True,
         swappable=False,
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
 
     # events dates
     date_joined = models.DateTimeField(_('date joined'), default=timezone.now)
-    modified = models.DateTimeField(
-        verbose_name=_('Last modification time'),
-        db_index=True,
-        auto_now=True)
+    modified = models.DateTimeField(verbose_name=_('Last modification time'), db_index=True, auto_now=True)
     last_account_deletion_alert = models.DateTimeField(
-        verbose_name=_('Last account deletion alert'),
-        null=True,
-        blank=True)
-    deactivation = models.DateTimeField(
-        verbose_name=_('Deactivation datetime'),
-        null=True,
-        blank=True)
+        verbose_name=_('Last account deletion alert'), null=True, blank=True
+    )
+    deactivation = models.DateTimeField(verbose_name=_('Deactivation datetime'), null=True, blank=True)
 
     objects = UserManager.from_queryset(UserQuerySet)()
     attributes = AttributesDescriptor()
@@ -237,10 +223,10 @@ class User(AbstractBaseUser, PermissionMixin):
         qs = (qs1 | qs2).order_by('name').distinct()
         RoleParenting = get_role_parenting_model()
         rp_qs = RoleParenting.objects.filter(child__in=qs1)
-        qs = qs.prefetch_related(models.Prefetch(
-            'child_relation', queryset=rp_qs), 'child_relation__parent')
-        qs = qs.prefetch_related(models.Prefetch(
-            'members', queryset=self.__class__.objects.filter(pk=self.pk), to_attr='member'))
+        qs = qs.prefetch_related(models.Prefetch('child_relation', queryset=rp_qs), 'child_relation__parent')
+        qs = qs.prefetch_related(
+            models.Prefetch('members', queryset=self.__class__.objects.filter(pk=self.pk), to_attr='member')
+        )
         return qs
 
     def __str__(self):
@@ -252,11 +238,13 @@ class User(AbstractBaseUser, PermissionMixin):
         return '<User: %r>' % six.text_type(self)
 
     def clean(self):
-        if not (self.username
-                or self.email
-                or (self.first_name and self.last_name)):
-            raise ValidationError(_('An account needs at least one identifier: '
-                                    'username, email or a full name (first and last name).'))
+        if not (self.username or self.email or (self.first_name and self.last_name)):
+            raise ValidationError(
+                _(
+                    'An account needs at least one identifier: '
+                    'username, email or a full name (first and last name).'
+                )
+            )
 
     def validate_unique(self, exclude=None):
         errors = {}
@@ -271,8 +259,11 @@ class User(AbstractBaseUser, PermissionMixin):
         if self.pk:
             qs = qs.exclude(pk=self.pk)
 
-        if 'username' not in exclude and self.username and (app_settings.A2_USERNAME_IS_UNIQUE
-                                                            or (self.ou and self.ou.username_is_unique)):
+        if (
+            'username' not in exclude
+            and self.username
+            and (app_settings.A2_USERNAME_IS_UNIQUE or (self.ou and self.ou.username_is_unique))
+        ):
             username_qs = qs
             if not app_settings.A2_USERNAME_IS_UNIQUE:
                 username_qs = qs.filter(ou=self.ou)
@@ -285,10 +276,14 @@ class User(AbstractBaseUser, PermissionMixin):
                 pass
             else:
                 errors.setdefault('username', []).append(
-                    _('This username is already in use. Please supply a different username.'))
+                    _('This username is already in use. Please supply a different username.')
+                )
 
-        if 'email' not in exclude and self.email and (app_settings.A2_EMAIL_IS_UNIQUE
-                                                      or (self.ou and self.ou.email_is_unique)):
+        if (
+            'email' not in exclude
+            and self.email
+            and (app_settings.A2_EMAIL_IS_UNIQUE or (self.ou and self.ou.email_is_unique))
+        ):
             email_qs = qs
             if not app_settings.A2_EMAIL_IS_UNIQUE:
                 email_qs = qs.filter(ou=self.ou)
@@ -301,8 +296,8 @@ class User(AbstractBaseUser, PermissionMixin):
                 pass
             else:
                 errors.setdefault('email', []).append(
-                    _('This email address is already in use. Please supply a different email '
-                      'address.'))
+                    _('This email address is already in use. Please supply a different email ' 'address.')
+                )
         if errors:
             raise ValidationError(errors)
 
@@ -319,20 +314,24 @@ class User(AbstractBaseUser, PermissionMixin):
             attribute = attributes_map[av.attribute_id]
             drf_field = attribute.get_drf_field()
             d[str(attribute.name)] = drf_field.to_representation(av.to_python())
-        d.update({
-            'uuid': self.uuid,
-            'username': self.username,
-            'email': self.email,
-            'ou': self.ou.name if self.ou else None,
-            'ou__uuid': self.ou.uuid if self.ou else None,
-            'ou__slug': self.ou.slug if self.ou else None,
-            'ou__name': self.ou.name if self.ou else None,
-            'first_name': self.first_name,
-            'last_name': self.last_name,
-            'is_superuser': self.is_superuser,
-            'roles': [role.to_json() for role in self.roles_and_parents()],
-            'services': [service.to_json(roles=self.roles_and_parents()) for service in Service.objects.all()],
-        })
+        d.update(
+            {
+                'uuid': self.uuid,
+                'username': self.username,
+                'email': self.email,
+                'ou': self.ou.name if self.ou else None,
+                'ou__uuid': self.ou.uuid if self.ou else None,
+                'ou__slug': self.ou.slug if self.ou else None,
+                'ou__name': self.ou.name if self.ou else None,
+                'first_name': self.first_name,
+                'last_name': self.last_name,
+                'is_superuser': self.is_superuser,
+                'roles': [role.to_json() for role in self.roles_and_parents()],
+                'services': [
+                    service.to_json(roles=self.roles_and_parents()) for service in Service.objects.all()
+                ],
+            }
+        )
         return d
 
     def save(self, *args, **kwargs):
@@ -373,8 +372,7 @@ class User(AbstractBaseUser, PermissionMixin):
 
     @transaction.atomic
     def delete(self, **kwargs):
-        deleted_user = DeletedUser(
-            old_user_id=self.id)
+        deleted_user = DeletedUser(old_user_id=self.id)
         if 'email' in app_settings.A2_USER_DELETED_KEEP_DATA:
             deleted_user.old_email = self.email.rsplit('#', 1)[0]
         if 'uuid' in app_settings.A2_USER_DELETED_KEEP_DATA:
@@ -397,36 +395,25 @@ class User(AbstractBaseUser, PermissionMixin):
 
 
 class DeletedUser(models.Model):
-    deleted = models.DateTimeField(
-        verbose_name=_('Deletion date'),
-        auto_now_add=True)
-    old_uuid = models.TextField(
-        verbose_name=_('Old UUID'),
-        null=True,
-        blank=True)
-    old_user_id = models.PositiveIntegerField(
-        verbose_name=_('Old user id'),
-        null=True,
-        blank=True)
-    old_email = models.EmailField(
-        verbose_name=_('Old email adress'),
-        null=True,
-        blank=True)
-    old_data = JSONField(
-        verbose_name=_('Old data'),
-        null=True,
-        blank=True)
+    deleted = models.DateTimeField(verbose_name=_('Deletion date'), auto_now_add=True)
+    old_uuid = models.TextField(verbose_name=_('Old UUID'), null=True, blank=True)
+    old_user_id = models.PositiveIntegerField(verbose_name=_('Old user id'), null=True, blank=True)
+    old_email = models.EmailField(verbose_name=_('Old email adress'), null=True, blank=True)
+    old_data = JSONField(verbose_name=_('Old data'), null=True, blank=True)
 
     @classmethod
     def cleanup(cls, threshold=None, timestamp=None):
-        threshold = threshold or (timezone.now() - datetime.timedelta(days=app_settings.A2_USER_DELETED_KEEP_DATA_DAYS))
+        threshold = threshold or (
+            timezone.now() - datetime.timedelta(days=app_settings.A2_USER_DELETED_KEEP_DATA_DAYS)
+        )
         cls.objects.filter(deleted__lt=threshold).delete()
 
     def __str__(self):
         return 'DeletedUser(old_id=%s, old_uuid=%s…, old_email=%s)' % (
             self.old_user_id or '-',
             (self.old_uuid or '')[:6],
-            self.old_email or '-')
+            self.old_email or '-',
+        )
 
     class Meta:
         verbose_name = _('deleted user')
diff --git a/src/authentic2/data_transfer.py b/src/authentic2/data_transfer.py
index 3e77587e..b8c48bda 100644
--- a/src/authentic2/data_transfer.py
+++ b/src/authentic2/data_transfer.py
@@ -24,8 +24,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.utils.text import format_lazy
 
 from django_rbac.models import Operation
-from django_rbac.utils import (
-    get_ou_model, get_role_model, get_role_parenting_model, get_permission_model)
+from django_rbac.utils import get_ou_model, get_role_model, get_role_parenting_model, get_permission_model
 
 from authentic2.decorators import errorcollector
 from authentic2.a2_rbac.models import RoleAttribute
@@ -57,8 +56,13 @@ def update_model(obj, d):
                             yield message.message
                         else:
                             yield message
+
                 for message in error_list(messages):
-                    errorlist.append(format_lazy(u'{}="{}": {}', obj.__class__._meta.get_field(key).verbose_name, value, message))
+                    errorlist.append(
+                        format_lazy(
+                            u'{}="{}": {}', obj.__class__._meta.get_field(key).verbose_name, value, message
+                        )
+                    )
         raise ValidationError(errorlist)
     obj.save()
 
@@ -99,12 +103,8 @@ def export_ous(context):
 
 
 def export_roles(context):
-    """ Serialize roles in role_queryset
-    """
-    return [
-        role.export_json(attributes=True, parents=True, permissions=True)
-        for role in context.role_qs
-    ]
+    """Serialize roles in role_queryset"""
+    return [role.export_json(attributes=True, parents=True, permissions=True) for role in context.role_qs]
 
 
 def search_ou(ou_d):
@@ -129,9 +129,8 @@ def search_role(role_d, ou=None):
         return role
 
 
-
 class ImportContext(object):
-    """ Holds information on how to perform the import.
+    """Holds information on how to perform the import.
 
     ou_delete_orphans: if True any existing ou that is not found in the export will
                        be deleted
@@ -152,15 +151,16 @@ class ImportContext(object):
     """
 
     def __init__(
-            self,
-            import_roles=True,
-            import_ous=True,
-            role_delete_orphans=False,
-            role_parentings_update=True,
-            role_permissions_update=True,
-            role_attributes_update=True,
-            ou_delete_orphans=False,
-            set_ou=None):
+        self,
+        import_roles=True,
+        import_ous=True,
+        role_delete_orphans=False,
+        role_parentings_update=True,
+        role_permissions_update=True,
+        role_attributes_update=True,
+        ou_delete_orphans=False,
+        set_ou=None,
+    ):
         self.import_roles = import_roles
         self.import_ous = import_ous
         self.role_delete_orphans = role_delete_orphans
@@ -196,10 +196,14 @@ class RoleDeserializer(object):
             try:
                 return func(self, *args, **kwargs)
             except ValidationError as e:
-                raise ValidationError(_('Role "%(name)s": %(errors)s') % {
-                    'name': self._role_d.get('name', self._role_d.get('slug')),
-                    'errors': lazy_join(', ', [v.message for v in e.error_list]),
-                })
+                raise ValidationError(
+                    _('Role "%(name)s": %(errors)s')
+                    % {
+                        'name': self._role_d.get('name', self._role_d.get('slug')),
+                        'errors': lazy_join(', ', [v.message for v in e.error_list]),
+                    }
+                )
+
         return f
 
     @wraps_validationerror
@@ -241,8 +245,7 @@ class RoleDeserializer(object):
 
     @wraps_validationerror
     def attributes(self):
-        """ Update attributes (delete everything then create)
-        """
+        """Update attributes (delete everything then create)"""
         created, deleted = [], []
         for attr in self._obj.attributes.all():
             attr.delete()
@@ -257,8 +260,7 @@ class RoleDeserializer(object):
 
     @wraps_validationerror
     def parentings(self):
-        """ Update parentings (delete everything then create)
-        """
+        """Update parentings (delete everything then create)"""
         created, deleted = [], []
         Parenting = get_role_parenting_model()
         for parenting in Parenting.objects.filter(child=self._obj, direct=True):
@@ -270,15 +272,13 @@ class RoleDeserializer(object):
                 parent = search_role(parent_d)
                 if not parent:
                     raise ValidationError(_("Could not find parent role: %s") % parent_d)
-                created.append(Parenting.objects.create(
-                    child=self._obj, direct=True, parent=parent))
+                created.append(Parenting.objects.create(child=self._obj, direct=True, parent=parent))
 
         return created, deleted
 
     @wraps_validationerror
     def permissions(self):
-        """ Update permissions (delete everything then create)
-        """
+        """Update permissions (delete everything then create)"""
         created, deleted = [], []
         for perm in self._obj.permissions.all():
             perm.delete()
@@ -287,12 +287,12 @@ class RoleDeserializer(object):
         if self._permissions:
             for perm in self._permissions:
                 op = Operation.objects.get_by_natural_key_json(perm['operation'])
-                ou = get_ou_model().objects.get_by_natural_key_json(
-                    perm['ou']) if perm['ou'] else None
+                ou = get_ou_model().objects.get_by_natural_key_json(perm['ou']) if perm['ou'] else None
                 ct = ContentType.objects.get_by_natural_key_json(perm['target_ct'])
                 target = ct.model_class().objects.get_by_natural_key_json(perm['target'])
                 perm = get_permission_model().objects.create(
-                    operation=op, ou=ou, target_ct=ct, target_id=target.pk)
+                    operation=op, ou=ou, target_ct=ct, target_id=target.pk
+                )
                 self._obj.permissions.add(perm)
                 created.append(perm)
 
@@ -300,7 +300,6 @@ class RoleDeserializer(object):
 
 
 class ImportResult(object):
-
     def __init__(self):
         self.roles = {'created': [], 'updated': []}
         self.ous = {'created': [], 'updated': []}
@@ -388,12 +387,15 @@ def import_site(json_d, import_context=None):
                 result.update_permissions(*ds.permissions())
 
         if import_context.ou_delete_orphans:
-            raise ValidationError(_("Unsupported context value for ou_delete_orphans : %s") % (
-                import_context.ou_delete_orphans))
+            raise ValidationError(
+                _("Unsupported context value for ou_delete_orphans : %s") % (import_context.ou_delete_orphans)
+            )
 
         if import_context.role_delete_orphans:
             # FIXME : delete each role that is in DB but not in the export
-            raise ValidationError(_("Unsupported context value for role_delete_orphans : %s") % (
-                import_context.role_delete_orphans))
+            raise ValidationError(
+                _("Unsupported context value for role_delete_orphans : %s")
+                % (import_context.role_delete_orphans)
+            )
 
     return result
diff --git a/src/authentic2/decorators.py b/src/authentic2/decorators.py
index 0eb3235b..d9ec93ae 100644
--- a/src/authentic2/decorators.py
+++ b/src/authentic2/decorators.py
@@ -29,6 +29,7 @@ from django.core.exceptions import ValidationError
 from django.utils import six
 
 from . import app_settings, middleware
+
 # XXX: import to_list for retrocompaibility
 from .utils import to_list, to_iter  # noqa: F401
 
@@ -39,13 +40,16 @@ class CacheUnusable(RuntimeError):
 
 def unless(test, message):
     '''Decorator returning a 404 status code if some condition is not met'''
+
     def decorator(func):
         @wraps(func)
         def f(request, *args, **kwargs):
             if not test():
                 return technical_404_response(request, Http404(message))
             return func(request, *args, **kwargs)
+
         return f
+
     return decorator
 
 
@@ -55,6 +59,7 @@ def setting_enabled(name, settings=app_settings):
 
     def test():
         return getattr(settings, name, False)
+
     return unless(test, 'please enable %s' % full_name)
 
 
@@ -62,14 +67,16 @@ def lasso_required():
     def test():
         try:
             import lasso  # noqa: F401
+
             return True
         except ImportError:
             return False
+
     return unless(test, 'please install lasso')
 
 
 def required(wrapping_functions, patterns_rslt):
-    '''
+    """
     Used to require 1..n decorators in any view returned by a url tree
 
     Usage:
@@ -77,8 +84,8 @@ def required(wrapping_functions, patterns_rslt):
       urlpatterns = required((func,func,func),patterns(...))
 
     Note:
-      Use functools.partial to pass keyword params to the required 
-      decorators. If you need to pass args you will have to write a 
+      Use functools.partial to pass keyword params to the required
+      decorators. If you need to pass args you will have to write a
       wrapper function.
 
     Example:
@@ -88,14 +95,11 @@ def required(wrapping_functions, patterns_rslt):
           partial(login_required,login_url='/accounts/login/'),
           patterns(...)
       )
-    '''
+    """
     if not hasattr(wrapping_functions, '__iter__'):
         wrapping_functions = (wrapping_functions,)
 
-    return [
-        _wrap_instance__resolve(wrapping_functions, instance)
-        for instance in patterns_rslt
-    ]
+    return [_wrap_instance__resolve(wrapping_functions, instance) for instance in patterns_rslt]
 
 
 def _wrap_instance__resolve(wrapping_functions, instance):
@@ -123,21 +127,23 @@ def _wrap_instance__resolve(wrapping_functions, instance):
 
 
 class CacheDecoratorBase(object):
-    '''Base class to build cache decorators.
+    """Base class to build cache decorators.
+
+    It helps for building keys from function arguments.
+    """
 
-       It helps for building keys from function arguments.
-    '''
     def __new__(cls, *args, **kwargs):
         if len(args) > 1:
             raise TypeError(
-                '%s got unexpected arguments, only one argument must be given, the function to decorate' % cls.__name__)
+                '%s got unexpected arguments, only one argument must be given, the function to decorate'
+                % cls.__name__
+            )
         if args:
             # Case of a decorator used directly
             return cls(**kwargs)(args[0])
         return super(CacheDecoratorBase, cls).__new__(cls)
 
-    def __init__(self, timeout=None, hostname_vary=True, args=None,
-                 kwargs=None):
+    def __init__(self, timeout=None, hostname_vary=True, args=None, kwargs=None):
         self.timeout = timeout
         self.hostname_vary = hostname_vary
         self.args = args
@@ -162,8 +168,7 @@ class CacheDecoratorBase(object):
                 key = self.key(*args, **kwargs)
                 value, tstamp = self.get(key)
                 if tstamp is not None:
-                    if (self.timeout is None
-                            or tstamp + self.timeout > now):
+                    if self.timeout is None or tstamp + self.timeout > now:
                         return value
                     if hasattr(self, 'delete'):
                         self.delete(key, (key, tstamp))
@@ -172,6 +177,7 @@ class CacheDecoratorBase(object):
                 return value
             except CacheUnusable:  # fallback when cache cannot be used
                 return func(*args, **kwargs)
+
         f.cache = self
         return f
 
@@ -199,10 +205,11 @@ class CacheDecoratorBase(object):
 
 
 class SimpleDictionnaryCacheMixin(object):
-    '''Default implementations of set, get and delete for a cache implemented
-       using a dictionary. The dictionnary must be returned by a property named
-       'cache'.
-    '''
+    """Default implementations of set, get and delete for a cache implemented
+    using a dictionary. The dictionnary must be returned by a property named
+    'cache'.
+    """
+
     def set(self, key, value):
         self.cache[key] = value
 
@@ -264,8 +271,7 @@ class PickleCacheMixin(object):
         return value
 
 
-class SessionCache(PickleCacheMixin, SimpleDictionnaryCacheMixin,
-                   CacheDecoratorBase):
+class SessionCache(PickleCacheMixin, SimpleDictionnaryCacheMixin, CacheDecoratorBase):
     @property
     def cache(self):
         request = middleware.StoreRequestMiddleware.get_request()
@@ -308,7 +314,9 @@ def json(func):
                 if variable in request.GET:
                     identifier = request.GET[variable]
                     if not re.match(r'^[$a-zA-Z_][0-9a-zA-Z_$]*$', identifier):
-                        return HttpResponseBadRequest('invalid JSONP callback name', content_type='text/plain')
+                        return HttpResponseBadRequest(
+                            'invalid JSONP callback name', content_type='text/plain'
+                        )
                     jsonp = True
                     break
         # 1. check origin
@@ -336,4 +344,5 @@ def json(func):
             response['Access-Control-Allow-Headers'] = 'x-requested-with'
         response.write(json_str)
         return response
+
     return f
diff --git a/src/authentic2/disco_service/disco_responder.py b/src/authentic2/disco_service/disco_responder.py
index f99c0e21..8a6e46a9 100644
--- a/src/authentic2/disco_service/disco_responder.py
+++ b/src/authentic2/disco_service/disco_responder.py
@@ -82,8 +82,9 @@ def get_disco_return_url_from_metadata(entity_id):
         logger.warn('get_disco_return_url_from_metadata: unknown service provider %s', entity_id)
         return None
     dom = parseString(liberty_provider.metadata.encode('utf8'))
-    endpoints = dom.getElementsByTagNameNS('urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol',
-                                           'DiscoveryResponse')
+    endpoints = dom.getElementsByTagNameNS(
+        'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol', 'DiscoveryResponse'
+    )
     if not endpoints:
         logger.warn('get_disco_return_url_from_metadata: no discovery service endpoint for %s', entity_id)
         return None
@@ -141,8 +142,7 @@ def disco(request):
 
     entityID = None
     _return = None
-    policy = \
-        "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single",
+    policy = ("urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single",)
     returnIDParam = None
     isPassive = False
 
@@ -167,7 +167,9 @@ def disco(request):
         # Discovery request parameters
         entityID = request.GET.get('entityID', '')
         _return = request.GET.get('return', '')
-        policy = request.GET.get('idp_selected', 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single')
+        policy = request.GET.get(
+            'idp_selected', 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single'
+        )
         returnIDParam = request.GET.get('returnIDParam', 'entityID')
         # XXX: isPassive is unused
         isPassive = request.GET.get('isPassive', '')
@@ -199,7 +201,8 @@ def disco(request):
     # equal to returnIDParam. Else, it is an unconformant SP.
     if is_param_id_in_return_url(return_url, returnIDParam):
         message = _('invalid return url %(return_url)s for %(entity_id)s') % dict(
-            return_url=return_url, entity_id=entityID)
+            return_url=return_url, entity_id=entityID
+        )
         return error_page(request, message, logger=logger)
 
     # not back from selection interface
@@ -227,6 +230,7 @@ def idp_selection(request):
     idp_selected = urlquote('http://www.identity-hub.com/idp/saml2/metadata')
     return HttpResponseRedirect('%s?idp_selected=%s' % (reverse(disco), idp_selected))
 
+
 urlpatterns = [
     url(r'^disco$', disco),
     url(r'^idp_selection$', idp_selection),
diff --git a/src/authentic2/exponential_retry_timeout.py b/src/authentic2/exponential_retry_timeout.py
index 65bf8ac9..0968b8f2 100644
--- a/src/authentic2/exponential_retry_timeout.py
+++ b/src/authentic2/exponential_retry_timeout.py
@@ -29,12 +29,14 @@ class ExponentialRetryTimeout(object):
     KEY_PREFIX = 'exp-backoff-'
     CACHE_DURATION = 86400
 
-    def __init__(self,
-                 factor=FACTOR,
-                 duration=DURATION,
-                 max_duration=MAX_DURATION,
-                 key_prefix=None,
-                 cache_duration=CACHE_DURATION):
+    def __init__(
+        self,
+        factor=FACTOR,
+        duration=DURATION,
+        max_duration=MAX_DURATION,
+        key_prefix=None,
+        cache_duration=CACHE_DURATION,
+    ):
         self.factor = factor
         self.duration = duration
         self.max_duration = max_duration
@@ -48,9 +50,9 @@ class ExponentialRetryTimeout(object):
         return '%s%s' % (self.key_prefix or self.KEY_PREFIX, hashlib.md5(key).hexdigest())
 
     def seconds_to_wait(self, *keys):
-        '''Return the duration in seconds until the next time when an action can be
-           done.
-        '''
+        """Return the duration in seconds until the next time when an action can be
+        done.
+        """
         key = self.key(keys)
         if self.duration:
             now = time.time()
@@ -60,8 +62,7 @@ class ExponentialRetryTimeout(object):
         return 0
 
     def success(self, *keys):
-        '''Signal an action success, delete exponential backoff cache.
-        '''
+        """Signal an action success, delete exponential backoff cache."""
         key = self.key(keys)
         if not self.duration:
             return
@@ -69,8 +70,7 @@ class ExponentialRetryTimeout(object):
         self.logger.debug(u'success for %s', keys)
 
     def failure(self, *keys):
-        '''Signal an action failure, augment the exponential backoff one level.
-        '''
+        """Signal an action failure, augment the exponential backoff one level."""
         key = self.key(keys)
         if not self.duration:
             return
diff --git a/src/authentic2/forms/authentication.py b/src/authentic2/forms/authentication.py
index d970134a..ab4a5bc0 100644
--- a/src/authentic2/forms/authentication.py
+++ b/src/authentic2/forms/authentication.py
@@ -39,11 +39,13 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
         initial=False,
         required=False,
         label=_('Remember me'),
-        help_text=_('Do not ask for authentication next time'))
+        help_text=_('Do not ask for authentication next time'),
+    )
     ou = forms.ModelChoiceField(
         label=lazy_label(_('Organizational unit'), lambda: app_settings.A2_LOGIN_FORM_OU_SELECTOR_LABEL),
         required=True,
-        queryset=OU.objects.all())
+        queryset=OU.objects.all(),
+    )
 
     def __init__(self, *args, **kwargs):
         preferred_ous = kwargs.pop('preferred_ous', [])
@@ -53,7 +55,8 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
         self.exponential_backoff = ExponentialRetryTimeout(
             key_prefix='login-exp-backoff-',
             duration=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION,
-            factor=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR)
+            factor=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR,
+        )
 
         if not app_settings.A2_USER_REMEMBER_ME:
             del self.fields['remember_me']
@@ -64,8 +67,7 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
             if preferred_ous:
                 choices = self.fields['ou'].choices
                 new_choices = list(choices)[:1] + [
-                    (ugettext('Preferred organizational units'), [
-                        (ou.pk, ou.name) for ou in preferred_ous]),
+                    (ugettext('Preferred organizational units'), [(ou.pk, ou.name) for ou in preferred_ous]),
                     (ugettext('All organizational units'), list(choices)[1:]),
                 ]
                 self.fields['ou'].choices = new_choices
@@ -88,9 +90,11 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
             seconds_to_wait = self.exponential_backoff.seconds_to_wait(*keys)
             if seconds_to_wait > app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION:
                 seconds_to_wait -= app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION
-                msg = _('You made too many login errors recently, you must '
-                        'wait <span class="js-seconds-until">%s</span> seconds '
-                        'to try again.')
+                msg = _(
+                    'You made too many login errors recently, you must '
+                    'wait <span class="js-seconds-until">%s</span> seconds '
+                    'to try again.'
+                )
                 msg = msg % int(math.ceil(seconds_to_wait))
                 msg = html.mark_safe(msg)
                 raise forms.ValidationError(msg)
@@ -140,16 +144,17 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
         if app_settings.A2_USERNAME_LABEL:
             username_label = app_settings.A2_USERNAME_LABEL
         invalid_login_message = [
-                _('Incorrect %(username_label)s or password.') % {'username_label': username_label},
+            _('Incorrect %(username_label)s or password.') % {'username_label': username_label},
         ]
-        if app_settings.A2_USER_CAN_RESET_PASSWORD is not False and getattr(settings, 'REGISTRATION_OPEN', True):
+        if app_settings.A2_USER_CAN_RESET_PASSWORD is not False and getattr(
+            settings, 'REGISTRATION_OPEN', True
+        ):
             invalid_login_message.append(
-                    _('Try again, use the forgotten password link below, or create an account.'))
+                _('Try again, use the forgotten password link below, or create an account.')
+            )
         elif app_settings.A2_USER_CAN_RESET_PASSWORD is not False:
-            invalid_login_message.append(
-                    _('Try again or use the forgotten password link below.'))
+            invalid_login_message.append(_('Try again or use the forgotten password link below.'))
         elif getattr(settings, 'REGISTRATION_OPEN', True):
-            invalid_login_message.append(
-                    _('Try again or create an account.'))
+            invalid_login_message.append(_('Try again or create an account.'))
         error_messages['invalid_login'] = ' '.join([force_text(x) for x in invalid_login_message])
         return error_messages
diff --git a/src/authentic2/forms/fields.py b/src/authentic2/forms/fields.py
index 286384bd..13fdb534 100644
--- a/src/authentic2/forms/fields.py
+++ b/src/authentic2/forms/fields.py
@@ -24,9 +24,13 @@ from django.core.files import File
 
 from authentic2 import app_settings
 from authentic2.passwords import password_help_text, validate_password
-from authentic2.forms.widgets import (PasswordInput, NewPasswordInput,
-                                      CheckPasswordInput, ProfileImageInput,
-                                      EmailInput)
+from authentic2.forms.widgets import (
+    PasswordInput,
+    NewPasswordInput,
+    CheckPasswordInput,
+    ProfileImageInput,
+    EmailInput,
+)
 from authentic2.validators import email_validator
 
 import PIL.Image
@@ -49,7 +53,9 @@ class CheckPasswordField(CharField):
     widget = CheckPasswordInput
 
     def __init__(self, *args, **kwargs):
-        kwargs['help_text'] = u'''
+        kwargs[
+            'help_text'
+        ] = u'''
     <span class="a2-password-check-equality-default">%(default)s</span>
     <span class="a2-password-check-equality-matched">%(match)s</span>
     <span class="a2-password-check-equality-unmatched">%(nomatch)s</span>
@@ -85,11 +91,7 @@ class ProfileImageField(FileField):
         output = io.BytesIO()
         if image.mode != 'RGB':
             image = image.convert('RGB')
-        image.save(
-            output,
-            format='JPEG',
-            quality=99,
-            optimize=1)
+        image.save(output, format='JPEG', quality=99, optimize=1)
         output.seek(0)
         return File(output, name=name)
 
diff --git a/src/authentic2/forms/mixins.py b/src/authentic2/forms/mixins.py
index 79abbf62..fb86ec65 100644
--- a/src/authentic2/forms/mixins.py
+++ b/src/authentic2/forms/mixins.py
@@ -61,7 +61,8 @@ class LockedFieldFormMixin(object):
                 help_text=field.help_text,
                 initial=initial,
                 required=False,
-                widget=forms.TextInput(attrs={'readonly': ''}))
+                widget=forms.TextInput(attrs={'readonly': ''}),
+            )
         if not locked_fields:
             return
 
diff --git a/src/authentic2/forms/passwords.py b/src/authentic2/forms/passwords.py
index 8d62b400..f71ab7b7 100644
--- a/src/authentic2/forms/passwords.py
+++ b/src/authentic2/forms/passwords.py
@@ -37,8 +37,7 @@ logger = logging.getLogger(__name__)
 class PasswordResetForm(forms.Form):
     next_url = forms.CharField(widget=forms.HiddenInput, required=False)
 
-    email = forms.CharField(
-        label=_("Email"), max_length=254)
+    email = forms.CharField(label=_("Email"), max_length=254)
 
     def save(self):
         """
@@ -51,12 +50,10 @@ class PasswordResetForm(forms.Form):
         for user in active_users:
             # we don't set the password to a random string, as some users should not have
             # a password
-            set_random_password = (user.has_usable_password()
-                                   and app_settings.A2_SET_RANDOM_PASSWORD_ON_RESET)
+            set_random_password = user.has_usable_password() and app_settings.A2_SET_RANDOM_PASSWORD_ON_RESET
             utils.send_password_reset_mail(
-                user,
-                set_random_password=set_random_password,
-                next_url=self.cleaned_data.get('next_url'))
+                user, set_random_password=set_random_password, next_url=self.cleaned_data.get('next_url')
+            )
         for user in users.filter(is_active=False):
             logger.info('password reset failed for user "%r": account is disabled', user)
             utils.send_templated_mail(user, ['authentic2/password_reset_refused'])
@@ -68,8 +65,8 @@ class PasswordResetForm(forms.Form):
 
 
 class PasswordResetMixin(Form):
-    '''Remove all password reset object for the current user when password is
-       successfully changed.'''
+    """Remove all password reset object for the current user when password is
+    successfully changed."""
 
     def save(self, commit=True):
         ret = super(PasswordResetMixin, self).save(commit=commit)
@@ -82,6 +79,7 @@ class PasswordResetMixin(Form):
                 ret = old_save(*args, **kwargs)
                 models.PasswordReset.objects.filter(user=self.user).delete()
                 return ret
+
             self.user.save = save
         return ret
 
@@ -109,8 +107,9 @@ class SetPasswordForm(NotifyOfPasswordChange, PasswordResetMixin, auth_forms.Set
         return new_password1
 
 
-class PasswordChangeForm(NotifyOfPasswordChange, NextUrlFormMixin, PasswordResetMixin,
-                         auth_forms.PasswordChangeForm):
+class PasswordChangeForm(
+    NotifyOfPasswordChange, NextUrlFormMixin, PasswordResetMixin, auth_forms.PasswordChangeForm
+):
     old_password = PasswordField(label=_('Old password'))
     new_password1 = NewPasswordField(label=_('New password'))
     new_password2 = CheckPasswordField(label=_("New password confirmation"))
@@ -122,6 +121,7 @@ class PasswordChangeForm(NotifyOfPasswordChange, NextUrlFormMixin, PasswordReset
             raise ValidationError(_('New password must differ from old password'))
         return new_password1
 
+
 # make old_password the first field
 new_base_fields = OrderedDict()
 
diff --git a/src/authentic2/forms/profile.py b/src/authentic2/forms/profile.py
index e3f37701..f6f77ed0 100644
--- a/src/authentic2/forms/profile.py
+++ b/src/authentic2/forms/profile.py
@@ -50,8 +50,7 @@ class EmailChangeFormNoPassword(forms.Form):
 
 
 class EmailChangeForm(EmailChangeFormNoPassword):
-    password = forms.CharField(label=_("Password"),
-                               widget=forms.PasswordInput)
+    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
 
     def clean_email(self):
         email = self.cleaned_data['email']
@@ -120,6 +119,7 @@ class BaseUserForm(LockedFieldFormMixin, forms.ModelForm):
             def save_m2m(*args, **kwargs):
                 old(*args, **kwargs)
                 self.save_attributes()
+
             self.save_m2m = save_m2m
         return result
 
@@ -129,10 +129,10 @@ class EditProfileForm(NextUrlFormMixin, BaseUserForm):
 
 
 def modelform_factory(model, **kwargs):
-    '''Build a modelform for the given model,
+    """Build a modelform for the given model,
 
-       For the user model also add attribute based fields.
-    '''
+    For the user model also add attribute based fields.
+    """
 
     form = kwargs.pop('form', None)
     fields = kwargs.get('fields') or []
@@ -159,15 +159,15 @@ def modelform_factory(model, **kwargs):
         form = forms.ModelForm
     modelform = None
     if required:
+
         def __init__(self, *args, **kwargs):
             super(modelform, self).__init__(*args, **kwargs)
             for field in required:
                 if field in self.fields:
                     self.fields[field].required = True
+
         d['__init__'] = __init__
     modelform = type(model.__name__ + 'ModelForm', (form,), d)
     kwargs['form'] = modelform
     modelform.required_css_class = 'form-field-required'
     return dj_modelform_factory(model, **kwargs)
-
-
diff --git a/src/authentic2/forms/registration.py b/src/authentic2/forms/registration.py
index 48bc8972..263a7a89 100644
--- a/src/authentic2/forms/registration.py
+++ b/src/authentic2/forms/registration.py
@@ -100,8 +100,9 @@ class RegistrationCompletionFormNoPassword(profile_forms.BaseUserForm):
                 else:
                     exist = True
                 if exist:
-                    raise ValidationError(_('This username is already in '
-                                            'use. Please supply a different username.'))
+                    raise ValidationError(
+                        _('This username is already in ' 'use. Please supply a different username.')
+                    )
             return username
 
     def clean_email(self):
@@ -118,8 +119,9 @@ class RegistrationCompletionFormNoPassword(profile_forms.BaseUserForm):
                 else:
                     exist = True
                 if exist:
-                    raise ValidationError(_('This email address is already in '
-                                            'use. Please supply a different email address.'))
+                    raise ValidationError(
+                        _('This email address is already in ' 'use. Please supply a different email address.')
+                    )
             return BaseUserManager.normalize_email(email)
 
     def save(self, commit=True):
diff --git a/src/authentic2/forms/widgets.py b/src/authentic2/forms/widgets.py
index d20478aa..9ce92e69 100644
--- a/src/authentic2/forms/widgets.py
+++ b/src/authentic2/forms/widgets.py
@@ -66,7 +66,7 @@ DATE_FORMAT_PY_JS_MAPPING = {
     '%Y': 'yyyy',
     '%y': 'yy',
     '%p': 'P',
-    '%S': 'ss'
+    '%S': 'ss',
 }
 
 DATE_FORMAT_TO_JS_REGEX = re.compile(r'(?<!\w)(' + '|'.join(DATE_FORMAT_PY_JS_MAPPING.keys()) + r')\b')
@@ -131,8 +131,8 @@ class PickerWidgetMixin(object):
         # with a default, and convert it to a Python data format for later string parsing
         date_format = self.options['format']
         self.format = DATE_FORMAT_TO_PYTHON_REGEX.sub(
-            lambda x: DATE_FORMAT_JS_PY_MAPPING[x.group()],
-            date_format)
+            lambda x: DATE_FORMAT_JS_PY_MAPPING[x.group()], date_format
+        )
 
         super(PickerWidgetMixin, self).__init__(attrs, format=self.format)
 
@@ -147,7 +147,8 @@ class PickerWidgetMixin(object):
         final_attrs = self.build_attrs(attrs)
         final_attrs['class'] = "controls input-append date"
         rendered_widget = super(PickerWidgetMixin, self).render(
-                name, value, attrs=final_attrs, renderer=renderer)
+            name, value, attrs=final_attrs, renderer=renderer
+        )
 
         # if not set, autoclose have to be true.
         self.options.setdefault('autoclose', True)
@@ -166,14 +167,18 @@ class PickerWidgetMixin(object):
         if not help_text:
             help_text = u'%s %s' % (_('Format:'), self.options['format'])
 
-        return mark_safe(self.render_template % dict(
-            id=id,
-            rendered_widget=rendered_widget,
-            clear_button=CLEAR_BTN_TEMPLATE if self.options.get('clearBtn') else '',
-            glyphicon=self.glyphicon,
-            language=get_language(),
-            options=js_options,
-            help_text=help_text))
+        return mark_safe(
+            self.render_template
+            % dict(
+                id=id,
+                rendered_widget=rendered_widget,
+                clear_button=CLEAR_BTN_TEMPLATE if self.options.get('clearBtn') else '',
+                glyphicon=self.glyphicon,
+                language=get_language(),
+                options=js_options,
+                help_text=help_text,
+            )
+        )
 
 
 class DateTimeWidget(PickerWidgetMixin, DateTimeInput):
@@ -255,13 +260,10 @@ class PasswordInput(BasePasswordInput):
             xstatic('jquery', 'jquery.min.js'),
             'authentic2/js/password.js',
         )
-        css = {
-            'all': ('authentic2/css/password.css',)
-        }
+        css = {'all': ('authentic2/css/password.css',)}
 
     def render(self, name, value, attrs=None, renderer=None):
-        output = super(PasswordInput, self).render(
-                name, value, attrs=attrs, renderer=renderer)
+        output = super(PasswordInput, self).render(name, value, attrs=attrs, renderer=renderer)
         if attrs and app_settings.A2_PASSWORD_POLICY_SHOW_LAST_CHAR:
             _id = attrs.get('id')
             if _id:
@@ -274,8 +276,7 @@ class NewPasswordInput(PasswordInput):
         if attrs is None:
             attrs = {}
         attrs['autocomplete'] = 'new-password'
-        output = super(NewPasswordInput, self).render(
-                name, value, attrs=attrs, renderer=renderer)
+        output = super(NewPasswordInput, self).render(name, value, attrs=attrs, renderer=renderer)
         if attrs:
             _id = attrs.get('id')
             if _id:
@@ -290,8 +291,7 @@ class CheckPasswordInput(PasswordInput):
         if attrs is None:
             attrs = {}
         attrs['autocomplete'] = 'new-password'
-        output = super(CheckPasswordInput, self).render(
-                name, value, attrs=attrs, renderer=renderer)
+        output = super(CheckPasswordInput, self).render(name, value, attrs=attrs, renderer=renderer)
         if attrs:
             _id = attrs.get('id')
             if _id and _id.endswith('2'):
@@ -326,8 +326,7 @@ class DatalistTextInput(TextInput):
         self.attrs.update({'list': self.name})
 
     def render(self, name, value, attrs=None, renderer=None):
-        output = super(DatalistTextInput, self).render(
-                name, value, attrs=attrs, renderer=renderer)
+        output = super(DatalistTextInput, self).render(name, value, attrs=attrs, renderer=renderer)
         datalist = '<datalist id="%s">' % self.name
         for element in self.data:
             datalist += '<option value="%s">' % element
@@ -348,14 +347,17 @@ class EmailInput(BaseEmailInput):
     def media(self):
         if app_settings.A2_SUGGESTED_EMAIL_DOMAINS:
             return forms.Media(
-                js = (
+                js=(
                     xstatic('jquery', 'jquery.min.js'),
                     'authentic2/js/email_domains_suggestions.js',
                 )
             )
+
     def get_context(self, *args, **kwargs):
         context = super(EmailInput, self).get_context(*args, **kwargs)
         if app_settings.A2_SUGGESTED_EMAIL_DOMAINS:
-            context['widget']['attrs']['data-suggested-domains'] = ':'.join(app_settings.A2_SUGGESTED_EMAIL_DOMAINS)
+            context['widget']['attrs']['data-suggested-domains'] = ':'.join(
+                app_settings.A2_SUGGESTED_EMAIL_DOMAINS
+            )
             context['domains_suggested'] = True
         return context
diff --git a/src/authentic2/hashers.py b/src/authentic2/hashers.py
index 14b80c34..d6e138a2 100644
--- a/src/authentic2/hashers.py
+++ b/src/authentic2/hashers.py
@@ -31,6 +31,7 @@ class Drupal7PasswordHasher(hashers.BasePasswordHasher):
     """
     Secure password hashing using the algorithm used by Drupal 7 (recommended)
     """
+
     algorithm = "drupal7_sha512"
     iterations = 10000
     digest = hashlib.sha512
@@ -49,20 +50,20 @@ class Drupal7PasswordHasher(hashers.BasePasswordHasher):
         while i < count:
             value = v[i]
             i += 1
-            out += self.i64toa(value & 0x3f)
+            out += self.i64toa(value & 0x3F)
             if i < count:
                 value |= v[i] << 8
-            out += self.i64toa((value >> 6) & 0x3f)
+            out += self.i64toa((value >> 6) & 0x3F)
             if i == count:
                 break
             i += 1
             if i < count:
                 value |= v[i] << 16
-            out += self.i64toa((value >> 12) & 0x3f)
+            out += self.i64toa((value >> 12) & 0x3F)
             if i == count:
                 break
             i += 1
-            out += self.i64toa((value >> 18) & 0x3f)
+            out += self.i64toa((value >> 18) & 0x3F)
         return out
 
     def from_drupal(self, encoded):
@@ -95,18 +96,21 @@ class Drupal7PasswordHasher(hashers.BasePasswordHasher):
     def safe_summary(self, encoded):
         algorithm, iterations, salt, hash = encoded.split('$', 3)
         assert algorithm == self.algorithm
-        return OrderedDict([
-            (_('algorithm'), algorithm),
-            (_('iterations'), iterations),
-            (_('salt'), hashers.mask_hash(salt)),
-            (_('hash'), hashers.mask_hash(hash)),
-        ])
+        return OrderedDict(
+            [
+                (_('algorithm'), algorithm),
+                (_('iterations'), iterations),
+                (_('salt'), hashers.mask_hash(salt)),
+                (_('hash'), hashers.mask_hash(hash)),
+            ]
+        )
 
 
 class CommonPasswordHasher(hashers.BasePasswordHasher):
     """
     The Salted MD5 password hashing algorithm (not recommended)
     """
+
     algorithm = None
     digest = None
 
@@ -125,34 +129,20 @@ class CommonPasswordHasher(hashers.BasePasswordHasher):
     def safe_summary(self, encoded):
         algorithm, salt, hash = encoded.split('$', 2)
         assert algorithm == self.algorithm
-        return OrderedDict([
-            (_('algorithm'), algorithm),
-            (_('salt'), hashers.mask_hash(salt, show=2)),
-            (_('hash'), hashers.mask_hash(hash)),
-        ])
+        return OrderedDict(
+            [
+                (_('algorithm'), algorithm),
+                (_('salt'), hashers.mask_hash(salt, show=2)),
+                (_('hash'), hashers.mask_hash(hash)),
+            ]
+        )
 
 
 OPENLDAP_ALGO_MAPPING = {
-    'SHA': (
-        'sha-oldap',
-        0,
-        True
-    ),
-    'SSHA': (
-        'ssha-oldap',
-        20,
-        True
-    ),
-    'MD5': (
-        'md5-oldap',
-        0,
-        True
-    ),
-    'SMD5': (
-        'md5-oldap',
-        16,
-        True
-    ),
+    'SHA': ('sha-oldap', 0, True),
+    'SSHA': ('ssha-oldap', 20, True),
+    'MD5': ('md5-oldap', 0, True),
+    'SMD5': ('md5-oldap', 16, True),
 }
 
 
@@ -301,7 +291,7 @@ class PloneSHA1PasswordHasher(hashers.SHA1PasswordHasher):
 
         # throw away the prefix
         if data.startswith(self._prefix):
-            data = data[len(self._prefix):]
+            data = data[len(self._prefix) :]
 
         # extract salt from encoded data
         intermediate = base64.b64decode(data)
@@ -313,7 +303,9 @@ class PloneSHA1PasswordHasher(hashers.SHA1PasswordHasher):
     def safe_summary(self, encoded):
         algorithm, hash = encoded.split('$', 1)
         assert algorithm == self.algorithm
-        return OrderedDict([
-            (_('algorithm'), algorithm),
-            (_('hash'), hashers.mask_hash(hash)),
-        ])
+        return OrderedDict(
+            [
+                (_('algorithm'), algorithm),
+                (_('hash'), hashers.mask_hash(hash)),
+            ]
+        )
diff --git a/src/authentic2/hooks.py b/src/authentic2/hooks.py
index 2125a280..2312ff7c 100644
--- a/src/authentic2/hooks.py
+++ b/src/authentic2/hooks.py
@@ -24,11 +24,11 @@ from . import decorators
 
 @decorators.GlobalCache
 def get_hooks(hook_name):
-    '''Return a list of defined hook named a2_hook<hook_name> on AppConfig classes of installed
-       Django applications.
+    """Return a list of defined hook named a2_hook<hook_name> on AppConfig classes of installed
+    Django applications.
 
-       Ordering of hooks can be defined using an orer field on the hook method.
-    '''
+    Ordering of hooks can be defined using an orer field on the hook method.
+    """
     hooks = []
     for app in apps.get_app_configs():
         name = 'a2_hook_' + hook_name
diff --git a/src/authentic2/idp/interactions.py b/src/authentic2/idp/interactions.py
index aeb36dfa..c16e5228 100644
--- a/src/authentic2/idp/interactions.py
+++ b/src/authentic2/idp/interactions.py
@@ -21,16 +21,18 @@ from django.shortcuts import render
 
 @login_required
 def consent_federation(request, nonce='', provider_id=None):
-    '''On a GET produce a form asking for consentment,
-       On a POST handle the form and redirect to next'''
+    """On a GET produce a form asking for consentment,
+    On a POST handle the form and redirect to next"""
     if request.method == "GET":
         return render(
-            request, 'interaction/consent_federation.html',
+            request,
+            'interaction/consent_federation.html',
             {
                 'provider_id': request.GET.get('provider_id', ''),
                 'nonce': request.GET.get('nonce', ''),
-                'next': request.GET.get('next', '')
-            })
+                'next': request.GET.get('next', ''),
+            },
+        )
     else:
         next_url = '/'
         if 'next' in request.POST:
diff --git a/src/authentic2/idp/migrations/0001_initial.py b/src/authentic2/idp/migrations/0001_initial.py
index 52e5e86d..0559d3d9 100644
--- a/src/authentic2/idp/migrations/0001_initial.py
+++ b/src/authentic2/idp/migrations/0001_initial.py
@@ -14,21 +14,108 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AttributePolicy',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=100)),
                 ('enabled', models.BooleanField(default=False, verbose_name='Enabled')),
-                ('ask_consent_attributes', models.BooleanField(default=True, verbose_name='Ask the user consent before forwarding attributes')),
-                ('allow_attributes_selection', models.BooleanField(default=True, verbose_name='Allow the user to select the forwarding attributes')),
-                ('forward_attributes_from_push_sources', models.BooleanField(default=False, verbose_name='Forward pushed attributes')),
-                ('map_attributes_from_push_sources', models.BooleanField(default=False, verbose_name='Map forwarded pushed attributes')),
-                ('output_name_format', models.CharField(default=('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'), max_length=100, verbose_name='Output name format', choices=[('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'), ('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', 'SAMLv2 BASIC')])),
-                ('output_namespace', models.CharField(default=('Default', 'Default'), max_length=100, verbose_name='Output namespace', choices=[('Default', 'Default'), ('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims')])),
-                ('filter_source_of_filtered_attributes', models.BooleanField(default=False, verbose_name='Filter by source and per attribute the forwarded pushed attributes')),
-                ('map_attributes_of_filtered_attributes', models.BooleanField(default=False, verbose_name='Map filtered attributes')),
-                ('send_error_and_no_attrs_if_missing_required_attrs', models.BooleanField(default=False, verbose_name='Send an error when a required attribute is missing')),
-                ('attribute_filter_for_sso_from_push_sources', models.ForeignKey(related_name='filter attributes of push sources with list', verbose_name='Filter by attribute names the forwarded pushed attributes', blank=True, to='attribute_aggregator.AttributeList', null=True, on_delete=models.CASCADE)),
-                ('attribute_list_for_sso_from_pull_sources', models.ForeignKey(related_name='attributes from pull sources', verbose_name='Pull attributes list', blank=True, to='attribute_aggregator.AttributeList', null=True, on_delete=models.CASCADE)),
-                ('source_filter_for_sso_from_push_sources', models.ManyToManyField(related_name='filter attributes of push sources with sources', null=True, verbose_name='Filter by source the forwarded pushed attributes', to='attribute_aggregator.AttributeSource', blank=True)),
+                (
+                    'ask_consent_attributes',
+                    models.BooleanField(
+                        default=True, verbose_name='Ask the user consent before forwarding attributes'
+                    ),
+                ),
+                (
+                    'allow_attributes_selection',
+                    models.BooleanField(
+                        default=True, verbose_name='Allow the user to select the forwarding attributes'
+                    ),
+                ),
+                (
+                    'forward_attributes_from_push_sources',
+                    models.BooleanField(default=False, verbose_name='Forward pushed attributes'),
+                ),
+                (
+                    'map_attributes_from_push_sources',
+                    models.BooleanField(default=False, verbose_name='Map forwarded pushed attributes'),
+                ),
+                (
+                    'output_name_format',
+                    models.CharField(
+                        default=('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'),
+                        max_length=100,
+                        verbose_name='Output name format',
+                        choices=[
+                            ('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'SAMLv2 URI'),
+                            ('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', 'SAMLv2 BASIC'),
+                        ],
+                    ),
+                ),
+                (
+                    'output_namespace',
+                    models.CharField(
+                        default=('Default', 'Default'),
+                        max_length=100,
+                        verbose_name='Output namespace',
+                        choices=[
+                            ('Default', 'Default'),
+                            (
+                                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims',
+                                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims',
+                            ),
+                        ],
+                    ),
+                ),
+                (
+                    'filter_source_of_filtered_attributes',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='Filter by source and per attribute the forwarded pushed attributes',
+                    ),
+                ),
+                (
+                    'map_attributes_of_filtered_attributes',
+                    models.BooleanField(default=False, verbose_name='Map filtered attributes'),
+                ),
+                (
+                    'send_error_and_no_attrs_if_missing_required_attrs',
+                    models.BooleanField(
+                        default=False, verbose_name='Send an error when a required attribute is missing'
+                    ),
+                ),
+                (
+                    'attribute_filter_for_sso_from_push_sources',
+                    models.ForeignKey(
+                        related_name='filter attributes of push sources with list',
+                        verbose_name='Filter by attribute names the forwarded pushed attributes',
+                        blank=True,
+                        to='attribute_aggregator.AttributeList',
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'attribute_list_for_sso_from_pull_sources',
+                    models.ForeignKey(
+                        related_name='attributes from pull sources',
+                        verbose_name='Pull attributes list',
+                        blank=True,
+                        to='attribute_aggregator.AttributeList',
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'source_filter_for_sso_from_push_sources',
+                    models.ManyToManyField(
+                        related_name='filter attributes of push sources with sources',
+                        null=True,
+                        verbose_name='Filter by source the forwarded pushed attributes',
+                        to='attribute_aggregator.AttributeSource',
+                        blank=True,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'attribute policy',
diff --git a/src/authentic2/idp/migrations/0002_auto_20150526_2239.py b/src/authentic2/idp/migrations/0002_auto_20150526_2239.py
index e54b2b73..ce360ce5 100644
--- a/src/authentic2/idp/migrations/0002_auto_20150526_2239.py
+++ b/src/authentic2/idp/migrations/0002_auto_20150526_2239.py
@@ -14,16 +14,34 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='attributepolicy',
             name='attribute_filter_for_sso_from_push_sources',
-            field=models.ForeignKey(related_name='+', verbose_name='Filter by attribute names the forwarded pushed attributes', blank=True, to='attribute_aggregator.AttributeList', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                related_name='+',
+                verbose_name='Filter by attribute names the forwarded pushed attributes',
+                blank=True,
+                to='attribute_aggregator.AttributeList',
+                null=True,
+                on_delete=models.CASCADE,
+            ),
         ),
         migrations.AlterField(
             model_name='attributepolicy',
             name='attribute_list_for_sso_from_pull_sources',
-            field=models.ForeignKey(related_name='+', verbose_name='Pull attributes list', blank=True, to='attribute_aggregator.AttributeList', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                related_name='+',
+                verbose_name='Pull attributes list',
+                blank=True,
+                to='attribute_aggregator.AttributeList',
+                null=True,
+                on_delete=models.CASCADE,
+            ),
         ),
         migrations.AlterField(
             model_name='attributepolicy',
             name='source_filter_for_sso_from_push_sources',
-            field=models.ManyToManyField(to='attribute_aggregator.AttributeSource', verbose_name='Filter by source the forwarded pushed attributes', blank=True),
+            field=models.ManyToManyField(
+                to='attribute_aggregator.AttributeSource',
+                verbose_name='Filter by source the forwarded pushed attributes',
+                blank=True,
+            ),
         ),
     ]
diff --git a/src/authentic2/idp/saml/__init__.py b/src/authentic2/idp/saml/__init__.py
index 009d8b98..12694511 100644
--- a/src/authentic2/idp/saml/__init__.py
+++ b/src/authentic2/idp/saml/__init__.py
@@ -20,12 +20,11 @@ from django.apps import AppConfig
 
 
 class Plugin(object):
-
     def check_origin(self, request, origin):
         from authentic2.cors import make_origin
         from authentic2.saml.models import LibertySession
-        for session in LibertySession.objects.filter(
-                django_session_key=request.session.session_key):
+
+        for session in LibertySession.objects.filter(django_session_key=request.session.session_key):
             provider_origin = make_origin(session.provider_id)
             if origin == provider_origin:
                 return True
@@ -44,20 +43,26 @@ default_app_config = 'authentic2.idp.saml.SAML2IdPConfig'
 
 def check_authentic2_config(app_configs, **kwargs):
     from . import app_settings
+
     errors = []
 
-    if (not settings.DEBUG
-            and app_settings.ENABLE
-            and (app_settings.is_default('SIGNATURE_PUBLIC_KEY')
-                 or app_settings.is_default('SIGNATURE_PRIVATE_KEY'))):
+    if (
+        not settings.DEBUG
+        and app_settings.ENABLE
+        and (
+            app_settings.is_default('SIGNATURE_PUBLIC_KEY')
+            or app_settings.is_default('SIGNATURE_PRIVATE_KEY')
+        )
+    ):
         errors.append(
             Warning(
                 'You should not use default SAML keys in production',
                 hint='Generate new RSA keys and change the value of '
-                     'A2_IDP_SAML2_SIGNATURE_PUBLIC_KEY and '
-                     'A2_IDP_SAML2_SIGNATURE_PRIVATE_KEY in your setting file',
+                'A2_IDP_SAML2_SIGNATURE_PUBLIC_KEY and '
+                'A2_IDP_SAML2_SIGNATURE_PRIVATE_KEY in your setting file',
             )
         )
     return errors
 
+
 check_authentic2_config = register(Tags.security, deploy=True)(check_authentic2_config)
diff --git a/src/authentic2/idp/saml/app_settings.py b/src/authentic2/idp/saml/app_settings.py
index 0d460834..7f2d4e6d 100644
--- a/src/authentic2/idp/saml/app_settings.py
+++ b/src/authentic2/idp/saml/app_settings.py
@@ -80,6 +80,7 @@ TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
 
     def _setting(self, name, dflt):
         from django.conf import settings
+
         return getattr(settings, name, dflt)
 
     def _setting_with_prefix(self, name, dflt):
@@ -87,27 +88,30 @@ TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
 
     @property
     def ENABLE(self):
-        return self._setting_with_prefix('ENABLE',
-                                         self._setting('IDP_SAML2',
-                                                       self.__DEFAULTS['ENABLE']))
+        return self._setting_with_prefix('ENABLE', self._setting('IDP_SAML2', self.__DEFAULTS['ENABLE']))
 
     @property
     def SIGNATURE_PUBLIC_KEY(self):
-        return self._setting_with_prefix('SIGNATURE_PUBLIC_KEY',
-                                         self._setting('SAML_SIGNATURE_PUBLIC_KEY',
-                                                       self.__DEFAULTS['SIGNATURE_PUBLIC_KEY']))
+        return self._setting_with_prefix(
+            'SIGNATURE_PUBLIC_KEY',
+            self._setting('SAML_SIGNATURE_PUBLIC_KEY', self.__DEFAULTS['SIGNATURE_PUBLIC_KEY']),
+        )
 
     @property
     def SIGNATURE_PRIVATE_KEY(self):
-        return self._setting_with_prefix('SIGNATURE_PRIVATE_KEY',
-                                         self._setting('SAML_SIGNATURE_PRIVATE_KEY',
-                                                       self.__DEFAULTS['SIGNATURE_PRIVATE_KEY']))
+        return self._setting_with_prefix(
+            'SIGNATURE_PRIVATE_KEY',
+            self._setting('SAML_SIGNATURE_PRIVATE_KEY', self.__DEFAULTS['SIGNATURE_PRIVATE_KEY']),
+        )
 
     @property
     def AUTHN_CONTEXT_FROM_SESSION(self):
-        return self._setting_with_prefix('AUTHN_CONTEXT_FROM_SESSION',
-                                         self._setting('IDP_SAML2_AUTHN_CONTEXT_FROM_SESSION',
-                                                       self.__DEFAULTS['AUTHN_CONTEXT_FROM_SESSION']))
+        return self._setting_with_prefix(
+            'AUTHN_CONTEXT_FROM_SESSION',
+            self._setting(
+                'IDP_SAML2_AUTHN_CONTEXT_FROM_SESSION', self.__DEFAULTS['AUTHN_CONTEXT_FROM_SESSION']
+            ),
+        )
 
     def is_default(self, name):
         return getattr(self, name) == self.__DEFAULTS[name]
@@ -117,6 +121,7 @@ TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
             raise AttributeError(name)
         return self._setting_with_prefix(name, self.__DEFAULTS[name])
 
+
 # Ugly? Guido recommends this himself ...
 # http://mail.python.org/pipermail/python-ideas/2012-May/014969.html
 app_settings = AppSettings('A2_IDP_SAML2_')
diff --git a/src/authentic2/idp/saml/backend.py b/src/authentic2/idp/saml/backend.py
index d0edf59d..5dafc565 100644
--- a/src/authentic2/idp/saml/backend.py
+++ b/src/authentic2/idp/saml/backend.py
@@ -41,10 +41,10 @@ class SamlBackend(object):
         q = models.LibertyServiceProvider.objects.all()
         q = q.filter(
             Q(liberty_provider__authorized_roles__isnull=True)
-            | Q(liberty_provider__authorized_roles__in=request.user.roles_and_parents()))
+            | Q(liberty_provider__authorized_roles__in=request.user.roles_and_parents())
+        )
         ls = []
-        sessions = models.LibertySession.objects.filter(
-            django_session_key=request.session.session_key)
+        sessions = models.LibertySession.objects.filter(django_session_key=request.session.session_key)
         sessions_eids = set(session.provider_id for session in sessions)
         all_policy = common.get_sp_options_policy_all()
         default_policy = common.get_sp_options_policy_default()
@@ -53,23 +53,22 @@ class SamlBackend(object):
             queries.append(q)
             queries.append(q.filter(liberty_provider__entity_id__in=sessions_eids))
         else:
-            queries.append(q.filter(
-                sp_options_policy__enabled=True,
-                sp_options_policy__idp_initiated_sso=True))
+            queries.append(
+                q.filter(sp_options_policy__enabled=True, sp_options_policy__idp_initiated_sso=True)
+            )
             queries.append(
                 q.filter(
                     sp_options_policy__enabled=True,
                     sp_options_policy__accept_slo=True,
-                    liberty_provider__entity_id__in=sessions_eids))
+                    liberty_provider__entity_id__in=sessions_eids,
+                )
+            )
             if default_policy and default_policy.idp_initiated_sso:
-                queries.append(
-                    q.filter(
-                        sp_options_policy__isnull=True))
+                queries.append(q.filter(sp_options_policy__isnull=True))
             if default_policy and default_policy.accept_slo:
                 queries.append(
-                    q.filter(
-                        sp_options_policy__isnull=True,
-                        liberty_provider__entity_id__in=sessions_eids))
+                    q.filter(sp_options_policy__isnull=True, liberty_provider__entity_id__in=sessions_eids)
+                )
         qs = six.moves.reduce(operator.__or__, queries)
         # do some prefetching
         qs = qs.prefetch_related('liberty_provider')
@@ -78,8 +77,7 @@ class SamlBackend(object):
             liberty_provider = service_provider.liberty_provider
             if all_policy:
                 policy = all_policy
-            elif (service_provider.enable_following_sp_options_policy
-                    and service_provider.sp_options_policy):
+            elif service_provider.enable_following_sp_options_policy and service_provider.sp_options_policy:
                 policy = service_provider.sp_options_policy
             else:
                 policy = default_policy
@@ -89,32 +87,18 @@ class SamlBackend(object):
                 protocol = 'saml2'
                 if policy.idp_initiated_sso:
                     actions.append(
-                        (
-                            _('Login'), 'POST',
-                            '/idp/%s/idp_sso/' % protocol,
-                            (
-                                ('provider_id', entity_id),
-                            )
-                        )
+                        (_('Login'), 'POST', '/idp/%s/idp_sso/' % protocol, (('provider_id', entity_id),))
                     )
                 if policy.accept_slo and entity_id in sessions_eids:
                     actions.append(
-                        (
-                            _('Logout'), 'POST',
-                            '/idp/%s/idp_slo/' % protocol,
-                            (
-                                ('provider_id', entity_id),
-                            )
-                        )
+                        (_('Logout'), 'POST', '/idp/%s/idp_slo/' % protocol, (('provider_id', entity_id),))
                     )
                 if actions:
-                    ls.append(
-                        Service(url=None, name=liberty_provider.name, actions=actions))
+                    ls.append(Service(url=None, name=liberty_provider.name, actions=actions))
         return ls
 
     def logout_list(self, request):
-        all_sessions = models.LibertySession.objects.filter(
-            django_session_key=request.session.session_key)
+        all_sessions = models.LibertySession.objects.filter(django_session_key=request.session.session_key)
         self.logger.debug("all_sessions %r" % all_sessions)
         provider_ids = set([s.provider_id for s in all_sessions])
         self.logger.debug("provider_ids %r" % provider_ids)
@@ -137,13 +121,17 @@ class SamlBackend(object):
                     url = reverse(saml2_endpoints.idp_slo, args=[provider_id])
                     # add a nonce so this link is never cached
                     nonce = hex(random.getrandbits(128))
-                    url = '{0}?provider_id={1}&nonce={2}'.format(
-                        url, quote(provider_id), nonce)
+                    url = '{0}?provider_id={1}&nonce={2}'.format(url, quote(provider_id), nonce)
                     name = name or provider_id
-                    code = render_to_string('idp/saml/logout_fragment.html', {
-                        'needs_iframe': policy.needs_iframe_logout,
-                        'name': name, 'url': url,
-                        'iframe_timeout': policy.iframe_logout_timeout})
+                    code = render_to_string(
+                        'idp/saml/logout_fragment.html',
+                        {
+                            'needs_iframe': policy.needs_iframe_logout,
+                            'name': name,
+                            'url': url,
+                            'iframe_timeout': policy.iframe_logout_timeout,
+                        },
+                    )
                     result.append(code)
         return result
 
@@ -152,14 +140,10 @@ class SamlBackend(object):
             return ()
         user = request.user
         links = []
-        qs = models.LibertyFederation.objects.filter(
-            user=user,
-            sp__isnull=False)
+        qs = models.LibertyFederation.objects.filter(user=user, sp__isnull=False)
         qs = qs.select_related('sp')
         for federation in qs:
-            links.append(
-                (federation.sp.liberty_provider, federation.name_id_content)
-            )
+            links.append((federation.sp.liberty_provider, federation.name_id_content))
         return links
 
     def can_synchronous_logout(self, django_sessions_keys):
@@ -179,16 +163,15 @@ class SamlBackend(object):
                 'hidden_inputs': {
                     'next': next_url,
                 },
-                'buttons': (
-                    ('delete', _('Delete')),
-                ),
+                'buttons': (('delete', _('Delete')),),
                 'url': url,
             }
         qs = models.LibertyProvider.objects
         qs = qs.filter(service_provider__users_can_manage_federations=True)
         qs = qs.exclude(service_provider__libertyfederation__in=federations)
-        qs = qs.filter(Q(authorized_roles__isnull=True)
-                       | Q(authorized_roles__in=request.user.roles_and_parents()))
+        qs = qs.filter(
+            Q(authorized_roles__isnull=True) | Q(authorized_roles__in=request.user.roles_and_parents())
+        )
         qs = qs.select_related()
         for liberty_provider in qs:
             url = reverse('a2-idp-saml2-idp-sso')
@@ -198,8 +181,6 @@ class SamlBackend(object):
                     'provider_id': liberty_provider.entity_id,
                     'next': next_url,
                 },
-                'buttons': (
-                    ('create', _('Create')),
-                ),
+                'buttons': (('create', _('Create')),),
                 'url': url,
             }
diff --git a/src/authentic2/idp/saml/saml2_endpoints.py b/src/authentic2/idp/saml/saml2_endpoints.py
index b70fdd00..4076871d 100644
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@@ -46,8 +46,7 @@ from authentic2.compat_lasso import lasso
 from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import ObjectDoesNotExist
-from django.http import HttpResponse, HttpResponseRedirect, \
-    HttpResponseForbidden, HttpResponseBadRequest
+from django.http import HttpResponse, HttpResponseRedirect, HttpResponseForbidden, HttpResponseBadRequest
 from django.utils import six
 from django.utils.translation import ugettext as _, ugettext_noop as N_
 from django.views.decorators.csrf import csrf_exempt
@@ -65,27 +64,48 @@ from django.contrib import messages
 
 import authentic2.views as a2_views
 from authentic2.saml.models import (
-    LibertyArtifact, LibertySession, LibertyFederation, nameid2kwargs,
-    saml2_urn_to_nidformat, nidformat_to_saml2_urn, save_key_values,
-    get_and_delete_key_values, LibertyProvider, LibertyServiceProvider,
-    SAMLAttribute, NAME_ID_FORMATS)
-from authentic2.saml.common import redirect_next, asynchronous_bindings, \
-    soap_bindings, load_provider, get_saml2_request_message, \
-    error_page, set_saml2_response_responder_status_code, \
-    AUTHENTIC_STATUS_CODE_MISSING_DESTINATION, \
-    load_federation, \
-    return_saml2_response, \
-    get_soap_message, soap_fault, return_saml_soap_response, \
-    AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER, \
-    AUTHENTIC_STATUS_CODE_MISSING_NAMEID, \
-    AUTHENTIC_STATUS_CODE_MISSING_SESSION_INDEX, \
-    AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION, \
-    AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR, \
-    AUTHENTIC_STATUS_CODE_UNAUTHORIZED, \
-    send_soap_request, get_saml2_query_request, \
-    get_saml2_request_message_async_binding, create_saml2_server, \
-    get_saml2_metadata, get_sp_options_policy, \
-    get_entity_id, AUTHENTIC_SAME_ID_SENTINEL
+    LibertyArtifact,
+    LibertySession,
+    LibertyFederation,
+    nameid2kwargs,
+    saml2_urn_to_nidformat,
+    nidformat_to_saml2_urn,
+    save_key_values,
+    get_and_delete_key_values,
+    LibertyProvider,
+    LibertyServiceProvider,
+    SAMLAttribute,
+    NAME_ID_FORMATS,
+)
+from authentic2.saml.common import (
+    redirect_next,
+    asynchronous_bindings,
+    soap_bindings,
+    load_provider,
+    get_saml2_request_message,
+    error_page,
+    set_saml2_response_responder_status_code,
+    AUTHENTIC_STATUS_CODE_MISSING_DESTINATION,
+    load_federation,
+    return_saml2_response,
+    get_soap_message,
+    soap_fault,
+    return_saml_soap_response,
+    AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER,
+    AUTHENTIC_STATUS_CODE_MISSING_NAMEID,
+    AUTHENTIC_STATUS_CODE_MISSING_SESSION_INDEX,
+    AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION,
+    AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR,
+    AUTHENTIC_STATUS_CODE_UNAUTHORIZED,
+    send_soap_request,
+    get_saml2_query_request,
+    get_saml2_request_message_async_binding,
+    create_saml2_server,
+    get_saml2_metadata,
+    get_sp_options_policy,
+    get_entity_id,
+    AUTHENTIC_SAME_ID_SENTINEL,
+)
 import authentic2.saml.saml2utils as saml2utils
 from authentic2.idp.saml.common import kill_django_sessions
 from authentic2.constants import NONCE_FIELD_NAME
@@ -93,8 +113,12 @@ from authentic2.constants import NONCE_FIELD_NAME
 from authentic2.idp import signals as idp_signals
 
 from authentic2.utils import (
-    make_url, get_backends as get_idp_backends, login_require,
-    find_authentication_event, datetime_to_xs_datetime)
+    make_url,
+    get_backends as get_idp_backends,
+    login_require,
+    find_authentication_event,
+    datetime_to_xs_datetime,
+)
 from authentic2 import utils
 from authentic2.attributes_ng.engine import get_attributes
 from authentic2 import hooks
@@ -111,11 +135,12 @@ def get_nonce():
     alphabet = string.ascii_letters + string.digits
     return '_' + ''.join(random.SystemRandom().choice(alphabet) for i in range(20))
 
+
 metadata_map = (
     (saml2utils.Saml2Metadata.SINGLE_SIGN_ON_SERVICE, asynchronous_bindings, '/sso'),
     (saml2utils.Saml2Metadata.SINGLE_LOGOUT_SERVICE, asynchronous_bindings, '/slo', '/slo_return'),
     (saml2utils.Saml2Metadata.SINGLE_LOGOUT_SERVICE, soap_bindings, '/slo/soap'),
-    (saml2utils.Saml2Metadata.ARTIFACT_RESOLUTION_SERVICE, lasso.SAML2_METADATA_BINDING_SOAP, '/artifact')
+    (saml2utils.Saml2Metadata.ARTIFACT_RESOLUTION_SERVICE, lasso.SAML2_METADATA_BINDING_SOAP, '/artifact'),
 )
 
 
@@ -127,19 +152,22 @@ def metadata(request):
 
 
 def log_assert(func, exception_classes=(AssertionError,)):
-    '''Convert assertion errors to warning logs and report them to the user
-       through the messages framework.
+    """Convert assertion errors to warning logs and report them to the user
+    through the messages framework.
+
+    Returns a redirect to homepage or the `next` query parameter.
+    """
 
-       Returns a redirect to homepage or the `next` query parameter.
-    '''
     @wraps(func)
     def f(request, *args, **kwargs):
         try:
             return func(request, *args, **kwargs)
         except exception_classes as e:
             return error_redirect(request, str(e))
+
     return f
 
+
 #####
 # SSO
 #####
@@ -150,12 +178,13 @@ def register_new_saml2_session(request, login):
     lib_session = LibertySession(
         provider_id=login.remoteProviderId,
         saml2_assertion=login.assertion,
-        django_session_key=request.session.session_key)
+        django_session_key=request.session.session_key,
+    )
     lib_session.save()
 
 
 def fill_assertion(request, saml_request, assertion, provider_id, nid_format):
-    '''Stuff an assertion with information extracted from the user record
+    """Stuff an assertion with information extracted from the user record
        and from the session, and eventually from transactions linked to the
        request, i.e. a login event or a consent event.
 
@@ -170,7 +199,7 @@ def fill_assertion(request, saml_request, assertion, provider_id, nid_format):
     # to the request id
     # TODO: use information from the consent event to specialize release of
     # attributes (user only authorized to give its email for email)
-       '''
+    """
     assert nid_format in NAME_ID_FORMATS
 
     logger.debug('initializing assertion %s', assertion.id)
@@ -220,11 +249,7 @@ def make_edu_person_targeted_id_value(provider, user):
     if attribute_value is None:
         return None
 
-    keys = [
-        force_bytes(salt),
-        force_bytes(provider.entity_id),
-        force_bytes(attribute_value)
-    ]
+    keys = [force_bytes(salt), force_bytes(provider.entity_id), force_bytes(attribute_value)]
     return '_' + hashlib.sha256(b''.join(keys)).hexdigest().upper()
 
 
@@ -259,8 +284,12 @@ def add_attributes(request, entity_id, assertion, provider, nid_format):
         # sequence from lasso are always tuple, so convert to list
         attributes[(name, name_format)] = attribute, list(attribute.attributeValue)
         for atv in attribute.attributeValue:
-            if atv.any and len(atv.any) == 1 and isinstance(atv.any[0], lasso.MiscTextNode) and \
-                    atv.any[0].textChild:
+            if (
+                atv.any
+                and len(atv.any) == 1
+                and isinstance(atv.any[0], lasso.MiscTextNode)
+                and atv.any[0].textChild
+            ):
                 seen.add((name, name_format, force_text(atv.any[0].content)))
     definitions = list(qs)
 
@@ -273,7 +302,9 @@ def add_attributes(request, entity_id, assertion, provider, nid_format):
                     name=edu_name,
                     name_format='uri',
                     attribute_name='edupersontargetedid',
-                    friendly_name='eduPersonTargetedID'))
+                    friendly_name='eduPersonTargetedID',
+                )
+            )
 
     for definition in definitions:
         name = definition.name
@@ -386,7 +417,7 @@ def saml2_add_attribute_values(assertion, attributes):
 
 def build_assertion(request, login, provider, nid_format='transient'):
     """After a successfully validated authentication request, build an
-       authentication assertion
+    authentication assertion
     """
     entity_id = get_entity_id(request)
     now = datetime.datetime.utcnow()
@@ -414,8 +445,7 @@ def build_assertion(request, login, provider, nid_format='transient'):
             if how == 'password':
                 authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD
             elif how == 'password-on-https':
-                authn_context = \
-                    lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
+                authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
             elif how.startswith('oath-totp'):
                 authn_context = lasso.SAML2_AUTHN_CONTEXT_TIME_SYNC_TOKEN
             else:
@@ -429,7 +459,8 @@ def build_assertion(request, login, provider, nid_format='transient'):
         now.isoformat() + 'Z',
         'unused',  # reauthenticateOnOrAfter is only for ID-FF 1.2
         notBefore.isoformat() + 'Z',
-        notOnOrAfter.isoformat() + 'Z')
+        notOnOrAfter.isoformat() + 'Z',
+    )
     assertion = login.assertion
     assertion.conditions.notOnOrAfter = notOnOrAfter.isoformat() + 'Z'
     # Set SessionNotOnOrAfter to expiry date of the current session, so we are sure no session on
@@ -449,11 +480,11 @@ def build_assertion(request, login, provider, nid_format='transient'):
         if kwargs.get('name_id_sp_name_qualifier') == login.remoteProviderId:
             kwargs['name_id_sp_name_qualifier'] = AUTHENTIC_SAME_ID_SENTINEL
         service_provider = LibertyServiceProvider.objects.get(
-            liberty_provider__entity_id=login.remoteProviderId)
+            liberty_provider__entity_id=login.remoteProviderId
+        )
         federation, new = LibertyFederation.objects.get_or_create(
-            sp=service_provider,
-            user=request.user,
-            **kwargs)
+            sp=service_provider, user=request.user, **kwargs
+        )
         if new:
             logger.debug('nameID persistent, new federation')
             federation.save()
@@ -465,8 +496,10 @@ def build_assertion(request, login, provider, nid_format='transient'):
         kwargs = nameid2kwargs(login.assertion.subject.nameID)
     kwargs['entity_id'] = login.remoteProviderId
     kwargs['user'] = request.user
-    logger.debug(u'sending nameID %(name_id_format)r: %(name_id_content)r to '
-                 u'%(entity_id)s for user %(user)s' % kwargs)
+    logger.debug(
+        u'sending nameID %(name_id_format)r: %(name_id_content)r to '
+        u'%(entity_id)s for user %(user)s' % kwargs
+    )
     register_new_saml2_session(request, login)
     add_attributes(request, entity_id, assertion, provider, nid_format)
     return kwargs['name_id_content']
@@ -477,8 +510,8 @@ def build_assertion(request, login, provider, nid_format='transient'):
 @log_assert
 def sso(request):
     """Endpoint for receiving saml2:AuthnRequests by POST, Redirect or SOAP.
-       For SOAP a session must be established previously through the login
-       page. No authentication through the SOAP request is supported.
+    For SOAP a session must be established previously through the login
+    page. No authentication through the SOAP request is supported.
     """
     if request.method == "GET":
         logger.debug('called by GET')
@@ -490,8 +523,9 @@ def sso(request):
     message = get_saml2_request_message(request, login)
     # 1. Process the request, separate POST and GET treatment
     if not message:
-        return HttpResponseForbidden('A SAMLv2 Single Sign On request need a query string',
-                                     content_type='text/plain')
+        return HttpResponseForbidden(
+            'A SAMLv2 Single Sign On request need a query string', content_type='text/plain'
+        )
     logger.debug('processing sso request %r', message)
     policy = None
     signed = True
@@ -504,18 +538,26 @@ def sso(request):
             break
         except (lasso.ProfileInvalidMsgError, lasso.ProfileMissingIssuerError) as e:
             logger.warning(
-                'invalid message for WebSSO profile with HTTP-Redirect binding: '
-                '%r exception: %s', message, e, extra={'request': request})
+                'invalid message for WebSSO profile with HTTP-Redirect binding: ' '%r exception: %s',
+                message,
+                e,
+                extra={'request': request},
+            )
             return HttpResponseBadRequest(
-                _("SAMLv2 Single Sign On: invalid message for WebSSO profile with HTTP-Redirect "
-                  "binding: %r") % message, content_type='text/plain')
+                _(
+                    "SAMLv2 Single Sign On: invalid message for WebSSO profile with HTTP-Redirect "
+                    "binding: %r"
+                )
+                % message,
+                content_type='text/plain',
+            )
         except lasso.ProfileInvalidProtocolprofileError:
             log_info_authn_request_details(login)
             message = _(
                 "SAMLv2 Single Sign On: the request cannot be "
-                "answered because no valid protocol binding could be found")
-            logger.warning(
-                'the request cannot be answered because no valid protocol binding could be found')
+                "answered because no valid protocol binding could be found"
+            )
+            logger.warning('the request cannot be answered because no valid protocol binding could be found')
             return HttpResponseBadRequest(message, content_type='text/plain')
         except lasso.ProviderMissingPublicKeyError as e:
             log_info_authn_request_details(login)
@@ -527,8 +569,7 @@ def sso(request):
             logger.warning('digital signature treatment error: %s', e)
             login.response.status.statusMessage = 'Signature validation failed'
             return return_login_response(request, login)
-        except (lasso.ServerProviderNotFoundError,
-                lasso.ProfileUnknownProviderError):
+        except (lasso.ServerProviderNotFoundError, lasso.ProfileUnknownProviderError):
             logger.debug('processAuthnRequestMsg not successful')
             log_info_authn_request_details(login)
             provider_id = login.remoteProviderId
@@ -543,14 +584,12 @@ def sso(request):
                     {
                         'entity_id': provider_id,
                         'add_url': add_url,
-                    })
+                    },
+                )
             else:
                 policy = get_sp_options_policy(provider_loaded)
                 if not policy:
-                    return error_page(
-                        request,
-                        _('sso: No SP policy defined'),
-                        logger=logger, warning=True)
+                    return error_page(request, _('sso: No SP policy defined'), logger=logger, warning=True)
                 logger.debug('provider %s loaded with success', provider_id)
             if policy.authn_request_signed:
                 verify_hint = lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE
@@ -561,14 +600,14 @@ def sso(request):
 
     if signed and not check_destination(request, login.request):
         logger.warning('wrong or absent destination')
-        return return_login_error(
-            request, login,
-            AUTHENTIC_STATUS_CODE_MISSING_DESTINATION)
+        return return_login_error(request, login, AUTHENTIC_STATUS_CODE_MISSING_DESTINATION)
     # Check NameIDPolicy or force the NameIDPolicy
     name_id_policy = login.request.nameIdPolicy
-    if (name_id_policy
-            and name_id_policy.format
-            and name_id_policy.format != lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED):
+    if (
+        name_id_policy
+        and name_id_policy.format
+        and name_id_policy.format != lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED
+    ):
         logger.debug('nameID policy is %s', force_text(name_id_policy.dump()))
         nid_format = saml2_urn_to_nidformat(name_id_policy.format, accepted=policy.accepted_name_id_format)
         logger.debug('nameID format %s', nid_format)
@@ -576,9 +615,10 @@ def sso(request):
         logger.debug('default nameID format %s', default_nid_format)
         accepted_nid_format = policy.accepted_name_id_format
         logger.debug('nameID format accepted %s', accepted_nid_format)
-        if (not nid_format or nid_format not in accepted_nid_format) and \
-           default_nid_format != nid_format:
-            set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
+        if (not nid_format or nid_format not in accepted_nid_format) and default_nid_format != nid_format:
+            set_saml2_response_responder_status_code(
+                login.response, lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY
+            )
             logger.warning('NameID format required is not accepted')
             return finish_sso(request, login)
     else:
@@ -595,14 +635,19 @@ def sso(request):
 
 def need_login(request, login, nid_format, service):
     """Redirect to the login page with a nonce parameter to verify later that
-       the login form was submitted
+    the login form was submitted
     """
     nonce = login.request.id or get_nonce()
     save_key_values(nonce, force_text(login.dump()), False, nid_format)
     next_url = make_url(continue_sso, params={NONCE_FIELD_NAME: nonce})
     logger.debug('redirect to login page with next url %s', next_url)
-    return login_require(request, next_url=next_url, params={NONCE_FIELD_NAME: nonce},
-                         service=service, login_hint=get_login_hints_extension(login))
+    return login_require(
+        request,
+        next_url=next_url,
+        params={NONCE_FIELD_NAME: nonce},
+        service=service,
+        login_hint=get_login_hints_extension(login),
+    )
 
 
 def get_url_with_nonce(request, function, nonce):
@@ -615,17 +660,19 @@ def need_consent_for_federation(request, login, nid_format):
     save_key_values(nonce, force_text(login.dump()), False, nid_format)
     display_name = None
     try:
-        provider = \
-            LibertyProvider.objects.get(entity_id=login.request.issuer.content)
+        provider = LibertyProvider.objects.get(entity_id=login.request.issuer.content)
         display_name = provider.name
     except ObjectDoesNotExist:
         pass
     if not display_name:
         display_name = quote(login.request.issuer.content)
-    url = '%s?%s=%s&next=%s&provider_id=%s' \
-        % (reverse('a2-consent-federation'), NONCE_FIELD_NAME,
-            nonce, get_url_with_nonce(request, continue_sso, nonce),
-            display_name)
+    url = '%s?%s=%s&next=%s&provider_id=%s' % (
+        reverse('a2-consent-federation'),
+        NONCE_FIELD_NAME,
+        nonce,
+        get_url_with_nonce(request, continue_sso, nonce),
+        display_name,
+    )
     logger.debug('redirect to url %s', url)
     return HttpResponseRedirect(url)
 
@@ -639,8 +686,7 @@ def continue_sso(request):
         consent_answer = request.GET.get('consent_answer', '')
         if consent_answer:
             logger.debug('back from the consent page for federation with answer %s', consent_answer)
-        consent_attribute_answer = \
-            request.GET.get('consent_attribute_answer', '')
+        consent_attribute_answer = request.GET.get('consent_attribute_answer', '')
         if consent_attribute_answer:
             logger.debug(u'back from the consent page for attributes %s', consent_attribute_answer)
     nonce = request.GET.get(NONCE_FIELD_NAME, '')
@@ -660,7 +706,9 @@ def continue_sso(request):
     if not login:
         return error_page(request, _('continue_sso: error loading login'), logger=logger)
     if not load_provider(request, login.remoteProviderId, server=login.server, autoload=True):
-        return error_page(request, _('continue_sso: unknown provider %s') % login.remoteProviderId, logger=logger)
+        return error_page(
+            request, _('continue_sso: unknown provider %s') % login.remoteProviderId, logger=logger
+        )
     if 'cancel' in request.GET:
         logger.debug('login canceled')
         set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
@@ -677,7 +725,8 @@ def continue_sso(request):
         login,
         consent_obtained=consent_obtained,
         consent_attribute_answer=consent_attribute_answer,
-        nid_format=nid_format)
+        nid_format=nid_format,
+    )
 
 
 def needs_persistence(nid_format):
@@ -691,6 +740,7 @@ def get_extensions(profile):
     element = ctree.fromstring(xml_string)
     return list(element)
 
+
 EO_NS = 'https://www.entrouvert.com/'
 LOGIN_HINT = '{%s}login-hint' % EO_NS
 
@@ -708,15 +758,21 @@ def get_login_hints_extension(profile):
     return hints
 
 
-def sso_after_process_request(request, login, consent_obtained=False,
-                              consent_attribute_answer=False, user=None,
-                              nid_format='transient', return_profile=False):
+def sso_after_process_request(
+    request,
+    login,
+    consent_obtained=False,
+    consent_attribute_answer=False,
+    user=None,
+    nid_format='transient',
+    return_profile=False,
+):
     """Common path for sso and idp_initiated_sso.
 
-       consent_obtained: whether the user has given his consent to this
-       federation
-       user: the user which must be federated, if None, current user is the
-       default.
+    consent_obtained: whether the user has given his consent to this
+    federation
+    user: the user which must be federated, if None, current user is the
+    default.
     """
     nonce = login.request.id
     user = user or request.user
@@ -729,10 +785,10 @@ def sso_after_process_request(request, login, consent_obtained=False,
 
     # check if user is authorized through this service
     service = LibertyServiceProvider.objects.get(
-        liberty_provider__entity_id=login.remoteProviderId).liberty_provider
+        liberty_provider__entity_id=login.remoteProviderId
+    ).liberty_provider
 
-    if not passive and \
-            (user.is_anonymous or (force_authn and not did_auth)):
+    if not passive and (user.is_anonymous or (force_authn and not did_auth)):
         logger.debug('login required')
         return need_login(request, login, nid_format, service)
 
@@ -752,10 +808,8 @@ def sso_after_process_request(request, login, consent_obtained=False,
         transient = True
 
     decisions = idp_signals.authorize_service.send(
-        sender=None,
-        request=request, user=request.user,
-        audience=login.remoteProviderId,
-        attributes={})
+        sender=None, request=request, user=request.user, audience=login.remoteProviderId, attributes={}
+    )
     logger.debug('signal authorize_service sent')
 
     # You don't dream. By default, access granted.
@@ -777,17 +831,13 @@ def sso_after_process_request(request, login, consent_obtained=False,
     if not access_granted:
         logger.debug('access denied, return answer to the requester')
         set_saml2_response_responder_status_code(
-            login.response,
-            lasso.SAML2_STATUS_CODE_REQUEST_DENIED,
-            msg=six.text_type(dic['message']))
+            login.response, lasso.SAML2_STATUS_CODE_REQUEST_DENIED, msg=six.text_type(dic['message'])
+        )
         return finish_sso(request, login)
 
     provider = load_provider(request, login.remoteProviderId, server=login.server)
     if not provider:
-        return error_page(
-            request,
-            _('Provider %s is unknown') % login.remoteProviderId,
-            logger=logger)
+        return error_page(request, _('Provider %s is unknown') % login.remoteProviderId, logger=logger)
     saml_policy = get_sp_options_policy(provider)
     if not saml_policy:
         return error_page(request, _('No service provider policy defined'), logger=logger)
@@ -850,8 +900,8 @@ def sso_after_process_request(request, login, consent_obtained=False,
     if needs_persistence(nid_format):
         try:
             LibertyFederation.objects.get(
-                user=request.user,
-                sp__liberty_provider__entity_id=login.remoteProviderId)
+                user=request.user, sp__liberty_provider__entity_id=login.remoteProviderId
+            )
             logger.debug('consent already given (existing federation) for %s', login.remoteProviderId)
             consent_obtained = True
             '''This is abusive since a federation may exist even if we have
@@ -862,18 +912,16 @@ def sso_after_process_request(request, login, consent_obtained=False,
 
     if not consent_obtained and not transient:
         logger.debug('signal avoid_consent sent')
-        avoid_consent = idp_signals.avoid_consent.send(sender=None,
-                                                       request=request,
-                                                       user=request.user,
-                                                       audience=login.remoteProviderId)
+        avoid_consent = idp_signals.avoid_consent.send(
+            sender=None, request=request, user=request.user, audience=login.remoteProviderId
+        )
         for c in avoid_consent:
             logger.debug('avoid_consent connected to function %s', c[0].__name__)
             if c[1] and 'avoid_consent' in c[1] and c[1]['avoid_consent']:
                 logger.debug('avoid consent by signal')
                 consent_obtained = True
                 # The user consent is bypassed by the signal
-                consent_value = \
-                    'urn:oasis:names:tc:SAML:2.0:consent:unspecified'
+                consent_value = 'urn:oasis:names:tc:SAML:2.0:consent:unspecified'
 
     if not consent_obtained and not transient:
         logger.debug('ask the user consent now')
@@ -939,9 +987,8 @@ def finish_sso(request, login, user=None, return_profile=False):
 def save_artifact(request, login):
     '''Remember an artifact message for later retrieving'''
     LibertyArtifact(
-        artifact=login.artifact,
-        content=force_text(login.artifactMessage),
-        provider_id=login.remoteProviderId).save()
+        artifact=login.artifact, content=force_text(login.artifactMessage), provider_id=login.remoteProviderId
+    ).save()
     logger.debug('artifact saved')
 
 
@@ -960,8 +1007,7 @@ def reload_artifact(login):
 @never_cache
 @csrf_exempt
 def artifact(request):
-    '''Resolve a SAMLv2 ArtifactResolve request
-    '''
+    """Resolve a SAMLv2 ArtifactResolve request"""
     soap_message = get_soap_message(request)
     server = create_server(request)
     login = lasso.Login(server)
@@ -984,10 +1030,7 @@ def artifact(request):
         logger.debug('resolve response %r', login.msgBody)
     except Exception:
         logger.exception('resolve error')
-        return soap_fault(
-            request,
-            faultcode='soap:Server',
-            faultstring='Internal Server Error')
+        return soap_fault(request, faultcode='soap:Server', faultstring='Internal Server Error')
     logger.debug('treatment ended, return answer')
     return return_saml_soap_response(login)
 
@@ -1001,8 +1044,7 @@ def check_delegated_authentication_permission(request):
 @csrf_exempt
 @login_required
 def idp_sso(request, provider_id=None, return_profile=False):
-    '''Initiate an SSO toward provider_id without a prior AuthnRequest
-    '''
+    """Initiate an SSO toward provider_id without a prior AuthnRequest"""
     if not provider_id:
         provider_id = request.POST.get('provider_id')
     if not provider_id:
@@ -1019,7 +1061,10 @@ def idp_sso(request, provider_id=None, return_profile=False):
             return error_redirect(
                 request,
                 N_('%r tried to log as %r on %r but was forbidden'),
-                request.user, username, provider_id)
+                request.user,
+                username,
+                provider_id,
+            )
         try:
             user = User.objects.get_by_natural_key(username=username)
         except User.DoesNotExist:
@@ -1053,9 +1098,14 @@ def idp_sso(request, provider_id=None, return_profile=False):
     logger.debug('binding %r', binding)
     logger.debug('authentication request initialized toward provider_id %r', provider_id)
 
-    return sso_after_process_request(request, login, consent_obtained=False,
-                                     user=user, nid_format=nid_format,
-                                     return_profile=return_profile)
+    return sso_after_process_request(
+        request,
+        login,
+        consent_obtained=False,
+        user=user,
+        nid_format=nid_format,
+        return_profile=return_profile,
+    )
 
 
 @never_cache
@@ -1072,8 +1122,7 @@ def finish_slo(request):
     logout = lasso.Logout.newFromDump(server, force_str(logout_dump))
     load_provider(request, logout.remoteProviderId, server=logout.server)
     # Clean all session
-    all_sessions = \
-        LibertySession.objects.filter(django_session_key=session_key)
+    all_sessions = LibertySession.objects.filter(django_session_key=session_key)
     try:
         logout.buildResponseMsg()
     except lasso.ProfileUnknownProfileUrlError:
@@ -1085,8 +1134,7 @@ def finish_slo(request):
         return redirect('auth_homepage')
     if all_sessions.exists():
         all_sessions.delete()
-        set_saml2_response_responder_status_code(logout.response,
-                                                 lasso.SAML2_STATUS_CODE_PARTIAL_LOGOUT)
+        set_saml2_response_responder_status_code(logout.response, lasso.SAML2_STATUS_CODE_PARTIAL_LOGOUT)
         logger.warning('partial logout')
         logout.buildResponseMsg()
     provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
@@ -1114,8 +1162,7 @@ def process_logout_request(request, message, binding):
     try:
         try:
             logout.processRequestMsg(force_str(message))
-        except (lasso.ServerProviderNotFoundError,
-                lasso.ProfileUnknownProviderError):
+        except (lasso.ServerProviderNotFoundError, lasso.ProfileUnknownProviderError):
             logger.debug('loading provider %s', logout.remoteProviderId)
             p = load_provider(request, logout.remoteProviderId, server=logout.server)
             if not p:
@@ -1169,12 +1216,14 @@ def logout_synchronous_other_backends(request, logout, django_sessions_keys):
 
 def get_only_last_session(issuer_id, provider_id, name_id, session_indexes):
     """Try to have a decent behaviour when receiving a logout request with
-       multiple session indexes.
+    multiple session indexes.
 
-       Enumerate all emitted assertions for the given session, and for each
-       provider only keep the more recent one.
+    Enumerate all emitted assertions for the given session, and for each
+    provider only keep the more recent one.
     """
-    lib_session1 = LibertySession.get_for_nameid_and_session_indexes(issuer_id, provider_id, name_id, session_indexes)
+    lib_session1 = LibertySession.get_for_nameid_and_session_indexes(
+        issuer_id, provider_id, name_id, session_indexes
+    )
     django_session_keys = [s.django_session_key for s in lib_session1]
     lib_session = LibertySession.objects.filter(django_session_key__in=django_session_keys)
     providers = set([s.provider_id for s in lib_session])
@@ -1190,16 +1239,18 @@ def get_only_last_session(issuer_id, provider_id, name_id, session_indexes):
 
 
 def build_session_dump(liberty_sessions):
-    '''Build a session dump from a list of pairs
-       (provider_id,assertion_content)'''
+    """Build a session dump from a list of pairs
+    (provider_id,assertion_content)"""
     session = [
         u'<Session xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
         u' xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2">',
     ]
     for liberty_session in liberty_sessions:
-        session.append(u'<NidAndSessionIndex ProviderID="{0.provider_id}" '
-                       u'AssertionID="xxx" '
-                       u'SessionIndex="{0.session_index}">'.format(liberty_session))
+        session.append(
+            u'<NidAndSessionIndex ProviderID="{0.provider_id}" '
+            u'AssertionID="xxx" '
+            u'SessionIndex="{0.session_index}">'.format(liberty_session)
+        )
         session.append(u'<saml:NameID Format="{0.name_id_format}" '.format(liberty_session))
         if liberty_session.name_id_qualifier:
             session.append(u'NameQualifier="{0.name_id_qualifier}" '.format(liberty_session))
@@ -1214,8 +1265,8 @@ def build_session_dump(liberty_sessions):
 
 
 def set_session_dump_from_liberty_sessions(profile, lib_sessions):
-    '''Extract all assertion from a list of lib_sessions, and create a session
-    dump from them'''
+    """Extract all assertion from a list of lib_sessions, and create a session
+    dump from them"""
     session_dump = build_session_dump(lib_sessions)
     profile.setSessionFromDump(session_dump)
 
@@ -1237,8 +1288,7 @@ def slo_soap(request):
         return error
 
     try:
-        provider = \
-            LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
+        provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
     except ObjectDoesNotExist:
         logger.warning('provider %r unknown', logout.remoteProviderId)
         return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
@@ -1255,7 +1305,8 @@ def slo_soap(request):
         logout.server.providerId,
         logout.remoteProviderId,
         logout.request.nameId,
-        logout.request.sessionIndexes)
+        logout.request.sessionIndexes,
+    )
     if not found:
         logger.debug('no third SP session found')
     else:
@@ -1278,16 +1329,20 @@ def slo_soap(request):
         try:
             logout.validateRequest()
         except lasso.LogoutUnsupportedProfileError:
-            '''
-                If one provider does not support SLO by SOAP,
-                continue with others!
-            '''
-            logger.warning('one provider does not support SOAP among %s', [s.provider_id for s in lib_sessions])
+            """
+            If one provider does not support SLO by SOAP,
+            continue with others!
+            """
+            logger.warning(
+                'one provider does not support SOAP among %s', [s.provider_id for s in lib_sessions]
+            )
         except Exception as e:
             logger.warning('slo, unknown error %s', e)
             logout.buildResponseMsg()
             provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
-            return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
+            return return_saml2_response(
+                request, logout, title=_('You are being redirected to "%s"') % provider.name
+            )
         for lib_session in lib_sessions:
             try:
                 logger.debug('slo, relaying logout to provider %s', lib_session.provider_id)
@@ -1323,16 +1378,14 @@ def slo_soap(request):
 @never_cache
 @csrf_exempt
 def slo(request):
-    """Endpoint for receiving SLO by POST, Redirect.
-    """
+    """Endpoint for receiving SLO by POST, Redirect."""
     message = get_saml2_request_message_async_binding(request)
     logout, response = process_logout_request(request, message, request.method)
     if response:
         return response
 
     try:
-        provider = \
-            LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
+        provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
     except ObjectDoesNotExist:
         logger.debug('provider %r unknown', logout.remoteProviderId)
         return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
@@ -1354,16 +1407,22 @@ def slo(request):
         logger.warning('signature error %s', e)
         logout.buildResponseMsg()
         provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
-        return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
+        return return_saml2_response(
+            request, logout, title=_('You are being redirected to "%s"') % provider.name
+        )
     except (lasso.ProfileInvalidMsgError, lasso.ProfileMissingIssuerError):
         return error_page(request, _('Invalid logout request'), logger=logger, warning=True)
     session_indexes = logout.request.sessionIndexes
     if len(session_indexes) == 0:
-        logger.warning('slo received a request from %s without any SessionIndex, it is forbidden',
-                       logout.remoteProviderId)
+        logger.warning(
+            'slo received a request from %s without any SessionIndex, it is forbidden',
+            logout.remoteProviderId,
+        )
         logout.buildResponseMsg()
         provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
-        return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
+        return return_saml2_response(
+            request, logout, title=_('You are being redirected to "%s"') % provider.name
+        )
     logger.debug('asynchronous slo from %s', logout.remoteProviderId)
     # Filter sessions
     if not logout.request.nameId:
@@ -1373,7 +1432,8 @@ def slo(request):
         logout.server.providerId,
         logout.remoteProviderId,
         logout.request.nameId,
-        logout.request.sessionIndexes)
+        logout.request.sessionIndexes,
+    )
     if not all_sessions.exists():
         logger.warning('slo refused, since no session exists with the requesting provider')
         return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION)
@@ -1390,8 +1450,8 @@ def slo(request):
         return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR)
     # Now clean sessions for this provider
     LibertySession.objects.filter(
-        provider_id=logout.remoteProviderId,
-        django_session_key=request.session.session_key).delete()
+        provider_id=logout.remoteProviderId, django_session_key=request.session.session_key
+    ).delete()
     # Save some values for cleaning up
     save_key_values(logout.request.id, force_text(logout.dump()), request.session.session_key)
 
@@ -1451,15 +1511,14 @@ def idp_slo(request, provider_id=None):
         return redirect_next(request, next) or ko_icon(request)
 
     lib_sessions = LibertySession.objects.filter(
-        django_session_key=request.session.session_key,
-        provider_id=provider_id)
+        django_session_key=request.session.session_key, provider_id=provider_id
+    )
     if lib_sessions:
         logger.debug('%d lib_sessions found', lib_sessions.count())
         set_session_dump_from_liberty_sessions(logout, [lib_sessions[0]])
     try:
         logout.initRequest(provider_id, policy.http_method_for_slo_request)
-    except (lasso.ProfileMissingAssertionError,
-            lasso.ProfileSessionNotFoundError):
+    except (lasso.ProfileMissingAssertionError, lasso.ProfileSessionNotFoundError):
         logger.debug('slo failed because no sessions exists for %r', provider_id)
         return redirect_next(request, next) or ko_icon(request)
     if all is not None:
@@ -1496,8 +1555,8 @@ def process_logout_response(request, logout, soap_response, next):
         logger.warning('slo error: %s', e)
     else:
         LibertySession.objects.filter(
-            django_session_key=request.session.session_key,
-            provider_id=logout.remoteProviderId).delete()
+            django_session_key=request.session.session_key, provider_id=logout.remoteProviderId
+        ).delete()
         logger.debug('deleted session to %s', logout.remoteProviderId)
     return redirect_next(request, next) or ok_icon(request)
 
@@ -1509,8 +1568,7 @@ def slo_return(request):
         return error_redirect(request, N_('slo no relay state in response'), default_url=icon_url('ko'))
     logger.debug('relay_state %r', relay_state)
     try:
-        logout_dump, provider_id, next = \
-            get_and_delete_key_values(relay_state)
+        logout_dump, provider_id, next = get_and_delete_key_values(relay_state)
     except KeyError:
         return error_redirect(request, N_('unknown relay state %r'), relay_state, default_url=icon_url('ko'))
     server = create_server(request)
@@ -1526,6 +1584,7 @@ def slo_return(request):
         logger.warning('failed to load provider %s', provider_id)
     return process_logout_response(request, logout, get_saml2_query_request(request), next)
 
+
 # Helpers
 
 # Mapping to generate the metadata file, must be kept in sync with the url
@@ -1542,11 +1601,11 @@ def get_options():
 
 
 def create_server(request, provider_id=None):
-    '''Build a lasso.Server object using current settings for the IdP
+    """Build a lasso.Server object using current settings for the IdP
 
     The built lasso.Server is cached for later use it should work until
     multithreading is used, then thread local storage should be used.
-    '''
+    """
     options = get_options()
     __cached_server = create_saml2_server(request, idp_map=metadata_map, options=options)
     return __cached_server
@@ -1581,11 +1640,11 @@ def check_destination(request, req_or_res):
 
 
 def error_redirect(request, msg, *args, **kwargs):
-    '''Log a warning message, register it with the messages framework, then
-       redirect the user to the homepage.
+    """Log a warning message, register it with the messages framework, then
+    redirect the user to the homepage.
 
-       It will redirect to Authentic2 homepage unless a next query parameter was used.
-    '''
+    It will redirect to Authentic2 homepage unless a next query parameter was used.
+    """
     default_kwargs = {
         'log_level': logging.WARNING,
         'msg_level': messages.WARNING,
diff --git a/src/authentic2/idp/saml/urls.py b/src/authentic2/idp/saml/urls.py
index cc8c309a..de2b9d12 100644
--- a/src/authentic2/idp/saml/urls.py
+++ b/src/authentic2/idp/saml/urls.py
@@ -17,10 +17,18 @@
 from django.conf.urls import url
 
 from . import views
-from authentic2.idp.saml.saml2_endpoints import (metadata, sso, continue_sso,
-                                                 slo, slo_soap, idp_slo,
-                                                 slo_return, finish_slo,
-                                                 artifact, idp_sso)
+from authentic2.idp.saml.saml2_endpoints import (
+    metadata,
+    sso,
+    continue_sso,
+    slo,
+    slo_soap,
+    idp_slo,
+    slo_return,
+    finish_slo,
+    artifact,
+    idp_sso,
+)
 
 urlpatterns = [
     url(r'^metadata$', metadata, name='a2-idp-saml-metadata'),
@@ -33,15 +41,8 @@ urlpatterns = [
     url(r'^finish_slo$', finish_slo, name='a2-idp-saml-finish-slo'),
     url(r'^artifact$', artifact, name='a2-idp-saml-artifact'),
     # legacy endpoint, now it's prefered to pass the entity_id in a parameter
-    url(r'^idp_sso/(.+)$',
-        idp_sso, name='a2-idp-saml-idp-sso-named'),
-    url(r'^idp_sso/$',
-        idp_sso,
-        name='a2-idp-saml2-idp-sso'),
-    url(r'^federations/create/(?P<pk>\d+)/$',
-        views.create_federation,
-        name='a2-idp-saml2-federation-create'),
-    url(r'^federations/(?P<pk>\d+)/delete/$',
-        views.delete_federation,
-        name='a2-idp-saml2-federation-delete'),
+    url(r'^idp_sso/(.+)$', idp_sso, name='a2-idp-saml-idp-sso-named'),
+    url(r'^idp_sso/$', idp_sso, name='a2-idp-saml2-idp-sso'),
+    url(r'^federations/create/(?P<pk>\d+)/$', views.create_federation, name='a2-idp-saml2-federation-create'),
+    url(r'^federations/(?P<pk>\d+)/delete/$', views.delete_federation, name='a2-idp-saml2-federation-delete'),
 ]
diff --git a/src/authentic2/idp/saml/views.py b/src/authentic2/idp/saml/views.py
index fab8fd2d..e267932e 100644
--- a/src/authentic2/idp/saml/views.py
+++ b/src/authentic2/idp/saml/views.py
@@ -41,8 +41,7 @@ class FederationDeleteView(DeleteView):
         self.object = self.get_object()
         self.object.user = None
         self.object.save()
-        messages.info(request, _('Federation to {0} deleted').format(
-            self.object.sp.liberty_provider.name))
+        messages.info(request, _('Federation to {0} deleted').format(self.object.sp.liberty_provider.name))
         return HttpResponseRedirect(self.get_success_url())
 
     def get_success_url(self):
diff --git a/src/authentic2/idp/urls.py b/src/authentic2/idp/urls.py
index 9c560768..b8f7c578 100644
--- a/src/authentic2/idp/urls.py
+++ b/src/authentic2/idp/urls.py
@@ -18,6 +18,5 @@ from django.conf.urls import url
 from authentic2.idp.interactions import consent_federation
 
 urlpatterns = [
-    url(r'^consent_federation', consent_federation,
-        name='a2-consent-federation'),
+    url(r'^consent_federation', consent_federation, name='a2-consent-federation'),
 ]
diff --git a/src/authentic2/journal_event_types.py b/src/authentic2/journal_event_types.py
index b1164582..27c1a56f 100644
--- a/src/authentic2/journal_event_types.py
+++ b/src/authentic2/journal_event_types.py
@@ -53,7 +53,9 @@ class EventTypeWithHow(EventTypeWithService):
         super().record(user=user, session=session, service=service, data={'how': how})
 
     @classmethod
-    def get_method_statistics(cls, group_by_time, service=None, services_ou=None, users_ou=None, start=None, end=None):
+    def get_method_statistics(
+        cls, group_by_time, service=None, services_ou=None, users_ou=None, start=None, end=None
+    ):
         if services_ou and not service:
             service = Service.objects.filter(ou=services_ou)
 
@@ -63,7 +65,7 @@ class EventTypeWithHow(EventTypeWithService):
             which_references=service,
             users_ou=users_ou,
             start=start,
-            end=end
+            end=end,
         )
         stats = Statistics(qs, time_interval=group_by_time)
 
diff --git a/src/authentic2/log_filters.py b/src/authentic2/log_filters.py
index fba18806..b8bf29f1 100644
--- a/src/authentic2/log_filters.py
+++ b/src/authentic2/log_filters.py
@@ -24,11 +24,12 @@ class RequestContextFilter(logging.Filter):
     DEFAULT_REQUEST_ID = '-'
 
     def filter(self, record):
-        '''Add username, ip and request ID to the log record.
+        """Add username, ip and request ID to the log record.
 
-           Inspired by django-log-request-id
-        '''
+        Inspired by django-log-request-id
+        """
         from . import middleware
+
         request = record.request = getattr(record, 'request', middleware.StoreRequestMiddleware.get_request())
         if not hasattr(request, 'META'):
             record.request = None
diff --git a/src/authentic2/logger.py b/src/authentic2/logger.py
index fba62579..a4d91cd4 100644
--- a/src/authentic2/logger.py
+++ b/src/authentic2/logger.py
@@ -19,8 +19,7 @@ import logging
 
 class SettingsLogLevel(int):
     def __new__(cls, default_log_level, debug_setting='DEBUG'):
-        return super(SettingsLogLevel, cls).__new__(
-            cls, getattr(logging, default_log_level))
+        return super(SettingsLogLevel, cls).__new__(cls, getattr(logging, default_log_level))
 
     def __init__(self, default_log_level, debug_setting='DEBUG'):
         self.debug_setting = debug_setting
@@ -32,15 +31,18 @@ class DjangoLogger(logging.getLoggerClass()):
         level = super(DjangoLogger, self).getEffectiveLevel()
         if isinstance(level, SettingsLogLevel):
             from django.conf import settings
+
             debug = getattr(settings, level.debug_setting, False)
             if debug:
                 return logging.DEBUG
         return level
 
+
 logging.setLoggerClass(DjangoLogger)
 
 
 class DjangoRootLogger(DjangoLogger, logging.RootLogger):
     pass
 
+
 logging.root.__class__ = DjangoRootLogger
diff --git a/src/authentic2/management/commands/check-and-repair.py b/src/authentic2/management/commands/check-and-repair.py
index d7a3440b..47131da0 100644
--- a/src/authentic2/management/commands/check-and-repair.py
+++ b/src/authentic2/management/commands/check-and-repair.py
@@ -35,6 +35,7 @@ from django_rbac.utils import get_operation
 
 from authentic2 import app_settings
 from authentic2.a2_rbac.models import OrganizationalUnit as OU, Role, Permission
+
 try:
     from authentic2.a2_rbac.models import MANAGE_MEMBERS_OP
 except ImportError:
@@ -83,15 +84,11 @@ class Command(BaseCommand):
     help = 'Check and repair authentic2 datas'
 
     def add_arguments(self, parser):
-        parser.add_argument('--repair', action='store_true',
-                            help='repair what\'s broken', default=False)
-        parser.add_argument('--noinput', action='store_true',
-                            help='do not ask questions', default=False)
-        parser.add_argument('--fake', action='store_true',
-                            help='fake repair', default=False)
+        parser.add_argument('--repair', action='store_true', help='repair what\'s broken', default=False)
+        parser.add_argument('--noinput', action='store_true', help='do not ask questions', default=False)
+        parser.add_argument('--fake', action='store_true', help='fake repair', default=False)
         if MULTITENANT:
-            parser.add_argument('-d', '--domain', dest='domain_name',
-                                help='specify tenant domain name')
+            parser.add_argument('-d', '--domain', dest='domain_name', help='specify tenant domain name')
         for key in dir(self):
             if not key.startswith('check_'):
                 continue
@@ -100,11 +97,13 @@ class Command(BaseCommand):
             method = getattr(self, key)
             if callable(method) and method.__name__.startswith('check_'):
                 slug = method.__name__.replace('_', '-')
-                parser.add_argument('--no-%s' % slug,
-                                    action='store_false',
-                                    default=True,
-                                    dest=method.__name__,
-                                    help='disable check %s' % slug)
+                parser.add_argument(
+                    '--no-%s' % slug,
+                    action='store_false',
+                    default=True,
+                    dest=method.__name__,
+                    help='disable check %s' % slug,
+                )
 
     def handle(self, verbosity=0, repair=False, noinput=False, fake=False, domain_name=None, **options):
         self.verbosity = verbosity
@@ -162,14 +161,14 @@ class Command(BaseCommand):
     @atomic
     def check_and_repair(self, options):
         for method in [
-                self.check_roles_with_lost_admin_scope,
-                self.check_duplicate_manage_members_permissions,
-                self.check_duplicate_permissions,
-                self.check_unused_permissions,
-                self.check_instance_permission_ou,
-                self.check_admin_roles_ou,
-                self.check_manager_of_roles,
-                self.check_identifiers_uniqueness,
+            self.check_roles_with_lost_admin_scope,
+            self.check_duplicate_manage_members_permissions,
+            self.check_duplicate_permissions,
+            self.check_unused_permissions,
+            self.check_instance_permission_ou,
+            self.check_admin_roles_ou,
+            self.check_manager_of_roles,
+            self.check_identifiers_uniqueness,
         ]:
             if not options[method.__name__]:
                 continue
@@ -203,12 +202,9 @@ class Command(BaseCommand):
 
         used_permission_ids = set()
         used_permission_ids.update(
-            Role.objects.filter(
-                admin_scope_ct=permission_ct).values_list(
-                    'admin_scope_id', flat=True))
-        used_permission_ids.update(
-            Role.permissions.through.objects.values_list(
-                'permission_id', flat=True))
+            Role.objects.filter(admin_scope_ct=permission_ct).values_list('admin_scope_id', flat=True)
+        )
+        used_permission_ids.update(Role.permissions.through.objects.values_list('permission_id', flat=True))
 
         qs = Permission.objects.exclude(id__in=used_permission_ids)
         count = qs.count()
@@ -231,8 +227,7 @@ class Command(BaseCommand):
         manage_members_op = get_operation(MANAGE_MEMBERS_OP)
         permissions = Permission.objects.exclude(target_ct=ct_ct).filter(operation=manage_members_op)
         targets_with_duplicates = set(
-            permissions
-            .values_list('operation_id', 'target_ct_id', 'target_id')
+            permissions.values_list('operation_id', 'target_ct_id', 'target_id')
             .annotate(count=Count(('operation_id', 'target_ct_id', 'target_id')))
             .filter(count__gt=1)
             .values_list('operation_id', 'target_ct_id', 'target_id')
@@ -243,17 +238,24 @@ class Command(BaseCommand):
                 for operation_id, target_ct_id, target_id in targets_with_duplicates:
                     qs = Permission.objects.filter(target_ct_id=target_ct_id, target_id=target_id)
                     for perm in qs:
-                        linked_admin_role = Role.objects.get(admin_scope_ct=permission_ct, admin_scope_id=perm.id)
-                    target = ContentType.objects.get_for_id(target_ct_id).model_class().objects.get(pk=target_id)
+                        linked_admin_role = Role.objects.get(
+                            admin_scope_ct=permission_ct, admin_scope_id=perm.id
+                        )
+                    target = (
+                        ContentType.objects.get_for_id(target_ct_id).model_class().objects.get(pk=target_id)
+                    )
                     self.notice(' - %s: [%s]', target, '; '.join(map(str, qs)))
             if self.do_repair():
                 self.notice('Deleting duplicate manage members permissions...', ending=' ')
                 for operation_id, target_ct_id, target_id in targets_with_duplicates:
-                    qs = Permission.objects.filter(target_ct_id=target_ct_id, target_id=target_id).order_by('id')
+                    qs = Permission.objects.filter(target_ct_id=target_ct_id, target_id=target_id).order_by(
+                        'id'
+                    )
                     role_perms = []
                     for perm in qs:
                         linked_admin_role = Role.objects.filter(
-                            admin_scope_ct=permission_ct, admin_scope_id=perm.id).first()
+                            admin_scope_ct=permission_ct, admin_scope_id=perm.id
+                        ).first()
                         if linked_admin_role:
                             role_perms.append((perm, linked_admin_role))
                         else:
@@ -276,8 +278,7 @@ class Command(BaseCommand):
         ct_ct = ContentType.objects.get_for_model(ContentType)
         permissions = Permission.objects.exclude(target_ct=ct_ct)
         targets_with_duplicates = set(
-            permissions
-            .values_list('operation_id', 'target_ct_id', 'target_id')
+            permissions.values_list('operation_id', 'target_ct_id', 'target_id')
             .annotate(count=Count(('operation_id', 'target_ct_id', 'target_id')))
             .filter(count__gt=1)
             .values_list('operation_id', 'target_ct_id', 'target_id')
@@ -287,14 +288,20 @@ class Command(BaseCommand):
             if self.repair:
                 for operation_id, target_ct_id, target_id in targets_with_duplicates:
                     qs = Permission.objects.filter(
-                        operation_id=operation_id, target_ct_id=target_ct_id, target_id=target_id)
-                    target = ContentType.objects.get_for_id(target_ct_id).model_class().objects.get(pk=target_id)
+                        operation_id=operation_id, target_ct_id=target_ct_id, target_id=target_id
+                    )
+                    target = (
+                        ContentType.objects.get_for_id(target_ct_id).model_class().objects.get(pk=target_id)
+                    )
                     self.notice(' - %s: [%s]', target, '; '.join(map(str, qs)))
             if self.do_repair():
                 self.notice('Deleting duplicate permissions...', ending=' ')
                 for operation_id, target_ct_id, target_id in targets_with_duplicates:
-                    qs = list(Permission.objects.filter(
-                        operation_id=operation_id, target_ct_id=target_ct_id, target_id=target_id).order_by('id'))
+                    qs = list(
+                        Permission.objects.filter(
+                            operation_id=operation_id, target_ct_id=target_ct_id, target_id=target_id
+                        ).order_by('id')
+                    )
                     first_perm = qs[0]
                     for perm in qs[1:]:
                         perm.delete()
@@ -322,9 +329,11 @@ class Command(BaseCommand):
         for ou in OU.objects.all():
             roles = Role.objects.exclude(admin_scope_ct=permission_ct).filter(ou=ou)
             permissions = Permission.objects.filter(
-                operation=manage_members_op, target_ct=role_ct, target_id__in=roles.values_list('id'))
+                operation=manage_members_op, target_ct=role_ct, target_id__in=roles.values_list('id')
+            )
             wrong_ou_roles = Role.objects.filter(
-                admin_scope_ct=permission_ct, admin_scope_id__in=permissions.values_list('id')).exclude(ou=ou)
+                admin_scope_ct=permission_ct, admin_scope_id__in=permissions.values_list('id')
+            ).exclude(ou=ou)
             if wrong_ou_roles:
                 self.warning('Found %4d admin role with wrong ou in ou %s', wrong_ou_roles.count(), ou)
                 roles_to_fix[ou] = wrong_ou_roles
@@ -347,11 +356,15 @@ class Command(BaseCommand):
         roles = Role.objects.exclude(slug__startswith='_a2-managers-of-role-')
 
         for role in roles:
-            manager_perms = Permission.objects.filter(operation__in=operations, target_ct=role_ct, target_id=role.id)
+            manager_perms = Permission.objects.filter(
+                operation__in=operations, target_ct=role_ct, target_id=role.id
+            )
             manager_perms_ids = manager_perms.values_list('id', flat=True)
-            manager_roles = Role.objects.filter(slug__startswith='_a2-managers-of-role-',
-                                                admin_scope_ct=permission_ct,
-                                                admin_scope_id__in=manager_perms_ids)
+            manager_roles = Role.objects.filter(
+                slug__startswith='_a2-managers-of-role-',
+                admin_scope_ct=permission_ct,
+                admin_scope_id__in=manager_perms_ids,
+            )
             role_shown = False
             to_delete = []
             to_change_ou = []
@@ -362,7 +375,10 @@ class Command(BaseCommand):
                     if list(manager_roles)[0].ou != role.ou:
                         self.warning(
                             '- "%s" detected wrong ou, should be "%s" and is "%s"',
-                            admin_role, role.ou, admin_role.ou)
+                            admin_role,
+                            role.ou,
+                            admin_role.ou,
+                        )
                         to_change_ou.append((admin_role, role.ou))
                     continue
                 add_members = set()
@@ -374,8 +390,8 @@ class Command(BaseCommand):
                     direct_members = manager_role.members.all()
                     direct_members_count = direct_members.count()
                     direct_children = Role.objects.filter(
-                        parent_relation__parent=manager_role,
-                        parent_relation__direct=True)
+                        parent_relation__parent=manager_role, parent_relation__direct=True
+                    )
                     direct_children_count = direct_children.count()
                     show = members_count or self.verbosity > 1
                     if show:
@@ -384,8 +400,8 @@ class Command(BaseCommand):
                             self.notice('- "%s" has problematic manager roles', role)
                         self.warning('  - %s', manager_role, ending=' ')
                     direct_parents = Role.objects.filter(
-                        child_relation__child=manager_role,
-                        child_relation__direct=True)
+                        child_relation__child=manager_role, child_relation__direct=True
+                    )
                     if show:
                         self.warning('DELETE', ending=' ')
                     to_delete.append(manager_role)
@@ -439,8 +455,7 @@ class Command(BaseCommand):
             if not admin_role.admin_scope:
                 self.warning('invalid admin role "%s": no admin scope', admin_role)
             admin_permissions = (
-                admin_role.permissions
-                .filter(operation__in=operations, target_ct=role_ct)
+                admin_role.permissions.filter(operation__in=operations, target_ct=role_ct)
                 .select_related('ou')
                 .prefetch_related('target__ou')
             )
@@ -453,27 +468,40 @@ class Command(BaseCommand):
                     self.notice(' - %s', admin_permission)
             for admin_permission in admin_permissions:
                 if MANAGE_MEMBERS_OP and admin_permission.operation != manage_members_op:
-                    self.warning('invalid admin role "%s" invalid permission "%s": not manage_members operation',
-                                 admin_role, admin_permission)
+                    self.warning(
+                        'invalid admin role "%s" invalid permission "%s": not manage_members operation',
+                        admin_role,
+                        admin_permission,
+                    )
                 if not (
-                        (admin_permission.target != admin_role and admin_permission == admin_role.admin_scope)
-                        or (admin_permission.target == admin_role)):
+                    (admin_permission.target != admin_role and admin_permission == admin_role.admin_scope)
+                    or (admin_permission.target == admin_role)
+                ):
                     self.warning(
                         'invalid admin role "%s" invalid permission "%s": '
                         'not admin_scope and not self manage permission',
-                        admin_role, admin_permission)
+                        admin_role,
+                        admin_permission,
+                    )
                 if admin_permission.ou is not None:
-                    self.warning('invalid admin role "%s" invalid permission "%s": wrong ou "%s"',
-                                 admin_role, admin_permission, admin_permission.ou)
+                    self.warning(
+                        'invalid admin role "%s" invalid permission "%s": wrong ou "%s"',
+                        admin_role,
+                        admin_permission,
+                        admin_permission.ou,
+                    )
                     admin_permission.target.get_admin_role()
                 if admin_permission.target.ou != admin_role.ou:
-                    self.warning('invalid admin role "%s" wrong ou, should be "%s" is "%s"',
-                                 admin_role, admin_permission.target.ou, admin_role.ou)
+                    self.warning(
+                        'invalid admin role "%s" wrong ou, should be "%s" is "%s"',
+                        admin_role,
+                        admin_permission.target.ou,
+                        admin_role.ou,
+                    )
 
     def duplicate_emails(self, user_qs):
         return (
-            user_qs
-            .order_by()
+            user_qs.order_by()
             .values(iemail=Lower('email'))
             .annotate(count_id=Count('id'))
             .filter(count_id__gt=1)
@@ -483,8 +511,7 @@ class Command(BaseCommand):
 
     def duplicate_username(self, user_qs):
         return (
-            user_qs
-            .order_by()
+            user_qs.order_by()
             .values('username')
             .exclude(Q(username__isnull=True) | Q(username=''))
             .annotate(count_id=Count('id'))
@@ -519,15 +546,20 @@ class Command(BaseCommand):
             self.notice('  * "%s" %s ', user.get_full_name(), user, ending=' ')
             self.notice('(created %s', localtime(user.date_joined).strftime('%Y-%m-%dT%H:%M:%S'), ending=' ')
             if user.last_login:
-                self.notice(', last login %s', localtime(user.last_login).strftime('%Y-%m-%dT%H:%M:%S'), ending='')
+                self.notice(
+                    ', last login %s', localtime(user.last_login).strftime('%Y-%m-%dT%H:%M:%S'), ending=''
+                )
             else:
                 self.notice(', never logged in', ending='')
             external_ids = list(user.userexternalid_set.all())
             if external_ids:
                 self.notice(
                     ', external-ids: %s',
-                    ', '.join(external_id.source + '#' + external_id.external_id for external_id in external_ids),
-                    ending='')
+                    ', '.join(
+                        external_id.source + '#' + external_id.external_id for external_id in external_ids
+                    ),
+                    ending='',
+                )
             self.notice(')')
 
     def _check_username_uniqueness(self, qs, msg):
diff --git a/src/authentic2/management/commands/clean-unused-accounts.py b/src/authentic2/management/commands/clean-unused-accounts.py
index a7e595fe..67b3a574 100644
--- a/src/authentic2/management/commands/clean-unused-accounts.py
+++ b/src/authentic2/management/commands/clean-unused-accounts.py
@@ -66,9 +66,7 @@ class Command(BaseCommand):
         # exclude user from LDAP directories based on their source name (or realm)
         realms = [block['realm'] for block in LDAPBackend.get_config() if block.get('realm')]
         self.user_qs = (
-            User.objects.all()
-            .exclude(oidc_account__isnull=False)
-            .exclude(userexternalid__source__in=realms)
+            User.objects.all().exclude(oidc_account__isnull=False).exclude(userexternalid__source__in=realms)
         )
 
         translation.activate(settings.LANGUAGE_CODE)
@@ -99,12 +97,14 @@ class Command(BaseCommand):
             inactive_users_to_delete = inactive_users.filter(
                 last_login__lte=self.now - deletion_delay,
                 # ensure respect of alert delay before deletion
-                last_account_deletion_alert__lte=self.now - (deletion_delay - alert_delay)
+                last_account_deletion_alert__lte=self.now - (deletion_delay - alert_delay),
             )
             for user in inactive_users_to_delete:
                 logger.info(
-                    '%s last login more than %d days ago, deleting user', user,
-                    ou.clean_unused_accounts_deletion)
+                    '%s last login more than %d days ago, deleting user',
+                    user,
+                    ou.clean_unused_accounts_deletion,
+                )
                 self.delete_user(user)
 
     def send_alert(self, user, days_to_deletion):
@@ -128,6 +128,7 @@ class Command(BaseCommand):
 
                 def send_mail():
                     send_templated_mail(email, prefix, ctx)
+
                 transaction.on_commit(send_mail)
 
     def delete_user(self, user):
diff --git a/src/authentic2/management/commands/deactivate-orphaned-ldap-users.py b/src/authentic2/management/commands/deactivate-orphaned-ldap-users.py
index dbc07eef..951fc726 100644
--- a/src/authentic2/management/commands/deactivate-orphaned-ldap-users.py
+++ b/src/authentic2/management/commands/deactivate-orphaned-ldap-users.py
@@ -20,6 +20,5 @@ from authentic2.backends.ldap_backend import LDAPBackend
 
 
 class Command(BaseCommand):
-
     def handle(self, *args, **kwargs):
         LDAPBackend.deactivate_orphaned_users()
diff --git a/src/authentic2/management/commands/export_site.py b/src/authentic2/management/commands/export_site.py
index 9cd533f2..2f075e07 100644
--- a/src/authentic2/management/commands/export_site.py
+++ b/src/authentic2/management/commands/export_site.py
@@ -26,8 +26,9 @@ class Command(BaseCommand):
     help = 'Export site'
 
     def add_arguments(self, parser):
-        parser.add_argument('--output', metavar='FILE', default=None,
-                            help='name of a file to write output to')
+        parser.add_argument(
+            '--output', metavar='FILE', default=None, help='name of a file to write output to'
+        )
 
     def handle(self, *args, **options):
         if options['output']:
diff --git a/src/authentic2/management/commands/import_site.py b/src/authentic2/management/commands/import_site.py
index d18bd28b..9ef8b7bf 100644
--- a/src/authentic2/management/commands/import_site.py
+++ b/src/authentic2/management/commands/import_site.py
@@ -47,6 +47,7 @@ def create_context_args(options):
 def provision_contextm(dry_run, settings):
     if dry_run and 'hobo.agent.authentic2' in settings.INSTALLED_APPS:
         import hobo.agent.authentic2
+
         with hobo.agent.authentic2.provisionning.Provisionning():
             yield
     else:
@@ -57,16 +58,23 @@ class Command(BaseCommand):
     help = 'Import site'
 
     def add_arguments(self, parser):
+        parser.add_argument('filename', metavar='FILENAME', type=str, help='name of file to import')
         parser.add_argument(
-            'filename', metavar='FILENAME', type=str, help='name of file to import')
-        parser.add_argument(
-            '--dry-run', action='store_true', dest='dry_run',
-            help='Do not actually perform the import')
+            '--dry-run', action='store_true', dest='dry_run', help='Do not actually perform the import'
+        )
         parser.add_argument(
-            '-o', '--option', action='append', help='Import context options',
+            '-o',
+            '--option',
+            action='append',
+            help='Import context options',
             choices=[
-                'role-delete-orphans', 'ou-delete-orphans', 'no-role-permissions-update',
-                'no-role-attributes-update', 'no-role-parentings-update'])
+                'role-delete-orphans',
+                'ou-delete-orphans',
+                'no-role-permissions-update',
+                'no-role-attributes-update',
+                'no-role-parentings-update',
+            ],
+        )
 
     def handle(self, filename, **options):
         translation.activate(settings.LANGUAGE_CODE)
diff --git a/src/authentic2/management/commands/load-ldif.py b/src/authentic2/management/commands/load-ldif.py
index e65744c5..d3687a29 100644
--- a/src/authentic2/management/commands/load-ldif.py
+++ b/src/authentic2/management/commands/load-ldif.py
@@ -77,8 +77,11 @@ class DjangoUserLDIFParser(ldif.LDIFParser):
         if self.callback:
             m.extend(self.callback(u, dn, entry, self.options, d))
         if 'username' not in d:
-            self.log.warning('cannot load dn %s, username cannot be initialized from the field %s',
-                             dn, self.options['username'])
+            self.log.warning(
+                'cannot load dn %s, username cannot be initialized from the field %s',
+                dn,
+                self.options['username'],
+            )
             return
         try:
             old = User.objects.get(username=d['username'])
@@ -97,7 +100,6 @@ class DjangoUserLDIFParser(ldif.LDIFParser):
 
 
 class ExtraAttributeAction(argparse.Action):
-
     def __call__(self, parser, namespace, values, option_string=None):
         ldap_attribute, django_attribute = values
         try:
@@ -111,39 +113,38 @@ class ExtraAttributeAction(argparse.Action):
 
 class Command(BaseCommand):
     '''Load LDAP ldif file'''
+
     can_import_django_settings = True
     requires_system_checks = True
     help = 'Load/update LDIF files as users'
 
     def add_arguments(self, parser):
         parser.add_argument('ldif_file', nargs='+')
-        parser.add_argument(
-            '--first-name', default='givenName', help='attribute used to set the first name')
-        parser.add_argument(
-            '--last-name', default='sn', help='attribute used to set the last name')
+        parser.add_argument('--first-name', default='givenName', help='attribute used to set the first name')
+        parser.add_argument('--last-name', default='sn', help='attribute used to set the last name')
         parser.add_argument('--email', default='mail', help='attribute used to set the email')
         parser.add_argument('--username', default='uid', help='attribute used to set the username')
         parser.add_argument(
-            '--password', default='userPassword',
-            help='attribute to extract the password from, '
-                 'OpenLDAP hashing algorithm are recognized'
+            '--password',
+            default='userPassword',
+            help='attribute to extract the password from, ' 'OpenLDAP hashing algorithm are recognized',
         )
+        parser.add_argument('--object-class', default='inetOrgPerson', help='object class of records to load')
         parser.add_argument(
-            '--object-class', default='inetOrgPerson', help='object class of records to load')
-        parser.add_argument(
-            '--extra-attribute', default={}, action=ExtraAttributeAction, nargs=2,
-            help='object class of records to load'
-        )
-        parser.add_argument(
-            '--result', default=None, help='file to store a JSON log of created users')
-        parser.add_argument(
-            '--fake', action='store_true', help='file to store a JSON log of created users'
+            '--extra-attribute',
+            default={},
+            action=ExtraAttributeAction,
+            nargs=2,
+            help='object class of records to load',
         )
+        parser.add_argument('--result', default=None, help='file to store a JSON log of created users')
+        parser.add_argument('--fake', action='store_true', help='file to store a JSON log of created users')
         parser.add_argument('--realm', default=None, help='realm for the new users')
         parser.add_argument(
-            '--callback', default=None,
+            '--callback',
+            default=None,
             help='python file containing a function callback(user, dn, entry, options, dump)'
-                 ' it can return models that will be saved'
+            ' it can return models that will be saved',
         )
         parser.add_argument('--callback-arg', action='append', help='arguments for the callback')
 
diff --git a/src/authentic2/management/commands/resetpassword.py b/src/authentic2/management/commands/resetpassword.py
index b9e45b6e..60431180 100644
--- a/src/authentic2/management/commands/resetpassword.py
+++ b/src/authentic2/management/commands/resetpassword.py
@@ -35,8 +35,12 @@ class Command(BaseCommand):
     def add_arguments(self, parser):
         parser.add_argument('username', nargs='?', type=str)
         parser.add_argument(
-            '--database', action='store', dest='database',
-            default=DEFAULT_DB_ALIAS, help='Specifies the database to use. Default is "default".')
+            '--database',
+            action='store',
+            dest='database',
+            default=DEFAULT_DB_ALIAS,
+            help='Specifies the database to use. Default is "default".',
+        )
 
     def _get_pass(self, prompt="Password: "):
         p = getpass.getpass(prompt=prompt)
@@ -50,9 +54,7 @@ class Command(BaseCommand):
             username = getpass.getuser()
 
         try:
-            u = User._default_manager.using(options.get('database')).get(**{
-                User.USERNAME_FIELD: username
-            })
+            u = User._default_manager.using(options.get('database')).get(**{User.USERNAME_FIELD: username})
         except User.DoesNotExist:
             raise CommandError("user '%s' does not exist" % username)
 
@@ -63,5 +65,5 @@ class Command(BaseCommand):
         PasswordReset.objects.get_or_create(user=u)
         return (
             'Password changed successfully for user "%s", on next login he '
-            'will be forced to change its password.' % u)
-
+            'will be forced to change its password.' % u
+        )
diff --git a/src/authentic2/management/commands/sync-ldap-users.py b/src/authentic2/management/commands/sync-ldap-users.py
index d398813f..dc2d3420 100644
--- a/src/authentic2/management/commands/sync-ldap-users.py
+++ b/src/authentic2/management/commands/sync-ldap-users.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from __future__ import print_function
+
 try:
     import ldap
     from ldap.filter import filter_format  # noqa: F401
diff --git a/src/authentic2/manager/app_settings.py b/src/authentic2/manager/app_settings.py
index 3a2f338f..000ea976 100644
--- a/src/authentic2/manager/app_settings.py
+++ b/src/authentic2/manager/app_settings.py
@@ -33,10 +33,12 @@ class AppSettings(object):
 
     def __getattr__(self, name):
         from django.conf import settings
+
         if name not in self.__DEFAULTS:
             raise AttributeError
         return getattr(settings, self.__PREFIX + name, self.__DEFAULTS[name])
 
+
 app_settings = AppSettings()
 app_settings.__name__ = __name__
 sys.modules[__name__] = app_settings
diff --git a/src/authentic2/manager/apps.py b/src/authentic2/manager/apps.py
index 3dd6413c..7d36b468 100644
--- a/src/authentic2/manager/apps.py
+++ b/src/authentic2/manager/apps.py
@@ -25,10 +25,9 @@ class AppConfig(AppConfig):
         from django.db.models.signals import post_save
         from django_rbac.utils import get_ou_model
 
-        post_save.connect(
-            self.post_save_ou,
-            sender=get_ou_model())
+        post_save.connect(self.post_save_ou, sender=get_ou_model())
 
     def post_save_ou(self, *args, **kwargs):
         from . import utils
+
         utils.get_ou_count.cache.clear()
diff --git a/src/authentic2/manager/fields.py b/src/authentic2/manager/fields.py
index fdcbcada..03114fee 100644
--- a/src/authentic2/manager/fields.py
+++ b/src/authentic2/manager/fields.py
@@ -44,11 +44,19 @@ for key in dir(widgets):
         continue
     if issubclass(cls, widgets.ModelSelect2MultipleWidget):
         cls_name = key.replace('Widget', 'Field')
-        vars()[cls_name] = type(cls_name, (Select2ModelMultipleChoiceField,), {
-            'widget': cls,
-        })
+        vars()[cls_name] = type(
+            cls_name,
+            (Select2ModelMultipleChoiceField,),
+            {
+                'widget': cls,
+            },
+        )
     elif issubclass(cls, widgets.ModelSelect2Widget):
         cls_name = key.replace('Widget', 'Field')
-        vars()[cls_name] = type(cls_name, (Select2ModelChoiceField,), {
-            'widget': cls,
-        })
+        vars()[cls_name] = type(
+            cls_name,
+            (Select2ModelChoiceField,),
+            {
+                'widget': cls,
+            },
+        )
diff --git a/src/authentic2/manager/forms.py b/src/authentic2/manager/forms.py
index 69c4b325..f07263bb 100644
--- a/src/authentic2/manager/forms.py
+++ b/src/authentic2/manager/forms.py
@@ -76,8 +76,7 @@ class SlugMixin(forms.ModelForm):
                 instance.slug += str(i)
                 i += 1
         if len(instance.slug) > 256:
-            instance.slug = instance.slug[:252] + \
-                hashlib.md5(instance.slug).hexdigest()[:4]
+            instance.slug = instance.slug[:252] + hashlib.md5(instance.slug).hexdigest()[:4]
         return super(SlugMixin, self).save(commit=commit)
 
 
@@ -88,9 +87,10 @@ class PrefixFormMixin(object):
 
 
 class LimitQuerysetFormMixin(FormWithRequest):
-    '''Limit queryset of all model choice field based on the objects
-       viewable by the user.
-    '''
+    """Limit queryset of all model choice field based on the objects
+    viewable by the user.
+    """
+
     def __init__(self, *args, **kwargs):
         super(LimitQuerysetFormMixin, self).__init__(*args, **kwargs)
         if self.request and not self.request.user.is_anonymous:
@@ -155,26 +155,15 @@ class ChooseUserAuthorizationsForm(CssClass, forms.Form):
 
 
 class ChoosePermissionForm(CssClass, forms.Form):
-    operation = forms.ModelChoiceField(
-        required=False,
-        label=_('Operation'),
-        queryset=Operation.objects)
+    operation = forms.ModelChoiceField(required=False, label=_('Operation'), queryset=Operation.objects)
     ou = forms.ModelChoiceField(
-        label=_('Organizational unit'),
-        queryset=get_ou_model().objects,
-        required=False)
-    target = forms.ModelChoiceField(
-        label=_('Target object'),
-        required=False,
-        queryset=ContentType.objects)
-    action = forms.CharField(
-        initial='add',
-        required=False,
-        widget=forms.HiddenInput)
+        label=_('Organizational unit'), queryset=get_ou_model().objects, required=False
+    )
+    target = forms.ModelChoiceField(label=_('Target object'), required=False, queryset=ContentType.objects)
+    action = forms.CharField(initial='add', required=False, widget=forms.HiddenInput)
     permission = forms.ModelChoiceField(
-        queryset=get_permission_model().objects,
-        required=False,
-        widget=forms.HiddenInput)
+        queryset=get_permission_model().objects, required=False, widget=forms.HiddenInput
+    )
 
 
 class UserEditForm(LimitQuerysetFormMixin, CssClass, BaseUserForm):
@@ -207,16 +196,14 @@ class UserEditForm(LimitQuerysetFormMixin, CssClass, BaseUserForm):
 
     class Meta:
         model = User
-        exclude = ('is_staff', 'groups', 'user_permissions', 'last_login',
-                   'date_joined', 'password')
+        exclude = ('is_staff', 'groups', 'user_permissions', 'last_login', 'date_joined', 'password')
 
 
 class UserChangePasswordForm(CssClass, forms.ModelForm):
     error_messages = {
         'password_mismatch': _("The two password fields didn't match."),
     }
-    notification_template_prefix = \
-        'authentic2/manager/change-password-notification'
+    notification_template_prefix = 'authentic2/manager/change-password-notification'
     require_password = True
 
     def clean_password2(self):
@@ -231,20 +218,23 @@ class UserChangePasswordForm(CssClass, forms.ModelForm):
 
     def clean(self):
         super(UserChangePasswordForm, self).clean()
-        if (self.require_password
-                and not self.cleaned_data.get('generate_password')
-                and not self.cleaned_data.get('password1')
-                and not self.cleaned_data.get('send_password_reset')):
+        if (
+            self.require_password
+            and not self.cleaned_data.get('generate_password')
+            and not self.cleaned_data.get('password1')
+            and not self.cleaned_data.get('send_password_reset')
+        ):
             raise forms.ValidationError(
-                _('You must choose password generation or type a new'
-                  '  one or send a password reset mail'))
-        if (not self.has_email()
-                and (self.cleaned_data.get('send_mail')
-                     or self.cleaned_data.get('generate_password')
-                     or self.cleaned_data.get('send_password_reset'))):
+                _('You must choose password generation or type a new' '  one or send a password reset mail')
+            )
+        if not self.has_email() and (
+            self.cleaned_data.get('send_mail')
+            or self.cleaned_data.get('generate_password')
+            or self.cleaned_data.get('send_password_reset')
+        ):
             raise forms.ValidationError(
-                _('User does not have a mail, we cannot send the '
-                  'informations to him.'))
+                _('User does not have a mail, we cannot send the ' 'informations to him.')
+            )
 
     def has_email(self):
         return bool(self.instance and self.instance.email)
@@ -271,23 +261,14 @@ class UserChangePasswordForm(CssClass, forms.ModelForm):
                 send_templated_mail(
                     user,
                     self.notification_template_prefix,
-                    context={'new_password': new_password, 'user': user})
+                    context={'new_password': new_password, 'user': user},
+                )
         return user
 
-    generate_password = forms.BooleanField(
-        initial=False,
-        label=_('Generate new password'),
-        required=False)
-    password1 = NewPasswordField(
-        label=_("Password"),
-        required=False)
-    password2 = CheckPasswordField(
-        label=_("Confirmation"),
-        required=False)
-    send_mail = forms.BooleanField(
-        initial=False,
-        label=_('Send informations to user'),
-        required=False)
+    generate_password = forms.BooleanField(initial=False, label=_('Generate new password'), required=False)
+    password1 = NewPasswordField(label=_("Password"), required=False)
+    password2 = CheckPasswordField(label=_("Confirmation"), required=False)
+    send_mail = forms.BooleanField(initial=False, label=_('Send informations to user'), required=False)
 
     class Meta:
         model = User
@@ -299,17 +280,14 @@ class UserAddForm(UserChangePasswordForm, UserEditForm):
     form_id = "id_user_add_form"
     require_password = False
 
-    notification_template_prefix = \
-        'authentic2/manager/new-account-notification'
+    notification_template_prefix = 'authentic2/manager/new-account-notification'
     reset_password_at_next_login = forms.BooleanField(
-        initial=False,
-        label=_('Ask for password reset on next login'),
-        required=False)
+        initial=False, label=_('Ask for password reset on next login'), required=False
+    )
 
     send_password_reset = forms.BooleanField(
-        initial=False,
-        label=_('Send mail to user to make it choose a password'),
-        required=False)
+        initial=False, label=_('Send mail to user to make it choose a password'), required=False
+    )
 
     def __init__(self, *args, **kwargs):
         self.ou = kwargs.pop('ou', None)
@@ -323,13 +301,13 @@ class UserAddForm(UserChangePasswordForm, UserEditForm):
         has_password = (
             self.cleaned_data.get('new_password1')
             or self.cleaned_data.get('generate_password')
-            or self.cleaned_data.get('send_password_reset'))
+            or self.cleaned_data.get('send_password_reset')
+        )
 
-        if (has_password
-                and not self.cleaned_data.get('username')
-                and not self.cleaned_data.get('email')):
+        if has_password and not self.cleaned_data.get('username') and not self.cleaned_data.get('email'):
             raise forms.ValidationError(
-                _('You must set a username or an email to set a password or send an activation link.'))
+                _('You must set a username or an email to set a password or send an activation link.')
+            )
 
         if not has_password:
             self.instance.set_random_password()
@@ -348,21 +326,26 @@ class UserAddForm(UserChangePasswordForm, UserEditForm):
                 def save(*args, **kwargs):
                     old_save(*args, **kwargs)
                     PasswordReset.objects.get_or_create(user=user)
+
                 user.save = save
         if self.cleaned_data.get('send_password_reset'):
             try:
                 send_password_reset_mail(
                     user,
-                    template_names=['authentic2/manager/user_create_registration_email',
-                                    'authentic2/password_reset'],
+                    template_names=[
+                        'authentic2/manager/user_create_registration_email',
+                        'authentic2/password_reset',
+                    ],
                     request=self.request,
                     next_url='/accounts/',
                     context={
                         'user': user,
-                    })
+                    },
+                )
             except smtplib.SMTPException as e:
-                logger.error(u'registration mail could not be sent to user %s created through '
-                             u'manager: %s', user, e)
+                logger.error(
+                    u'registration mail could not be sent to user %s created through ' u'manager: %s', user, e
+                )
         return user
 
     class Meta:
@@ -374,13 +357,8 @@ class UserAddForm(UserChangePasswordForm, UserEditForm):
 class ServiceRoleSearchForm(CssClass, PrefixFormMixin, FormWithRequest):
     prefix = 'search'
 
-    text = forms.CharField(
-        label=_('Name'),
-        required=False)
-    internals = forms.BooleanField(
-        initial=False,
-        label=_('Show internal roles'),
-        required=False)
+    text = forms.CharField(label=_('Name'), required=False)
+    internals = forms.BooleanField(initial=False, label=_('Show internal roles'), required=False)
 
     def __init__(self, *args, **kwargs):
         super(ServiceRoleSearchForm, self).__init__(*args, **kwargs)
@@ -448,10 +426,11 @@ class OUSearchForm(FormWithRequest):
                 # we were passed an explicit list of objects linked to OUs by a field named 'ou',
                 # get possible OUs from this list
                 related_query_name = self.queryset.model._meta.get_field('ou').related_query_name()
-                objects_ou_qs = get_ou_model().objects.filter(
-                    **{"%s__in" % related_query_name: self.queryset}).distinct()
+                objects_ou_qs = (
+                    get_ou_model().objects.filter(**{"%s__in" % related_query_name: self.queryset}).distinct()
+                )
                 # to combine queryset with distinct, each queryset must have the distinct flag
-                self.ou_qs = (self.ou_qs.distinct() | objects_ou_qs)
+                self.ou_qs = self.ou_qs.distinct() | objects_ou_qs
 
             # even if default ordering is by name on the model, we are not sure it's kept after the
             # ORing in the previous if condition, so we sort it again.
@@ -574,9 +553,7 @@ class UserSearchForm(OUSearchForm, CssClass, PrefixFormMixin, FormWithRequest):
     ou_permission = 'custom_user.search_user'
     prefix = 'search'
 
-    text = forms.CharField(
-        label=_('Free text'),
-        required=False)
+    text = forms.CharField(label=_('Free text'), required=False)
 
     def __init__(self, *args, **kwargs):
         self.minimum_chars = kwargs.pop('minimum_chars', 0)
@@ -606,9 +583,7 @@ class UserAddChooseOUForm(OUSearchForm):
 class NameSearchForm(CssClass, PrefixFormMixin, FormWithRequest):
     prefix = 'search'
 
-    text = forms.CharField(
-        label=_('Name'),
-        required=False)
+    text = forms.CharField(label=_('Name'), required=False)
 
     def filter(self, qs):
         if self.cleaned_data.get('text'):
@@ -616,10 +591,10 @@ class NameSearchForm(CssClass, PrefixFormMixin, FormWithRequest):
         return qs
 
 
-class RoleEditForm(SlugMixin, HideOUFieldMixin, LimitQuerysetFormMixin, CssClass,
-                   forms.ModelForm):
-    ou = forms.ModelChoiceField(queryset=get_ou_model().objects,
-                                required=True, label=_('Organizational unit'))
+class RoleEditForm(SlugMixin, HideOUFieldMixin, LimitQuerysetFormMixin, CssClass, forms.ModelForm):
+    ou = forms.ModelChoiceField(
+        queryset=get_ou_model().objects, required=True, label=_('Organizational unit')
+    )
 
     class Meta:
         model = get_role_model()
@@ -634,9 +609,17 @@ class OUEditForm(SlugMixin, CssClass, forms.ModelForm):
     class Meta:
         model = get_ou_model()
         fields = (
-            'name', 'slug', 'default', 'username_is_unique', 'email_is_unique', 'validate_emails',
-            'show_username', 'user_can_reset_password', 'user_add_password_policy',
-            'clean_unused_accounts_alert', 'clean_unused_accounts_deletion'
+            'name',
+            'slug',
+            'default',
+            'username_is_unique',
+            'email_is_unique',
+            'validate_emails',
+            'show_username',
+            'user_can_reset_password',
+            'user_add_password_policy',
+            'clean_unused_accounts_alert',
+            'clean_unused_accounts_deletion',
         )
 
 
@@ -664,7 +647,8 @@ class UserChangeEmailForm(CssClass, FormWithRequest, forms.ModelForm):
             self.instance,
             new_email,
             request=self.request,
-            template_names=['authentic2/manager/user_change_email_notification'])
+            template_names=['authentic2/manager/user_change_email_notification'],
+        )
         return self.instance
 
     class Meta:
@@ -700,9 +684,7 @@ class RolesImportForm(LimitQuerysetFormMixin, SiteImportForm):
             self.fields['ou'].widget = forms.HiddenInput()
 
     ou = forms.ModelChoiceField(
-        label=_('Organizational unit'),
-        queryset=get_ou_model().objects,
-        initial=lambda: get_default_ou().pk
+        label=_('Organizational unit'), queryset=get_ou_model().objects, initial=lambda: get_default_ou().pk
     )
 
 
@@ -714,15 +696,9 @@ ENCODINGS = [
 
 
 class UserImportForm(forms.Form):
-    import_file = forms.FileField(
-        label=_('Import file'),
-        help_text=_('A CSV file'))
-    encoding = forms.ChoiceField(
-        label=_('Encoding'),
-        choices=ENCODINGS)
-    ou = forms.ModelChoiceField(
-        label=_('Organizational Unit'),
-        queryset=OU.objects.all())
+    import_file = forms.FileField(label=_('Import file'), help_text=_('A CSV file'))
+    encoding = forms.ChoiceField(label=_('Encoding'), choices=ENCODINGS)
+    ou = forms.ModelChoiceField(label=_('Organizational Unit'), queryset=OU.objects.all())
 
     @staticmethod
     def raise_validation_error(error_message):
@@ -749,8 +725,8 @@ class UserNewImportForm(UserImportForm):
         import_file = self.cleaned_data['import_file']
         import_file.open()
         new_import = user_import.UserImport.new(
-            import_file=import_file,
-            encoding=self.cleaned_data['encoding'])
+            import_file=import_file, encoding=self.cleaned_data['encoding']
+        )
         with new_import.meta_update as meta:
             meta['filename'] = import_file.name
             meta['ou'] = self.cleaned_data['ou']
@@ -769,6 +745,7 @@ class UserEditImportForm(UserImportForm):
 
     def clean(self):
         from authentic2.csv_import import CsvImporter
+
         encoding = self.cleaned_data['encoding']
         with self.user_import.import_file as fd:
             importer = CsvImporter()
diff --git a/src/authentic2/manager/journal_event_types.py b/src/authentic2/manager/journal_event_types.py
index 5e3fa34c..bccb9c46 100644
--- a/src/authentic2/manager/journal_event_types.py
+++ b/src/authentic2/manager/journal_event_types.py
@@ -249,7 +249,8 @@ class ManagerUserSSOAuthorizationDeletion(EventTypeWithService):
         service_name = cls.get_service_name(event)
         if context and context == user:
             return _('deletion of authorization of single sign on with "{service}" by administrator').format(
-                service=service_name)
+                service=service_name
+            )
         elif user:
             return _('deletion of authorization of single sign on with "{service}" of user "{user}"').format(
                 service=service_name,
@@ -264,11 +265,12 @@ class RoleEventsMixin(EventTypeDefinition):
         references = references or []
         references = [role] + references
         data = data or {}
-        data.update(
-            {'role_name': str(role), 'role_uuid': role.uuid}
-        )
+        data.update({'role_name': str(role), 'role_uuid': role.uuid})
         super().record(
-            user=user, session=session, references=references, data=data,
+            user=user,
+            session=session,
+            references=references,
+            data=data,
         )
 
 
diff --git a/src/authentic2/manager/ou_views.py b/src/authentic2/manager/ou_views.py
index 7f3d78d3..aa65b4cb 100644
--- a/src/authentic2/manager/ou_views.py
+++ b/src/authentic2/manager/ou_views.py
@@ -39,6 +39,7 @@ class OrganizationalUnitView(views.BaseTableView):
     permissions = ['a2_rbac.search_organizationalunit']
     title = _('Organizational units')
 
+
 listing = OrganizationalUnitView.as_view()
 
 
@@ -50,12 +51,12 @@ class OrganizationalUnitAddView(views.BaseAddView):
     exclude_fields = ('slug',)
 
     def get_fields(self):
-        return [x for x in self.form_class.base_fields.keys()
-                if x not in self.exclude_fields]
+        return [x for x in self.form_class.base_fields.keys() if x not in self.exclude_fields]
 
     def get_success_url(self):
         return '..'
 
+
 add = OrganizationalUnitAddView.as_view()
 
 
@@ -73,6 +74,7 @@ class OrganizationalUnitDetailView(views.BaseDetailView):
         super(OrganizationalUnitDetailView, self).authorize(request, *args, **kwargs)
         self.can_delete = self.can_delete and not self.object.default
 
+
 detail = OrganizationalUnitDetailView.as_view()
 
 
@@ -83,6 +85,7 @@ class OrganizationalUnitEditView(views.BaseEditView):
     template_name = 'authentic2/manager/ou_edit.html'
     title = _('Edit organizational unit')
 
+
 edit = OrganizationalUnitEditView.as_view()
 
 
@@ -94,14 +97,18 @@ class OrganizationalUnitDeleteView(views.BaseDeleteView):
 
     def dispatch(self, request, *args, **kwargs):
         if self.get_object().default:
-            messages.warning(request, _('You cannot delete the default '
-                                        'organizational unit, you must first '
-                                        'set another default organiational '
-                                        'unit.'))
-            return self.return_ajax_response(
-                request, HttpResponseRedirect(self.get_success_url()))
-        return super(OrganizationalUnitDeleteView, self).dispatch(request, *args,
-                                                                  **kwargs)
+            messages.warning(
+                request,
+                _(
+                    'You cannot delete the default '
+                    'organizational unit, you must first '
+                    'set another default organiational '
+                    'unit.'
+                ),
+            )
+            return self.return_ajax_response(request, HttpResponseRedirect(self.get_success_url()))
+        return super(OrganizationalUnitDeleteView, self).dispatch(request, *args, **kwargs)
+
 
 delete = OrganizationalUnitDeleteView.as_view()
 
@@ -111,18 +118,17 @@ class OusExportView(views.ExportMixin, OrganizationalUnitView):
 
     def get(self, request, *args, **kwargs):
         export = data_transfer.export_site(
-            data_transfer.ExportContext(
-                ou_qs=self.get_table_data(),
-                export_roles=False,
-                export_ous=True))
+            data_transfer.ExportContext(ou_qs=self.get_table_data(), export_roles=False, export_ous=True)
+        )
         return self.export_response(json.dumps(export, indent=4), 'application/json', 'json')
 
 
 export = OusExportView.as_view()
 
 
-class OusImportView(views.PermissionMixin, views.TitleMixin, views.MediaMixin, views.FormNeedsRequest,
-                      FormView):
+class OusImportView(
+    views.PermissionMixin, views.TitleMixin, views.MediaMixin, views.FormNeedsRequest, FormView
+):
     form_class = forms.OusImportForm
     model = get_ou_model()
     template_name = 'authentic2/manager/import_form.html'
diff --git a/src/authentic2/manager/resources.py b/src/authentic2/manager/resources.py
index 8989d69b..6df47c39 100644
--- a/src/authentic2/manager/resources.py
+++ b/src/authentic2/manager/resources.py
@@ -47,18 +47,26 @@ class UserResource(ModelResource):
 
     class Meta:
         model = User
-        exclude = ('password', 'user_permissions', 'is_staff',
-                   'is_superuser', 'groups')
-        export_order = ('ou', 'uuid', 'id', 'username', 'email',
-                        'first_name', 'last_name', 'last_login',
-                        'date_joined', 'roles')
+        exclude = ('password', 'user_permissions', 'is_staff', 'is_superuser', 'groups')
+        export_order = (
+            'ou',
+            'uuid',
+            'id',
+            'username',
+            'email',
+            'first_name',
+            'last_name',
+            'last_login',
+            'date_joined',
+            'roles',
+        )
         widgets = {
             'roles': {
                 'field': 'name',
             },
             'ou': {
                 'field': 'name',
-            }
+            },
         }
 
 
diff --git a/src/authentic2/manager/role_views.py b/src/authentic2/manager/role_views.py
index bba2dbca..0ab50a2f 100644
--- a/src/authentic2/manager/role_views.py
+++ b/src/authentic2/manager/role_views.py
@@ -55,20 +55,22 @@ class RolesMixin(object):
         permission_ct = ContentType.objects.get_for_model(Permission)
         ct_ct = ContentType.objects.get_for_model(ContentType)
         ou_ct = ContentType.objects.get_for_model(OU)
-        permission_qs = Permission.objects.filter(target_ct_id__in=[ct_ct.id, ou_ct.id]) \
-            .values_list('id', flat=True)
+        permission_qs = Permission.objects.filter(target_ct_id__in=[ct_ct.id, ou_ct.id]).values_list(
+            'id', flat=True
+        )
         # only non role-admin roles, they are accessed through the
         # RoleManager views
         if not self.admin_roles:
             qs = qs.filter(
-                Q(admin_scope_ct__isnull=True) | Q(admin_scope_ct=permission_ct, admin_scope_id__in=permission_qs))
+                Q(admin_scope_ct__isnull=True)
+                | Q(admin_scope_ct=permission_ct, admin_scope_id__in=permission_qs)
+            )
         if not self.service_roles:
             qs = qs.filter(service__isnull=True)
         return qs
 
 
-class RolesView(views.SearchOUMixin, views.HideOUColumnMixin, RolesMixin,
-                views.BaseTableView):
+class RolesView(views.SearchOUMixin, views.HideOUColumnMixin, RolesMixin, views.BaseTableView):
     template_name = 'authentic2/manager/roles.html'
     model = get_role_model()
     table_class = tables.RoleTable
@@ -86,6 +88,7 @@ class RolesView(views.SearchOUMixin, views.HideOUColumnMixin, RolesMixin,
         kwargs['queryset'] = self.get_queryset()
         return kwargs
 
+
 listing = RolesView.as_view()
 
 
@@ -110,8 +113,9 @@ class RoleAddView(views.BaseAddView):
 
     def form_valid(self, form):
         response = super(RoleAddView, self).form_valid(form)
-        hooks.call_hooks('event', name='manager-add-role', user=self.request.user,
-                         instance=form.instance, form=form)
+        hooks.call_hooks(
+            'event', name='manager-add-role', user=self.request.user, instance=form.instance, form=form
+        )
         self.request.journal.record('manager.role.creation', role=form.instance)
         return response
 
@@ -128,9 +132,9 @@ class RolesExportView(views.ExportMixin, RolesView):
         if export_format == 'json':
             export = data_transfer.export_site(
                 data_transfer.ExportContext(
-                    role_qs=self.get_table_data(),
-                    export_roles=True,
-                    export_ous=False))
+                    role_qs=self.get_table_data(), export_roles=True, export_ous=False
+                )
+            )
             return self.export_response(json.dumps(export, indent=4), 'application/json', 'json')
         return super(RolesExportView, self).get(request, *args, **kwargs)
 
@@ -151,11 +155,13 @@ class RoleEditView(RoleViewMixin, views.BaseEditView):
 
     def form_valid(self, form):
         response = super(RoleEditView, self).form_valid(form)
-        hooks.call_hooks('event', name='manager-edit-role', user=self.request.user,
-                         instance=form.instance, form=form)
+        hooks.call_hooks(
+            'event', name='manager-edit-role', user=self.request.user, instance=form.instance, form=form
+        )
         self.request.journal.record('manager.role.edit', role=form.instance, form=form)
         return response
 
+
 edit = RoleEditView.as_view()
 
 
@@ -193,17 +199,31 @@ class RoleMembersView(views.HideOUColumnMixin, RoleViewMixin, views.BaseSubTable
                     messages.warning(self.request, _('User already in this role.'))
                 else:
                     self.object.members.add(user)
-                    hooks.call_hooks('event', name='manager-add-role-member',
-                                     user=self.request.user, role=self.object, member=user)
-                    self.request.journal.record('manager.role.membership.grant', role=self.object, member=user)
+                    hooks.call_hooks(
+                        'event',
+                        name='manager-add-role-member',
+                        user=self.request.user,
+                        role=self.object,
+                        member=user,
+                    )
+                    self.request.journal.record(
+                        'manager.role.membership.grant', role=self.object, member=user
+                    )
             elif action == 'remove':
                 if not self.object.members.filter(pk=user.pk).exists():
                     messages.warning(self.request, _('User was not in this role.'))
                 else:
                     self.object.members.remove(user)
-                    hooks.call_hooks('event', name='manager-remove-role-member',
-                                     user=self.request.user, role=self.object, member=user)
-                    self.request.journal.record('manager.role.membership.removal', role=self.object, member=user)
+                    hooks.call_hooks(
+                        'event',
+                        name='manager-remove-role-member',
+                        user=self.request.user,
+                        role=self.object,
+                        member=user,
+                    )
+                    self.request.journal.record(
+                        'manager.role.membership.removal', role=self.object, member=user
+                    )
         else:
             messages.warning(self.request, _('You are not authorized'))
         return super(RoleMembersView, self).form_valid(form)
@@ -217,20 +237,24 @@ class RoleMembersView(views.HideOUColumnMixin, RoleViewMixin, views.BaseSubTable
 
     def get_context_data(self, **kwargs):
         ctx = super(RoleMembersView, self).get_context_data(**kwargs)
-        ctx['children'] = views.filter_view(self.request,
-                                            self.object.children(include_self=False, annotate=True))
-        ctx['parents'] = views.filter_view(self.request, self.object.parents(
-            include_self=False, annotate=True).order_by(F('ou').asc(nulls_first=True), 'name'))
+        ctx['children'] = views.filter_view(
+            self.request, self.object.children(include_self=False, annotate=True)
+        )
+        ctx['parents'] = views.filter_view(
+            self.request,
+            self.object.parents(include_self=False, annotate=True).order_by(
+                F('ou').asc(nulls_first=True), 'name'
+            ),
+        )
         ctx['has_multiple_ou'] = OU.objects.count() > 1
-        ctx['admin_roles'] = views.filter_view(self.request,
-                                               self.object.get_admin_role().children(include_self=False,
-                                                                                     annotate=True))
+        ctx['admin_roles'] = views.filter_view(
+            self.request, self.object.get_admin_role().children(include_self=False, annotate=True)
+        )
         ctx['from_ldap'] = self._can_manage_members and not self.can_manage_members
         return ctx
 
     def is_ou_specified(self):
-        return self.search_form.is_valid() \
-            and self.search_form.cleaned_data.get('ou')
+        return self.search_form.is_valid() and self.search_form.cleaned_data.get('ou')
 
     def get_table(self, **kwargs):
         show_username = has_show_username()
@@ -265,6 +289,7 @@ class RoleDeleteView(RoleViewMixin, views.BaseDeleteView):
         self.request.journal.record('manager.role.deletion', role=role)
         return super(RoleDeleteView, self).delete(request, *args, **kwargs)
 
+
 delete = RoleDeleteView.as_view()
 
 
@@ -287,14 +312,20 @@ class RolePermissionsView(RoleViewMixin, views.BaseSubTableView):
             action = form.cleaned_data.get('action')
             Permission = get_permission_model()
             if action == 'add' and operation and target:
-                perm, created = Permission.objects \
-                    .get_or_create(operation=operation, ou=ou,
-                                   target_ct=ContentType.objects.get_for_model(
-                                       target),
-                                   target_id=target.pk)
+                perm, created = Permission.objects.get_or_create(
+                    operation=operation,
+                    ou=ou,
+                    target_ct=ContentType.objects.get_for_model(target),
+                    target_id=target.pk,
+                )
                 self.object.permissions.add(perm)
-                hooks.call_hooks('event', name='manager-add-permission', user=self.request.user,
-                                 role=self.object, permission=perm)
+                hooks.call_hooks(
+                    'event',
+                    name='manager-add-permission',
+                    user=self.request.user,
+                    role=self.object,
+                    permission=perm,
+                )
             elif action == 'remove':
                 try:
                     permission_id = int(self.request.POST.get('permission', ''))
@@ -304,12 +335,18 @@ class RolePermissionsView(RoleViewMixin, views.BaseSubTableView):
                 else:
                     if self.object.permissions.filter(id=permission_id).exists():
                         self.object.permissions.remove(perm)
-                        hooks.call_hooks('event', name='manager-remove-permission',
-                                         user=self.request.user, role=self.object, permission=perm)
+                        hooks.call_hooks(
+                            'event',
+                            name='manager-remove-permission',
+                            user=self.request.user,
+                            role=self.object,
+                            permission=perm,
+                        )
         else:
             messages.warning(self.request, _('You are not authorized'))
         return super(RolePermissionsView, self).form_valid(form)
 
+
 permissions = RolePermissionsView.as_view()
 
 
@@ -320,12 +357,18 @@ class RoleMembersExportView(views.ExportMixin, RoleMembersView):
     def get_data(self):
         return self.get_table_data()
 
+
 members_export = RoleMembersExportView.as_view()
 
 
-class RoleAddChildView(views.AjaxFormViewMixin, views.TitleMixin,
-                       views.PermissionMixin, views.FormNeedsRequest,
-                       SingleObjectMixin, FormView):
+class RoleAddChildView(
+    views.AjaxFormViewMixin,
+    views.TitleMixin,
+    views.PermissionMixin,
+    views.FormNeedsRequest,
+    SingleObjectMixin,
+    FormView,
+):
     title = _('Add child role')
     model = get_role_model()
     form_class = forms.RolesForm
@@ -341,16 +384,19 @@ class RoleAddChildView(views.AjaxFormViewMixin, views.TitleMixin,
         parent = self.get_object()
         for role in form.cleaned_data['roles']:
             parent.add_child(role)
-            hooks.call_hooks('event', name='manager-add-child-role', user=self.request.user,
-                             parent=parent, child=role)
+            hooks.call_hooks(
+                'event', name='manager-add-child-role', user=self.request.user, parent=parent, child=role
+            )
             self.request.journal.record('manager.role.inheritance.addition', parent=parent, child=role)
         return super(RoleAddChildView, self).form_valid(form)
 
+
 add_child = RoleAddChildView.as_view()
 
 
-class RoleAddParentView(views.AjaxFormViewMixin, views.TitleMixin,
-                        views.FormNeedsRequest, SingleObjectMixin, FormView):
+class RoleAddParentView(
+    views.AjaxFormViewMixin, views.TitleMixin, views.FormNeedsRequest, SingleObjectMixin, FormView
+):
     title = _('Add parent role')
     model = get_role_model()
     form_class = forms.RoleParentsForm
@@ -367,16 +413,17 @@ class RoleAddParentView(views.AjaxFormViewMixin, views.TitleMixin,
         child = self.get_object()
         for role in form.cleaned_data['roles']:
             child.add_parent(role)
-            hooks.call_hooks('event', name='manager-add-child-role', user=self.request.user,
-                             parent=role, child=child)
+            hooks.call_hooks(
+                'event', name='manager-add-child-role', user=self.request.user, parent=role, child=child
+            )
             self.request.journal.record('manager.role.inheritance.addition', parent=role, child=child)
         return super(RoleAddParentView, self).form_valid(form)
 
+
 add_parent = RoleAddParentView.as_view()
 
 
-class RoleRemoveChildView(views.AjaxFormViewMixin, SingleObjectMixin,
-                          views.PermissionMixin, TemplateView):
+class RoleRemoveChildView(views.AjaxFormViewMixin, SingleObjectMixin, views.PermissionMixin, TemplateView):
     title = _('Remove child role')
     model = get_role_model()
     success_url = '../..'
@@ -395,16 +442,21 @@ class RoleRemoveChildView(views.AjaxFormViewMixin, SingleObjectMixin,
 
     def post(self, request, *args, **kwargs):
         self.object.remove_child(self.child)
-        hooks.call_hooks('event', name='manager-remove-child-role', user=self.request.user,
-                         parent=self.object, child=self.child)
+        hooks.call_hooks(
+            'event',
+            name='manager-remove-child-role',
+            user=self.request.user,
+            parent=self.object,
+            child=self.child,
+        )
         self.request.journal.record('manager.role.inheritance.removal', parent=self.object, child=self.child)
         return redirect(self.request, self.success_url)
 
+
 remove_child = RoleRemoveChildView.as_view()
 
 
-class RoleRemoveParentView(views.AjaxFormViewMixin, SingleObjectMixin,
-                           TemplateView):
+class RoleRemoveParentView(views.AjaxFormViewMixin, SingleObjectMixin, TemplateView):
     title = _('Remove parent role')
     model = get_role_model()
     success_url = '../..'
@@ -426,17 +478,28 @@ class RoleRemoveParentView(views.AjaxFormViewMixin, SingleObjectMixin,
         if not self.request.user.has_perm('a2_rbac.manage_members_role', self.parent):
             raise PermissionDenied
         self.object.remove_parent(self.parent)
-        hooks.call_hooks('event', name='manager-remove-child-role', user=self.request.user,
-                         parent=self.parent, child=self.object)
+        hooks.call_hooks(
+            'event',
+            name='manager-remove-child-role',
+            user=self.request.user,
+            parent=self.parent,
+            child=self.object,
+        )
         self.request.journal.record('manager.role.inheritance.removal', parent=self.parent, child=self.object)
         return redirect(self.request, self.success_url)
 
+
 remove_parent = RoleRemoveParentView.as_view()
 
 
-class RoleAddAdminRoleView(views.AjaxFormViewMixin, views.TitleMixin,
-                           views.PermissionMixin, views.FormNeedsRequest,
-                           SingleObjectMixin, FormView):
+class RoleAddAdminRoleView(
+    views.AjaxFormViewMixin,
+    views.TitleMixin,
+    views.PermissionMixin,
+    views.FormNeedsRequest,
+    SingleObjectMixin,
+    FormView,
+):
     title = _('Add admin role')
     model = get_role_model()
     form_class = forms.RolesForm
@@ -452,18 +515,25 @@ class RoleAddAdminRoleView(views.AjaxFormViewMixin, views.TitleMixin,
         administered_role = self.get_object()
         for role in form.cleaned_data['roles']:
             administered_role.get_admin_role().add_child(role)
-            hooks.call_hooks('event', name='manager-add-admin-role', user=self.request.user,
-                             role=administered_role, admin_role=role)
-            self.request.journal.record('manager.role.administrator.role.addition',
-                                        role=administered_role, admin_role=role)
+            hooks.call_hooks(
+                'event',
+                name='manager-add-admin-role',
+                user=self.request.user,
+                role=administered_role,
+                admin_role=role,
+            )
+            self.request.journal.record(
+                'manager.role.administrator.role.addition', role=administered_role, admin_role=role
+            )
         return super(RoleAddAdminRoleView, self).form_valid(form)
 
+
 add_admin_role = RoleAddAdminRoleView.as_view()
 
 
-class RoleRemoveAdminRoleView(views.TitleMixin, views.AjaxFormViewMixin,
-                              SingleObjectMixin, views.PermissionMixin,
-                              TemplateView):
+class RoleRemoveAdminRoleView(
+    views.TitleMixin, views.AjaxFormViewMixin, SingleObjectMixin, views.PermissionMixin, TemplateView
+):
     title = _('Remove admin role')
     model = get_role_model()
     success_url = '../..'
@@ -482,18 +552,30 @@ class RoleRemoveAdminRoleView(views.TitleMixin, views.AjaxFormViewMixin,
 
     def post(self, request, *args, **kwargs):
         self.object.get_admin_role().remove_child(self.child)
-        hooks.call_hooks('event', name='manager-remove-admin-role',
-                         user=self.request.user, role=self.object, admin_role=self.child)
-        self.request.journal.record('manager.role.administrator.role.removal',
-                                    role=self.object, admin_role=self.child)
+        hooks.call_hooks(
+            'event',
+            name='manager-remove-admin-role',
+            user=self.request.user,
+            role=self.object,
+            admin_role=self.child,
+        )
+        self.request.journal.record(
+            'manager.role.administrator.role.removal', role=self.object, admin_role=self.child
+        )
         return redirect(self.request, self.success_url)
 
+
 remove_admin_role = RoleRemoveAdminRoleView.as_view()
 
 
-class RoleAddAdminUserView(views.AjaxFormViewMixin, views.TitleMixin,
-                           views.PermissionMixin, views.FormNeedsRequest,
-                           SingleObjectMixin, FormView):
+class RoleAddAdminUserView(
+    views.AjaxFormViewMixin,
+    views.TitleMixin,
+    views.PermissionMixin,
+    views.FormNeedsRequest,
+    SingleObjectMixin,
+    FormView,
+):
     title = _('Add admin user')
     model = get_role_model()
     form_class = forms.UsersForm
@@ -509,18 +591,25 @@ class RoleAddAdminUserView(views.AjaxFormViewMixin, views.TitleMixin,
         administered_role = self.get_object()
         for user in form.cleaned_data['users']:
             administered_role.get_admin_role().members.add(user)
-            hooks.call_hooks('event', name='manager-add-admin-role-user', user=self.request.user,
-                             role=administered_role, admin=user)
-            self.request.journal.record('manager.role.administrator.user.addition',
-                                        role=administered_role, admin_user=user)
+            hooks.call_hooks(
+                'event',
+                name='manager-add-admin-role-user',
+                user=self.request.user,
+                role=administered_role,
+                admin=user,
+            )
+            self.request.journal.record(
+                'manager.role.administrator.user.addition', role=administered_role, admin_user=user
+            )
         return super(RoleAddAdminUserView, self).form_valid(form)
 
+
 add_admin_user = RoleAddAdminUserView.as_view()
 
 
-class RoleRemoveAdminUserView(views.TitleMixin, views.AjaxFormViewMixin,
-                              SingleObjectMixin, views.PermissionMixin,
-                              TemplateView):
+class RoleRemoveAdminUserView(
+    views.TitleMixin, views.AjaxFormViewMixin, SingleObjectMixin, views.PermissionMixin, TemplateView
+):
     title = _('Remove admin user')
     model = get_role_model()
     success_url = '../..'
@@ -539,17 +628,25 @@ class RoleRemoveAdminUserView(views.TitleMixin, views.AjaxFormViewMixin,
 
     def post(self, request, *args, **kwargs):
         self.object.get_admin_role().members.remove(self.user)
-        hooks.call_hooks('event', name='remove-remove-admin-role-user', user=self.request.user,
-                         role=self.object, admin=self.user)
-        self.request.journal.record('manager.role.administrator.user.removal',
-                                    role=self.object, admin_user=self.user)
+        hooks.call_hooks(
+            'event',
+            name='remove-remove-admin-role-user',
+            user=self.request.user,
+            role=self.object,
+            admin=self.user,
+        )
+        self.request.journal.record(
+            'manager.role.administrator.user.removal', role=self.object, admin_user=self.user
+        )
         return redirect(self.request, self.success_url)
 
+
 remove_admin_user = RoleRemoveAdminUserView.as_view()
 
 
-class RolesImportView(views.PermissionMixin, views.TitleMixin, views.MediaMixin, views.FormNeedsRequest,
-                      FormView):
+class RolesImportView(
+    views.PermissionMixin, views.TitleMixin, views.MediaMixin, views.FormNeedsRequest, FormView
+):
     form_class = forms.RolesImportForm
     model = get_role_model()
     template_name = 'authentic2/manager/import_form.html'
@@ -582,7 +679,7 @@ class RolesImportView(views.PermissionMixin, views.TitleMixin, views.MediaMixin,
     def get_success_url(self):
         messages.success(
             self.request,
-            _('Roles have been successfully imported inside "%s" organizational unit.') % self.ou
+            _('Roles have been successfully imported inside "%s" organizational unit.') % self.ou,
         )
         return reverse('a2-manager-roles') + '?search-ou=%s' % self.ou.pk
 
@@ -604,6 +701,7 @@ class RoleJournal(views.PermissionMixin, JournalViewWithContext, BaseJournalView
         ctx['object'] = self.context
         return ctx
 
+
 journal = RoleJournal.as_view()
 
 
diff --git a/src/authentic2/manager/service_views.py b/src/authentic2/manager/service_views.py
index a839a10b..39044495 100644
--- a/src/authentic2/manager/service_views.py
+++ b/src/authentic2/manager/service_views.py
@@ -31,11 +31,17 @@ class ServicesView(views.HideOUColumnMixin, views.BaseTableView):
     permissions = ['authentic2.search_service']
     title = _('Services')
 
+
 listing = ServicesView.as_view()
 
 
-class ServiceView(views.SimpleSubTableView, role_views.RoleViewMixin,
-                  views.MediaMixin, views.FormNeedsRequest, views.FormView):
+class ServiceView(
+    views.SimpleSubTableView,
+    role_views.RoleViewMixin,
+    views.MediaMixin,
+    views.FormNeedsRequest,
+    views.FormView,
+):
     search_form_class = forms.NameSearchForm
     model = Service
     pk_url_kwarg = 'service_pk'
@@ -63,8 +69,7 @@ class ServiceView(views.SimpleSubTableView, role_views.RoleViewMixin,
         if self.can_change:
             if action == 'add':
                 if self.object.authorized_roles.filter(pk=role.pk).exists():
-                    messages.warning(self.request, _('Role already authorized in this '
-                                     'service.'))
+                    messages.warning(self.request, _('Role already authorized in this ' 'service.'))
                 else:
                     self.object.add_authorized_role(role)
             elif action == 'remove':
@@ -92,4 +97,5 @@ class ServiceEditView(views.BaseEditView):
     fields = ['name', 'slug', 'ou', 'unauthorized_url']
     success_url = '..'
 
+
 edit = ServiceEditView.as_view()
diff --git a/src/authentic2/manager/tables.py b/src/authentic2/manager/tables.py
index aa1c0390..7739bc8a 100644
--- a/src/authentic2/manager/tables.py
+++ b/src/authentic2/manager/tables.py
@@ -23,8 +23,7 @@ from django.utils.translation import ugettext_noop
 import django_tables2 as tables
 from django_tables2.utils import A
 
-from django_rbac.utils import get_role_model, get_permission_model, \
-    get_ou_model
+from django_rbac.utils import get_role_model, get_permission_model, get_ou_model
 
 from authentic2.models import Service
 from authentic2.middleware import StoreRequestMiddleware
@@ -52,9 +51,7 @@ class VerifiableEmailColumn(tables.Column):
         verified = user.email_verified
         value = user.email
         if value and verified:
-            return html.format_html(
-                    '<span class="verified">{value}</span>',
-                    value=value)
+            return html.format_html('<span class="verified">{value}</span>', value=value)
         return value
 
 
@@ -64,12 +61,11 @@ class UserLinkColumn(PermissionLinkColumn):
         value = super().render(**kwargs)
         if not user.is_active:
             value = html.format_html(
-                '<span class="disabled">{value} ({disabled})</span>',
-                value=value, disabled=_('disabled'))
+                '<span class="disabled">{value} ({disabled})</span>', value=value, disabled=_('disabled')
+            )
         return value
 
 
-
 class UserTable(tables.Table):
     link = UserLinkColumn(
         viewname='a2-manager-user-detail',
@@ -77,7 +73,8 @@ class UserTable(tables.Table):
         verbose_name=_('User'),
         accessor='get_full_name',
         order_by=('last_name', 'first_name', 'email', 'username'),
-        kwargs={'pk': A('pk')})
+        kwargs={'pk': A('pk')},
+    )
     username = tables.Column()
     email = VerifiableEmailColumn()
     ou = tables.Column()
@@ -85,34 +82,33 @@ class UserTable(tables.Table):
     class Meta:
         model = User
         attrs = {'class': 'main', 'id': 'user-table'}
-        fields = ('username', 'email', 'first_name',
-                  'last_name', 'ou')
+        fields = ('username', 'email', 'first_name', 'last_name', 'ou')
         sequence = ('link', '...')
         empty_text = _('None')
 
 
 class RoleMembersTable(UserTable):
-    direct = tables.BooleanColumn(verbose_name=_('Direct member'),
-                                  orderable=False)
+    direct = tables.BooleanColumn(verbose_name=_('Direct member'), orderable=False)
     via = tables.TemplateColumn(
         '{% for role in record.via %}'
         '<a href="{% url "a2-manager-role-members" pk=role.pk %}">{{ role }}</a>{% if not forloop.last %}, {% endif %}'
         '{% endfor %}',
-        verbose_name=_('Inherited from'), orderable=False)
+        verbose_name=_('Inherited from'),
+        orderable=False,
+    )
 
     class Meta(UserTable.Meta):
         pass
 
 
 class RoleTable(tables.Table):
-    name = tables.LinkColumn(viewname='a2-manager-role-members',
-                             kwargs={'pk': A('pk')},
-                             accessor='name', verbose_name=_('label'))
+    name = tables.LinkColumn(
+        viewname='a2-manager-role-members', kwargs={'pk': A('pk')}, accessor='name', verbose_name=_('label')
+    )
     ou = tables.Column()
-    member_count = tables.Column(verbose_name=_('Direct member count'),
-                                 orderable=False)
+    member_count = tables.Column(verbose_name=_('Direct member count'), orderable=False)
 
-    def render_name (self, record, bound_column):
+    def render_name(self, record, bound_column):
         content = bound_column.column.render(record.name, record, bound_column)
         if not record.can_manage_members:
             content = SafeText('%s (%s)' % (content, _('LDAP')))
@@ -148,12 +144,14 @@ class OUTable(tables.Table):
 
 
 class OuUserRolesTable(tables.Table):
-    name = tables.LinkColumn(viewname='a2-manager-role-members',
-                             kwargs={'pk': A('pk')},
-                             accessor='name', verbose_name=_('label'))
+    name = tables.LinkColumn(
+        viewname='a2-manager-role-members', kwargs={'pk': A('pk')}, accessor='name', verbose_name=_('label')
+    )
     via = tables.TemplateColumn(
         '''{% for rel in record.via %}{{ rel.child }} {% if not forloop.last %}, {% endif %}{% endfor %}''',
-        verbose_name=_('Inherited from'), orderable=False)
+        verbose_name=_('Inherited from'),
+        orderable=False,
+    )
     member = tables.TemplateColumn(
         '{%% load i18n %%}<input class="role-member{%% if not record.member and record.via %%} '
         'indeterminate{%% endif %%}"'
@@ -161,11 +159,16 @@ class OuUserRolesTable(tables.Table):
         '{%% if not record.has_perm %%}disabled '
         'title="{%% trans "%s" %%}"{%% endif %%} '
         '{%% if not record.can_manage_members %%}disabled '
-        'title="{%% trans "%s" %%}"{%% endif %%}/>' % (ugettext_noop('You are not authorized to manage this role'), ugettext_noop('This role is synchronised from LDAP, changing members is not allowed.')),
+        'title="{%% trans "%s" %%}"{%% endif %%}/>'
+        % (
+            ugettext_noop('You are not authorized to manage this role'),
+            ugettext_noop('This role is synchronised from LDAP, changing members is not allowed.'),
+        ),
         verbose_name=_('Member'),
-        order_by=('member', 'via', 'name'))
+        order_by=('member', 'via', 'name'),
+    )
 
-    def render_name (self, record, bound_column):
+    def render_name(self, record, bound_column):
         content = bound_column.column.render(record.name, record, bound_column)
         if not record.can_manage_members:
             content = SafeText('%s (%s)' % (content, _('LDAP')))
@@ -180,18 +183,19 @@ class OuUserRolesTable(tables.Table):
 
 
 class UserRolesTable(tables.Table):
-    name = tables.LinkColumn(viewname='a2-manager-role-members',
-                             kwargs={'pk': A('pk')},
-                             accessor='name', verbose_name=_('label'))
+    name = tables.LinkColumn(
+        viewname='a2-manager-role-members', kwargs={'pk': A('pk')}, accessor='name', verbose_name=_('label')
+    )
     ou = tables.Column()
     via = tables.TemplateColumn(
         '{% if not record.member %}{% for rel in record.child_relation.all %}'
         '{{ rel.child }} {% if not forloop.last %}, {% endif %}{% endfor %}'
         '{% endif %}',
         verbose_name=_('Inherited from'),
-        orderable=False)
+        orderable=False,
+    )
 
-    def render_name (self, record, bound_column):
+    def render_name(self, record, bound_column):
         content = bound_column.column.render(record.name, record, bound_column)
         if not record.can_manage_members:
             content = SafeText('%s (%s)' % (content, _('LDAP')))
diff --git a/src/authentic2/manager/urls.py b/src/authentic2/manager/urls.py
index 244f242d..763d0e32 100644
--- a/src/authentic2/manager/urls.py
+++ b/src/authentic2/manager/urls.py
@@ -29,157 +29,154 @@ def manager_login_required(func):
 
 
 urlpatterns = required(
-    manager_login_required, [
+    manager_login_required,
+    [
         # homepage
         url(r'^$', views.homepage, name='a2-manager-homepage'),
         url(r'^me/$', user_views.me, name='a2-manager-me'),
-
         # Authentic2 users
         url(r'^users/$', user_views.users, name='a2-manager-users'),
-        url(r'^users/export/(?P<format>csv)/$',
-            user_views.users_export, name='a2-manager-users-export'),
-        url(r'^users/add/$', user_views.user_add_default_ou,
-            name='a2-manager-user-add-default-ou'),
-        url(r'^users/add/choose-ou/$', user_views.user_add_choose_ou,
-            name='a2-manager-user-add-choose-ou'),
-        url(r'^users/import/$',
-            user_views.user_imports, name='a2-manager-users-imports'),
-        url(r'^users/import/(?P<uuid>[a-z0-9]+)/download/(?P<filename>.*)$',
-            user_views.user_import, name='a2-manager-users-import-download'),
-        url(r'^users/import/(?P<uuid>[a-z0-9]+)/$',
-            user_views.user_import, name='a2-manager-users-import'),
-        url(r'^users/import/(?P<import_uuid>[a-z0-9]+)/(?P<report_uuid>[a-z0-9]+)/$',
-            user_views.user_import_report, name='a2-manager-users-import-report'),
-        url(r'^users/(?P<ou_pk>\d+)/add/$', user_views.user_add,
-            name='a2-manager-user-add'),
-        url(r'^users/(?P<pk>\d+)/$', user_views.user_detail,
-            name='a2-manager-user-detail'),
-        url(r'^users/(?P<pk>\d+)/edit/$', user_views.user_edit,
-            name='a2-manager-user-edit'),
-        url(r'^users/(?P<pk>\d+)/delete/$', user_views.user_delete,
-            name='a2-manager-user-delete'),
-        url(r'^users/(?P<pk>\d+)/roles/$',
-            user_views.roles,
-            name='a2-manager-user-roles'),
-        url(r'^users/(?P<pk>\d+)/change-password/$',
+        url(r'^users/export/(?P<format>csv)/$', user_views.users_export, name='a2-manager-users-export'),
+        url(r'^users/add/$', user_views.user_add_default_ou, name='a2-manager-user-add-default-ou'),
+        url(r'^users/add/choose-ou/$', user_views.user_add_choose_ou, name='a2-manager-user-add-choose-ou'),
+        url(r'^users/import/$', user_views.user_imports, name='a2-manager-users-imports'),
+        url(
+            r'^users/import/(?P<uuid>[a-z0-9]+)/download/(?P<filename>.*)$',
+            user_views.user_import,
+            name='a2-manager-users-import-download',
+        ),
+        url(r'^users/import/(?P<uuid>[a-z0-9]+)/$', user_views.user_import, name='a2-manager-users-import'),
+        url(
+            r'^users/import/(?P<import_uuid>[a-z0-9]+)/(?P<report_uuid>[a-z0-9]+)/$',
+            user_views.user_import_report,
+            name='a2-manager-users-import-report',
+        ),
+        url(r'^users/(?P<ou_pk>\d+)/add/$', user_views.user_add, name='a2-manager-user-add'),
+        url(r'^users/(?P<pk>\d+)/$', user_views.user_detail, name='a2-manager-user-detail'),
+        url(r'^users/(?P<pk>\d+)/edit/$', user_views.user_edit, name='a2-manager-user-edit'),
+        url(r'^users/(?P<pk>\d+)/delete/$', user_views.user_delete, name='a2-manager-user-delete'),
+        url(r'^users/(?P<pk>\d+)/roles/$', user_views.roles, name='a2-manager-user-roles'),
+        url(
+            r'^users/(?P<pk>\d+)/change-password/$',
             user_views.user_change_password,
-            name='a2-manager-user-change-password'),
-        url(r'^users/(?P<pk>\d+)/change-email/$',
+            name='a2-manager-user-change-password',
+        ),
+        url(
+            r'^users/(?P<pk>\d+)/change-email/$',
             user_views.user_change_email,
-            name='a2-manager-user-change-email'),
-        url(r'^users/(?P<pk>\d+)/su/$', user_views.su,
-            name='a2-manager-user-su'),
-        url(r'^users/(?P<pk>\d+)/authorizations/$',
+            name='a2-manager-user-change-email',
+        ),
+        url(r'^users/(?P<pk>\d+)/su/$', user_views.su, name='a2-manager-user-su'),
+        url(
+            r'^users/(?P<pk>\d+)/authorizations/$',
             user_views.user_authorizations,
-            name='a2-manager-user-authorizations'),
-        url(r'^users/(?P<pk>\d+)/journal/$',
-            user_views.user_journal,
-            name='a2-manager-user-journal'),
+            name='a2-manager-user-authorizations',
+        ),
+        url(r'^users/(?P<pk>\d+)/journal/$', user_views.user_journal, name='a2-manager-user-journal'),
         # by uuid
-        url(r'^users/uuid:(?P<slug>[a-z0-9]+)/$', user_views.user_detail,
-            name='a2-manager-user-by-uuid-detail'),
-        url(r'^users/uuid:(?P<slug>[a-z0-9]+)/edit/$', user_views.user_edit,
-            name='a2-manager-user-by-uuid-edit'),
-        url(r'^users/uuid:(?P<slug>[a-z0-9]+)/roles/$',
-            user_views.roles,
-            name='a2-manager-user-by-uuid-roles'),
-        url(r'^users/uuid:(?P<slug>[a-z0-9]+)/change-password/$',
+        url(
+            r'^users/uuid:(?P<slug>[a-z0-9]+)/$',
+            user_views.user_detail,
+            name='a2-manager-user-by-uuid-detail',
+        ),
+        url(
+            r'^users/uuid:(?P<slug>[a-z0-9]+)/edit/$',
+            user_views.user_edit,
+            name='a2-manager-user-by-uuid-edit',
+        ),
+        url(
+            r'^users/uuid:(?P<slug>[a-z0-9]+)/roles/$', user_views.roles, name='a2-manager-user-by-uuid-roles'
+        ),
+        url(
+            r'^users/uuid:(?P<slug>[a-z0-9]+)/change-password/$',
             user_views.user_change_password,
-            name='a2-manager-user-by-uuid-change-password'),
-        url(r'^users/uuid:(?P<slug>[a-z0-9]+)/change-email/$',
+            name='a2-manager-user-by-uuid-change-password',
+        ),
+        url(
+            r'^users/uuid:(?P<slug>[a-z0-9]+)/change-email/$',
             user_views.user_change_email,
-            name='a2-manager-user-by-uuid-change-email'),
-        url(r'^users/uuid:(?P<slug>[a-z0-9]+)/journal/$',
+            name='a2-manager-user-by-uuid-change-email',
+        ),
+        url(
+            r'^users/uuid:(?P<slug>[a-z0-9]+)/journal/$',
             user_views.user_journal,
-            name='a2-manager-user-journal'),
-
+            name='a2-manager-user-journal',
+        ),
         # Authentic2 roles
-        url(r'^roles/$', role_views.listing,
-            name='a2-manager-roles'),
-        url(r'^roles/import/$', role_views.roles_import,
-            name='a2-manager-roles-import'),
-        url(r'^roles/add/$', role_views.add,
-            name='a2-manager-role-add'),
-        url(r'^roles/export/(?P<format>csv|json)/$',
-            role_views.export, name='a2-manager-roles-export'),
-        url(r'^roles/journal/$', role_views.roles_journal,
-            name='a2-manager-roles-journal'),
-        url(r'^roles/(?P<pk>\d+)/$', role_views.members,
-            name='a2-manager-role-members'),
-        url(r'^roles/(?P<pk>\d+)/add-child/$', role_views.add_child,
-            name='a2-manager-role-add-child'),
-        url(r'^roles/(?P<pk>\d+)/add-parent/$', role_views.add_parent,
-            name='a2-manager-role-add-parent'),
-        url(r'^roles/(?P<pk>\d+)/remove-child/(?P<child_pk>\d+)/$',
-            role_views.remove_child, name='a2-manager-role-remove-child'),
-        url(r'^roles/(?P<pk>\d+)/remove-parent/(?P<parent_pk>\d+)/$',
-            role_views.remove_parent, name='a2-manager-role-remove-parent'),
-
-        url(r'^roles/(?P<pk>\d+)/add-admin-user/$', role_views.add_admin_user,
-            name='a2-manager-role-add-admin-user'),
-        url(r'^roles/(?P<pk>\d+)/remove-admin-user/(?P<user_pk>\d+)/$',
-            role_views.remove_admin_user, name='a2-manager-role-remove-admin-user'),
-
-        url(r'^roles/(?P<pk>\d+)/add-admin-role/$', role_views.add_admin_role,
-            name='a2-manager-role-add-admin-role'),
-        url(r'^roles/(?P<pk>\d+)/remove-admin-role/(?P<role_pk>\d+)/$',
-            role_views.remove_admin_role, name='a2-manager-role-remove-admin-role'),
-
-        url(r'^roles/(?P<pk>\d+)/export/(?P<format>csv)/$',
+        url(r'^roles/$', role_views.listing, name='a2-manager-roles'),
+        url(r'^roles/import/$', role_views.roles_import, name='a2-manager-roles-import'),
+        url(r'^roles/add/$', role_views.add, name='a2-manager-role-add'),
+        url(r'^roles/export/(?P<format>csv|json)/$', role_views.export, name='a2-manager-roles-export'),
+        url(r'^roles/journal/$', role_views.roles_journal, name='a2-manager-roles-journal'),
+        url(r'^roles/(?P<pk>\d+)/$', role_views.members, name='a2-manager-role-members'),
+        url(r'^roles/(?P<pk>\d+)/add-child/$', role_views.add_child, name='a2-manager-role-add-child'),
+        url(r'^roles/(?P<pk>\d+)/add-parent/$', role_views.add_parent, name='a2-manager-role-add-parent'),
+        url(
+            r'^roles/(?P<pk>\d+)/remove-child/(?P<child_pk>\d+)/$',
+            role_views.remove_child,
+            name='a2-manager-role-remove-child',
+        ),
+        url(
+            r'^roles/(?P<pk>\d+)/remove-parent/(?P<parent_pk>\d+)/$',
+            role_views.remove_parent,
+            name='a2-manager-role-remove-parent',
+        ),
+        url(
+            r'^roles/(?P<pk>\d+)/add-admin-user/$',
+            role_views.add_admin_user,
+            name='a2-manager-role-add-admin-user',
+        ),
+        url(
+            r'^roles/(?P<pk>\d+)/remove-admin-user/(?P<user_pk>\d+)/$',
+            role_views.remove_admin_user,
+            name='a2-manager-role-remove-admin-user',
+        ),
+        url(
+            r'^roles/(?P<pk>\d+)/add-admin-role/$',
+            role_views.add_admin_role,
+            name='a2-manager-role-add-admin-role',
+        ),
+        url(
+            r'^roles/(?P<pk>\d+)/remove-admin-role/(?P<role_pk>\d+)/$',
+            role_views.remove_admin_role,
+            name='a2-manager-role-remove-admin-role',
+        ),
+        url(
+            r'^roles/(?P<pk>\d+)/export/(?P<format>csv)/$',
             role_views.members_export,
-            name='a2-manager-role-members-export'),
-        url(r'^roles/(?P<pk>\d+)/delete/$', role_views.delete,
-            name='a2-manager-role-delete'),
-        url(r'^roles/(?P<pk>\d+)/edit/$', role_views.edit,
-            name='a2-manager-role-edit'),
-        url(r'^roles/(?P<pk>\d+)/permissions/$', role_views.permissions,
-            name='a2-manager-role-permissions'),
-        url(r'^roles/(?P<pk>\d+)/journal/$', role_views.journal,
-            name='a2-manager-role-journal'),
-
-
+            name='a2-manager-role-members-export',
+        ),
+        url(r'^roles/(?P<pk>\d+)/delete/$', role_views.delete, name='a2-manager-role-delete'),
+        url(r'^roles/(?P<pk>\d+)/edit/$', role_views.edit, name='a2-manager-role-edit'),
+        url(r'^roles/(?P<pk>\d+)/permissions/$', role_views.permissions, name='a2-manager-role-permissions'),
+        url(r'^roles/(?P<pk>\d+)/journal/$', role_views.journal, name='a2-manager-role-journal'),
         # Authentic2 organizational units
-        url(r'^organizational-units/$', ou_views.listing,
-            name='a2-manager-ous'),
-        url(r'^organizational-units/add/$', ou_views.add,
-            name='a2-manager-ou-add'),
-        url(r'^organizational-units/(?P<pk>\d+)/$', ou_views.detail,
-            name='a2-manager-ou-detail'),
-        url(r'^organizational-units/(?P<pk>\d+)/edit/$', ou_views.edit,
-            name='a2-manager-ou-edit'),
-        url(r'^organizational-units/(?P<pk>\d+)/delete/$', ou_views.delete,
-            name='a2-manager-ou-delete'),
-        url(r'^organizational-units/export/(?P<format>json)/$',
-            ou_views.export,
-            name='a2-manager-ou-export'),
-        url(r'^organizational-units/import/$',
-            ou_views.ous_import,
-            name='a2-manager-ous-import'),
-
+        url(r'^organizational-units/$', ou_views.listing, name='a2-manager-ous'),
+        url(r'^organizational-units/add/$', ou_views.add, name='a2-manager-ou-add'),
+        url(r'^organizational-units/(?P<pk>\d+)/$', ou_views.detail, name='a2-manager-ou-detail'),
+        url(r'^organizational-units/(?P<pk>\d+)/edit/$', ou_views.edit, name='a2-manager-ou-edit'),
+        url(r'^organizational-units/(?P<pk>\d+)/delete/$', ou_views.delete, name='a2-manager-ou-delete'),
+        url(r'^organizational-units/export/(?P<format>json)/$', ou_views.export, name='a2-manager-ou-export'),
+        url(r'^organizational-units/import/$', ou_views.ous_import, name='a2-manager-ous-import'),
         # Services
-        url(r'^services/$', service_views.listing,
-            name='a2-manager-services'),
-        url(r'^services/(?P<service_pk>\d+)/$', service_views.roles,
-            name='a2-manager-service'),
-        url(r'^services/(?P<service_pk>\d+)/edit/$', service_views.edit,
-            name='a2-manager-service-edit'),
-
+        url(r'^services/$', service_views.listing, name='a2-manager-services'),
+        url(r'^services/(?P<service_pk>\d+)/$', service_views.roles, name='a2-manager-service'),
+        url(r'^services/(?P<service_pk>\d+)/edit/$', service_views.edit, name='a2-manager-service-edit'),
         # Journal
-        url(r'^journal/$', journal_views.journal,
-            name='a2-manager-journal'),
-
+        url(r'^journal/$', journal_views.journal, name='a2-manager-journal'),
         # backoffice menu as json
         url(r'^menu.json$', views.menu_json),
-
         # general management
         url(r'^site-export/$', views.site_export, name='a2-manager-site-export'),
         url(r'^site-import/$', views.site_import, name='a2-manager-site-import'),
-    ]
+    ],
 )
 
 urlpatterns += [
-    url(r'^jsi18n/$',
+    url(
+        r'^jsi18n/$',
         JavaScriptCatalog.as_view(packages=['authentic2.manager']),
-        name='a2-manager-javascript-catalog'),
+        name='a2-manager-javascript-catalog',
+    ),
     url(r'^select2.json$', views.select2, name='django_select2-json'),
 ]
diff --git a/src/authentic2/manager/user_import.py b/src/authentic2/manager/user_import.py
index f3edbe6e..82b3b31e 100644
--- a/src/authentic2/manager/user_import.py
+++ b/src/authentic2/manager/user_import.py
@@ -44,10 +44,7 @@ logger = logging.getLogger(__name__)
 
 
 def new_id():
-    return (base64.b32encode(uuid.uuid4().bytes)
-            .strip(b'=')
-            .lower()
-            .decode('ascii'))
+    return base64.b32encode(uuid.uuid4().bytes).strip(b'=').lower().decode('ascii')
 
 
 class UserImport(object):
@@ -224,10 +221,9 @@ class Report(object):
                     data['tid'] = gettid()
                 try:
                     with publik_provisionning():
-                        importer.run(fd,
-                                     encoding=self.data['encoding'],
-                                     ou=self.data['ou'],
-                                     simulate=simulate)
+                        importer.run(
+                            fd, encoding=self.data['encoding'], ou=self.data['ou'], simulate=simulate
+                        )
                 except Exception as e:
                     logger.exception('error during report %s:%s run', self.user_import.uuid, self.uuid)
                     state = self.STATE_ERROR
@@ -250,6 +246,7 @@ class Report(object):
                     data['exception'] = exception
                     data['importer'] = importer
                     data['duration'] = duration
+
         t = threading.Thread(target=thread_worker)
         t.daemon = True
         if start:
@@ -286,6 +283,6 @@ class Reports(object):
         for name in os.listdir(self.user_import.path):
             if name.startswith(self.PREFIX):
                 try:
-                    yield self[name[len(self.PREFIX):]]
+                    yield self[name[len(self.PREFIX) :]]
                 except KeyError:
                     pass
diff --git a/src/authentic2/manager/user_views.py b/src/authentic2/manager/user_views.py
index ef79c2cb..338d0b29 100644
--- a/src/authentic2/manager/user_views.py
+++ b/src/authentic2/manager/user_views.py
@@ -47,15 +47,37 @@ from authentic2.apps.journal.views import JournalViewWithContext
 
 from django_rbac.utils import get_role_model, get_role_parenting_model, get_ou_model
 
-from .views import (BaseTableView, BaseAddView, BaseEditView, ActionMixin,
-                    OtherActionsMixin, Action, ExportMixin, BaseSubTableView,
-                    HideOUColumnMixin, BaseDeleteView, BaseDetailView,
-                    TitleMixin, PermissionMixin, MediaMixin, FormNeedsRequest)
+from .views import (
+    BaseTableView,
+    BaseAddView,
+    BaseEditView,
+    ActionMixin,
+    OtherActionsMixin,
+    Action,
+    ExportMixin,
+    BaseSubTableView,
+    HideOUColumnMixin,
+    BaseDeleteView,
+    BaseDetailView,
+    TitleMixin,
+    PermissionMixin,
+    MediaMixin,
+    FormNeedsRequest,
+)
 from .tables import UserTable, UserRolesTable, OuUserRolesTable, UserAuthorizationsTable
-from .forms import (UserSearchForm, UserAddForm, UserEditForm,
-                    UserChangePasswordForm, ChooseUserRoleForm,
-                    UserRoleSearchForm, UserChangeEmailForm, UserNewImportForm,
-                    UserEditImportForm, ChooseUserAuthorizationsForm, UserAddChooseOUForm)
+from .forms import (
+    UserSearchForm,
+    UserAddForm,
+    UserEditForm,
+    UserChangePasswordForm,
+    ChooseUserRoleForm,
+    UserRoleSearchForm,
+    UserChangeEmailForm,
+    UserNewImportForm,
+    UserEditImportForm,
+    ChooseUserAuthorizationsForm,
+    UserAddChooseOUForm,
+)
 from .resources import UserResource
 from .utils import get_ou_count, has_show_username
 from .journal_views import BaseJournalView
@@ -74,8 +96,7 @@ class UsersView(HideOUColumnMixin, BaseTableView):
     title = _('Users')
 
     def is_ou_specified(self):
-        return self.search_form.is_valid() \
-            and self.search_form.cleaned_data.get('ou')
+        return self.search_form.is_valid() and self.search_form.cleaned_data.get('ou')
 
     def get_queryset(self):
         qs = super(UsersView, self).get_queryset()
@@ -106,8 +127,7 @@ class UsersView(HideOUColumnMixin, BaseTableView):
         table = super(UsersView, self).get_table(**kwargs)
         if self.search_form.not_enough_chars():
             user_qs = self.search_form.filter_by_ou(self.get_queryset())
-            table.empty_text = _('Enter at least %(limit)d characters '
-                                 '(%(user_count)d users)') % {
+            table.empty_text = _('Enter at least %(limit)d characters ' '(%(user_count)d users)') % {
                 'limit': self.search_form.minimum_chars,
                 'user_count': user_qs.count(),
             }
@@ -127,10 +147,12 @@ class UsersView(HideOUColumnMixin, BaseTableView):
                 self.can_add = False
         extra_actions = ctx['extra_actions'] = []
         if self.request.user.has_perm('custom_user.admin_user'):
-            extra_actions.append({
-                'url': reverse('a2-manager-users-imports'),
-                'label': _('Import users'),
-            })
+            extra_actions.append(
+                {
+                    'url': reverse('a2-manager-users-imports'),
+                    'label': _('Import users'),
+                }
+            )
         return ctx
 
 
@@ -150,7 +172,8 @@ class UserAddView(BaseAddView):
         'password1',
         'password2',
         'reset_password_at_next_login',
-        'send_mail']
+        'send_mail',
+    ]
     form_class = UserAddForm
     permissions = ['custom_user.add_user']
     template_name = 'authentic2/manager/user_add.html'
@@ -174,8 +197,7 @@ class UserAddView(BaseAddView):
         if not self.ou.show_username:
             fields.remove('username')
         i = fields.index('generate_password')
-        if self.request.user.is_superuser and \
-                'is_superuser' not in self.fields:
+        if self.request.user.is_superuser and 'is_superuser' not in self.fields:
             fields.insert(i, 'is_superuser')
             i += 1
         for attribute in Attribute.objects.all():
@@ -190,14 +212,12 @@ class UserAddView(BaseAddView):
             include_post=True,
             replace={
                 '$UUID': self.object.uuid,
-            })
+            },
+        )
 
     def get_context_data(self, **kwargs):
         context = super(UserAddView, self).get_context_data(**kwargs)
-        context['cancel_url'] = select_next_url(
-            self.request,
-            default='../..',
-            field_name='cancel')
+        context['cancel_url'] = select_next_url(self.request, default='../..', field_name='cancel')
         context['next'] = select_next_url(self.request, default=None, include_post=True)
         context['ou'] = self.ou
         context['duplicate_users'] = self.duplicate_users
@@ -219,8 +239,9 @@ class UserAddView(BaseAddView):
                 return self.form_invalid(form)
 
         response = super(UserAddView, self).form_valid(form)
-        hooks.call_hooks('event', name='manager-add-user', user=self.request.user,
-                         instance=form.instance, form=form)
+        hooks.call_hooks(
+            'event', name='manager-add-user', user=self.request.user, instance=form.instance, form=form
+        )
         self.request.journal.record('manager.user.creation', form=form)
         return response
 
@@ -234,6 +255,7 @@ class UserAddView(BaseAddView):
         value = ou.user_add_password_policy
         return ou.USER_ADD_PASSWD_POLICY_VALUES[value]._asdict()
 
+
 user_add = UserAddView.as_view()
 
 
@@ -287,31 +309,38 @@ class UserDetailView(OtherActionsMixin, BaseDetailView):
     def get_other_actions(self):
         for action in super(UserDetailView, self).get_other_actions():
             yield action
-        yield Action('password_reset', _('Reset password'),
-                     permission='custom_user.reset_password_user')
+        yield Action('password_reset', _('Reset password'), permission='custom_user.reset_password_user')
         if self.object.is_active:
-            yield Action('deactivate', _('Suspend'),
-                         permission='custom_user.activate_user')
+            yield Action('deactivate', _('Suspend'), permission='custom_user.activate_user')
         else:
-            yield Action('activate', _('Activate'),
-                         permission='custom_user.activate_user')
+            yield Action('activate', _('Activate'), permission='custom_user.activate_user')
         if PasswordReset.objects.filter(user=self.object).exists():
-            yield Action('delete_password_reset', _('Do not force password change on next login'),
-                         permission='custom_user.reset_password_user')
+            yield Action(
+                'delete_password_reset',
+                _('Do not force password change on next login'),
+                permission='custom_user.reset_password_user',
+            )
         else:
-            yield Action('force_password_change', _('Force password change on '
-                         'next login'),
-                         permission='custom_user.reset_password_user')
-        yield Action('change_password', _('Change user password'),
-                     url_name='a2-manager-user-change-password',
-                     permission='custom_user.change_password_user')
+            yield Action(
+                'force_password_change',
+                _('Force password change on ' 'next login'),
+                permission='custom_user.reset_password_user',
+            )
+        yield Action(
+            'change_password',
+            _('Change user password'),
+            url_name='a2-manager-user-change-password',
+            permission='custom_user.change_password_user',
+        )
         if self.request.user.is_superuser:
-            yield Action('su', _('Impersonate this user'),
-                         url_name='a2-manager-user-su')
+            yield Action('su', _('Impersonate this user'), url_name='a2-manager-user-su')
         if self.object.ou and self.object.ou.validate_emails:
-            yield Action('change_email', _('Change user email'),
-                         url_name='a2-manager-user-change-email',
-                         permission='custom_user.change_email_user')
+            yield Action(
+                'change_email',
+                _('Change user email'),
+                url_name='a2-manager-user-change-email',
+                permission='custom_user.change_email_user',
+            )
 
     def action_force_password_change(self, request, *args, **kwargs):
         PasswordReset.objects.get_or_create(user=self.object)
@@ -324,8 +353,7 @@ class UserDetailView(OtherActionsMixin, BaseDetailView):
 
     def action_deactivate(self, request, *args, **kwargs):
         if request.user == self.object:
-            messages.warning(request, _('You cannot desactivate your own '
-                             'user'))
+            messages.warning(request, _('You cannot desactivate your own ' 'user'))
         else:
             self.object.mark_as_inactive()
             request.journal.record('manager.user.deactivation', target_user=self.object)
@@ -333,9 +361,10 @@ class UserDetailView(OtherActionsMixin, BaseDetailView):
     def action_password_reset(self, request, *args, **kwargs):
         user = self.object
         if not user.email:
-            messages.info(request, _('User has no email, it\'not possible to '
-                                     'send him am email to reset its '
-                                     'password'))
+            messages.info(
+                request,
+                _('User has no email, it\'not possible to ' 'send him am email to reset its ' 'password'),
+            )
             return
         send_password_reset_mail(user, request=request)
         messages.info(request, _('A mail was sent to %s') % self.object.email)
@@ -346,12 +375,12 @@ class UserDetailView(OtherActionsMixin, BaseDetailView):
         request.journal.record('manager.user.password.change.unforce', target_user=self.object)
 
     def action_su(self, request, *args, **kwargs):
-        return redirect(request, 'auth_logout',
-                        params={REDIRECT_FIELD_NAME: switch_user.build_url(self.object)})
+        return redirect(
+            request, 'auth_logout', params={REDIRECT_FIELD_NAME: switch_user.build_url(self.object)}
+        )
 
     # Copied from PasswordResetForm implementation
-    def send_mail(self, subject_template_name, email_template_name,
-                  context, to_email):
+    def send_mail(self, subject_template_name, email_template_name, context, to_email):
         """
         Sends a django.core.mail.EmailMultiAlternatives to `to_email`.
         """
@@ -371,8 +400,7 @@ class UserDetailView(OtherActionsMixin, BaseDetailView):
             if attribute.name == 'address_autocomplete':
                 continue
             fields.append(attribute.name)
-        if self.request.user.is_superuser and \
-                'is_superuser' not in self.fields:
+        if self.request.user.is_superuser and 'is_superuser' not in self.fields:
             fields.append('is_superuser')
         return fields
 
@@ -410,12 +438,14 @@ class UserDetailView(OtherActionsMixin, BaseDetailView):
         # show modify roles button only if something is possible
         kwargs['can_change_roles'] = self.has_perm_on_roles(self.request.user, self.object)
         user_data = []
-        user_data += [data for datas in hooks.call_hooks('manager_user_data', self, self.object)
-                      for data in datas]
+        user_data += [
+            data for datas in hooks.call_hooks('manager_user_data', self, self.object) for data in datas
+        ]
         kwargs['user_data'] = user_data
         ctx = super(UserDetailView, self).get_context_data(**kwargs)
         return ctx
 
+
 user_detail = UserDetailView.as_view()
 
 
@@ -437,8 +467,7 @@ class UserEditView(OtherActionsMixin, ActionMixin, BaseEditView):
             fields.append('email')
         for attribute in Attribute.objects.all():
             fields.append(attribute.name)
-        if self.request.user.is_superuser and \
-                'is_superuser' not in self.fields:
+        if self.request.user.is_superuser and 'is_superuser' not in self.fields:
             fields.append('is_superuser')
         return fields
 
@@ -446,7 +475,8 @@ class UserEditView(OtherActionsMixin, ActionMixin, BaseEditView):
         return select_next_url(
             self.request,
             default=reverse('a2-manager-user-detail', kwargs={'pk': self.object.pk}),
-            include_post=True)
+            include_post=True,
+        )
 
     def get_context_data(self, **kwargs):
         context = super(UserEditView, self).get_context_data(**kwargs)
@@ -464,11 +494,13 @@ class UserEditView(OtherActionsMixin, ActionMixin, BaseEditView):
             self.object.save()
         response = super(UserEditView, self).form_valid(form)
         if form.has_changed():
-            hooks.call_hooks('event', name='manager-edit-user', user=self.request.user,
-                             instance=form.instance, form=form)
+            hooks.call_hooks(
+                'event', name='manager-edit-user', user=self.request.user, instance=form.instance, form=form
+            )
             self.request.journal.record('manager.user.profile.edit', form=form)
         return response
 
+
 user_edit = UserEditView.as_view()
 
 
@@ -491,9 +523,11 @@ class UsersExportView(ExportMixin, UsersView):
         headers = fields + tuple(['attribute_%s' % attr for attr in attributes])
 
         at_mapping = {a.id: a for a in Attribute.objects.all()}
-        avs = AttributeValue.objects.filter(
-            content_type=ContentType.objects.get_for_model(get_user_model()))\
-            .filter(attribute__disabled=False).values()
+        avs = (
+            AttributeValue.objects.filter(content_type=ContentType.objects.get_for_model(get_user_model()))
+            .filter(attribute__disabled=False)
+            .values()
+        )
 
         user_attrs = collections.defaultdict(dict)
         for av in avs:
@@ -551,8 +585,9 @@ class UserChangePasswordView(BaseEditView):
 
     def form_valid(self, form):
         response = super(UserChangePasswordView, self).form_valid(form)
-        hooks.call_hooks('event', name='manager-change-password', user=self.request.user,
-                         instance=form.instance, form=form)
+        hooks.call_hooks(
+            'event', name='manager-change-password', user=self.request.user, instance=form.instance, form=form
+        )
         self.request.journal.record('manager.user.password.change', form=form)
         return response
 
@@ -583,9 +618,11 @@ class UserChangeEmailView(BaseEditView):
             user=self.request.user,
             instance=form.instance,
             form=form,
-            email=new_email)
+            email=new_email,
+        )
         return response
 
+
 user_change_email = UserChangeEmailView.as_view()
 
 
@@ -618,8 +655,7 @@ class UserRolesView(HideOUColumnMixin, BaseSubTableView):
 
     def is_ou_specified(self):
         '''Differentiate view of all user's roles from view of roles by OU'''
-        return (self.search_form.is_valid()
-                and self.search_form.cleaned_data.get('ou_filter') != 'all')
+        return self.search_form.is_valid() and self.search_form.cleaned_data.get('ou_filter') != 'all'
 
     def get_table_queryset(self):
         if self.is_ou_specified():
@@ -629,11 +665,10 @@ class UserRolesView(HideOUColumnMixin, BaseSubTableView):
             RoleParenting = get_role_parenting_model()
             rp_qs = RoleParenting.objects.filter(child__in=roles)
             qs = Role.objects.all()
-            qs = qs.prefetch_related(models.Prefetch(
-                'child_relation', queryset=rp_qs, to_attr='via'))
-            qs = qs.prefetch_related(models.Prefetch(
-                'members', queryset=User.objects.filter(pk=self.object.pk),
-                to_attr='member'))
+            qs = qs.prefetch_related(models.Prefetch('child_relation', queryset=rp_qs, to_attr='via'))
+            qs = qs.prefetch_related(
+                models.Prefetch('members', queryset=User.objects.filter(pk=self.object.pk), to_attr='member')
+            )
             qs2 = self.request.user.filter_by_perm('a2_rbac.manage_members_role', qs)
             managable_ids = [str(pk) for pk in qs2.values_list('pk', flat=True)]
             qs = qs.extra(select={'has_perm': 'a2_rbac_role.id in (%s)' % ', '.join(managable_ids)})
@@ -662,19 +697,20 @@ class UserRolesView(HideOUColumnMixin, BaseSubTableView):
         if action == 'add':
             if user.roles.filter(pk=role.pk):
                 messages.warning(
-                    self.request,
-                    _('User {user} has already the role {role}.')
-                    .format(user=user, role=role))
+                    self.request, _('User {user} has already the role {role}.').format(user=user, role=role)
+                )
             else:
                 user.roles.add(role)
-                hooks.call_hooks('event', name='manager-add-role-member',
-                                 user=self.request.user, role=role, member=user)
+                hooks.call_hooks(
+                    'event', name='manager-add-role-member', user=self.request.user, role=role, member=user
+                )
                 self.request.journal.record('manager.role.membership.grant', member=user, role=role)
         elif action == 'remove':
             if user.roles.filter(pk=role.pk).exists():
                 user.roles.remove(role)
-                hooks.call_hooks('event', name='manager-remove-role-member', user=self.request.user,
-                                 role=role, member=user)
+                hooks.call_hooks(
+                    'event', name='manager-remove-role-member', user=self.request.user, role=role, member=user
+                )
                 self.request.journal.record('manager.role.membership.removal', member=user, role=role)
         return super(UserRolesView, self).form_valid(form)
 
@@ -684,7 +720,9 @@ class UserRolesView(HideOUColumnMixin, BaseSubTableView):
         kwargs['user'] = self.object
         kwargs['role_members_from_ou'] = app_settings.ROLE_MEMBERS_FROM_OU
         kwargs['show_all_ou'] = app_settings.SHOW_ALL_OU
-        kwargs['queryset'] = self.request.user.filter_by_perm('a2_rbac.view_role', get_role_model().objects.all())
+        kwargs['queryset'] = self.request.user.filter_by_perm(
+            'a2_rbac.view_role', get_role_model().objects.all()
+        )
         if self.object.ou_id:
             initial = kwargs.setdefault('initial', {})
             initial['ou'] = str(self.object.ou_id)
@@ -711,8 +749,7 @@ class UserDeleteView(BaseDeleteView):
     def delete(self, request, *args, **kwargs):
         request.journal.record('manager.user.deletion', target_user=self.object)
         response = super().delete(request, *args, **kwargs)
-        hooks.call_hooks('event', name='manager-delete-user', user=request.user,
-                         instance=self.object)
+        hooks.call_hooks('event', name='manager-delete-user', user=request.user, instance=self.object)
         return response
 
 
@@ -745,7 +782,9 @@ class UserImportsView(MediaMixin, PermissionMixin, FormView):
         from authentic2.manager import user_import
 
         ctx = super(UserImportsView, self).get_context_data(**kwargs)
-        ctx['imports'] = sorted(user_import.UserImport.all(), key=operator.attrgetter('created'), reverse=True)
+        ctx['imports'] = sorted(
+            user_import.UserImport.all(), key=operator.attrgetter('created'), reverse=True
+        )
         help_columns = []
         field_columns = ['username', 'email', 'first_name', 'last_name']
         key = 'username'
@@ -756,36 +795,48 @@ class UserImportsView(MediaMixin, PermissionMixin, FormView):
             field = User._meta.get_field(field_column)
             if Attribute.objects.filter(name=field.name).exists():
                 continue
-            help_columns.append({
-                'label': field.verbose_name,
-                'name': field.name,
-                'key': field.name == key,
-            })
+            help_columns.append(
+                {
+                    'label': field.verbose_name,
+                    'name': field.name,
+                    'key': field.name == key,
+                }
+            )
         for attribute in Attribute.objects.all():
             kind = attribute.get_kind()
             if not kind.get('csv_importable', True):
                 continue
-            help_columns.append({
-                'label': attribute.label,
-                'name': attribute.name,
-                'key': attribute.name == key,
-            })
-        help_columns.append({
-            'label': _('Password hash'),
-            'name': 'password_hash',
-            'key': False,
-        })
+            help_columns.append(
+                {
+                    'label': attribute.label,
+                    'name': attribute.name,
+                    'key': attribute.name == key,
+                }
+            )
+        help_columns.append(
+            {
+                'label': _('Password hash'),
+                'name': 'password_hash',
+                'key': False,
+            }
+        )
         ctx['help_columns'] = help_columns
-        example_data = u','.join(column['name'] + (' key' if column['key'] else '') for column in help_columns) + '\n'
-        example_url = 'data:text/csv;base64,%s' % base64.b64encode(example_data.encode('utf-8')).decode('ascii')
+        example_data = (
+            u','.join(column['name'] + (' key' if column['key'] else '') for column in help_columns) + '\n'
+        )
+        example_url = 'data:text/csv;base64,%s' % base64.b64encode(example_data.encode('utf-8')).decode(
+            'ascii'
+        )
         ctx['form'].fields['import_file'].help_text = format_html(
             _('{0}. {1} <a download="{3}" href="{2}">{3}</a>'),
             ctx['form'].fields['import_file'].help_text,
             _('ex.:'),
             example_url,
-            _('users.csv'))
+            _('users.csv'),
+        )
         return ctx
 
+
 user_imports = UserImportsView.as_view()
 
 
@@ -797,6 +848,7 @@ class UserImportView(MediaMixin, PermissionMixin, FormView):
 
     def dispatch(self, request, uuid, **kwargs):
         from authentic2.manager.user_import import UserImport
+
         self.user_import = UserImport(uuid)
         if not self.user_import.exists():
             raise Http404
@@ -846,6 +898,7 @@ class UserImportView(MediaMixin, PermissionMixin, FormView):
         ctx['reports'] = sorted(self.user_import.reports, key=operator.attrgetter('created'), reverse=True)
         return ctx
 
+
 user_import = UserImportView.as_view()
 
 
@@ -857,6 +910,7 @@ class UserImportReportView(MediaMixin, PermissionMixin, TemplateView):
 
     def dispatch(self, request, import_uuid, report_uuid):
         from authentic2.manager.user_import import UserImport
+
         self.user_import = UserImport(import_uuid)
         if not self.user_import.exists():
             raise Http404
@@ -876,6 +930,7 @@ class UserImportReportView(MediaMixin, PermissionMixin, TemplateView):
             ctx['report_title'] = _('Execution')
         return ctx
 
+
 user_import_report = UserImportReportView.as_view()
 
 
@@ -893,9 +948,7 @@ class UserSuView(MediaMixin, TitleMixin, PermissionMixin, DetailView):
     duration = 30  # seconds
 
     class Media:
-        js = (
-            'authentic2/js/js_seconds_until.js',
-        )
+        js = ('authentic2/js/js_seconds_until.js',)
 
     def dispatch(self, request, *args, **kwargs):
         if not request.user.is_superuser:
@@ -906,18 +959,20 @@ class UserSuView(MediaMixin, TitleMixin, PermissionMixin, DetailView):
         ctx = super(UserSuView, self).get_context_data(**kwargs)
         ctx['su_url'] = make_url(
             'auth_logout',
-
             params={REDIRECT_FIELD_NAME: switch_user.build_url(self.object, self.duration)},
             request=self.request,
-            absolute=True)
+            absolute=True,
+        )
         ctx['duration'] = self.duration
         return ctx
 
+
 su = UserSuView.as_view()
 
 
-class UserAuthorizationsView(FormNeedsRequest, BaseFormView, SingleObjectMixin,
-                             BaseTableView, PermissionMixin):
+class UserAuthorizationsView(
+    FormNeedsRequest, BaseFormView, SingleObjectMixin, BaseTableView, PermissionMixin
+):
     permissions = ['custom_user.view_user']
     template_name = 'authentic2/manager/user_authorizations.html'
     title = pgettext_lazy('manager', 'Consent Management')
@@ -929,8 +984,7 @@ class UserAuthorizationsView(FormNeedsRequest, BaseFormView, SingleObjectMixin,
 
     @property
     def can_manage_authorizations(self):
-        return self.request.user.has_perm(
-            'custom_user.manage_authorizations_user', self.get_object())
+        return self.request.user.has_perm('custom_user.manage_authorizations_user', self.get_object())
 
     def get_table_data(self):
         qs = OIDCAuthorization.objects.filter(user=self.get_object())
@@ -948,7 +1002,8 @@ class UserAuthorizationsView(FormNeedsRequest, BaseFormView, SingleObjectMixin,
                 self.request.journal.record(
                     'manager.user.sso.authorization.deletion',
                     service=oidc_authorization.client,
-                    target_user=self.object)
+                    target_user=self.object,
+                )
         return response
 
 
diff --git a/src/authentic2/manager/views.py b/src/authentic2/manager/views.py
index 76c691c4..1d2641a7 100644
--- a/src/authentic2/manager/views.py
+++ b/src/authentic2/manager/views.py
@@ -23,8 +23,7 @@ from django.core import signing
 from django.core.exceptions import PermissionDenied, ValidationError
 from django.db import transaction
 from django.views.generic.base import ContextMixin
-from django.views.generic import (FormView, UpdateView, CreateView, DeleteView, TemplateView,
-                                  DetailView, View)
+from django.views.generic import FormView, UpdateView, CreateView, DeleteView, TemplateView, DetailView, View
 from django.views.generic.detail import SingleObjectMixin
 from django.views.generic.edit import FormMixin
 from django.http import HttpResponse, Http404
@@ -62,6 +61,7 @@ class MediaMixinBase(MediaDefiningClass, FormMixin):
 
 class MultipleOUMixin(object):
     '''Tell templates if there are multiple OU for adaptation in breadcrumbs for example'''
+
     def get_context_data(self, **kwargs):
         kwargs['multiple_ou'] = utils.get_ou_count() > 1
         return super(MultipleOUMixin, self).get_context_data(**kwargs)
@@ -70,6 +70,7 @@ class MultipleOUMixin(object):
 @six.add_metaclass(MediaMixinBase)
 class MediaMixin(object):
     '''Expose needed CSS and JS files as a media object'''
+
     class Media:
         js = (
             xstatic('jquery.js', 'jquery.min.js'),
@@ -81,11 +82,7 @@ class MediaMixin(object):
             'authentic2/js/purl.js',
             'authentic2/manager/js/manager.js',
         )
-        css = {
-            'all': (
-                'authentic2/manager/css/style.css',
-            )
-        }
+        css = {'all': ('authentic2/manager/css/style.css',)}
 
     def get_context_data(self, **kwargs):
         kwargs['media'] = self.media
@@ -97,6 +94,7 @@ class MediaMixin(object):
 
 class PermissionMixin(object):
     '''Control access to views based on permissions'''
+
     permissions = None
     permissions_global = False
 
@@ -106,23 +104,18 @@ class PermissionMixin(object):
             model_name = self.model._meta.model_name
             add_perm = '%s.add_%s' % (app_label, model_name)
             self.can_add = request.user.has_perm_any(add_perm)
-            if hasattr(self, 'get_object') \
-                    and ((hasattr(self, 'pk_url_kwarg')
-                          and self.pk_url_kwarg in self.kwargs)
-                         or (hasattr(self, 'slug_url_kwarg')
-                             and self.slug_url_kwarg in self.kwargs)):
+            if hasattr(self, 'get_object') and (
+                (hasattr(self, 'pk_url_kwarg') and self.pk_url_kwarg in self.kwargs)
+                or (hasattr(self, 'slug_url_kwarg') and self.slug_url_kwarg in self.kwargs)
+            ):
                 self.object = self.get_object()
                 permissions = ('view', 'change', 'delete', 'manage_members')
                 for permission in permissions:
                     perm = '%s.%s_%s' % (app_label, permission, model_name)
-                    setattr(self, 'can_' + permission,
-                            request.user.has_perm(perm, self.object))
-                if self.permissions \
-                        and not request.user.has_perms(
-                            self.permissions, self.object):
+                    setattr(self, 'can_' + permission, request.user.has_perm(perm, self.object))
+                if self.permissions and not request.user.has_perms(self.permissions, self.object):
                     raise PermissionDenied
-            elif self.permissions \
-                    and not request.user.has_perm_any(self.permissions):
+            elif self.permissions and not request.user.has_perm_any(self.permissions):
                 raise PermissionDenied
         else:
             if self.permissions:
@@ -167,9 +160,9 @@ class TableQuerysetMixin(object):
 
 
 class SearchFormMixin(object):
-    '''Handle a search form on the current table view.
+    """Handle a search form on the current table view.
 
-       The search form class must implement a .filter(qs) method returning a new queryset.'''
+    The search form class must implement a .filter(qs) method returning a new queryset."""
 
     search_form_class = None
 
@@ -219,6 +212,7 @@ class FormatsContextData(object):
 
 class Action(object):
     '''Describe an action for view supporting multiples actions.'''
+
     name = None
     title = None
     confirm = None
@@ -227,8 +221,9 @@ class Action(object):
     popup = True
     permission = None
 
-    def __init__(self, name=None, title=None, confirm=None, url_name=None, url=None,
-                 popup=None, permission=None):
+    def __init__(
+        self, name=None, title=None, confirm=None, url_name=None, url=None, popup=None, permission=None
+    ):
         if name is not None:
             self.name = name
         if title is not None:
@@ -252,11 +247,11 @@ class Action(object):
 
 class AjaxFormViewMixin(object):
     '''Implement a JSON response for view which can be included in an AJAX popup'''
+
     success_url = '.'
 
     def dispatch(self, request, *args, **kwargs):
-        response = super(AjaxFormViewMixin, self).dispatch(request, *args,
-                                                           **kwargs)
+        response = super(AjaxFormViewMixin, self).dispatch(request, *args, **kwargs)
         return self.return_ajax_response(request, response)
 
     def return_ajax_response(self, request, response):
@@ -268,9 +263,11 @@ class AjaxFormViewMixin(object):
             # empty location means that the view can be used from anywhere
             # and so the redirect URL should not be used
             # otherwise compute an absolute URI from the relative URI
-            if location and (not location.startswith('http://')
-                             or not location.startswith('https://')
-                             or not location.startswith('/')):
+            if location and (
+                not location.startswith('http://')
+                or not location.startswith('https://')
+                or not location.startswith('/')
+            ):
                 location = request.build_absolute_uri(location)
             data['location'] = location
         if hasattr(response, 'render'):
@@ -281,6 +278,7 @@ class AjaxFormViewMixin(object):
 
 class TitleMixin(object):
     '''Mixin to provide a title to the view's template'''
+
     title = ''
 
     def get_context_data(self, **kwargs):
@@ -292,6 +290,7 @@ class TitleMixin(object):
 
 class ActionMixin(object):
     '''Describe the main action implementd by a view'''
+
     action = None
 
     def get_context_data(self, **kwargs):
@@ -303,6 +302,7 @@ class ActionMixin(object):
 
 class OtherActionsMixin(object):
     '''Describe secondary actions possible on a view'''
+
     other_actions = None
 
     def get_context_data(self, **kwargs):
@@ -336,8 +336,13 @@ class OtherActionsMixin(object):
                     method = getattr(self, 'action_' + action.name, None)
                     if method:
                         response = method(request, *args, **kwargs)
-                hooks.call_hooks('event', name='manager-action', user=self.request.user,
-                                 action=action, instance=self.object)
+                hooks.call_hooks(
+                    'event',
+                    name='manager-action',
+                    user=self.request.user,
+                    action=action,
+                    instance=self.object,
+                )
                 if response:
                     return response
                 self.request.method = 'GET'
@@ -350,6 +355,7 @@ class OtherActionsMixin(object):
 
 class ExportMixin(object):
     '''Help in implementd export views'''
+
     http_method_names = ['get', 'head', 'options']
     export_prefix = ''
 
@@ -379,15 +385,12 @@ class ExportMixin(object):
 
     def export_response(self, content, content_type, export_format):
         response = HttpResponse(content, content_type=content_type)
-        filename = '%s%s.%s' % (self.get_export_prefix(), now().strftime('%Y%m%d_%H%M%S'),
-                                export_format)
-        response['Content-Disposition'] = 'attachment; filename="%s"' \
-            % filename
+        filename = '%s%s.%s' % (self.get_export_prefix(), now().strftime('%Y%m%d_%H%M%S'), export_format)
+        response['Content-Disposition'] = 'attachment; filename="%s"' % filename
         return response
 
 
 class FormNeedsRequest(object):
-
     def get_form_kwargs(self):
         kwargs = super(FormNeedsRequest, self).get_form_kwargs()
         if getattr(self.get_form_class(), 'need_request', False):
@@ -418,23 +421,43 @@ class TableHookMixin(object):
     def get_table(self, **kwargs):
         table = super(TableHookMixin, self).get_table(**kwargs)
         import copy
+
         table = copy.deepcopy(table)
         hooks.call_hooks('manager_modify_table', self, table)
         return table
 
 
-class BaseTableView(MultipleOUMixin, TitleMixin, TableHookMixin, FormatsContextData, ModelNameMixin,
-                    PermissionMixin, SearchFormMixin, FilterQuerysetByPermMixin, TableQuerysetMixin,
-                    SingleTableView):
+class BaseTableView(
+    MultipleOUMixin,
+    TitleMixin,
+    TableHookMixin,
+    FormatsContextData,
+    ModelNameMixin,
+    PermissionMixin,
+    SearchFormMixin,
+    FilterQuerysetByPermMixin,
+    TableQuerysetMixin,
+    SingleTableView,
+):
     '''Base class for views showing a table of objects'''
+
     pass
 
 
-class SubTableViewMixin(TableHookMixin, FormatsContextData, ModelNameMixin, PermissionMixin,
-                        SearchFormMixin, FilterTableQuerysetByPermMixin,
-                        TableQuerysetMixin, SingleObjectMixin,
-                        SingleTableMixin, ContextMixin):
+class SubTableViewMixin(
+    TableHookMixin,
+    FormatsContextData,
+    ModelNameMixin,
+    PermissionMixin,
+    SearchFormMixin,
+    FilterTableQuerysetByPermMixin,
+    TableQuerysetMixin,
+    SingleObjectMixin,
+    SingleTableMixin,
+    ContextMixin,
+):
     '''Helper class for views showing a table of objects related to one object'''
+
     context_object_name = 'object'
     paginate_by = None
 
@@ -445,15 +468,15 @@ class SimpleSubTableView(TitleMixin, SubTableViewMixin, TemplateView):
     pass
 
 
-class BaseSubTableView(MultipleOUMixin, TitleMixin, SubTableViewMixin,
-                       FormNeedsRequest, FormView):
+class BaseSubTableView(MultipleOUMixin, TitleMixin, SubTableViewMixin, FormNeedsRequest, FormView):
     '''Base class for views showing a table of objects related to one object'''
+
     success_url = '.'
 
 
-class BaseDeleteView(TitleMixin, ModelNameMixin, PermissionMixin,
-                     AjaxFormViewMixin, DeleteView):
+class BaseDeleteView(TitleMixin, ModelNameMixin, PermissionMixin, AjaxFormViewMixin, DeleteView):
     '''Base class for views implementing deletion of an object'''
+
     template_name = 'authentic2/manager/delete.html'
     context_object_name = 'object'
 
@@ -473,6 +496,7 @@ class BaseDeleteView(TitleMixin, ModelNameMixin, PermissionMixin,
 
 class ModelFormView(MediaMixin, FormNeedsRequest):
     '''Base class for views showing a form for a model'''
+
     fields = None
     form_class = None
 
@@ -480,8 +504,7 @@ class ModelFormView(MediaMixin, FormNeedsRequest):
         return self.fields
 
     def get_form_class(self):
-        return modelform_factory(self.model, form=self.form_class,
-                                 fields=self.get_fields())
+        return modelform_factory(self.model, form=self.form_class, fields=self.get_fields())
 
     def get_form(self, form_class=None):
         form = super(ModelFormView, self).get_form(form_class=form_class)
@@ -489,8 +512,7 @@ class ModelFormView(MediaMixin, FormNeedsRequest):
         return form
 
 
-class BaseDetailView(MultipleOUMixin, TitleMixin, ModelNameMixin, PermissionMixin, ModelFormView,
-                     DetailView):
+class BaseDetailView(MultipleOUMixin, TitleMixin, ModelNameMixin, PermissionMixin, ModelFormView, DetailView):
     context_object_name = 'object'
     form_class = None
 
@@ -521,9 +543,11 @@ class BaseDetailView(MultipleOUMixin, TitleMixin, ModelNameMixin, PermissionMixi
         return ctx
 
 
-class BaseAddView(MultipleOUMixin, TitleMixin, ModelNameMixin, PermissionMixin,
-                  AjaxFormViewMixin, ModelFormView, CreateView):
+class BaseAddView(
+    MultipleOUMixin, TitleMixin, ModelNameMixin, PermissionMixin, AjaxFormViewMixin, ModelFormView, CreateView
+):
     '''Base class for views for adding an instance of a model'''
+
     template_name = 'authentic2/manager/form.html'
     success_view_name = None
     context_object_name = 'object'
@@ -542,9 +566,18 @@ class BaseAddView(MultipleOUMixin, TitleMixin, ModelNameMixin, PermissionMixin,
         return reverse(self.success_view_name, kwargs={'pk': self.object.pk})
 
 
-class BaseEditView(MultipleOUMixin, SuccessMessageMixin, TitleMixin, ModelNameMixin,
-                   PermissionMixin, AjaxFormViewMixin, ModelFormView, UpdateView):
+class BaseEditView(
+    MultipleOUMixin,
+    SuccessMessageMixin,
+    TitleMixin,
+    ModelNameMixin,
+    PermissionMixin,
+    AjaxFormViewMixin,
+    ModelFormView,
+    UpdateView,
+):
     '''Base class for views for editing an instance of a model'''
+
     template_name = 'authentic2/manager/form.html'
     context_object_name = 'object'
 
@@ -564,8 +597,12 @@ class BaseEditView(MultipleOUMixin, SuccessMessageMixin, TitleMixin, ModelNameMi
 
 class HomepageView(TitleMixin, PermissionMixin, MediaMixin, TemplateView):
     template_name = 'authentic2/manager/homepage.html'
-    permissions = ['a2_rbac.search_role', 'a2_rbac.search_organizationalunit',
-                   'auth.search_group', 'custom_user.search_user']
+    permissions = [
+        'a2_rbac.search_role',
+        'a2_rbac.search_organizationalunit',
+        'auth.search_group',
+        'custom_user.search_user',
+    ]
     default_entries = [
         {
             'class': 'icon-organizational-units',
@@ -609,8 +646,8 @@ class HomepageView(TitleMixin, PermissionMixin, MediaMixin, TemplateView):
     def get_homepage_entries(self):
         entries = []
         for hook_entries in itertools.chain(
-                self.default_entries,
-                hooks.call_hooks('manager_homepage_entries', self)):
+            self.default_entries, hooks.call_hooks('manager_homepage_entries', self)
+        ):
             if not hasattr(hook_entries, 'append'):
                 hook_entries = [hook_entries]
             for entry in hook_entries:
@@ -640,11 +677,13 @@ class MenuJson(HomepageView):
         for entry in self.get_homepage_entries():
             if entry.get('slug') == 'journal':
                 continue
-            menu_entries.append({
-                'label': six.text_type(entry['label']),
-                'slug': entry.get('slug', ''),
-                'url': request.build_absolute_uri(six.text_type(entry['href'])),
-            })
+            menu_entries.append(
+                {
+                    'label': six.text_type(entry['label']),
+                    'slug': entry.get('slug', ''),
+                    'url': request.build_absolute_uri(six.text_type(entry['href'])),
+                }
+            )
         return menu_entries
 
 
@@ -657,9 +696,11 @@ class HideOUColumnMixin(object):
     def get_table(self, **kwargs):
         OU = get_ou_model()
         exclude_ou = False
-        if (hasattr(self, 'search_form')
-                and self.search_form.is_valid()
-                and self.search_form.cleaned_data.get('ou') is not None):
+        if (
+            hasattr(self, 'search_form')
+            and self.search_form.is_valid()
+            and self.search_form.cleaned_data.get('ou') is not None
+        ):
             exclude_ou = True
         if OU.objects.count() < 2:
             exclude_ou = True
@@ -685,7 +726,9 @@ class Select2View(AutoResponseView):
         if not widget_class or not hasattr(widgets, widget_class):
             raise Http404('Missing or unknown widget class.')
         widget = getattr(widgets, widget_class)()
-        if not isinstance(widget, (widgets.SimpleModelSelect2Widget, widgets.SimpleModelSelect2MultipleWidget)):
+        if not isinstance(
+            widget, (widgets.SimpleModelSelect2Widget, widgets.SimpleModelSelect2MultipleWidget)
+        ):
             raise Http404('Reference to invalid widget class')
         qs = widget.get_queryset()
         qs.query.where = pickle.loads(base64.b64decode(field_data['where_clause']))
@@ -701,12 +744,10 @@ select2 = Select2View.as_view()
 
 
 class SiteExport(View):
-
     def get(self, request, *args, **kwargs):
         if not request.user.is_superuser:
             raise PermissionDenied
-        return HttpResponse(
-            json.dumps(export_site(), indent=4), content_type='application/json')
+        return HttpResponse(json.dumps(export_site(), indent=4), content_type='application/json')
 
 
 site_export = SiteExport.as_view()
diff --git a/src/authentic2/manager/widgets.py b/src/authentic2/manager/widgets.py
index 59b42252..2ef63e70 100644
--- a/src/authentic2/manager/widgets.py
+++ b/src/authentic2/manager/widgets.py
@@ -76,8 +76,10 @@ class SimpleModelSelect2MultipleWidget(Select2Mixin, ModelSelect2MultipleWidget)
 class SearchUserWidgetMixin(SplitTermMixin):
     model = get_user_model()
     search_fields = [
-        'username__icontains', 'first_name__icontains',
-        'last_name__icontains', 'email__icontains'
+        'username__icontains',
+        'first_name__icontains',
+        'last_name__icontains',
+        'email__icontains',
     ]
 
     def label_from_instance(self, user):
@@ -104,8 +106,7 @@ class SearchRoleWidgetMixin(SplitTermMixin):
     def label_from_instance(self, obj):
         label = six.text_type(obj)
         if obj.ou and utils.get_ou_count() > 1:
-            label = u'{ou} - {obj}'.format(
-                ou=obj.ou, obj=obj)
+            label = u'{ou} - {obj}'.format(ou=obj.ou, obj=obj)
         return label
 
 
diff --git a/src/authentic2/managers.py b/src/authentic2/managers.py
index 9ba16c93..fed9280c 100644
--- a/src/authentic2/managers.py
+++ b/src/authentic2/managers.py
@@ -35,6 +35,7 @@ class GetBySlugQuerySet(QuerySet):
     def get_by_natural_key(self, slug):
         return self.get(slug=slug)
 
+
 GetBySlugManager = GetBySlugQuerySet.as_manager
 
 
@@ -42,6 +43,7 @@ class GetByNameQuerySet(QuerySet):
     def get_by_natural_key(self, name):
         return self.get(name=name)
 
+
 GetByNameManager = GetByNameQuerySet.as_manager
 
 
@@ -62,6 +64,7 @@ class GenericQuerySet(QuerySet):
         content_type = ContentType.objects.get_for_model(model)
         return self.filter(content_type=content_type, object_id=model.pk)
 
+
 GenericManager = models.Manager.from_queryset(GenericQuerySet)
 
 
@@ -72,6 +75,7 @@ class AttributeValueQuerySet(QuerySet):
 
     def get_by_natural_key(self, ct_nk, owner_nk, attribute_nk):
         from .models import Attribute, AttributeValue
+
         try:
             ct = ContentType.objects.get_by_natural_key(*ct_nk)
         except ContentType.DoesNotExist:
diff --git a/src/authentic2/middleware.py b/src/authentic2/middleware.py
index e5aeb4f0..d1e2c0e4 100644
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import time
+
 try:
     import threading
 except ImportError:
@@ -60,8 +61,13 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
         else:
             domain = app_settings.A2_OPENED_SESSION_COOKIE_DOMAIN
         if hasattr(request, 'user') and request.user.is_authenticated:
-            response.set_cookie(name, value='1', max_age=None, domain=domain,
-                                secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE)
+            response.set_cookie(
+                name,
+                value='1',
+                max_age=None,
+                domain=domain,
+                secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE,
+            )
         elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
             response.delete_cookie(name, domain=domain)
         return response
@@ -129,10 +135,11 @@ class ViewRestrictionMiddleware(MiddlewareMixin):
 
 
 class XForwardedForMiddleware(MiddlewareMixin):
-    '''Copy the first address from X-Forwarded-For header to the REMOTE_ADDR meta.
+    """Copy the first address from X-Forwarded-For header to the REMOTE_ADDR meta.
+
+    This middleware should only be used if you are sure the header cannot be
+    forged (behind a reverse proxy for example)."""
 
-       This middleware should only be used if you are sure the header cannot be
-       forged (behind a reverse proxy for example).'''
     def process_request(self, request):
         if 'HTTP_X_FORWARDED_FOR' in request.META:
             request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(",")[0].strip()
@@ -140,9 +147,10 @@ class XForwardedForMiddleware(MiddlewareMixin):
 
 
 class DisplayMessageBeforeRedirectMiddleware(MiddlewareMixin):
-    '''Verify if messages are currently stored and if there is a redirection to another domain, in
-       this case show an intermediate page.
-    '''
+    """Verify if messages are currently stored and if there is a redirection to another domain, in
+    this case show an intermediate page.
+    """
+
     def process_response(self, request, response):
         # Check if response is a redirection
         if response.status_code not in (301, 302, 303, 307, 308):
@@ -157,8 +165,9 @@ class DisplayMessageBeforeRedirectMiddleware(MiddlewareMixin):
         if not parsed_url.scheme and not parsed_url.netloc:
             return response
         parsed_request_url = urlparse.urlparse(request.build_absolute_uri())
-        if (parsed_request_url.scheme == parsed_url.scheme or not parsed_url.scheme) and \
-                (parsed_request_url.netloc == parsed_url.netloc):
+        if (parsed_request_url.scheme == parsed_url.scheme or not parsed_url.scheme) and (
+            parsed_request_url.netloc == parsed_url.netloc
+        ):
             return response
         # Check if there is some messages to show
         storage = messages.get_messages(request)
@@ -206,6 +215,7 @@ def journal_middleware(get_response):
     def middleware(request):
         request.journal = journal.Journal(request=request)
         return get_response(request)
+
     return middleware
 
 
@@ -226,4 +236,5 @@ def null_character_middleware(get_response):
                 return http.HttpResponseBadRequest('null character in form data')
 
         return get_response(request)
+
     return middleware
diff --git a/src/authentic2/migrations/0001_initial.py b/src/authentic2/migrations/0001_initial.py
index 3130cd8b..69254de6 100644
--- a/src/authentic2/migrations/0001_initial.py
+++ b/src/authentic2/migrations/0001_initial.py
@@ -15,16 +15,32 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Attribute',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('label', models.CharField(unique=True, max_length=63, verbose_name='label')),
                 ('description', models.TextField(verbose_name='description', blank=True)),
                 ('name', models.SlugField(unique=True, max_length=256, verbose_name='name')),
                 ('required', models.BooleanField(blank=True, default=False, verbose_name='required')),
-                ('asked_on_registration', models.BooleanField(blank=True, default=False, verbose_name='asked on registration')),
-                ('user_editable', models.BooleanField(blank=True, default=False, verbose_name='user editable')),
+                (
+                    'asked_on_registration',
+                    models.BooleanField(blank=True, default=False, verbose_name='asked on registration'),
+                ),
+                (
+                    'user_editable',
+                    models.BooleanField(blank=True, default=False, verbose_name='user editable'),
+                ),
                 ('user_visible', models.BooleanField(blank=True, default=False, verbose_name='user visible')),
                 ('multiple', models.BooleanField(blank=True, default=False, verbose_name='multiple')),
-                ('kind', models.CharField(max_length=16, verbose_name='kind', choices=[('string', '<django.utils.functional.__proxy__ object at 0x303d350>')])),
+                (
+                    'kind',
+                    models.CharField(
+                        max_length=16,
+                        verbose_name='kind',
+                        choices=[('string', '<django.utils.functional.__proxy__ object at 0x303d350>')],
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'attribute definition',
@@ -35,11 +51,24 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AttributeValue',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('object_id', models.PositiveIntegerField(verbose_name='object identifier')),
                 ('content', models.TextField(verbose_name='content')),
-                ('attribute', models.ForeignKey(verbose_name='attribute', to='authentic2.Attribute', on_delete=models.CASCADE)),
-                ('content_type', models.ForeignKey(verbose_name='content type', to='contenttypes.ContentType', on_delete=models.CASCADE)),
+                (
+                    'attribute',
+                    models.ForeignKey(
+                        verbose_name='attribute', to='authentic2.Attribute', on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'content_type',
+                    models.ForeignKey(
+                        verbose_name='content type', to='contenttypes.ContentType', on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'attribute value',
@@ -50,7 +79,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AuthenticationEvent',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('when', models.DateTimeField(auto_now=True, verbose_name='when')),
                 ('who', models.CharField(max_length=80, verbose_name='who')),
                 ('how', models.CharField(max_length=32, verbose_name='how')),
@@ -65,7 +97,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='DeletedUser',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('creation', models.DateTimeField(auto_now_add=True, verbose_name='creation date')),
                 ('user', models.ForeignKey(verbose_name='user', to='auth.User', on_delete=models.CASCADE)),
             ],
@@ -78,7 +113,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='FederatedId',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('provider', models.CharField(max_length=255, verbose_name='provider')),
                 ('about', models.CharField(max_length=255, verbose_name='about')),
                 ('service', models.CharField(max_length=255, verbose_name='service')),
@@ -94,12 +132,41 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LogoutUrl',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('logout_url', models.URLField(help_text='you can use a {} to pass the URL of the success icon, ex.: http://example.com/logout?next={}', max_length=255, null=True, verbose_name='url', blank=True)),
-                ('logout_use_iframe', models.BooleanField(default=False, verbose_name='use an iframe instead of an img tag for logout')),
-                ('logout_use_iframe_timeout', models.PositiveIntegerField(default=300, help_text="if iframe logout is used, it's the time between the onload event for this iframe and the moment we consider its loading to be really finished", verbose_name='iframe logout timeout (ms)')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'logout_url',
+                    models.URLField(
+                        help_text='you can use a {} to pass the URL of the success icon, ex.: http://example.com/logout?next={}',
+                        max_length=255,
+                        null=True,
+                        verbose_name='url',
+                        blank=True,
+                    ),
+                ),
+                (
+                    'logout_use_iframe',
+                    models.BooleanField(
+                        default=False, verbose_name='use an iframe instead of an img tag for logout'
+                    ),
+                ),
+                (
+                    'logout_use_iframe_timeout',
+                    models.PositiveIntegerField(
+                        default=300,
+                        help_text="if iframe logout is used, it's the time between the onload event for this iframe and the moment we consider its loading to be really finished",
+                        verbose_name='iframe logout timeout (ms)',
+                    ),
+                ),
                 ('object_id', models.PositiveIntegerField(verbose_name='object identifier')),
-                ('content_type', models.ForeignKey(verbose_name='content type', to='contenttypes.ContentType', on_delete=models.CASCADE)),
+                (
+                    'content_type',
+                    models.ForeignKey(
+                        verbose_name='content type', to='contenttypes.ContentType', on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'logout URL',
@@ -110,7 +177,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='PasswordReset',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('user', models.ForeignKey(verbose_name='user', to='auth.User', on_delete=models.CASCADE)),
             ],
             options={
@@ -122,7 +192,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='UserExternalId',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('source', models.URLField(max_length=256, verbose_name='source')),
                 ('external_id', models.CharField(max_length=256, verbose_name='external id')),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='creation date')),
diff --git a/src/authentic2/migrations/0003_auto_20150409_1840.py b/src/authentic2/migrations/0003_auto_20150409_1840.py
index 5f666040..d8a52fe4 100644
--- a/src/authentic2/migrations/0003_auto_20150409_1840.py
+++ b/src/authentic2/migrations/0003_auto_20150409_1840.py
@@ -16,19 +16,25 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='deleteduser',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='passwordreset',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='userexternalid',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/migrations/0004_service.py b/src/authentic2/migrations/0004_service.py
index c2066513..d5c68454 100644
--- a/src/authentic2/migrations/0004_service.py
+++ b/src/authentic2/migrations/0004_service.py
@@ -14,7 +14,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Service',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(max_length=128, verbose_name='name')),
                 ('slug', models.SlugField(max_length=128, verbose_name='slug')),
             ],
diff --git a/src/authentic2/migrations/0005_service_ou.py b/src/authentic2/migrations/0005_service_ou.py
index 9a6a7770..dd2134e0 100644
--- a/src/authentic2/migrations/0005_service_ou.py
+++ b/src/authentic2/migrations/0005_service_ou.py
@@ -16,7 +16,9 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='service',
             name='ou',
-            field=models.ForeignKey(blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AlterUniqueTogether(
diff --git a/src/authentic2/migrations/0006_conditional_slug_index.py b/src/authentic2/migrations/0006_conditional_slug_index.py
index 0f80b690..12be4e26 100644
--- a/src/authentic2/migrations/0006_conditional_slug_index.py
+++ b/src/authentic2/migrations/0006_conditional_slug_index.py
@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 from django.db import migrations
 from authentic2.migrations import CreatePartialIndexes
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -11,7 +12,7 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        CreatePartialIndexes('Service', 'authentic2_service',
-                             'authentic2_service_uniq_idx', ('ou_id',),
-                             ('slug',)),
+        CreatePartialIndexes(
+            'Service', 'authentic2_service', 'authentic2_service_uniq_idx', ('ou_id',), ('slug',)
+        ),
     ]
diff --git a/src/authentic2/migrations/0007_auto_20150523_0028.py b/src/authentic2/migrations/0007_auto_20150523_0028.py
index 6857988a..5c08a792 100644
--- a/src/authentic2/migrations/0007_auto_20150523_0028.py
+++ b/src/authentic2/migrations/0007_auto_20150523_0028.py
@@ -15,7 +15,13 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='service',
             name='ou',
-            field=models.ForeignKey(verbose_name='organizational unit', blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='organizational unit',
+                blank=True,
+                to=settings.RBAC_OU_MODEL,
+                null=True,
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/migrations/0008_auto_20160204_1415.py b/src/authentic2/migrations/0008_auto_20160204_1415.py
index e7b9a613..a606ae1e 100644
--- a/src/authentic2/migrations/0008_auto_20160204_1415.py
+++ b/src/authentic2/migrations/0008_auto_20160204_1415.py
@@ -15,7 +15,9 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='passwordreset',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, unique=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, unique=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/migrations/0009_auto_20160211_2247.py b/src/authentic2/migrations/0009_auto_20160211_2247.py
index 9ca22430..af4abb26 100644
--- a/src/authentic2/migrations/0009_auto_20160211_2247.py
+++ b/src/authentic2/migrations/0009_auto_20160211_2247.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def deduplicate_attribute_values(apps, schema_editor):
     AttributeValue = apps.get_model('authentic2', 'AttributeValue')
     seen = set()
diff --git a/src/authentic2/migrations/0012_auto_20160211_2255.py b/src/authentic2/migrations/0012_auto_20160211_2255.py
index 62a5b6c3..e747e893 100644
--- a/src/authentic2/migrations/0012_auto_20160211_2255.py
+++ b/src/authentic2/migrations/0012_auto_20160211_2255.py
@@ -15,6 +15,8 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='attributevalue',
             name='multiple',
-            field=models.NullBooleanField(default=False) if django.VERSION < (2,) else models.BooleanField(default=False, null=True),
+            field=models.NullBooleanField(default=False)
+            if django.VERSION < (2,)
+            else models.BooleanField(default=False, null=True),
         ),
     ]
diff --git a/src/authentic2/migrations/0013_auto_20160211_2258.py b/src/authentic2/migrations/0013_auto_20160211_2258.py
index 15dabf7c..5607e2d3 100644
--- a/src/authentic2/migrations/0013_auto_20160211_2258.py
+++ b/src/authentic2/migrations/0013_auto_20160211_2258.py
@@ -17,8 +17,12 @@ class Migration(migrations.Migration):
             name='attributevalue',
             unique_together=set([('content_type', 'object_id', 'attribute', 'multiple', 'content')]),
         ),
-        CreatePartialIndexes('AttributeValue', 'authentic2_attributevalue',
-                             'authentic2_attribute_value_partial_unique_idx',
-                             (), ('content_type_id', 'object_id', 'attribute_id'),
-                             where=(('multiple = %s', (False,)),))
+        CreatePartialIndexes(
+            'AttributeValue',
+            'authentic2_attributevalue',
+            'authentic2_attribute_value_partial_unique_idx',
+            (),
+            ('content_type_id', 'object_id', 'attribute_id'),
+            where=(('multiple = %s', (False,)),),
+        ),
     ]
diff --git a/src/authentic2/migrations/0015_auto_20160621_1711.py b/src/authentic2/migrations/0015_auto_20160621_1711.py
index 80d1bee8..f6179625 100644
--- a/src/authentic2/migrations/0015_auto_20160621_1711.py
+++ b/src/authentic2/migrations/0015_auto_20160621_1711.py
@@ -15,6 +15,8 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='passwordreset',
             name='user',
-            field=models.OneToOneField(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
         ),
     ]
diff --git a/src/authentic2/migrations/0018_auto_20170524_0842.py b/src/authentic2/migrations/0018_auto_20170524_0842.py
index 813d4af2..56f33eb7 100644
--- a/src/authentic2/migrations/0018_auto_20170524_0842.py
+++ b/src/authentic2/migrations/0018_auto_20170524_0842.py
@@ -16,14 +16,19 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AuthorizedRole',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('role', models.ForeignKey(to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE)),
             ],
         ),
         migrations.AddField(
             model_name='service',
             name='unauthorized_url',
-            field=models.URLField(max_length=256, null=True, verbose_name='callback url when unauthorized', blank=True),
+            field=models.URLField(
+                max_length=256, null=True, verbose_name='callback url when unauthorized', blank=True
+            ),
         ),
         migrations.AddField(
             model_name='authorizedrole',
@@ -33,6 +38,12 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='service',
             name='authorized_roles',
-            field=models.ManyToManyField(related_name='allowed_services', verbose_name='authorized services', to=settings.RBAC_ROLE_MODEL, through='authentic2.AuthorizedRole', blank=True),
+            field=models.ManyToManyField(
+                related_name='allowed_services',
+                verbose_name='authorized services',
+                to=settings.RBAC_ROLE_MODEL,
+                through='authentic2.AuthorizedRole',
+                blank=True,
+            ),
         ),
     ]
diff --git a/src/authentic2/migrations/0021_attribute_order.py b/src/authentic2/migrations/0021_attribute_order.py
index 3bec9649..48c2a945 100644
--- a/src/authentic2/migrations/0021_attribute_order.py
+++ b/src/authentic2/migrations/0021_attribute_order.py
@@ -19,7 +19,12 @@ class Migration(migrations.Migration):
         ),
         migrations.AlterModelOptions(
             name='attribute',
-            options={'base_manager_name': 'all_objects', 'ordering': ('order', 'id'), 'verbose_name': 'attribute definition', 'verbose_name_plural': 'attribute definitions'},
+            options={
+                'base_manager_name': 'all_objects',
+                'ordering': ('order', 'id'),
+                'verbose_name': 'attribute definition',
+                'verbose_name_plural': 'attribute definitions',
+            },
         ),
         migrations.AlterModelManagers(
             name='attribute',
diff --git a/src/authentic2/migrations/0022_attribute_scopes.py b/src/authentic2/migrations/0022_attribute_scopes.py
index c96591c8..1ad53db6 100644
--- a/src/authentic2/migrations/0022_attribute_scopes.py
+++ b/src/authentic2/migrations/0022_attribute_scopes.py
@@ -14,6 +14,12 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='attribute',
             name='scopes',
-            field=models.CharField(default='', help_text='scopes separated by spaces', max_length=256, verbose_name='scopes', blank=True),
+            field=models.CharField(
+                default='',
+                help_text='scopes separated by spaces',
+                max_length=256,
+                verbose_name='scopes',
+                blank=True,
+            ),
         ),
     ]
diff --git a/src/authentic2/migrations/0024_auto_20190617_1113.py b/src/authentic2/migrations/0024_auto_20190617_1113.py
index 0168bee9..d637fd41 100644
--- a/src/authentic2/migrations/0024_auto_20190617_1113.py
+++ b/src/authentic2/migrations/0024_auto_20190617_1113.py
@@ -15,8 +15,7 @@ class Migration(migrations.Migration):
     operations = [
         migrations.CreateModel(
             name='LDAPUser',
-            fields=[
-            ],
+            fields=[],
             options={
                 'proxy': True,
             },
diff --git a/src/authentic2/migrations/0025_auto_20191009_1047.py b/src/authentic2/migrations/0025_auto_20191009_1047.py
index e0c33de4..1937bc3a 100644
--- a/src/authentic2/migrations/0025_auto_20191009_1047.py
+++ b/src/authentic2/migrations/0025_auto_20191009_1047.py
@@ -17,6 +17,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='deleteduser',
             name='user',
-            field=models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='deletion', to=settings.AUTH_USER_MODEL, verbose_name='user'),
+            field=models.OneToOneField(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name='deletion',
+                to=settings.AUTH_USER_MODEL,
+                verbose_name='user',
+            ),
         ),
     ]
diff --git a/src/authentic2/migrations/0026_token.py b/src/authentic2/migrations/0026_token.py
index 731d2f78..66ca9304 100644
--- a/src/authentic2/migrations/0026_token.py
+++ b/src/authentic2/migrations/0026_token.py
@@ -17,9 +17,21 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Token',
             fields=[
-                ('uuid', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='Identifier')),
+                (
+                    'uuid',
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='Identifier',
+                    ),
+                ),
                 ('kind', models.CharField(max_length=32, verbose_name='Kind')),
-                ('content', django.contrib.postgres.fields.jsonb.JSONField(blank=True, verbose_name='Content')),
+                (
+                    'content',
+                    django.contrib.postgres.fields.jsonb.JSONField(blank=True, verbose_name='Content'),
+                ),
                 ('created', models.DateTimeField(verbose_name='Creation date', auto_now_add=True)),
                 ('expires', models.DateTimeField(verbose_name='Expires')),
             ],
diff --git a/src/authentic2/migrations/0027_remove_deleteduser.py b/src/authentic2/migrations/0027_remove_deleteduser.py
index acf48490..2999e364 100644
--- a/src/authentic2/migrations/0027_remove_deleteduser.py
+++ b/src/authentic2/migrations/0027_remove_deleteduser.py
@@ -9,7 +9,10 @@ def fill_deleted(apps, schema_editor):
     DeletedUser = apps.get_model('authentic2', 'DeletedUser')
     User = apps.get_model('custom_user', 'User')
     User.objects.update(
-        deleted=models.Subquery(DeletedUser.objects.filter(user_id=models.OuterRef('id')).values_list('creation')[:1]))
+        deleted=models.Subquery(
+            DeletedUser.objects.filter(user_id=models.OuterRef('id')).values_list('creation')[:1]
+        )
+    )
 
 
 class Migration(migrations.Migration):
diff --git a/src/authentic2/migrations/0028_trigram_unaccent_index.py b/src/authentic2/migrations/0028_trigram_unaccent_index.py
index 2b0d4e11..fc6c5be4 100644
--- a/src/authentic2/migrations/0028_trigram_unaccent_index.py
+++ b/src/authentic2/migrations/0028_trigram_unaccent_index.py
@@ -17,7 +17,7 @@ class Migration(migrations.Migration):
                 "CREATE OR REPLACE FUNCTION public.immutable_unaccent(text) RETURNS varchar AS $$ "
                 "SELECT public.unaccent('public.unaccent',$1::text); $$ LANGUAGE 'sql' IMMUTABLE",
                 "CREATE INDEX custom_user_name_gist_idx ON custom_user_user USING gist "
-                "(LOWER(public.immutable_unaccent(first_name || ' ' || last_name)) public.gist_trgm_ops)"
+                "(LOWER(public.immutable_unaccent(first_name || ' ' || last_name)) public.gist_trgm_ops)",
             ],
             reverse_sql=[
                 "DROP INDEX IF EXISTS custom_user_name_gist_idx",
diff --git a/src/authentic2/migrations/0029_auto_20201013_1614.py b/src/authentic2/migrations/0029_auto_20201013_1614.py
index 8edb34fd..6be8083b 100644
--- a/src/authentic2/migrations/0029_auto_20201013_1614.py
+++ b/src/authentic2/migrations/0029_auto_20201013_1614.py
@@ -14,6 +14,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='attributevalue',
-            options={'ordering': ('attribute__order', 'id'), 'verbose_name': 'attribute value', 'verbose_name_plural': 'attribute values'},
+            options={
+                'ordering': ('attribute__order', 'id'),
+                'verbose_name': 'attribute value',
+                'verbose_name_plural': 'attribute values',
+            },
         ),
     ]
diff --git a/src/authentic2/migrations/0030_clean_admin_tools_tables.py b/src/authentic2/migrations/0030_clean_admin_tools_tables.py
index 1b3bec33..3d73374d 100644
--- a/src/authentic2/migrations/0030_clean_admin_tools_tables.py
+++ b/src/authentic2/migrations/0030_clean_admin_tools_tables.py
@@ -9,11 +9,13 @@ def noop(apps, schema_editor):
 def clean_admin_tools_tables(apps, schema_editor):
     try:
         with schema_editor.connection.cursor() as cursor:
-            cursor.execute("SELECT table_name FROM information_schema.tables "
-                           "WHERE table_schema = current_schema() "
-                           "AND table_name LIKE 'admin_tools%'")
+            cursor.execute(
+                "SELECT table_name FROM information_schema.tables "
+                "WHERE table_schema = current_schema() "
+                "AND table_name LIKE 'admin_tools%'"
+            )
             rows = cursor.fetchall()
-            for table_name, in rows:
+            for (table_name,) in rows:
                 cursor.execute('DROP TABLE "%s" CASCADE' % table_name)
     except Exception:
         logging.getLogger(__name__).exception('migration authentic2.0030 failed')
diff --git a/src/authentic2/migrations/0031_add_search_vector_to_attributes.py b/src/authentic2/migrations/0031_add_search_vector_to_attributes.py
index 8fc668ae..0d2007f0 100644
--- a/src/authentic2/migrations/0031_add_search_vector_to_attributes.py
+++ b/src/authentic2/migrations/0031_add_search_vector_to_attributes.py
@@ -6,23 +6,29 @@ from django.db import migrations
 def create_trigger(apps, schema_editor):
     with schema_editor.connection.cursor() as cursor:
         cursor.execute('SHOW default_text_search_config')
-        default_text_search_config, = cursor.fetchone()
-        cursor.execute('''CREATE OR REPLACE FUNCTION authentic2_update_atv_search_vector() RETURNS TRIGGER AS $$
+        (default_text_search_config,) = cursor.fetchone()
+        cursor.execute(
+            '''CREATE OR REPLACE FUNCTION authentic2_update_atv_search_vector() RETURNS TRIGGER AS $$
 BEGIN
     IF TG_OP = 'INSERT' OR (TG_OP = 'UPDATE' AND NEW.content <> OLD.content) THEN
         NEW.search_vector = to_tsvector(NEW.content);
     END IF;
     RETURN NEW;
-END; $$ LANGUAGE plpgsql''')
-        cursor.execute('''CREATE TRIGGER authentic2_attributevalue_search_vector_trigger
+END; $$ LANGUAGE plpgsql'''
+        )
+        cursor.execute(
+            '''CREATE TRIGGER authentic2_attributevalue_search_vector_trigger
 BEFORE INSERT OR UPDATE OF content
 ON authentic2_attributevalue
-FOR EACH ROW EXECUTE PROCEDURE authentic2_update_atv_search_vector()''')
+FOR EACH ROW EXECUTE PROCEDURE authentic2_update_atv_search_vector()'''
+        )
 
 
 def drop_trigger(apps, schema_editor):
     with schema_editor.connection.cursor() as cursor:
-        cursor.execute('DROP TRIGGER IF EXISTS authentic2_attributevalue_search_vector_trigger ON authentic2_attributevalue')
+        cursor.execute(
+            'DROP TRIGGER IF EXISTS authentic2_attributevalue_search_vector_trigger ON authentic2_attributevalue'
+        )
         cursor.execute('DROP FUNCTION IF EXISTS authentic2_update_atv_search_vector')
 
 
@@ -39,8 +45,9 @@ class Migration(migrations.Migration):
         ),
         migrations.AddIndex(
             model_name='attributevalue',
-            index=django.contrib.postgres.indexes.GinIndex(fields=['search_vector'], name='authentic2_atv_tsvector_idx')
+            index=django.contrib.postgres.indexes.GinIndex(
+                fields=['search_vector'], name='authentic2_atv_tsvector_idx'
+            ),
         ),
         migrations.RunPython(create_trigger, drop_trigger),
-
     ]
diff --git a/src/authentic2/migrations/__init__.py b/src/authentic2/migrations/__init__.py
index 91449d1a..3bc8d854 100644
--- a/src/authentic2/migrations/__init__.py
+++ b/src/authentic2/migrations/__init__.py
@@ -7,8 +7,16 @@ from django.utils import six
 class CreatePartialIndexes(Operation):
     reversible = True
 
-    def __init__(self, model_name, table_name, index_name, nullable_columns, non_null_columns,
-                 null_columns=None, where=None):
+    def __init__(
+        self,
+        model_name,
+        table_name,
+        index_name,
+        nullable_columns,
+        non_null_columns,
+        null_columns=None,
+        where=None,
+    ):
         self.model_name = model_name
         self.table_name = table_name
         self.index_name = index_name
@@ -58,17 +66,19 @@ class CreatePartialIndexes(Operation):
                         clause, params = clause
                         assert isinstance(clause, six.string_types)
                         assert isinstance(params, tuple)
-                        clause = clause % tuple(schema_editor.quote_value(param) for param in
-                                                 params)
+                        clause = clause % tuple(schema_editor.quote_value(param) for param in params)
                     assert isinstance(clause, six.string_types)
                     clauses.append(clause)
                 where_clause = ' AND '.join(clauses)
                 # SQLite does not accept parameters in partial index creations, don't ask why :/
-                schema_editor.execute('CREATE UNIQUE INDEX "%s_%s" ON %s (%s) WHERE %s' %
-                                      (self.index_name, i, self.table_name, index, where_clause))
+                schema_editor.execute(
+                    'CREATE UNIQUE INDEX "%s_%s" ON %s (%s) WHERE %s'
+                    % (self.index_name, i, self.table_name, index, where_clause)
+                )
             else:
-                schema_editor.execute('CREATE UNIQUE INDEX "%s_%s" ON %s (%s)' %
-                                      (self.index_name, i, self.table_name, index))
+                schema_editor.execute(
+                    'CREATE UNIQUE INDEX "%s_%s" ON %s (%s)' % (self.index_name, i, self.table_name, index)
+                )
 
     def database_backwards(self, app_label, schema_editor, from_state, to_state):
         if not self.allowed(app_label, schema_editor, to_state):
diff --git a/src/authentic2/models.py b/src/authentic2/models.py
index 12c39357..70dbf0b4 100644
--- a/src/authentic2/models.py
+++ b/src/authentic2/models.py
@@ -44,16 +44,14 @@ except ImportError:
     from django.contrib.contenttypes.generic import GenericForeignKey
 
 from . import managers
+
 # install our natural_key implementation
 from . import natural_key as unused_natural_key  # noqa: F401
 from .utils import ServiceAccessDenied
 
 
 class UserExternalId(models.Model):
-    user = models.ForeignKey(
-        settings.AUTH_USER_MODEL,
-        verbose_name=_('user'),
-        on_delete=models.CASCADE)
+    user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name=_('user'), on_delete=models.CASCADE)
     source = models.CharField(max_length=256, verbose_name=_('source'))
     external_id = models.CharField(max_length=256, verbose_name=_('external id'))
     created = models.DateTimeField(auto_now_add=True, verbose_name=_('creation date'))
@@ -63,10 +61,12 @@ class UserExternalId(models.Model):
         return u'{0} is {1} on {2}'.format(self.user, self.external_id, self.source)
 
     def __repr__(self):
-        return '<UserExternalId user: {0!r} source: {1!r} ' \
-               'external_id: {2!r} created: {3} updated: {4}' \
-               .format(self.user_id, self.source, self.external_id,
-                       self.created, self.updated)
+        return (
+            '<UserExternalId user: {0!r} source: {1!r} '
+            'external_id: {2!r} created: {3} updated: {4}'.format(
+                self.user_id, self.source, self.external_id, self.created, self.updated
+            )
+        )
 
     class Meta:
         verbose_name = _('user external id')
@@ -78,6 +78,7 @@ class UserExternalId(models.Model):
 
 class AuthenticationEvent(models.Model):
     '''Record authentication events whatever the source'''
+
     when = models.DateTimeField(auto_now=True, verbose_name=_('when'))
     who = models.CharField(max_length=80, verbose_name=_('who'))
     how = models.CharField(max_length=32, verbose_name=_('how'))
@@ -90,32 +91,37 @@ class AuthenticationEvent(models.Model):
         verbose_name_plural = _('authentication logs')
 
     def __str__(self):
-        return _('Authentication of %(who)s by %(how)s at %(when)s') % \
-            self.__dict__
+        return _('Authentication of %(who)s by %(how)s at %(when)s') % self.__dict__
 
 
 class LogoutUrlAbstract(models.Model):
     logout_url = models.URLField(
         verbose_name=_('url'),
-        help_text=_('you can use a {} to pass the URL of the success icon, '
-                    'ex.: http://example.com/logout?next={}'),
+        help_text=_(
+            'you can use a {} to pass the URL of the success icon, ' 'ex.: http://example.com/logout?next={}'
+        ),
         max_length=255,
         blank=True,
-        null=True)
+        null=True,
+    )
     logout_use_iframe = models.BooleanField(
-        verbose_name=_('use an iframe instead of an img tag for logout'),
-        default=False)
+        verbose_name=_('use an iframe instead of an img tag for logout'), default=False
+    )
     logout_use_iframe_timeout = models.PositiveIntegerField(
         verbose_name=_('iframe logout timeout (ms)'),
-        help_text=_('if iframe logout is used, it\'s the time between the '
-                    'onload event for this iframe and the moment we consider its '
-                    'loading to be really finished'),
-        default=300)
+        help_text=_(
+            'if iframe logout is used, it\'s the time between the '
+            'onload event for this iframe and the moment we consider its '
+            'loading to be really finished'
+        ),
+        default=300,
+    )
 
     def get_logout_url(self, request):
         ok_icon_url = (
             request.build_absolute_uri(urlparse.urljoin(settings.STATIC_URL, 'authentic2/images/ok.png'))
-            + '?nonce=%s' % time.time())
+            + '?nonce=%s' % time.time()
+        )
         return self.logout_url.format(urlquote(ok_icon_url))
 
     class Meta:
@@ -123,10 +129,7 @@ class LogoutUrlAbstract(models.Model):
 
 
 class LogoutUrl(LogoutUrlAbstract):
-    content_type = models.ForeignKey(
-        ContentType,
-        verbose_name=_('content type'),
-        on_delete=models.CASCADE)
+    content_type = models.ForeignKey(ContentType, verbose_name=_('content type'), on_delete=models.CASCADE)
     object_id = models.PositiveIntegerField(verbose_name=_('object identifier'))
     provider = GenericForeignKey('content_type', 'object_id')
 
@@ -140,7 +143,9 @@ class Attribute(models.Model):
     description = models.TextField(verbose_name=_('description'), blank=True)
     name = models.SlugField(verbose_name=_('name'), max_length=256, unique=True)
     required = models.BooleanField(verbose_name=_('required'), blank=True, default=False)
-    asked_on_registration = models.BooleanField(verbose_name=_('asked on registration'), blank=True, default=False)
+    asked_on_registration = models.BooleanField(
+        verbose_name=_('asked on registration'), blank=True, default=False
+    )
     user_editable = models.BooleanField(verbose_name=_('user editable'), blank=True, default=False)
     user_visible = models.BooleanField(verbose_name=_('user visible'), blank=True, default=False)
     multiple = models.BooleanField(verbose_name=_('multiple'), blank=True, default=False)
@@ -153,11 +158,10 @@ class Attribute(models.Model):
         help_text=_('scopes separated by spaces'),
         blank=True,
         default='',
-        max_length=256)
+        max_length=256,
+    )
 
-    order = models.PositiveIntegerField(
-        verbose_name=_('order'),
-        default=0)
+    order = models.PositiveIntegerField(verbose_name=_('order'), default=0)
 
     all_objects = managers.AttributeManager()
     objects = managers.AttributeManager(disabled=False)
@@ -167,6 +171,7 @@ class Attribute(models.Model):
 
     def get_form_field(self, **kwargs):
         from . import attribute_kinds
+
         kwargs['label'] = self.label
         kwargs['required'] = self.required
         if self.description:
@@ -180,10 +185,12 @@ class Attribute(models.Model):
         kind = self.get_kind()
         field_class = kind['rest_framework_field_class']
         base_kwargs = (kind.get('rest_framework_field_kwargs') or {}).copy()
-        base_kwargs.update({
-            'source': 'attributes.%s' % self.name,
-            'required': self.required,
-        })
+        base_kwargs.update(
+            {
+                'source': 'attributes.%s' % self.name,
+                'required': self.required,
+            }
+        )
         if not self.required:
             # setting an attribute to null will delete it
             # NullBooleanField and BooleanField does not support allow_null
@@ -193,11 +200,9 @@ class Attribute(models.Model):
                 base_kwargs['allow_null'] = True
             # if not stated otherwise by the definition of the kind, string alike fields
             # accept blank values when not required
-            if (issubclass(field_class, serializers.CharField) and 'allow_blank' not in
-                    base_kwargs):
+            if issubclass(field_class, serializers.CharField) and 'allow_blank' not in base_kwargs:
                 base_kwargs['allow_blank'] = True
-            elif (issubclass(field_class, DateRestField) and 'allow_blank' not in
-                    base_kwargs):
+            elif issubclass(field_class, DateRestField) and 'allow_blank' not in base_kwargs:
                 base_kwargs['allow_blank'] = True
         elif issubclass(field_class, serializers.CharField):
             base_kwargs['allow_blank'] = False
@@ -209,6 +214,7 @@ class Attribute(models.Model):
 
     def get_kind(self):
         from . import attribute_kinds
+
         return attribute_kinds.get_kind(self.kind)
 
     def contribute_to_form(self, form, **kwargs):
@@ -251,12 +257,13 @@ class Attribute(models.Model):
                 for value in values:
                     content = serialize(value)
                     av, created = AttributeValue.objects.get_or_create(
-                            content_type=ContentType.objects.get_for_model(owner),
-                            object_id=owner.pk,
-                            attribute=self,
-                            multiple=True,
-                            content=content,
-                            defaults={'verified': verified})
+                        content_type=ContentType.objects.get_for_model(owner),
+                        object_id=owner.pk,
+                        attribute=self,
+                        multiple=True,
+                        content=content,
+                        defaults={'verified': verified},
+                    )
                     if not created:
                         av.verified = verified
                         av.save()
@@ -267,7 +274,7 @@ class Attribute(models.Model):
                     attribute=self,
                     content_type=ContentType.objects.get_for_model(owner),
                     object_id=owner.pk,
-                    multiple=True
+                    multiple=True,
                 ).exclude(content__in=content_list).delete()
                 return avs
             else:
@@ -280,7 +287,8 @@ class Attribute(models.Model):
                         object_id=owner.pk,
                         attribute=self,
                         multiple=False,
-                        defaults={'content': content, 'verified': verified})
+                        defaults={'content': content, 'verified': verified},
+                    )
                 if not created and (av.content != content or av.verified != verified):
                     av.content = content
                     av.verified = verified
@@ -305,16 +313,12 @@ class Attribute(models.Model):
 
 class AttributeValue(models.Model):
     content_type = models.ForeignKey(
-        'contenttypes.ContentType',
-        verbose_name=_('content type'),
-        on_delete=models.CASCADE)
+        'contenttypes.ContentType', verbose_name=_('content type'), on_delete=models.CASCADE
+    )
     object_id = models.PositiveIntegerField(verbose_name=_('object identifier'), db_index=True)
     owner = GenericForeignKey('content_type', 'object_id')
 
-    attribute = models.ForeignKey(
-        'Attribute',
-        verbose_name=_('attribute'),
-        on_delete=models.CASCADE)
+    attribute = models.ForeignKey('Attribute', verbose_name=_('attribute'), on_delete=models.CASCADE)
     if django.VERSION < (2,):
         multiple = models.NullBooleanField(default=False)
     else:
@@ -334,26 +338,20 @@ class AttributeValue(models.Model):
     def natural_key(self):
         if not hasattr(self.owner, 'natural_key'):
             return self.id
-        return (self.content_type.natural_key(), self.owner.natural_key(),
-                self.attribute.natural_key())
+        return (self.content_type.natural_key(), self.owner.natural_key(), self.attribute.natural_key())
 
     class Meta:
         verbose_name = _('attribute value')
         ordering = ('attribute__order', 'id')
         verbose_name_plural = _('attribute values')
-        unique_together = (
-            ('content_type', 'object_id', 'attribute', 'multiple', 'content'),
-        )
+        unique_together = (('content_type', 'object_id', 'attribute', 'multiple', 'content'),)
         indexes = [
             GinIndex(fields=['search_vector'], name='authentic2_atv_tsvector_idx'),
         ]
 
 
 class PasswordReset(models.Model):
-    user = models.OneToOneField(
-        settings.AUTH_USER_MODEL,
-        verbose_name=_('user'),
-        on_delete=models.CASCADE)
+    user = models.OneToOneField(settings.AUTH_USER_MODEL, verbose_name=_('user'), on_delete=models.CASCADE)
 
     def save(self, *args, **kwargs):
         if self.user_id and not self.user.has_usable_password():
@@ -370,51 +368,48 @@ class PasswordReset(models.Model):
 
 
 class Service(models.Model):
-    name = models.CharField(
-        verbose_name=_('name'),
-        max_length=128)
-    slug = models.SlugField(
-        verbose_name=_('slug'),
-        max_length=128)
+    name = models.CharField(verbose_name=_('name'), max_length=128)
+    slug = models.SlugField(verbose_name=_('slug'), max_length=128)
     ou = models.ForeignKey(
         verbose_name=_('organizational unit'),
         to='a2_rbac.OrganizationalUnit',
         null=True,
         blank=True,
         swappable=False,
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
     authorized_roles = models.ManyToManyField(
-        get_role_model_name(), verbose_name=_('authorized services'),
-        through='AuthorizedRole', through_fields=('service', 'role'),
-        related_name='allowed_services', blank=True)
+        get_role_model_name(),
+        verbose_name=_('authorized services'),
+        through='AuthorizedRole',
+        through_fields=('service', 'role'),
+        related_name='allowed_services',
+        blank=True,
+    )
     unauthorized_url = models.URLField(
-        verbose_name=_('callback url when unauthorized'),
-        max_length=256, null=True, blank=True)
+        verbose_name=_('callback url when unauthorized'), max_length=256, null=True, blank=True
+    )
 
     objects = managers.ServiceManager()
 
     def clean(self):
         errors = {}
 
-        if self.ou is None and self.__class__.objects.exclude(pk=self.pk) \
-               .filter(slug=self.slug, ou__isnull=True):
-            errors['slug'] = ValidationError(
-                _('The slug must be unique for this ou'),
-                code='duplicate-slug')
-        if self.ou is None and self.__class__.objects.exclude(pk=self.pk) \
-               .filter(name=self.name, ou__isnull=True):
-            errors['name'] = ValidationError(
-                _('The name must be unique for this ou'),
-                code='duplicate-name')
+        if self.ou is None and self.__class__.objects.exclude(pk=self.pk).filter(
+            slug=self.slug, ou__isnull=True
+        ):
+            errors['slug'] = ValidationError(_('The slug must be unique for this ou'), code='duplicate-slug')
+        if self.ou is None and self.__class__.objects.exclude(pk=self.pk).filter(
+            name=self.name, ou__isnull=True
+        ):
+            errors['name'] = ValidationError(_('The name must be unique for this ou'), code='duplicate-name')
         if errors:
             raise ValidationError(errors)
 
     class Meta:
         verbose_name = _('base service model')
         verbose_name_plural = _('base service models')
-        unique_together = (
-            ('slug', 'ou'),
-        )
+        unique_together = (('slug', 'ou'),)
         base_manager_name = 'objects'
 
     def natural_key(self):
@@ -434,8 +429,7 @@ class Service(models.Model):
         raise ServiceAccessDenied(service=self)
 
     def add_authorized_role(self, role):
-        authorization, created = AuthorizedRole.objects.get_or_create(
-            service=self, role=role)
+        authorization, created = AuthorizedRole.objects.get_or_create(service=self, role=role)
         return authorization
 
     def remove_authorized_role(self, role):
@@ -471,21 +465,12 @@ class AuthorizedRole(models.Model):
 
 class Token(models.Model):
     uuid = models.UUIDField(
-        verbose_name=_('Identifier'),
-        primary_key=True,
-        default=uuid.uuid4,
-        editable=False)
-    kind = models.CharField(
-        verbose_name=_('Kind'),
-        max_length=32)
-    content = jsonb.JSONField(
-        verbose_name=_('Content'),
-        blank=True)
-    created = models.DateTimeField(
-        verbose_name=_('Creation date'),
-        auto_now_add=True)
-    expires = models.DateTimeField(
-        verbose_name=_('Expires'))
+        verbose_name=_('Identifier'), primary_key=True, default=uuid.uuid4, editable=False
+    )
+    kind = models.CharField(verbose_name=_('Kind'), max_length=32)
+    content = jsonb.JSONField(verbose_name=_('Content'), blank=True)
+    created = models.DateTimeField(verbose_name=_('Creation date'), auto_now_add=True)
+    expires = models.DateTimeField(verbose_name=_('Expires'))
 
     class Meta:
         ordering = ('-expires', 'kind', 'uuid')
@@ -497,10 +482,7 @@ class Token(models.Model):
     @classmethod
     def create(cls, kind, content, expires=None, duration=60):
         expires = expires or (timezone.now() + datetime.timedelta(seconds=duration))
-        return cls.objects.create(
-            kind=kind,
-            content=content,
-            expires=expires)
+        return cls.objects.create(kind=kind, content=content, expires=expires)
 
     @classmethod
     def _decode_uuid(cls, _uuid):
diff --git a/src/authentic2/nonce/migrations/0001_initial.py b/src/authentic2/nonce/migrations/0001_initial.py
index 3443b1ec..37539773 100644
--- a/src/authentic2/nonce/migrations/0001_initial.py
+++ b/src/authentic2/nonce/migrations/0001_initial.py
@@ -6,20 +6,21 @@ from django.db import models, migrations
 
 class Migration(migrations.Migration):
 
-    dependencies = [
-    ]
+    dependencies = []
 
     operations = [
         migrations.CreateModel(
             name='Nonce',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('value', models.CharField(max_length=256)),
                 ('context', models.CharField(max_length=256, null=True, blank=True)),
                 ('not_on_or_after', models.DateTimeField(null=True, blank=True)),
             ],
-            options={
-            },
+            options={},
             bases=(models.Model,),
         ),
     ]
diff --git a/src/authentic2/nonce/utils.py b/src/authentic2/nonce/utils.py
index c20b7d92..89d5cb7e 100644
--- a/src/authentic2/nonce/utils.py
+++ b/src/authentic2/nonce/utils.py
@@ -40,6 +40,7 @@ def compute_not_on_or_after(now, not_on_or_after):
             pass
     return not_on_or_after
 
+
 # For the nonce filesystem storage the policy is to catch any OSerror when
 # errno == ENOENT and to handle this case gracefully as there can be many race
 # condition errors.  But any other OSError is problematic and should be
@@ -55,10 +56,10 @@ def unlink_if_exists(path):
 
 
 def accept_nonce_file_storage(path, now, value, context=None, not_on_or_after=None):
-    '''
-       Use a directory as a storage for nonce-context values. The last
-       modification time is used to store the expiration timestamp.
-    '''
+    """
+    Use a directory as a storage for nonce-context values. The last
+    modification time is used to store the expiration timestamp.
+    """
     now = dt.datetime.now()
     filename = '%s_%s' % (value.encode('base64'), context.encode('base64'))
     file_path = os.path.join(path, filename)
@@ -133,14 +134,14 @@ def cleanup_nonces_file_storage(dir_path, now):
 
 
 def cleanup_nonces(now=None):
-    '''
-       Cleanup stored nonce whose timestamp has expired, i.e.
-       nonce.not_on_or_after < now.
-
-       :param now:
-           a datetime value to define what is the current time, if None is
-           given, datetime.now() is used. It can be used for unit testing.
-    '''
+    """
+    Cleanup stored nonce whose timestamp has expired, i.e.
+    nonce.not_on_or_after < now.
+
+    :param now:
+        a datetime value to define what is the current time, if None is
+        given, datetime.now() is used. It can be used for unit testing.
+    """
     import models
 
     now = now or dt.datetime.now()
@@ -150,47 +151,49 @@ def cleanup_nonces(now=None):
     if mode == STORAGE_MODEL:
         pass
     if mode.startswith(STORAGE_FILESYSTEM):
-        dir_path = mode[len(STORAGE_FILESYSTEM):]
+        dir_path = mode[len(STORAGE_FILESYSTEM) :]
         return cleanup_nonces_file_storage(dir_path, now)
     else:
         raise ValueError('Invalid NONCE_STORAGE setting: %r' % mode)
 
 
 def accept_nonce(value, context=None, not_on_or_after=None, now=None):
-    '''
-       Verify that the given nonce value has not already been seen in the
-       context. If not, remember it for ever or until not_on_or_after if is
-       not None.
-
-       Depending on the backend storage used there can be limitation on the
-       acceptable length for the value and the context. For example the model
-       storage backend limits the length of those strings to 256 bytes.
-
-       :param value:
-           a string representing a nonce value.
-       :param context:
-           a string giving context to the nonce value
-       :param not_on_or_after:
-           an integer, a datetime.timedelta or datetime.datetime value. If not
-           none it is used to compute the expiration time for remembering this
-           nonce value.  If an integer is given it is interpreted as relative
-           number of seconds since now, if a timedelta object is given it is
-           used as an offset from now, and if a datetime is given it is used
-           as an absolute value for the expiration time.
-       :param now:
-           a datetime value to define what is the current time, if None is
-           given, datetime.now() is used. It can be used for unit testing.
-       :returns:
-           a boolean, if True the nonce has never been seen before, or it
-           expired since the last time seen, otherwise the nonce has already
-           been seen and is invalid.
-    '''
+    """
+    Verify that the given nonce value has not already been seen in the
+    context. If not, remember it for ever or until not_on_or_after if is
+    not None.
+
+    Depending on the backend storage used there can be limitation on the
+    acceptable length for the value and the context. For example the model
+    storage backend limits the length of those strings to 256 bytes.
+
+    :param value:
+        a string representing a nonce value.
+    :param context:
+        a string giving context to the nonce value
+    :param not_on_or_after:
+        an integer, a datetime.timedelta or datetime.datetime value. If not
+        none it is used to compute the expiration time for remembering this
+        nonce value.  If an integer is given it is interpreted as relative
+        number of seconds since now, if a timedelta object is given it is
+        used as an offset from now, and if a datetime is given it is used
+        as an absolute value for the expiration time.
+    :param now:
+        a datetime value to define what is the current time, if None is
+        given, datetime.now() is used. It can be used for unit testing.
+    :returns:
+        a boolean, if True the nonce has never been seen before, or it
+        expired since the last time seen, otherwise the nonce has already
+        been seen and is invalid.
+    """
     now = now or dt.datetime.now()
     mode = getattr(settings, 'NONCE_STORAGE', STORAGE_MODEL)
     if mode == STORAGE_MODEL:
         return accept_nonce_model(now, value, context=context, not_on_or_after=not_on_or_after)
     elif mode.startswith(STORAGE_FILESYSTEM):
-        dir_path = mode[len(STORAGE_FILESYSTEM):]
-        return accept_nonce_file_storage(dir_path, now, value, context=context, not_on_or_after=not_on_or_after)
+        dir_path = mode[len(STORAGE_FILESYSTEM) :]
+        return accept_nonce_file_storage(
+            dir_path, now, value, context=context, not_on_or_after=not_on_or_after
+        )
     else:
         raise ValueError('Invalid NONCE_STORAGE setting: %r' % mode)
diff --git a/src/authentic2/passwords.py b/src/authentic2/passwords.py
index 65d13889..0bc2bfe5 100644
--- a/src/authentic2/passwords.py
+++ b/src/authentic2/passwords.py
@@ -30,10 +30,10 @@ from . import app_settings
 
 
 def generate_password():
-    '''Generate a password that validates current password policy.
+    """Generate a password that validates current password policy.
 
-       Beware that A2_PASSWORD_POLICY_REGEX cannot be validated.
-    '''
+    Beware that A2_PASSWORD_POLICY_REGEX cannot be validated.
+    """
     digits = string.digits
     lower = string.ascii_lowercase
     upper = string.ascii_uppercase
@@ -63,8 +63,8 @@ class PasswordChecker(object):
 
     @abc.abstractmethod
     def __call__(self, password, **kwargs):
-        '''Return an iterable of Check objects giving the list of checks and
-           their result.'''
+        """Return an iterable of Check objects giving the list of checks and
+        their result."""
         return []
 
 
@@ -96,28 +96,20 @@ class DefaultPasswordChecker(PasswordChecker):
     def __call__(self, password, **kwargs):
         if self.min_length:
             yield self.Check(
-                result=len(password) >= self.min_length,
-                label=_('%s characters') % self.min_length)
+                result=len(password) >= self.min_length, label=_('%s characters') % self.min_length
+            )
 
         if self.at_least_one_lowercase:
-            yield self.Check(
-                result=any(c.islower() for c in password),
-                label=_('1 lowercase letter'))
+            yield self.Check(result=any(c.islower() for c in password), label=_('1 lowercase letter'))
 
         if self.at_least_one_digit:
-            yield self.Check(
-                result=any(c.isdigit() for c in password),
-                label=_('1 digit'))
+            yield self.Check(result=any(c.isdigit() for c in password), label=_('1 digit'))
 
         if self.at_least_one_uppercase:
-            yield self.Check(
-                result=any(c.isupper() for c in password),
-                label=_('1 uppercase letter'))
+            yield self.Check(result=any(c.isupper() for c in password), label=_('1 uppercase letter'))
 
         if self.regexp and self.regexp_label:
-            yield self.Check(
-                result=bool(re.match(self.regexp, password)),
-                label=self.regexp_label)
+            yield self.Check(result=bool(re.match(self.regexp, password)), label=self.regexp_label)
 
 
 def get_password_checker(*args, **kwargs):
@@ -135,9 +127,12 @@ def password_help_text(password='', only_errors=False):
     criteria = [check.label for check in password_checker(password) if not (only_errors and check.result)]
     if criteria:
         html_criteria = [u'<span class="a2-password-policy-rule">%s</span>' % criter for criter in criteria]
-        return _('In order to create a secure password, please use at least: '
-                 '<span class="a2-password-policy-container">%s</span>') % (''.join(html_criteria))
+        return _(
+            'In order to create a secure password, please use at least: '
+            '<span class="a2-password-policy-container">%s</span>'
+        ) % (''.join(html_criteria))
     else:
         return ''
 
+
 password_help_text = lazy(password_help_text, six.text_type)
diff --git a/src/authentic2/plugins.py b/src/authentic2/plugins.py
index 8447f52c..3b31acfe 100644
--- a/src/authentic2/plugins.py
+++ b/src/authentic2/plugins.py
@@ -37,13 +37,14 @@ PLUGIN_CACHE = {}
 class PluginError(Exception):
     pass
 
+
 DEFAULT_GROUP_NAME = 'authentic2.plugin'
 
 
 def get_plugins(group_name=DEFAULT_GROUP_NAME, use_cache=True, *args, **kwargs):
-    '''Traverse all entry points for group_name and instantiate them using args
-       and kwargs.
-    '''
+    """Traverse all entry points for group_name and instantiate them using args
+    and kwargs.
+    """
     # XXX: necessary with tox under python3 for py2 env, dont know why...
     pkg_resources.get_distribution('authentic2')
     global PLUGIN_CACHE
@@ -68,13 +69,13 @@ def get_plugins(group_name=DEFAULT_GROUP_NAME, use_cache=True, *args, **kwargs):
 
 
 def register_plugins_urls(urlpatterns, group_name=DEFAULT_GROUP_NAME):
-    '''Call get_before_urls and get_after_urls on all plugins providing them
-       and add those urls to the given urlpatterns.
+    """Call get_before_urls and get_after_urls on all plugins providing them
+    and add those urls to the given urlpatterns.
 
-       URLs returned by get_before_urls() are added to the head of urlpatterns
-       and those returned by get_after_urls() are added to the tail of
-       urlpatterns.
-    '''
+    URLs returned by get_before_urls() are added to the head of urlpatterns
+    and those returned by get_after_urls() are added to the tail of
+    urlpatterns.
+    """
     plugins = get_plugins(group_name)
     before_urls = []
     after_urls = []
@@ -90,11 +91,11 @@ def register_plugins_urls(urlpatterns, group_name=DEFAULT_GROUP_NAME):
 
 
 def register_plugins_installed_apps(installed_apps, group_name=DEFAULT_GROUP_NAME):
-    '''Call get_apps() on all plugins of group_name and add the returned
-       applications path to the installed_apps sequence.
+    """Call get_apps() on all plugins of group_name and add the returned
+    applications path to the installed_apps sequence.
 
-       Applications already present are ignored.
-    '''
+    Applications already present are ignored.
+    """
     installed_apps = list(installed_apps)
     for plugin in get_plugins(group_name):
         if hasattr(plugin, 'get_apps'):
@@ -155,9 +156,9 @@ def register_plugins_idp_backends(idp_backends, group_name=DEFAULT_GROUP_NAME):
 
 
 def collect_from_plugins(name, *args, **kwargs):
-    '''
-        Collect a property or the result of a function from plugins.
-    '''
+    """
+    Collect a property or the result of a function from plugins.
+    """
     accumulator = []
     for plugin in get_plugins():
         if not hasattr(plugin, name):
diff --git a/src/authentic2/saml/__init__.py b/src/authentic2/saml/__init__.py
index 01e41b30..46503b2f 100644
--- a/src/authentic2/saml/__init__.py
+++ b/src/authentic2/saml/__init__.py
@@ -24,4 +24,5 @@ class A2SAMLAppConfig(AppConfig):
 
     def a2_hook_good_next_url(self, next_url):
         from .utils import saml_good_next_url
+
         return saml_good_next_url(next_url)
diff --git a/src/authentic2/saml/admin.py b/src/authentic2/saml/admin.py
index b894a8e6..23c45af6 100644
--- a/src/authentic2/saml/admin.py
+++ b/src/authentic2/saml/admin.py
@@ -25,14 +25,21 @@ from django.forms import ModelForm
 from django import forms
 from django.contrib import messages
 from django.core.exceptions import ValidationError
+
 try:
     from django.contrib.contenttypes.admin import GenericTabularInline
 except ImportError:
     from django.contrib.contenttypes.generic import GenericTabularInline
 
-from authentic2.saml.models import (LibertyProvider, LibertyServiceProvider,
-                                    SPOptionsIdPPolicy, LibertyFederation,
-                                    KeyValue, LibertySession, SAMLAttribute)
+from authentic2.saml.models import (
+    LibertyProvider,
+    LibertyServiceProvider,
+    SPOptionsIdPPolicy,
+    LibertyFederation,
+    KeyValue,
+    LibertySession,
+    SAMLAttribute,
+)
 
 from authentic2.attributes_ng.engine import get_service_attributes
 
@@ -98,14 +105,13 @@ def update_metadata(modeladmin, request, queryset):
         try:
             provider.update_metadata()
         except ValidationError as e:
-            params = {
-                'name': provider,
-                'error_msg': u', '.join(e.messages)
-            }
+            params = {'name': provider, 'error_msg': u', '.join(e.messages)}
             messages.error(request, _('Updating SAML provider %(name)s failed: ' '%(error_msg)s') % params)
         else:
             count += 1
-    messages.info(request, _('%(count)d on %(total)d SAML providers updated') % {'count': count, 'total': total})
+    messages.info(
+        request, _('%(count)d on %(total)d SAML providers updated') % {'count': count, 'total': total}
+    )
 
 
 class SAMLAttributeInlineForm(forms.ModelForm):
@@ -138,6 +144,7 @@ class SAMLAttributeInlineAdmin(GenericTabularInline):
             def __init__(self, *args, **kwargs):
                 kwargs['service'] = obj
                 super(NewForm, self).__init__(*args, **kwargs)
+
         kwargs['form'] = NewForm
         return super(SAMLAttributeInlineAdmin, self).get_formset(request, obj=obj, **kwargs)
 
@@ -148,12 +155,8 @@ class LibertyProviderAdmin(admin.ModelAdmin):
     search_fields = ('name', 'entity_id')
     readonly_fields = ('entity_id', 'protocol_conformance', 'entity_id_sha1', 'federation_source')
     fieldsets = (
-        (None, {
-            'fields': ('name', 'slug', 'ou', 'entity_id', 'entity_id_sha1', 'federation_source')
-        }),
-        (_('Metadata files'), {
-            'fields': ('metadata_url', 'metadata')
-        }),
+        (None, {'fields': ('name', 'slug', 'ou', 'entity_id', 'entity_id_sha1', 'federation_source')}),
+        (_('Metadata files'), {'fields': ('metadata_url', 'metadata')}),
     )
     inlines = [
         LibertyServiceProviderInline,
@@ -169,9 +172,13 @@ class LibertyProviderAdmin(admin.ModelAdmin):
     def get_urls(self):
         urls = super(LibertyProviderAdmin, self).get_urls()
         urls = [
-            url(r'^add-from-url/$',
-                self.admin_site.admin_view(admin_views.AddLibertyProviderFromUrlView.as_view(model_admin=self)),
-                name='saml_libertyprovider_add_from_url'),
+            url(
+                r'^add-from-url/$',
+                self.admin_site.admin_view(
+                    admin_views.AddLibertyProviderFromUrlView.as_view(model_admin=self)
+                ),
+                name='saml_libertyprovider_add_from_url',
+            ),
         ] + urls
         return urls
 
@@ -208,6 +215,7 @@ class SPOptionsIdPPolicyAdmin(admin.ModelAdmin):
         'http_method_for_slo_request',
     )
 
+
 admin.site.register(SPOptionsIdPPolicy, SPOptionsIdPPolicyAdmin)
 admin.site.register(LibertyProvider, LibertyProviderAdmin)
 
diff --git a/src/authentic2/saml/admin_views.py b/src/authentic2/saml/admin_views.py
index cd192f0d..0bc3ec63 100644
--- a/src/authentic2/saml/admin_views.py
+++ b/src/authentic2/saml/admin_views.py
@@ -25,11 +25,13 @@ class AdminAddFormViewMixin(object):
 
     def get_context_data(self, **kwargs):
         ctx = super(AdminAddFormViewMixin, self).get_context_data(**kwargs)
-        ctx.update({
-            'app_label': self.model_admin.model._meta.app_label,
-            'has_change_permission': self.model_admin.has_change_permission(self.request),
-            'opts': self.model_admin.model._meta
-        })
+        ctx.update(
+            {
+                'app_label': self.model_admin.model._meta.app_label,
+                'has_change_permission': self.model_admin.has_change_permission(self.request),
+                'opts': self.model_admin.model._meta,
+            }
+        )
         return ctx
 
 
diff --git a/src/authentic2/saml/app_settings.py b/src/authentic2/saml/app_settings.py
index 072c2101..262f8de0 100644
--- a/src/authentic2/saml/app_settings.py
+++ b/src/authentic2/saml/app_settings.py
@@ -29,8 +29,7 @@ class AppSettings(object):
         EXPLICIT = 0
         IMPLICIT = 1
 
-        choices = ((EXPLICIT, _('explicit')),
-                   (IMPLICIT, _('implicit')))
+        choices = ((EXPLICIT, _('explicit')), (IMPLICIT, _('implicit')))
 
         @classmethod
         def get_choices(cls, app_settings):
@@ -64,6 +63,7 @@ class AppSettings(object):
     def __getattr__(self, name):
         return self.__settings(name)
 
+
 app_settings = AppSettings()
 app_settings.__name__ = __name__
 sys.modules[__name__] = app_settings
diff --git a/src/authentic2/saml/common.py b/src/authentic2/saml/common.py
index 629c3648..ec4f907e 100644
--- a/src/authentic2/saml/common.py
+++ b/src/authentic2/saml/common.py
@@ -31,8 +31,12 @@ from django.utils.six.moves.urllib import parse as urlparse
 from django.core.exceptions import ValidationError
 from django.urls import reverse
 
-from authentic2.saml.models import (LibertyFederation, LibertyProvider,
-                                    LibertyServiceProvider, SPOptionsIdPPolicy)
+from authentic2.saml.models import (
+    LibertyFederation,
+    LibertyProvider,
+    LibertyServiceProvider,
+    SPOptionsIdPPolicy,
+)
 from authentic2.saml import models
 from authentic2.saml import saml2utils
 
@@ -54,17 +58,18 @@ AUTHENTIC_STATUS_CODE_UNAUTHORIZED = AUTHENTIC_STATUS_CODE_NS + "Unauthorized"
 logger = logging.getLogger(__name__)
 
 # timeout for messages and assertions issue instant
-NONCE_TIMEOUT = getattr(
-    settings, 'SAML2_NONCE_TIMEOUT', getattr(settings, 'NONCE_TIMEOUT', 30))
+NONCE_TIMEOUT = getattr(settings, 'SAML2_NONCE_TIMEOUT', getattr(settings, 'NONCE_TIMEOUT', 30))
 # do we check id on SAML2 messages ?
 CHECKS_ID = getattr(settings, 'SAML2_CHECKS_ID', True)
 
 
 def get_soap_message(request):
     '''Verify that POST content looks like a SOAP message and returns it'''
-    assert request.method == 'POST' \
-        and 'CONTENT_TYPE' in request.META \
-        and 'text/xml' in request.META['CONTENT_TYPE'], 'not a SOAP message'
+    assert (
+        request.method == 'POST'
+        and 'CONTENT_TYPE' in request.META
+        and 'text/xml' in request.META['CONTENT_TYPE']
+    ), 'not a SOAP message'
     return request.body
 
 
@@ -73,37 +78,34 @@ def get_http_binding(request):
         return 'GET'
     elif request.method == 'POST':
         # disambiguate SOAP and form POST
-        if request.META.get('CONTENT_TYPE') in ['application/x-www-form-urlencoded',
-                                                'multipart/form-data']:
+        if request.META.get('CONTENT_TYPE') in ['application/x-www-form-urlencoded', 'multipart/form-data']:
             return 'POST'
         else:
             return 'SOAP'
 
+
 # SAMLv2 methods
 
 
 def get_base_path(request):
-    '''Get endpoints base path given metadata path
-    '''
+    """Get endpoints base path given metadata path"""
     metadata = reverse('a2-idp-saml-metadata')
     return request.build_absolute_uri(os.path.dirname(metadata))
 
 
 def get_entity_id(request):
-    '''Return the EntityID, given metadata absolute path
-    '''
+    """Return the EntityID, given metadata absolute path"""
     metadata = reverse('a2-idp-saml-metadata')
     return request.build_absolute_uri(metadata)
 
-asynchronous_bindings = [lasso.SAML2_METADATA_BINDING_REDIRECT,
-                         lasso.SAML2_METADATA_BINDING_POST]
+
+asynchronous_bindings = [lasso.SAML2_METADATA_BINDING_REDIRECT, lasso.SAML2_METADATA_BINDING_POST]
 soap_bindings = [lasso.SAML2_METADATA_BINDING_SOAP]
 all_bindings = asynchronous_bindings + [lasso.SAML2_METADATA_BINDING_SOAP]
 
 
 def get_saml2_metadata(request, idp_map=None, sp_map=None, options={}):
-    metagen = saml2utils.Saml2Metadata(get_entity_id(request),
-                                       url_prefix=get_base_path(request))
+    metagen = saml2utils.Saml2Metadata(get_entity_id(request), url_prefix=get_base_path(request))
     if idp_map:
         metagen.add_idp_descriptor(idp_map, options)
     if sp_map:
@@ -111,24 +113,24 @@ def get_saml2_metadata(request, idp_map=None, sp_map=None, options={}):
     return str(metagen)
 
 
-def create_saml2_server(request, idp_map=None, sp_map=None,
-                        options={}):
+def create_saml2_server(request, idp_map=None, sp_map=None, options={}):
     '''Create a lasso Server object for using with a profile'''
     if app_settings.ADD_CERTIFICATE_TO_KEY_INFO:
         certificate_content = options.get('key')
     else:
         certificate_content = None
     server = lasso.Server.newFromBuffers(
-        get_saml2_metadata(request, idp_map=idp_map, sp_map=sp_map,
-                           options=options),
-        options.get('private_key'), certificate_content=certificate_content)
+        get_saml2_metadata(request, idp_map=idp_map, sp_map=sp_map, options=options),
+        options.get('private_key'),
+        certificate_content=certificate_content,
+    )
     if app_settings.SIGNATURE_METHOD:
-            signature_method = app_settings.SIGNATURE_METHOD
-            symbol_name = 'SIGNATURE_METHOD_' + signature_method.replace('-', '_').upper()
-            if hasattr(lasso, symbol_name):
-                server.signatureMethod = getattr(lasso, symbol_name)
-            else:
-                logger.warning('idp_saml: unable to set signature method %s', signature_method)
+        signature_method = app_settings.SIGNATURE_METHOD
+        symbol_name = 'SIGNATURE_METHOD_' + signature_method.replace('-', '_').upper()
+        if hasattr(lasso, symbol_name):
+            server.signatureMethod = getattr(lasso, symbol_name)
+        else:
+            logger.warning('idp_saml: unable to set signature method %s', signature_method)
     if not server:
         raise Exception('Cannot create LassoServer object')
     return server
@@ -183,14 +185,14 @@ def get_saml2_request_message(request, profile):
 
 
 def return_saml2_response(request, profile, title=''):
-    '''Finish your SAMLv2 views with this method to return a SAML
-    response'''
+    """Finish your SAMLv2 views with this method to return a SAML
+    response"""
     return return_saml2(request, profile, lasso.SAML2_FIELD_RESPONSE, title)
 
 
 def return_saml2_request(request, profile, title=''):
-    '''Finish your SAMLv2 views with this method to return a SAML
-    request'''
+    """Finish your SAMLv2 views with this method to return a SAML
+    request"""
     return return_saml2(request, profile, lasso.SAML2_FIELD_REQUEST, title)
 
 
@@ -210,8 +212,9 @@ def return_saml2(request, profile, field_name, title=''):
                     'url': profile.msgUrl,
                     'fieldname': field_name,
                     'body': profile.msgBody,
-                    'relay_state': profile.msgRelayState
-                })
+                    'relay_state': profile.msgRelayState,
+                },
+            )
         return HttpResponse(profile.msgBody, content_type='text/xml')
     elif profile.msgUrl:
         return HttpResponseRedirect(profile.msgUrl)
@@ -220,13 +223,13 @@ def return_saml2(request, profile, field_name, title=''):
 
 
 def check_id_and_issue_instant(request_response_or_assertion, now=None):
-    '''
-       Check that issue instant is not older than a timeout and also checks
-       that the id has never been seen before.
+    """
+    Check that issue instant is not older than a timeout and also checks
+    that the id has never been seen before.
 
-       Nonce are cached for two times the relative timeout length of the issue
-       instant.
-    '''
+    Nonce are cached for two times the relative timeout length of the issue
+    instant.
+    """
     if now is None:
         now = datetime.datetime.utcnow()
     try:
@@ -234,8 +237,9 @@ def check_id_and_issue_instant(request_response_or_assertion, now=None):
         issue_instant = saml2utils.iso8601_to_datetime(issue_instant)
         delta = datetime.timedelta(seconds=NONCE_TIMEOUT)
         if not (now - delta <= issue_instant < now + delta):
-            logger.warning('IssueInstant %s not in the interval [%s, %s[',
-                           issue_instant, now - delta, now+delta)
+            logger.warning(
+                'IssueInstant %s not in the interval [%s, %s[', issue_instant, now - delta, now + delta
+            )
             return False
     except ValueError:
         logger.error('Unable to parse an IssueInstant: %r', issue_instant)
@@ -246,8 +250,7 @@ def check_id_and_issue_instant(request_response_or_assertion, now=None):
             logger.warning('missing ID')
             return False
         if not nonce.accept_nonce(_id, 'SAML', 2 * NONCE_TIMEOUT):
-            logger.warning("ID '%r' already used, request/response/assertion "
-                           "refused", _id)
+            logger.warning("ID '%r' already used, request/response/assertion " "refused", _id)
             return False
     return True
 
@@ -255,6 +258,7 @@ def check_id_and_issue_instant(request_response_or_assertion, now=None):
 def return_saml_soap_response(profile):
     return HttpResponse(profile.msgBody, content_type='text/xml')
 
+
 # Helper method to handle profiles endpoints
 # In the future we should move away from monolithic object (LassoIdentity and
 # LassoSession) holding all the datas, to manipulate them at row Level with
@@ -296,16 +300,17 @@ def federations_to_identity_dump(self_entity_id, federations):
                 name_id_qualifier = federation.idp.liberty_provider.entity_id
         qualifiers = []
         if federation.name_id_qualifier:
-            qualifiers.append(
-                'NameQualifier="%s"' % name_id_qualifier)
+            qualifiers.append('NameQualifier="%s"' % name_id_qualifier)
         if federation.name_id_sp_name_qualifier:
-            qualifiers.append(
-                'SPNameQualifier="%s"' % name_id_sp_name_qualifier)
-        l.append(MIDDLE_IDENTITY_DUMP.format(
-            content=federation.name_id_content,
-            format=federation.name_id_format,
-            sp_id=sp_id,
-            qualifiers=' '.join(qualifiers)))
+            qualifiers.append('SPNameQualifier="%s"' % name_id_sp_name_qualifier)
+        l.append(
+            MIDDLE_IDENTITY_DUMP.format(
+                content=federation.name_id_content,
+                format=federation.name_id_format,
+                sp_id=sp_id,
+                qualifiers=' '.join(qualifiers),
+            )
+        )
     l.append(END_IDENTITY_DUMP)
     return ''.join(l)
 
@@ -316,8 +321,7 @@ def load_federation(request, entity_id, login, user=None):
         user = request.user
     assert user is not None
 
-    identity_dump = federations_to_identity_dump(
-        entity_id, LibertyFederation.objects.filter(user=user))
+    identity_dump = federations_to_identity_dump(entity_id, LibertyFederation.objects.filter(user=user))
     login.setIdentityFromDump(identity_dump)
 
 
@@ -330,8 +334,9 @@ def retrieve_metadata_and_create(request, provider_id, sp_or_idp):
     try:
         metadata = get_url(provider_id)
     except Exception as e:
-        logging.error('SAML metadata autoload: failure to retrieve metadata '
-                      'for entity id %s: %s', provider_id, e)
+        logging.error(
+            'SAML metadata autoload: failure to retrieve metadata ' 'for entity id %s: %s', provider_id, e
+        )
         return None
     logger.debug('loaded %d bytes', len(metadata))
     try:
@@ -343,12 +348,16 @@ def retrieve_metadata_and_create(request, provider_id, sp_or_idp):
     try:
         p.full_clean(exclude=['entity_id', 'protocol_conformance'])
     except ValidationError as e:
-        logging.error('SAML metadata autoload: retrieved metadata for entity '
-                      'id %s are invalid, %s', provider_id, e.args)
+        logging.error(
+            'SAML metadata autoload: retrieved metadata for entity ' 'id %s are invalid, %s',
+            provider_id,
+            e.args,
+        )
         return None
     except Exception:
-        logging.exception('SAML metadata autoload: retrieved metadata '
-                          'validation raised an unknown exception')
+        logging.exception(
+            'SAML metadata autoload: retrieved metadata ' 'validation raised an unknown exception'
+        )
         return None
     p.save()
     logger.debug('%s saved', p)
@@ -357,27 +366,25 @@ def retrieve_metadata_and_create(request, provider_id, sp_or_idp):
     return p
 
 
-def load_provider(request, entity_id, server=None, sp_or_idp='sp',
-                  autoload=False):
-    '''Look up a provider in the database, and verify it handles wanted
-       role be it sp or idp.
+def load_provider(request, entity_id, server=None, sp_or_idp='sp', autoload=False):
+    """Look up a provider in the database, and verify it handles wanted
+    role be it sp or idp.
 
-       Arguments:
-       request -- the currently handled request
-       entity_id -- the entity ID of the searched provider
+    Arguments:
+    request -- the currently handled request
+    entity_id -- the entity ID of the searched provider
 
-       Keyword arguments:
-       server -- a lasso.Server object into which to load the given provider
-       sp_or_idp -- kind of the provider we are looking for, can be 'sp' or
-       'idp', default to 'sp'
-    '''
+    Keyword arguments:
+    server -- a lasso.Server object into which to load the given provider
+    sp_or_idp -- kind of the provider we are looking for, can be 'sp' or
+    'idp', default to 'sp'
+    """
     try:
         liberty_provider = LibertyProvider.objects.get(entity_id=entity_id)
     except LibertyProvider.DoesNotExist:
         autoload = getattr(settings, 'SAML_METADATA_AUTOLOAD', 'none')
         if autoload and (autoload == 'sp' or autoload == 'both'):
-            liberty_provider = retrieve_metadata_and_create(request, entity_id,
-                                                            sp_or_idp)
+            liberty_provider = retrieve_metadata_and_create(request, entity_id, sp_or_idp)
             if not liberty_provider:
                 return False
         else:
@@ -390,8 +397,8 @@ def load_provider(request, entity_id, server=None, sp_or_idp='sp',
         return False
     if server:
         server.addProviderFromBuffer(
-                lasso.PROVIDER_ROLE_SP,
-                force_text(liberty_provider.metadata.encode('utf8')))
+            lasso.PROVIDER_ROLE_SP, force_text(liberty_provider.metadata.encode('utf8'))
+        )
         policy = get_sp_options_policy(liberty_provider)
         if policy:
             encryption_mode = 0
@@ -408,13 +415,11 @@ def load_provider(request, entity_id, server=None, sp_or_idp='sp',
 
 
 def add_federation(user, login=None, name_id=None, provider_id=None):
-    assert name_id or (login and login.nameIdentifier), \
-        'missing name identifier'
+    assert name_id or (login and login.nameIdentifier), 'missing name identifier'
     name_id = name_id or login.nameIdentifier
     kwargs = models.nameid2kwargs(name_id)
     if provider_id:
-        kwargs['idp'] = LibertyProvider.objects.get(entity_id=provider_id) \
-            .identity_provider
+        kwargs['idp'] = LibertyProvider.objects.get(entity_id=provider_id).identity_provider
     fed = LibertyFederation(user=user, **kwargs)
     fed.save()
     logger.debug('federation %s linked to user %s', fed.name_id_content, user)
@@ -422,8 +427,8 @@ def add_federation(user, login=None, name_id=None, provider_id=None):
 
 
 def lookup_federation_by_name_identifier(name_id=None, profile=None):
-    '''Try to find a LibertyFederation object for the given NameID or
-       profile object.'''
+    """Try to find a LibertyFederation object for the given NameID or
+    profile object."""
     if not name_id:
         name_id = profile.nameIdentifier
     kwargs = models.nameid2kwargs(name_id)
@@ -434,11 +439,10 @@ def lookup_federation_by_name_identifier(name_id=None, profile=None):
 
 
 def lookup_federation_by_name_id_and_provider_id(name_id, provider_id):
-    '''Try to find a LibertyFederation object for the given NameID and
-       the provider id.'''
+    """Try to find a LibertyFederation object for the given NameID and
+    the provider id."""
     kwargs = models.nameid2kwargs(name_id)
-    kwargs['idp'] = LibertyProvider.objects.get(entity_id=provider_id) \
-        .identity_provider
+    kwargs['idp'] = LibertyProvider.objects.get(entity_id=provider_id).identity_provider
     try:
         return LibertyFederation.objects.get(user__isnull=False, **kwargs)
     except LibertyFederation.DoesNotExist:
@@ -449,8 +453,7 @@ def lookup_federation_by_name_id_and_provider_id(name_id, provider_id):
 def lookup_federation_by_user(user, qualifier):
     if not user or not qualifier:
         return None
-    fed = LibertyFederation.objects.filter(user=user,
-                                           name_id_qualifier=qualifier)
+    fed = LibertyFederation.objects.filter(user=user, name_id_qualifier=qualifier)
     if fed and fed.count() > 1:
         # TODO: delete all but the last record
         raise Exception('Unconsistent federation record for %s' % qualifier)
@@ -492,15 +495,16 @@ def set_saml2_response_responder_status_code(response, code, msg=None):
     response.status.statusCode.statusCode = lasso.Samlp2StatusCode()
     response.status.statusCode.statusCode.value = code
 
+
 __root_refererer_re = re.compile('^(https?://[^/]*/?)')
 
 
 def error_page(request, message, back=None, logger=None, warning=False):
-    '''View that show a simple error page to the user with a back link.
+    """View that show a simple error page to the user with a back link.
 
-         back - url for the back link, if None, return to root of the referer
-                or the local root.
-    '''
+    back - url for the back link, if None, return to root of the referer
+           or the local root.
+    """
     if not logger:
         logger = logging
     if warning:
@@ -515,14 +519,8 @@ def error_page(request, message, back=None, logger=None, warning=False):
                 back = root_referer.group(1)
         if back is None:
             back = '/'
-    redirection_timeout = getattr(settings, 'REDIRECTION_TIMEOUT_AFTER_ERROR',
-                                  2000)
-    return render(request, 'error.html',
-                  {
-                      'msg': message,
-                      'back': back,
-                      'redir_timeout': redirection_timeout
-                  })
+    redirection_timeout = getattr(settings, 'REDIRECTION_TIMEOUT_AFTER_ERROR', 2000)
+    return render(request, 'error.html', {'msg': message, 'back': back, 'redir_timeout': redirection_timeout})
 
 
 def redirect_next(request, next):
@@ -535,11 +533,14 @@ def redirect_next(request, next):
 def soap_fault(request, faultcode='soap:Client', faultstring=None):
     if faultstring:
         faultstring = '\n        <faultstring>%s</faultstring>\n' % faultstring
-    content = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+    content = (
+        '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Body><soap:Fault>
        <faultcode>%(faultcode)s</faultcode>%(faultstring)s
     </soap:Fault></soap:Body>
-</soap:Envelope>''' % locals()
+</soap:Envelope>'''
+        % locals()
+    )
     return HttpResponse(content, content_type="text/xml")
 
 
@@ -571,21 +572,22 @@ def get_sp_options_policy(provider):
 
 
 def get_session_not_on_or_after(assertion):
-    '''Extract the minimal value for the SessionNotOnOrAfter found in the given
-       assertion AuthenticationStatement(s).
-    '''
+    """Extract the minimal value for the SessionNotOnOrAfter found in the given
+    assertion AuthenticationStatement(s).
+    """
     session_not_on_or_afters = []
     if hasattr(assertion, 'authnStatement'):
         for authn_statement in assertion.authnStatement:
             if authn_statement.sessionNotOnOrAfter:
                 value = authn_statement.sessionNotOnOrAfter
                 try:
-                    session_not_on_or_afters.append(
-                        saml2utils.iso8601_to_datetime(value))
+                    session_not_on_or_afters.append(saml2utils.iso8601_to_datetime(value))
                 except ValueError:
                     logging.getLogger(__name__).error(
                         'unable to parse SessionNotOnOrAfter value %s, will '
-                        'use default value for session length.', value)
+                        'use default value for session length.',
+                        value,
+                    )
     if session_not_on_or_afters:
         return six.moves.reduce(min, session_not_on_or_afters)
     return None
diff --git a/src/authentic2/saml/fields.py b/src/authentic2/saml/fields.py
index ba1c14b5..43b7a2a1 100644
--- a/src/authentic2/saml/fields.py
+++ b/src/authentic2/saml/fields.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import base64
+
 try:
     import cPickle as pickle
 except ImportError:
@@ -39,9 +40,8 @@ def loads(value):
 
 
 def dumps(value):
-    return PickledObject(
-        force_text(
-            base64.b64encode(pickle.dumps(value, protocol=0))))
+    return PickledObject(force_text(base64.b64encode(pickle.dumps(value, protocol=0))))
+
 
 # This is a copy of http://djangosnippets.org/snippets/513/
 #
@@ -58,8 +58,9 @@ def dumps(value):
 
 class PickledObject(six.text_type):
     """A subclass of string so it can be told whether a string is
-       a pickled object or not (if the object is an instance of this class
-       then it must [well, should] be a pickled one)."""
+    a pickled object or not (if the object is an instance of this class
+    then it must [well, should] be a pickled one)."""
+
     pass
 
 
@@ -71,9 +72,12 @@ class PickledObjectField(models.Field):
         return value
 
     if django.VERSION < (2,):
+
         def from_db_value(self, value, expression, connection, context):
             return self.__from_db_value(value)
+
     else:
+
         def from_db_value(self, value, expression, connection):
             return self.__from_db_value(value)
 
@@ -126,8 +130,10 @@ class MultiSelectFormField(forms.MultipleChoiceField):
         if not value and self.required:
             raise forms.ValidationError(self.error_messages['required'])
         if value and self.max_choices and len(value) > self.max_choices:
-            raise forms.ValidationError('You must select a maximum of %s choice%s.' % (
-                apnumber(self.max_choices), pluralize(self.max_choices)))
+            raise forms.ValidationError(
+                'You must select a maximum of %s choice%s.'
+                % (apnumber(self.max_choices), pluralize(self.max_choices))
+            )
         return value
 
 
@@ -178,15 +184,20 @@ class MultiSelectField(models.Field):
         return value.split(",")
 
     if django.VERSION < (2,):
+
         def from_db_value(self, value, expression, connection, context):
             return self.to_python(value)
+
     else:
+
         def from_db_value(self, value, expression, connection):
             return self.to_python(value)
 
     def contribute_to_class(self, cls, name):
         super(MultiSelectField, self).contribute_to_class(cls, name)
         if self.choices:
+
             def func(self, fieldname=name, choicedict=dict(self.choices)):
                 return ",".join([choicedict.get(value, value) for value in getattr(self, fieldname)])
+
             setattr(cls, 'get_%s_display' % self.name, func)
diff --git a/src/authentic2/saml/forms.py b/src/authentic2/saml/forms.py
index b5dd3868..5ffb1042 100644
--- a/src/authentic2/saml/forms.py
+++ b/src/authentic2/saml/forms.py
@@ -33,11 +33,13 @@ from django_rbac.utils import get_ou_model
 
 class AddLibertyProviderFromUrlForm(forms.Form):
     name = forms.CharField(max_length=140, label=_('Name'))
-    slug = forms.SlugField(max_length=140, label=_('Shortcut'),
-                           help_text=_("Internal nickname for the service provider"))
+    slug = forms.SlugField(
+        max_length=140, label=_('Shortcut'), help_text=_("Internal nickname for the service provider")
+    )
     url = forms.URLField(label=_("Metadata's URL"))
-    ou = forms.ModelChoiceField(queryset=get_ou_model().objects, initial=get_default_ou,
-                                label=_('Organizational unit'))
+    ou = forms.ModelChoiceField(
+        queryset=get_ou_model().objects, initial=get_default_ou, label=_('Organizational unit')
+    )
 
     def clean(self):
         cleaned_data = super(AddLibertyProviderFromUrlForm, self).clean()
@@ -53,24 +55,20 @@ class AddLibertyProviderFromUrlForm(forms.Form):
                 response.raise_for_status()
                 content = response.content
             except requests.RequestException as e:
-                raise ValidationError(_('Retrieval of %(url)s failed: %(exception)s') % {
-                    'url': url,
-                    'exception': e
-                })
+                raise ValidationError(
+                    _('Retrieval of %(url)s failed: %(exception)s') % {'url': url, 'exception': e}
+                )
             root = ET.fromstring(content)
             if root.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF:
-                raise ValidationError(_('Invalid SAML metadata: %s')
-                                      % _('missing EntityDescriptor tag'))
+                raise ValidationError(_('Invalid SAML metadata: %s') % _('missing EntityDescriptor tag'))
             is_sp = not root.find('{%s}SPSSODescriptor' % lasso.SAML2_METADATA_HREF) is None
             if not is_sp:
-                raise ValidationError(_('Invalid SAML metadata: %s')
-                                      % _('missing SPSSODescriptor tags'))
-            liberty_provider = LibertyProvider(name=name, slug=slug, metadata=content,
-                                               metadata_url=url, ou=ou)
+                raise ValidationError(_('Invalid SAML metadata: %s') % _('missing SPSSODescriptor tags'))
+            liberty_provider = LibertyProvider(
+                name=name, slug=slug, metadata=content, metadata_url=url, ou=ou
+            )
             liberty_provider.full_clean(exclude=('entity_id', 'protocol_conformance'))
-            self.childs.append(LibertyServiceProvider(
-                liberty_provider=liberty_provider,
-                enabled=True))
+            self.childs.append(LibertyServiceProvider(liberty_provider=liberty_provider, enabled=True))
             self.instance = liberty_provider
         return cleaned_data
 
diff --git a/src/authentic2/saml/lasso_helper.py b/src/authentic2/saml/lasso_helper.py
index 527cebc8..1d43dd6a 100644
--- a/src/authentic2/saml/lasso_helper.py
+++ b/src/authentic2/saml/lasso_helper.py
@@ -63,11 +63,14 @@ def buid_session_dump(sessions):
     tb = etree.TreeBuilder()
     tb.start(SESSION_ELT, {VERSION_AT: '2'})
     for session in sessions:
-        tb.start(NID_AND_SESSION_INDEX, {
-            PROVIDER_ID_AT: session['provider_id'],
-            ASSERTION_ID_AT: '',
-            SESSION_INDEX_AT: session['session_index']
-        })
+        tb.start(
+            NID_AND_SESSION_INDEX,
+            {
+                PROVIDER_ID_AT: session['provider_id'],
+                ASSERTION_ID_AT: '',
+                SESSION_INDEX_AT: session['session_index'],
+            },
+        )
         build_name_id(session, tb)
         tb.end(NID_AND_SESSION_INDEX)
     tb.end(SESSION_ELT)
diff --git a/src/authentic2/saml/management/commands/mapping.py b/src/authentic2/saml/management/commands/mapping.py
index 68d4a11a..cec359be 100644
--- a/src/authentic2/saml/management/commands/mapping.py
+++ b/src/authentic2/saml/management/commands/mapping.py
@@ -66,2297 +66,2010 @@ def get_def_name_from_alias(alias):
             return key
 
 
-ATTRIBUTE_NAMESPACES = \
-    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims",)
+ATTRIBUTE_NAMESPACES = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims",)
 
 ATTRIBUTE_MAPPING = {
-
-#Extracted from openldap system schema
-"top": {
-    "oid": "2.5.6.0",
-    "display_name": "top",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"extensibleObject": {
-    "oid": "1.3.6.1.4.1.1466.101.120.111",
-    "display_name": "extensibleObject",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"alias": {
-    "oid": "2.5.6.1",
-    "display_name": "alias",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"referral": {
-    "oid": "2.16.840.1.113730.3.2.6",
-    "display_name": "referral",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"OpenLDAProotDSE": {
-    "oid": "1.3.6.1.4.1.4203.1.4.1",
-    "display_name": "OpenLDAProotDSE LDAProotDSE",
-    "alias": ['LDAProotDSE'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"subentry": {
-    "oid": "2.5.17.0",
-    "display_name": "subentry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"subschema": {
-    "oid": "2.5.20.1",
-    "display_name": "subschema",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"collectiveAttributeSubentry": {
-    "oid": "2.5.17.2",
-    "display_name": "collectiveAttributeSubentry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"dynamicObject": {
-    "oid": "1.3.6.1.4.1.1466.101.119.2",
-    "display_name": "dynamicObject",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"glue": {
-    "oid": "1.3.6.1.4.1.4203.666.3.4",
-    "display_name": "glue",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"syncConsumerSubentry": {
-    "oid": "1.3.6.1.4.1.4203.666.3.5",
-    "display_name": "syncConsumerSubentry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"syncProviderSubentry": {
-    "oid": "1.3.6.1.4.1.4203.666.3.6",
-    "display_name": "syncProviderSubentry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"objectClass": {
-    "oid": "2.5.4.0",
-    "display_name": "objectClass",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"structuralObjectClass": {
-    "oid": "2.5.21.9",
-    "display_name": "structuralObjectClass",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"createTimestamp": {
-    "oid": "2.5.18.1",
-    "display_name": "createTimestamp",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
-},
-
-#Extracted from openldap system schema
-"modifyTimestamp": {
-    "oid": "2.5.18.2",
-    "display_name": "modifyTimestamp",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
-},
-
-#Extracted from openldap system schema
-"creatorsName": {
-    "oid": "2.5.18.3",
-    "display_name": "creatorsName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"modifiersName": {
-    "oid": "2.5.18.4",
-    "display_name": "modifiersName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"hasSubordinates": {
-    "oid": "2.5.18.9",
-    "display_name": "hasSubordinates",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.7",
-},
-
-#Extracted from openldap system schema
-"subschemaSubentry": {
-    "oid": "2.5.18.10",
-    "display_name": "subschemaSubentry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"collectiveAttributeSubentries": {
-    "oid": "2.5.18.12",
-    "display_name": "collectiveAttributeSubentries",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"collectiveExclusions": {
-    "oid": "2.5.18.7",
-    "display_name": "collectiveExclusions",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"entryDN": {
-    "oid": "1.3.6.1.1.20",
-    "display_name": "entryDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"entryUUID": {
-    "oid": "1.3.6.1.1.16.4",
-    "display_name": "entryUUID",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.1.16.1",
-},
-
-#Extracted from openldap system schema
-"entryCSN": {
-    "oid": "1.3.6.1.4.1.4203.666.1.7",
-    "display_name": "entryCSN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.666.11.2.1{64}",
-},
-
-#Extracted from openldap system schema
-"namingCSN": {
-    "oid": "1.3.6.1.4.1.4203.666.1.13",
-    "display_name": "namingCSN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.666.11.2.1{64}",
-},
-
-#Extracted from openldap system schema
-"superiorUUID": {
-    "oid": "1.3.6.1.4.1.4203.666.1.11",
-    "display_name": "superiorUUID",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.1.16.1",
-},
-
-#Extracted from openldap system schema
-"syncreplCookie": {
-    "oid": "1.3.6.1.4.1.4203.666.1.23",
-    "display_name": "syncreplCookie",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.40",
-},
-
-#Extracted from openldap system schema
-"contextCSN": {
-    "oid": "1.3.6.1.4.1.4203.666.1.25",
-    "display_name": "contextCSN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.666.11.2.1{64}",
-},
-
-#Extracted from openldap system schema
-"syncTimestamp": {
-    "oid": "1.3.6.1.4.1.4203.666.1.26",
-    "display_name": "syncTimestamp",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
-},
-
-#Extracted from openldap system schema
-"altServer": {
-    "oid": "1.3.6.1.4.1.1466.101.120.6",
-    "display_name": "altServer",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap system schema
-"namingContexts": {
-    "oid": "1.3.6.1.4.1.1466.101.120.5",
-    "display_name": "namingContexts",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"supportedControl": {
-    "oid": "1.3.6.1.4.1.1466.101.120.13",
-    "display_name": "supportedControl",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"supportedExtension": {
-    "oid": "1.3.6.1.4.1.1466.101.120.7",
-    "display_name": "supportedExtension",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"supportedLDAPVersion": {
-    "oid": "1.3.6.1.4.1.1466.101.120.15",
-    "display_name": "supportedLDAPVersion",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap system schema
-"supportedSASLMechanisms": {
-    "oid": "1.3.6.1.4.1.1466.101.120.14",
-    "display_name": "supportedSASLMechanisms",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap system schema
-"supportedFeatures": {
-    "oid": "1.3.6.1.4.1.4203.1.3.5",
-    "display_name": "supportedFeatures",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"monitorContext": {
-    "oid": "1.3.6.1.4.1.4203.666.1.10",
-    "display_name": "monitorContext",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"configContext": {
-    "oid": "1.3.6.1.4.1.4203.1.12.2.1",
-    "display_name": "configContext",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"vendorName": {
-    "oid": "1.3.6.1.1.4",
-    "display_name": "vendorName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap system schema
-"vendorVersion": {
-    "oid": "1.3.6.1.1.5",
-    "display_name": "vendorVersion",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap system schema
-"administrativeRole": {
-    "oid": "2.5.18.5",
-    "display_name": "administrativeRole",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap system schema
-"subtreeSpecification": {
-    "oid": "2.5.18.6",
-    "display_name": "subtreeSpecification",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.45",
-},
-
-#Extracted from openldap system schema
-"dITStructureRules": {
-    "oid": "2.5.21.1",
-    "display_name": "dITStructureRules",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.17",
-},
-
-#Extracted from openldap system schema
-"dITContentRules": {
-    "oid": "2.5.21.2",
-    "display_name": "dITContentRules",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.16",
-},
-
-#Extracted from openldap system schema
-"matchingRules": {
-    "oid": "2.5.21.4",
-    "display_name": "matchingRules",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.30",
-},
-
-#Extracted from openldap system schema
-"attributeTypes": {
-    "oid": "2.5.21.5",
-    "display_name": "attributeTypes",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.3",
-},
-
-#Extracted from openldap system schema
-"objectClasses": {
-    "oid": "2.5.21.6",
-    "display_name": "objectClasses",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.37",
-},
-
-#Extracted from openldap system schema
-"nameForms": {
-    "oid": "2.5.21.7",
-    "display_name": "nameForms",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.35",
-},
-
-#Extracted from openldap system schema
-"matchingRuleUse": {
-    "oid": "2.5.21.8",
-    "display_name": "matchingRuleUse",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.31",
-},
-
-#Extracted from openldap system schema
-"ldapSyntaxes": {
-    "oid": "1.3.6.1.4.1.1466.101.120.16",
-    "display_name": "ldapSyntaxes",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.54",
-},
-
-#Extracted from openldap system schema
-"aliasedObjectName": {
-    "oid": "2.5.4.1",
-    "display_name": "aliasedObjectName aliasedEntryName",
-    "alias": ['aliasedEntryName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"ref": {
-    "oid": "2.16.840.1.113730.3.1.34",
-    "display_name": "ref",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap system schema
-"entry": {
-    "oid": "1.3.6.1.4.1.4203.1.3.1",
-    "display_name": "entry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.1.1.1",
-},
-
-#Extracted from openldap system schema
-"children": {
-    "oid": "1.3.6.1.4.1.4203.1.3.2",
-    "display_name": "children",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.1.1.1",
-},
-
-#Extracted from openldap system schema
-"authzTo": {
-    "oid": "1.3.6.1.4.1.4203.666.1.8",
-    "display_name": "authzTo saslAuthzTo",
-    "alias": ['saslAuthzTo'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.666.2.7",
-},
-
-#Extracted from openldap system schema
-"authzFrom": {
-    "oid": "1.3.6.1.4.1.4203.666.1.9",
-    "display_name": "authzFrom saslAuthzFrom",
-    "alias": ['saslAuthzFrom'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.666.2.7",
-},
-
-#Extracted from openldap system schema
-"entryTtl": {
-    "oid": "1.3.6.1.4.1.1466.101.119.3",
-    "display_name": "entryTtl",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap system schema
-"dynamicSubtrees": {
-    "oid": "1.3.6.1.4.1.1466.101.119.4",
-    "display_name": "dynamicSubtrees",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"distinguishedName": {
-    "oid": "2.5.4.49",
-    "display_name": "distinguishedName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap system schema
-"name": {
-    "oid": "2.5.4.41",
-    "display_name": "name",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{32768}",
-},
-
-#Extracted from openldap system schema
-"cn": {
-    "oid": "2.5.4.3",
-    "display_name": "cn commonName",
-    "alias": ['commonName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap system schema
-"uid": {
-    "oid": "0.9.2342.19200300.100.1.1",
-    "display_name": "uid userid",
-    "alias": ['userid'],
-    "profile_field_name": 'username',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap system schema
-"uidNumber": {
-    "oid": "1.3.6.1.1.1.1.0",
-    "display_name": "uidNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap system schema
-"gidNumber": {
-    "oid": "1.3.6.1.1.1.1.1",
-    "display_name": "gidNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap system schema
-"userPassword": {
-    "oid": "2.5.4.35",
-    "display_name": "userPassword",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.40{128}",
-},
-
-#Extracted from openldap system schema
-"labeledURI": {
-    "oid": "1.3.6.1.4.1.250.1.57",
-    "display_name": "labeledURI",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap system schema
-"authPassword": {
-    "oid": "1.3.6.1.4.1.4203.1.3.4",
-    "display_name": "authPassword",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.4203.1.1.2",
-},
-
-#Extracted from openldap system schema
-"supportedAuthPasswordSchemes": {
-    "oid": "1.3.6.1.4.1.4203.1.3.3",
-    "display_name": "supportedAuthPasswordSchemes",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{32}",
-},
-
-#Extracted from openldap system schema
-"description": {
-    "oid": "2.5.4.13",
-    "display_name": "description",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{1024}",
-},
-
-#Extracted from openldap system schema
-"seeAlso": {
-    "oid": "2.5.4.34",
-    "display_name": "seeAlso",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"carLicense": {
-    "oid": "2.16.840.1.113730.3.1.1",
-    "display_name": "carLicense",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"departmentNumber": {
-    "oid": "2.16.840.1.113730.3.1.2",
-    "display_name": "departmentNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"displayName": {
-    "oid": "2.16.840.1.113730.3.1.241",
-    "display_name": "displayName",
-    "profile_field_name": "get_full_name",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"employeeNumber": {
-    "oid": "2.16.840.1.113730.3.1.3",
-    "display_name": "employeeNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"employeeType": {
-    "oid": "2.16.840.1.113730.3.1.4",
-    "display_name": "employeeType",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"jpegPhoto": {
-    "oid": "0.9.2342.19200300.100.1.60",
-    "display_name": "jpegPhoto",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.28",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"preferredLanguage": {
-    "oid": "2.16.840.1.113730.3.1.39",
-    "display_name": "preferredLanguage",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"userSMIMECertificate": {
-    "oid": "2.16.840.1.113730.3.1.40",
-    "display_name": "userSMIMECertificate",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.5",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
-"userPKCS12": {
-    "oid": "2.16.840.1.113730.3.1.216",
-    "display_name": "userPKCS12",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.5",
-},
-
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"gecos": {
-    "oid": "1.3.6.1.1.1.1.2",
-    "display_name": "gecos",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"homeDirectory": {
-    "oid": "1.3.6.1.1.1.1.3",
-    "display_name": "homeDirectory",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"loginShell": {
-    "oid": "1.3.6.1.1.1.1.4",
-    "display_name": "loginShell",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowLastChange": {
-    "oid": "1.3.6.1.1.1.1.5",
-    "display_name": "shadowLastChange",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowMin": {
-    "oid": "1.3.6.1.1.1.1.6",
-    "display_name": "shadowMin",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowMax": {
-    "oid": "1.3.6.1.1.1.1.7",
-    "display_name": "shadowMax",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowWarning": {
-    "oid": "1.3.6.1.1.1.1.8",
-    "display_name": "shadowWarning",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowInactive": {
-    "oid": "1.3.6.1.1.1.1.9",
-    "display_name": "shadowInactive",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowExpire": {
-    "oid": "1.3.6.1.1.1.1.10",
-    "display_name": "shadowExpire",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"shadowFlag": {
-    "oid": "1.3.6.1.1.1.1.11",
-    "display_name": "shadowFlag",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"memberUid": {
-    "oid": "1.3.6.1.1.1.1.12",
-    "display_name": "memberUid",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"memberNisNetgroup": {
-    "oid": "1.3.6.1.1.1.1.13",
-    "display_name": "memberNisNetgroup",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"nisNetgroupTriple": {
-    "oid": "1.3.6.1.1.1.1.14",
-    "display_name": "nisNetgroupTriple",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.1.1.0.0",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"ipServicePort": {
-    "oid": "1.3.6.1.1.1.1.15",
-    "display_name": "ipServicePort",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"ipServiceProtocolSUPname": {
-    "oid": "1.3.6.1.1.1.1.16",
-    "display_name": "ipServiceProtocolSUPname",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"ipProtocolNumber": {
-    "oid": "1.3.6.1.1.1.1.17",
-    "display_name": "ipProtocolNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"oncRpcNumber": {
-    "oid": "1.3.6.1.1.1.1.18",
-    "display_name": "oncRpcNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"ipHostNumber": {
-    "oid": "1.3.6.1.1.1.1.19",
-    "display_name": "ipHostNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"ipNetworkNumber": {
-    "oid": "1.3.6.1.1.1.1.20",
-    "display_name": "ipNetworkNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"ipNetmaskNumber": {
-    "oid": "1.3.6.1.1.1.1.21",
-    "display_name": "ipNetmaskNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"macAddress": {
-    "oid": "1.3.6.1.1.1.1.22",
-    "display_name": "macAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"bootParameter": {
-    "oid": "1.3.6.1.1.1.1.23",
-    "display_name": "bootParameter",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.1.1.0.1",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"bootFile": {
-    "oid": "1.3.6.1.1.1.1.24",
-    "display_name": "bootFile",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"nisMapNameSUPname": {
-    "oid": "1.3.6.1.1.1.1.26",
-    "display_name": "nisMapNameSUPname",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/nis.ldif
-"nisMapEntry": {
-    "oid": "1.3.6.1.1.1.1.27",
-    "display_name": "nisMapEntry",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{1024}",
-},
-
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"knowledgeInformation": {
-    "oid": "2.5.4.2",
-    "display_name": "knowledgeInformation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{32768}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"sn": {
-    "oid": "2.5.4.4",
-    "display_name": _("Last name") + "(sn surname)",
-    "alias": ['surname'],
-    "profile_field_name": 'last_name',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
+    # Extracted from openldap system schema
+    "top": {
+        "oid": "2.5.6.0",
+        "display_name": "top",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "extensibleObject": {
+        "oid": "1.3.6.1.4.1.1466.101.120.111",
+        "display_name": "extensibleObject",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "alias": {
+        "oid": "2.5.6.1",
+        "display_name": "alias",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "referral": {
+        "oid": "2.16.840.1.113730.3.2.6",
+        "display_name": "referral",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "OpenLDAProotDSE": {
+        "oid": "1.3.6.1.4.1.4203.1.4.1",
+        "display_name": "OpenLDAProotDSE LDAProotDSE",
+        "alias": ['LDAProotDSE'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "subentry": {
+        "oid": "2.5.17.0",
+        "display_name": "subentry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "subschema": {
+        "oid": "2.5.20.1",
+        "display_name": "subschema",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "collectiveAttributeSubentry": {
+        "oid": "2.5.17.2",
+        "display_name": "collectiveAttributeSubentry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "dynamicObject": {
+        "oid": "1.3.6.1.4.1.1466.101.119.2",
+        "display_name": "dynamicObject",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "glue": {
+        "oid": "1.3.6.1.4.1.4203.666.3.4",
+        "display_name": "glue",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "syncConsumerSubentry": {
+        "oid": "1.3.6.1.4.1.4203.666.3.5",
+        "display_name": "syncConsumerSubentry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "syncProviderSubentry": {
+        "oid": "1.3.6.1.4.1.4203.666.3.6",
+        "display_name": "syncProviderSubentry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "objectClass": {
+        "oid": "2.5.4.0",
+        "display_name": "objectClass",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "structuralObjectClass": {
+        "oid": "2.5.21.9",
+        "display_name": "structuralObjectClass",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "createTimestamp": {
+        "oid": "2.5.18.1",
+        "display_name": "createTimestamp",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
+    },
+    # Extracted from openldap system schema
+    "modifyTimestamp": {
+        "oid": "2.5.18.2",
+        "display_name": "modifyTimestamp",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
+    },
+    # Extracted from openldap system schema
+    "creatorsName": {
+        "oid": "2.5.18.3",
+        "display_name": "creatorsName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "modifiersName": {
+        "oid": "2.5.18.4",
+        "display_name": "modifiersName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "hasSubordinates": {
+        "oid": "2.5.18.9",
+        "display_name": "hasSubordinates",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.7",
+    },
+    # Extracted from openldap system schema
+    "subschemaSubentry": {
+        "oid": "2.5.18.10",
+        "display_name": "subschemaSubentry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "collectiveAttributeSubentries": {
+        "oid": "2.5.18.12",
+        "display_name": "collectiveAttributeSubentries",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "collectiveExclusions": {
+        "oid": "2.5.18.7",
+        "display_name": "collectiveExclusions",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "entryDN": {
+        "oid": "1.3.6.1.1.20",
+        "display_name": "entryDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "entryUUID": {
+        "oid": "1.3.6.1.1.16.4",
+        "display_name": "entryUUID",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.1.16.1",
+    },
+    # Extracted from openldap system schema
+    "entryCSN": {
+        "oid": "1.3.6.1.4.1.4203.666.1.7",
+        "display_name": "entryCSN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.666.11.2.1{64}",
+    },
+    # Extracted from openldap system schema
+    "namingCSN": {
+        "oid": "1.3.6.1.4.1.4203.666.1.13",
+        "display_name": "namingCSN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.666.11.2.1{64}",
+    },
+    # Extracted from openldap system schema
+    "superiorUUID": {
+        "oid": "1.3.6.1.4.1.4203.666.1.11",
+        "display_name": "superiorUUID",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.1.16.1",
+    },
+    # Extracted from openldap system schema
+    "syncreplCookie": {
+        "oid": "1.3.6.1.4.1.4203.666.1.23",
+        "display_name": "syncreplCookie",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.40",
+    },
+    # Extracted from openldap system schema
+    "contextCSN": {
+        "oid": "1.3.6.1.4.1.4203.666.1.25",
+        "display_name": "contextCSN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.666.11.2.1{64}",
+    },
+    # Extracted from openldap system schema
+    "syncTimestamp": {
+        "oid": "1.3.6.1.4.1.4203.666.1.26",
+        "display_name": "syncTimestamp",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
+    },
+    # Extracted from openldap system schema
+    "altServer": {
+        "oid": "1.3.6.1.4.1.1466.101.120.6",
+        "display_name": "altServer",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap system schema
+    "namingContexts": {
+        "oid": "1.3.6.1.4.1.1466.101.120.5",
+        "display_name": "namingContexts",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "supportedControl": {
+        "oid": "1.3.6.1.4.1.1466.101.120.13",
+        "display_name": "supportedControl",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "supportedExtension": {
+        "oid": "1.3.6.1.4.1.1466.101.120.7",
+        "display_name": "supportedExtension",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "supportedLDAPVersion": {
+        "oid": "1.3.6.1.4.1.1466.101.120.15",
+        "display_name": "supportedLDAPVersion",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap system schema
+    "supportedSASLMechanisms": {
+        "oid": "1.3.6.1.4.1.1466.101.120.14",
+        "display_name": "supportedSASLMechanisms",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap system schema
+    "supportedFeatures": {
+        "oid": "1.3.6.1.4.1.4203.1.3.5",
+        "display_name": "supportedFeatures",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "monitorContext": {
+        "oid": "1.3.6.1.4.1.4203.666.1.10",
+        "display_name": "monitorContext",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "configContext": {
+        "oid": "1.3.6.1.4.1.4203.1.12.2.1",
+        "display_name": "configContext",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "vendorName": {
+        "oid": "1.3.6.1.1.4",
+        "display_name": "vendorName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap system schema
+    "vendorVersion": {
+        "oid": "1.3.6.1.1.5",
+        "display_name": "vendorVersion",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap system schema
+    "administrativeRole": {
+        "oid": "2.5.18.5",
+        "display_name": "administrativeRole",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap system schema
+    "subtreeSpecification": {
+        "oid": "2.5.18.6",
+        "display_name": "subtreeSpecification",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.45",
+    },
+    # Extracted from openldap system schema
+    "dITStructureRules": {
+        "oid": "2.5.21.1",
+        "display_name": "dITStructureRules",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.17",
+    },
+    # Extracted from openldap system schema
+    "dITContentRules": {
+        "oid": "2.5.21.2",
+        "display_name": "dITContentRules",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.16",
+    },
+    # Extracted from openldap system schema
+    "matchingRules": {
+        "oid": "2.5.21.4",
+        "display_name": "matchingRules",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.30",
+    },
+    # Extracted from openldap system schema
+    "attributeTypes": {
+        "oid": "2.5.21.5",
+        "display_name": "attributeTypes",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.3",
+    },
+    # Extracted from openldap system schema
+    "objectClasses": {
+        "oid": "2.5.21.6",
+        "display_name": "objectClasses",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.37",
+    },
+    # Extracted from openldap system schema
+    "nameForms": {
+        "oid": "2.5.21.7",
+        "display_name": "nameForms",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.35",
+    },
+    # Extracted from openldap system schema
+    "matchingRuleUse": {
+        "oid": "2.5.21.8",
+        "display_name": "matchingRuleUse",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.31",
+    },
+    # Extracted from openldap system schema
+    "ldapSyntaxes": {
+        "oid": "1.3.6.1.4.1.1466.101.120.16",
+        "display_name": "ldapSyntaxes",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.54",
+    },
+    # Extracted from openldap system schema
+    "aliasedObjectName": {
+        "oid": "2.5.4.1",
+        "display_name": "aliasedObjectName aliasedEntryName",
+        "alias": ['aliasedEntryName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "ref": {
+        "oid": "2.16.840.1.113730.3.1.34",
+        "display_name": "ref",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap system schema
+    "entry": {
+        "oid": "1.3.6.1.4.1.4203.1.3.1",
+        "display_name": "entry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.1.1.1",
+    },
+    # Extracted from openldap system schema
+    "children": {
+        "oid": "1.3.6.1.4.1.4203.1.3.2",
+        "display_name": "children",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.1.1.1",
+    },
+    # Extracted from openldap system schema
+    "authzTo": {
+        "oid": "1.3.6.1.4.1.4203.666.1.8",
+        "display_name": "authzTo saslAuthzTo",
+        "alias": ['saslAuthzTo'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.666.2.7",
+    },
+    # Extracted from openldap system schema
+    "authzFrom": {
+        "oid": "1.3.6.1.4.1.4203.666.1.9",
+        "display_name": "authzFrom saslAuthzFrom",
+        "alias": ['saslAuthzFrom'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.666.2.7",
+    },
+    # Extracted from openldap system schema
+    "entryTtl": {
+        "oid": "1.3.6.1.4.1.1466.101.119.3",
+        "display_name": "entryTtl",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap system schema
+    "dynamicSubtrees": {
+        "oid": "1.3.6.1.4.1.1466.101.119.4",
+        "display_name": "dynamicSubtrees",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "distinguishedName": {
+        "oid": "2.5.4.49",
+        "display_name": "distinguishedName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap system schema
+    "name": {
+        "oid": "2.5.4.41",
+        "display_name": "name",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{32768}",
+    },
+    # Extracted from openldap system schema
+    "cn": {
+        "oid": "2.5.4.3",
+        "display_name": "cn commonName",
+        "alias": ['commonName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap system schema
+    "uid": {
+        "oid": "0.9.2342.19200300.100.1.1",
+        "display_name": "uid userid",
+        "alias": ['userid'],
+        "profile_field_name": 'username',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap system schema
+    "uidNumber": {
+        "oid": "1.3.6.1.1.1.1.0",
+        "display_name": "uidNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap system schema
+    "gidNumber": {
+        "oid": "1.3.6.1.1.1.1.1",
+        "display_name": "gidNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap system schema
+    "userPassword": {
+        "oid": "2.5.4.35",
+        "display_name": "userPassword",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.40{128}",
+    },
+    # Extracted from openldap system schema
+    "labeledURI": {
+        "oid": "1.3.6.1.4.1.250.1.57",
+        "display_name": "labeledURI",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap system schema
+    "authPassword": {
+        "oid": "1.3.6.1.4.1.4203.1.3.4",
+        "display_name": "authPassword",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.4203.1.1.2",
+    },
+    # Extracted from openldap system schema
+    "supportedAuthPasswordSchemes": {
+        "oid": "1.3.6.1.4.1.4203.1.3.3",
+        "display_name": "supportedAuthPasswordSchemes",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{32}",
+    },
+    # Extracted from openldap system schema
+    "description": {
+        "oid": "2.5.4.13",
+        "display_name": "description",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{1024}",
+    },
+    # Extracted from openldap system schema
+    "seeAlso": {
+        "oid": "2.5.4.34",
+        "display_name": "seeAlso",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "carLicense": {
+        "oid": "2.16.840.1.113730.3.1.1",
+        "display_name": "carLicense",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "departmentNumber": {
+        "oid": "2.16.840.1.113730.3.1.2",
+        "display_name": "departmentNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "displayName": {
+        "oid": "2.16.840.1.113730.3.1.241",
+        "display_name": "displayName",
+        "profile_field_name": "get_full_name",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "employeeNumber": {
+        "oid": "2.16.840.1.113730.3.1.3",
+        "display_name": "employeeNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "employeeType": {
+        "oid": "2.16.840.1.113730.3.1.4",
+        "display_name": "employeeType",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "jpegPhoto": {
+        "oid": "0.9.2342.19200300.100.1.60",
+        "display_name": "jpegPhoto",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.28",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "preferredLanguage": {
+        "oid": "2.16.840.1.113730.3.1.39",
+        "display_name": "preferredLanguage",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "userSMIMECertificate": {
+        "oid": "2.16.840.1.113730.3.1.40",
+        "display_name": "userSMIMECertificate",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.5",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/inetorgperson.ldif
+    "userPKCS12": {
+        "oid": "2.16.840.1.113730.3.1.216",
+        "display_name": "userPKCS12",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.5",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "gecos": {
+        "oid": "1.3.6.1.1.1.1.2",
+        "display_name": "gecos",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "homeDirectory": {
+        "oid": "1.3.6.1.1.1.1.3",
+        "display_name": "homeDirectory",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "loginShell": {
+        "oid": "1.3.6.1.1.1.1.4",
+        "display_name": "loginShell",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowLastChange": {
+        "oid": "1.3.6.1.1.1.1.5",
+        "display_name": "shadowLastChange",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowMin": {
+        "oid": "1.3.6.1.1.1.1.6",
+        "display_name": "shadowMin",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowMax": {
+        "oid": "1.3.6.1.1.1.1.7",
+        "display_name": "shadowMax",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowWarning": {
+        "oid": "1.3.6.1.1.1.1.8",
+        "display_name": "shadowWarning",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowInactive": {
+        "oid": "1.3.6.1.1.1.1.9",
+        "display_name": "shadowInactive",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowExpire": {
+        "oid": "1.3.6.1.1.1.1.10",
+        "display_name": "shadowExpire",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "shadowFlag": {
+        "oid": "1.3.6.1.1.1.1.11",
+        "display_name": "shadowFlag",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "memberUid": {
+        "oid": "1.3.6.1.1.1.1.12",
+        "display_name": "memberUid",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "memberNisNetgroup": {
+        "oid": "1.3.6.1.1.1.1.13",
+        "display_name": "memberNisNetgroup",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "nisNetgroupTriple": {
+        "oid": "1.3.6.1.1.1.1.14",
+        "display_name": "nisNetgroupTriple",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.1.1.0.0",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "ipServicePort": {
+        "oid": "1.3.6.1.1.1.1.15",
+        "display_name": "ipServicePort",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "ipServiceProtocolSUPname": {
+        "oid": "1.3.6.1.1.1.1.16",
+        "display_name": "ipServiceProtocolSUPname",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "ipProtocolNumber": {
+        "oid": "1.3.6.1.1.1.1.17",
+        "display_name": "ipProtocolNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "oncRpcNumber": {
+        "oid": "1.3.6.1.1.1.1.18",
+        "display_name": "oncRpcNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "ipHostNumber": {
+        "oid": "1.3.6.1.1.1.1.19",
+        "display_name": "ipHostNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "ipNetworkNumber": {
+        "oid": "1.3.6.1.1.1.1.20",
+        "display_name": "ipNetworkNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "ipNetmaskNumber": {
+        "oid": "1.3.6.1.1.1.1.21",
+        "display_name": "ipNetmaskNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "macAddress": {
+        "oid": "1.3.6.1.1.1.1.22",
+        "display_name": "macAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "bootParameter": {
+        "oid": "1.3.6.1.1.1.1.23",
+        "display_name": "bootParameter",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.1.1.0.1",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "bootFile": {
+        "oid": "1.3.6.1.1.1.1.24",
+        "display_name": "bootFile",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "nisMapNameSUPname": {
+        "oid": "1.3.6.1.1.1.1.26",
+        "display_name": "nisMapNameSUPname",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/nis.ldif
+    "nisMapEntry": {
+        "oid": "1.3.6.1.1.1.1.27",
+        "display_name": "nisMapEntry",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{1024}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "knowledgeInformation": {
+        "oid": "2.5.4.2",
+        "display_name": "knowledgeInformation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{32768}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "sn": {
+        "oid": "2.5.4.4",
+        "display_name": _("Last name") + "(sn surname)",
+        "alias": ['surname'],
+        "profile_field_name": 'last_name',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                 ],
-            "friendly_names":
-                [
-            "Last Name",
+                "friendly_names": [
+                    "Last Name",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"serialNumber": {
-    "oid": "2.5.4.5",
-    "display_name": "serialNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.44{64}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"c": {
-    "oid": "2.5.4.6",
-    "display_name": "c countryName",
-    "alias": ['countryName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"l": {
-    "oid": "2.5.4.7",
-    "display_name": "l localityName",
-    "alias": ['localityName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "serialNumber": {
+        "oid": "2.5.4.5",
+        "display_name": "serialNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.44{64}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "c": {
+        "oid": "2.5.4.6",
+        "display_name": "c countryName",
+        "alias": ['countryName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "l": {
+        "oid": "2.5.4.7",
+        "display_name": "l localityName",
+        "alias": ['localityName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality",
                 ],
-            "friendly_names":
-                [
-            "Locality Name or City",
+                "friendly_names": [
+                    "Locality Name or City",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"st": {
-    "oid": "2.5.4.8",
-    "display_name": "st stateOrProvinceName",
-    "alias": ['stateOrProvinceName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "st": {
+        "oid": "2.5.4.8",
+        "display_name": "st stateOrProvinceName",
+        "alias": ['stateOrProvinceName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
                 ],
-            "friendly_names":
-                [
-            "State or Province",
+                "friendly_names": [
+                    "State or Province",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"street": {
-    "oid": "2.5.4.9",
-    "display_name": "street streetAddress",
-    "alias": ['streetAddress'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "street": {
+        "oid": "2.5.4.9",
+        "display_name": "street streetAddress",
+        "alias": ['streetAddress'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress",
                 ],
-            "friendly_names":
-                [
-            "Street Address",
+                "friendly_names": [
+                    "Street Address",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"o": {
-    "oid": "2.5.4.10",
-    "display_name": _("Organization") + "(o organizationName)",
-    "alias": ['organizationName'],
-    "profile_field_name": 'company',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"ou": {
-    "oid": "2.5.4.11",
-    "display_name": "ou organizationalUnitName",
-    "alias": ['organizationalUnitName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"title": {
-    "oid": "2.5.4.12",
-    "display_name": "title",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"searchGuide": {
-    "oid": "2.5.4.14",
-    "display_name": "searchGuide",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.25",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"businessCategory": {
-    "oid": "2.5.4.15",
-    "display_name": "businessCategory",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"postalAddress": {
-    "oid": "2.5.4.16",
-    "display_name": _("Postal address") + "(postalAddress)",
-    "profile_field_name": 'postal_address',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.41",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"postalCode": {
-    "oid": "2.5.4.17",
-    "display_name": "postalCode",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{40}",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "o": {
+        "oid": "2.5.4.10",
+        "display_name": _("Organization") + "(o organizationName)",
+        "alias": ['organizationName'],
+        "profile_field_name": 'company',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "ou": {
+        "oid": "2.5.4.11",
+        "display_name": "ou organizationalUnitName",
+        "alias": ['organizationalUnitName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "title": {
+        "oid": "2.5.4.12",
+        "display_name": "title",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "searchGuide": {
+        "oid": "2.5.4.14",
+        "display_name": "searchGuide",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.25",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "businessCategory": {
+        "oid": "2.5.4.15",
+        "display_name": "businessCategory",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "postalAddress": {
+        "oid": "2.5.4.16",
+        "display_name": _("Postal address") + "(postalAddress)",
+        "profile_field_name": 'postal_address',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.41",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "postalCode": {
+        "oid": "2.5.4.17",
+        "display_name": "postalCode",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{40}",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
                 ],
-            "friendly_names":
-                [
-            "Postal Code",
+                "friendly_names": [
+                    "Postal Code",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"postOfficeBox": {
-    "oid": "2.5.4.18",
-    "display_name": "postOfficeBox",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{40}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"physicalDeliveryOfficeName": {
-    "oid": "2.5.4.19",
-    "display_name": "physicalDeliveryOfficeName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"telephoneNumber": {
-    "oid": "2.5.4.20",
-    "display_name": _("Phone") + "(telephoneNumber)",
-    "profile_field_name": 'phone',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.50{32}",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "postOfficeBox": {
+        "oid": "2.5.4.18",
+        "display_name": "postOfficeBox",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{40}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "physicalDeliveryOfficeName": {
+        "oid": "2.5.4.19",
+        "display_name": "physicalDeliveryOfficeName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "telephoneNumber": {
+        "oid": "2.5.4.20",
+        "display_name": _("Phone") + "(telephoneNumber)",
+        "profile_field_name": 'phone',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.50{32}",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone",
                 ],
-            "friendly_names":
-                [
-            "Secondary or Work Telephone Number",
+                "friendly_names": [
+                    "Secondary or Work Telephone Number",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"telexNumber": {
-    "oid": "2.5.4.21",
-    "display_name": "telexNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.52",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"teletexTerminalIdentifier": {
-    "oid": "2.5.4.22",
-    "display_name": "teletexTerminalIdentifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.51",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"fax": {
-    "oid": "2.5.4.23",
-    "display_name": "fax facsimileTelephoneNumber",
-    "alias": ['facsimileTelephoneNumber'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"x121Address": {
-    "oid": "2.5.4.24",
-    "display_name": "x121Address",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.36{15}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"internationaliSDNNumber": {
-    "oid": "2.5.4.25",
-    "display_name": "internationaliSDNNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.36{16}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"registeredAddress": {
-    "oid": "2.5.4.26",
-    "display_name": "registeredAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.41",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"destinationIndicator": {
-    "oid": "2.5.4.27",
-    "display_name": "destinationIndicator",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.44{128}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"preferredDeliveryMethod": {
-    "oid": "2.5.4.28",
-    "display_name": "preferredDeliveryMethod",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.14",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"presentationAddress": {
-    "oid": "2.5.4.29",
-    "display_name": "presentationAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.43",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"supportedApplicationContext": {
-    "oid": "2.5.4.30",
-    "display_name": "supportedApplicationContext",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"member": {
-    "oid": "2.5.4.31",
-    "display_name": "member",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"owner": {
-    "oid": "2.5.4.32",
-    "display_name": "owner",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"roleOccupant": {
-    "oid": "2.5.4.33",
-    "display_name": "roleOccupant",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"userCertificate": {
-    "oid": "2.5.4.36",
-    "display_name": "userCertificate",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.8",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"cACertificate": {
-    "oid": "2.5.4.37",
-    "display_name": "cACertificate",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.8",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"authorityRevocationList": {
-    "oid": "2.5.4.38",
-    "display_name": "authorityRevocationList",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.9",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"certificateRevocationList": {
-    "oid": "2.5.4.39",
-    "display_name": "certificateRevocationList",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.9",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"crossCertificatePair": {
-    "oid": "2.5.4.40",
-    "display_name": "crossCertificatePair",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.10",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"givenName": {
-    "oid": "2.5.4.42",
-    "display_name": _("First name") + "(gn givenName)",
-    "alias": ['gn'],
-    "profile_field_name": 'first_name',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "telexNumber": {
+        "oid": "2.5.4.21",
+        "display_name": "telexNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.52",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "teletexTerminalIdentifier": {
+        "oid": "2.5.4.22",
+        "display_name": "teletexTerminalIdentifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.51",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "fax": {
+        "oid": "2.5.4.23",
+        "display_name": "fax facsimileTelephoneNumber",
+        "alias": ['facsimileTelephoneNumber'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "x121Address": {
+        "oid": "2.5.4.24",
+        "display_name": "x121Address",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.36{15}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "internationaliSDNNumber": {
+        "oid": "2.5.4.25",
+        "display_name": "internationaliSDNNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.36{16}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "registeredAddress": {
+        "oid": "2.5.4.26",
+        "display_name": "registeredAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.41",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "destinationIndicator": {
+        "oid": "2.5.4.27",
+        "display_name": "destinationIndicator",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.44{128}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "preferredDeliveryMethod": {
+        "oid": "2.5.4.28",
+        "display_name": "preferredDeliveryMethod",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.14",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "presentationAddress": {
+        "oid": "2.5.4.29",
+        "display_name": "presentationAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.43",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "supportedApplicationContext": {
+        "oid": "2.5.4.30",
+        "display_name": "supportedApplicationContext",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.38",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "member": {
+        "oid": "2.5.4.31",
+        "display_name": "member",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "owner": {
+        "oid": "2.5.4.32",
+        "display_name": "owner",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "roleOccupant": {
+        "oid": "2.5.4.33",
+        "display_name": "roleOccupant",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "userCertificate": {
+        "oid": "2.5.4.36",
+        "display_name": "userCertificate",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.8",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "cACertificate": {
+        "oid": "2.5.4.37",
+        "display_name": "cACertificate",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.8",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "authorityRevocationList": {
+        "oid": "2.5.4.38",
+        "display_name": "authorityRevocationList",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.9",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "certificateRevocationList": {
+        "oid": "2.5.4.39",
+        "display_name": "certificateRevocationList",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.9",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "crossCertificatePair": {
+        "oid": "2.5.4.40",
+        "display_name": "crossCertificatePair",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.10",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "givenName": {
+        "oid": "2.5.4.42",
+        "display_name": _("First name") + "(gn givenName)",
+        "alias": ['gn'],
+        "profile_field_name": 'first_name',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                 ],
-            "friendly_names":
-                [
-            "First Name",
+                "friendly_names": [
+                    "First Name",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"initials": {
-    "oid": "2.5.4.43",
-    "display_name": "initials",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"generationQualifier": {
-    "oid": "2.5.4.44",
-    "display_name": "generationQualifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"x500UniqueIdentifier": {
-    "oid": "2.5.4.45",
-    "display_name": "x500UniqueIdentifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.6",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"dnQualifier": {
-    "oid": "2.5.4.46",
-    "display_name": "dnQualifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.44",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"enhancedSearchGuide": {
-    "oid": "2.5.4.47",
-    "display_name": "enhancedSearchGuide",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.21",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"protocolInformation": {
-    "oid": "2.5.4.48",
-    "display_name": "protocolInformation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.42",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"uniqueMember": {
-    "oid": "2.5.4.50",
-    "display_name": "uniqueMember",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.34",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"houseIdentifier": {
-    "oid": "2.5.4.51",
-    "display_name": "houseIdentifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{32768}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"supportedAlgorithms": {
-    "oid": "2.5.4.52",
-    "display_name": "supportedAlgorithms",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.49",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"deltaRevocationList": {
-    "oid": "2.5.4.53",
-    "display_name": "deltaRevocationList",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.9",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"dmdName": {
-    "oid": "2.5.4.54",
-    "display_name": "dmdName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"pseudonym": {
-    "oid": "2.5.4.65",
-    "display_name": "pseudonym",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"mail": {
-    "oid": "0.9.2342.19200300.100.1.3",
-    "display_name": "mail rfc822Mailbox",
-    "alias": ['rfc822Mailbox'],
-    "profile_field_name": 'email',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"dc": {
-    "oid": "0.9.2342.19200300.100.1.25",
-    "display_name": "dc domainComponent",
-    "alias": ['domainComponent'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"associatedDomain": {
-    "oid": "0.9.2342.19200300.100.1.37",
-    "display_name": "associatedDomain",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/core.ldif
-"email": {
-    "oid": "1.2.840.113549.1.9.1",
-    "display_name": _("Email Address") + "(email pkcs9email emailAddress)",
-    "alias": ['pkcs9email', 'emailAddress'],
-    "profile_field_name": 'email',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "initials": {
+        "oid": "2.5.4.43",
+        "display_name": "initials",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "generationQualifier": {
+        "oid": "2.5.4.44",
+        "display_name": "generationQualifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "x500UniqueIdentifier": {
+        "oid": "2.5.4.45",
+        "display_name": "x500UniqueIdentifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.6",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "dnQualifier": {
+        "oid": "2.5.4.46",
+        "display_name": "dnQualifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.44",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "enhancedSearchGuide": {
+        "oid": "2.5.4.47",
+        "display_name": "enhancedSearchGuide",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.21",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "protocolInformation": {
+        "oid": "2.5.4.48",
+        "display_name": "protocolInformation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.42",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "uniqueMember": {
+        "oid": "2.5.4.50",
+        "display_name": "uniqueMember",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.34",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "houseIdentifier": {
+        "oid": "2.5.4.51",
+        "display_name": "houseIdentifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{32768}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "supportedAlgorithms": {
+        "oid": "2.5.4.52",
+        "display_name": "supportedAlgorithms",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.49",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "deltaRevocationList": {
+        "oid": "2.5.4.53",
+        "display_name": "deltaRevocationList",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.9",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "dmdName": {
+        "oid": "2.5.4.54",
+        "display_name": "dmdName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "pseudonym": {
+        "oid": "2.5.4.65",
+        "display_name": "pseudonym",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "mail": {
+        "oid": "0.9.2342.19200300.100.1.3",
+        "display_name": "mail rfc822Mailbox",
+        "alias": ['rfc822Mailbox'],
+        "profile_field_name": 'email',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "dc": {
+        "oid": "0.9.2342.19200300.100.1.25",
+        "display_name": "dc domainComponent",
+        "alias": ['domainComponent'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "associatedDomain": {
+        "oid": "0.9.2342.19200300.100.1.37",
+        "display_name": "associatedDomain",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/core.ldif
+    "email": {
+        "oid": "1.2.840.113549.1.9.1",
+        "display_name": _("Email Address") + "(email pkcs9email emailAddress)",
+        "alias": ['pkcs9email', 'emailAddress'],
+        "profile_field_name": 'email',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                 ],
-            "friendly_names":
-                [
-            "Email Address",
+                "friendly_names": [
+                    "Email Address",
                 ],
-        }
-    }
-},
-
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"textEncodedORAddress": {
-    "oid": "0.9.2342.19200300.100.1.2",
-    "display_name": "textEncodedORAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"info": {
-    "oid": "0.9.2342.19200300.100.1.4",
-    "display_name": "info",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{2048}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"drink": {
-    "oid": "0.9.2342.19200300.100.1.5",
-    "display_name": "drink favouriteDrink",
-    "alias": ['favouriteDrink'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"roomNumber": {
-    "oid": "0.9.2342.19200300.100.1.6",
-    "display_name": "roomNumber",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"photo": {
-    "oid": "0.9.2342.19200300.100.1.7",
-    "display_name": "photo",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.23{25000}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"userClass": {
-    "oid": "0.9.2342.19200300.100.1.8",
-    "display_name": "userClass",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"host": {
-    "oid": "0.9.2342.19200300.100.1.9",
-    "display_name": "host",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"manager": {
-    "oid": "0.9.2342.19200300.100.1.10",
-    "display_name": "manager",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"documentIdentifier": {
-    "oid": "0.9.2342.19200300.100.1.11",
-    "display_name": "documentIdentifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"documentTitle": {
-    "oid": "0.9.2342.19200300.100.1.12",
-    "display_name": "documentTitle",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"documentVersion": {
-    "oid": "0.9.2342.19200300.100.1.13",
-    "display_name": "documentVersion",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"documentAuthor": {
-    "oid": "0.9.2342.19200300.100.1.14",
-    "display_name": "documentAuthor",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"documentLocation": {
-    "oid": "0.9.2342.19200300.100.1.15",
-    "display_name": "documentLocation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"homePhone": {
-    "oid": "0.9.2342.19200300.100.1.20",
-    "display_name": "homePhone homeTelephoneNumber",
-    "alias": ['homeTelephoneNumber'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "textEncodedORAddress": {
+        "oid": "0.9.2342.19200300.100.1.2",
+        "display_name": "textEncodedORAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "info": {
+        "oid": "0.9.2342.19200300.100.1.4",
+        "display_name": "info",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{2048}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "drink": {
+        "oid": "0.9.2342.19200300.100.1.5",
+        "display_name": "drink favouriteDrink",
+        "alias": ['favouriteDrink'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "roomNumber": {
+        "oid": "0.9.2342.19200300.100.1.6",
+        "display_name": "roomNumber",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "photo": {
+        "oid": "0.9.2342.19200300.100.1.7",
+        "display_name": "photo",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.23{25000}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "userClass": {
+        "oid": "0.9.2342.19200300.100.1.8",
+        "display_name": "userClass",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "host": {
+        "oid": "0.9.2342.19200300.100.1.9",
+        "display_name": "host",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "manager": {
+        "oid": "0.9.2342.19200300.100.1.10",
+        "display_name": "manager",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "documentIdentifier": {
+        "oid": "0.9.2342.19200300.100.1.11",
+        "display_name": "documentIdentifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "documentTitle": {
+        "oid": "0.9.2342.19200300.100.1.12",
+        "display_name": "documentTitle",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "documentVersion": {
+        "oid": "0.9.2342.19200300.100.1.13",
+        "display_name": "documentVersion",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "documentAuthor": {
+        "oid": "0.9.2342.19200300.100.1.14",
+        "display_name": "documentAuthor",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "documentLocation": {
+        "oid": "0.9.2342.19200300.100.1.15",
+        "display_name": "documentLocation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "homePhone": {
+        "oid": "0.9.2342.19200300.100.1.20",
+        "display_name": "homePhone homeTelephoneNumber",
+        "alias": ['homeTelephoneNumber'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone",
                 ],
-            "friendly_names":
-                [
-            "Primary or Home Telephone Number",
+                "friendly_names": [
+                    "Primary or Home Telephone Number",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"secretary": {
-    "oid": "0.9.2342.19200300.100.1.21",
-    "display_name": "secretary",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"otherMailbox": {
-    "oid": "0.9.2342.19200300.100.1.22",
-    "display_name": "otherMailbox",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"aRecord": {
-    "oid": "0.9.2342.19200300.100.1.26",
-    "display_name": "aRecord",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"mDRecord": {
-    "oid": "0.9.2342.19200300.100.1.27",
-    "display_name": "mDRecord",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"mXRecord": {
-    "oid": "0.9.2342.19200300.100.1.28",
-    "display_name": "mXRecord",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"nSRecord": {
-    "oid": "0.9.2342.19200300.100.1.29",
-    "display_name": "nSRecord",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"sOARecord": {
-    "oid": "0.9.2342.19200300.100.1.30",
-    "display_name": "sOARecord",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"cNAMERecord": {
-    "oid": "0.9.2342.19200300.100.1.31",
-    "display_name": "cNAMERecord",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"associatedName": {
-    "oid": "0.9.2342.19200300.100.1.38",
-    "display_name": "associatedName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"homePostalAddress": {
-    "oid": "0.9.2342.19200300.100.1.39",
-    "display_name": "homePostalAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.41",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"personalTitle": {
-    "oid": "0.9.2342.19200300.100.1.40",
-    "display_name": "personalTitle",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"mobile": {
-    "oid": "0.9.2342.19200300.100.1.41",
-    "display_name": "mobile mobileTelephoneNumber",
-    "alias": ['mobileTelephoneNumber'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "secretary": {
+        "oid": "0.9.2342.19200300.100.1.21",
+        "display_name": "secretary",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "otherMailbox": {
+        "oid": "0.9.2342.19200300.100.1.22",
+        "display_name": "otherMailbox",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "aRecord": {
+        "oid": "0.9.2342.19200300.100.1.26",
+        "display_name": "aRecord",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "mDRecord": {
+        "oid": "0.9.2342.19200300.100.1.27",
+        "display_name": "mDRecord",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "mXRecord": {
+        "oid": "0.9.2342.19200300.100.1.28",
+        "display_name": "mXRecord",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "nSRecord": {
+        "oid": "0.9.2342.19200300.100.1.29",
+        "display_name": "nSRecord",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "sOARecord": {
+        "oid": "0.9.2342.19200300.100.1.30",
+        "display_name": "sOARecord",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "cNAMERecord": {
+        "oid": "0.9.2342.19200300.100.1.31",
+        "display_name": "cNAMERecord",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "associatedName": {
+        "oid": "0.9.2342.19200300.100.1.38",
+        "display_name": "associatedName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "homePostalAddress": {
+        "oid": "0.9.2342.19200300.100.1.39",
+        "display_name": "homePostalAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.41",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "personalTitle": {
+        "oid": "0.9.2342.19200300.100.1.40",
+        "display_name": "personalTitle",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "mobile": {
+        "oid": "0.9.2342.19200300.100.1.41",
+        "display_name": "mobile mobileTelephoneNumber",
+        "alias": ['mobileTelephoneNumber'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
                 ],
-            "friendly_names":
-                [
-            "Mobile Telephone Number",
+                "friendly_names": [
+                    "Mobile Telephone Number",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"pager": {
-    "oid": "0.9.2342.19200300.100.1.42",
-    "display_name": "pager pagerTelephoneNumber",
-    "alias": ['pagerTelephoneNumber'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"co": {
-    "oid": "0.9.2342.19200300.100.1.43",
-    "display_name": "co friendlyCountryName",
-    "alias": ['friendlyCountryName'],
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "namespaces": {
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
-            "identifiers":
-                [
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "pager": {
+        "oid": "0.9.2342.19200300.100.1.42",
+        "display_name": "pager pagerTelephoneNumber",
+        "alias": ['pagerTelephoneNumber'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "co": {
+        "oid": "0.9.2342.19200300.100.1.43",
+        "display_name": "co friendlyCountryName",
+        "alias": ['friendlyCountryName'],
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "namespaces": {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
+                "identifiers": [
+                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
                 ],
-            "friendly_names":
-                [
-            "Country",
+                "friendly_names": [
+                    "Country",
                 ],
-        }
-    }
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"uniqueIdentifier": {
-    "oid": "0.9.2342.19200300.100.1.44",
-    "display_name": "uniqueIdentifier",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"organizationalStatus": {
-    "oid": "0.9.2342.19200300.100.1.45",
-    "display_name": "organizationalStatus",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"janetMailbox": {
-    "oid": "0.9.2342.19200300.100.1.46",
-    "display_name": "janetMailbox",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"mailPreferenceOption": {
-    "oid": "0.9.2342.19200300.100.1.47",
-    "display_name": "mailPreferenceOption",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"buildingName": {
-    "oid": "0.9.2342.19200300.100.1.48",
-    "display_name": "buildingName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"dSAQuality": {
-    "oid": "0.9.2342.19200300.100.1.49",
-    "display_name": "dSAQuality",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.19",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"singleLevelQuality": {
-    "oid": "0.9.2342.19200300.100.1.50",
-    "display_name": "singleLevelQuality",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.13",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"subtreeMinimumQuality": {
-    "oid": "0.9.2342.19200300.100.1.51",
-    "display_name": "subtreeMinimumQuality",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.13",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"subtreeMaximumQuality": {
-    "oid": "0.9.2342.19200300.100.1.52",
-    "display_name": "subtreeMaximumQuality",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.13",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"personalSignature": {
-    "oid": "0.9.2342.19200300.100.1.53",
-    "display_name": "personalSignature",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"dITRedirect": {
-    "oid": "0.9.2342.19200300.100.1.54",
-    "display_name": "dITRedirect",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"audio": {
-    "oid": "0.9.2342.19200300.100.1.55",
-    "display_name": "audio",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.4{25000}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/cosine.ldif
-"documentPublisher": {
-    "oid": "0.9.2342.19200300.100.1.56",
-    "display_name": "documentPublisher",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-
-#Extracted from openldap schema /etc/ldap/schema/misc.ldif
-"mailLocalAddress": {
-    "oid": "2.16.840.1.113730.3.1.13",
-    "display_name": "mailLocalAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/misc.ldif
-"mailHost": {
-    "oid": "2.16.840.1.113730.3.1.18",
-    "display_name": "mailHost",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/misc.ldif
-"mailRoutingAddress": {
-    "oid": "2.16.840.1.113730.3.1.47",
-    "display_name": "mailRoutingAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
-},
-
-#Extracted from openldap schema /etc/ldap/schema/misc.ldif
-"rfc822MailMember": {
-    "oid": "1.3.6.1.4.1.42.2.27.2.1.15",
-    "display_name": "rfc822MailMember",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonAffiliation": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.1",
-    "display_name": "eduPersonAffiliation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonNickname": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.2",
-    "display_name": "eduPersonNickname",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonOrgDN": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.3",
-    "display_name": "eduPersonOrgDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonOrgUnitDN": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.4",
-    "display_name": "eduPersonOrgUnitDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonPrimaryAffiliation": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.5",
-    "display_name": "eduPersonPrimaryAffiliation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonPrincipalName": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.6",
-    "display_name": "eduPersonPrincipalName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonEntitlement": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.7",
-    "display_name": "eduPersonEntitlement",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonPrimaryOrgUnitDN": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.8",
-    "display_name": "eduPersonPrimaryOrgUnitDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonScopedAffiliation": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.9",
-    "display_name": "eduPersonScopedAffiliation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonTargetedID": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.10",
-    "display_name": "eduPersonTargetedID",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduPerson schema in ldif format for OpenLDAP
-#last edited by Etan E. Weintraub on May 27, 2009
-"eduPersonAssurance": {
-    "oid": "1.3.6.1.4.1.5923.1.1.1.11",
-    "display_name": "eduPersonAssurance",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduOrg schema in ldif format
-#eduOrg Objectclass version 1.1 (2002-10-23)
-"eduOrgHomePageURI": {
-    "oid": ":1.3.6.1.4.1.5923.1.2.1.2",
-    "display_name": "eduOrgHomePageURI",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduOrg schema in ldif format
-#eduOrg Objectclass version 1.1 (2002-10-23)
-"eduOrgIdentityAuthNPolicyURI": {
-    "oid": ":1.3.6.1.4.1.5923.1.2.1.3",
-    "display_name": "eduOrgIdentityAuthNPolicyURI",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduOrg schema in ldif format
-#eduOrg Objectclass version 1.1 (2002-10-23)
-"eduOrgLegalName": {
-    "oid": ":1.3.6.1.4.1.5923.1.2.1.4",
-    "display_name": "eduOrgLegalName",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduOrg schema in ldif format
-#eduOrg Objectclass version 1.1 (2002-10-23)
-"eduOrgSuperiorURI": {
-    "oid": ":1.3.6.1.4.1.5923.1.2.1.5",
-    "display_name": "eduOrgSuperiorURI",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from eduOrg schema in ldif format
-#eduOrg Objectclass version 1.1 (2002-10-23)
-"eduOrgWhitePagesURI": {
-    "oid": ":1.3.6.1.4.1.5923.1.2.1.6",
-    "display_name": "eduOrgWhitePagesURI",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannListeRouge": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.1",
-    "display_name": "supannListeRouge",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.7",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannActivite": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.2",
-    "display_name": "supannActivite",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannOrganisme": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.3",
-    "display_name": "supannOrganisme",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannCivilite": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.4",
-    "display_name": "supannCivilite",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.44{32}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannAffectation": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.5",
-    "display_name": "supannAffectation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannCodeEntite": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.6",
-    "display_name": "supannCodeEntite",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannCodeEntiteParent": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.7",
-    "display_name": "supannCodeEntiteParent",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEntiteAffectation": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.8",
-    "display_name": "supannEntiteAffectation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannCodeINE": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.9",
-    "display_name": "supannCodeINE",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.44{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuId": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.10",
-    "display_name": "supannEtuId",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEmpId": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.11",
-    "display_name": "supannEmpId",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannAutreTelephone": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.12",
-    "display_name": "supannAutreTelephone",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.50",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEntiteAffectationPrincipale": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.13",
-    "display_name": "supannEntiteAffectationPrincipale",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtablissement": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.14",
-    "display_name": "supannEtablissement",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannMailPerso": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.15",
-    "display_name": "supannMailPerso",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannTypeEntite": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.16",
-    "display_name": "supannTypeEntite",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannParrainDN": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.17",
-    "display_name": "supannParrainDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannGroupeDateFin": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.18",
-    "display_name": "supannGroupeDateFin",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannGroupeAdminDN": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.19",
-    "display_name": "supannGroupeAdminDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannAliasLogin": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.20",
-    "display_name": "supannAliasLogin",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannRole": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.21",
-    "display_name": "supannRole",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannGroupeLecteurDN": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.22",
-    "display_name": "supannGroupeLecteurDN",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannRoleGenerique": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.23",
-    "display_name": "supannRoleGenerique",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannRoleEntite": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.24",
-    "display_name": "supannRoleEntite",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{512}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuAnneeInscription": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.25",
-    "display_name": "supannEtuAnneeInscription",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.36{4}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuCursusAnnee": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.26",
-    "display_name": "supannEtuCursusAnnee",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuDiplome": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.27",
-    "display_name": "supannEtuDiplome",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuElementPedagogique": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.28",
-    "display_name": "supannEtuElementPedagogique",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuEtape": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.29",
-    "display_name": "supannEtuEtape",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuInscription": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.30",
-    "display_name": "supannEtuInscription",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{4096}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuRegimeInscription": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.31",
-    "display_name": "supannEtuRegimeInscription",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuSecteurDisciplinaire": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.32",
-    "display_name": "supannEtuSecteurDisciplinaire",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEtuTypeDiplome": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.33",
-    "display_name": "supannEtuTypeDiplome",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannAutreMail": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.34",
-    "display_name": "supannAutreMail",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannEmpCorps": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.35",
-    "display_name": "supannEmpCorps",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannTypeEntiteAffectation": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.36",
-    "display_name": "supannTypeEntiteAffectation",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#Extracted from version 389 Directory Server du schema
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"supannRefId": {
-    "oid": "1.3.6.1.4.1.7135.1.2.1.37",
-    "display_name": "supannRefId",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-#SupAnn version 2009.6
-#http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
-"mailForwardingAddress": {
-    "oid": "2.16.840.1.113730.3.1.17",
-    "display_name": "mailForwardingAddress",
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
-# macedir.org for eduGain
-"schacHomeOrganization": {
+            }
+        },
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "uniqueIdentifier": {
+        "oid": "0.9.2342.19200300.100.1.44",
+        "display_name": "uniqueIdentifier",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "organizationalStatus": {
+        "oid": "0.9.2342.19200300.100.1.45",
+        "display_name": "organizationalStatus",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "janetMailbox": {
+        "oid": "0.9.2342.19200300.100.1.46",
+        "display_name": "janetMailbox",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "mailPreferenceOption": {
+        "oid": "0.9.2342.19200300.100.1.47",
+        "display_name": "mailPreferenceOption",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.27",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "buildingName": {
+        "oid": "0.9.2342.19200300.100.1.48",
+        "display_name": "buildingName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "dSAQuality": {
+        "oid": "0.9.2342.19200300.100.1.49",
+        "display_name": "dSAQuality",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.19",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "singleLevelQuality": {
+        "oid": "0.9.2342.19200300.100.1.50",
+        "display_name": "singleLevelQuality",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.13",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "subtreeMinimumQuality": {
+        "oid": "0.9.2342.19200300.100.1.51",
+        "display_name": "subtreeMinimumQuality",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.13",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "subtreeMaximumQuality": {
+        "oid": "0.9.2342.19200300.100.1.52",
+        "display_name": "subtreeMaximumQuality",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.13",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "personalSignature": {
+        "oid": "0.9.2342.19200300.100.1.53",
+        "display_name": "personalSignature",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "dITRedirect": {
+        "oid": "0.9.2342.19200300.100.1.54",
+        "display_name": "dITRedirect",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "audio": {
+        "oid": "0.9.2342.19200300.100.1.55",
+        "display_name": "audio",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.4{25000}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/cosine.ldif
+    "documentPublisher": {
+        "oid": "0.9.2342.19200300.100.1.56",
+        "display_name": "documentPublisher",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/misc.ldif
+    "mailLocalAddress": {
+        "oid": "2.16.840.1.113730.3.1.13",
+        "display_name": "mailLocalAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/misc.ldif
+    "mailHost": {
+        "oid": "2.16.840.1.113730.3.1.18",
+        "display_name": "mailHost",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/misc.ldif
+    "mailRoutingAddress": {
+        "oid": "2.16.840.1.113730.3.1.47",
+        "display_name": "mailRoutingAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
+    },
+    # Extracted from openldap schema /etc/ldap/schema/misc.ldif
+    "rfc822MailMember": {
+        "oid": "1.3.6.1.4.1.42.2.27.2.1.15",
+        "display_name": "rfc822MailMember",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonAffiliation": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.1",
+        "display_name": "eduPersonAffiliation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonNickname": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.2",
+        "display_name": "eduPersonNickname",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonOrgDN": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.3",
+        "display_name": "eduPersonOrgDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonOrgUnitDN": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.4",
+        "display_name": "eduPersonOrgUnitDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonPrimaryAffiliation": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.5",
+        "display_name": "eduPersonPrimaryAffiliation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonPrincipalName": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.6",
+        "display_name": "eduPersonPrincipalName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonEntitlement": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.7",
+        "display_name": "eduPersonEntitlement",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonPrimaryOrgUnitDN": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.8",
+        "display_name": "eduPersonPrimaryOrgUnitDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonScopedAffiliation": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.9",
+        "display_name": "eduPersonScopedAffiliation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonTargetedID": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.10",
+        "display_name": "eduPersonTargetedID",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduPerson schema in ldif format for OpenLDAP
+    # last edited by Etan E. Weintraub on May 27, 2009
+    "eduPersonAssurance": {
+        "oid": "1.3.6.1.4.1.5923.1.1.1.11",
+        "display_name": "eduPersonAssurance",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduOrg schema in ldif format
+    # eduOrg Objectclass version 1.1 (2002-10-23)
+    "eduOrgHomePageURI": {
+        "oid": ":1.3.6.1.4.1.5923.1.2.1.2",
+        "display_name": "eduOrgHomePageURI",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduOrg schema in ldif format
+    # eduOrg Objectclass version 1.1 (2002-10-23)
+    "eduOrgIdentityAuthNPolicyURI": {
+        "oid": ":1.3.6.1.4.1.5923.1.2.1.3",
+        "display_name": "eduOrgIdentityAuthNPolicyURI",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduOrg schema in ldif format
+    # eduOrg Objectclass version 1.1 (2002-10-23)
+    "eduOrgLegalName": {
+        "oid": ":1.3.6.1.4.1.5923.1.2.1.4",
+        "display_name": "eduOrgLegalName",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduOrg schema in ldif format
+    # eduOrg Objectclass version 1.1 (2002-10-23)
+    "eduOrgSuperiorURI": {
+        "oid": ":1.3.6.1.4.1.5923.1.2.1.5",
+        "display_name": "eduOrgSuperiorURI",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from eduOrg schema in ldif format
+    # eduOrg Objectclass version 1.1 (2002-10-23)
+    "eduOrgWhitePagesURI": {
+        "oid": ":1.3.6.1.4.1.5923.1.2.1.6",
+        "display_name": "eduOrgWhitePagesURI",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannListeRouge": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.1",
+        "display_name": "supannListeRouge",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.7",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannActivite": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.2",
+        "display_name": "supannActivite",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannOrganisme": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.3",
+        "display_name": "supannOrganisme",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannCivilite": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.4",
+        "display_name": "supannCivilite",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.44{32}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannAffectation": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.5",
+        "display_name": "supannAffectation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannCodeEntite": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.6",
+        "display_name": "supannCodeEntite",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannCodeEntiteParent": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.7",
+        "display_name": "supannCodeEntiteParent",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEntiteAffectation": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.8",
+        "display_name": "supannEntiteAffectation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannCodeINE": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.9",
+        "display_name": "supannCodeINE",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.44{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuId": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.10",
+        "display_name": "supannEtuId",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEmpId": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.11",
+        "display_name": "supannEmpId",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannAutreTelephone": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.12",
+        "display_name": "supannAutreTelephone",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.50",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEntiteAffectationPrincipale": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.13",
+        "display_name": "supannEntiteAffectationPrincipale",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtablissement": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.14",
+        "display_name": "supannEtablissement",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannMailPerso": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.15",
+        "display_name": "supannMailPerso",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannTypeEntite": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.16",
+        "display_name": "supannTypeEntite",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannParrainDN": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.17",
+        "display_name": "supannParrainDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannGroupeDateFin": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.18",
+        "display_name": "supannGroupeDateFin",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.24",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannGroupeAdminDN": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.19",
+        "display_name": "supannGroupeAdminDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannAliasLogin": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.20",
+        "display_name": "supannAliasLogin",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannRole": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.21",
+        "display_name": "supannRole",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannGroupeLecteurDN": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.22",
+        "display_name": "supannGroupeLecteurDN",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.12",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannRoleGenerique": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.23",
+        "display_name": "supannRoleGenerique",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{256}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannRoleEntite": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.24",
+        "display_name": "supannRoleEntite",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{512}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuAnneeInscription": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.25",
+        "display_name": "supannEtuAnneeInscription",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.36{4}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuCursusAnnee": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.26",
+        "display_name": "supannEtuCursusAnnee",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuDiplome": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.27",
+        "display_name": "supannEtuDiplome",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuElementPedagogique": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.28",
+        "display_name": "supannEtuElementPedagogique",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuEtape": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.29",
+        "display_name": "supannEtuEtape",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuInscription": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.30",
+        "display_name": "supannEtuInscription",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{4096}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuRegimeInscription": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.31",
+        "display_name": "supannEtuRegimeInscription",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuSecteurDisciplinaire": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.32",
+        "display_name": "supannEtuSecteurDisciplinaire",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEtuTypeDiplome": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.33",
+        "display_name": "supannEtuTypeDiplome",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannAutreMail": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.34",
+        "display_name": "supannAutreMail",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.26{256}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannEmpCorps": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.35",
+        "display_name": "supannEmpCorps",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannTypeEntiteAffectation": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.36",
+        "display_name": "supannTypeEntiteAffectation",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # Extracted from version 389 Directory Server du schema
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "supannRefId": {
+        "oid": "1.3.6.1.4.1.7135.1.2.1.37",
+        "display_name": "supannRefId",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # SupAnn version 2009.6
+    # http://www.cru.fr/_media/documentation/supann/supann_2009.schema.txt
+    "mailForwardingAddress": {
+        "oid": "2.16.840.1.113730.3.1.17",
+        "display_name": "mailForwardingAddress",
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
+    # macedir.org for eduGain
+    "schacHomeOrganization": {
         "oid": "1.3.6.1.4.1.25178.1.2.9",
         "display_name": "The persons home organization using the domain of the organization",
         "type": "http://www.w3.org/2001/XMLSchema#string",
         "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-# macedir .org or eduGain
-"schacHomeOrganizationType": {
+    },
+    # macedir .org or eduGain
+    "schacHomeOrganizationType": {
         "oid": "1.3.6.1.4.1.25178.1.2.10",
         "display_name": "Identifies the type of organisation specified in the person's schacHomeOrganization attribute.",
         "type": "http://www.w3.org/2001/XMLSchema#string",
         "syntax": "1.3.6.1.4.1.1466.115.121.1.15",
-},
-
-"role": {
-    "oid": "1.3.6.1.4.1.36560.42.1",
-    "display_name": "Role",
-    "profile_field_name": 'groups',
-    "type": "http://www.w3.org/2001/XMLSchema#string",
-    "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
-},
-
+    },
+    "role": {
+        "oid": "1.3.6.1.4.1.36560.42.1",
+        "display_name": "Role",
+        "profile_field_name": 'groups',
+        "type": "http://www.w3.org/2001/XMLSchema#string",
+        "syntax": "1.3.6.1.4.1.1466.115.121.1.15{128}",
+    },
 }
diff --git a/src/authentic2/saml/management/commands/sync-metadata.py b/src/authentic2/saml/management/commands/sync-metadata.py
index 7cdb70c4..e70569e2 100644
--- a/src/authentic2/saml/management/commands/sync-metadata.py
+++ b/src/authentic2/saml/management/commands/sync-metadata.py
@@ -31,11 +31,15 @@ from django.contrib.contenttypes.models import ContentType
 
 from authentic2.compat_lasso import lasso
 from authentic2.saml.shibboleth.afp_parser import parse_attribute_filters_file
-from authentic2.saml.models import (LibertyProvider, SAMLAttribute, LibertyServiceProvider,
-                                    SPOptionsIdPPolicy)
+from authentic2.saml.models import LibertyProvider, SAMLAttribute, LibertyServiceProvider, SPOptionsIdPPolicy
 
-from .mapping import (get_def_name_from_oid, get_definition_from_oid, get_full_definition,
-                      get_definition_from_alias, get_def_name_from_alias)
+from .mapping import (
+    get_def_name_from_oid,
+    get_definition_from_oid,
+    get_full_definition,
+    get_definition_from_alias,
+    get_def_name_from_alias,
+)
 
 SAML2_METADATA_UI_HREF = 'urn:oasis:names:tc:SAML:metadata:ui'
 
@@ -47,6 +51,7 @@ def md_element_name(tag_name):
 def mdui_element_name(tag_name):
     return '{%s}%s' % (SAML2_METADATA_UI_HREF, tag_name)
 
+
 ENTITY_DESCRIPTOR_TN = md_element_name('EntityDescriptor')
 ENTITIES_DESCRIPTOR_TN = md_element_name('EntitiesDescriptor')
 IDP_SSO_DESCRIPTOR_TN = md_element_name('IDPSSODescriptor')
@@ -124,8 +129,10 @@ def load_acs(tree, provider, pks, verbosity):
                 continue
             def_name, defn = resolve_urn_oid(oid)
             if def_name is None:
-                warnings.warn('attribute %s/%s unsupported on service provider %s' % (
-                    oid, name_format, provider.entity_id))
+                warnings.warn(
+                    'attribute %s/%s unsupported on service provider %s'
+                    % (oid, name_format, provider.entity_id)
+                )
                 continue
             content_type = ContentType.objects.get_for_model(LibertyProvider)
             object_id = provider.pk
@@ -142,13 +149,12 @@ def load_acs(tree, provider, pks, verbosity):
             }
 
             try:
-                attribute, created = SAMLAttribute.objects.get_or_create(
-                    defaults=defaults, **kwargs)
+                attribute, created = SAMLAttribute.objects.get_or_create(defaults=defaults, **kwargs)
                 if created and verbosity > 1:
-                    print(_('Created new attribute %(name)s for %(provider)s') % {
-                        'name': oid,
-                        'provider': provider
-                    })
+                    print(
+                        _('Created new attribute %(name)s for %(provider)s')
+                        % {'name': oid, 'provider': provider}
+                    )
                 pks.append(attribute.pk)
             except SAMLAttribute.MultipleObjectsReturned:
                 pks.extend(SAMLAttribute.objects.filter(**kwargs).values_list('pk', flat=True))
@@ -190,15 +196,14 @@ def load_one_entity(tree, options, sp_policy=None, afp=None):
             slug = '%s-%d' % (baseslug, n)
         # get or create the provider
         provider, created = LibertyProvider.objects.get_or_create(
-            entity_id=entity_id, protocol_conformance=3,
-            defaults={'name': name[:128], 'slug': slug})
+            entity_id=entity_id, protocol_conformance=3, defaults={'name': name[:128], 'slug': slug}
+        )
         if verbosity > 1:
             if created:
                 what = 'Creating'
             else:
                 what = 'Updating'
-            print('%(what)s %(name)s, %(id)s' % {
-                'what': what, 'name': name.encode('utf8'), 'id': entity_id})
+            print('%(what)s %(name)s, %(id)s' % {'what': what, 'name': name.encode('utf8'), 'id': entity_id})
         provider.name = name[:128]
         provider.metadata = etree.tostring(tree, encoding='utf-8').decode('utf-8').strip()
         provider.protocol_conformance = 3
@@ -207,7 +212,8 @@ def load_one_entity(tree, options, sp_policy=None, afp=None):
         options['count'] = options.get('count', 0) + 1
         if sp:
             service_provider, created = LibertyServiceProvider.objects.get_or_create(
-                liberty_provider=provider, defaults={'enabled': not options['create-disabled']})
+                liberty_provider=provider, defaults={'enabled': not options['create-disabled']}
+            )
             if sp_policy:
                 service_provider.sp_options_policy = sp_policy
             service_provider.save()
@@ -219,34 +225,34 @@ def load_one_entity(tree, options, sp_policy=None, afp=None):
                     kwargs, defaults = build_saml_attribute_kwargs(provider, name)
                     if not kwargs:
                         if verbosity > 1:
-                            print(_('Unable to find an LDAP definition for attribute %(name)s on %(provider)s') % {
-                                'name': name,
-                                'provider': provider
-                            }, file=sys.stderr)
+                            print(
+                                _('Unable to find an LDAP definition for attribute %(name)s on %(provider)s')
+                                % {'name': name, 'provider': provider},
+                                file=sys.stderr,
+                            )
                         continue
                     # create object with default attribute mapping to the same name
                     # as the attribute if no SAMLAttribute model already exists,
                     # otherwise do nothing
                     try:
-                        attribute, created = SAMLAttribute.objects.get_or_create(
-                            defaults=defaults, **kwargs)
+                        attribute, created = SAMLAttribute.objects.get_or_create(defaults=defaults, **kwargs)
                         if created and verbosity > 1:
-                            print(_('Created new attribute %(name)s for %(provider)s') % {
-                                'name': name,
-                                'provider': provider
-                            })
+                            print(
+                                _('Created new attribute %(name)s for %(provider)s')
+                                % {'name': name, 'provider': provider}
+                            )
                         pks.append(attribute.pk)
                     except SAMLAttribute.MultipleObjectsReturned:
-                        pks.extend(SAMLAttribute.objects.filter(
-                            **kwargs).values_list('pk', flat=True))
+                        pks.extend(SAMLAttribute.objects.filter(**kwargs).values_list('pk', flat=True))
                 if options.get('reset-attributes'):
                     # remove attributes not matching the filters
                     SAMLAttribute.objects.for_generic_object(provider).exclude(pk__in=pks).delete()
 
 
 class Command(BaseCommand):
-    '''Load SAMLv2 metadata file into the LibertyProvider, LibertyServiceProvider
-    and LibertyIdentityProvider files'''
+    """Load SAMLv2 metadata file into the LibertyProvider, LibertyServiceProvider
+    and LibertyIdentityProvider files"""
+
     can_import_django_settings = True
     output_transaction = True
     requires_system_checks = True
@@ -255,42 +261,52 @@ class Command(BaseCommand):
 
     def add_arguments(self, parser):
         parser.add_argument('metadata_file_path')
+        parser.add_argument('--idp', action='store_true', dest='idp', default=False, help='Do nothing')
+        parser.add_argument('--sp', action='store_true', dest='sp', default=False, help='Do nothing')
         parser.add_argument(
-            '--idp', action='store_true', dest='idp', default=False, help='Do nothing')
-        parser.add_argument(
-            '--sp', action='store_true', dest='sp', default=False, help='Do nothing')
-        parser.add_argument(
-            '--sp-policy', dest='sp_policy', default=None,
-            help='SAML2 service provider options policy'
+            '--sp-policy', dest='sp_policy', default=None, help='SAML2 service provider options policy'
         )
         parser.add_argument(
-            '--delete', action='store_true', dest='delete', default=False,
-            help='Delete all providers defined in the metadata file (kind of uninstall)'
+            '--delete',
+            action='store_true',
+            dest='delete',
+            default=False,
+            help='Delete all providers defined in the metadata file (kind of uninstall)',
         )
         parser.add_argument(
-            '--ignore-errors', action='store_true', dest='ignore-errors', default=False,
-            help='If loading of one EntityDescriptor fails, continue loading'
+            '--ignore-errors',
+            action='store_true',
+            dest='ignore-errors',
+            default=False,
+            help='If loading of one EntityDescriptor fails, continue loading',
         )
         parser.add_argument(
-            '--source', dest='source', default=None,
+            '--source',
+            dest='source',
+            default=None,
             help='Tag the loaded providers with the given source string, '
-                 'existing providers with the same tag will be removed if they do not exist '
-                 'anymore in the metadata file.'
+            'existing providers with the same tag will be removed if they do not exist '
+            'anymore in the metadata file.',
         )
         parser.add_argument(
-            '--reset-attributes', action='store_true', default=False,
+            '--reset-attributes',
+            action='store_true',
+            default=False,
             help='When loading shibboleth attribute filter policies, start by '
-                 'removing all existing SAML attributes for each provider'
+            'removing all existing SAML attributes for each provider',
         )
         parser.add_argument(
-            '--dont-load-attribute-consuming-service', dest='load_attribute_consuming_service',
-            default=True, action='store_false',
+            '--dont-load-attribute-consuming-service',
+            dest='load_attribute_consuming_service',
+            default=True,
+            action='store_false',
             help='Prevent loading of the attribute policy from '
-                 'AttributeConsumingService nodes in the metadata file.'
+            'AttributeConsumingService nodes in the metadata file.',
         )
         parser.add_argument(
             '--shibboleth-attribute-filter-policy',
-            dest='attribute-filter-policy', default=None,
+            dest='attribute-filter-policy',
+            default=None,
             help='''Path to a file containing an Attribute Filter Policy for the
 Shibboleth IdP, that will be used to configure SAML attributes for
 each provider. The following schema is supported:
@@ -305,11 +321,14 @@ each provider. The following schema is supported:
     </AttributeFilterPolicy>
 
 Any other kind of attribute filter policy is unsupported.
-'''
+''',
         )
         parser.add_argument(
-            '--create-disabled', dest='create-disabled', action='store_true', default=False,
-            help='When creating a new provider, make it disabled by default.'
+            '--create-disabled',
+            dest='create-disabled',
+            action='store_true',
+            default=False,
+            help='When creating a new provider, make it disabled by default.',
         )
 
     @atomic
@@ -340,23 +359,26 @@ Any other kind of attribute filter policy is unsupported.
             if 'attribute-filter-policy' in options and options['attribute-filter-policy']:
                 path = options['attribute-filter-policy']
                 if not os.path.isfile(path):
-                    raise CommandError(
-                        'No attribute filter policy file %s' % path)
-                afp = parse_attribute_filters_file(
-                    options['attribute-filter-policy'])
+                    raise CommandError('No attribute filter policy file %s' % path)
+                afp = parse_attribute_filters_file(options['attribute-filter-policy'])
             sp_policy = None
             if 'sp_policy' in options and options['sp_policy']:
                 sp_policy_name = options['sp_policy']
                 try:
                     sp_policy = SPOptionsIdPPolicy.objects.get(name=sp_policy_name)
                     if verbosity > 1:
-                        print('Service providers are set with the following SAML2 \
-                            options policy: %s' % sp_policy)
+                        print(
+                            'Service providers are set with the following SAML2 \
+                            options policy: %s'
+                            % sp_policy
+                        )
                 except SPOptionsIdPPolicy.DoesNoextExist:
                     if verbosity > 0:
-                        print(_('SAML2 service provider options '
-                              'policy with name %s not found') % sp_policy_name,
-                              file=sys.stderr)
+                        print(
+                            _('SAML2 service provider options ' 'policy with name %s not found')
+                            % sp_policy_name,
+                            file=sys.stderr,
+                        )
                         raise CommandError()
             else:
                 if verbosity > 1:
@@ -368,17 +390,16 @@ Any other kind of attribute filter policy is unsupported.
                 entity_descriptors = doc.getroot().findall(ENTITY_DESCRIPTOR_TN)
             for entity_descriptor in entity_descriptors:
                 try:
-                    load_one_entity(
-                        entity_descriptor, options,
-                        sp_policy=sp_policy,
-                        afp=afp)
+                    load_one_entity(entity_descriptor, options, sp_policy=sp_policy, afp=afp)
                     loaded.append(entity_descriptor.get(ENTITY_ID))
                 except Exception:
                     if not options['ignore-errors']:
                         raise
                     if verbosity > 0:
-                        print(_('Failed to load entity descriptor for %s') % entity_descriptor.get(ENTITY_ID),
-                              file=sys.stderr)
+                        print(
+                            _('Failed to load entity descriptor for %s') % entity_descriptor.get(ENTITY_ID),
+                            file=sys.stderr,
+                        )
                     raise CommandError()
             if options['source']:
                 if options['delete']:
diff --git a/src/authentic2/saml/managers.py b/src/authentic2/saml/managers.py
index 45bf7063..7eb687b8 100644
--- a/src/authentic2/saml/managers.py
+++ b/src/authentic2/saml/managers.py
@@ -43,6 +43,7 @@ class SessionLinkedQuerySet(QuerySet):
             if not store.exists(key):
                 o.delete()
 
+
 SessionLinkedManager = models.Manager.from_queryset(SessionLinkedQuerySet)
 
 
@@ -73,8 +74,8 @@ class LibertyArtifactManager(models.Manager):
 
 class LibertyProviderQueryset(GetBySlugQuerySet):
     def by_artifact(self, artifact):
-        '''Find a provider whose SHA-1 hash of its entityID is the 5-th to the
-           25-th byte of the given artifact'''
+        """Find a provider whose SHA-1 hash of its entityID is the 5-th to the
+        25-th byte of the given artifact"""
         try:
             artifact = base64.b64decode(artifact)
         except (TypeError, ValueError):
@@ -95,6 +96,7 @@ class LibertyProviderQueryset(GetBySlugQuerySet):
     def without_federation(self, user):
         return self.exclude(identity_provider__libertyfederation__user=user)
 
+
 LibertyProviderManager = models.Manager.from_queryset(LibertyProviderQueryset)
 
 
@@ -106,15 +108,18 @@ class LibertySessionQuerySet(SessionLinkedQuerySet):
             'name_id_qualifier',
             'name_id_format',
             'name_id_content',
-            'name_id_sp_name_qualifier')
+            'name_id_sp_name_qualifier',
+        )
         return lasso_helper.build_session_dump(sessions)
 
+
 LibertySessionManager = models.Manager.from_queryset(LibertySessionQuerySet)
 
 
 class GetByLibertyProviderManager(models.Manager):
     def get_by_natural_key(self, slug):
         from .models import LibertyProvider
+
         try:
             return self.get(liberty_provider__slug=slug)
         except self.model.DoesNotExist:
@@ -128,6 +133,7 @@ class GetByLibertyProviderManager(models.Manager):
 class SAMLAttributeManager(GenericManager):
     def get_by_natural_key(self, ct_nk, provider_nk, name_format, name, friendly_name, attribute_name):
         from .models import SAMLAttribute
+
         try:
             ct = ContentType.objects.get_by_natural_key(*ct_nk)
         except ContentType.DoesNotExist:
@@ -137,6 +143,11 @@ class SAMLAttributeManager(GenericManager):
             provider = provider_class.objects.get_by_natural_key(*provider_nk)
         except provider_class.DoesNotExist:
             raise SAMLAttribute.DoesNotExist
-        return self.get(content_type=ct, object_id=provider.pk,
-                name_format=name_format, name=name,
-                friendly_name=friendly_name, attribute_name=attribute_name)
+        return self.get(
+            content_type=ct,
+            object_id=provider.pk,
+            name_format=name_format,
+            name=name,
+            friendly_name=friendly_name,
+            attribute_name=attribute_name,
+        )
diff --git a/src/authentic2/saml/migrations/0001_initial.py b/src/authentic2/saml/migrations/0001_initial.py
index 6760b392..fafa87bd 100644
--- a/src/authentic2/saml/migrations/0001_initial.py
+++ b/src/authentic2/saml/migrations/0001_initial.py
@@ -19,7 +19,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AuthorizationAttributeMap',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=40)),
             ],
             options={
@@ -31,7 +34,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AuthorizationAttributeMapping',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('source_attribute_name', models.CharField(max_length=40, blank=True)),
                 ('attribute_value_format', models.CharField(max_length=40, blank=True)),
                 ('attribute_name', models.CharField(max_length=40)),
@@ -47,11 +53,30 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='AuthorizationSPPolicy',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=80, verbose_name='name')),
                 ('enabled', models.BooleanField(default=False, verbose_name='Enabled')),
-                ('default_denial_message', models.CharField(default='You are not authorized to access the service.', max_length=80, verbose_name='Default message to display to the user when access is denied')),
-                ('attribute_map', models.ForeignKey(related_name='authorization_attributes', blank=True, to='saml.AuthorizationAttributeMap', null=True, on_delete=models.CASCADE)),
+                (
+                    'default_denial_message',
+                    models.CharField(
+                        default='You are not authorized to access the service.',
+                        max_length=80,
+                        verbose_name='Default message to display to the user when access is denied',
+                    ),
+                ),
+                (
+                    'attribute_map',
+                    models.ForeignKey(
+                        related_name='authorization_attributes',
+                        blank=True,
+                        to='saml.AuthorizationAttributeMap',
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'authorization identity providers policy',
@@ -62,29 +87,163 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='IdPOptionsSPPolicy',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=200, verbose_name='name')),
                 ('enabled', models.BooleanField(default=False, verbose_name='Enabled')),
-                ('no_nameid_policy', models.BooleanField(default=False, verbose_name='Do not send a nameId Policy')),
-                ('requested_name_id_format', models.CharField(default='none', max_length=200, verbose_name='Requested NameID format', choices=[('username', 'Username (use with Google Apps)'), ('none', 'None'), ('persistent', 'Persistent'), ('transient', 'Transient'), ('edupersontargetedid', 'Use eduPersonTargetedID attribute'), ('email', 'Email')])),
-                ('transient_is_persistent', models.BooleanField(default=False, verbose_name='This IdP sends a transient NameID but you want a persistent behaviour for your SP')),
-                ('persistent_identifier_attribute', models.CharField(max_length=200, null=True, verbose_name='Persistent identifier attribute', blank=True)),
-                ('allow_create', models.BooleanField(default=False, verbose_name='Allow IdP to create an identity')),
-                ('enable_binding_for_sso_response', models.BooleanField(default=False, verbose_name='Binding for Authnresponse             (taken from metadata by the IdP if not enabled)')),
-                ('binding_for_sso_response', models.CharField(default='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', max_length=200, verbose_name='Binding for the SSO responses', choices=[('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', 'Artifact binding'), ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'POST binding')])),
-                ('enable_http_method_for_slo_request', models.BooleanField(default=False, verbose_name='HTTP method for single logout request             (taken from metadata if not enabled)')),
-                ('http_method_for_slo_request', models.IntegerField(default=4, max_length=200, verbose_name='HTTP binding for the SLO requests', choices=[(4, 'Redirect binding'), (5, 'SOAP binding')])),
-                ('enable_http_method_for_defederation_request', models.BooleanField(default=False, verbose_name='HTTP method for federation termination request             (taken from metadata if not enabled)')),
-                ('http_method_for_defederation_request', models.IntegerField(default=5, max_length=200, verbose_name='HTTP method for the defederation requests', choices=[(4, 'Redirect binding'), (5, 'SOAP binding')])),
-                ('force_user_consent', models.BooleanField(default=False, verbose_name='Require the user consent be given at account linking')),
-                ('want_force_authn_request', models.BooleanField(default=False, verbose_name='Force authentication')),
-                ('want_is_passive_authn_request', models.BooleanField(default=False, verbose_name='Passive authentication')),
-                ('want_authn_request_signed', models.BooleanField(default=False, verbose_name='Want AuthnRequest signed')),
-                ('handle_persistent', models.CharField(default='AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH', max_length=200, verbose_name='Behavior with persistent NameID', choices=[('AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH', 'Account linking by authentication'), ('AUTHSAML2_UNAUTH_PERSISTENT_CREATE_USER_PSEUDONYMOUS', 'Create new account')])),
-                ('handle_transient', models.CharField(default='', max_length=200, verbose_name='Behavior with transient NameID', choices=[('AUTHSAML2_UNAUTH_TRANSIENT_ASK_AUTH', 'Ask authentication'), ('AUTHSAML2_UNAUTH_TRANSIENT_OPEN_SESSION', 'Open a session')])),
-                ('back_url', models.CharField(default='/', max_length=200, verbose_name='Return URL after a successful authentication')),
-                ('accept_slo', models.BooleanField(default=True, verbose_name='Accept to receive Single Logout requests')),
-                ('forward_slo', models.BooleanField(default=True, verbose_name='Forward Single Logout requests')),
+                (
+                    'no_nameid_policy',
+                    models.BooleanField(default=False, verbose_name='Do not send a nameId Policy'),
+                ),
+                (
+                    'requested_name_id_format',
+                    models.CharField(
+                        default='none',
+                        max_length=200,
+                        verbose_name='Requested NameID format',
+                        choices=[
+                            ('username', 'Username (use with Google Apps)'),
+                            ('none', 'None'),
+                            ('persistent', 'Persistent'),
+                            ('transient', 'Transient'),
+                            ('edupersontargetedid', 'Use eduPersonTargetedID attribute'),
+                            ('email', 'Email'),
+                        ],
+                    ),
+                ),
+                (
+                    'transient_is_persistent',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='This IdP sends a transient NameID but you want a persistent behaviour for your SP',
+                    ),
+                ),
+                (
+                    'persistent_identifier_attribute',
+                    models.CharField(
+                        max_length=200, null=True, verbose_name='Persistent identifier attribute', blank=True
+                    ),
+                ),
+                (
+                    'allow_create',
+                    models.BooleanField(default=False, verbose_name='Allow IdP to create an identity'),
+                ),
+                (
+                    'enable_binding_for_sso_response',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='Binding for Authnresponse             (taken from metadata by the IdP if not enabled)',
+                    ),
+                ),
+                (
+                    'binding_for_sso_response',
+                    models.CharField(
+                        default='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                        max_length=200,
+                        verbose_name='Binding for the SSO responses',
+                        choices=[
+                            ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', 'Artifact binding'),
+                            ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'POST binding'),
+                        ],
+                    ),
+                ),
+                (
+                    'enable_http_method_for_slo_request',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='HTTP method for single logout request             (taken from metadata if not enabled)',
+                    ),
+                ),
+                (
+                    'http_method_for_slo_request',
+                    models.IntegerField(
+                        default=4,
+                        max_length=200,
+                        verbose_name='HTTP binding for the SLO requests',
+                        choices=[(4, 'Redirect binding'), (5, 'SOAP binding')],
+                    ),
+                ),
+                (
+                    'enable_http_method_for_defederation_request',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='HTTP method for federation termination request             (taken from metadata if not enabled)',
+                    ),
+                ),
+                (
+                    'http_method_for_defederation_request',
+                    models.IntegerField(
+                        default=5,
+                        max_length=200,
+                        verbose_name='HTTP method for the defederation requests',
+                        choices=[(4, 'Redirect binding'), (5, 'SOAP binding')],
+                    ),
+                ),
+                (
+                    'force_user_consent',
+                    models.BooleanField(
+                        default=False, verbose_name='Require the user consent be given at account linking'
+                    ),
+                ),
+                (
+                    'want_force_authn_request',
+                    models.BooleanField(default=False, verbose_name='Force authentication'),
+                ),
+                (
+                    'want_is_passive_authn_request',
+                    models.BooleanField(default=False, verbose_name='Passive authentication'),
+                ),
+                (
+                    'want_authn_request_signed',
+                    models.BooleanField(default=False, verbose_name='Want AuthnRequest signed'),
+                ),
+                (
+                    'handle_persistent',
+                    models.CharField(
+                        default='AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH',
+                        max_length=200,
+                        verbose_name='Behavior with persistent NameID',
+                        choices=[
+                            (
+                                'AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH',
+                                'Account linking by authentication',
+                            ),
+                            ('AUTHSAML2_UNAUTH_PERSISTENT_CREATE_USER_PSEUDONYMOUS', 'Create new account'),
+                        ],
+                    ),
+                ),
+                (
+                    'handle_transient',
+                    models.CharField(
+                        default='',
+                        max_length=200,
+                        verbose_name='Behavior with transient NameID',
+                        choices=[
+                            ('AUTHSAML2_UNAUTH_TRANSIENT_ASK_AUTH', 'Ask authentication'),
+                            ('AUTHSAML2_UNAUTH_TRANSIENT_OPEN_SESSION', 'Open a session'),
+                        ],
+                    ),
+                ),
+                (
+                    'back_url',
+                    models.CharField(
+                        default='/',
+                        max_length=200,
+                        verbose_name='Return URL after a successful authentication',
+                    ),
+                ),
+                (
+                    'accept_slo',
+                    models.BooleanField(
+                        default=True, verbose_name='Accept to receive Single Logout requests'
+                    ),
+                ),
+                (
+                    'forward_slo',
+                    models.BooleanField(default=True, verbose_name='Forward Single Logout requests'),
+                ),
             ],
             options={
                 'verbose_name': 'identity provider options policy',
@@ -122,11 +281,23 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertyFederation',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('name_id_format', models.CharField(max_length=100, null=True, verbose_name='NameIDFormat', blank=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'name_id_format',
+                    models.CharField(max_length=100, null=True, verbose_name='NameIDFormat', blank=True),
+                ),
                 ('name_id_content', models.CharField(max_length=100, verbose_name='NameID')),
-                ('name_id_qualifier', models.CharField(max_length=256, null=True, verbose_name='NameQualifier', blank=True)),
-                ('name_id_sp_name_qualifier', models.CharField(max_length=256, null=True, verbose_name='SPNameQualifier', blank=True)),
+                (
+                    'name_id_qualifier',
+                    models.CharField(max_length=256, null=True, verbose_name='NameQualifier', blank=True),
+                ),
+                (
+                    'name_id_sp_name_qualifier',
+                    models.CharField(max_length=256, null=True, verbose_name='SPNameQualifier', blank=True),
+                ),
                 ('termination_notified', models.BooleanField(blank=True, default=False)),
                 ('creation', models.DateTimeField(auto_now_add=True)),
                 ('last_modification', models.DateTimeField(auto_now=True)),
@@ -140,7 +311,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertyManageDump',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('django_session_key', models.CharField(max_length=128)),
                 ('manage_dump', models.TextField(blank=True)),
             ],
@@ -153,18 +327,37 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertyProvider',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('name', models.CharField(help_text='Internal nickname for the service provider', max_length=140, blank=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='Internal nickname for the service provider', max_length=140, blank=True
+                    ),
+                ),
                 ('slug', models.SlugField(unique=True, max_length=140)),
                 ('entity_id', models.URLField(unique=True, verbose_name='Entity ID')),
-                ('entity_id_sha1', models.CharField(max_length=40, verbose_name='Entity ID SHA1', blank=True)),
+                (
+                    'entity_id_sha1',
+                    models.CharField(max_length=40, verbose_name='Entity ID SHA1', blank=True),
+                ),
                 ('metadata_url', models.URLField(max_length=256, verbose_name='Metadata URL', blank=True)),
-                ('protocol_conformance', models.IntegerField(max_length=10, verbose_name='Protocol conformance', choices=[(3, 'SAML 2.0')])),
+                (
+                    'protocol_conformance',
+                    models.IntegerField(
+                        max_length=10, verbose_name='Protocol conformance', choices=[(3, 'SAML 2.0')]
+                    ),
+                ),
                 ('metadata', models.TextField(validators=[authentic2.saml.models.metadata_validator])),
                 ('public_key', models.TextField(blank=True)),
                 ('ssl_certificate', models.TextField(blank=True)),
                 ('ca_cert_chain', models.TextField(blank=True)),
-                ('federation_source', models.CharField(max_length=64, null=True, verbose_name='Federation source', blank=True)),
+                (
+                    'federation_source',
+                    models.CharField(max_length=64, null=True, verbose_name='Federation source', blank=True),
+                ),
             ],
             options={
                 'ordering': ('name',),
@@ -176,12 +369,53 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertyIdentityProvider',
             fields=[
-                ('liberty_provider', models.OneToOneField(related_name='identity_provider', primary_key=True, serialize=False, to='saml.LibertyProvider', on_delete=models.CASCADE)),
+                (
+                    'liberty_provider',
+                    models.OneToOneField(
+                        related_name='identity_provider',
+                        primary_key=True,
+                        serialize=False,
+                        to='saml.LibertyProvider',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
                 ('enabled', models.BooleanField(default=False, verbose_name='Enabled')),
-                ('enable_following_idp_options_policy', models.BooleanField(default=False, verbose_name='The following options policy will apply except if a policy for all identity provider is defined.')),
-                ('enable_following_authorization_policy', models.BooleanField(default=False, verbose_name='The following authorization policy will apply except if a policy for all identity provider is defined.')),
-                ('authorization_policy', models.ForeignKey(related_name='authorization_policy', on_delete=django.db.models.deletion.SET_NULL, verbose_name='authorization identity providers policy', blank=True, to='saml.AuthorizationSPPolicy', null=True)),
-                ('idp_options_policy', models.ForeignKey(related_name='idp_options_policy', on_delete=django.db.models.deletion.SET_NULL, verbose_name='identity provider options policy', blank=True, to='saml.IdPOptionsSPPolicy', null=True)),
+                (
+                    'enable_following_idp_options_policy',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='The following options policy will apply except if a policy for all identity provider is defined.',
+                    ),
+                ),
+                (
+                    'enable_following_authorization_policy',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='The following authorization policy will apply except if a policy for all identity provider is defined.',
+                    ),
+                ),
+                (
+                    'authorization_policy',
+                    models.ForeignKey(
+                        related_name='authorization_policy',
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        verbose_name='authorization identity providers policy',
+                        blank=True,
+                        to='saml.AuthorizationSPPolicy',
+                        null=True,
+                    ),
+                ),
+                (
+                    'idp_options_policy',
+                    models.ForeignKey(
+                        related_name='idp_options_policy',
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        verbose_name='identity provider options policy',
+                        blank=True,
+                        to='saml.IdPOptionsSPPolicy',
+                        null=True,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'SAML identity provider',
@@ -192,12 +426,46 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertyServiceProvider',
             fields=[
-                ('liberty_provider', models.OneToOneField(related_name='service_provider', primary_key=True, serialize=False, to='saml.LibertyProvider', on_delete=models.CASCADE)),
+                (
+                    'liberty_provider',
+                    models.OneToOneField(
+                        related_name='service_provider',
+                        primary_key=True,
+                        serialize=False,
+                        to='saml.LibertyProvider',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
                 ('enabled', models.BooleanField(default=False, verbose_name='Enabled')),
-                ('enable_following_sp_options_policy', models.BooleanField(default=False, verbose_name='The following options policy will apply except if a policy for all service provider is defined.')),
-                ('enable_following_attribute_policy', models.BooleanField(default=False, verbose_name='The following attribute policy will apply except if a policy for all service provider is defined.')),
-                ('users_can_manage_federations', models.BooleanField(default=True, verbose_name='users can manage federation')),
-                ('attribute_policy', models.ForeignKey(related_name='attribute_policy', on_delete=django.db.models.deletion.SET_NULL, verbose_name='attribute policy', blank=True, to='idp.AttributePolicy', null=True)),
+                (
+                    'enable_following_sp_options_policy',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='The following options policy will apply except if a policy for all service provider is defined.',
+                    ),
+                ),
+                (
+                    'enable_following_attribute_policy',
+                    models.BooleanField(
+                        default=False,
+                        verbose_name='The following attribute policy will apply except if a policy for all service provider is defined.',
+                    ),
+                ),
+                (
+                    'users_can_manage_federations',
+                    models.BooleanField(default=True, verbose_name='users can manage federation'),
+                ),
+                (
+                    'attribute_policy',
+                    models.ForeignKey(
+                        related_name='attribute_policy',
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        verbose_name='attribute policy',
+                        blank=True,
+                        to='idp.AttributePolicy',
+                        null=True,
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'SAML service provider',
@@ -208,16 +476,27 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertySession',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('django_session_key', models.CharField(max_length=128)),
                 ('session_index', models.CharField(max_length=80)),
                 ('provider_id', models.CharField(max_length=256)),
                 ('name_id_qualifier', models.CharField(max_length=256, null=True, verbose_name='Qualifier')),
                 ('name_id_format', models.CharField(max_length=100, null=True, verbose_name='NameIDFormat')),
                 ('name_id_content', models.CharField(max_length=100, verbose_name='NameID')),
-                ('name_id_sp_name_qualifier', models.CharField(max_length=256, null=True, verbose_name='SPNameQualifier')),
+                (
+                    'name_id_sp_name_qualifier',
+                    models.CharField(max_length=256, null=True, verbose_name='SPNameQualifier'),
+                ),
                 ('creation', models.DateTimeField(auto_now_add=True)),
-                ('federation', models.ForeignKey(blank=True, to='saml.LibertyFederation', null=True, on_delete=models.CASCADE)),
+                (
+                    'federation',
+                    models.ForeignKey(
+                        blank=True, to='saml.LibertyFederation', null=True, on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'SAML session',
@@ -228,7 +507,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertySessionDump',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('django_session_key', models.CharField(max_length=128)),
                 ('session_dump', models.TextField(blank=True)),
                 ('kind', models.IntegerField(choices=[(0, 'sp'), (1, 'idp')])),
@@ -242,7 +524,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='LibertySessionSP',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('django_session_key', models.CharField(max_length=128)),
                 ('session_index', models.CharField(max_length=80)),
                 ('federation', models.ForeignKey(to='saml.LibertyFederation', on_delete=models.CASCADE)),
@@ -256,39 +541,151 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='SAMLAttribute',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('object_id', models.PositiveIntegerField(verbose_name='object identifier')),
-                ('name_format', models.CharField(default='basic', max_length=64, verbose_name='name format', choices=[('basic', 'Basic'), ('uri', 'URI'), ('unspecified', 'Unspecified')])),
-                ('name', models.CharField(help_text='the local attribute name is used if left blank', max_length=128, verbose_name='name', blank=True)),
+                (
+                    'name_format',
+                    models.CharField(
+                        default='basic',
+                        max_length=64,
+                        verbose_name='name format',
+                        choices=[('basic', 'Basic'), ('uri', 'URI'), ('unspecified', 'Unspecified')],
+                    ),
+                ),
+                (
+                    'name',
+                    models.CharField(
+                        help_text='the local attribute name is used if left blank',
+                        max_length=128,
+                        verbose_name='name',
+                        blank=True,
+                    ),
+                ),
                 ('friendly_name', models.CharField(max_length=64, verbose_name='friendly name', blank=True)),
                 ('attribute_name', models.CharField(max_length=64, verbose_name='attribute name')),
                 ('enabled', models.BooleanField(blank=True, default=True, verbose_name='enabled')),
-                ('content_type', models.ForeignKey(verbose_name='content type', to='contenttypes.ContentType', on_delete=models.CASCADE)),
+                (
+                    'content_type',
+                    models.ForeignKey(
+                        verbose_name='content type', to='contenttypes.ContentType', on_delete=models.CASCADE
+                    ),
+                ),
             ],
-            options={
-            },
+            options={},
             bases=(models.Model,),
         ),
         migrations.CreateModel(
             name='SPOptionsIdPPolicy',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=80, verbose_name='name')),
                 ('enabled', models.BooleanField(default=False, verbose_name='Enabled')),
-                ('prefered_assertion_consumer_binding', models.CharField(default='meta', max_length=4, verbose_name='Prefered assertion consumer binding', choices=[('meta', 'Use the default from the metadata file'), ('art', 'Artifact binding'), ('post', 'POST binding')])),
+                (
+                    'prefered_assertion_consumer_binding',
+                    models.CharField(
+                        default='meta',
+                        max_length=4,
+                        verbose_name='Prefered assertion consumer binding',
+                        choices=[
+                            ('meta', 'Use the default from the metadata file'),
+                            ('art', 'Artifact binding'),
+                            ('post', 'POST binding'),
+                        ],
+                    ),
+                ),
                 ('encrypt_nameid', models.BooleanField(default=False, verbose_name='Encrypt NameID')),
                 ('encrypt_assertion', models.BooleanField(default=False, verbose_name='Encrypt Assertion')),
-                ('authn_request_signed', models.BooleanField(default=False, verbose_name='Authentication request signed')),
-                ('idp_initiated_sso', models.BooleanField(default=False, verbose_name='Allow IdP initiated SSO')),
-                ('default_name_id_format', models.CharField(default='none', max_length=256, choices=[('username', 'Username (use with Google Apps)'), ('none', 'None'), ('persistent', 'Persistent'), ('transient', 'Transient'), ('edupersontargetedid', 'Use eduPersonTargetedID attribute'), ('email', 'Email')])),
-                ('accepted_name_id_format', authentic2.saml.fields.MultiSelectField(blank=True, max_length=1024, verbose_name='NameID formats accepted', choices=[('username', 'Username (use with Google Apps)'), ('none', 'None'), ('persistent', 'Persistent'), ('transient', 'Transient'), ('edupersontargetedid', 'Use eduPersonTargetedID attribute'), ('email', 'Email')])),
-                ('ask_user_consent', models.BooleanField(default=False, verbose_name='Ask user for consent when creating a federation')),
-                ('accept_slo', models.BooleanField(default=True, verbose_name='Accept to receive Single Logout requests')),
-                ('forward_slo', models.BooleanField(default=True, verbose_name='Forward Single Logout requests')),
-                ('needs_iframe_logout', models.BooleanField(default=False, help_text='logout URL are normally loaded inside an <img> HTML tag, some service provider need to use an iframe', verbose_name='needs iframe logout')),
-                ('iframe_logout_timeout', models.PositiveIntegerField(default=300, help_text="if iframe logout is used, it's the time between the onload event for this iframe and the moment we consider its loading to be really finished", verbose_name='iframe logout timeout')),
-                ('http_method_for_slo_request', models.IntegerField(default=4, verbose_name='HTTP binding for the SLO requests', choices=[(4, 'Redirect binding'), (5, 'SOAP binding')])),
-                ('federation_mode', models.PositiveIntegerField(default=0, verbose_name='federation mode', choices=[(0, 'explicit'), (1, 'implicit')])),
+                (
+                    'authn_request_signed',
+                    models.BooleanField(default=False, verbose_name='Authentication request signed'),
+                ),
+                (
+                    'idp_initiated_sso',
+                    models.BooleanField(default=False, verbose_name='Allow IdP initiated SSO'),
+                ),
+                (
+                    'default_name_id_format',
+                    models.CharField(
+                        default='none',
+                        max_length=256,
+                        choices=[
+                            ('username', 'Username (use with Google Apps)'),
+                            ('none', 'None'),
+                            ('persistent', 'Persistent'),
+                            ('transient', 'Transient'),
+                            ('edupersontargetedid', 'Use eduPersonTargetedID attribute'),
+                            ('email', 'Email'),
+                        ],
+                    ),
+                ),
+                (
+                    'accepted_name_id_format',
+                    authentic2.saml.fields.MultiSelectField(
+                        blank=True,
+                        max_length=1024,
+                        verbose_name='NameID formats accepted',
+                        choices=[
+                            ('username', 'Username (use with Google Apps)'),
+                            ('none', 'None'),
+                            ('persistent', 'Persistent'),
+                            ('transient', 'Transient'),
+                            ('edupersontargetedid', 'Use eduPersonTargetedID attribute'),
+                            ('email', 'Email'),
+                        ],
+                    ),
+                ),
+                (
+                    'ask_user_consent',
+                    models.BooleanField(
+                        default=False, verbose_name='Ask user for consent when creating a federation'
+                    ),
+                ),
+                (
+                    'accept_slo',
+                    models.BooleanField(
+                        default=True, verbose_name='Accept to receive Single Logout requests'
+                    ),
+                ),
+                (
+                    'forward_slo',
+                    models.BooleanField(default=True, verbose_name='Forward Single Logout requests'),
+                ),
+                (
+                    'needs_iframe_logout',
+                    models.BooleanField(
+                        default=False,
+                        help_text='logout URL are normally loaded inside an <img> HTML tag, some service provider need to use an iframe',
+                        verbose_name='needs iframe logout',
+                    ),
+                ),
+                (
+                    'iframe_logout_timeout',
+                    models.PositiveIntegerField(
+                        default=300,
+                        help_text="if iframe logout is used, it's the time between the onload event for this iframe and the moment we consider its loading to be really finished",
+                        verbose_name='iframe logout timeout',
+                    ),
+                ),
+                (
+                    'http_method_for_slo_request',
+                    models.IntegerField(
+                        default=4,
+                        verbose_name='HTTP binding for the SLO requests',
+                        choices=[(4, 'Redirect binding'), (5, 'SOAP binding')],
+                    ),
+                ),
+                (
+                    'federation_mode',
+                    models.PositiveIntegerField(
+                        default=0, verbose_name='federation mode', choices=[(0, 'explicit'), (1, 'implicit')]
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'service provider options policy',
@@ -298,30 +695,45 @@ class Migration(migrations.Migration):
         ),
         migrations.AlterUniqueTogether(
             name='samlattribute',
-            unique_together=set([('content_type', 'object_id', 'name_format', 'name', 'friendly_name', 'attribute_name')]),
+            unique_together=set(
+                [('content_type', 'object_id', 'name_format', 'name', 'friendly_name', 'attribute_name')]
+            ),
         ),
         migrations.AddField(
             model_name='libertyserviceprovider',
             name='sp_options_policy',
-            field=models.ForeignKey(related_name='sp_options_policy', on_delete=django.db.models.deletion.SET_NULL, verbose_name='service provider options policy', blank=True, to='saml.SPOptionsIdPPolicy', null=True),
+            field=models.ForeignKey(
+                related_name='sp_options_policy',
+                on_delete=django.db.models.deletion.SET_NULL,
+                verbose_name='service provider options policy',
+                blank=True,
+                to='saml.SPOptionsIdPPolicy',
+                null=True,
+            ),
             preserve_default=True,
         ),
         migrations.AddField(
             model_name='libertyfederation',
             name='idp',
-            field=models.ForeignKey(blank=True, to='saml.LibertyIdentityProvider', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True, to='saml.LibertyIdentityProvider', null=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AddField(
             model_name='libertyfederation',
             name='sp',
-            field=models.ForeignKey(blank=True, to='saml.LibertyServiceProvider', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True, to='saml.LibertyServiceProvider', null=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AddField(
             model_name='libertyfederation',
             name='user',
-            field=models.ForeignKey(on_delete=django.db.models.deletion.SET_NULL, blank=True, to='auth.User', null=True),
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.SET_NULL, blank=True, to='auth.User', null=True
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/saml/migrations/0002_auto_20150320_1245.py b/src/authentic2/saml/migrations/0002_auto_20150320_1245.py
index 81f31748..6253c70d 100644
--- a/src/authentic2/saml/migrations/0002_auto_20150320_1245.py
+++ b/src/authentic2/saml/migrations/0002_auto_20150320_1245.py
@@ -20,13 +20,17 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='libertyserviceprovider',
             name='users_can_manage_federations',
-            field=models.BooleanField(blank=True, default=True, db_index=True, verbose_name='users can manage federation'),
+            field=models.BooleanField(
+                blank=True, default=True, db_index=True, verbose_name='users can manage federation'
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='spoptionsidppolicy',
             name='accept_slo',
-            field=models.BooleanField(default=True, db_index=True, verbose_name='Accept to receive Single Logout requests'),
+            field=models.BooleanField(
+                default=True, db_index=True, verbose_name='Accept to receive Single Logout requests'
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
diff --git a/src/authentic2/saml/migrations/0002_ease_federation_migration.py b/src/authentic2/saml/migrations/0002_ease_federation_migration.py
index 295c3cfc..60a40871 100644
--- a/src/authentic2/saml/migrations/0002_ease_federation_migration.py
+++ b/src/authentic2/saml/migrations/0002_ease_federation_migration.py
@@ -5,20 +5,23 @@ from django.db import migrations, models
 
 from authentic2.saml.common import AUTHENTIC_SAME_ID_SENTINEL
 
+
 def use_id_sentinel(apps, schema_editor):
     LibertyFederation = apps.get_model('saml', 'LibertyFederation')
     # idp federations
-    LibertyFederation.objects.filter(idp__isnull=True,
-            name_id_sp_name_qualifier=models.F('sp__liberty_provider__entity_id')) \
-            .update(name_id_sp_name_qualifier=AUTHENTIC_SAME_ID_SENTINEL)
+    LibertyFederation.objects.filter(
+        idp__isnull=True, name_id_sp_name_qualifier=models.F('sp__liberty_provider__entity_id')
+    ).update(name_id_sp_name_qualifier=AUTHENTIC_SAME_ID_SENTINEL)
     # If there is NameIDQualifier it must be ours
-    LibertyFederation.objects.filter(idp__isnull=True, name_id_qualifier__isnull=False) \
-            .update(name_id_qualifier=AUTHENTIC_SAME_ID_SENTINEL)
+    LibertyFederation.objects.filter(idp__isnull=True, name_id_qualifier__isnull=False).update(
+        name_id_qualifier=AUTHENTIC_SAME_ID_SENTINEL
+    )
+
 
 class Migration(migrations.Migration):
     dependencies = [
         ('saml', '0001_initial'),
     ]
     operations = [
-            migrations.RunPython(use_id_sentinel),
+        migrations.RunPython(use_id_sentinel),
     ]
diff --git a/src/authentic2/saml/migrations/0003_merge.py b/src/authentic2/saml/migrations/0003_merge.py
index 2ea6659f..a33adf29 100644
--- a/src/authentic2/saml/migrations/0003_merge.py
+++ b/src/authentic2/saml/migrations/0003_merge.py
@@ -11,5 +11,4 @@ class Migration(migrations.Migration):
         ('saml', '0002_ease_federation_migration'),
     ]
 
-    operations = [
-    ]
+    operations = []
diff --git a/src/authentic2/saml/migrations/0004_auto_20150410_1438.py b/src/authentic2/saml/migrations/0004_auto_20150410_1438.py
index 853ca8bf..8e5fe7d9 100644
--- a/src/authentic2/saml/migrations/0004_auto_20150410_1438.py
+++ b/src/authentic2/saml/migrations/0004_auto_20150410_1438.py
@@ -17,7 +17,12 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='libertyfederation',
             name='user',
-            field=models.ForeignKey(on_delete=django.db.models.deletion.SET_NULL, blank=True, to=settings.AUTH_USER_MODEL, null=True),
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.SET_NULL,
+                blank=True,
+                to=settings.AUTH_USER_MODEL,
+                null=True,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2/saml/migrations/0005_make_liberty_provider_inherit_from_service.py b/src/authentic2/saml/migrations/0005_make_liberty_provider_inherit_from_service.py
index ca1175c3..e681fb69 100644
--- a/src/authentic2/saml/migrations/0005_make_liberty_provider_inherit_from_service.py
+++ b/src/authentic2/saml/migrations/0005_make_liberty_provider_inherit_from_service.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -20,7 +21,9 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='libertyprovider',
             name='name',
-            field=models.CharField(help_text='Internal nickname for the service provider', max_length=140, null=True, blank=True),
+            field=models.CharField(
+                help_text='Internal nickname for the service provider', max_length=140, null=True, blank=True
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
diff --git a/src/authentic2/saml/migrations/0006_restore_foreign_keys.py b/src/authentic2/saml/migrations/0006_restore_foreign_keys.py
index f2475010..15853e7f 100644
--- a/src/authentic2/saml/migrations/0006_restore_foreign_keys.py
+++ b/src/authentic2/saml/migrations/0006_restore_foreign_keys.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def create_services(apps, schema_editor):
     Service = apps.get_model('authentic2', 'Service')
     LibertyProvider = apps.get_model('saml', 'LibertyProvider')
@@ -11,6 +12,7 @@ def create_services(apps, schema_editor):
         lp.service_ptr = service
         lp.save()
 
+
 def move_back_name_and_slug(apps, schema_editor):
     LibertyProvider = apps.get_model('saml', 'LibertyProvider')
     for lp in LibertyProvider.objects.all():
@@ -18,6 +20,7 @@ def move_back_name_and_slug(apps, schema_editor):
         lp.slug = lp.service_ptr.slug
         lp.save()
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2/saml/migrations/0007_copy_service_ptr_id_to_old_id.py b/src/authentic2/saml/migrations/0007_copy_service_ptr_id_to_old_id.py
index 2f561faf..0680e38b 100644
--- a/src/authentic2/saml/migrations/0007_copy_service_ptr_id_to_old_id.py
+++ b/src/authentic2/saml/migrations/0007_copy_service_ptr_id_to_old_id.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -26,28 +27,28 @@ class Migration(migrations.Migration):
             name='slug',
         ),
         migrations.AlterField(
-                model_name='LibertyFederation',
-                name='sp',
-                field=models.IntegerField(null=True),
-                preserve_default=False
+            model_name='LibertyFederation',
+            name='sp',
+            field=models.IntegerField(null=True),
+            preserve_default=False,
         ),
         migrations.AlterField(
-                model_name='LibertyFederation',
-                name='idp',
-                field=models.IntegerField(null=True),
-                preserve_default=False
+            model_name='LibertyFederation',
+            name='idp',
+            field=models.IntegerField(null=True),
+            preserve_default=False,
         ),
         migrations.AlterField(
-                model_name='LibertyServiceProvider',
-                name='liberty_provider',
-                field=models.IntegerField(default=0, primary_key=True),
-                preserve_default=False
+            model_name='LibertyServiceProvider',
+            name='liberty_provider',
+            field=models.IntegerField(default=0, primary_key=True),
+            preserve_default=False,
         ),
         migrations.AlterField(
-                model_name='LibertyIdentityProvider',
-                name='liberty_provider',
-                field=models.IntegerField(default=0, primary_key=True),
-                preserve_default=False
+            model_name='LibertyIdentityProvider',
+            name='liberty_provider',
+            field=models.IntegerField(default=0, primary_key=True),
+            preserve_default=False,
         ),
         migrations.AlterField(
             model_name='libertyprovider',
@@ -58,12 +59,22 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='libertyprovider',
             name='service_ptr',
-            field=models.OneToOneField(parent_link=True, auto_created=True, primary_key=True, serialize=False, to='authentic2.Service', on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                parent_link=True,
+                auto_created=True,
+                primary_key=True,
+                serialize=False,
+                to='authentic2.Service',
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
         migrations.AlterModelOptions(
             name='libertyprovider',
-            options={'ordering': ('service_ptr__name',), 'verbose_name': 'SAML provider', 'verbose_name_plural': 'SAML providers'},
+            options={
+                'ordering': ('service_ptr__name',),
+                'verbose_name': 'SAML provider',
+                'verbose_name_plural': 'SAML providers',
+            },
         ),
     ]
-
diff --git a/src/authentic2/saml/migrations/0008_alter_foreign_keys.py b/src/authentic2/saml/migrations/0008_alter_foreign_keys.py
index 1f2ca43f..ebb544a0 100644
--- a/src/authentic2/saml/migrations/0008_alter_foreign_keys.py
+++ b/src/authentic2/saml/migrations/0008_alter_foreign_keys.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def alter_foreign_keys(apps, schema_editor):
     ContentType = apps.get_model('contenttypes', 'ContentType')
     LibertyProvider = apps.get_model('saml', 'LibertyProvider')
@@ -12,14 +13,14 @@ def alter_foreign_keys(apps, schema_editor):
     SAMLAttribute = apps.get_model('saml', 'SAMLAttribute')
     for sp in LibertyServiceProvider.objects.all():
         lp = LibertyProvider.objects.get(old_id=sp.liberty_provider)
-        LibertyServiceProvider.objects \
-            .filter(liberty_provider=sp.liberty_provider) \
-            .update(new_liberty_provider=lp.service_ptr_id)
+        LibertyServiceProvider.objects.filter(liberty_provider=sp.liberty_provider).update(
+            new_liberty_provider=lp.service_ptr_id
+        )
     for idp in LibertyIdentityProvider.objects.all():
         lp = LibertyProvider.objects.get(old_id=idp.liberty_provider)
-        LibertyIdentityProvider.objects \
-            .filter(liberty_provider=idp.liberty_provider) \
-            .update(new_liberty_provider=lp.service_ptr_id)
+        LibertyIdentityProvider.objects.filter(liberty_provider=idp.liberty_provider).update(
+            new_liberty_provider=lp.service_ptr_id
+        )
     try:
         lp_ct = ContentType.objects.get(app_label='saml', model='libertyprovider')
     except ContentType.DoesNotExist:
@@ -39,15 +40,18 @@ def alter_foreign_keys(apps, schema_editor):
             fed.sp = lp.service_ptr_id
         fed.save()
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def copy_service_ptr_id_to_old_id(apps, schema_editor):
     LibertyProvider = apps.get_model('saml', 'LibertyProvider')
     for lp in LibertyProvider.objects.all():
         lp.old_id = lp.service_ptr_id
         lp.save()
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2/saml/migrations/0009_auto.py b/src/authentic2/saml/migrations/0009_auto.py
index 00193520..a17548c0 100644
--- a/src/authentic2/saml/migrations/0009_auto.py
+++ b/src/authentic2/saml/migrations/0009_auto.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -25,14 +26,25 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='libertyidentityprovider',
             name='new_liberty_provider',
-            field=models.OneToOneField(related_name='identity_provider', primary_key=True, serialize=False, to='saml.LibertyProvider', on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                related_name='identity_provider',
+                primary_key=True,
+                serialize=False,
+                to='saml.LibertyProvider',
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='libertyserviceprovider',
             name='new_liberty_provider',
-            field=models.OneToOneField(related_name='service_provider', primary_key=True, serialize=False, to='saml.LibertyProvider', on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                related_name='service_provider',
+                primary_key=True,
+                serialize=False,
+                to='saml.LibertyProvider',
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
-
diff --git a/src/authentic2/saml/migrations/0010_auto.py b/src/authentic2/saml/migrations/0010_auto.py
index 399459b1..a5949893 100644
--- a/src/authentic2/saml/migrations/0010_auto.py
+++ b/src/authentic2/saml/migrations/0010_auto.py
@@ -3,15 +3,18 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def restore_pk(apps, schema_editor):
     LibertyServiceProvider = apps.get_model('saml', 'LibertyServiceProvider')
     LibertyIdentityProvider = apps.get_model('saml', 'LibertyIdentityProvider')
     LibertyServiceProvider.objects.update(liberty_provider=models.F('new_liberty_provider_id'))
     LibertyIdentityProvider.objects.update(liberty_provider=models.F('new_liberty_provider_id'))
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -21,4 +24,3 @@ class Migration(migrations.Migration):
     operations = [
         migrations.RunPython(noop, restore_pk),
     ]
-
diff --git a/src/authentic2/saml/migrations/0011_auto.py b/src/authentic2/saml/migrations/0011_auto.py
index 7c904500..4d43ded9 100644
--- a/src/authentic2/saml/migrations/0011_auto.py
+++ b/src/authentic2/saml/migrations/0011_auto.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -10,30 +11,24 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RemoveField(
-            'libertyidentityprovider',
-            'liberty_provider'),
-        migrations.RemoveField(
-            'libertyserviceprovider',
-            'liberty_provider'),
-        migrations.RenameField(
-            'libertyidentityprovider',
-            'new_liberty_provider',
-            'liberty_provider'),
-        migrations.RenameField(
-            'libertyserviceprovider',
-            'new_liberty_provider',
-            'liberty_provider'),
+        migrations.RemoveField('libertyidentityprovider', 'liberty_provider'),
+        migrations.RemoveField('libertyserviceprovider', 'liberty_provider'),
+        migrations.RenameField('libertyidentityprovider', 'new_liberty_provider', 'liberty_provider'),
+        migrations.RenameField('libertyserviceprovider', 'new_liberty_provider', 'liberty_provider'),
         migrations.AlterField(
             model_name='libertyfederation',
             name='idp',
-            field=models.ForeignKey(blank=True, to='saml.LibertyIdentityProvider', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True, to='saml.LibertyIdentityProvider', null=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='libertyfederation',
             name='sp',
-            field=models.ForeignKey(blank=True, to='saml.LibertyServiceProvider', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True, to='saml.LibertyServiceProvider', null=True, on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.RemoveField(
@@ -41,4 +36,3 @@ class Migration(migrations.Migration):
             name='old_id',
         ),
     ]
-
diff --git a/src/authentic2/saml/migrations/0012_auto_20150526_2239.py b/src/authentic2/saml/migrations/0012_auto_20150526_2239.py
index 859a9dab..07dde706 100644
--- a/src/authentic2/saml/migrations/0012_auto_20150526_2239.py
+++ b/src/authentic2/saml/migrations/0012_auto_20150526_2239.py
@@ -14,12 +14,20 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='idpoptionssppolicy',
             name='http_method_for_defederation_request',
-            field=models.IntegerField(default=5, verbose_name='HTTP method for the defederation requests', choices=[(4, 'Redirect binding'), (5, 'SOAP binding')]),
+            field=models.IntegerField(
+                default=5,
+                verbose_name='HTTP method for the defederation requests',
+                choices=[(4, 'Redirect binding'), (5, 'SOAP binding')],
+            ),
         ),
         migrations.AlterField(
             model_name='idpoptionssppolicy',
             name='http_method_for_slo_request',
-            field=models.IntegerField(default=4, verbose_name='HTTP binding for the SLO requests', choices=[(4, 'Redirect binding'), (5, 'SOAP binding')]),
+            field=models.IntegerField(
+                default=4,
+                verbose_name='HTTP binding for the SLO requests',
+                choices=[(4, 'Redirect binding'), (5, 'SOAP binding')],
+            ),
         ),
         migrations.AlterField(
             model_name='libertyprovider',
diff --git a/src/authentic2/saml/migrations/0013_auto_20150617_1004.py b/src/authentic2/saml/migrations/0013_auto_20150617_1004.py
index 10fbfba1..5ecfa6db 100644
--- a/src/authentic2/saml/migrations/0013_auto_20150617_1004.py
+++ b/src/authentic2/saml/migrations/0013_auto_20150617_1004.py
@@ -3,18 +3,22 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def remove_duplicate_session_dump(apps, schema_editor):
     LibertySessionDump = apps.get_model('saml', 'LibertySessionDump')
-    qs = LibertySessionDump.objects \
-        .values('django_session_key') \
-        .annotate(cnt=models.Count('django_session_key')) \
+    qs = (
+        LibertySessionDump.objects.values('django_session_key')
+        .annotate(cnt=models.Count('django_session_key'))
         .filter(cnt__gt=1)
+    )
     session_keys = [d['django_session_key'] for d in qs]
     LibertySessionDump.objects.filter(django_session_key__in=session_keys).delete()
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2/saml/migrations/0014_auto_20150617_1216.py b/src/authentic2/saml/migrations/0014_auto_20150617_1216.py
index 006e2f6e..93c1f3f9 100644
--- a/src/authentic2/saml/migrations/0014_auto_20150617_1216.py
+++ b/src/authentic2/saml/migrations/0014_auto_20150617_1216.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2/saml/migrations/0015_auto_20150915_2032.py b/src/authentic2/saml/migrations/0015_auto_20150915_2032.py
index 34c156d7..e5682ff0 100644
--- a/src/authentic2/saml/migrations/0015_auto_20150915_2032.py
+++ b/src/authentic2/saml/migrations/0015_auto_20150915_2032.py
@@ -15,19 +15,55 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='idpoptionssppolicy',
             name='requested_name_id_format',
-            field=models.CharField(default='none', max_length=200, verbose_name='Requested NameID format', choices=[('username', 'Username (use with Google Apps)'), ('none', 'None'), ('uuid', 'UUID'), ('persistent', 'Persistent'), ('transient', 'Transient'), ('edupersontargetedid', 'Use eduPersonTargetedID attribute'), ('email', 'Email')]),
+            field=models.CharField(
+                default='none',
+                max_length=200,
+                verbose_name='Requested NameID format',
+                choices=[
+                    ('username', 'Username (use with Google Apps)'),
+                    ('none', 'None'),
+                    ('uuid', 'UUID'),
+                    ('persistent', 'Persistent'),
+                    ('transient', 'Transient'),
+                    ('edupersontargetedid', 'Use eduPersonTargetedID attribute'),
+                    ('email', 'Email'),
+                ],
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='spoptionsidppolicy',
             name='accepted_name_id_format',
-            field=authentic2.saml.fields.MultiSelectField(blank=True, choices=[('none', 'None'), ('persistent', 'Persistent'), ('transient', 'Transient'), ('email', 'Email'), ('username', 'Username (use with Google Apps)'), ('uuid', 'UUID'), ('edupersontargetedid', 'Use eduPersonTargetedID attribute')], max_length=1024, verbose_name='NameID formats accepted'),
-
+            field=authentic2.saml.fields.MultiSelectField(
+                blank=True,
+                choices=[
+                    ('none', 'None'),
+                    ('persistent', 'Persistent'),
+                    ('transient', 'Transient'),
+                    ('email', 'Email'),
+                    ('username', 'Username (use with Google Apps)'),
+                    ('uuid', 'UUID'),
+                    ('edupersontargetedid', 'Use eduPersonTargetedID attribute'),
+                ],
+                max_length=1024,
+                verbose_name='NameID formats accepted',
+            ),
         ),
         migrations.AlterField(
             model_name='spoptionsidppolicy',
             name='default_name_id_format',
-            field=models.CharField(default='none', max_length=256, choices=[('none', 'None'), ('persistent', 'Persistent'), ('transient', 'Transient'), ('email', 'Email'), ('username', 'Username (use with Google Apps)'), ('uuid', 'UUID'), ('edupersontargetedid', 'Use eduPersonTargetedID attribute')]),
-
+            field=models.CharField(
+                default='none',
+                max_length=256,
+                choices=[
+                    ('none', 'None'),
+                    ('persistent', 'Persistent'),
+                    ('transient', 'Transient'),
+                    ('email', 'Email'),
+                    ('username', 'Username (use with Google Apps)'),
+                    ('uuid', 'UUID'),
+                    ('edupersontargetedid', 'Use eduPersonTargetedID attribute'),
+                ],
+            ),
         ),
     ]
diff --git a/src/authentic2/saml/models.py b/src/authentic2/saml/models.py
index 8d02df3e..4a465c5b 100644
--- a/src/authentic2/saml/models.py
+++ b/src/authentic2/saml/models.py
@@ -34,6 +34,7 @@ from django.utils.encoding import force_text
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ObjectDoesNotExist
 from django.contrib.contenttypes.models import ContentType
+
 try:
     from django.contrib.contenttypes.fields import GenericForeignKey
 except ImportError:
@@ -51,10 +52,11 @@ from ..models import Service
 
 
 def metadata_validator(meta):
-    provider = lasso.Provider.newFromBuffer(
-            lasso.PROVIDER_ROLE_ANY, force_str(meta.encode('utf8')))
+    provider = lasso.Provider.newFromBuffer(lasso.PROVIDER_ROLE_ANY, force_str(meta.encode('utf8')))
     if not provider:
         raise ValidationError(_('Invalid metadata file'))
+
+
 XML_NS = 'http://www.w3.org/XML/1998/namespace'
 
 
@@ -70,12 +72,12 @@ def ls_find(ls, value):
 
 
 def get_prefered_content(etrees, languages=[None, 'en']):
-    '''Sort XML nodes by their xml:lang attribute using languages as the
+    """Sort XML nodes by their xml:lang attribute using languages as the
     ascending partial order of language identifiers
 
        Default is to prefer english, then no lang declaration, to anything
        else.
-    '''
+    """
     best = None
     best_score = -1
     for tree in etrees:
@@ -91,9 +93,9 @@ def get_prefered_content(etrees, languages=[None, 'en']):
 
 
 def organization_name(provider):
-    '''Extract an organization name from a SAMLv2 metadata organization XML
-       fragment.
-    '''
+    """Extract an organization name from a SAMLv2 metadata organization XML
+    fragment.
+    """
     try:
         organization_xml = provider.organization
         organization = etree.XML(organization_xml)
@@ -108,45 +110,70 @@ def organization_name(provider):
     else:
         return provider.providerId
 
+
 # TODO: Remove this in LibertyServiceProvider
 ASSERTION_CONSUMER_PROFILES = (
     ('meta', _('Use the default from the metadata file')),
     ('art', _('Artifact binding')),
-    ('post', _('POST binding')))
+    ('post', _('POST binding')),
+)
 
 DEFAULT_NAME_ID_FORMAT = 'none'
 
 # Supported name id formats
-NAME_ID_FORMATS = collections.OrderedDict([
-    ('none', {
-        'caption': _('None'),
-        'samlv2': None,
-    }),
-    ('persistent', {
-        'caption': _('Persistent'),
-        'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
-    }),
-    ('transient', {
-        'caption': _("Transient"),
-        'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
-    }),
-    ('email', {
-        'caption': _("Email"),
-        'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL,
-    }),
-    ('username', {
-        'caption': _("Username (use with Google Apps)"),
-        'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
-    }),
-    ('uuid', {
-        'caption': _("UUID"),
-        'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
-    }),
-    ('edupersontargetedid', {
-        'caption': _("Use eduPersonTargetedID attribute"),
-        'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
-    })
-])
+NAME_ID_FORMATS = collections.OrderedDict(
+    [
+        (
+            'none',
+            {
+                'caption': _('None'),
+                'samlv2': None,
+            },
+        ),
+        (
+            'persistent',
+            {
+                'caption': _('Persistent'),
+                'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+            },
+        ),
+        (
+            'transient',
+            {
+                'caption': _("Transient"),
+                'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
+            },
+        ),
+        (
+            'email',
+            {
+                'caption': _("Email"),
+                'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL,
+            },
+        ),
+        (
+            'username',
+            {
+                'caption': _("Username (use with Google Apps)"),
+                'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
+            },
+        ),
+        (
+            'uuid',
+            {
+                'caption': _("UUID"),
+                'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
+            },
+        ),
+        (
+            'edupersontargetedid',
+            {
+                'caption': _("Use eduPersonTargetedID attribute"),
+                'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+            },
+        ),
+    ]
+)
 
 NAME_ID_FORMATS_CHOICES = [(force_text(x), y['caption']) for x, y in NAME_ID_FORMATS.items()]
 
@@ -171,26 +198,25 @@ def nidformat_to_saml2_urn(key):
 # exceed the URL length permitted by most user agents.
 BINDING_SSO_IDP = (
     (lasso.SAML2_METADATA_BINDING_ARTIFACT, _('Artifact binding')),
-    (lasso.SAML2_METADATA_BINDING_POST, _('POST binding'))
+    (lasso.SAML2_METADATA_BINDING_POST, _('POST binding')),
 )
 
 
 HTTP_METHOD = (
     (lasso.HTTP_METHOD_REDIRECT, _('Redirect binding')),
-    (lasso.HTTP_METHOD_SOAP, _('SOAP binding'))
+    (lasso.HTTP_METHOD_SOAP, _('SOAP binding')),
 )
 
 
 SIGNATURE_VERIFY_HINT = {
     lasso.PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: _('Let authentic decides which signatures to check'),
     lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE: _('Always check signatures'),
-    lasso.PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: _('Does not check signatures') }
+    lasso.PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: _('Does not check signatures'),
+}
 
 AUTHSAML2_UNAUTH_PERSISTENT = (
-    ('AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH',
-        _('Account linking by authentication')),
-    ('AUTHSAML2_UNAUTH_PERSISTENT_CREATE_USER_PSEUDONYMOUS',
-        _('Create new account')),
+    ('AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH', _('Account linking by authentication')),
+    ('AUTHSAML2_UNAUTH_PERSISTENT_CREATE_USER_PSEUDONYMOUS', _('Create new account')),
 )
 
 AUTHSAML2_UNAUTH_TRANSIENT = (
@@ -200,71 +226,73 @@ AUTHSAML2_UNAUTH_TRANSIENT = (
 
 
 class SPOptionsIdPPolicy(models.Model):
-    '''
-        Policies configured as a SAML2 identity provider.
+    """
+    Policies configured as a SAML2 identity provider.
+
+    Used to define SAML2 parameters employed with service providers.
+    """
 
-        Used to define SAML2 parameters employed with service providers.
-    '''
     name = models.CharField(_('name'), max_length=80, unique=True)
     enabled = models.BooleanField(verbose_name=_('Enabled'), default=False, db_index=True)
     prefered_assertion_consumer_binding = models.CharField(
         verbose_name=_("Prefered assertion consumer binding"),
         default='meta',
         max_length=4,
-        choices=ASSERTION_CONSUMER_PROFILES)
+        choices=ASSERTION_CONSUMER_PROFILES,
+    )
     encrypt_nameid = models.BooleanField(verbose_name=_("Encrypt NameID"), default=False)
-    encrypt_assertion = models.BooleanField(
-        verbose_name=_("Encrypt Assertion"),
-        default=False)
-    authn_request_signed = models.BooleanField(
-        verbose_name=_("Authentication request signed"),
-        default=False)
+    encrypt_assertion = models.BooleanField(verbose_name=_("Encrypt Assertion"), default=False)
+    authn_request_signed = models.BooleanField(verbose_name=_("Authentication request signed"), default=False)
     idp_initiated_sso = models.BooleanField(
-        verbose_name=_("Allow IdP initiated SSO"),
-        default=False, db_index=True)
+        verbose_name=_("Allow IdP initiated SSO"), default=False, db_index=True
+    )
     # XXX: format in the metadata file, should be suffixed with a star to mark
     # them as special
     default_name_id_format = models.CharField(
-        max_length=256,
-        default=DEFAULT_NAME_ID_FORMAT,
-        choices=NAME_ID_FORMATS_CHOICES)
+        max_length=256, default=DEFAULT_NAME_ID_FORMAT, choices=NAME_ID_FORMATS_CHOICES
+    )
     accepted_name_id_format = MultiSelectField(
         verbose_name=_("NameID formats accepted"),
         max_length=1024,
         blank=True,
-        choices=NAME_ID_FORMATS_CHOICES)
+        choices=NAME_ID_FORMATS_CHOICES,
+    )
     # TODO: add clean method which checks that the LassoProvider we can create
     # with the metadata file support the SP role
     # i.e. provider.roles & lasso.PROVIDER_ROLE_SP != 0
     ask_user_consent = models.BooleanField(
-        verbose_name=_('Ask user for consent when creating a federation'), default=False)
+        verbose_name=_('Ask user for consent when creating a federation'), default=False
+    )
     accept_slo = models.BooleanField(
-        verbose_name=_("Accept to receive Single Logout requests"),
-        default=True,
-        db_index=True)
-    forward_slo = models.BooleanField(
-        verbose_name=_("Forward Single Logout requests"),
-        default=True)
+        verbose_name=_("Accept to receive Single Logout requests"), default=True, db_index=True
+    )
+    forward_slo = models.BooleanField(verbose_name=_("Forward Single Logout requests"), default=True)
     needs_iframe_logout = models.BooleanField(
         verbose_name=_('needs iframe logout'),
         help_text=_(
-            'logout URL are normally loaded inside an <img> HTML tag, some service provider need to use an iframe'),
-        default=False)
+            'logout URL are normally loaded inside an <img> HTML tag, some service provider need to use an iframe'
+        ),
+        default=False,
+    )
     iframe_logout_timeout = models.PositiveIntegerField(
         verbose_name=_('iframe logout timeout'),
         help_text=_(
             'if iframe logout is used, it\'s the time between the '
             'onload event for this iframe and the moment we consider its '
-            'loading to be really finished'),
-        default=300)
+            'loading to be really finished'
+        ),
+        default=300,
+    )
     http_method_for_slo_request = models.IntegerField(
         verbose_name=_("HTTP binding for the SLO requests"),
         choices=HTTP_METHOD,
-        default=lasso.HTTP_METHOD_REDIRECT)
+        default=lasso.HTTP_METHOD_REDIRECT,
+    )
     federation_mode = models.PositiveIntegerField(
         _('federation mode'),
         choices=app_settings.FEDERATION_MODE.get_choices(app_settings),
-        default=app_settings.FEDERATION_MODE.get_default(app_settings))
+        default=app_settings.FEDERATION_MODE.get_default(app_settings),
+    )
     attributes = GenericRelation('SAMLAttribute')
 
     objects = a2_managers.GetByNameManager()
@@ -288,31 +316,21 @@ class SAMLAttribute(models.Model):
     )
     objects = managers.SAMLAttributeManager()
 
-    content_type = models.ForeignKey(
-        ContentType,
-        verbose_name=_('content type'),
-        on_delete=models.CASCADE)
+    content_type = models.ForeignKey(ContentType, verbose_name=_('content type'), on_delete=models.CASCADE)
     object_id = models.PositiveIntegerField(verbose_name=_('object identifier'))
     provider = GenericForeignKey('content_type', 'object_id')
     name_format = models.CharField(
-        max_length=64,
-        verbose_name=_('name format'),
-        default='basic',
-        choices=ATTRIBUTE_NAME_FORMATS)
+        max_length=64, verbose_name=_('name format'), default='basic', choices=ATTRIBUTE_NAME_FORMATS
+    )
     name = models.CharField(
         max_length=128,
         verbose_name=_('name'),
         blank=True,
-        help_text=_('the local attribute name is used if left blank'))
-    friendly_name = models.CharField(
-        max_length=64,
-        verbose_name=_('friendly name'),
-        blank=True)
+        help_text=_('the local attribute name is used if left blank'),
+    )
+    friendly_name = models.CharField(max_length=64, verbose_name=_('friendly name'), blank=True)
     attribute_name = models.CharField(max_length=64, verbose_name=_('attribute name'))
-    enabled = models.BooleanField(
-        verbose_name=_('enabled'),
-        default=True,
-        blank=True)
+    enabled = models.BooleanField(verbose_name=_('enabled'), default=True, blank=True)
 
     def clean(self):
         super(SAMLAttribute, self).clean()
@@ -349,12 +367,14 @@ class SAMLAttribute(models.Model):
     def natural_key(self):
         if not hasattr(self.provider, 'natural_key'):
             return self.id
-        return (self.content_type.natural_key(),
-                self.provider.natural_key(),
-                self.name_format,
-                self.name,
-                self.friendly_name,
-                self.attribute_name)
+        return (
+            self.content_type.natural_key(),
+            self.provider.natural_key(),
+            self.name_format,
+            self.name,
+            self.friendly_name,
+            self.attribute_name,
+        )
 
     class Meta:
         unique_together = (
@@ -367,15 +387,13 @@ class LibertyProvider(Service):
     entity_id_sha1 = models.CharField(max_length=40, blank=True, verbose_name=_('Entity ID SHA1'))
     metadata_url = models.URLField(max_length=256, blank=True, verbose_name=_('Metadata URL'))
     protocol_conformance = models.IntegerField(
-        choices=((lasso.PROTOCOL_SAML_2_0, 'SAML 2.0'),),
-        verbose_name=_('Protocol conformance'))
+        choices=((lasso.PROTOCOL_SAML_2_0, 'SAML 2.0'),), verbose_name=_('Protocol conformance')
+    )
     metadata = models.TextField(validators=[metadata_validator])
     # All following field must be PEM formatted textual data
     federation_source = models.CharField(
-        max_length=64,
-        blank=True,
-        null=True,
-        verbose_name=_('Federation source'))
+        max_length=64, blank=True, null=True, verbose_name=_('Federation source')
+    )
 
     attributes = GenericRelation(SAMLAttribute)
 
@@ -442,26 +460,27 @@ def get_all_custom_or_default(instance, name):
 # expect if the protocol for response is defined in the request (ProtocolBinding attribute)
 class LibertyServiceProvider(models.Model):
     liberty_provider = models.OneToOneField(
-        LibertyProvider,
-        primary_key=True,
-        related_name='service_provider',
-        on_delete=models.CASCADE)
+        LibertyProvider, primary_key=True, related_name='service_provider', on_delete=models.CASCADE
+    )
     enabled = models.BooleanField(verbose_name=_('Enabled'), default=False, db_index=True)
     enable_following_sp_options_policy = models.BooleanField(
-        verbose_name=_('The following options policy will apply except '
-                       'if a policy for all service provider is defined.'),
-        default=False)
+        verbose_name=_(
+            'The following options policy will apply except '
+            'if a policy for all service provider is defined.'
+        ),
+        default=False,
+    )
     sp_options_policy = models.ForeignKey(
         SPOptionsIdPPolicy,
         related_name="sp_options_policy",
-        verbose_name=_('service provider options policy'), blank=True,
+        verbose_name=_('service provider options policy'),
+        blank=True,
         null=True,
-        on_delete=models.SET_NULL)
+        on_delete=models.SET_NULL,
+    )
     users_can_manage_federations = models.BooleanField(
-        verbose_name=_('users can manage federation'),
-        default=True,
-        blank=True,
-        db_index=True)
+        verbose_name=_('users can manage federation'), default=True, blank=True, db_index=True
+    )
 
     objects = managers.GetByLibertyProviderManager()
 
@@ -485,10 +504,11 @@ LIBERTY_SESSION_DUMP_KIND = {
 
 
 class LibertySessionDump(models.Model):
-    '''Store lasso session object dump.
+    """Store lasso session object dump.
+
+    Should be replaced in the future by direct references to known
+    assertions through the LibertySession object"""
 
-       Should be replaced in the future by direct references to known
-       assertions through the LibertySession object'''
     django_session_key = models.CharField(max_length=128)
     session_dump = models.TextField(blank=True)
     kind = models.IntegerField(choices=LIBERTY_SESSION_DUMP_KIND.items())
@@ -503,6 +523,7 @@ class LibertySessionDump(models.Model):
 
 class LibertyArtifact(models.Model):
     """Store an artifact and the associated XML content"""
+
     creation = models.DateTimeField(auto_now_add=True)
     artifact = models.CharField(max_length=128, primary_key=True)
     content = models.TextField()
@@ -523,27 +544,23 @@ def nameid2kwargs(name_id):
         'name_id_format': name_id.format,
     }
 
+
 # XXX: for retrocompatibility
 federation_delete = managers.federation_delete
 
 
 class LibertyFederation(models.Model):
     """Store a federation, i.e. an identifier shared with another provider, be
-       it IdP or SP"""
-    user = models.ForeignKey(
-        settings.AUTH_USER_MODEL,
-        null=True,
-        blank=True,
-        on_delete=models.SET_NULL)
-    sp = models.ForeignKey(
-        'LibertyServiceProvider',
-        null=True,
-        blank=True,
-        on_delete=models.CASCADE)
+    it IdP or SP"""
+
+    user = models.ForeignKey(settings.AUTH_USER_MODEL, null=True, blank=True, on_delete=models.SET_NULL)
+    sp = models.ForeignKey('LibertyServiceProvider', null=True, blank=True, on_delete=models.CASCADE)
     name_id_format = models.CharField(max_length=100, verbose_name="NameIDFormat", blank=True, null=True)
     name_id_content = models.CharField(max_length=100, verbose_name="NameID")
     name_id_qualifier = models.CharField(max_length=256, verbose_name="NameQualifier", blank=True, null=True)
-    name_id_sp_name_qualifier = models.CharField(max_length=256, verbose_name="SPNameQualifier", blank=True, null=True)
+    name_id_sp_name_qualifier = models.CharField(
+        max_length=256, verbose_name="SPNameQualifier", blank=True, null=True
+    )
     termination_notified = models.BooleanField(blank=True, default=False)
     creation = models.DateTimeField(auto_now_add=True)
     last_modification = models.DateTimeField(auto_now=True)
@@ -570,11 +587,11 @@ class LibertyFederation(models.Model):
         return key
 
     def is_unique(self, for_format=True):
-        '''Return whether a federation already exist for this user and this provider.
+        """Return whether a federation already exist for this user and this provider.
 
-           By default the check is made by name_id_format, if you want to check
-           whatever the format, set for_format to False.
-        '''
+        By default the check is made by name_id_format, if you want to check
+        whatever the format, set for_format to False.
+        """
         qs = LibertyFederation.objects.exclude(id=self.id).filter(user=self.user, idp=self.idp, sp=self.sp)
         if for_format:
             qs = qs.filter(name_id_format=self.name_id_format)
@@ -590,14 +607,11 @@ class LibertyFederation(models.Model):
 
 class LibertySession(models.Model):
     """Store the link between a Django session and a SAML session"""
+
     django_session_key = models.CharField(max_length=128)
     session_index = models.CharField(max_length=80)
     provider_id = models.CharField(max_length=256)
-    federation = models.ForeignKey(
-        LibertyFederation,
-        blank=True,
-        null=True,
-        on_delete=models.CASCADE)
+    federation = models.ForeignKey(LibertyFederation, blank=True, null=True, on_delete=models.CASCADE)
     name_id_qualifier = models.CharField(max_length=256, verbose_name=_("Qualifier"), null=True)
     name_id_format = models.CharField(max_length=100, verbose_name=_("NameIDFormat"), null=True)
     name_id_content = models.CharField(max_length=100, verbose_name=_("NameID"))
@@ -609,8 +623,7 @@ class LibertySession(models.Model):
     def __init__(self, *args, **kwargs):
         saml2_assertion = kwargs.pop('saml2_assertion', None)
         if saml2_assertion:
-            kwargs['session_index'] = \
-                saml2_assertion.authnStatement[0].sessionIndex
+            kwargs['session_index'] = saml2_assertion.authnStatement[0].sessionIndex
             name_id = saml2_assertion.subject.nameID
             kwargs.update(nameid2kwargs(name_id))
         models.Model.__init__(self, *args, **kwargs)
@@ -630,7 +643,9 @@ class LibertySession(models.Model):
             qs = qs.filter(**kwargs)
         else:
             kwargs.pop('name_id_qualifier')
-            qs = qs.filter(**kwargs).filter(Q(name_id_qualifier__isnull=True) | Q(name_id_qualifier=issuer_id))
+            qs = qs.filter(**kwargs).filter(
+                Q(name_id_qualifier__isnull=True) | Q(name_id_qualifier=issuer_id)
+            )
         qs = qs.filter(Q(name_id_sp_name_qualifier__isnull=True) | Q(name_id_sp_name_qualifier=provider_id))
         return qs
 
diff --git a/src/authentic2/saml/saml2utils.py b/src/authentic2/saml/saml2utils.py
index f3a8d645..aad5c77b 100644
--- a/src/authentic2/saml/saml2utils.py
+++ b/src/authentic2/saml/saml2utils.py
@@ -43,7 +43,9 @@ def filter_element_private_key(message):
             r'(<saml)(p)?(:PrivateKeyFile>-----BEGIN RSA PRIVATE KEY-----)'
             r'([&#;\w/+=\s])+'
             r'(-----END RSA PRIVATE KEY-----</saml)(p)?(:PrivateKeyFile>)',
-            '', message)
+            '',
+            message,
+        )
     else:
         return message
 
@@ -71,14 +73,10 @@ def keyinfo(tb, key):
         tb.start('KeyValue', {})
         tb.start('RSAKeyValue', {})
         tb.start('Modulus', {})
-        tb.data(
-            x509utils.int_to_cryptobinary(
-                x509utils.get_rsa_public_key_modulus(key)))
+        tb.data(x509utils.int_to_cryptobinary(x509utils.get_rsa_public_key_modulus(key)))
         tb.end('Modulus')
         tb.start('Exponent', {})
-        tb.data(
-            x509utils.int_to_cryptobinary(
-                x509utils.get_rsa_public_key_exponent(key)))
+        tb.data(x509utils.int_to_cryptobinary(x509utils.get_rsa_public_key_exponent(key)))
         tb.end('Exponent')
         tb.end('RSAKeyValue')
         tb.end('KeyValue')
@@ -143,10 +141,10 @@ class Saml2Metadata(object):
     indexed_endpoints = (ARTIFACT_RESOLUTION_SERVICE, ASSERTION_CONSUMER_SERVICE)
 
     def __init__(self, entity_id, url_prefix='', valid_until=None, cache_duration=None):
-        '''Initialize a new generator for a metadata file.
+        """Initialize a new generator for a metadata file.
 
-           Entity id is the name of the provider
-        '''
+        Entity id is the name of the provider
+        """
         self.entity_id = entity_id
         self.url_prefix = url_prefix
         self.role_descriptors = {}
@@ -156,20 +154,20 @@ class Saml2Metadata(object):
         self.tb.pushNamespace(lasso.SAML2_METADATA_HREF)
 
     def add_role_descriptor(self, role, map, options):
-        '''Add a role descriptor, map is a sequence of tuples formatted as
+        """Add a role descriptor, map is a sequence of tuples formatted as
 
-              (endpoint_type, (bindings, ..) , url [, return_url])
+           (endpoint_type, (bindings, ..) , url [, return_url])
 
-           endpoint_type is a string among:
+        endpoint_type is a string among:
 
-              - SingleSignOnService
-              - AssertionConsumer
-              - SingleLogoutService
-              - ManageNameIDService
-              - AuthzService
-              - AuthnQueryService
-              - AttributeService
-              - AssertionIDRequestService'''
+           - SingleSignOnService
+           - AssertionConsumer
+           - SingleLogoutService
+           - ManageNameIDService
+           - AuthzService
+           - AuthnQueryService
+           - AttributeService
+           - AssertionIDRequestService"""
         self.role_descriptors[role] = (map, options)
 
     def add_sp_descriptor(self, map, options):
@@ -208,10 +206,7 @@ class Saml2Metadata(object):
                 else:
                     bindings = row[1]
                 for binding in bindings:
-                    attribs = {
-                        'Binding': binding,
-                        'Location': self.url_prefix + row[2]
-                    }
+                    attribs = {'Binding': binding, 'Location': self.url_prefix + row[2]}
                     if len(row) == 4:
                         attribs['ResponseLocation'] = self.url_prefix + row[3]
                     if service in self.indexed_endpoints:
@@ -242,7 +237,7 @@ class Saml2Metadata(object):
 
         self.entity_descriptor = self.tb.start(self.ENTITY_DESCRIPTOR, attrib)
         # Generate sso descriptor
-        attrib =  {self.PROTOCOL_SUPPORT_ENUMERATION: lasso.SAML2_PROTOCOL_HREF}
+        attrib = {self.PROTOCOL_SUPPORT_ENUMERATION: lasso.SAML2_PROTOCOL_HREF}
         if self.role_descriptors.get('sp'):
             map, options = self.role_descriptors['sp']
             self.sp_descriptor = self.tb.start(self.SP_SSO_DESCRIPTOR, attrib)
@@ -266,7 +261,7 @@ class Saml2Metadata(object):
             attrib = {
                 'Binding': self.DISCOVERY_BINDING,
                 'Location': self.url_prefix + url,
-                'index': str(index)
+                'index': str(index),
             }
             self.tb.start(self.DISCOVERY_RESPONSE, attrib)
             self.tb.end(self.DISCOVERY_RESPONSE)
@@ -275,20 +270,20 @@ class Saml2Metadata(object):
         self.tb.end(self.EXTENSIONS)
 
     def __str__(self):
-        return '<?xml version="1.0"?>\n' + force_text(
-                etree.tostring(self.root_element()))
+        return '<?xml version="1.0"?>\n' + force_text(etree.tostring(self.root_element()))
 
 
 def iso8601_to_datetime(date_string):
-    '''Convert a string formatted as an ISO8601 date into a time_t value.
+    """Convert a string formatted as an ISO8601 date into a time_t value.
 
-       This function ignores the sub-second resolution'''
+    This function ignores the sub-second resolution"""
     m = re.match(r'(\d+-\d+-\d+T\d+:\d+:\d+)(?:\.\d+)?Z$', date_string)
     if not m:
         raise ValueError('Invalid ISO8601 date')
     tm = time.strptime(m.group(1) + 'Z', "%Y-%m-%dT%H:%M:%SZ")
     return datetime.datetime.fromtimestamp(time.mktime(tm))
 
+
 def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=None):
     logger.debug('beginning...')
     # If there is no inResponseTo: IDP initiated
@@ -301,8 +296,7 @@ def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=
 
     irt = None
     try:
-        irt = assertion.subject. \
-            subjectConfirmation.subjectConfirmationData.inResponseTo
+        irt = assertion.subject.subjectConfirmation.subjectConfirmationData.inResponseTo
     except Exception:
         pass
     logger.debug('inResponseTo: %s' % irt)
@@ -313,8 +307,7 @@ def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=
 
     # Check: SubjectConfirmation
     try:
-        if assertion.subject.subjectConfirmation.method != \
-                'urn:oasis:names:tc:SAML:2.0:cm:bearer':
+        if assertion.subject.subjectConfirmation.method != 'urn:oasis:names:tc:SAML:2.0:cm:bearer':
             logger.error('Unknown SubjectConfirmation Method')
             return False
     except Exception:
@@ -324,12 +317,12 @@ def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=
 
     # Check: Check that the url is the same as in the assertion
     try:
-        if assertion.subject. \
-                subjectConfirmation.subjectConfirmationData.recipient != \
-                subject_confirmation:
-            logger.error('SubjectConfirmation Recipient Mismatch, %s is not %s',
-                         assertion.subject.subjectConfirmation.subjectConfirmationData.recipient,
-                         subject_confirmation)
+        if assertion.subject.subjectConfirmation.subjectConfirmationData.recipient != subject_confirmation:
+            logger.error(
+                'SubjectConfirmation Recipient Mismatch, %s is not %s',
+                assertion.subject.subjectConfirmation.subjectConfirmationData.recipient,
+                subject_confirmation,
+            )
             return False
     except Exception:
         logger.error('Error checking SubjectConfirmation Recipient')
@@ -355,19 +348,19 @@ def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=
     # Check: notBefore, notOnOrAfter
     now = datetime.datetime.utcnow()
     try:
-        not_before = assertion.subject. \
-            subjectConfirmation.subjectConfirmationData.notBefore
+        not_before = assertion.subject.subjectConfirmation.subjectConfirmationData.notBefore
     except Exception:
         logger.error('missing subjectConfirmationData')
         return False
 
-    not_on_or_after = assertion.subject.subjectConfirmation. \
-        subjectConfirmationData.notOnOrAfter
+    not_on_or_after = assertion.subject.subjectConfirmation.subjectConfirmationData.notOnOrAfter
 
     if irt:
         if not_before is not None:
-            logger.error('assertion in response to an AuthnRequest, \
-                notBefore MUST not be present in SubjectConfirmationData')
+            logger.error(
+                'assertion in response to an AuthnRequest, \
+                notBefore MUST not be present in SubjectConfirmationData'
+            )
             return False
     elif not_before is not None and not not_before.endswith('Z'):
         logger.error('invalid notBefore value ' + not_before)
@@ -390,8 +383,11 @@ def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=
         logger.error('invalid notOnOrAfter value')
         return False
 
-    logger.debug('assertion validity timeslice respected \
-        %s <= %s < %s ' % (not_before, str(now), not_on_or_after))
+    logger.debug(
+        'assertion validity timeslice respected \
+        %s <= %s < %s '
+        % (not_before, str(now), not_on_or_after)
+    )
     return True
 
 
@@ -407,8 +403,11 @@ def get_attributes_from_assertion(assertion, logger):
             try:
                 name = attribute.name.decode('ascii')
             except Exception:
-                logger.warning('get_attributes_from_assertion: error decoding name of \
-                    attribute %s' % attribute.dump())
+                logger.warning(
+                    'get_attributes_from_assertion: error decoding name of \
+                    attribute %s'
+                    % attribute.dump()
+                )
             else:
                 try:
                     if attribute.nameFormat:
@@ -447,13 +446,13 @@ if __name__ == '__main__':
         lasso.SAML2_METADATA_BINDING_POST,
     ]
     options = {'signing_key': pkey}
-    meta.add_sp_descriptor((
-        ('SingleLogoutService',
-            lasso.SAML2_METADATA_BINDING_SOAP, 'logout', 'logoutReturn' ),
-        ('ManageNameIDService',
-            bindings2, 'manageNameID', 'manageNameIDReturn' ),
-        ('AssertionConsumerService',
-            [lasso.SAML2_METADATA_BINDING_POST ], 'acs'),),
-        options)
+    meta.add_sp_descriptor(
+        (
+            ('SingleLogoutService', lasso.SAML2_METADATA_BINDING_SOAP, 'logout', 'logoutReturn'),
+            ('ManageNameIDService', bindings2, 'manageNameID', 'manageNameIDReturn'),
+            ('AssertionConsumerService', [lasso.SAML2_METADATA_BINDING_POST], 'acs'),
+        ),
+        options,
+    )
     root = meta.root_element()
     print(etree.tostring(root))
diff --git a/src/authentic2/saml/shibboleth/utils.py b/src/authentic2/saml/shibboleth/utils.py
index 3b08dbf0..fc3eab5d 100644
--- a/src/authentic2/saml/shibboleth/utils.py
+++ b/src/authentic2/saml/shibboleth/utils.py
@@ -37,4 +37,3 @@ class FancyTreeBuilder(XMLParser):
 
     def _start_ns(self, prefix, uri):
         self._namespaces[prefix] = uri
-
diff --git a/src/authentic2/saml/utils.py b/src/authentic2/saml/utils.py
index c960e789..dd9deeca 100644
--- a/src/authentic2/saml/utils.py
+++ b/src/authentic2/saml/utils.py
@@ -33,5 +33,3 @@ def saml_good_next_url(next_url):
         if same_origin(entity_id, next_url):
             return True
     return None
-
-
diff --git a/src/authentic2/saml/x509utils.py b/src/authentic2/saml/x509utils.py
index 3c14fe83..a15508c3 100644
--- a/src/authentic2/saml/x509utils.py
+++ b/src/authentic2/saml/x509utils.py
@@ -34,19 +34,18 @@ def decapsulate_pem_file(file_or_string):
     j = content.find('\n', i)
     k = content.find('--END', j)
     l = content.rfind('\n', 0, k)  # noqa: E741
-    return content[j + 1:l]
+    return content[j + 1 : l]
 
 
 def _call_openssl(args):
-    '''Use subprocees to spawn an openssl process
+    """Use subprocees to spawn an openssl process
 
     Return a tuple made of the return code and the stdout output
-    '''
+    """
     try:
-        process = subprocess.Popen(args=[_openssl] + args,
-                                   stdout=subprocess.PIPE,
-                                   stderr=subprocess.STDOUT,
-                                   universal_newlines=True)
+        process = subprocess.Popen(
+            args=[_openssl] + args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True
+        )
         output = process.communicate()[0]
         return process.returncode, output
     except OSError:
@@ -54,9 +53,9 @@ def _call_openssl(args):
 
 
 def check_key_pair_consistency(publickey=None, privatekey=None):
-    '''Check if two PEM key pair whether they are publickey or certificate, are
+    """Check if two PEM key pair whether they are publickey or certificate, are
     well formed and related.
-    '''
+    """
     if not publickey or not privatekey:
         return None
 
@@ -74,7 +73,9 @@ def check_key_pair_consistency(publickey=None, privatekey=None):
         else:
             rc1, modulus1 = _call_openssl(['rsa', '-pubin', '-in', publickey_file.name, '-noout', '-modulus'])
             if rc1 != 0:
-                rc1, modulus1 = _call_openssl(['dsa', '-pubin', '-in', publickey_file.name, '-noout', '-modulus'])
+                rc1, modulus1 = _call_openssl(
+                    ['dsa', '-pubin', '-in', publickey_file.name, '-noout', '-modulus']
+                )
 
         if rc1 != 0:
             return False
@@ -90,8 +91,7 @@ def check_key_pair_consistency(publickey=None, privatekey=None):
 
 
 def generate_rsa_keypair(numbits=1024):
-    '''Generate simple RSA public and private key files
-    '''
+    """Generate simple RSA public and private key files"""
     privatekey_file = tempfile.NamedTemporaryFile(mode='r')
     publickey_file = tempfile.NamedTemporaryFile(mode='r')
 
@@ -124,7 +124,7 @@ def get_rsa_public_key_modulus(publickey):
         i = modulus.find('=')
 
         if rc == 0 and i:
-            return int(modulus[i + 1:].strip(), 16)
+            return int(modulus[i + 1 :].strip(), 16)
     return None
 
 
@@ -148,7 +148,7 @@ def get_rsa_public_key_exponent(publickey):
         i = modulus.find(_exponent)
         j = modulus.find('(', i)
         if rc == 0 and i and j:
-            return int(modulus[i + len(_exponent):j].strip())
+            return int(modulus[i + len(_exponent) : j].strip())
     return None
 
 
@@ -175,7 +175,9 @@ def get_xmldsig_rsa_key_value(publickey):
     return (
         '<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">\n\t'
         '<Modulus>%s</Modulus>\n\t'
-        '<Exponent>%s</Exponent>\n</RSAKeyValue>' % (
+        '<Exponent>%s</Exponent>\n</RSAKeyValue>'
+        % (
             int_to_cryptobinary(mod),
             int_to_cryptobinary(exp),
-    ))
+        )
+    )
diff --git a/src/authentic2/serializers.py b/src/authentic2/serializers.py
index cdc92178..a0319888 100644
--- a/src/authentic2/serializers.py
+++ b/src/authentic2/serializers.py
@@ -72,6 +72,7 @@ def Deserializer(stream_or_string, **options):
     Deserialize a stream or string of JSON data.
     """
     from django.core.serializers.python import Deserializer as PythonDeserializer
+
     if not isinstance(stream_or_string, (bytes, six.string_types)):
         stream_or_string = stream_or_string.read()
     if isinstance(stream_or_string, bytes):
diff --git a/src/authentic2/settings.py b/src/authentic2/settings.py
index cce65c88..d706b081 100644
--- a/src/authentic2/settings.py
+++ b/src/authentic2/settings.py
@@ -16,6 +16,7 @@
 
 import logging
 import logging.config
+
 # Load default from Django
 from django.conf import global_settings
 import os
@@ -119,7 +120,7 @@ ROOT_URLCONF = 'authentic2.urls'
 
 STATICFILES_FINDERS = list(global_settings.STATICFILES_FINDERS) + ['gadjo.finders.XStaticFinder']
 
-LOCALE_PATHS = (os.path.join(BASE_DIR, 'locale'), )
+LOCALE_PATHS = (os.path.join(BASE_DIR, 'locale'),)
 
 INSTALLED_APPS = (
     'django.contrib.staticfiles',
@@ -191,8 +192,7 @@ AUTH_FRONTENDS = (
     'authentic2_auth_saml.authenticators.SAMLAuthenticator',
     'authentic2_auth_oidc.authenticators.OIDCAuthenticator',
     'authentic2_auth_fc.authenticators.FcAuthenticator',
-) + plugins.register_plugins_authenticators((
-    'authentic2.authenticators.LoginPasswordAuthenticator',))
+) + plugins.register_plugins_authenticators(('authentic2.authenticators.LoginPasswordAuthenticator',))
 
 ###########################
 # RBAC settings
@@ -242,16 +242,16 @@ LOGGING = {
         },
         'force_debug': {
             '()': 'authentic2.log_filters.ForceDebugFilter',
-        }
+        },
     },
     'formatters': {
         'verbose': {
             'format': '[%(asctime)s] %(ip)s %(user)s %(request_id)s %(levelname)s %(name)s.%(funcName)s: %(message)s',
-            'datefmt': '%Y-%m-%d %a %H:%M:%S'
+            'datefmt': '%Y-%m-%d %a %H:%M:%S',
         },
         'verbose_db': {
             'format': '[%(asctime)s] - - - %(levelname)s %(name)s.%(funcName)s: %(message)s',
-            'datefmt': '%Y-%m-%d %a %H:%M:%S'
+            'datefmt': '%Y-%m-%d %a %H:%M:%S',
         },
     },
     'handlers': {
@@ -313,9 +313,7 @@ REST_FRAMEWORK = {
         'authentic2.authentication.Authentic2Authentication',
         'rest_framework.authentication.SessionAuthentication',
     ),
-    'DEFAULT_PERMISSION_CLASSES': (
-        'rest_framework.permissions.IsAuthenticated',
-    ),
+    'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.IsAuthenticated',),
     'DEFAULT_FILTER_BACKENDS': (
         'django_filters.rest_framework.DjangoFilterBackend',
         'rest_framework.filters.OrderingFilter',
@@ -336,8 +334,19 @@ DJANGO_RBAC_PERMISSIONS_HIERARCHY = {
     'change_email': ['view', 'search'],
     'reset_password': ['view', 'search'],
     'activate': ['view', 'search'],
-    'admin': ['change', 'delete', 'add', 'view', 'change_password', 'reset_password', 'activate',
-              'search', 'change_email', 'manage_members', 'manage_authorizations'],
+    'admin': [
+        'change',
+        'delete',
+        'add',
+        'view',
+        'change_password',
+        'reset_password',
+        'activate',
+        'search',
+        'change_email',
+        'manage_members',
+        'manage_authorizations',
+    ],
     'change': ['view', 'search', 'manage_members'],
     'delete': ['view', 'search'],
     'add': ['view', 'search'],
diff --git a/src/authentic2/urls.py b/src/authentic2/urls.py
index 34da9524..aa8f3a91 100644
--- a/src/authentic2/urls.py
+++ b/src/authentic2/urls.py
@@ -38,70 +38,63 @@ import authentic2.idp.saml.app_settings
 admin.autodiscover()
 
 accounts_urlpatterns = [
-    url(r'^activate/(?P<registration_token>[A-Za-z0-9_ -]+)/$',
-        views.registration_completion, name='registration_activate'),
-    url(r'^register/$',
-        views.RegistrationView.as_view(),
-        name='registration_register'),
-    url(r'^register/complete/$',
-        views.registration_complete,
-        name='registration_complete'),
-    url(r'^register/closed/$',
+    url(
+        r'^activate/(?P<registration_token>[A-Za-z0-9_ -]+)/$',
+        views.registration_completion,
+        name='registration_activate',
+    ),
+    url(r'^register/$', views.RegistrationView.as_view(), name='registration_register'),
+    url(r'^register/complete/$', views.registration_complete, name='registration_complete'),
+    url(
+        r'^register/closed/$',
         TemplateView.as_view(template_name='registration/registration_closed.html'),
-        name='registration_disallowed'),
-    url(r'^delete/$',
-        login_required(views.DeleteView.as_view()),
-        name='delete_account'),
-    url(r'validate-deletion/(?P<deletion_token>[\w: -]+)/$',
+        name='registration_disallowed',
+    ),
+    url(r'^delete/$', login_required(views.DeleteView.as_view()), name='delete_account'),
+    url(
+        r'validate-deletion/(?P<deletion_token>[\w: -]+)/$',
         views.ValidateDeletionView.as_view(),
-        name='validate_deletion'),
-    url(r'^logged-in/$',
-        views.logged_in,
-        name='logged-in'),
-    url(r'^edit/$',
-        views.edit_profile,
-        name='profile_edit'),
-    url(r'^edit/(?P<scope>[-\w]+)/$',
-        views.edit_profile,
-        name='profile_edit_with_scope'),
-    url(r'^change-email/$',
-        views.email_change,
-        name='email-change'),
-    url(r'^change-email/verify/$',
-        views.email_change_verify,
-        name='email-change-verify'),
-    url(r'^authorizations/$',
+        name='validate_deletion',
+    ),
+    url(r'^logged-in/$', views.logged_in, name='logged-in'),
+    url(r'^edit/$', views.edit_profile, name='profile_edit'),
+    url(r'^edit/(?P<scope>[-\w]+)/$', views.edit_profile, name='profile_edit_with_scope'),
+    url(r'^change-email/$', views.email_change, name='email-change'),
+    url(r'^change-email/verify/$', views.email_change_verify, name='email-change-verify'),
+    url(
+        r'^authorizations/$',
         login_required(views.authorized_oauth_services),
-        name='authorized-oauth-services'),
-    url(r'^$',
-        views.profile,
-        name='account_management'),
-
+        name='authorized-oauth-services',
+    ),
+    url(r'^$', views.profile, name='account_management'),
     # Password change
-    url(r'^password/change/$',
-        views.password_change,
-        name='password_change'),
-    url(r'^password/change/done/$',
+    url(r'^password/change/$', views.password_change, name='password_change'),
+    url(
+        r'^password/change/done/$',
         dj_auth_views.PasswordChangeDoneView.as_view(),
-        name='password_change_done'),
-
+        name='password_change_done',
+    ),
     # Password reset
-    url(r'^password/reset/confirm/(?P<token>[A-Za-z0-9_ -]+)/$',
+    url(
+        r'^password/reset/confirm/(?P<token>[A-Za-z0-9_ -]+)/$',
         views.password_reset_confirm,
-        name='password_reset_confirm'),
-    url(r'^password/reset/$',
-        views.password_reset,
-        name='password_reset'),
-    url(r'^password/reset/instructions/$',
+        name='password_reset_confirm',
+    ),
+    url(r'^password/reset/$', views.password_reset, name='password_reset'),
+    url(
+        r'^password/reset/instructions/$',
         views.password_reset_instructions,
-        name='password_reset_instructions'),
-    url(r'^password/reset/.*',
+        name='password_reset_instructions',
+    ),
+    url(
+        r'^password/reset/.*',
         views.old_view_redirect,
         kwargs={
             'to': 'password_reset',
             'message': _('Your password reset link has become invalid, please reset your password again.'),
         },
-        name='invalid-password-reset-urls'),
+        name='invalid-password-reset-urls',
+    ),
 ]
 
 urlpatterns = [
@@ -126,18 +119,12 @@ except Exception:
     pass
 
 if settings.DEBUG:
-    urlpatterns += [
-        url(r'^static/(?P<path>.*)$', serve)
-    ]
-    urlpatterns += [
-        url(r'^media/(?P<path>.*)$', media_serve,
-            {
-                'document_root': settings.MEDIA_ROOT
-            })
-    ]
+    urlpatterns += [url(r'^static/(?P<path>.*)$', serve)]
+    urlpatterns += [url(r'^media/(?P<path>.*)$', media_serve, {'document_root': settings.MEDIA_ROOT})]
 
 if settings.DEBUG and 'debug_toolbar' in settings.INSTALLED_APPS:
     import debug_toolbar
+
     urlpatterns = [
         url(r'^__debug__/', include(debug_toolbar.urls)),
     ] + urlpatterns
@@ -148,26 +135,21 @@ urlpatterns = required(xframe_options_deny, urlpatterns)
 urlpatterns = plugins.register_plugins_urls(urlpatterns)
 
 authentic2_idp_saml_urls = required(
-    (
-        setting_enabled('ENABLE', settings=authentic2.idp.saml.app_settings),
-        lasso_required()
-    ),
-    [url(r'^idp/saml2/', include('authentic2.idp.saml.urls'))]
+    (setting_enabled('ENABLE', settings=authentic2.idp.saml.app_settings), lasso_required()),
+    [url(r'^idp/saml2/', include('authentic2.idp.saml.urls'))],
 )
 
 authentic2_idp_cas_urls = required(
-    (
-        setting_enabled('ENABLE', settings=authentic2_idp_cas.app_settings),
-    ),
-    [url(r'^idp/cas/', include('authentic2_idp_cas.urls'))]
+    (setting_enabled('ENABLE', settings=authentic2_idp_cas.app_settings),),
+    [url(r'^idp/cas/', include('authentic2_idp_cas.urls'))],
 )
 
 urlpatterns = (
-    authentic2_auth_fc.urls.urlpatterns +
-    authentic2_idp_oidc.urls.urlpatterns +
-    authentic2_idp_cas_urls +
-    authentic2_auth_oidc.urls.urlpatterns +
-    authentic2_auth_saml.urls.urlpatterns +
-    authentic2_idp_saml_urls +
-    urlpatterns
+    authentic2_auth_fc.urls.urlpatterns
+    + authentic2_idp_oidc.urls.urlpatterns
+    + authentic2_idp_cas_urls
+    + authentic2_auth_oidc.urls.urlpatterns
+    + authentic2_auth_saml.urls.urlpatterns
+    + authentic2_idp_saml_urls
+    + urlpatterns
 )
diff --git a/src/authentic2/user_login_failure.py b/src/authentic2/user_login_failure.py
index 7095f44c..974006ba 100644
--- a/src/authentic2/user_login_failure.py
+++ b/src/authentic2/user_login_failure.py
@@ -36,7 +36,8 @@ def user_login_failure(identifier):
     count = cache.incr(key(identifier))
     logger = logging.getLogger('authentic2.user_login_failure')
     logger.info(u'user %s failed to login', identifier)
-    if (app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING
-            and count >= app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING):
+    if (
+        app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING
+        and count >= app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING
+    ):
         logger.warning(u'user %s failed to login more than %d times in a row', identifier, count)
-
diff --git a/src/authentic2/utils/__init__.py b/src/authentic2/utils/__init__.py
index c9657e4f..754605e3 100644
--- a/src/authentic2/utils/__init__.py
+++ b/src/authentic2/utils/__init__.py
@@ -34,9 +34,12 @@ from django.core.mail import EmailMessage
 from django.http import HttpResponseRedirect, HttpResponse
 from django.core.exceptions import ImproperlyConfigured
 from django.http.request import QueryDict
-from django.contrib.auth import (REDIRECT_FIELD_NAME, login as auth_login,
-                                 authenticate as dj_authenticate,
-                                 get_user_model)
+from django.contrib.auth import (
+    REDIRECT_FIELD_NAME,
+    login as auth_login,
+    authenticate as dj_authenticate,
+    get_user_model,
+)
 from django import forms
 from django.forms.utils import ErrorList, to_current_timezone
 from django.utils import timezone
@@ -61,8 +64,7 @@ except ImportError:
     # Django < 1.8
     from django.db.models.fields import FieldDoesNotExist
 
-from authentic2.saml.saml2utils import filter_attribute_private_key, \
-    filter_element_private_key
+from authentic2.saml.saml2utils import filter_attribute_private_key, filter_element_private_key
 
 from .. import plugins, app_settings, constants, crypto
 from .service import set_service_ref
@@ -77,6 +79,7 @@ class CleanLogMessage(logging.Filter):
 
 class MWT(object):
     """Memoize With Timeout"""
+
     _caches = {}
     _timeouts = {}
 
@@ -107,6 +110,7 @@ class MWT(object):
             except KeyError:
                 v = self.cache[key] = f(*args, **kwargs), time.time()
             return v[0]
+
         func.func_name = f.func_name
 
         return func
@@ -126,8 +130,9 @@ def flush_django_session(django_session_key):
 
 
 class IterableFactory(object):
-    '''Return an new iterable using a generator function each time this object
-       is iterated.'''
+    """Return an new iterable using a generator function each time this object
+    is iterated."""
+
     def __init__(self, f):
         self.f = f
 
@@ -154,19 +159,19 @@ def accumulate_from_backends(request, method_name, **kwargs):
 def load_backend(path, kwargs):
     '''Load an IdP backend by its module path'''
     i = path.rfind('.')
-    module, attr = path[:i], path[i + 1:]
+    module, attr = path[:i], path[i + 1 :]
     try:
         mod = import_module(module)
     except ImportError as e:
         raise ImproperlyConfigured('Error importing idp backend %s: "%s"' % (module, e))
     except ValueError:
-        raise ImproperlyConfigured('Error importing idp backends. Is IDP_BACKENDS a correctly '
-                                   'defined list or tuple?')
+        raise ImproperlyConfigured(
+            'Error importing idp backends. Is IDP_BACKENDS a correctly ' 'defined list or tuple?'
+        )
     try:
         cls = getattr(mod, attr)
     except AttributeError:
-        raise ImproperlyConfigured('Module "%s" does not define a "%s" idp backend'
-                                   % (module, attr))
+        raise ImproperlyConfigured('Module "%s" does not define a "%s" idp backend' % (module, attr))
     backend_kwargs = {}
     if hasattr(cls, 'id'):
         backend_kwargs.update(kwargs.get(cls.id, {}))
@@ -284,18 +289,31 @@ def is_valid_url(url):
         return False
 
 
-def make_url(to, args=(), kwargs={}, keep_params=False, params=None, append=None, request=None,
-             include=None, exclude=None, fragment=None, absolute=False,
-             resolve=True, next_url=None, sign_next_url=False):
-    '''Build an URL from a relative or absolute path, a model instance, a view
-       name or view function.
-
-       If you pass a request you can ask to keep params from it, exclude some
-       of them or include only a subset of them.
-       You can set parameters or append to existing one.
-       If a parameter value is None, it clears the parameter from the URL, if
-       the parameter was appended, it's just ignored.
-    '''
+def make_url(
+    to,
+    args=(),
+    kwargs={},
+    keep_params=False,
+    params=None,
+    append=None,
+    request=None,
+    include=None,
+    exclude=None,
+    fragment=None,
+    absolute=False,
+    resolve=True,
+    next_url=None,
+    sign_next_url=False,
+):
+    """Build an URL from a relative or absolute path, a model instance, a view
+    name or view function.
+
+    If you pass a request you can ask to keep params from it, exclude some
+    of them or include only a subset of them.
+    You can set parameters or append to existing one.
+    If a parameter value is None, it clears the parameter from the URL, if
+    the parameter was appended, it's just ignored.
+    """
     if resolve:
         url = resolve_url(to, *args, **kwargs)
     else:
@@ -350,28 +368,54 @@ def make_url(to, args=(), kwargs={}, keep_params=False, params=None, append=None
 
 
 # improvement over django.shortcuts.redirect
-def redirect(request, to, args=(), kwargs={}, keep_params=False, params=None,
-             append=None, include=None, exclude=None, permanent=False,
-             fragment=None, status=302, resolve=True):
-    '''Build a redirect response to an absolute or relative URL, eventually
-       adding params from the request or new, see make_url().
-    '''
-    url = make_url(to, args=args, kwargs=kwargs, keep_params=keep_params,
-                   params=params, append=append, request=request,
-                   include=include, exclude=exclude, fragment=fragment, resolve=resolve)
+def redirect(
+    request,
+    to,
+    args=(),
+    kwargs={},
+    keep_params=False,
+    params=None,
+    append=None,
+    include=None,
+    exclude=None,
+    permanent=False,
+    fragment=None,
+    status=302,
+    resolve=True,
+):
+    """Build a redirect response to an absolute or relative URL, eventually
+    adding params from the request or new, see make_url().
+    """
+    url = make_url(
+        to,
+        args=args,
+        kwargs=kwargs,
+        keep_params=keep_params,
+        params=params,
+        append=append,
+        request=request,
+        include=include,
+        exclude=exclude,
+        fragment=fragment,
+        resolve=resolve,
+    )
     if permanent:
         status = 301
     return HttpResponseRedirect(url, status=status)
 
 
-def redirect_to_login(request, login_url='auth_login', keep_params=True,
-                      include=(REDIRECT_FIELD_NAME, constants.NONCE_FIELD_NAME), **kwargs):
+def redirect_to_login(
+    request,
+    login_url='auth_login',
+    keep_params=True,
+    include=(REDIRECT_FIELD_NAME, constants.NONCE_FIELD_NAME),
+    **kwargs,
+):
     '''Redirect to the login, eventually adding a nonce'''
     return redirect(request, login_url, keep_params=keep_params, include=include, **kwargs)
 
 
-def continue_to_next_url(request, keep_params=True, include=(constants.NONCE_FIELD_NAME,),
-                         **kwargs):
+def continue_to_next_url(request, keep_params=True, include=(constants.NONCE_FIELD_NAME,), **kwargs):
     next_url = select_next_url(request, settings.LOGIN_REDIRECT_URL, include_post=True)
     return redirect(request, to=next_url, keep_params=keep_params, include=include, **kwargs)
 
@@ -384,12 +428,12 @@ def get_nonce(request):
 
 
 def record_authentication_event(request, how, nonce=None):
-    '''Record an authentication event in the session and in the database, in
-       later version the database persistence can be removed'''
+    """Record an authentication event in the session and in the database, in
+    later version the database persistence can be removed"""
     from .. import models
+
     logging.getLogger(__name__).info('logged in (%s)', how)
-    authentication_events = request.session.setdefault(constants.AUTHENTICATION_EVENTS_SESSION_KEY,
-                                                       [])
+    authentication_events = request.session.setdefault(constants.AUTHENTICATION_EVENTS_SESSION_KEY, [])
     # As we update a persistent object and not a session key we must
     # explicitly state that the session has been modified
     request.session.modified = True
@@ -398,7 +442,6 @@ def record_authentication_event(request, how, nonce=None):
         'who_id': getattr(request.user, 'pk', None),
         'how': how,
         'when': int(time.time()),
-
     }
     kwargs = {
         'who': six.text_type(request.user)[:80],
@@ -414,8 +457,8 @@ def record_authentication_event(request, how, nonce=None):
 
 
 def find_authentication_event(request, nonce):
-    '''Find an authentication event occurring during this session and matching
-       this nonce.'''
+    """Find an authentication event occurring during this session and matching
+    this nonce."""
     for event in get_authentication_events(request=request):
         if event.get('nonce') == nonce:
             return event
@@ -430,8 +473,8 @@ def last_authentication_event(request=None, session=None):
 
 
 def login(request, user, how, service=None, service_slug=None, nonce=None, record=True, **kwargs):
-    '''Login a user model, record the authentication event and redirect to next
-       URL or settings.LOGIN_REDIRECT_URL.'''
+    """Login a user model, record the authentication event and redirect to next
+    URL or settings.LOGIN_REDIRECT_URL."""
     from .. import hooks
     from .views import check_cookie_works
 
@@ -444,8 +487,7 @@ def login(request, user, how, service=None, service_slug=None, nonce=None, recor
     if hasattr(user, 'init_to_session'):
         user.init_to_session(request.session)
     if constants.LAST_LOGIN_SESSION_KEY not in request.session:
-        request.session[constants.LAST_LOGIN_SESSION_KEY] = \
-            localize(to_current_timezone(last_login), True)
+        request.session[constants.LAST_LOGIN_SESSION_KEY] = localize(to_current_timezone(last_login), True)
     record_authentication_event(request, how, nonce=nonce)
     hooks.call_hooks('event', name='login', user=user, how=how, service=service_slug)
     # prevent logint-hint to influence next use of the login page
@@ -489,12 +531,10 @@ def redirect_and_come_back(request, to, **kwargs):
 
 
 def generate_password():
-    '''Generate a password based on a certain composition based on number of
-       characters based on classes of characters.
-    '''
-    composition = ((2, '23456789'),
-                   (6, 'ABCDEFGHJKLMNPQRSTUVWXYZ'),
-                   (1, '%$/\\#@!'))
+    """Generate a password based on a certain composition based on number of
+    characters based on classes of characters.
+    """
+    composition = ((2, '23456789'), (6, 'ABCDEFGHJKLMNPQRSTUVWXYZ'), (1, '%$/\\#@!'))
     parts = []
     for cnt, alphabet in composition:
         for i in range(cnt):
@@ -525,11 +565,11 @@ def import_module_or_class(path):
 
 
 def check_referer(request, skip_post=True):
-    '''Check that the current referer match current origin.
+    """Check that the current referer match current origin.
 
-       Post requests are usually ignored as they are already check by the
-       CSRF middleware.
-    '''
+    Post requests are usually ignored as they are already check by the
+    CSRF middleware.
+    """
     if skip_post and request.method == 'POST':
         return True
     referer = request.META.get('HTTP_REFERER')
@@ -551,7 +591,7 @@ def get_user_from_session_key(session_key):
     '''Get the user logged in an active session'''
     from importlib import import_module
     from django.conf import settings
-    from django.contrib.auth import (load_backend, SESSION_KEY, BACKEND_SESSION_KEY)
+    from django.contrib.auth import load_backend, SESSION_KEY, BACKEND_SESSION_KEY
     from django.contrib.auth.models import AnonymousUser
     from authentic2.compat.misc import signature_parameters
 
@@ -575,6 +615,7 @@ def to_list(func):
     @wraps(func)
     def f(*args, **kwargs):
         return list(func(*args, **kwargs))
+
     return f
 
 
@@ -582,6 +623,7 @@ def to_iter(func):
     @wraps(func)
     def f(*args, **kwargs):
         return IterableFactory(lambda: func(*args, **kwargs))
+
     return f
 
 
@@ -609,9 +651,9 @@ def get_hex_uuid():
 
 
 def get_fields_and_labels(*args):
-    '''Analyze fields settings and extracts ordered list of fields and
-       their overriden labels.
-    '''
+    """Analyze fields settings and extracts ordered list of fields and
+    their overriden labels.
+    """
     labels = {}
     fields = []
     for arg in args:
@@ -629,16 +671,26 @@ def render_plain_text_template_to_string(template_names, ctx, request=None):
     return template.template.render(make_context(ctx, request=request, autoescape=False))
 
 
-def send_templated_mail(user_or_email, template_names, context=None, with_html=True,
-                        from_email=None, request=None, legacy_subject_templates=None,
-                        legacy_body_templates=None, legacy_html_body_templates=None,
-                        per_ou_templates=False, **kwargs):
-    '''Send mail to an user by using templates:
-       - <template_name>_subject.txt for the subject
-       - <template_name>_body.txt for the plain text body
-       - <template_name>_body.html for the HTML body
-    '''
+def send_templated_mail(
+    user_or_email,
+    template_names,
+    context=None,
+    with_html=True,
+    from_email=None,
+    request=None,
+    legacy_subject_templates=None,
+    legacy_body_templates=None,
+    legacy_html_body_templates=None,
+    per_ou_templates=False,
+    **kwargs,
+):
+    """Send mail to an user by using templates:
+    - <template_name>_subject.txt for the subject
+    - <template_name>_body.txt for the plain text body
+    - <template_name>_body.html for the HTML body
+    """
     from .. import middleware
+
     if isinstance(template_names, six.string_types):
         template_names = [template_names]
     if per_ou_templates and getattr(user_or_email, 'ou', None):
@@ -685,8 +737,14 @@ def send_templated_mail(user_or_email, template_names, context=None, with_html=T
         )
         msg.send()
     else:
-        send_mail(subject, body, from_email or settings.DEFAULT_FROM_EMAIL, [user_or_email],
-                  html_message=html_body, **kwargs)
+        send_mail(
+            subject,
+            body,
+            from_email or settings.DEFAULT_FROM_EMAIL,
+            [user_or_email],
+            html_message=html_body,
+            **kwargs,
+        )
 
 
 def get_fk_model(model, fieldname):
@@ -702,8 +760,9 @@ def get_fk_model(model, fieldname):
 
 def get_registration_url(request, service=None):
     next_url = select_next_url(request, settings.LOGIN_REDIRECT_URL)
-    next_url = make_url(next_url, request=request, keep_params=True,
-                        include=(constants.NONCE_FIELD_NAME,), resolve=False)
+    next_url = make_url(
+        next_url, request=request, keep_params=True, include=(constants.NONCE_FIELD_NAME,), resolve=False
+    )
     params = {REDIRECT_FIELD_NAME: next_url}
     if service:
         set_service_ref(params, service)
@@ -723,7 +782,8 @@ def build_activation_url(request, email, next_url=None, ou=None, **kwargs):
     Token.objects.filter(kind='registration', content__email=email).delete()
     token = Token.create('registration', data, duration=lifetime)
     activate_url = request.build_absolute_uri(
-        reverse('registration_activate', kwargs={'registration_token': token.uuid_b64url}))
+        reverse('registration_activate', kwargs={'registration_token': token.uuid_b64url})
+    )
     return activate_url
 
 
@@ -732,17 +792,17 @@ def build_deletion_url(request, **kwargs):
     data['user_pk'] = request.user.pk
     deletion_token = signing.dumps(data)
     delete_url = request.build_absolute_uri(
-            reverse('validate_deletion', kwargs={'deletion_token': deletion_token}))
+        reverse('validate_deletion', kwargs={'deletion_token': deletion_token})
+    )
     return delete_url
 
 
-def send_registration_mail(request, email, ou, template_names=None, next_url=None, context=None,
-                           **kwargs):
-    '''Send a registration mail to an user. All given kwargs will be used
-       to completed the user model.
+def send_registration_mail(request, email, ou, template_names=None, next_url=None, context=None, **kwargs):
+    """Send a registration mail to an user. All given kwargs will be used
+    to completed the user model.
 
-       Can raise an smtplib.SMTPException
-    '''
+    Can raise an smtplib.SMTPException
+    """
     logger = logging.getLogger(__name__)
     User = get_user_model()
 
@@ -750,8 +810,7 @@ def send_registration_mail(request, email, ou, template_names=None, next_url=Non
         template_names = ['authentic2/activation_email']
 
     # registration_url
-    registration_url = build_activation_url(request, email=email, next_url=next_url, ou=ou,
-                                            **kwargs)
+    registration_url = build_activation_url(request, email=email, next_url=next_url, ou=ou, **kwargs)
 
     # existing accounts
     existing_accounts = User.objects.filter(email=email)
@@ -760,59 +819,59 @@ def send_registration_mail(request, email, ou, template_names=None, next_url=Non
 
     # ctx for rendering the templates
     context = context or {}
-    context.update({
-        'registration_url': registration_url,
-        'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS,
-        'email': email,
-        'site': request.get_host(),
-        'existing_accounts': existing_accounts,
-    })
-
-    send_templated_mail(email, template_names,
-                        request=request,
-                        context=context,
-                        # legacy templates, for new templates use
-                        # authentic2/activation_email_body.txt
-                        # authentic2/activation_email_body.html
-                        # authentic2/activation_email_subject.txt
-                        legacy_subject_templates=['registration/activation_email_subject.txt'],
-                        legacy_body_templates=['registration/activation_email.txt'],
-                        legacy_html_body_templates=['registration/activation_email.html'])
-    logger.info(u'registration mail sent to  %s with registration URL %s...', email,
-                registration_url)
+    context.update(
+        {
+            'registration_url': registration_url,
+            'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS,
+            'email': email,
+            'site': request.get_host(),
+            'existing_accounts': existing_accounts,
+        }
+    )
+
+    send_templated_mail(
+        email,
+        template_names,
+        request=request,
+        context=context,
+        # legacy templates, for new templates use
+        # authentic2/activation_email_body.txt
+        # authentic2/activation_email_body.html
+        # authentic2/activation_email_subject.txt
+        legacy_subject_templates=['registration/activation_email_subject.txt'],
+        legacy_body_templates=['registration/activation_email.txt'],
+        legacy_html_body_templates=['registration/activation_email.html'],
+    )
+    logger.info(u'registration mail sent to  %s with registration URL %s...', email, registration_url)
     request.journal.record('user.registration.request', email=email)
 
 
 def send_account_deletion_code(request, user):
-    '''Send an account deletion notification code to a user.
+    """Send an account deletion notification code to a user.
 
-       Can raise an smtplib.SMTPException
-    '''
+    Can raise an smtplib.SMTPException
+    """
     logger = logging.getLogger(__name__)
     deletion_url = build_deletion_url(request)
     context = {
         'full_name': request.user.get_full_name(),
         'user': request.user,
         'site': request.get_host(),
-        'deletion_url': deletion_url}
-    template_names = [
-        'authentic2/account_deletion_code']
+        'deletion_url': deletion_url,
+    }
+    template_names = ['authentic2/account_deletion_code']
     send_templated_mail(user, template_names, context, request=request, per_ou_templates=True)
     logger.info(u'account deletion code sent to %s', user.email)
 
 
 def send_account_deletion_mail(request, user):
-    '''Send an account deletion notification mail to a user.
+    """Send an account deletion notification mail to a user.
 
-       Can raise an smtplib.SMTPException
-    '''
+    Can raise an smtplib.SMTPException
+    """
     logger = logging.getLogger(__name__)
-    context = {
-        'full_name': user.get_full_name(),
-        'user': user,
-        'site': request.get_host()}
-    template_names = [
-        'authentic2/account_delete_notification']
+    context = {'full_name': user.get_full_name(), 'user': user, 'site': request.get_host()}
+    template_names = ['authentic2/account_delete_notification']
     send_templated_mail(user, template_names, context, request=request, per_ou_templates=True)
     logger.info(u'account deletion mail sent to %s', user.email)
 
@@ -834,18 +893,25 @@ def build_reset_password_url(user, request=None, next_url=None, set_random_passw
         next_url=next_url,
         sign_next_url=sign_next_url,
         request=request,
-        absolute=True)
+        absolute=True,
+    )
     return reset_url, token
 
 
-def send_password_reset_mail(user, template_names=None, request=None,
-                             token_generator=None, from_email=None,
-                             next_url=None, context=None,
-                             legacy_subject_templates=['registration/password_reset_subject.txt'],
-                             legacy_body_templates=['registration/password_reset_email.html'],
-                             set_random_password=True,
-                             sign_next_url=True,
-                             **kwargs):
+def send_password_reset_mail(
+    user,
+    template_names=None,
+    request=None,
+    token_generator=None,
+    from_email=None,
+    next_url=None,
+    context=None,
+    legacy_subject_templates=['registration/password_reset_subject.txt'],
+    legacy_body_templates=['registration/password_reset_email.html'],
+    set_random_password=True,
+    sign_next_url=True,
+    **kwargs,
+):
     from .. import middleware
     from authentic2.journal import journal
 
@@ -859,31 +925,44 @@ def send_password_reset_mail(user, template_names=None, request=None,
 
     ctx = {}
     ctx.update(context or {})
-    ctx.update({
-        'user': user,
-        'email': user.email,
-        'expiration_days': settings.PASSWORD_RESET_TIMEOUT_DAYS,
-        'site': request.get_host() if request else '',
-    })
+    ctx.update(
+        {
+            'user': user,
+            'email': user.email,
+            'expiration_days': settings.PASSWORD_RESET_TIMEOUT_DAYS,
+            'site': request.get_host() if request else '',
+        }
+    )
 
     # Build reset URL
-    ctx['reset_url'], token = build_reset_password_url(user, request=request, next_url=next_url,
-                                                       set_random_password=set_random_password,
-                                                       sign_next_url=sign_next_url)
-
-    send_templated_mail(user, template_names, ctx, request=request,
-                        legacy_subject_templates=legacy_subject_templates,
-                        legacy_body_templates=legacy_body_templates,
-                        per_ou_templates=True, **kwargs)
-    logger.info(u'password reset request for user %s, email sent to %s '
-                'with token %s', user, user.email, token.uuid)
+    ctx['reset_url'], token = build_reset_password_url(
+        user,
+        request=request,
+        next_url=next_url,
+        set_random_password=set_random_password,
+        sign_next_url=sign_next_url,
+    )
+
+    send_templated_mail(
+        user,
+        template_names,
+        ctx,
+        request=request,
+        legacy_subject_templates=legacy_subject_templates,
+        legacy_body_templates=legacy_body_templates,
+        per_ou_templates=True,
+        **kwargs,
+    )
+    logger.info(
+        u'password reset request for user %s, email sent to %s ' 'with token %s', user, user.email, token.uuid
+    )
     journal.record('user.password.reset.request', email=user.email, user=user)
 
 
 def batch(iterable, size):
-    '''Batch an iterable as an iterable of iterables of at most size element
-       long.
-    '''
+    """Batch an iterable as an iterable of iterables of at most size element
+    long.
+    """
     sourceiter = iter(iterable)
     while True:
         batchiter = islice(sourceiter, size)
@@ -893,12 +972,12 @@ def batch(iterable, size):
 
 
 def batch_queryset(qs, size=1000):
-    '''Batch prefetched potentially very large queryset, it's a middle ground
-       between using .iterator() which cannot be prefetched and prefetching a full
-       table, which can take a larte place in memory.
-    '''
+    """Batch prefetched potentially very large queryset, it's a middle ground
+    between using .iterator() which cannot be prefetched and prefetching a full
+    table, which can take a larte place in memory.
+    """
     for i in count(0):
-        chunk = qs[i * size:(i + 1) * size]
+        chunk = qs[i * size : (i + 1) * size]
         if not chunk:
             break
         for row in chunk:
@@ -931,11 +1010,13 @@ def good_next_url(request, next_url):
 
     if not next_url:
         return False
-    if (next_url.startswith('/') and (len(next_url) == 1 or next_url[1] != '/')):
+    if next_url.startswith('/') and (len(next_url) == 1 or next_url[1] != '/'):
         return True
     if same_origin(request.build_absolute_uri(), next_url):
         return True
-    signature = request.POST.get(constants.NEXT_URL_SIGNATURE) or request.GET.get(constants.NEXT_URL_SIGNATURE)
+    signature = request.POST.get(constants.NEXT_URL_SIGNATURE) or request.GET.get(
+        constants.NEXT_URL_SIGNATURE
+    )
 
     if signature:
         return crypto.check_hmac_url(settings.SECRET_KEY, next_url, signature)
@@ -976,9 +1057,8 @@ def get_next_url(params, field_name=None):
 
 def select_next_url(request, default, field_name=None, include_post=False, replace=None):
     '''Select the first valid next URL'''
-    next_url = (
-        (include_post and get_next_url(request.POST, field_name=field_name))
-        or get_next_url(request.GET, field_name=field_name)
+    next_url = (include_post and get_next_url(request.POST, field_name=field_name)) or get_next_url(
+        request.GET, field_name=field_name
     )
     if good_next_url(request, next_url):
         if replace:
@@ -989,7 +1069,7 @@ def select_next_url(request, default, field_name=None, include_post=False, repla
 
 
 def human_duration(seconds):
-    day = (24 * 3600)
+    day = 24 * 3600
     hour = 3600
     minute = 60
     days, seconds = seconds // day, seconds % day
@@ -1009,7 +1089,6 @@ def human_duration(seconds):
 
 
 class ServiceAccessDenied(Exception):
-
     def __init__(self, service):
         self.service = service
 
@@ -1049,13 +1128,13 @@ def same_domain(domain1, domain2):
 
 
 def same_origin(url1, url2):
-    '''Checks if both URL use the same domain. It understands domain patterns on url2, i.e. .example.com
+    """Checks if both URL use the same domain. It understands domain patterns on url2, i.e. .example.com
     matches www.example.com.
 
     If not scheme is given in url2, scheme compare is skipped.
     If not scheme and not port are given, port compare is skipped.
     The last two rules allow authorizing complete domains easily.
-    '''
+    """
     p1, p2 = urlparse.urlparse(url1), urlparse.urlparse(url2)
     p1_host, p1_port = netloc_to_host_port(p1.netloc)
     p2_host, p2_port = netloc_to_host_port(p2.netloc)
@@ -1068,8 +1147,8 @@ def same_origin(url1, url2):
 
     try:
         if (p2_port or (p1_port and p2.scheme)) and (
-                (p1_port or PROTOCOLS_TO_PORT[p1.scheme])
-                != (p2_port or PROTOCOLS_TO_PORT[p2.scheme])):
+            (p1_port or PROTOCOLS_TO_PORT[p1.scheme]) != (p2_port or PROTOCOLS_TO_PORT[p2.scheme])
+        ):
             return False
     except (ValueError, KeyError):
         return False
@@ -1077,9 +1156,9 @@ def same_origin(url1, url2):
     return True
 
 
-def simulate_authentication(request, user, method,
-                            backend='authentic2.backends.models_backend.ModelBackend',
-                            service=None, **kwargs):
+def simulate_authentication(
+    request, user, method, backend='authentic2.backends.models_backend.ModelBackend', service=None, **kwargs
+):
     '''Simulate a normal login by forcing a backend attribute on the user instance'''
     # do not modify the passed user
     user = copy.deepcopy(user)
@@ -1089,6 +1168,7 @@ def simulate_authentication(request, user, method,
 
 def get_manager_login_url():
     from authentic2.manager import app_settings
+
     return app_settings.LOGIN_URL or settings.LOGIN_URL
 
 
@@ -1108,10 +1188,12 @@ def send_email_change_email(user, email, request=None, context=None, template_na
         legacy_body_templates = None
 
     # build verify email URL containing a signed token
-    token = signing.dumps({
-        'email': email,
-        'user_pk': user.pk,
-    })
+    token = signing.dumps(
+        {
+            'email': email,
+            'user_pk': user.pk,
+        }
+    )
     link = '{0}?token={1}'.format(reverse('email-change-verify'), token)
     link = request.build_absolute_uri(link)
 
@@ -1123,24 +1205,27 @@ def send_email_change_email(user, email, request=None, context=None, template_na
     elif user.ou and user.ou.email_is_unique:
         email_is_not_unique = qs.filter(email=email, ou=user.ou).exclude(pk=user.pk).exists()
     ctx = context or {}
-    ctx.update({
-        'email': email,
-        'old_email': user.email,
-        'user': user,
-        'link': link,
-        'site': request.get_host(),
-        'domain': request.get_host(),
-        'token_lifetime': human_duration(app_settings.A2_EMAIL_CHANGE_TOKEN_LIFETIME),
-        'password_reset_url': request.build_absolute_uri(reverse('password_reset')),
-        'email_is_not_unique': email_is_not_unique,
-    })
+    ctx.update(
+        {
+            'email': email,
+            'old_email': user.email,
+            'user': user,
+            'link': link,
+            'site': request.get_host(),
+            'domain': request.get_host(),
+            'token_lifetime': human_duration(app_settings.A2_EMAIL_CHANGE_TOKEN_LIFETIME),
+            'password_reset_url': request.build_absolute_uri(reverse('password_reset')),
+            'email_is_not_unique': email_is_not_unique,
+        }
+    )
     logger.info(u'sent email verify email to %s for %s', email, user)
     send_templated_mail(
         email,
         template_names,
         context=ctx,
         legacy_subject_templates=legacy_subject_templates,
-        legacy_body_templates=legacy_body_templates)
+        legacy_body_templates=legacy_body_templates,
+    )
 
 
 def get_user_flag(user, name, default=None):
@@ -1168,6 +1253,7 @@ def get_user_flag(user, name, default=None):
 
 def user_can_change_password(user=None, request=None):
     from .. import hooks
+
     if not app_settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD:
         return False
     if request is not None and user is None and hasattr(request, 'user'):
@@ -1220,8 +1306,11 @@ def get_remember_cookie(request, name, count=5):
 
 def prepend_remember_cookie(request, response, name, value, count=5):
     values = get_remember_cookie(request, name, count=count)
-    values = [value] + values[:count - 1]
-    response.set_cookie(name, ' '.join(str(value) for value in values),
-                        max_age=86400 * 365,  # keep preferences for 1 year
-                        path=request.path,
-                        httponly=True)
+    values = [value] + values[: count - 1]
+    response.set_cookie(
+        name,
+        ' '.join(str(value) for value in values),
+        max_age=86400 * 365,  # keep preferences for 1 year
+        path=request.path,
+        httponly=True,
+    )
diff --git a/src/authentic2/utils/evaluate.py b/src/authentic2/utils/evaluate.py
index 90474f3e..6ea291dc 100644
--- a/src/authentic2/utils/evaluate.py
+++ b/src/authentic2/utils/evaluate.py
@@ -17,6 +17,7 @@
 import sys
 
 from django.core.exceptions import ValidationError
+
 try:
     from functools import lru_cache
 except ImportError:
@@ -91,7 +92,9 @@ class BaseExpressionValidator(ast.NodeVisitor):
         else:
             ok = True
         if not ok:
-            raise ExpressionError(_('expression "%(expression)s" is forbidden'), node=node, code='forbidden-expression')
+            raise ExpressionError(
+                _('expression "%(expression)s" is forbidden'), node=node, code='forbidden-expression'
+            )
 
         # specific node class check
         node_name = node.__class__.__name__
@@ -114,10 +117,9 @@ class BaseExpressionValidator(ast.NodeVisitor):
         try:
             tree = ast.parse(expression, mode='eval')
         except SyntaxError as e:
-            raise ExpressionError(_('could not parse expression') % e,
-                                  code='parsing-error',
-                                  column=e.offset,
-                                  text=expression)
+            raise ExpressionError(
+                _('could not parse expression') % e, code='parsing-error', column=e.offset, text=expression
+            )
         try:
             self.visit(tree)
         except ExpressionError as e:
@@ -127,6 +129,7 @@ class BaseExpressionValidator(ast.NodeVisitor):
             six.reraise(*sys.exc_info())
         return compile(tree, expression, mode='eval')
 
+
 # python 3.8 introduced ast.Constant to replace Num, Str, Bytes and NameConstant (True, False, None)
 if sys.version_info < (3, 8):
     CONSTANT_CLASSES = (ast.Num, ast.Str, ast.Bytes)
@@ -135,27 +138,28 @@ else:
 
 
 class ConditionValidator(BaseExpressionValidator):
-    '''
-       Only authorize :
-       - direct variable references, without underscore in them,
-       - num and str constants,
-       - boolean expressions with all operators,
-       - unary operator expressions with all operators,
-       - if expressions (x if y else z),
-       - compare expressions with all operators.
-       - subscript of direct variable reference.
-
-       Are implicitely forbidden:
-       - binary expressions (so no "'aaa' * 99999999999" or 233333333333333233**2232323233232323 bombs),
-       - lambda,
-       - literal list, tuple, dict and sets,
-       - comprehensions (list, dict and set),
-       - generators,
-       - yield,
-       - call,
-       - Repr node (i dunno what it is),
-       - attribute access,
-    '''
+    """
+    Only authorize :
+    - direct variable references, without underscore in them,
+    - num and str constants,
+    - boolean expressions with all operators,
+    - unary operator expressions with all operators,
+    - if expressions (x if y else z),
+    - compare expressions with all operators.
+    - subscript of direct variable reference.
+
+    Are implicitely forbidden:
+    - binary expressions (so no "'aaa' * 99999999999" or 233333333333333233**2232323233232323 bombs),
+    - lambda,
+    - literal list, tuple, dict and sets,
+    - comprehensions (list, dict and set),
+    - generators,
+    - yield,
+    - call,
+    - Repr node (i dunno what it is),
+    - attribute access,
+    """
+
     authorized_nodes = [
         ast.Load,
         ast.Name,
@@ -173,8 +177,8 @@ class ConditionValidator(BaseExpressionValidator):
 
     def __init__(self, authorized_nodes=None, forbidden_nodes=None):
         super(ConditionValidator, self).__init__(
-            authorized_nodes=authorized_nodes,
-            forbidden_nodes=forbidden_nodes)
+            authorized_nodes=authorized_nodes, forbidden_nodes=forbidden_nodes
+        )
         if six.PY3:
             self.authorized_nodes.append(ast.NameConstant)
 
@@ -196,7 +200,9 @@ class ConditionValidator(BaseExpressionValidator):
         else:
             ok = isinstance(node.slice, ast.Index) and isinstance(node.slice.value, CONSTANT_CLASSES)
         if not ok:
-            raise ExpressionError(_('subscript index MUST be a constant'), code='invalid-subscript', node=node)
+            raise ExpressionError(
+                _('subscript index MUST be a constant'), code='invalid-subscript', node=node
+            )
 
 
 validate_condition = ConditionValidator()
@@ -217,10 +223,8 @@ def evaluate_condition(expression, ctx=None, validator=None, on_raise=None):
         except NameError as e:
             # NameError does not report the column of the name reference :/
             raise ExpressionError(
-                _('variable is not defined: %s') % e,
-                code='undefined-variable',
-                text=expression,
-                column=0)
+                _('variable is not defined: %s') % e, code='undefined-variable', text=expression, column=0
+            )
     except Exception:
         if on_raise is not None:
             return on_raise
diff --git a/src/authentic2/utils/lazy.py b/src/authentic2/utils/lazy.py
index 1b1fa067..57ad3942 100644
--- a/src/authentic2/utils/lazy.py
+++ b/src/authentic2/utils/lazy.py
@@ -33,8 +33,8 @@ def lazy_join(join, args):
 
 @keep_lazy(six.text_type)
 def lazy_label(default, func):
-    '''Allow using a getter for a label, with late binding.
+    """Allow using a getter for a label, with late binding.
 
-       ex.: lazy_label(_('Default label'), lambda: app_settings.CUSTOM_LABEL)
-    '''
+    ex.: lazy_label(_('Default label'), lambda: app_settings.CUSTOM_LABEL)
+    """
     return force_text(func() or default)
diff --git a/src/authentic2/utils/lookups.py b/src/authentic2/utils/lookups.py
index 135c9143..a382578a 100644
--- a/src/authentic2/utils/lookups.py
+++ b/src/authentic2/utils/lookups.py
@@ -2,6 +2,7 @@ from django.contrib.postgres.lookups import Unaccent as PGUnaccent
 from django.db.models import Func
 from django.db.models.functions import Concat, ConcatPair as DjConcatPair
 
+
 class Unaccent(PGUnaccent):
     function = 'immutable_unaccent'
 
@@ -11,6 +12,7 @@ class ConcatPair(DjConcatPair):
 
     But we need immutable concatenation, || being immutable while CONCAT is not.
     """
+
     def as_postgresql(self, compiler, connection):
         return super(ConcatPair, self).as_sql(
             compiler, connection, template='%(expressions)s', arg_joiner=' || '
diff --git a/src/authentic2/utils/service.py b/src/authentic2/utils/service.py
index bcce22ce..5bfdd805 100644
--- a/src/authentic2/utils/service.py
+++ b/src/authentic2/utils/service.py
@@ -37,7 +37,7 @@ def get_service_from_ref(ref):
         return Service.objects.filter(ou__slug=ou_slug, slug=service_slug).first()
 
     try:
-        service_slug, = splitted
+        (service_slug,) = splitted
     except ValueError:
         return None
 
@@ -61,6 +61,7 @@ def get_service_from_session(request):
     session = getattr(request, 'session', None)
     if session and 'service_pk' in session:
         from authentic2.models import Service
+
         return Service.objects.get(pk=session['service_pk'])
     return None
 
diff --git a/src/authentic2/utils/switch_user.py b/src/authentic2/utils/switch_user.py
index def1943e..252e82d2 100644
--- a/src/authentic2/utils/switch_user.py
+++ b/src/authentic2/utils/switch_user.py
@@ -35,5 +35,3 @@ def resolve_token(uuid):
         return User.objects.get(pk=token.content['user_pk'])
     except User.DoesNotExist:
         return None
-
-
diff --git a/src/authentic2/utils/views.py b/src/authentic2/utils/views.py
index 93ca5d55..e0c97acd 100644
--- a/src/authentic2/utils/views.py
+++ b/src/authentic2/utils/views.py
@@ -21,25 +21,28 @@ from django.utils.translation import gettext as _
 
 
 def check_cookie_works(request):
-    '''Verify the test cookie is set, if not log a message for the user explaining the problem.
+    """Verify the test cookie is set, if not log a message for the user explaining the problem.
 
-       It should only be used in views in which we are sure of coming from the login page.
+    It should only be used in views in which we are sure of coming from the login page.
 
-       For authentication sources able to do IdP initiated SSOs, please do not use.
-    '''
+    For authentication sources able to do IdP initiated SSOs, please do not use.
+    """
     if not request.COOKIES:
         messages.warning(
             request,
-            _('Cookies are disabled in your browser, please activate them or you will not be able to log in.'))
+            _(
+                'Cookies are disabled in your browser, please activate them or you will not be able to log in.'
+            ),
+        )
         return False
     else:
         return True
 
 
 def csrf_token_check(request, form):
-    '''Check a request for CSRF cookie validation, and add an error to the form
-       if check fails.
-    '''
+    """Check a request for CSRF cookie validation, and add an error to the form
+    if check fails.
+    """
     # allow tests to disable csrf check
     if form.is_valid() and not getattr(request, 'csrf_processing_done', False):
         msg = _('The form was out of date, please try again.')
diff --git a/src/authentic2/validators.py b/src/authentic2/validators.py
index c43da817..ac9a2dd8 100644
--- a/src/authentic2/validators.py
+++ b/src/authentic2/validators.py
@@ -28,6 +28,7 @@ import dns.resolver
 import dns.exception
 
 from . import app_settings
+
 # keep those symbols here for retrocompatibility
 from .passwords import password_help_text, validate_password  # noqa: F401
 
@@ -108,6 +109,7 @@ class UsernameValidator(RegexValidator):
 @deconstructible
 class ProhibitNullCharactersValidator:
     """Validate that the string doesn't contain the null character."""
+
     message = _('Null characters are not allowed.')
     code = 'null_characters_not_allowed'
 
@@ -122,8 +124,4 @@ class ProhibitNullCharactersValidator:
             raise ValidationError(self.message, code=self.code)
 
     def __eq__(self, other):
-        return (
-            isinstance(other, self.__class__)
-            and self.message == other.message
-            and self.code == other.code
-        )
+        return isinstance(other, self.__class__) and self.message == other.message and self.code == other.code
diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index 27927eaa..6ac54425 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -37,7 +37,7 @@ from django.urls import reverse
 from django.contrib.auth import logout as auth_logout
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.views import PasswordChangeView as DjPasswordChangeView
-from django.http import (HttpResponseRedirect, HttpResponseForbidden, HttpResponse)
+from django.http import HttpResponseRedirect, HttpResponseForbidden, HttpResponse
 from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.views.decorators.cache import never_cache
 from django.contrib.auth.decorators import login_required
@@ -52,17 +52,13 @@ from django.http import HttpResponseBadRequest
 from django.template import loader
 
 from authentic2.custom_user.models import iter_attributes
-from . import (utils, app_settings, decorators, constants,
-               models, cbv, hooks, validators, attribute_kinds)
+from . import utils, app_settings, decorators, constants, models, cbv, hooks, validators, attribute_kinds
 from .utils.service import get_service_from_request, get_service_from_token, set_service_ref
 from .utils.evaluate import HTTPHeaders
 from .utils import switch_user
 from .a2_rbac.utils import get_default_ou
 from .a2_rbac.models import OrganizationalUnit as OU
-from .forms import (
-    passwords as passwords_forms,
-    registration as registration_forms,
-    profile as profile_forms)
+from .forms import passwords as passwords_forms, registration as registration_forms, profile as profile_forms
 
 User = get_user_model()
 
@@ -71,8 +67,7 @@ logger = logging.getLogger(__name__)
 
 class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
     model = User
-    template_names = ['profiles/edit_profile.html',
-                      'authentic2/accounts_edit.html']
+    template_names = ['profiles/edit_profile.html', 'authentic2/accounts_edit.html']
     title = _('Edit account data')
 
     def get_template_names(self):
@@ -105,11 +100,12 @@ class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
         attributes = models.Attribute.objects.filter(user_editable=True)
         if scopes:
             scopes = set(scopes)
-            default_fields = [attribute.name for attribute in attributes if scopes & set(attribute.scopes.split())]
+            default_fields = [
+                attribute.name for attribute in attributes if scopes & set(attribute.scopes.split())
+            ]
         else:
             default_fields = list(attributes.values_list('name', flat=True))
-        fields, labels = utils.get_fields_and_labels(
-            editable_profile_fields, default_fields)
+        fields, labels = utils.get_fields_and_labels(editable_profile_fields, default_fields)
         if scopes:
             # restrict fields to those in the scopes
             fields = [field for field in fields if field in default_fields]
@@ -124,9 +120,8 @@ class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
         # Email must be edited through the change email view, as it needs validation
         fields = [field for field in fields if field != 'email']
         return profile_forms.modelform_factory(
-            User, fields=fields,
-            labels=labels,
-            form=profile_forms.EditProfileForm)
+            User, fields=fields, labels=labels, form=profile_forms.EditProfileForm
+        )
 
     def get_object(self):
         return self.request.user
@@ -138,10 +133,8 @@ class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
 
     def get_success_url(self):
         return utils.select_next_url(
-            self.request,
-            default=reverse('account_management'),
-            field_name='next_url',
-            include_post=True)
+            self.request, default=reverse('account_management'), field_name='next_url', include_post=True
+        )
 
     def post(self, request, *args, **kwargs):
         if 'cancel' in request.POST:
@@ -154,15 +147,14 @@ class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
         self.request.journal.record('user.profile.edit', form=form)
         return response
 
+
 edit_profile = decorators.setting_enabled('A2_PROFILE_CAN_EDIT_PROFILE')(
-    login_required(EditProfile.as_view()))
+    login_required(EditProfile.as_view())
+)
 
 
 class EmailChangeView(cbv.TemplateNamesMixin, FormView):
-    template_names = [
-        'profiles/email_change.html',
-        'authentic2/change_email.html'
-    ]
+    template_names = ['profiles/email_change.html', 'authentic2/change_email.html']
     title = _('Email Change')
     success_url = '..'
 
@@ -187,23 +179,29 @@ class EmailChangeView(cbv.TemplateNamesMixin, FormView):
         hooks.call_hooks('event', name='change-email', user=self.request.user, email=email)
         messages.info(
             self.request,
-            _('Your request for changing your email '
-              'is received. An email of validation '
-              'was sent to you. Please click on the '
-              'link contained inside.'))
+            _(
+                'Your request for changing your email '
+                'is received. An email of validation '
+                'was sent to you. Please click on the '
+                'link contained inside.'
+            ),
+        )
         logger.info('email change request')
         return super(EmailChangeView, self).form_valid(form)
 
+
 email_change = decorators.setting_enabled('A2_PROFILE_CAN_CHANGE_EMAIL')(
-    login_required(EmailChangeView.as_view()))
+    login_required(EmailChangeView.as_view())
+)
 
 
 class EmailChangeVerifyView(TemplateView):
     def get(self, request, *args, **kwargs):
         if 'token' in request.GET:
             try:
-                token = signing.loads(request.GET['token'],
-                                      max_age=app_settings.A2_EMAIL_CHANGE_TOKEN_LIFETIME)
+                token = signing.loads(
+                    request.GET['token'], max_age=app_settings.A2_EMAIL_CHANGE_TOKEN_LIFETIME
+                )
                 user_pk = token['user_pk']
                 email = token['email']
                 user = User.objects.get(pk=user_pk)
@@ -218,22 +216,23 @@ class EmailChangeVerifyView(TemplateView):
                 user.email = email
                 user.email_verified = True
                 user.save()
-                messages.info(request,
-                              _('your request for changing your email for {0} is successful').format(email))
+                messages.info(
+                    request, _('your request for changing your email for {0} is successful').format(email)
+                )
                 logger.info('user %s changed its email from %s to %s', user, old_email, email)
                 hooks.call_hooks('event', name='change-email-confirm', user=user, email=email)
             except signing.SignatureExpired:
-                messages.error(request,
-                               _('your request for changing your email is too old, try again'))
+                messages.error(request, _('your request for changing your email is too old, try again'))
             except signing.BadSignature:
-                messages.error(request,
-                               _('your request for changing your email is invalid, try again'))
+                messages.error(request, _('your request for changing your email is invalid, try again'))
             except ValueError:
-                messages.error(request,
-                               _('your request for changing your email was not on this site, try again'))
+                messages.error(
+                    request, _('your request for changing your email was not on this site, try again')
+                )
             except User.DoesNotExist:
-                messages.error(request,
-                               _('your request for changing your email is for an unknown user, try again'))
+                messages.error(
+                    request, _('your request for changing your email is for an unknown user, try again')
+                )
             except ValidationError as e:
                 messages.error(request, e.message)
             else:
@@ -247,14 +246,12 @@ email_change_verify = EmailChangeVerifyView.as_view()
 @csrf_exempt
 @ensure_csrf_cookie
 @never_cache
-def login(request, template_name='authentic2/login.html',
-          redirect_field_name=REDIRECT_FIELD_NAME):
+def login(request, template_name='authentic2/login.html', redirect_field_name=REDIRECT_FIELD_NAME):
     """Displays the login form and handles the login action."""
 
     # redirect user to homepage if already connected, if setting
     # A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE is True
-    if (request.user.is_authenticated
-            and app_settings.A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE):
+    if request.user.is_authenticated and app_settings.A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE:
         return utils.redirect(request, 'auth_homepage')
 
     redirect_to = request.GET.get(redirect_field_name)
@@ -268,7 +265,7 @@ def login(request, template_name='authentic2/login.html',
     # should be allowed. This regex checks if there is a '//' *before* a
     # question mark.
     elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to):
-            redirect_to = settings.LOGIN_REDIRECT_URL
+        redirect_to = settings.LOGIN_REDIRECT_URL
     nonce = request.GET.get(constants.NONCE_FIELD_NAME)
 
     authenticators = utils.get_backends('AUTH_FRONTENDS')
@@ -285,8 +282,7 @@ def login(request, template_name='authentic2/login.html',
     }
 
     # Cancel button
-    if request.method == "POST" \
-            and constants.CANCEL_FIELD_NAME in request.POST:
+    if request.method == "POST" and constants.CANCEL_FIELD_NAME in request.POST:
         return utils.continue_to_next_url(request, params={'cancel': 1})
 
     # Create blocks
@@ -297,11 +293,7 @@ def login(request, template_name='authentic2/login.html',
             name = authenticator.name
             form_class = authenticator.form()
             submit_name = 'submit-%s' % fid
-            block = {
-                'id': fid,
-                'name': name,
-                'authenticator': authenticator
-            }
+            block = {'id': fid, 'name': name, 'authenticator': authenticator}
             if request.method == 'POST' and submit_name in request.POST:
                 form = form_class(data=request.POST)
                 if form.is_valid():
@@ -312,14 +304,10 @@ def login(request, template_name='authentic2/login.html',
             blocks.append(block)
         else:  # New frontends API
             auth_blocks = []
-            parameters = {'request': request,
-                          'context': context}
+            parameters = {'request': request, 'context': context}
             remote_addr = request.META.get('REMOTE_ADDR')
             login_hint = set(request.session.get('login-hint', []))
-            show_ctx = dict(
-                remote_addr=remote_addr,
-                login_hint=login_hint,
-                headers=HTTPHeaders(request))
+            show_ctx = dict(remote_addr=remote_addr, login_hint=login_hint, headers=HTTPHeaders(request))
             if service:
                 show_ctx['service_ou_slug'] = service.ou and service.ou.slug
                 show_ctx['service_slug'] = service.slug
@@ -329,8 +317,7 @@ def login(request, template_name='authentic2/login.html',
                 for instance_id, instance in authenticator.instances(**parameters):
                     parameters['instance'] = instance
                     parameters['instance_id'] = instance_id
-                    if not authenticator.shown(instance_id=instance_id,
-                                               ctx=show_ctx):
+                    if not authenticator.shown(instance_id=instance_id, ctx=show_ctx):
                         continue
                     block = utils.get_authenticator_method(authenticator, 'login', parameters)
                     # update block id in order to separate instances
@@ -360,11 +347,9 @@ def login(request, template_name='authentic2/login.html',
         if 'form' not in block:
             continue
         authenticator = block['authenticator']
-        context.update({
-            'submit_name': 'submit-%s' % fid,
-            redirect_field_name: redirect_to,
-            'form': block['form']
-        })
+        context.update(
+            {'submit_name': 'submit-%s' % fid, redirect_field_name: redirect_to, 'form': block['form']}
+        )
         if hasattr(authenticator, 'get_context'):
             context.update(authenticator.get_context())
         sub_template_name = authenticator.template()
@@ -372,12 +357,14 @@ def login(request, template_name='authentic2/login.html',
 
     # legacy context variable
     rendered_forms = [(block['name'], block['content']) for block in blocks]
-    context.update({
-        'methods': rendered_forms,
-        # new definition
-        'blocks': collections.OrderedDict((block['id'], block) for block in blocks),
-        redirect_field_name: redirect_to,
-    })
+    context.update(
+        {
+            'methods': rendered_forms,
+            # new definition
+            'blocks': collections.OrderedDict((block['id'], block) for block in blocks),
+            redirect_field_name: redirect_to,
+        }
+    )
     return render(request, template_name, context)
 
 
@@ -400,6 +387,7 @@ class Homepage(cbv.TemplateNamesMixin, TemplateView):
         ctx['authorized_services'] = service_list(self.request)
         return ctx
 
+
 homepage = Homepage.as_view()
 
 
@@ -486,8 +474,7 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView):
                 attributes.append({'attribute': attribute, 'values': raw_value})
 
         # Credentials management
-        parameters = {'request': request,
-                      'context': context}
+        parameters = {'request': request, 'context': context}
         profiles = [utils.get_authenticator_method(frontend, 'profile', parameters) for frontend in frontends]
         # Old frontends data structure for templates
         blocks = [block['content'] for block in profiles if block]
@@ -501,29 +488,36 @@ class ProfileView(cbv.TemplateNamesMixin, TemplateView):
             for idp_backend in idp_backends:
                 if hasattr(idp_backend, 'federation_management'):
                     federation_management.extend(idp_backend.federation_management(request))
-        context.update({
-            'frontends_block': blocks,
-            'frontends_block_by_id': blocks_by_id,
-            'profile': profile,
-            'attributes': attributes,
-            'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
-            'allow_profile_edit': EditProfile.can_edit_profile(),
-            'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
-            'allow_authorization_management': False,
-            # TODO: deprecated should be removed when publik-base-theme is updated
-            'allow_password_change': utils.user_can_change_password(request=request),
-            'federation_management': federation_management,
-        })
-
-        if ('authentic2_idp_oidc' in settings.INSTALLED_APPS and
-                app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS):
+        context.update(
+            {
+                'frontends_block': blocks,
+                'frontends_block_by_id': blocks_by_id,
+                'profile': profile,
+                'attributes': attributes,
+                'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
+                'allow_profile_edit': EditProfile.can_edit_profile(),
+                'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
+                'allow_authorization_management': False,
+                # TODO: deprecated should be removed when publik-base-theme is updated
+                'allow_password_change': utils.user_can_change_password(request=request),
+                'federation_management': federation_management,
+            }
+        )
+
+        if (
+            'authentic2_idp_oidc' in settings.INSTALLED_APPS
+            and app_settings.A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS
+        ):
             from authentic2_idp_oidc.models import OIDCClient
+
             context['allow_authorization_management'] = OIDCClient.objects.filter(
-                    authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_SERVICE).exists()
+                authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_SERVICE
+            ).exists()
 
         hooks.call_hooks('modify_context_data', self, context)
         return context
 
+
 profile = login_required(ProfileView.as_view())
 
 
@@ -537,17 +531,14 @@ def redirect_logout_list(request):
     return utils.accumulate_from_backends(request, 'redirect_logout_list')
 
 
-def logout(request,
-           next_url=None,
-           do_local=True,
-           check_referer=True):
-    '''Logout first check if a logout request is authorized, i.e.
-       that logout was done using a POST with CSRF token or with a GET
-       from the same site.
+def logout(request, next_url=None, do_local=True, check_referer=True):
+    """Logout first check if a logout request is authorized, i.e.
+    that logout was done using a POST with CSRF token or with a GET
+    from the same site.
 
-       Logout endpoints of IdP module must re-user the view by setting
-       check_referer and do_local to False.
-    '''
+    Logout endpoints of IdP module must re-user the view by setting
+    check_referer and do_local to False.
+    """
     next_url = next_url or utils.select_next_url(request, settings.LOGIN_REDIRECT_URL)
 
     ctx = {}
@@ -563,9 +554,9 @@ def logout(request,
             fragments = logout_list(request)
             if fragments:
                 # Full logout with iframes
-                next_url = utils.make_url('auth_logout', params={'local': 'ok'},
-                                          next_url=next_url,
-                                          sign_next_url=True)
+                next_url = utils.make_url(
+                    'auth_logout', params={'local': 'ok'}, next_url=next_url, sign_next_url=True
+                )
                 ctx['next_url'] = next_url
                 ctx['logout_list'] = fragments
                 ctx['message'] = _('Logging out from all your services')
@@ -602,17 +593,22 @@ def login_password_profile(request, *args, **kwargs):
     context = kwargs.pop('context', {})
     can_change_password = utils.user_can_change_password(request=request)
     has_usable_password = request.user.has_usable_password()
-    context.update({
-        'can_change_password': can_change_password,
-        'has_usable_password': has_usable_password,
-    })
-    return render_to_string(['auth/login_password_profile.html',
-                             'authentic2/login_password_profile.html'],
-                            context, request=request)
+    context.update(
+        {
+            'can_change_password': can_change_password,
+            'has_usable_password': has_usable_password,
+        }
+    )
+    return render_to_string(
+        ['auth/login_password_profile.html', 'authentic2/login_password_profile.html'],
+        context,
+        request=request,
+    )
 
 
 class LoggedInView(View):
     '''JSONP web service to detect if an user is logged'''
+
     http_method_names = [u'get']
 
     def check_referrer(self):
@@ -630,6 +626,7 @@ class LoggedInView(View):
         content = u'{0}({1})'.format(callback, int(request.user.is_authenticated))
         return HttpResponse(content, content_type='application/json')
 
+
 logged_in = never_cache(LoggedInView.as_view())
 
 
@@ -640,6 +637,7 @@ def csrf_failure_view(request, reason=""):
 
 class PasswordResetView(FormView):
     '''Ask for an email and send a password reset link by mail'''
+
     form_class = passwords_forms.PasswordResetForm
     title = _('Password Reset')
 
@@ -684,28 +682,45 @@ class PasswordResetView(FormView):
             self.request.session[resend_key] = True
             form.add_error(
                 'email',
-                _('An email has already been sent to %s. Click "Validate" again if '
-                  'you really want it to be sent again.') % email
+                _(
+                    'An email has already been sent to %s. Click "Validate" again if '
+                    'you really want it to be sent again.'
+                )
+                % email,
             )
             return self.form_invalid(form)
         self.request.session[resend_key] = False
 
-        if is_ratelimited(self.request, key='post:email', group='pw-reset-email',
-                          rate=app_settings.A2_EMAILS_ADDRESS_RATELIMIT, increment=True):
+        if is_ratelimited(
+            self.request,
+            key='post:email',
+            group='pw-reset-email',
+            rate=app_settings.A2_EMAILS_ADDRESS_RATELIMIT,
+            increment=True,
+        ):
             self.request.journal.record('user.password.reset.failure', email=email)
             form.add_error(
                 'email',
-                _('Multiple emails have already been sent to this address. Further attempts are '
-                  'blocked, please check your spam folder or try again later.')
+                _(
+                    'Multiple emails have already been sent to this address. Further attempts are '
+                    'blocked, please check your spam folder or try again later.'
+                ),
             )
             return self.form_invalid(form)
-        if is_ratelimited(self.request, key='ip', group='pw-reset-email',
-                          rate=app_settings.A2_EMAILS_IP_RATELIMIT, increment=True):
+        if is_ratelimited(
+            self.request,
+            key='ip',
+            group='pw-reset-email',
+            rate=app_settings.A2_EMAILS_IP_RATELIMIT,
+            increment=True,
+        ):
             self.request.journal.record('user.password.reset.failure', email=email)
             form.add_error(
                 'email',
-                _('Multiple password reset attempts have already been made from this IP address. No '
-                  'further email will be sent, please check your spam folder or try again later.')
+                _(
+                    'Multiple password reset attempts have already been made from this IP address. No '
+                    'further email will be sent, please check your spam folder or try again later.'
+                ),
             )
             return self.form_invalid(form)
 
@@ -713,6 +728,7 @@ class PasswordResetView(FormView):
         self.request.session['reset_email'] = email
         return super(PasswordResetView, self).form_valid(form)
 
+
 password_reset = PasswordResetView.as_view()
 
 
@@ -729,9 +745,10 @@ password_reset_instructions = PasswordResetInstructionsView.as_view()
 
 
 class PasswordResetConfirmView(cbv.RedirectToNextURLViewMixin, FormView):
-    '''Validate password reset link, show a set password form and login
-       the user.
-    '''
+    """Validate password reset link, show a set password form and login
+    the user.
+    """
+
     form_class = passwords_forms.SetPasswordForm
     title = _('Password Reset')
 
@@ -760,13 +777,13 @@ class PasswordResetConfirmView(cbv.RedirectToNextURLViewMixin, FormView):
             messages.warning(request, _('User not found'))
             return utils.redirect(request, self.get_success_url())
 
-        can_reset_password = utils.get_user_flag(user=self.user,
-                                                 name='can_reset_password',
-                                                 default=self.user.has_usable_password())
+        can_reset_password = utils.get_user_flag(
+            user=self.user, name='can_reset_password', default=self.user.has_usable_password()
+        )
         if not can_reset_password:
             messages.warning(
-                request,
-                _('It\'s not possible to reset your password. Please contact an administrator.'))
+                request, _('It\'s not possible to reset your password. Please contact an administrator.')
+            )
             return utils.redirect(request, self.get_success_url())
         return super(PasswordResetConfirmView, self).dispatch(request, *args, **kwargs)
 
@@ -786,8 +803,7 @@ class PasswordResetConfirmView(cbv.RedirectToNextURLViewMixin, FormView):
         # Changing password by mail validate the email
         form.user.email_verified = True
         form.save()
-        hooks.call_hooks('event', name='password-reset-confirm', user=form.user, token=self.token,
-                         form=form)
+        hooks.call_hooks('event', name='password-reset-confirm', user=form.user, token=self.token, form=form)
         logger.info(u'password reset for user %s with token %r', self.user, self.token.uuid)
         self.token.delete()
         return self.finish()
@@ -797,6 +813,7 @@ class PasswordResetConfirmView(cbv.RedirectToNextURLViewMixin, FormView):
         self.request.journal.record('user.password.reset')
         return response
 
+
 password_reset_confirm = PasswordResetConfirmView.as_view()
 
 
@@ -815,8 +832,8 @@ class BaseRegistrationView(FormView):
         if request.GET.get('token'):
             try:
                 self.token = signing.loads(
-                    request.GET.get('token'),
-                    max_age=settings.ACCOUNT_ACTIVATION_DAYS * 3600 * 24)
+                    request.GET.get('token'), max_age=settings.ACCOUNT_ACTIVATION_DAYS * 3600 * 24
+                )
             except (TypeError, ValueError, signing.BadSignature) as e:
                 logger.warning(u'registration_view: invalid token: %s', e)
                 return HttpResponseBadRequest('invalid token', content_type='text/plain')
@@ -827,11 +844,14 @@ class BaseRegistrationView(FormView):
 
     def form_valid(self, form):
         if form.is_robot():
-            return utils.redirect(self.request, 'registration_complete',
-                                  params={
-                                      REDIRECT_FIELD_NAME: self.next_url,
-                                      'robot': 'on',
-                                  })
+            return utils.redirect(
+                self.request,
+                'registration_complete',
+                params={
+                    REDIRECT_FIELD_NAME: self.next_url,
+                    'robot': 'on',
+                },
+            )
         email = form.cleaned_data.pop('email')
 
         # if an email has already been sent, warn once before allowing resend
@@ -843,26 +863,43 @@ class BaseRegistrationView(FormView):
             self.request.session[resend_key] = True
             form.add_error(
                 'email',
-                _('An email has already been sent to %s. Click "Validate" again if '
-                  'you really want it to be sent again.') % email
+                _(
+                    'An email has already been sent to %s. Click "Validate" again if '
+                    'you really want it to be sent again.'
+                )
+                % email,
             )
             return self.form_invalid(form)
         self.request.session[resend_key] = False
 
-        if is_ratelimited(self.request, key='post:email', group='registration-email',
-                          rate=app_settings.A2_EMAILS_ADDRESS_RATELIMIT, increment=True):
+        if is_ratelimited(
+            self.request,
+            key='post:email',
+            group='registration-email',
+            rate=app_settings.A2_EMAILS_ADDRESS_RATELIMIT,
+            increment=True,
+        ):
             form.add_error(
                 'email',
-                _('Multiple emails have already been sent to this address. Further attempts are '
-                  'blocked, please check your spam folder or try again later.')
+                _(
+                    'Multiple emails have already been sent to this address. Further attempts are '
+                    'blocked, please check your spam folder or try again later.'
+                ),
             )
             return self.form_invalid(form)
-        if is_ratelimited(self.request, key='ip', group='registration-email',
-                          rate=app_settings.A2_EMAILS_IP_RATELIMIT, increment=True):
+        if is_ratelimited(
+            self.request,
+            key='ip',
+            group='registration-email',
+            rate=app_settings.A2_EMAILS_IP_RATELIMIT,
+            increment=True,
+        ):
             form.add_error(
                 'email',
-                _('Multiple registration attempts have already been made from this IP address. No '
-                  'further email will be sent, please check your spam folder or try again later.')
+                _(
+                    'Multiple registration attempts have already been made from this IP address. No '
+                    'further email will be sent, please check your spam folder or try again later.'
+                ),
             )
             return self.form_invalid(form)
 
@@ -877,19 +914,20 @@ class BaseRegistrationView(FormView):
         self.token.pop(REDIRECT_FIELD_NAME, None)
         self.token.pop('email', None)
 
-        utils.send_registration_mail(self.request, email, next_url=self.next_url,
-                                     ou=self.ou, **self.token)
+        utils.send_registration_mail(self.request, email, next_url=self.next_url, ou=self.ou, **self.token)
         self.request.session['registered_email'] = email
-        return utils.redirect(self.request, 'registration_complete', params={REDIRECT_FIELD_NAME: self.next_url})
+        return utils.redirect(
+            self.request, 'registration_complete', params={REDIRECT_FIELD_NAME: self.next_url}
+        )
 
     def get_context_data(self, **kwargs):
         context = super(BaseRegistrationView, self).get_context_data(**kwargs)
-        parameters = {'request': self.request,
-                      'context': context}
-        blocks = [utils.get_authenticator_method(authenticator, 'registration', parameters)
-                  for authenticator in utils.get_backends('AUTH_FRONTENDS')]
-        context['frontends'] = collections.OrderedDict((block['id'], block)
-                                                       for block in blocks if block)
+        parameters = {'request': self.request, 'context': context}
+        blocks = [
+            utils.get_authenticator_method(authenticator, 'registration', parameters)
+            for authenticator in utils.get_backends('AUTH_FRONTENDS')
+        ]
+        context['frontends'] = collections.OrderedDict((block['id'], block) for block in blocks if block)
         return context
 
 
@@ -950,36 +988,31 @@ class RegistrationCompletionView(CreateView):
         self.users = User.objects.filter(email__iexact=self.email).order_by('date_joined')
         if self.ou:
             self.users = self.users.filter(ou=self.ou)
-        self.email_is_unique = app_settings.A2_EMAIL_IS_UNIQUE \
-            or app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE
+        self.email_is_unique = app_settings.A2_EMAIL_IS_UNIQUE or app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE
         if self.ou:
             self.email_is_unique |= self.ou.email_is_unique
         self.init_fields_labels_and_help_texts()
         # if registration is done during an SSO add the service to the registration event
         self.service = get_service_from_token(self.token)
-        return super(RegistrationCompletionView, self) \
-            .dispatch(request, *args, **kwargs)
+        return super(RegistrationCompletionView, self).dispatch(request, *args, **kwargs)
 
     def init_fields_labels_and_help_texts(self):
-        attributes = models.Attribute.objects.filter(
-            asked_on_registration=True)
+        attributes = models.Attribute.objects.filter(asked_on_registration=True)
         default_fields = attributes.values_list('name', flat=True)
-        required_fields = models.Attribute.objects.filter(required=True) \
-            .values_list('name', flat=True)
+        required_fields = models.Attribute.objects.filter(required=True).values_list('name', flat=True)
         fields, labels = utils.get_fields_and_labels(
             app_settings.A2_REGISTRATION_FIELDS,
             default_fields,
             app_settings.A2_REGISTRATION_REQUIRED_FIELDS,
             app_settings.A2_REQUIRED_FIELDS,
-            models.Attribute.objects.filter(required=True).values_list('name', flat=True))
+            models.Attribute.objects.filter(required=True).values_list('name', flat=True),
+        )
         help_texts = {}
         if app_settings.A2_REGISTRATION_FORM_USERNAME_LABEL:
             labels['username'] = app_settings.A2_REGISTRATION_FORM_USERNAME_LABEL
         if app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT:
-            help_texts['username'] = \
-                app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT
-        required = list(app_settings.A2_REGISTRATION_REQUIRED_FIELDS) + \
-            list(required_fields)
+            help_texts['username'] = app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT
+        required = list(app_settings.A2_REGISTRATION_REQUIRED_FIELDS) + list(required_fields)
         if 'email' in fields:
             fields.remove('email')
         for field in self.token.get('skip_fields') or []:
@@ -1003,7 +1036,8 @@ class RegistrationCompletionView(CreateView):
             fields=self.fields,
             labels=self.labels,
             required=self.required,
-            help_texts=self.help_texts)
+            help_texts=self.help_texts,
+        )
         if 'username' in self.fields and app_settings.A2_REGISTRATION_FORM_USERNAME_REGEX:
             # Keep existing field label and help_text
             old_field = form_class.base_fields['username']
@@ -1011,7 +1045,8 @@ class RegistrationCompletionView(CreateView):
                 max_length=256,
                 label=old_field.label,
                 help_text=old_field.help_text,
-                validators=[validators.UsernameValidator()])
+                validators=[validators.UsernameValidator()],
+            )
             form_class = type('RegistrationForm', (form_class,), {'username': field})
         return form_class
 
@@ -1072,9 +1107,8 @@ class RegistrationCompletionView(CreateView):
         if len(self.users) == 1 and self.email_is_unique:
             # Found one user, EMAIL is unique, log her in
             utils.simulate_authentication(
-                request, self.users[0],
-                method=self.authentication_method,
-                service=self.service)
+                request, self.users[0], method=self.authentication_method, service=self.service
+            )
             return utils.redirect(request, self.get_success_url())
         confirm_data = self.token.get('confirm_data', False)
 
@@ -1082,8 +1116,9 @@ class RegistrationCompletionView(CreateView):
             fields_to_confirm = self.required
         else:
             fields_to_confirm = self.fields
-        if (all(field in self.token for field in fields_to_confirm)
-                and (not confirm_data or confirm_data == 'required')):
+        if all(field in self.token for field in fields_to_confirm) and (
+            not confirm_data or confirm_data == 'required'
+        ):
             # We already have every fields
             form_kwargs = self.get_form_kwargs()
             form_class = self.get_form_class()
@@ -1104,16 +1139,15 @@ class RegistrationCompletionView(CreateView):
         if self.users and self.email_is_unique:
             # email is unique, users already exist, creating a new one is forbidden !
             return utils.redirect(
-                request, request.resolver_match.view_name, args=self.args,
-                kwargs=self.kwargs)
+                request, request.resolver_match.view_name, args=self.args, kwargs=self.kwargs
+            )
         if 'uid' in request.POST:
             uid = request.POST['uid']
             for user in self.users:
                 if str(user.id) == uid:
                     utils.simulate_authentication(
-                        request, user,
-                        method=self.authentication_method,
-                        service=self.service)
+                        request, user, method=self.authentication_method, service=self.service
+                    )
                     return utils.redirect(request, self.get_success_url())
         return super(RegistrationCompletionView, self).post(request, *args, **kwargs)
 
@@ -1126,9 +1160,11 @@ class RegistrationCompletionView(CreateView):
             if av.verified and av.attribute.name in form.fields:
                 del form.fields[av.attribute.name]
 
-        if ('email' in self.request.POST
-                and ('email' not in self.token or self.request.POST['email'] != self.token['email'])
-                and not self.token.get('skip_email_check')):
+        if (
+            'email' in self.request.POST
+            and ('email' not in self.token or self.request.POST['email'] != self.token['email'])
+            and not self.token.get('skip_email_check')
+        ):
             # If an email is submitted it must be validated or be the same as in the token
             data = form.cleaned_data.copy()
             # handle complex attributes
@@ -1141,11 +1177,7 @@ class RegistrationCompletionView(CreateView):
                 data[attribute.name] = kind['serialize'](data[attribute.name])
 
             data['no_password'] = self.token.get('no_password', False)
-            utils.send_registration_mail(
-                self.request,
-                ou=self.ou,
-                next_url=self.get_success_url(),
-                **data)
+            utils.send_registration_mail(self.request, ou=self.ou, next_url=self.get_success_url(), **data)
             self.token_obj.delete()
             self.request.session['registered_email'] = form.cleaned_data['email']
             return utils.redirect(self.request, 'registration_complete')
@@ -1153,19 +1185,19 @@ class RegistrationCompletionView(CreateView):
         return self.registration_success(self.request, form.instance, form)
 
     def registration_success(self, request, user, form):
-        request.journal.record(
-            'user.registration',
+        request.journal.record('user.registration', user=user, session=None, how=self.authentication_method)
+        hooks.call_hooks(
+            'event',
+            name='registration',
             user=user,
-            session=None,
-            how=self.authentication_method)
-        hooks.call_hooks('event', name='registration', user=user, form=form, view=self,
-                         authentication_method=self.authentication_method,
-                         token=self.token, service=self.service and self.service.slug)
+            form=form,
+            view=self,
+            authentication_method=self.authentication_method,
+            token=self.token,
+            service=self.service and self.service.slug,
+        )
         self.token_obj.delete()
-        utils.simulate_authentication(
-            request, user,
-            method=self.authentication_method,
-            service=self.service)
+        utils.simulate_authentication(request, user, method=self.authentication_method, service=self.service)
         message_template = loader.get_template('authentic2/registration_success_message.html')
         messages.info(self.request, message_template.render(request=request))
         self.send_registration_success_email(user)
@@ -1175,18 +1207,19 @@ class RegistrationCompletionView(CreateView):
         if not user.email:
             return
 
-        template_names = [
-            'authentic2/registration_success'
-        ]
+        template_names = ['authentic2/registration_success']
         login_url = self.request.build_absolute_uri(settings.LOGIN_URL)
-        utils.send_templated_mail(user, template_names=template_names,
-                                  context={
-                                      'user': user,
-                                      'email': user.email,
-                                      'site': self.request.get_host(),
-                                      'login_url': login_url,
-                                  },
-                                  request=self.request)
+        utils.send_templated_mail(
+            user,
+            template_names=template_names,
+            context={
+                'user': user,
+                'email': user.email,
+                'site': self.request.get_host(),
+                'login_url': login_url,
+            },
+            request=self.request,
+        )
 
 
 registration_completion = RegistrationCompletionView.as_view()
@@ -1205,8 +1238,7 @@ class DeleteView(TemplateView):
         if 'cancel' in request.POST:
             return utils.redirect(request, 'account_management')
         utils.send_account_deletion_code(self.request, self.request.user)
-        messages.info(request,
-                _("An account deletion validation email has been sent to your email address."))
+        messages.info(request, _("An account deletion validation email has been sent to your email address."))
         return utils.redirect(request, 'account_management')
 
     def get_context_data(self, **kwargs):
@@ -1222,14 +1254,14 @@ class ValidateDeletionView(TemplateView):
 
     def dispatch(self, request, *args, **kwargs):
         try:
-            deletion_token = signing.loads(kwargs['deletion_token'],
-                    max_age=app_settings.A2_DELETION_REQUEST_LIFETIME)
+            deletion_token = signing.loads(
+                kwargs['deletion_token'], max_age=app_settings.A2_DELETION_REQUEST_LIFETIME
+            )
             user_pk = deletion_token['user_pk']
             self.user = get_user_model().objects.get(pk=user_pk)
             # A user account wont be deactived twice
             if not self.user.is_active:
-                raise ValidationError(
-                    _('This account is inactive, it cannot be deleted.'))
+                raise ValidationError(_('This account is inactive, it cannot be deleted.'))
             logger.info('user %s confirmed the deletion of their own account', self.user)
         except signing.SignatureExpired:
             error = _('The account deletion request is too old, try again')
@@ -1252,7 +1284,7 @@ class ValidateDeletionView(TemplateView):
             logger.info(u'deletion of account %s performed', self.user)
             hooks.call_hooks('event', name='delete-account', user=self.user)
             request.journal.record('user.deletion', user=self.user)
-            is_deleted_user_logged = (self.user == request.user)
+            is_deleted_user_logged = self.user == request.user
             self.user.delete()
             messages.info(request, _('Deletion performed.'))
             # No real use for cancel_url or next_url here, assuming the link
@@ -1276,8 +1308,8 @@ class RegistrationCompleteView(TemplateView):
         kwargs['from_email'] = settings.DEFAULT_FROM_EMAIL
         kwargs['from_email_address'] = parseaddr(settings.DEFAULT_FROM_EMAIL)[1]
         return super(RegistrationCompleteView, self).get_context_data(
-            account_activation_days=settings.ACCOUNT_ACTIVATION_DAYS,
-            **kwargs)
+            account_activation_days=settings.ACCOUNT_ACTIVATION_DAYS, **kwargs
+        )
 
 
 registration_complete = RegistrationCompleteView.as_view()
@@ -1325,7 +1357,8 @@ class PasswordChangeView(DjPasswordChangeView):
 
 
 password_change = decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD')(
-    PasswordChangeView.as_view())
+    PasswordChangeView.as_view()
+)
 
 
 class SuView(View):
@@ -1335,6 +1368,7 @@ class SuView(View):
             raise Http404
         return utils.simulate_authentication(request, user, 'su')
 
+
 su = SuView.as_view()
 
 
@@ -1346,8 +1380,7 @@ class AuthorizedOauthServicesView(TemplateView):
         from authentic2_idp_oidc.models import OIDCAuthorization
 
         context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs)
-        context['authorized_oauth_services'] = OIDCAuthorization.objects.filter(
-            user=self.request.user)
+        context['authorized_oauth_services'] = OIDCAuthorization.objects.filter(user=self.request.user)
         return context
 
     def post(self, request, *args, **kwargs):
@@ -1361,8 +1394,9 @@ class AuthorizedOauthServicesView(TemplateView):
         return HttpResponseRedirect(reverse('authorized-oauth-services'))
 
 
-authorized_oauth_services = decorators.setting_enabled(
-    'A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS')(AuthorizedOauthServicesView.as_view())
+authorized_oauth_services = decorators.setting_enabled('A2_PROFILE_CAN_MANAGE_SERVICE_AUTHORIZATIONS')(
+    AuthorizedOauthServicesView.as_view()
+)
 
 
 def old_view_redirect(request, to, message=None):
@@ -1397,4 +1431,5 @@ class DisplayMessageAndContinueView(TemplateView):
         ctx['only_info'] = self.only_info
         return ctx
 
+
 display_message_and_continue = DisplayMessageAndContinueView.as_view()
diff --git a/src/authentic2_auth_fc/api_views.py b/src/authentic2_auth_fc/api_views.py
index 06e789d2..f269104a 100644
--- a/src/authentic2_auth_fc/api_views.py
+++ b/src/authentic2_auth_fc/api_views.py
@@ -24,8 +24,12 @@ from authentic2.compat.drf import action
 from authentic2.api_views import DjangoPermission
 
 
-@action(detail=True, methods=['delete'], url_path='fc-unlink',
-        permission_classes=(DjangoPermission('custom_user.view_user'),))
+@action(
+    detail=True,
+    methods=['delete'],
+    url_path='fc-unlink',
+    permission_classes=(DjangoPermission('custom_user.view_user'),),
+)
 def fc_unlink(self, request, uuid):
     user = get_object_or_404(get_user_model(), uuid=uuid)
     user.fc_accounts.all().delete()
diff --git a/src/authentic2_auth_fc/app_settings.py b/src/authentic2_auth_fc/app_settings.py
index 3d2e3ec3..2d985976 100644
--- a/src/authentic2_auth_fc/app_settings.py
+++ b/src/authentic2_auth_fc/app_settings.py
@@ -73,26 +73,26 @@ class AppSettings(object):
 
     @property
     def attributes_mapping(self):
-        return self._setting('ATTRIBUTES_MAPPING',
-                             {
-                                 'family_name': 'last_name',
-                                 'given_name': 'first_name',
-                                 'email': 'email'
-                             })
+        return self._setting(
+            'ATTRIBUTES_MAPPING', {'family_name': 'last_name', 'given_name': 'first_name', 'email': 'email'}
+        )
 
     @property
     def user_info_mappings(self):
-        return self._setting('USER_INFO_MAPPINGS', {
-            'last_name': {
-                'ref': 'family_name',
-                'verified': True,
+        return self._setting(
+            'USER_INFO_MAPPINGS',
+            {
+                'last_name': {
+                    'ref': 'family_name',
+                    'verified': True,
+                },
+                'first_name': {
+                    'ref': 'given_name',
+                    'verified': True,
+                },
+                'email': 'email',
             },
-            'first_name': {
-                'ref': 'given_name',
-                'verified': True,
-            },
-            'email': 'email',
-        })
+        )
 
     @property
     def next_field_name(self):
@@ -134,6 +134,7 @@ class AppSettings(object):
     def popup(self):
         return self._setting('POPUP', False)
 
+
 app_settings = AppSettings('A2_FC_')
 app_settings.__name__ = __name__
 sys.modules[__name__] = app_settings
diff --git a/src/authentic2_auth_fc/apps.py b/src/authentic2_auth_fc/apps.py
index 8bd04ec7..ebda6657 100644
--- a/src/authentic2_auth_fc/apps.py
+++ b/src/authentic2_auth_fc/apps.py
@@ -60,6 +60,7 @@ class AppConfig(django.apps.AppConfig):
             return
 
         if view.__class__.__name__ == 'UsersAPI':
+
             def get_franceconnect(user):
                 linked = user.fc_accounts.exists()
                 return {
@@ -67,6 +68,7 @@ class AppConfig(django.apps.AppConfig):
                     'link_url': make_url('fc-login-or-link', request=request, absolute=True),
                     'unlink_url': make_url('fc-unlink', request=request, absolute=True),
                 }
+
             serializer.get_franceconnect = get_franceconnect
             serializer.fields['franceconnect'] = serializers.SerializerMethodField()
 
@@ -102,9 +104,8 @@ class AppConfig(django.apps.AppConfig):
 
         from django.db.models.signals import pre_save
         from authentic2.custom_user.models import DeletedUser
-        pre_save.connect(
-            self.pre_save_deleted_user,
-            sender=DeletedUser)
+
+        pre_save.connect(self.pre_save_deleted_user, sender=DeletedUser)
 
     def pre_save_deleted_user(self, sender, instance, **kwargs):
         '''Delete and copy FcAccount to old_data'''
@@ -113,6 +114,8 @@ class AppConfig(django.apps.AppConfig):
         fc_accounts = FcAccount.objects.filter(user__uuid=instance.old_uuid).order_by('id')
         for fc_account in fc_accounts:
             instance.old_data = instance.old_data or {}
-            instance.old_data.setdefault('fc_accounts', []).append({
-                'sub': fc_account.sub,
-            })
+            instance.old_data.setdefault('fc_accounts', []).append(
+                {
+                    'sub': fc_account.sub,
+                }
+            )
diff --git a/src/authentic2_auth_fc/authenticators.py b/src/authentic2_auth_fc/authenticators.py
index a7829b7b..64a64574 100644
--- a/src/authentic2_auth_fc/authenticators.py
+++ b/src/authentic2_auth_fc/authenticators.py
@@ -30,9 +30,7 @@ class FcAuthenticator(BaseAuthenticator):
     priority = -1
 
     def enabled(self):
-        return (app_settings.enable and
-                app_settings.client_id and
-                app_settings.client_secret)
+        return app_settings.enable and app_settings.client_id and app_settings.client_secret
 
     def name(self):
         return gettext_noop('FranceConnect')
@@ -51,26 +49,28 @@ class FcAuthenticator(BaseAuthenticator):
         params = {}
         if app_settings.popup:
             params['popup'] = ''
-        context.update({
-            'popup': app_settings.popup,
-            'about_url': app_settings.about_url,
-            'fc_user_info': fc_user_info,
-        })
-        if fc_user_info:
-            context.update({
-                'registration_url': a2_utils.make_url('fc-registration',
-                                                      keep_params=True,
-                                                      params=params,
-                                                      request=request),
+        context.update(
+            {
+                'popup': app_settings.popup,
+                'about_url': app_settings.about_url,
                 'fc_user_info': fc_user_info,
-                'block-extra-css-class': 'fc-registration',
-            })
+            }
+        )
+        if fc_user_info:
+            context.update(
+                {
+                    'registration_url': a2_utils.make_url(
+                        'fc-registration', keep_params=True, params=params, request=request
+                    ),
+                    'fc_user_info': fc_user_info,
+                    'block-extra-css-class': 'fc-registration',
+                }
+            )
             template = 'authentic2_auth_fc/login_registration.html'
         else:
-            context['login_url'] = a2_utils.make_url('fc-login-or-link',
-                                                     keep_params=True,
-                                                     params=params,
-                                                     request=request)
+            context['login_url'] = a2_utils.make_url(
+                'fc-login-or-link', keep_params=True, params=params, request=request
+            )
             context['block-extra-css-class'] = 'fc-login'
             template = 'authentic2_auth_fc/login.html'
         return TemplateResponse(request, template, context)
@@ -87,16 +87,17 @@ class FcAuthenticator(BaseAuthenticator):
         }
         if app_settings.popup:
             params['popup'] = ''
-        link_url = a2_utils.make_url('fc-login-or-link',
-                                     params=params)
+        link_url = a2_utils.make_url('fc-login-or-link', params=params)
 
         context = kwargs.pop('context', {}).copy()
-        context.update({
-            'popup': app_settings.popup,
-            'unlink': unlink,
-            'about_url': app_settings.about_url,
-            'link_url': link_url,
-        })
+        context.update(
+            {
+                'popup': app_settings.popup,
+                'unlink': unlink,
+                'about_url': app_settings.about_url,
+                'link_url': link_url,
+            }
+        )
         return render_to_string('authentic2_auth_fc/linking.html', context, request=request)
 
     def registration(self, request, *args, **kwargs):
@@ -109,11 +110,13 @@ class FcAuthenticator(BaseAuthenticator):
         }
         if app_settings.popup:
             params['popup'] = ''
-        context.update({
-            'login_url': a2_utils.make_url('fc-login-or-link',
-                                           keep_params=True, params=params,
-                                           request=request),
-            'popup': app_settings.popup,
-            'about_url': app_settings.about_url,
-        })
+        context.update(
+            {
+                'login_url': a2_utils.make_url(
+                    'fc-login-or-link', keep_params=True, params=params, request=request
+                ),
+                'popup': app_settings.popup,
+                'about_url': app_settings.about_url,
+            }
+        )
         return TemplateResponse(request, 'authentic2_auth_fc/registration.html', context)
diff --git a/src/authentic2_auth_fc/backends.py b/src/authentic2_auth_fc/backends.py
index 9d8d4e4a..04bba446 100644
--- a/src/authentic2_auth_fc/backends.py
+++ b/src/authentic2_auth_fc/backends.py
@@ -54,18 +54,19 @@ class FcBackend(ModelBackend):
                 user.set_unusable_password()
                 try:
                     models.FcAccount.objects.create(
-                        user=user,
-                        sub=sub,
-                        order=0,
-                        token=json.dumps(kwargs['token']))
+                        user=user, sub=sub, order=0, token=json.dumps(kwargs['token'])
+                    )
                 except IntegrityError:
                     # uniqueness check failed, as the user is new, it can only means that the sub is not unique
                     # let's try again
                     user.delete()
                     return self.authenticate(sub, **kwargs)
                 else:
-                    logger.debug(u'user creation enabled with fc_account (sub : %s - token : %s)',
-                                 sub, json.dumps(kwargs['token']))
+                    logger.debug(
+                        u'user creation enabled with fc_account (sub : %s - token : %s)',
+                        sub,
+                        json.dumps(kwargs['token']),
+                    )
                     hooks.call_hooks('event', name='fc-create', user=user, sub=sub)
 
             if not user:
@@ -86,4 +87,5 @@ class FcBackend(ModelBackend):
 
     def get_saml2_authn_context(self):
         import lasso
+
         return lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
diff --git a/src/authentic2_auth_fc/migrations/0001_initial.py b/src/authentic2_auth_fc/migrations/0001_initial.py
index 9b36b774..5837df1d 100644
--- a/src/authentic2_auth_fc/migrations/0001_initial.py
+++ b/src/authentic2_auth_fc/migrations/0001_initial.py
@@ -15,11 +15,22 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='FcAccount',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('sub', models.TextField(verbose_name='sub', db_index=True)),
                 ('token', models.TextField(verbose_name='access token')),
                 ('user_info', models.TextField(null=True, verbose_name='access token', blank=True)),
-                ('user', models.ForeignKey(related_name='fc_accounts', verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE)),
+                (
+                    'user',
+                    models.ForeignKey(
+                        related_name='fc_accounts',
+                        verbose_name='user',
+                        to=settings.AUTH_USER_MODEL,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
         ),
     ]
diff --git a/src/authentic2_auth_fc/migrations/0002_auto_20200416_1439.py b/src/authentic2_auth_fc/migrations/0002_auto_20200416_1439.py
index 145ba018..357c8586 100644
--- a/src/authentic2_auth_fc/migrations/0002_auto_20200416_1439.py
+++ b/src/authentic2_auth_fc/migrations/0002_auto_20200416_1439.py
@@ -16,7 +16,9 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='fcaccount',
             name='created',
-            field=models.DateTimeField(auto_now_add=True, default=django.utils.timezone.now, verbose_name='created'),
+            field=models.DateTimeField(
+                auto_now_add=True, default=django.utils.timezone.now, verbose_name='created'
+            ),
             preserve_default=False,
         ),
         migrations.AddField(
diff --git a/src/authentic2_auth_fc/migrations/0003_fcaccount_order1.py b/src/authentic2_auth_fc/migrations/0003_fcaccount_order1.py
index 506db3f1..f4ed8399 100644
--- a/src/authentic2_auth_fc/migrations/0003_fcaccount_order1.py
+++ b/src/authentic2_auth_fc/migrations/0003_fcaccount_order1.py
@@ -12,15 +12,13 @@ def set_fcaccount_order(apps, schema_editor):
     c = Counter()
     FcAccount.objects.update(order=0)
     user_ids = (
-        FcAccount.objects
-        .values('user_id')
+        FcAccount.objects.values('user_id')
         .annotate(total=models.Count('id'))
         .filter(total__gt=1)
         .values_list('user_id', flat=True)
     )
     subs = (
-        FcAccount.objects
-        .values_list('sub')
+        FcAccount.objects.values_list('sub')
         .annotate(total=models.Count('id'))
         .filter(total__gt=1)
         .values_list('sub', flat=True)
diff --git a/src/authentic2_auth_fc/models.py b/src/authentic2_auth_fc/models.py
index f0a1ded7..81c923a0 100644
--- a/src/authentic2_auth_fc/models.py
+++ b/src/authentic2_auth_fc/models.py
@@ -53,9 +53,7 @@ def parse_id_token(id_token, client_id=None, client_secret=None):
         return None, 'invalid signature'
     signed = '%s.%s' % (header, payload)
     if client_secret is not None:
-        h = hmac.HMAC(
-                key=client_secret, msg=force_bytes(signed),
-                digestmod=hashlib.sha256)
+        h = hmac.HMAC(key=client_secret, msg=force_bytes(signed), digestmod=hashlib.sha256)
         if h.digest() != signature:
             return None, 'hmac signature does not match'
     payload = base64url_decode(str(payload))
@@ -84,23 +82,16 @@ def parse_id_token(id_token, client_id=None, client_secret=None):
 
 
 class FcAccount(models.Model):
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    modified = models.DateTimeField(
-        verbose_name=_('modified'),
-        auto_now=True)
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    modified = models.DateTimeField(verbose_name=_('modified'), auto_now=True)
     user = models.ForeignKey(
         to=settings.AUTH_USER_MODEL,
         verbose_name=_('user'),
         related_name='fc_accounts',
-        on_delete=models.CASCADE)
-    sub = models.TextField(
-        verbose_name=_('sub'),
-        db_index=True)
-    order = models.PositiveIntegerField(
-        verbose_name=_('order'),
-        default=0)
+        on_delete=models.CASCADE,
+    )
+    sub = models.TextField(verbose_name=_('sub'), db_index=True)
+    order = models.PositiveIntegerField(verbose_name=_('order'), default=0)
     token = models.TextField(verbose_name=_('access token'))
     user_info = models.TextField(verbose_name=_('access token'), blank=True, null=True)
 
diff --git a/src/authentic2_auth_fc/utils.py b/src/authentic2_auth_fc/utils.py
index bcb8db23..2ffee658 100644
--- a/src/authentic2_auth_fc/utils.py
+++ b/src/authentic2_auth_fc/utils.py
@@ -106,8 +106,7 @@ def mapping_to_value(mapping, user_info):
         elif mapping['translation'] == 'isodate':
             value = datetime.datetime.strptime(value, '%Y-%m-%d').date()
         elif mapping['translation'] == 'simple':
-            value = mapping['translation_simple'].get(
-                value, mapping.get('translation_simple_default', ''))
+            value = mapping['translation_simple'].get(value, mapping.get('translation_simple_default', ''))
         elif mapping['translation'] == 'notempty':
             value = bool(value)
         else:
@@ -121,10 +120,7 @@ _insee_communes = None
 def resolve_insee_commune(insee_code):
     global _insee_communes
     if not _insee_communes:
-        _insee_communes = json.load(
-            open(
-                os.path.join(
-                    os.path.dirname(__file__), 'insee-communes.json')))
+        _insee_communes = json.load(open(os.path.join(os.path.dirname(__file__), 'insee-communes.json')))
     return _insee_communes.get(insee_code, _('Unknown INSEE code'))
 
 
@@ -135,10 +131,7 @@ def resolve_insee_country(insee_code):
     global _insee_countries
 
     if not _insee_countries:
-        _insee_countries = json.load(
-            open(
-                os.path.join(
-                    os.path.dirname(__file__), 'insee-countries.json')))
+        _insee_countries = json.load(open(os.path.join(os.path.dirname(__file__), 'insee-countries.json')))
     return _insee_countries.get(insee_code, _('Unknown INSEE code'))
 
 
diff --git a/src/authentic2_auth_fc/views.py b/src/authentic2_auth_fc/views.py
index 99eaabae..9eef2fe9 100644
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@@ -37,6 +37,7 @@ from django.core import signing
 from django.core.cache import InvalidCacheBackendError, caches
 from django.core.exceptions import PermissionDenied
 from django.forms import Form
+
 try:
     from django.contrib.auth.views import update_session_auth_hash
 except ImportError:
@@ -57,6 +58,7 @@ class LoggerMixin(object):
         self.logger = logging.getLogger(__name__)
         super(LoggerMixin, *args, **kwargs)
 
+
 try:
     cache = caches['fc']
 except InvalidCacheBackendError:
@@ -107,9 +109,12 @@ def resolve_access_token(authorization_code, redirect_uri, logger):
     try:
         session = utils.requests_retry_session()
         response = session.post(
-            app_settings.token_url, data=data,
+            app_settings.token_url,
+            data=data,
             verify=app_settings.verify_certificate,
-            allow_redirects=False, timeout=3)
+            allow_redirects=False,
+            timeout=3,
+        )
         if response.status_code != 200:
             try:
                 data = response.json()
@@ -128,13 +133,15 @@ def resolve_access_token(authorization_code, redirect_uri, logger):
         except ValueError:
             logger.error(
                 'no JSON object can be decoded from the data received from %s: %r',
-                app_settings.token_url, response.content[:1024])
+                app_settings.token_url,
+                response.content[:1024],
+            )
 
 
 def access_token_from_request(request, logger):
-    '''Resolve an access token given a request returning from the authorization
-       endpoint.
-    '''
+    """Resolve an access token given a request returning from the authorization
+    endpoint.
+    """
     code = request.GET.get('code')
     state = request.GET.get('state')
     if not code:
@@ -161,6 +168,7 @@ def clean_fc_session(session):
 
 class FcOAuthSessionViewMixin(LoggerMixin):
     '''Add the OAuth2 dance to a view'''
+
     redirect_field_name = REDIRECT_FIELD_NAME
     in_popup = False
     token = None
@@ -171,8 +179,9 @@ class FcOAuthSessionViewMixin(LoggerMixin):
 
     def redirect_to(self, request):
         if request.method == 'POST':
-            redirect_to = request.POST.get(self.redirect_field_name,
-                                           request.GET.get(self.redirect_field_name, ''))
+            redirect_to = request.POST.get(
+                self.redirect_field_name, request.GET.get(self.redirect_field_name, '')
+            )
         else:
             redirect_to = request.GET.get(self.redirect_field_name, '')
 
@@ -182,11 +191,10 @@ class FcOAuthSessionViewMixin(LoggerMixin):
         return redirect_to
 
     def close_popup_redirect(self, request, next_url, *args, **kwargs):
-        '''Show a page to close the current popup and reload the parent window
-           with the return url.
-        '''
-        return render(request, 'authentic2_auth_fc/close-popup-redirect.html',
-                      {'redirect_to': next_url})
+        """Show a page to close the current popup and reload the parent window
+        with the return url.
+        """
+        return render(request, 'authentic2_auth_fc/close-popup-redirect.html', {'redirect_to': next_url})
 
     def simple_redirect(self, request, next_url, *args, **kwargs):
         return a2_utils.redirect(request, next_url, *args, resolve=False, **kwargs)
@@ -196,8 +204,7 @@ class FcOAuthSessionViewMixin(LoggerMixin):
         if next_url is None:
             next_url = self.redirect_to(request, *args, **kwargs)
         if self.get_in_popup():
-            return self.close_popup_redirect(request, next_url, *args,
-                                             **kwargs)
+            return self.close_popup_redirect(request, next_url, *args, **kwargs)
         else:
             return self.simple_redirect(request, next_url, *args, **kwargs)
 
@@ -224,12 +231,13 @@ class FcOAuthSessionViewMixin(LoggerMixin):
                 return data
             except ValueError:
                 self.logger.error(
-                    'no JSON object can be decoded from the data received from %s: %r',
-                    url, data.content)
+                    'no JSON object can be decoded from the data received from %s: %r', url, data.content
+                )
 
     def get_user_info(self):
-        return self.get_ressource(app_settings.userinfo_url + '?schema=openid',
-                                  app_settings.verify_certificate)
+        return self.get_ressource(
+            app_settings.userinfo_url + '?schema=openid', app_settings.verify_certificate
+        )
 
     def get_data(self, scopes=[]):
         data = dict()
@@ -252,8 +260,9 @@ class FcOAuthSessionViewMixin(LoggerMixin):
         if error_description:
             msg += _('("%s")') % error_description
         messages.error(request, msg)
-        self.logger.warning('auth_fc: authorization failed with error=%r error_description=%r',
-                            error, error_description or '')
+        self.logger.warning(
+            'auth_fc: authorization failed with error=%r error_description=%r', error, error_description or ''
+        )
         return self.redirect(request)
 
     def dispatch(self, request, *args, **kwargs):
@@ -273,14 +282,17 @@ class FcOAuthSessionViewMixin(LoggerMixin):
             if 'error' in self.token:
                 msg = 'token request failed : {}'.format(self.token)
                 self.logger.warning(msg)
-                messages.warning(request, _('Unable to connect to FranceConnect: "%s".') % self.token['error'])
+                messages.warning(
+                    request, _('Unable to connect to FranceConnect: "%s".') % self.token['error']
+                )
                 return self.redirect(request)
             key = app_settings.client_secret
             # duck-type unicode/Py3 strings
             if hasattr(key, 'isdecimal'):
                 key = key.encode('utf-8')
             self.id_token, error = models.parse_id_token(
-                self.token['id_token'], client_id=app_settings.client_id, client_secret=key)
+                self.token['id_token'], client_id=app_settings.client_id, client_secret=key
+            )
             if not self.id_token:
                 self.logger.error(u'validation of id_token failed: %s', error)
                 messages.warning(request, _('Unable to connect to FranceConnect.'))
@@ -288,16 +300,17 @@ class FcOAuthSessionViewMixin(LoggerMixin):
             nonce = self.id_token.get('nonce')
             states = request.session.get('fc_states', {})
             if not nonce or nonce not in states:
-                self.logger.error(u'invalid nonce in id_token %s, known ones %s', nonce,
-                                  u', '.join(states.keys()))
+                self.logger.error(
+                    u'invalid nonce in id_token %s, known ones %s', nonce, u', '.join(states.keys())
+                )
                 messages.warning(request, _('Unable to connect to FranceConnect.'))
                 return self.redirect(request)
             self.logger.debug('fc id_token %s', self.id_token)
             for key in self.id_token:
                 setattr(self, key, self.id_token[key])
             self.oauth_session = lambda: utils.requests_retry_session(
-                session=OAuth2Session(
-                    app_settings.client_id, token=self.token))
+                session=OAuth2Session(app_settings.client_id, token=self.token)
+            )
             self.user_info = self.get_user_info()
             if not self.user_info:
                 self.logger.error('userinfo resolution failed: %s', self.token)
@@ -316,9 +329,7 @@ class FcOAuthSessionViewMixin(LoggerMixin):
                 for scope in self.data:
                     fc_data.setdefault(scope, []).extend(self.data[scope])
                 self.logger.debug('fc data in session %s', self.request.session['fc_data'])
-            return super(FcOAuthSessionViewMixin, self).dispatch(request,
-                                                                 *args,
-                                                                 **kwargs)
+            return super(FcOAuthSessionViewMixin, self).dispatch(request, *args, **kwargs)
         elif 'error' in request.GET:
             return self.authorization_error(request, *args, **kwargs)
         else:
@@ -349,10 +360,10 @@ class PopupViewMixin(object):
 
 
 class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
-    '''Login with FC, if the FC account is already linked, connect this user,
-       if a user is logged link the user to this account, otherwise display an
-       error message.
-    '''
+    """Login with FC, if the FC account is already linked, connect this user,
+    if a user is logged link the user to this account, otherwise display an
+    error message.
+    """
 
     def update_user_info(self):
         self.fc_account.token = json.dumps(self.token)
@@ -366,13 +377,15 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
             # currently logged :
             if models.FcAccount.objects.filter(user=request.user, order=0).count():
                 # cannot link because we are already linked to another FC account
-                messages.error(request,
-                               _('Your account is already linked to a FranceConnect account'))
+                messages.error(request, _('Your account is already linked to a FranceConnect account'))
             else:
                 # cannot link because the FC account is already linked to another account.
-                messages.error(request,
-                               _('The FranceConnect account {} is already'
-                                 ' linked with another account.').format(self.fc_display_name))
+                messages.error(
+                    request,
+                    _('The FranceConnect account {} is already' ' linked with another account.').format(
+                        self.fc_display_name
+                    ),
+                )
         else:
             # not logged, cannot login because the user is disabled (user.is_active is False)
             messages.error(request, _('Your account is disabled.'))
@@ -386,16 +399,17 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
             # Prevent to add a link with an FC account already linked with another user.
             try:
                 self.fc_account, created = models.FcAccount.objects.get_or_create(
-                    sub=self.sub, user=request.user, order=0,
-                    defaults={'token': json.dumps(self.token)})
+                    sub=self.sub, user=request.user, order=0, defaults={'token': json.dumps(self.token)}
+                )
             except IntegrityError:
                 # unique index check failed, find why.
                 return self.uniqueness_check_failed(request)
 
             if created:
                 self.logger.info('fc link created sub %s', self.sub)
-                messages.info(request,
-                              _('Your FranceConnect account {} has been linked.').format(self.fc_display_name))
+                messages.info(
+                    request, _('Your FranceConnect account {} has been linked.').format(self.fc_display_name)
+                )
                 hooks.call_hooks('event', name='fc-link', user=request.user, sub=self.sub, request=request)
             else:
                 messages.info(request, _('Your local account has been updated.'))
@@ -404,11 +418,7 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
 
         default_ou = get_default_ou()
         email_is_unique = a2_app_settings.A2_EMAIL_IS_UNIQUE or default_ou.email_is_unique
-        user = a2_utils.authenticate(
-            request,
-            sub=self.sub,
-            user_info=self.user_info,
-            token=self.token)
+        user = a2_utils.authenticate(request, sub=self.sub, user_info=self.user_info, token=self.token)
         if user:
             self.fc_account = user.fc_accounts.get(order=0)
         if not user and self.user_info.get('email') and email_is_unique:
@@ -421,8 +431,7 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
             if qs.exists():
                 # there should not be multiple accounts with the same mail
                 if len(qs) > 1:
-                    self.logger.error(u'multiple accounts with the same mail %s, %s', email,
-                                      list(qs))
+                    self.logger.error(u'multiple accounts with the same mail %s, %s', email, list(qs))
                 # ok we have one account
                 elif len(qs) == 1:
                     user = qs[0]
@@ -430,28 +439,31 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
                     if not user.fc_accounts.exists():
                         try:
                             self.fc_account, created = models.FcAccount.objects.get_or_create(
-                                defaults={'token': json.dumps(self.token)},
-                                sub=self.sub, user=user, order=0)
+                                defaults={'token': json.dumps(self.token)}, sub=self.sub, user=user, order=0
+                            )
                         except IntegrityError:
                             # unique index check failed, find why.
                             return self.uniqueness_check_failed(request)
 
                         if created:
                             self.logger.info(u'fc link created sub %s user %s', self.sub, user)
-                            hooks.call_hooks('event', name='fc-link', user=user, sub=self.sub,
-                                             request=request)
+                            hooks.call_hooks(
+                                'event', name='fc-link', user=user, sub=self.sub, request=request
+                            )
                         user = a2_utils.authenticate(
-                            request=request,
-                            sub=self.sub,
-                            user_info=self.user_info,
-                            token=self.token)
+                            request=request, sub=self.sub, user_info=self.user_info, token=self.token
+                        )
                     else:
                         messages.warning(
                             request,
-                            _('Your FranceConnect email address \'%s\' is already used by another '
-                              'account, so we cannot create an account for you. Please create an '
-                              'account with another email address then link it to FranceConnect '
-                              'using your account management page.') % email)
+                            _(
+                                'Your FranceConnect email address \'%s\' is already used by another '
+                                'account, so we cannot create an account for you. Please create an '
+                                'account with another email address then link it to FranceConnect '
+                                'using your account management page.'
+                            )
+                            % email,
+                        )
                         return self.redirect(request)
         if user:
             views_utils.check_cookie_works(request)
@@ -469,13 +481,13 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
             if self.service:
                 set_service_ref(params, self.service)
             if registration:
-                return self.redirect_and_come_back(request,
-                                                   a2_utils.make_url('fc-registration',
-                                                                     params=params),
-                                                   params=params)
+                return self.redirect_and_come_back(
+                    request, a2_utils.make_url('fc-registration', params=params), params=params
+                )
             else:
-                messages.info(request, _('If you already have an account, please log in, else '
-                                         'create your account.'))
+                messages.info(
+                    request, _('If you already have an account, please log in, else ' 'create your account.')
+                )
 
                 login_params = params.copy()
                 if not app_settings.show_button_quick_account_creation:
@@ -500,8 +512,9 @@ class RegistrationView(PopupViewMixin, LoggerMixin, View):
         # Prevent errors when redirect_to does not contain fc-login-or-link view
         parsed_redirect_to = urlparse.urlparse(redirect_to)
         if parsed_redirect_to.path == reverse('fc-login-or-link'):
-            redirect_to = urlparse.parse_qs(parsed_redirect_to.query) \
-                .get(REDIRECT_FIELD_NAME, [a2_utils.make_url('auth_homepage')])[0]
+            redirect_to = urlparse.parse_qs(parsed_redirect_to.query).get(
+                REDIRECT_FIELD_NAME, [a2_utils.make_url('auth_homepage')]
+            )[0]
         params = {
             REDIRECT_FIELD_NAME: redirect_to,
         }
@@ -513,18 +526,16 @@ class RegistrationView(PopupViewMixin, LoggerMixin, View):
         redirect_to = a2_utils.make_url('fc-login-or-link', params=params)
         if 'email' not in data:
             data[REDIRECT_FIELD_NAME] = redirect_to
-            messages.warning(request,
-                             _("FranceConnect didn't provide your email address, please do."))
-            return HttpResponseRedirect("{}?token={}".format(reverse('registration_register'),
-                                                             signing.dumps(data)))
+            messages.warning(request, _("FranceConnect didn't provide your email address, please do."))
+            return HttpResponseRedirect(
+                "{}?token={}".format(reverse('registration_register'), signing.dumps(data))
+            )
         data['valid_email'] = False
         data['franceconnect'] = True
         data['authentication_method'] = 'france-connect'
         if service:
             set_service_ref(data, service)
-        activation_url = a2_utils.build_activation_url(request,
-                                                       next_url=redirect_to,
-                                                       **data)
+        activation_url = a2_utils.build_activation_url(request, next_url=redirect_to, **data)
         return HttpResponseRedirect(activation_url)
 
 
@@ -613,4 +624,5 @@ class LogoutReturnView(View):
             next_url = reverse('auth_logout')
         return HttpResponseRedirect(next_url)
 
+
 logout = LogoutReturnView.as_view()
diff --git a/src/authentic2_auth_oidc/admin.py b/src/authentic2_auth_oidc/admin.py
index b713bfd4..95452861 100644
--- a/src/authentic2_auth_oidc/admin.py
+++ b/src/authentic2_auth_oidc/admin.py
@@ -33,12 +33,26 @@ class OIDCClaimMappingForm(forms.ModelForm):
         claim_widget = self.fields['claim'].widget
         # fill datalist with standard claims from
         # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-        claim_widget.data = ('sub', 'name', 'given_name', 'family_name',
-                             'nickname' 'preferred_username', 'profile',
-                             'picture', 'website', 'email', 'email_verified',
-                             'gender', 'birthdate', 'zoneinfo', 'locale',
-                             'phone_number', 'phone_number_verified',
-                             'address', 'updated_at')
+        claim_widget.data = (
+            'sub',
+            'name',
+            'given_name',
+            'family_name',
+            'nickname' 'preferred_username',
+            'profile',
+            'picture',
+            'website',
+            'email',
+            'email_verified',
+            'gender',
+            'birthdate',
+            'zoneinfo',
+            'locale',
+            'phone_number',
+            'phone_number_verified',
+            'address',
+            'updated_at',
+        )
         claim_widget.name = 'list__oidcclaim-mapping-inline'
         claim_widget.attrs.update({'list': 'list__oidcclaim-mapping-inline'})
 
@@ -57,7 +71,11 @@ class OIDCClaimMappingForm(forms.ModelForm):
     class Meta:
         model = models.OIDCClaimMapping
         fields = [
-            'claim', 'attribute', 'verified', 'required', 'idtoken_claim',
+            'claim',
+            'attribute',
+            'verified',
+            'required',
+            'idtoken_claim',
         ]
         readonly_fields = ['created', 'modified']
         widgets = {
@@ -87,5 +105,6 @@ class OIDCAccountAdmin(admin.ModelAdmin):
     list_filter = ['provider']
     readonly_fields = ['provider', 'user', 'sub', 'created', 'modified']
 
+
 admin.site.register(models.OIDCProvider, OIDCProviderAdmin)
 admin.site.register(models.OIDCAccount, OIDCAccountAdmin)
diff --git a/src/authentic2_auth_oidc/app_settings.py b/src/authentic2_auth_oidc/app_settings.py
index e998d8b3..5a535703 100644
--- a/src/authentic2_auth_oidc/app_settings.py
+++ b/src/authentic2_auth_oidc/app_settings.py
@@ -19,6 +19,7 @@ import sys
 
 class AppSettings(object):
     '''Thanks django-allauth'''
+
     __SENTINEL = object()
 
     def __init__(self, prefix):
@@ -37,6 +38,7 @@ class AppSettings(object):
     def ENABLE(self):
         return self._setting('ENABLE', True)
 
+
 app_settings = AppSettings('A2_AUTH_OIDC_')
 app_settings.__name__ = __name__
 sys.modules[__name__] = app_settings
diff --git a/src/authentic2_auth_oidc/apps.py b/src/authentic2_auth_oidc/apps.py
index fc2de0f3..13684f53 100644
--- a/src/authentic2_auth_oidc/apps.py
+++ b/src/authentic2_auth_oidc/apps.py
@@ -18,7 +18,6 @@ import django.apps
 
 
 class Plugin(object):
-
     def revoke_token(self, provider, access_token):
         import logging
         import requests
@@ -27,12 +26,14 @@ class Plugin(object):
 
         url = provider.token_revocation_endpoint
         try:
-            response = requests.post(url, auth=(provider.client_id, provider.client_secret),
-                                     data={'token': access_token, 'token_type': 'access_token'},
-                                     timeout=10)
+            response = requests.post(
+                url,
+                auth=(provider.client_id, provider.client_secret),
+                data={'token': access_token, 'token_type': 'access_token'},
+                timeout=10,
+            )
         except requests.RequestException as e:
-            logger.warning('failed to revoke access token from OIDC provider %s: %s',
-                           provider.issuer, e)
+            logger.warning('failed to revoke access token from OIDC provider %s: %s', provider.issuer, e)
             return
         try:
             response.raise_for_status()
@@ -41,8 +42,9 @@ class Plugin(object):
                 content = response.json()
             except ValueError:
                 content = None
-            logger.warning('failed to revoke access token from OIDC provider %s: %s, %s',
-                           provider.issuer, e, content)
+            logger.warning(
+                'failed to revoke access token from OIDC provider %s: %s, %s', provider.issuer, e, content
+            )
             return
         logger.info('revoked token from OIDC provider %s', provider.issuer)
 
@@ -80,20 +82,18 @@ class AppConfig(django.apps.AppConfig):
         from django.db.models.signals import pre_save
         from authentic2.custom_user.models import DeletedUser
 
-        pre_save.connect(
-            self.pre_save_deleted_user,
-            sender=DeletedUser)
+        pre_save.connect(self.pre_save_deleted_user, sender=DeletedUser)
 
     def pre_save_deleted_user(self, sender, instance, **kwargs):
         '''Delete and copy OIDCAccount to old_data'''
         from .models import OIDCAccount
 
-        oidc_accounts = (
-            OIDCAccount.objects.filter(user__uuid=instance.old_uuid).order_by('id')
-        )
+        oidc_accounts = OIDCAccount.objects.filter(user__uuid=instance.old_uuid).order_by('id')
         for oidc_account in oidc_accounts:
             instance.old_data = instance.old_data or {}
-            instance.old_data.setdefault('oidc_accounts', []).append({
-                'issuer': oidc_account.provider.issuer,
-                'sub': oidc_account.sub,
-            })
+            instance.old_data.setdefault('oidc_accounts', []).append(
+                {
+                    'issuer': oidc_account.provider.issuer,
+                    'sub': oidc_account.sub,
+                }
+            )
diff --git a/src/authentic2_auth_oidc/authenticators.py b/src/authentic2_auth_oidc/authenticators.py
index cb3040d5..cd798d93 100644
--- a/src/authentic2_auth_oidc/authenticators.py
+++ b/src/authentic2_auth_oidc/authenticators.py
@@ -53,8 +53,11 @@ class OIDCAuthenticator(BaseAuthenticator):
         if kwargs.get('instance'):
             instance = kwargs['instance']
             context['provider'] = instance
-            context['login_url'] = make_url('oidc-login', kwargs={'pk': instance.id},
-                                            request=request, keep_params=True)
-            template_names = ['authentic2_auth_oidc/login_%s.html' % instance.slug,
-                              'authentic2_auth_oidc/login.html']
+            context['login_url'] = make_url(
+                'oidc-login', kwargs={'pk': instance.id}, request=request, keep_params=True
+            )
+            template_names = [
+                'authentic2_auth_oidc/login_%s.html' % instance.slug,
+                'authentic2_auth_oidc/login.html',
+            ]
             return render(request, template_names, context)
diff --git a/src/authentic2_auth_oidc/backends.py b/src/authentic2_auth_oidc/backends.py
index 6fa3962a..29a3d4e6 100644
--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -59,66 +59,81 @@ class OIDCBackend(ModelBackend):
         if provider.idtoken_algo == models.OIDCProvider.ALGO_RSA:
             key_or_keyset = provider.jwkset
             if not key_or_keyset:
-                logger.warning('auth_oidc: idtoken signature algorithm is RSA but '
-                               'no JWKSet is defined on provider %s', id_token.iss)
+                logger.warning(
+                    'auth_oidc: idtoken signature algorithm is RSA but '
+                    'no JWKSet is defined on provider %s',
+                    id_token.iss,
+                )
                 return None
             algs = ['RS256', 'RS384', 'RS512']
         elif provider.idtoken_algo == models.OIDCProvider.ALGO_HMAC:
             k = base64url_encode(provider.client_secret.encode('utf-8'))
             key_or_keyset = JWK(kty='oct', k=k.decode('ascii'))
             if not provider.client_secret:
-                logger.warning('auth_oidc: idtoken signature algorithm is HMAC but '
-                               'no client_secret is defined on provider %s', id_token.iss)
+                logger.warning(
+                    'auth_oidc: idtoken signature algorithm is HMAC but '
+                    'no client_secret is defined on provider %s',
+                    id_token.iss,
+                )
                 return None
             algs = ['HS256', 'HS384', 'HS512']
         elif provider.idtoken_algo == models.OIDCProvider.ALGO_EC:
             key_or_keyset = provider.jwkset
             if not key_or_keyset:
-                logger.warning('auth_oidc: idtoken signature algorithm is EC but '
-                               'no JWKSet is defined on provider %s', id_token.iss)
+                logger.warning(
+                    'auth_oidc: idtoken signature algorithm is EC but ' 'no JWKSet is defined on provider %s',
+                    id_token.iss,
+                )
                 return None
             algs = ['ES256', 'ES384', 'ES512']
 
         if key_or_keyset:
-            jwt = JWT(jwt=original_id_token,
-                      key=key_or_keyset,
-                      check_claims={}, algs=algs)
+            jwt = JWT(jwt=original_id_token, key=key_or_keyset, check_claims={}, algs=algs)
             jwt.claims
 
         if isinstance(id_token.aud, six.text_type) and provider.client_id != id_token.aud:
-            logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s',
-                           id_token.aud, provider.client_id)
+            logger.warning(
+                'auth_oidc: invalid id_token audience %s != provider client_id %s',
+                id_token.aud,
+                provider.client_id,
+            )
             return None
         if isinstance(id_token.aud, list):
             if provider.client_id not in id_token.aud:
-                logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s',
-                               id_token.aud, provider.client_id)
+                logger.warning(
+                    'auth_oidc: invalid id_token audience %s != provider client_id %s',
+                    id_token.aud,
+                    provider.client_id,
+                )
                 return None
             if len(id_token.aud) > 1 and 'azp' not in id_token:
-                logger.warning('auth_oidc: multiple audience and azp not set',
-                               id_token.aud, provider.client_id)
+                logger.warning(
+                    'auth_oidc: multiple audience and azp not set', id_token.aud, provider.client_id
+                )
                 return None
             if id_token.azp != provider.client_id:
-                logger.warning('auth_oidc: multiple audience and azp %r does not match client_id'
-                               ' %r',
-                               id_token.azp, provider.client_id)
+                logger.warning(
+                    'auth_oidc: multiple audience and azp %r does not match client_id' ' %r',
+                    id_token.azp,
+                    provider.client_id,
+                )
                 return None
 
         if provider.max_auth_age:
             if not id_token.iat:
-                logger.warning('auth_oidc: provider configured for fresh authentication but iat is '
-                               'missing from idtoken')
+                logger.warning(
+                    'auth_oidc: provider configured for fresh authentication but iat is '
+                    'missing from idtoken'
+                )
                 return None
             duration = now() - id_token.iat
             if duration > datetime.timedelta(seconds=provider.max_auth_age):
-                logger.warning('auth_oidc: authentication is too old %s (%s old)', id_token.iat,
-                               duration)
+                logger.warning('auth_oidc: authentication is too old %s (%s old)', id_token.iat, duration)
                 return None
 
         id_token_nonce = getattr(id_token, 'nonce', None)
         if nonce and nonce != id_token_nonce:
-            logger.warning('auth_oidc: id_token nonce %r != expected nonce %r',
-                           id_token_nonce, nonce)
+            logger.warning('auth_oidc: id_token nonce %r != expected nonce %r', id_token_nonce, nonce)
             return None
 
         User = get_user_model()
@@ -131,14 +146,13 @@ class OIDCBackend(ModelBackend):
             except User.DoesNotExist:
                 pass
             else:
-                logger.info('auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub,
-                            user)
+                logger.info('auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub, user)
 
         else:
             try:
-                user = User.objects.get(oidc_account__provider=provider,
-                                        oidc_account__sub=id_token.sub,
-                                        is_active=True)
+                user = User.objects.get(
+                    oidc_account__provider=provider, oidc_account__sub=id_token.sub, is_active=True
+                )
             except User.DoesNotExist:
                 pass
             else:
@@ -150,14 +164,17 @@ class OIDCBackend(ModelBackend):
         user_info = None
         if need_user_info:
             if not access_token:
-                logger.warning('auth_oidc: need user info for some claims, but no access token was '
-                               'returned')
+                logger.warning(
+                    'auth_oidc: need user info for some claims, but no access token was ' 'returned'
+                )
                 return None
             try:
-                response = requests.get(provider.userinfo_endpoint,
-                                        headers={
-                                            'Authorization': 'Bearer %s' % access_token,
-                                        })
+                response = requests.get(
+                    provider.userinfo_endpoint,
+                    headers={
+                        'Authorization': 'Bearer %s' % access_token,
+                    },
+                )
                 response.raise_for_status()
             except requests.RequestException as e:
                 logger.warning('auth_oidc: failed to retrieve user info %s', e)
@@ -165,8 +182,7 @@ class OIDCBackend(ModelBackend):
                 try:
                     user_info = response.json()
                 except ValueError as e:
-                    logger.warning('auth_oidc: bad JSON in user info response, %s (%r)', e,
-                                   response.content)
+                    logger.warning('auth_oidc: bad JSON in user info response, %s (%r)', e, response.content)
 
         # check for required claims
         for claim_mapping in provider.claim_mappings.all():
@@ -175,13 +191,18 @@ class OIDCBackend(ModelBackend):
                 if '{{' in claim or '{%' in claim:
                     logger.warning('claim \'%r\' is templated, it cannot be set as required')
                 elif claim_mapping.idtoken_claim and claim not in id_token:
-                    logger.warning('auth_oidc: cannot create user missing required claim %r in '
-                                   'id_token (%r)',
-                                   claim, id_token)
+                    logger.warning(
+                        'auth_oidc: cannot create user missing required claim %r in ' 'id_token (%r)',
+                        claim,
+                        id_token,
+                    )
                     return None
                 elif not user_info or claim not in user_info:
-                    logger.warning('auth_oidc: cannot create user missing required claim %r in '
-                                   'user_info (%r)', claim, user_info)
+                    logger.warning(
+                        'auth_oidc: cannot create user missing required claim %r in ' 'user_info (%r)',
+                        claim,
+                        user_info,
+                    )
                     return None
 
         # map claims to attributes or user fields
@@ -240,57 +261,73 @@ class OIDCBackend(ModelBackend):
                 except User.DoesNotExist:
                     pass
                 except User.MultipleObjectsReturned:
-                    logger.error('auth_oidc: cannot create user with sub "%s", '
-                                 'too many users with the same email "%s" in ou "%s"',
-                                 id_token.sub, email, provider.ou)
+                    logger.error(
+                        'auth_oidc: cannot create user with sub "%s", '
+                        'too many users with the same email "%s" in ou "%s"',
+                        id_token.sub,
+                        email,
+                        provider.ou,
+                    )
                     return
                 if not user:
                     user = User.objects.create(ou=provider.ou)
                     user.set_unusable_password()
                     created = True
                 oidc_account, created = models.OIDCAccount.objects.get_or_create(
-                    provider=provider,
-                    user=user,
-                    defaults={'sub': id_token.sub})
+                    provider=provider, user=user, defaults={'sub': id_token.sub}
+                )
                 if not created and oidc_account.sub != id_token.sub:
-                    logger.info('auth_oidc: changed user %s sub from %s to %s (issuer %s)',
-                                user, oidc_account.sub, id_token.sub, id_token.iss)
+                    logger.info(
+                        'auth_oidc: changed user %s sub from %s to %s (issuer %s)',
+                        user,
+                        oidc_account.sub,
+                        id_token.sub,
+                        id_token.iss,
+                    )
                     oidc_account.sub = id_token.sub
                     oidc_account.save()
             else:
-                logger.warning('auth_oidc: cannot create user for sub %r as issuer %r does not'
-                               ' allow it', id_token.sub, id_token.iss)
+                logger.warning(
+                    'auth_oidc: cannot create user for sub %r as issuer %r does not' ' allow it',
+                    id_token.sub,
+                    id_token.iss,
+                )
                 return None
 
         if created:
-            logger.info('auth_oidc: created user %s for sub %s and issuer %s',
-                        user, id_token.sub, id_token.iss)
+            logger.info(
+                'auth_oidc: created user %s for sub %s and issuer %s', user, id_token.sub, id_token.iss
+            )
 
         if linked:
-            logger.info('auth_oidc: linked user %s to sub %s and issuer %s',
-                        user, id_token.sub, id_token.iss)
+            logger.info('auth_oidc: linked user %s to sub %s and issuer %s', user, id_token.sub, id_token.iss)
 
         # legacy attributes
         for attribute, value, verified in mappings:
             if attribute not in ('username', 'first_name', 'last_name', 'email'):
                 continue
             if getattr(user, attribute) != value:
-                logger.info('auth_oidc: set user %s attribute %s to value %s',
-                            user, attribute, value)
+                logger.info('auth_oidc: set user %s attribute %s to value %s', user, attribute, value)
                 setattr(user, attribute, value)
                 if attribute == 'email' and verified:
                     user.email_verified = True
                 save_user = True
 
         if user.ou != user_ou:
-            logger.info('auth_oidc: set user %s ou to %s',
-                        user, user_ou)
+            logger.info('auth_oidc: set user %s ou to %s', user, user_ou)
             user.ou = user_ou
             save_user = True
 
-        if any(hooks.call_hooks(
+        if any(
+            hooks.call_hooks(
                 'auth_oidc_backend_modify_user',
-                user=user, user_info=user_info, access_token=access_token, id_token=id_token, provider=provider)):
+                user=user,
+                user_info=user_info,
+                access_token=access_token,
+                id_token=id_token,
+                provider=provider,
+            )
+        ):
             save_user = True
 
         if save_user:
@@ -310,4 +347,5 @@ class OIDCBackend(ModelBackend):
 
     def get_saml2_authn_context(self):
         import lasso
+
         return lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
diff --git a/src/authentic2_auth_oidc/management/commands/oidc-register-issuer.py b/src/authentic2_auth_oidc/management/commands/oidc-register-issuer.py
index 1577ebad..eb2a1a6a 100644
--- a/src/authentic2_auth_oidc/management/commands/oidc-register-issuer.py
+++ b/src/authentic2_auth_oidc/management/commands/oidc-register-issuer.py
@@ -32,6 +32,7 @@ from django_rbac.utils import get_ou_model
 
 class Command(BaseCommand):
     '''Load LDAP ldif file'''
+
     can_import_django_settings = True
     requires_system_checks = True
     help = 'Register an OpenID Connect OP'
@@ -40,30 +41,21 @@ class Command(BaseCommand):
         parser.add_argument('name')
         parser.add_argument('--issuer', help='do automatic registration of the issuer')
         parser.add_argument(
-            '--openid-configuration',
-            help='file containing the OpenID Connect '
-                 'configuration of the OP'
+            '--openid-configuration', help='file containing the OpenID Connect ' 'configuration of the OP'
         )
         parser.add_argument(
-            '--claim-mapping', default=[], action='append',
-            help='mapping from claim to attribute'
+            '--claim-mapping', default=[], action='append', help='mapping from claim to attribute'
         )
         parser.add_argument(
-            '--delete-claim', default=[], action='append',
-            help='delete mapping from claim to attribute'
+            '--delete-claim', default=[], action='append', help='delete mapping from claim to attribute'
         )
         parser.add_argument('--client-id', help='registered client ID')
         parser.add_argument('--client-secret', help='register client secret')
+        parser.add_argument('--scope', default=[], action='append', help='extra scopes, openid is automatic')
         parser.add_argument(
-            '--scope', default=[], action='append',
-            help='extra scopes, openid is automatic')
-        parser.add_argument(
-            '--no-verify', default=False, action='store_true',
-            help='do not verify TLS certificates'
+            '--no-verify', default=False, action='store_true', help='do not verify TLS certificates'
         )
-        parser.add_argument(
-            '--show', default=False, action='store_true',
-            help='show provider configuration')
+        parser.add_argument('--show', default=False, action='store_true', help='show provider configuration')
         parser.add_argument('--ou-slug', help='slug of the ou, if absent default ou is used')
 
     @atomic
@@ -80,10 +72,13 @@ class Command(BaseCommand):
                 if options.get('ou_slug'):
                     OU = get_ou_model()
                     ou = OU.objects.get(slug=options['ou_slug'])
-                provider = register_issuer(name, issuer=issuer,
-                                           openid_configuration=openid_configuration,
-                                           verify=not options['no_verify'],
-                                           ou=ou)
+                provider = register_issuer(
+                    name,
+                    issuer=issuer,
+                    openid_configuration=openid_configuration,
+                    verify=not options['no_verify'],
+                    ou=ou,
+                )
             except ValueError as e:
                 raise CommandError(e)
         else:
@@ -110,8 +105,9 @@ class Command(BaseCommand):
         for claim_mapping in options.get('claim_mapping', []):
             tup = claim_mapping.split()
             if len(tup) < 2:
-                raise CommandError('invalid claim mapping %r. it must contain at least a claim and '
-                                   'an attribute name')
+                raise CommandError(
+                    'invalid claim mapping %r. it must contain at least a claim and ' 'an attribute name'
+                )
             claim, attribute = tup[:2]
             claim_options = [x.strip() for x in tup[2:]]
             extra = {
@@ -125,10 +121,8 @@ class Command(BaseCommand):
             else:
                 extra['verified'] = OIDCClaimMapping.NOT_VERIFIED
             o, created = OIDCClaimMapping.objects.get_or_create(
-                provider=provider,
-                claim=claim,
-                attribute=attribute,
-                defaults=extra)
+                provider=provider, claim=claim, attribute=attribute, defaults=extra
+            )
             if not created:
                 OIDCClaimMapping.objects.filter(pk=o.pk).update(**extra)
         delete_claims = options.get('delete_claim', [])
@@ -148,4 +142,3 @@ class Command(BaseCommand):
             print('Mappings:')
             for claim_mapping in provider.claim_mappings.all():
                 print('-', claim_mapping)
-
diff --git a/src/authentic2_auth_oidc/managers.py b/src/authentic2_auth_oidc/managers.py
index 721db684..9e05595a 100644
--- a/src/authentic2_auth_oidc/managers.py
+++ b/src/authentic2_auth_oidc/managers.py
@@ -21,6 +21,7 @@ class OIDCProviderQuerySet(QuerySet):
     def get_by_natural_key(self, issuer):
         return self.get(issuer=issuer)
 
+
 OIDCProviderManager = OIDCProviderQuerySet.as_manager
 
 
@@ -28,4 +29,5 @@ class OIDCClaimMappingQuerySet(QuerySet):
     def get_by_natural_key(self, claim, attribute, verified, required):
         return self.get(claim=claim, attribute=attribute, verified=verified, required=required)
 
+
 OIDCClaimMappingManager = OIDCClaimMappingQuerySet.as_manager
diff --git a/src/authentic2_auth_oidc/migrations/0001_initial.py b/src/authentic2_auth_oidc/migrations/0001_initial.py
index 4869a59c..8cb51d95 100644
--- a/src/authentic2_auth_oidc/migrations/0001_initial.py
+++ b/src/authentic2_auth_oidc/migrations/0001_initial.py
@@ -20,7 +20,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCAccount',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                 ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
                 ('sub', models.CharField(unique=True, max_length=256, verbose_name='sub')),
@@ -29,12 +32,25 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCClaimMapping',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('claim', models.CharField(max_length=64, verbose_name='claim')),
                 ('attribute', models.CharField(max_length=64, verbose_name='attribute')),
-                ('verified', models.PositiveIntegerField(default=0, verbose_name='verified', choices=[(0, 'not verified'), (1, 'verified claim'), (2, 'always verified')])),
+                (
+                    'verified',
+                    models.PositiveIntegerField(
+                        default=0,
+                        verbose_name='verified',
+                        choices=[(0, 'not verified'), (1, 'verified claim'), (2, 'always verified')],
+                    ),
+                ),
                 ('required', models.BooleanField(blank=True, default=False, verbose_name='required')),
-                ('idtoken_claim', models.BooleanField(blank=True, default=False, verbose_name='idtoken claim')),
+                (
+                    'idtoken_claim',
+                    models.BooleanField(blank=True, default=False, verbose_name='idtoken claim'),
+                ),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                 ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
             ],
@@ -42,38 +58,102 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCProvider',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(unique=True, max_length=128, verbose_name='name')),
-                ('issuer', models.CharField(unique=True, max_length=256, verbose_name='issuer', db_index=True)),
+                (
+                    'issuer',
+                    models.CharField(unique=True, max_length=256, verbose_name='issuer', db_index=True),
+                ),
                 ('client_id', models.CharField(default=uuid.uuid4, max_length=128, verbose_name='client id')),
-                ('client_secret', models.CharField(default=uuid.uuid4, max_length=128, verbose_name='client secret')),
-                ('authorization_endpoint', models.URLField(max_length=128, verbose_name='authorization endpoint')),
+                (
+                    'client_secret',
+                    models.CharField(default=uuid.uuid4, max_length=128, verbose_name='client secret'),
+                ),
+                (
+                    'authorization_endpoint',
+                    models.URLField(max_length=128, verbose_name='authorization endpoint'),
+                ),
                 ('token_endpoint', models.URLField(max_length=128, verbose_name='token endpoint')),
                 ('userinfo_endpoint', models.URLField(max_length=128, verbose_name='userinfo endpoint')),
-                ('end_session_endpoint', models.URLField(max_length=128, null=True, verbose_name='end session endpoint', blank=True)),
+                (
+                    'end_session_endpoint',
+                    models.URLField(
+                        max_length=128, null=True, verbose_name='end session endpoint', blank=True
+                    ),
+                ),
                 ('scopes', models.CharField(max_length=128, verbose_name='scopes', blank=True)),
-                ('jwkset_json', django.contrib.postgres.fields.jsonb.JSONField(blank=True, null=True, verbose_name='JSON WebKey set', validators=[authentic2_auth_oidc.models.validate_jwkset])),
-                ('idtoken_algo', models.PositiveIntegerField(default=1, verbose_name='IDToken signature algorithm', choices=[(0, 'none'), (1, 'RSA'), (2, 'HMAC'), (3, 'EC')])),
-                ('strategy', models.CharField(max_length=32, verbose_name='strategy', choices=[('create', 'create'), ('none', 'none')])),
-                ('max_auth_age', models.PositiveIntegerField(null=True, verbose_name='max authentication age', blank=True)),
+                (
+                    'jwkset_json',
+                    django.contrib.postgres.fields.jsonb.JSONField(
+                        blank=True,
+                        null=True,
+                        verbose_name='JSON WebKey set',
+                        validators=[authentic2_auth_oidc.models.validate_jwkset],
+                    ),
+                ),
+                (
+                    'idtoken_algo',
+                    models.PositiveIntegerField(
+                        default=1,
+                        verbose_name='IDToken signature algorithm',
+                        choices=[(0, 'none'), (1, 'RSA'), (2, 'HMAC'), (3, 'EC')],
+                    ),
+                ),
+                (
+                    'strategy',
+                    models.CharField(
+                        max_length=32,
+                        verbose_name='strategy',
+                        choices=[('create', 'create'), ('none', 'none')],
+                    ),
+                ),
+                (
+                    'max_auth_age',
+                    models.PositiveIntegerField(null=True, verbose_name='max authentication age', blank=True),
+                ),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                 ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
-                ('ou', models.ForeignKey(verbose_name='organizational unit', to=settings.RBAC_OU_MODEL, on_delete=models.CASCADE)),
+                (
+                    'ou',
+                    models.ForeignKey(
+                        verbose_name='organizational unit',
+                        to=settings.RBAC_OU_MODEL,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
         ),
         migrations.AddField(
             model_name='oidcclaimmapping',
             name='provider',
-            field=models.ForeignKey(related_name='claim_mappings', verbose_name='provider', to='authentic2_auth_oidc.OIDCProvider', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                related_name='claim_mappings',
+                verbose_name='provider',
+                to='authentic2_auth_oidc.OIDCProvider',
+                on_delete=models.CASCADE,
+            ),
         ),
         migrations.AddField(
             model_name='oidcaccount',
             name='provider',
-            field=models.ForeignKey(related_name='accounts', verbose_name='provider', to='authentic2_auth_oidc.OIDCProvider', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                related_name='accounts',
+                verbose_name='provider',
+                to='authentic2_auth_oidc.OIDCProvider',
+                on_delete=models.CASCADE,
+            ),
         ),
         migrations.AddField(
             model_name='oidcaccount',
             name='user',
-            field=models.OneToOneField(related_name='oidc_account', verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                related_name='oidc_account',
+                verbose_name='user',
+                to=settings.AUTH_USER_MODEL,
+                on_delete=models.CASCADE,
+            ),
         ),
     ]
diff --git a/src/authentic2_auth_oidc/migrations/0002_oidcprovider_token_revocation_endpoint.py b/src/authentic2_auth_oidc/migrations/0002_oidcprovider_token_revocation_endpoint.py
index dacde2f2..3a79eb8e 100644
--- a/src/authentic2_auth_oidc/migrations/0002_oidcprovider_token_revocation_endpoint.py
+++ b/src/authentic2_auth_oidc/migrations/0002_oidcprovider_token_revocation_endpoint.py
@@ -14,6 +14,8 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='oidcprovider',
             name='token_revocation_endpoint',
-            field=models.URLField(max_length=128, null=True, verbose_name='token revocation endpoint', blank=True),
+            field=models.URLField(
+                max_length=128, null=True, verbose_name='token revocation endpoint', blank=True
+            ),
         ),
     ]
diff --git a/src/authentic2_auth_oidc/migrations/0004_auto_20171017_1522.py b/src/authentic2_auth_oidc/migrations/0004_auto_20171017_1522.py
index 19630c07..b69356c1 100644
--- a/src/authentic2_auth_oidc/migrations/0004_auto_20171017_1522.py
+++ b/src/authentic2_auth_oidc/migrations/0004_auto_20171017_1522.py
@@ -14,6 +14,14 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='oidcprovider',
             name='strategy',
-            field=models.CharField(max_length=32, verbose_name='strategy', choices=[('create', 'create'), ('find-uuid', 'use sub to find existing user through UUID'), ('none', 'none')]),
+            field=models.CharField(
+                max_length=32,
+                verbose_name='strategy',
+                choices=[
+                    ('create', 'create'),
+                    ('find-uuid', 'use sub to find existing user through UUID'),
+                    ('none', 'none'),
+                ],
+            ),
         ),
     ]
diff --git a/src/authentic2_auth_oidc/models.py b/src/authentic2_auth_oidc/models.py
index f8c76595..eb6a0991 100644
--- a/src/authentic2_auth_oidc/models.py
+++ b/src/authentic2_auth_oidc/models.py
@@ -60,95 +60,49 @@ class OIDCProvider(models.Model):
         (ALGO_EC, _('EC')),
     ]
 
-    name = models.CharField(
-        unique=True,
-        max_length=128,
-        verbose_name=_('name'))
-    slug = models.SlugField(
-        unique=True,
-        max_length=256,
-        verbose_name=_('slug'),
-        blank=True,
-        null=True)
-    issuer = models.CharField(
-        max_length=256,
-        verbose_name=_('issuer'),
-        unique=True,
-        db_index=True)
-    client_id = models.CharField(
-        max_length=128,
-        default=uuid.uuid4,
-        verbose_name=_('client id'))
-    client_secret = models.CharField(
-        max_length=128,
-        default=uuid.uuid4,
-        verbose_name=_('client secret'))
+    name = models.CharField(unique=True, max_length=128, verbose_name=_('name'))
+    slug = models.SlugField(unique=True, max_length=256, verbose_name=_('slug'), blank=True, null=True)
+    issuer = models.CharField(max_length=256, verbose_name=_('issuer'), unique=True, db_index=True)
+    client_id = models.CharField(max_length=128, default=uuid.uuid4, verbose_name=_('client id'))
+    client_secret = models.CharField(max_length=128, default=uuid.uuid4, verbose_name=_('client secret'))
     # endpoints
-    authorization_endpoint = models.URLField(
-        max_length=128,
-        verbose_name=_('authorization endpoint'))
-    token_endpoint = models.URLField(
-        max_length=128,
-        verbose_name=_('token endpoint'))
-    userinfo_endpoint = models.URLField(
-        max_length=128,
-        verbose_name=_('userinfo endpoint'))
+    authorization_endpoint = models.URLField(max_length=128, verbose_name=_('authorization endpoint'))
+    token_endpoint = models.URLField(max_length=128, verbose_name=_('token endpoint'))
+    userinfo_endpoint = models.URLField(max_length=128, verbose_name=_('userinfo endpoint'))
     end_session_endpoint = models.URLField(
-        max_length=128,
-        blank=True,
-        null=True,
-        verbose_name=_('end session endpoint'))
+        max_length=128, blank=True, null=True, verbose_name=_('end session endpoint')
+    )
     token_revocation_endpoint = models.URLField(
-        max_length=128,
-        blank=True,
-        null=True,
-        verbose_name=_('token revocation endpoint'))
-    scopes = models.CharField(
-        max_length=128,
-        blank=True,
-        verbose_name=_('scopes'))
+        max_length=128, blank=True, null=True, verbose_name=_('token revocation endpoint')
+    )
+    scopes = models.CharField(max_length=128, blank=True, verbose_name=_('scopes'))
     jwkset_json = JSONField(
-        verbose_name=_('JSON WebKey set'),
-        null=True,
-        blank=True,
-        validators=[validate_jwkset])
+        verbose_name=_('JSON WebKey set'), null=True, blank=True, validators=[validate_jwkset]
+    )
     idtoken_algo = models.PositiveIntegerField(
-        default=ALGO_RSA,
-        choices=ALGO_CHOICES,
-        verbose_name=_('IDToken signature algorithm'))
+        default=ALGO_RSA, choices=ALGO_CHOICES, verbose_name=_('IDToken signature algorithm')
+    )
     claims_parameter_supported = models.BooleanField(
-        verbose_name=_('Claims parameter supported'),
-        default=False)
+        verbose_name=_('Claims parameter supported'), default=False
+    )
 
     # ou where new users should be created
-    strategy = models.CharField(
-        max_length=32,
-        choices=STRATEGIES,
-        verbose_name=_('strategy'))
+    strategy = models.CharField(max_length=32, choices=STRATEGIES, verbose_name=_('strategy'))
     ou = models.ForeignKey(
-        to=get_ou_model_name(),
-        verbose_name=_('organizational unit'),
-        on_delete=models.CASCADE)
+        to=get_ou_model_name(), verbose_name=_('organizational unit'), on_delete=models.CASCADE
+    )
 
     # policy
     max_auth_age = models.PositiveIntegerField(
-        verbose_name=_('max authentication age'),
-        blank=True,
-        null=True)
+        verbose_name=_('max authentication age'), blank=True, null=True
+    )
 
     # hide OP from login page
-    show = models.BooleanField(
-        verbose_name=_('show on login page'),
-        blank=True,
-        default=True)
+    show = models.BooleanField(verbose_name=_('show on login page'), blank=True, default=True)
 
     # metadata
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    modified = models.DateTimeField(
-        verbose_name=_('modified'),
-        auto_now=True)
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    modified = models.DateTimeField(verbose_name=_('modified'), auto_now=True)
 
     objects = managers.OIDCProviderManager()
 
@@ -190,34 +144,17 @@ class OIDCClaimMapping(models.Model):
     ]
 
     provider = models.ForeignKey(
-        to='OIDCProvider',
-        verbose_name=_('provider'),
-        related_name='claim_mappings',
-        on_delete=models.CASCADE)
-    claim = models.CharField(
-        max_length=128,
-        verbose_name=_('claim'))
-    attribute = models.CharField(
-        max_length=64,
-        verbose_name=_('attribute'))
+        to='OIDCProvider', verbose_name=_('provider'), related_name='claim_mappings', on_delete=models.CASCADE
+    )
+    claim = models.CharField(max_length=128, verbose_name=_('claim'))
+    attribute = models.CharField(max_length=64, verbose_name=_('attribute'))
     verified = models.PositiveIntegerField(
-        default=NOT_VERIFIED,
-        choices=VERIFIED_CHOICES,
-        verbose_name=_('verified'))
-    required = models.BooleanField(
-        blank=True,
-        default=False,
-        verbose_name=_('required'))
-    idtoken_claim = models.BooleanField(
-        verbose_name=_('idtoken claim'),
-        default=False,
-        blank=True)
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    modified = models.DateTimeField(
-        verbose_name=_('modified'),
-        auto_now=True)
+        default=NOT_VERIFIED, choices=VERIFIED_CHOICES, verbose_name=_('verified')
+    )
+    required = models.BooleanField(blank=True, default=False, verbose_name=_('required'))
+    idtoken_claim = models.BooleanField(verbose_name=_('idtoken claim'), default=False, blank=True)
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    modified = models.DateTimeField(verbose_name=_('modified'), auto_now=True)
 
     objects = managers.OIDCClaimMappingManager()
 
@@ -236,30 +173,27 @@ class OIDCClaimMapping(models.Model):
 
     def __repr__(self):
         return '<OIDCClaimMapping %r:%r on provider %r verified:%s required:%s >' % (
-            self.claim, self.attribute, self.provider and self.provider.issuer,
-            self.verified, self.required)
+            self.claim,
+            self.attribute,
+            self.provider and self.provider.issuer,
+            self.verified,
+            self.required,
+        )
 
 
 class OIDCAccount(models.Model):
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    modified = models.DateTimeField(
-        verbose_name=_('modified'),
-        auto_now=True)
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    modified = models.DateTimeField(verbose_name=_('modified'), auto_now=True)
     provider = models.ForeignKey(
-        to='OIDCProvider',
-        verbose_name=_('provider'),
-        related_name='accounts',
-        on_delete=models.CASCADE)
+        to='OIDCProvider', verbose_name=_('provider'), related_name='accounts', on_delete=models.CASCADE
+    )
     user = models.OneToOneField(
         to=settings.AUTH_USER_MODEL,
         verbose_name=_('user'),
         related_name='oidc_account',
-        on_delete=models.CASCADE)
-    sub = models.CharField(
-        verbose_name=_('sub'),
-        max_length=256)
+        on_delete=models.CASCADE,
+    )
+    sub = models.CharField(verbose_name=_('sub'), max_length=256)
 
     def __str__(self):
         return '{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer, self.user)
diff --git a/src/authentic2_auth_oidc/utils.py b/src/authentic2_auth_oidc/utils.py
index a392250a..ef480b14 100644
--- a/src/authentic2_auth_oidc/utils.py
+++ b/src/authentic2_auth_oidc/utils.py
@@ -54,18 +54,21 @@ def get_attributes():
 @GlobalCache(timeout=TIMEOUT)
 def get_provider(pk):
     from . import models
+
     return get_object_or_404(models.OIDCProvider, pk=pk)
 
 
 @GlobalCache(timeout=TIMEOUT)
 def has_providers():
     from . import models
+
     return models.OIDCProvider.objects.filter(show=True).exists()
 
 
 @GlobalCache(timeout=TIMEOUT)
 def get_provider_by_issuer(issuer):
     from . import models
+
     return models.OIDCProvider.objects.prefetch_related('claim_mappings').get(issuer=issuer)
 
 
@@ -121,8 +124,7 @@ class IDToken(object):
 
     def __init__(self, encoded):
         if not isinstance(encoded, (six.binary_type, six.string_types)):
-            raise IDTokenError(
-                    _('Encoded ID Token must be either binary or string data'))
+            raise IDTokenError(_('Encoded ID Token must be either binary or string data'))
         self._encoded = encoded
 
     def as_dict(self, provider):
@@ -135,20 +137,18 @@ class IDToken(object):
         keys = set(decoded.keys())
         # check fields are ok
         if not keys.issuperset(REQUIRED_ID_TOKEN_KEYS):
-            raise IDTokenError(
-                    _('missing field: %s') % (REQUIRED_ID_TOKEN_KEYS - keys))
+            raise IDTokenError(_('missing field: %s') % (REQUIRED_ID_TOKEN_KEYS - keys))
         for key in keys:
             if key == 'amr':
                 if not isinstance(decoded['amr'], list):
-                    raise IDTokenError(
-                            _('invalid amr value: %s') % decoded['amr'])
+                    raise IDTokenError(_('invalid amr value: %s') % decoded['amr'])
                 if not all(isinstance(v, six.text_type) for v in decoded['amr']):
-                    raise IDTokenError(
-                            _('invalid amr value: %s') % decoded['amr'])
+                    raise IDTokenError(_('invalid amr value: %s') % decoded['amr'])
             elif key in KEY_TYPES:
                 if not isinstance(decoded[key], KEY_TYPES[key]):
-                    raise IDTokenError(_('invalid %(key)s value: %(value)s') %
-                            {'key': key, 'value': decoded[key]})
+                    raise IDTokenError(
+                        _('invalid %(key)s value: %(value)s') % {'key': key, 'value': decoded[key]}
+                    )
         self.iss = decoded.pop('iss')
         self.sub = decoded.pop('sub')
         self.aud = decoded.pop('aud')
@@ -158,8 +158,7 @@ class IDToken(object):
             try:
                 self.auth_time = parse_timestamp(decoded.pop('auth_time'))
             except ValueError as e:
-                raise IDTokenError(
-                        _('invalid auth_time value: %s') % e)
+                raise IDTokenError(_('invalid auth_time value: %s') % e)
         self.nonce = decoded.pop('nonce', None)
         self.acr = decoded.pop('acr', None)
         self.azp = decoded.pop('azp', None)
@@ -185,9 +184,18 @@ class IDToken(object):
         except KeyError:
             return default
 
+
 OPENID_CONFIGURATION_REQUIRED = set(
-    ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri', 'response_types_supported',
-     'subject_types_supported', 'id_token_signing_alg_values_supported', 'userinfo_endpoint']
+    [
+        'issuer',
+        'authorization_endpoint',
+        'token_endpoint',
+        'jwks_uri',
+        'response_types_supported',
+        'subject_types_supported',
+        'id_token_signing_alg_values_supported',
+        'userinfo_endpoint',
+    ]
 )
 
 
@@ -195,8 +203,7 @@ def check_https(url):
     return urlparse.urlparse(url).scheme == 'https'
 
 
-def register_issuer(name, issuer=None, openid_configuration=None, verify=True, timeout=None,
-                    ou=None):
+def register_issuer(name, issuer=None, openid_configuration=None, verify=True, timeout=None, ou=None):
     from . import models
 
     if issuer and not openid_configuration:
@@ -205,11 +212,13 @@ def register_issuer(name, issuer=None, openid_configuration=None, verify=True, t
             response = requests.get(openid_configuration_url, verify=verify, timeout=timeout)
             response.raise_for_status()
         except requests.RequestException as e:
-            raise ValueError(_('Unable to reach the OpenID Connect configuration for %(issuer)s: '
-                               '%(error)s') % {
-                                   'issuer': issuer,
-                                   'error': e,
-            })
+            raise ValueError(
+                _('Unable to reach the OpenID Connect configuration for %(issuer)s: ' '%(error)s')
+                % {
+                    'issuer': issuer,
+                    'error': e,
+                }
+            )
 
     try:
         openid_configuration = openid_configuration or response.json()
@@ -218,29 +227,31 @@ def register_issuer(name, issuer=None, openid_configuration=None, verify=True, t
         keys = set(openid_configuration.keys())
         if not keys >= OPENID_CONFIGURATION_REQUIRED:
             raise ValueError(_('missing keys %s') % (OPENID_CONFIGURATION_REQUIRED - keys))
-        for key in ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri',
-                    'userinfo_endpoint']:
+        for key in ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri', 'userinfo_endpoint']:
             if not check_https(openid_configuration[key]):
-                raise ValueError(_('%(key)s is not an https:// URL; %(value)s') % {
-                    'key': key,
-                    'value': openid_configuration[key],
-                })
+                raise ValueError(
+                    _('%(key)s is not an https:// URL; %(value)s')
+                    % {
+                        'key': key,
+                        'value': openid_configuration[key],
+                    }
+                )
     except ValueError as e:
-        raise ValueError(_('Invalid OpenID Connect configuration for %(issuer)s: '
-                           '%(error)s') % (issuer, e))
+        raise ValueError(_('Invalid OpenID Connect configuration for %(issuer)s: ' '%(error)s') % (issuer, e))
     if 'code' not in openid_configuration['response_types_supported']:
-        raise ValueError(_('authorization code flow is unsupported: code response type is '
-                           'unsupported'))
+        raise ValueError(_('authorization code flow is unsupported: code response type is ' 'unsupported'))
     try:
         response = requests.get(openid_configuration['jwks_uri'], verify=verify, timeout=None)
         response.raise_for_status()
     except requests.RequestException as e:
-            raise ValueError(_('Unable to reach the OpenID Connect JWKSet for %(issuer)s: '
-                               '%(url)s %(error)s') % {
-                                   'issuer': issuer,
-                                   'url': openid_configuration['jwks_uri'],
-                                   'error': e,
-            })
+        raise ValueError(
+            _('Unable to reach the OpenID Connect JWKSet for %(issuer)s: ' '%(url)s %(error)s')
+            % {
+                'issuer': issuer,
+                'url': openid_configuration['jwks_uri'],
+                'error': e,
+            }
+        )
     try:
         jwkset_json = response.json()
     except ValueError as e:
@@ -249,18 +260,21 @@ def register_issuer(name, issuer=None, openid_configuration=None, verify=True, t
         old_pk = models.OIDCProvider.objects.get(issuer=openid_configuration['issuer']).pk
     except models.OIDCProvider.DoesNotExist:
         old_pk = None
-    if (set(['RS256', 'RS384', 'RS512'])
-            & set(openid_configuration['id_token_signing_alg_values_supported'])):
+    if set(['RS256', 'RS384', 'RS512']) & set(openid_configuration['id_token_signing_alg_values_supported']):
         idtoken_algo = models.OIDCProvider.ALGO_RSA
-    elif (set(['HS256', 'HS384', 'HS512'])
-          & set(openid_configuration['id_token_signing_alg_values_supported'])):
+    elif set(['HS256', 'HS384', 'HS512']) & set(
+        openid_configuration['id_token_signing_alg_values_supported']
+    ):
         idtoken_algo = models.OIDCProvider.ALGO_HMAC
-    elif (set(['ES256', 'ES384', 'ES512']) &
-          set(openid_configuration['id_token_signing_alg_values_supported'])):
+    elif set(['ES256', 'ES384', 'ES512']) & set(
+        openid_configuration['id_token_signing_alg_values_supported']
+    ):
         idtoken_algo = models.OIDCProvider.ALGO_EC
     else:
-        raise ValueError(_('no common algorithm found for signing idtokens: %s') %
-                         openid_configuration['id_token_signing_alg_values_supported'])
+        raise ValueError(
+            _('no common algorithm found for signing idtokens: %s')
+            % openid_configuration['id_token_signing_alg_values_supported']
+        )
     claims_parameter_supported = openid_configuration.get('claims_parameter_supported') is True
     kwargs = dict(
         ou=ou or get_default_ou(),
@@ -272,7 +286,8 @@ def register_issuer(name, issuer=None, openid_configuration=None, verify=True, t
         jwkset_json=jwkset_json,
         idtoken_algo=idtoken_algo,
         strategy=models.OIDCProvider.STRATEGY_CREATE,
-        claims_parameter_supported=claims_parameter_supported)
+        claims_parameter_supported=claims_parameter_supported,
+    )
     if old_pk:
         models.OIDCProvider.objects.filter(pk=old_pk).update(**kwargs)
         return models.OIDCProvider.objects.get(pk=old_pk)
@@ -283,10 +298,8 @@ def register_issuer(name, issuer=None, openid_configuration=None, verify=True, t
 def get_openid_configuration_url(issuer):
     parsed = urlparse.urlparse(issuer)
     if parsed.query or parsed.fragment or parsed.scheme != 'https':
-        raise ValueError(_('invalid issuer URL, it must use the https:// scheme and not have a '
-                           'query or fragment'))
-    issuer = urlparse.urlunparse((parsed.scheme, parsed.netloc, parsed.path.rstrip('/'), None,
-                                  None, None))
+        raise ValueError(
+            _('invalid issuer URL, it must use the https:// scheme and not have a ' 'query or fragment')
+        )
+    issuer = urlparse.urlunparse((parsed.scheme, parsed.netloc, parsed.path.rstrip('/'), None, None, None))
     return issuer + '/.well-known/openid-configuration'
-
-
diff --git a/src/authentic2_auth_oidc/views.py b/src/authentic2_auth_oidc/views.py
index b171f02a..f025e249 100644
--- a/src/authentic2_auth_oidc/views.py
+++ b/src/authentic2_auth_oidc/views.py
@@ -89,8 +89,9 @@ def oidc_login(request, pk, next_url=None, *args, **kwargs):
     # FIXME: id_token_hint ?
     # FIXME: acr_values ?
     # save request state
-    logger.debug('auth_oidc: sent request %s to authorization endpoint "%s"',
-                 params, provider.authorization_endpoint)
+    logger.debug(
+        'auth_oidc: sent request %s to authorization endpoint "%s"', params, provider.authorization_endpoint
+    )
     response = redirect(request, provider.authorization_endpoint, params=params, resolve=False)
 
     # As the oidc-state is used during a redirect from a third-party, we need
@@ -99,15 +100,24 @@ def oidc_login(request, pk, next_url=None, *args, **kwargs):
     # for more explanations.
     if django.VERSION < (2, 1):
         response.set_cookie(
-            'oidc-state', value=state_id, path=reverse('oidc-login-callback'),
-            httponly=True, secure=request.is_secure())
+            'oidc-state',
+            value=state_id,
+            path=reverse('oidc-login-callback'),
+            httponly=True,
+            secure=request.is_secure(),
+        )
         # work around lack of samesite parameter to set_cookie() in Django 1.11
         # it also needs monkeypatch from authentic2.compat.cookies.
         response.cookies['oidc-state']['samesite'] = 'Lax'
     else:
         response.set_cookie(
-            'oidc-state', value=state_id, path=reverse('oidc-login-callback'),
-            httponly=True, secure=request.is_secure(), samesite='Lax')
+            'oidc-state',
+            value=state_id,
+            path=reverse('oidc-login-callback'),
+            httponly=True,
+            secure=request.is_secure(),
+            samesite='Lax',
+        )
     return response
 
 
@@ -173,8 +183,7 @@ class LoginCallback(View):
         if 'error' in request.GET:  # error code path
             return self.handle_error(request, provider)
         elif not code:
-            messages.warning(request, _('Missing code, report %s to an administrator') %
-                             request.request_id)
+            messages.warning(request, _('Missing code, report %s to an administrator') % request.request_id)
             logger.warning('auth_oidc: missing code, %r', request.GET)
             return self.continue_to_next_url(request)
         else:
@@ -187,66 +196,85 @@ class LoginCallback(View):
                 'code': code,
                 'redirect_uri': request.build_absolute_uri(request.path),
             }
-            logger.debug('auth_oidc: sent request %s to token endpoint "%s"',
-                         token_endpoint_request, token_endpoint_request)
-            response = requests.post(provider.token_endpoint, data=token_endpoint_request,
-                                     auth=(provider.client_id, provider.client_secret), timeout=10)
+            logger.debug(
+                'auth_oidc: sent request %s to token endpoint "%s"',
+                token_endpoint_request,
+                token_endpoint_request,
+            )
+            response = requests.post(
+                provider.token_endpoint,
+                data=token_endpoint_request,
+                auth=(provider.client_id, provider.client_secret),
+                timeout=10,
+            )
             response.raise_for_status()
         except requests.RequestException as e:
             logger.warning(
-                'auth_oidc: failed to contact the token_endpoint for %(issuer)s, %(exception)s' % {
+                'auth_oidc: failed to contact the token_endpoint for %(issuer)s, %(exception)s'
+                % {
                     'issuer': provider.issuer,
                     'exception': e,
-                })
-            messages.warning(request, _('Provider %(name)s is down, report %(request_id)s to '
-                                        'an administrator. ') %
-                             {
-                                 'name': provider.name,
-                                 'request_id': request.request_id,
-            })
+                }
+            )
+            messages.warning(
+                request,
+                _('Provider %(name)s is down, report %(request_id)s to ' 'an administrator. ')
+                % {
+                    'name': provider.name,
+                    'request_id': request.request_id,
+                },
+            )
             return self.continue_to_next_url(request)
         try:
             result = response.json()
         except ValueError as e:
-            logger.warning('auth_oidc: response from %s is not a JSON document, %s, %r' %
-                           (provider.token_endpoint, e, response.content))
-            messages.warning(request, _('Provider %(name)s is down, report %(request_id)s to '
-                                        'an administrator. ') %
-                             {
-                                 'name': provider.name,
-                                 'request_id': request.request_id,
-            })
+            logger.warning(
+                'auth_oidc: response from %s is not a JSON document, %s, %r'
+                % (provider.token_endpoint, e, response.content)
+            )
+            messages.warning(
+                request,
+                _('Provider %(name)s is down, report %(request_id)s to ' 'an administrator. ')
+                % {
+                    'name': provider.name,
+                    'request_id': request.request_id,
+                },
+            )
             return self.continue_to_next_url(request)
         # token_type is case insensitive, https://tools.ietf.org/html/rfc6749#section-4.2.2
-        if ('access_token' not in result
-                or 'token_type' not in result
-                or result['token_type'].lower() != 'bearer'
-                or 'id_token' not in result):
-            logger.warning('auth_oidc: invalid token endpoint response from %s: %r' % (
-                provider.token_endpoint, result))
-            messages.warning(request, _('Provider %(name)s is down, report %(request_id)s to '
-                                        'an administrator. ') %
-                             {
-                                 'name': provider.name,
-                                 'request_id': request.request_id,
-            })
+        if (
+            'access_token' not in result
+            or 'token_type' not in result
+            or result['token_type'].lower() != 'bearer'
+            or 'id_token' not in result
+        ):
+            logger.warning(
+                'auth_oidc: invalid token endpoint response from %s: %r' % (provider.token_endpoint, result)
+            )
+            messages.warning(
+                request,
+                _('Provider %(name)s is down, report %(request_id)s to ' 'an administrator. ')
+                % {
+                    'name': provider.name,
+                    'request_id': request.request_id,
+                },
+            )
             return self.continue_to_next_url(request)
         logger.debug('auth_oidc: got token response %s', result)
         access_token = result.get('access_token')
         user = authenticate(
-            request,
-            access_token=access_token,
-            nonce=nonce,
-            id_token=result['id_token'],
-            provider=provider)
+            request, access_token=access_token, nonce=nonce, id_token=result['id_token'], provider=provider
+        )
         if user:
             # remember last tokens for logout
             login(request, user, 'oidc', nonce=nonce)
             tokens = request.session.setdefault('auth_oidc', {}).setdefault('tokens', [])
-            tokens.append({
-                'token_response': result,
-                'provider_pk': provider.pk,
-            })
+            tokens.append(
+                {
+                    'token_response': result,
+                    'provider_pk': provider.pk,
+                }
+            )
         else:
             messages.warning(request, _('No user found'))
         return self.continue_to_next_url(request)
@@ -263,15 +291,19 @@ class LoginCallback(View):
             msg += ' see %s' % error_url
         logger.warning(msg)
         if provider:
-            messages.warning(request, _('Login with %(name)s failed, report %(request_id)s '
-                                        'to an administrator.')
-                             % {
-                                 'name': provider.name,
-                                 'request_id': request.request_id,
-            })
+            messages.warning(
+                request,
+                _('Login with %(name)s failed, report %(request_id)s ' 'to an administrator.')
+                % {
+                    'name': provider.name,
+                    'request_id': request.request_id,
+                },
+            )
         else:
-            messages.warning(request, _('Login with OpenIDConnect failed, report %s to an '
-                                        'administrator') % request.request_id)
+            messages.warning(
+                request,
+                _('Login with OpenIDConnect failed, report %s to an ' 'administrator') % request.request_id,
+            )
         return self.continue_to_next_url(request)
 
 
diff --git a/src/authentic2_auth_saml/adapters.py b/src/authentic2_auth_saml/adapters.py
index 95573a83..9ae18724 100644
--- a/src/authentic2_auth_saml/adapters.py
+++ b/src/authentic2_auth_saml/adapters.py
@@ -57,7 +57,7 @@ class SamlConditionContextProxy(object):
 
     def __getitem__(self, key):
         if key.endswith('__list'):
-            return self.saml_attributes[key[:-len('__list')]]
+            return self.saml_attributes[key[: -len('__list')]]
         else:
             v = self.saml_attributes[key]
             if isinstance(v, list):
@@ -94,19 +94,19 @@ class AuthenticAdapter(DefaultAdapter):
 
     @atomic
     def provision_a2_attributes(self, user, idp, saml_attributes):
-        '''Copy incoming SAML attributes to user attributes, A2_ATTRIBUTE_MAPPING must be a list of
-           dictionaries like:
-
-              {
-                  'attribute': 'email',
-                  'saml_attribute': 'email',
-                  # optional:
-                  'mandatory': False,
-              }
-
-            If an attribute is not mandatory any error is just logged, if the attribute is
-            mandatory, login will fail.
-        '''
+        """Copy incoming SAML attributes to user attributes, A2_ATTRIBUTE_MAPPING must be a list of
+        dictionaries like:
+
+           {
+               'attribute': 'email',
+               'saml_attribute': 'email',
+               # optional:
+               'mandatory': False,
+           }
+
+         If an attribute is not mandatory any error is just logged, if the attribute is
+         mandatory, login will fail.
+        """
 
         saml_attributes = saml_attributes.copy()
         attribute_mapping = get_setting(idp, 'A2_ATTRIBUTE_MAPPING', [])
diff --git a/src/authentic2_auth_saml/app_settings.py b/src/authentic2_auth_saml/app_settings.py
index adbcab7a..b6c4deb6 100644
--- a/src/authentic2_auth_saml/app_settings.py
+++ b/src/authentic2_auth_saml/app_settings.py
@@ -19,6 +19,7 @@ import sys
 
 class AppSettings(object):
     '''Thanks django-allauth'''
+
     __SENTINEL = object()
 
     def __init__(self, prefix):
@@ -37,6 +38,7 @@ class AppSettings(object):
     def enable(self):
         return self._setting('ENABLE', False)
 
+
 app_settings = AppSettings('A2_AUTH_SAML_')
 app_settings.__name__ = __name__
 sys.modules[__name__] = app_settings
diff --git a/src/authentic2_auth_saml/apps.py b/src/authentic2_auth_saml/apps.py
index 067329fb..8113d5ca 100644
--- a/src/authentic2_auth_saml/apps.py
+++ b/src/authentic2_auth_saml/apps.py
@@ -25,9 +25,7 @@ class AppConfig(django.apps.AppConfig):
         from django.db.models.signals import pre_save
         from authentic2.custom_user.models import DeletedUser
 
-        pre_save.connect(
-            self.pre_save_deleted_user,
-            sender=DeletedUser)
+        pre_save.connect(self.pre_save_deleted_user, sender=DeletedUser)
 
     def pre_save_deleted_user(self, sender, instance, **kwargs):
         '''Delete and copy UserSamlIdentifier to old_data'''
@@ -36,7 +34,9 @@ class AppConfig(django.apps.AppConfig):
         saml_accounts = UserSAMLIdentifier.objects.filter(user__uuid=instance.old_uuid).order_by('id')
         for saml_account in saml_accounts:
             instance.old_data = instance.old_data or {}
-            instance.old_data.setdefault('saml_accounts', []).append({
-                'issuer': saml_account.issuer,
-                'name_id': saml_account.name_id,
-            })
+            instance.old_data.setdefault('saml_accounts', []).append(
+                {
+                    'issuer': saml_account.issuer,
+                    'name_id': saml_account.name_id,
+                }
+            )
diff --git a/src/authentic2_auth_saml/authenticators.py b/src/authentic2_auth_saml/authenticators.py
index 613d95b9..98fec9a6 100644
--- a/src/authentic2_auth_saml/authenticators.py
+++ b/src/authentic2_auth_saml/authenticators.py
@@ -37,7 +37,7 @@ class SAMLAuthenticator(BaseAuthenticator):
 
     def instances(self, request, *args, **kwargs):
         for idx, idp in enumerate(get_idps()):
-            yield(idp.get('SLUG') or str(idx), idp)
+            yield (idp.get('SLUG') or str(idx), idp)
 
     def autorun(self, request, block_id):
         auth_id, instance_slug = block_id.split('_')
@@ -45,11 +45,11 @@ class SAMLAuthenticator(BaseAuthenticator):
 
         for slug, instance in self.instances(request):
             if slug == instance_slug:
-                return redirect_to_login(request, login_url='mellon_login',
-                                         params={'entityID': instance['ENTITY_ID']})
+                return redirect_to_login(
+                    request, login_url='mellon_login', params={'entityID': instance['ENTITY_ID']}
+                )
         return redirect_to_login(request)
 
-
     def login(self, request, *args, **kwargs):
         context = kwargs.pop('context', {})
         instance_id = kwargs.get('instance_id')
@@ -57,10 +57,14 @@ class SAMLAuthenticator(BaseAuthenticator):
         context['submit_name'] = submit_name
         if request.method == 'POST' and submit_name in request.POST:
             instance = kwargs.get('instance')
-            return redirect_to_login(request, login_url='mellon_login',
-                                     params={'entityID': instance['ENTITY_ID']})
-        return render(request, ['authentic2_auth_saml/login_%s.html' % instance_id,
-                                'authentic2_auth_saml/login.html'], context)
+            return redirect_to_login(
+                request, login_url='mellon_login', params={'entityID': instance['ENTITY_ID']}
+            )
+        return render(
+            request,
+            ['authentic2_auth_saml/login_%s.html' % instance_id, 'authentic2_auth_saml/login.html'],
+            context,
+        )
 
     def profile(self, request, *args, **kwargs):
         context = kwargs.pop('context', {})
@@ -70,5 +74,4 @@ class SAMLAuthenticator(BaseAuthenticator):
         for user_saml_identifier in user_saml_identifiers:
             user_saml_identifier.idp = get_idp(user_saml_identifier.issuer)
         context['user_saml_identifiers'] = user_saml_identifiers
-        return render_to_string('authentic2_auth_saml/profile.html',
-                                context, request=request)
+        return render_to_string('authentic2_auth_saml/profile.html', context, request=request)
diff --git a/src/authentic2_auth_saml/backends.py b/src/authentic2_auth_saml/backends.py
index 31ab91be..9ac1da22 100644
--- a/src/authentic2_auth_saml/backends.py
+++ b/src/authentic2_auth_saml/backends.py
@@ -31,16 +31,17 @@ class SAMLBackend(SAMLBackend):
         # Pass AuthnContextClassRef from the previous IdP
         request = StoreRequestMiddleware.get_request()
         if request:
-            authn_context_class_ref = request.session.get(
-                'mellon_session', {}).get('authn_context_class_ref')
+            authn_context_class_ref = request.session.get('mellon_session', {}).get('authn_context_class_ref')
             if authn_context_class_ref:
                 return authn_context_class_ref
 
         import lasso
+
         return lasso.SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION
 
     def redirect_logout_list(self, request, next_url=None):
         from mellon.views import logout
+
         if 'mellon_session' in request.session:
             response = logout(request)
             if 'Location' in response:
diff --git a/src/authentic2_auth_saml/urls.py b/src/authentic2_auth_saml/urls.py
index 6aaecda1..ae207976 100644
--- a/src/authentic2_auth_saml/urls.py
+++ b/src/authentic2_auth_saml/urls.py
@@ -16,5 +16,6 @@
 
 from django.conf.urls import url, include
 
-urlpatterns = [url(r'^accounts/saml/', include('mellon.urls'),
-                   kwargs={'template_base': 'authentic/base.html'})]
+urlpatterns = [
+    url(r'^accounts/saml/', include('mellon.urls'), kwargs={'template_base': 'authentic/base.html'})
+]
diff --git a/src/authentic2_idp_cas/admin.py b/src/authentic2_idp_cas/admin.py
index 97d94480..a869539e 100644
--- a/src/authentic2_idp_cas/admin.py
+++ b/src/authentic2_idp_cas/admin.py
@@ -17,6 +17,7 @@
 from django import forms
 from django.contrib import admin
 from django.utils.translation import ugettext as _
+
 # Django < 1.7 compat
 from authentic2.attributes_ng.engine import get_attribute_names
 from authentic2.decorators import to_iter
@@ -45,11 +46,7 @@ class AttributeInlineForm(forms.ModelForm):
     def __init__(self, *args, **kwargs):
         service = kwargs.pop('service', None)
         super(AttributeInlineForm, self).__init__(*args, **kwargs)
-        choices = self.choices({
-            'user': None,
-            'request': None,
-            'service': service
-        })
+        choices = self.choices({'user': None, 'request': None, 'service': service})
         self.fields['attribute_name'].choices = choices
         self.fields['attribute_name'].widget = forms.Select(choices=choices)
 
@@ -76,6 +73,7 @@ class AttributeInlineAdmin(admin.TabularInline):
             def __init__(self, *args, **kwargs):
                 kwargs['service'] = obj
                 super(NewForm, self).__init__(*args, **kwargs)
+
         kwargs['form'] = NewForm
         return super(AttributeInlineAdmin, self).get_formset(request, obj=obj, **kwargs)
 
@@ -85,35 +83,36 @@ class ServiceAdmin(admin.ModelAdmin):
     list_display = ('name', 'ou', 'slug', 'urls', 'identifier_attribute')
     prepopulated_fields = {"slug": ("name",)}
     fieldsets = (
-        (None, {
-            'fields': [
-                'name',
-                'slug',
-                'ou',
-                'urls',
-                'identifier_attribute',
-                'proxy',
-            ]}),
-        (_('Logout'), {
-            'fields': [
-                'logout_url',
-                'logout_use_iframe',
-                'logout_use_iframe_timeout',
-            ]}))
+        (
+            None,
+            {
+                'fields': [
+                    'name',
+                    'slug',
+                    'ou',
+                    'urls',
+                    'identifier_attribute',
+                    'proxy',
+                ]
+            },
+        ),
+        (
+            _('Logout'),
+            {
+                'fields': [
+                    'logout_url',
+                    'logout_use_iframe',
+                    'logout_use_iframe_timeout',
+                ]
+            },
+        ),
+    )
     inlines = [AttributeInlineAdmin]
 
 
 class TicketAdmin(CleanupAdminMixin, admin.ModelAdmin):
-    list_display = (
-        'ticket_id',
-        'validity',
-        'renew',
-        'service',
-        'service_url',
-        'user',
-        'creation',
-        'expire'
-    )
+    list_display = ('ticket_id', 'validity', 'renew', 'service', 'service_url', 'user', 'creation', 'expire')
+
 
 admin.site.register(models.Service, ServiceAdmin)
 
diff --git a/src/authentic2_idp_cas/app_settings.py b/src/authentic2_idp_cas/app_settings.py
index 436c0ec3..9dc29b1b 100644
--- a/src/authentic2_idp_cas/app_settings.py
+++ b/src/authentic2_idp_cas/app_settings.py
@@ -29,6 +29,7 @@ class AppSettings(object):
 
     def _setting(self, name, dflt):
         from django.conf import settings
+
         return getattr(settings, self.prefix + name, dflt)
 
     def __getattr__(self, name):
diff --git a/src/authentic2_idp_cas/apps.py b/src/authentic2_idp_cas/apps.py
index b0778aa3..289a64a1 100644
--- a/src/authentic2_idp_cas/apps.py
+++ b/src/authentic2_idp_cas/apps.py
@@ -21,7 +21,6 @@ from .constants import SESSION_CAS_LOGOUTS
 
 
 class Plugin(object):
-
     def logout_list(self, request):
         fragments = []
         cas_logouts = request.session.get(SESSION_CAS_LOGOUTS, [])
diff --git a/src/authentic2_idp_cas/constants.py b/src/authentic2_idp_cas/constants.py
index cdbf117e..c090718e 100644
--- a/src/authentic2_idp_cas/constants.py
+++ b/src/authentic2_idp_cas/constants.py
@@ -15,35 +15,35 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Constants #
-CAS_NAMESPACE    = 'http://www.yale.edu/tp/cas'
-RENEW_PARAM      = 'renew'
-SERVICE_PARAM    = 'service'
-GATEWAY_PARAM    = 'gateway'
-WARN_PARAM       = 'warn'
-URL_PARAM        = 'url'
-TICKET_PARAM     = 'ticket'
-PGT_URL_PARAM    = 'pgtUrl'
-PGT_PARAM        = 'pgt'
-PGT_ID_PARAM     = 'pgtId'
-PGT_IOU_PARAM    = 'pgtIou'
+CAS_NAMESPACE = 'http://www.yale.edu/tp/cas'
+RENEW_PARAM = 'renew'
+SERVICE_PARAM = 'service'
+GATEWAY_PARAM = 'gateway'
+WARN_PARAM = 'warn'
+URL_PARAM = 'url'
+TICKET_PARAM = 'ticket'
+PGT_URL_PARAM = 'pgtUrl'
+PGT_PARAM = 'pgt'
+PGT_ID_PARAM = 'pgtId'
+PGT_IOU_PARAM = 'pgtIou'
 TARGET_SERVICE_PARAM = 'targetService'
-USERNAME_FIELD   = 'username' # unused
-PASSWORD_FIELD   = 'password' # unused
-LT_FIELD         = 'lt'       # unused
+USERNAME_FIELD = 'username'  # unused
+PASSWORD_FIELD = 'password'  # unused
+LT_FIELD = 'lt'  # unused
 SERVICE_TICKET_PREFIX = 'ST-'
-PGT_PREFIX       = 'PGT-'
-PGT_IOU_PREFIX   = 'PGTIOU-'
-PT_PREFIX        = 'PT-'
-ID_PARAM         = 'id'
-CANCEL_PARAM     = 'cancel'
+PGT_PREFIX = 'PGT-'
+PGT_IOU_PREFIX = 'PGTIOU-'
+PT_PREFIX = 'PT-'
+ID_PARAM = 'id'
+CANCEL_PARAM = 'cancel'
 
 # ERROR codes
-INVALID_REQUEST_ERROR  = 'INVALID_REQUEST'
+INVALID_REQUEST_ERROR = 'INVALID_REQUEST'
 INVALID_TICKET_SPEC_ERROR = 'INVALID_TICKET_SPEC'
-INVALID_TICKET_ERROR   = 'INVALID_TICKET'
-INVALID_SERVICE_ERROR  = 'INVALID_SERVICE'
-INTERNAL_ERROR         = 'INTERNAL_ERROR'
-BAD_PGT_ERROR          = 'BAD_PGT'
+INVALID_TICKET_ERROR = 'INVALID_TICKET'
+INVALID_SERVICE_ERROR = 'INVALID_SERVICE'
+INTERNAL_ERROR = 'INTERNAL_ERROR'
+BAD_PGT_ERROR = 'BAD_PGT'
 INVALID_TARGET_SERVICE_ERROR = 'INVALID_TARGET_SERVICE'
 PROXY_UNAUTHORIZED_ERROR = 'PROXY_UNAUTHORIZED'
 
@@ -51,24 +51,26 @@ PROXY_UNAUTHORIZED_ERROR = 'PROXY_UNAUTHORIZED'
 # XML Elements for CAS 2.0
 def cas_elt(name):
     return '{%s}%s' % (CAS_NAMESPACE, name)
-SERVICE_RESPONSE_ELT       = cas_elt('serviceResponse')
+
+
+SERVICE_RESPONSE_ELT = cas_elt('serviceResponse')
 
 AUTHENTICATION_SUCCESS_ELT = cas_elt('authenticationSuccess')
-USER_ELT                   = cas_elt('user')
-PGT_ELT                    = cas_elt('proxyGrantingTicket')
-PROXIES_ELT                = cas_elt('proxies')
-PROXY_ELT                  = cas_elt('proxy')
+USER_ELT = cas_elt('user')
+PGT_ELT = cas_elt('proxyGrantingTicket')
+PROXIES_ELT = cas_elt('proxies')
+PROXY_ELT = cas_elt('proxy')
 
 AUTHENTICATION_FAILURE_ELT = cas_elt('authenticationFailure')
-CODE_ATTR                   = 'code'
+CODE_ATTR = 'code'
 
-PROXY_SUCCESS_ELT          = cas_elt('proxySuccess')
-PROXY_TICKET_ELT           = cas_elt('proxyTicket')
+PROXY_SUCCESS_ELT = cas_elt('proxySuccess')
+PROXY_TICKET_ELT = cas_elt('proxyTicket')
 
-PROXY_FAILURE_ELT          = cas_elt('proxyFailure')
+PROXY_FAILURE_ELT = cas_elt('proxyFailure')
 
 # XML Elements for CAS 3.0
-ATTRIBUTES_ELT             = cas_elt('attributes')
+ATTRIBUTES_ELT = cas_elt('attributes')
 
 # Templates
 
@@ -130,4 +132,3 @@ SAML_RESPONSE_TEMPLATE = '''<?xml version="1.0" encoding="UTF-8"?>
 </SOAP-ENV:Envelope>'''
 
 SESSION_CAS_LOGOUTS = 'cas-logouts'
-
diff --git a/src/authentic2_idp_cas/migrations/0001_initial.py b/src/authentic2_idp_cas/migrations/0001_initial.py
index 13759aff..a3fd517d 100644
--- a/src/authentic2_idp_cas/migrations/0001_initial.py
+++ b/src/authentic2_idp_cas/migrations/0001_initial.py
@@ -15,7 +15,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Attribute',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('slug', models.SlugField(verbose_name='slug')),
                 ('attribute_name', models.CharField(max_length=64, verbose_name='attribute name')),
                 ('enabled', models.BooleanField(default=True, verbose_name='enabled')),
@@ -29,15 +32,47 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Service',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('logout_url', models.URLField(help_text='you can use a {} to pass the URL of the success icon, ex.: http://example.com/logout?next={}', max_length=255, null=True, verbose_name='url', blank=True)),
-                ('logout_use_iframe', models.BooleanField(default=False, verbose_name='use an iframe instead of an img tag for logout')),
-                ('logout_use_iframe_timeout', models.PositiveIntegerField(default=300, help_text="if iframe logout is used, it's the time between the onload event for this iframe and the moment we consider its loading to be really finished", verbose_name='iframe logout timeout (ms)')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'logout_url',
+                    models.URLField(
+                        help_text='you can use a {} to pass the URL of the success icon, ex.: http://example.com/logout?next={}',
+                        max_length=255,
+                        null=True,
+                        verbose_name='url',
+                        blank=True,
+                    ),
+                ),
+                (
+                    'logout_use_iframe',
+                    models.BooleanField(
+                        default=False, verbose_name='use an iframe instead of an img tag for logout'
+                    ),
+                ),
+                (
+                    'logout_use_iframe_timeout',
+                    models.PositiveIntegerField(
+                        default=300,
+                        help_text="if iframe logout is used, it's the time between the onload event for this iframe and the moment we consider its loading to be really finished",
+                        verbose_name='iframe logout timeout (ms)',
+                    ),
+                ),
                 ('name', models.CharField(unique=True, max_length=128, verbose_name='name')),
                 ('slug', models.SlugField(unique=True, max_length=128, verbose_name='slug')),
                 ('urls', models.TextField(verbose_name='urls')),
                 ('identifier_attribute', models.CharField(max_length=64, verbose_name='attribute name')),
-                ('proxy', models.ManyToManyField(help_text='services who can request proxy tickets for this service', related_name='proxy_rel_+', verbose_name='proxy', to='authentic2_idp_cas.Service')),
+                (
+                    'proxy',
+                    models.ManyToManyField(
+                        help_text='services who can request proxy tickets for this service',
+                        related_name='proxy_rel_+',
+                        verbose_name='proxy',
+                        to='authentic2_idp_cas.Service',
+                    ),
+                ),
             ],
             options={
                 'verbose_name': 'service',
@@ -48,26 +83,65 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Ticket',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('ticket_id', models.CharField(default=authentic2_idp_cas.models.make_uuid, unique=True, max_length=64, verbose_name='ticket id')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'ticket_id',
+                    models.CharField(
+                        default=authentic2_idp_cas.models.make_uuid,
+                        unique=True,
+                        max_length=64,
+                        verbose_name='ticket id',
+                    ),
+                ),
                 ('renew', models.BooleanField(default=False, verbose_name='fresh authentication')),
                 ('validity', models.BooleanField(default=False, verbose_name='valid')),
-                ('service_url', models.CharField(default='', max_length=256, verbose_name='service URL', blank=True)),
+                (
+                    'service_url',
+                    models.CharField(default='', max_length=256, verbose_name='service URL', blank=True),
+                ),
                 ('creation', models.DateTimeField(auto_now_add=True, verbose_name='creation')),
                 ('expire', models.DateTimeField(null=True, verbose_name='expire', blank=True)),
-                ('session_key', models.CharField(default='', max_length=64, verbose_name='django session key', db_index=True, blank=True)),
+                (
+                    'session_key',
+                    models.CharField(
+                        default='',
+                        max_length=64,
+                        verbose_name='django session key',
+                        db_index=True,
+                        blank=True,
+                    ),
+                ),
                 ('proxies', models.TextField(default='', verbose_name='proxies', blank=True)),
-                ('service', models.ForeignKey(verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE)),
-                ('user', models.ForeignKey(blank=True, to='auth.User', max_length=128, null=True, verbose_name='user', on_delete=models.CASCADE)),
+                (
+                    'service',
+                    models.ForeignKey(
+                        verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        blank=True,
+                        to='auth.User',
+                        max_length=128,
+                        null=True,
+                        verbose_name='user',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
             ],
-            options={
-            },
+            options={},
             bases=(models.Model,),
         ),
         migrations.AddField(
             model_name='attribute',
             name='service',
-            field=models.ForeignKey(verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AlterUniqueTogether(
diff --git a/src/authentic2_idp_cas/migrations/0002_auto_20150410_1438.py b/src/authentic2_idp_cas/migrations/0002_auto_20150410_1438.py
index c152cb18..cb5bf2ba 100644
--- a/src/authentic2_idp_cas/migrations/0002_auto_20150410_1438.py
+++ b/src/authentic2_idp_cas/migrations/0002_auto_20150410_1438.py
@@ -16,7 +16,14 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='ticket',
             name='user',
-            field=models.ForeignKey(blank=True, to=settings.AUTH_USER_MODEL, max_length=128, null=True, verbose_name='user', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                blank=True,
+                to=settings.AUTH_USER_MODEL,
+                max_length=128,
+                null=True,
+                verbose_name='user',
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2_idp_cas/migrations/0003_auto_20150415_2223.py b/src/authentic2_idp_cas/migrations/0003_auto_20150415_2223.py
index c5a01f93..9ecbb6ea 100644
--- a/src/authentic2_idp_cas/migrations/0003_auto_20150415_2223.py
+++ b/src/authentic2_idp_cas/migrations/0003_auto_20150415_2223.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -14,12 +15,14 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='ServiceProxy2',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('from_service', models.IntegerField()),
                 ('to_service', models.IntegerField()),
             ],
-            options={
-            },
+            options={},
             bases=(models.Model,),
         ),
         migrations.AddField(
diff --git a/src/authentic2_idp_cas/migrations/0004_create_services.py b/src/authentic2_idp_cas/migrations/0004_create_services.py
index 1e531631..4d5fcb96 100644
--- a/src/authentic2_idp_cas/migrations/0004_create_services.py
+++ b/src/authentic2_idp_cas/migrations/0004_create_services.py
@@ -3,15 +3,16 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def create_services(apps, schema_editor):
     Service = apps.get_model('authentic2', 'Service')
     CasService = apps.get_model('authentic2_idp_cas', 'Service')
     for cas_service in CasService.objects.all():
-        service = Service.objects.create(name=cas_service.name,
-                    slug=cas_service.slug)
+        service = Service.objects.create(name=cas_service.name, slug=cas_service.slug)
         cas_service.service_ptr = service
         cas_service.save()
 
+
 def move_back_name_and_slug(apps, schema_editor):
     CasService = apps.get_model('authentic2_idp_cas', 'Service')
     for cas_service in CasService.objects.all():
@@ -19,6 +20,7 @@ def move_back_name_and_slug(apps, schema_editor):
         cas_service.slug = cas_service.service_ptr.slug
         cas_service.save()
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2_idp_cas/migrations/0005_alter_field_service_ptr.py b/src/authentic2_idp_cas/migrations/0005_alter_field_service_ptr.py
index 84f9cc28..59fe2ce9 100644
--- a/src/authentic2_idp_cas/migrations/0005_alter_field_service_ptr.py
+++ b/src/authentic2_idp_cas/migrations/0005_alter_field_service_ptr.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2_idp_cas/migrations/0006_copy_proxy_m2m.py b/src/authentic2_idp_cas/migrations/0006_copy_proxy_m2m.py
index 91b5e0fd..78d7bb53 100644
--- a/src/authentic2_idp_cas/migrations/0006_copy_proxy_m2m.py
+++ b/src/authentic2_idp_cas/migrations/0006_copy_proxy_m2m.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def copy_proxy_m2m_to_service_proxy(apps, schema_editor):
     ServiceProxy2 = apps.get_model('authentic2_idp_cas', 'ServiceProxy2')
     Service = apps.get_model('authentic2_idp_cas', 'Service')
@@ -10,6 +11,7 @@ def copy_proxy_m2m_to_service_proxy(apps, schema_editor):
         for proxy in service.proxy.all():
             ServiceProxy2.objects.create(from_service=service.service_ptr_id, to_service=proxy.service_ptr_id)
 
+
 def copy_service_proxy_to_m2m(apps, schema_editor):
     ServiceProxy2 = apps.get_model('authentic2_idp_cas', 'ServiceProxy2')
     Service = apps.get_model('authentic2_idp_cas', 'Service')
@@ -20,6 +22,7 @@ def copy_service_proxy_to_m2m(apps, schema_editor):
         to_service = Service.objects.get(pk=service_proxy.to_service)
         from_service.proxy.add(to_service)
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -27,6 +30,5 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(copy_proxy_m2m_to_service_proxy,
-            copy_service_proxy_to_m2m),
+        migrations.RunPython(copy_proxy_m2m_to_service_proxy, copy_service_proxy_to_m2m),
     ]
diff --git a/src/authentic2_idp_cas/migrations/0007_alter_service.py b/src/authentic2_idp_cas/migrations/0007_alter_service.py
index acf6c6e1..b69edc23 100644
--- a/src/authentic2_idp_cas/migrations/0007_alter_service.py
+++ b/src/authentic2_idp_cas/migrations/0007_alter_service.py
@@ -25,16 +25,13 @@ class Migration(migrations.Migration):
             name='slug',
         ),
         migrations.AlterField(
-                model_name='Attribute',
-                name='service',
-                field=models.IntegerField(default=0),
-                preserve_default=False
+            model_name='Attribute',
+            name='service',
+            field=models.IntegerField(default=0),
+            preserve_default=False,
         ),
         migrations.AlterField(
-                model_name='Ticket',
-                name='service',
-                field=models.IntegerField(default=0),
-                preserve_default=False
+            model_name='Ticket', name='service', field=models.IntegerField(default=0), preserve_default=False
         ),
         migrations.AlterField(
             model_name='service',
@@ -45,7 +42,14 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='service',
             name='service_ptr',
-            field=models.OneToOneField(parent_link=True, auto_created=True, primary_key=True, serialize=False, to='authentic2.Service', on_delete=models.CASCADE),
+            field=models.OneToOneField(
+                parent_link=True,
+                auto_created=True,
+                primary_key=True,
+                serialize=False,
+                to='authentic2.Service',
+                on_delete=models.CASCADE,
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2_idp_cas/migrations/0008_alter_foreign_keys.py b/src/authentic2_idp_cas/migrations/0008_alter_foreign_keys.py
index 646268e2..2bb5bf3e 100644
--- a/src/authentic2_idp_cas/migrations/0008_alter_foreign_keys.py
+++ b/src/authentic2_idp_cas/migrations/0008_alter_foreign_keys.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def alter_foreign_keys(apps, schema_editor):
     Service = apps.get_model('authentic2_idp_cas', 'Service')
     Attribute = apps.get_model('authentic2_idp_cas', 'Attribute')
@@ -16,9 +17,11 @@ def alter_foreign_keys(apps, schema_editor):
         ticket.service = service.service_ptr_id
         ticket.save()
 
+
 def noop(apps, schema_editor):
     pass
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2_idp_cas/migrations/0009_alter_related_models.py b/src/authentic2_idp_cas/migrations/0009_alter_related_models.py
index 80d2860f..621ae47a 100644
--- a/src/authentic2_idp_cas/migrations/0009_alter_related_models.py
+++ b/src/authentic2_idp_cas/migrations/0009_alter_related_models.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -13,13 +14,17 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='attribute',
             name='service',
-            field=models.ForeignKey(verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
         migrations.AlterField(
             model_name='ticket',
             name='service',
-            field=models.ForeignKey(verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='service', to='authentic2_idp_cas.Service', on_delete=models.CASCADE
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2_idp_cas/migrations/0010_copy_service_ptr_id_to_old_id.py b/src/authentic2_idp_cas/migrations/0010_copy_service_ptr_id_to_old_id.py
index bbfc46cc..78776a4e 100644
--- a/src/authentic2_idp_cas/migrations/0010_copy_service_ptr_id_to_old_id.py
+++ b/src/authentic2_idp_cas/migrations/0010_copy_service_ptr_id_to_old_id.py
@@ -3,15 +3,18 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def noop(apps, schema_editor):
     pass
 
+
 def copy_service_ptr_id_to_old_id(apps, schema_editor):
     CasService = apps.get_model('authentic2_idp_cas', 'Service')
     for cas_service in CasService.objects.all():
         cas_service.old_id = cas_service.service_ptr_id
         cas_service.save()
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
diff --git a/src/authentic2_idp_cas/migrations/0011_remove_old_id_restore_proxy.py b/src/authentic2_idp_cas/migrations/0011_remove_old_id_restore_proxy.py
index c9b0cc12..ab55a45a 100644
--- a/src/authentic2_idp_cas/migrations/0011_remove_old_id_restore_proxy.py
+++ b/src/authentic2_idp_cas/migrations/0011_remove_old_id_restore_proxy.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -17,7 +18,12 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='service',
             name='proxy',
-            field=models.ManyToManyField(help_text='services who can request proxy tickets for this service', related_name='proxy_rel_+', verbose_name='proxy', to='authentic2_idp_cas.Service'),
+            field=models.ManyToManyField(
+                help_text='services who can request proxy tickets for this service',
+                related_name='proxy_rel_+',
+                verbose_name='proxy',
+                to='authentic2_idp_cas.Service',
+            ),
             preserve_default=True,
         ),
     ]
diff --git a/src/authentic2_idp_cas/migrations/0012_copy_service_proxy_to_m2m.py b/src/authentic2_idp_cas/migrations/0012_copy_service_proxy_to_m2m.py
index 103f4119..75bf9f5d 100644
--- a/src/authentic2_idp_cas/migrations/0012_copy_service_proxy_to_m2m.py
+++ b/src/authentic2_idp_cas/migrations/0012_copy_service_proxy_to_m2m.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 def copy_proxy_m2m_to_service_proxy(apps, schema_editor):
     ServiceProxy2 = apps.get_model('authentic2_idp_cas', 'ServiceProxy2')
     Service = apps.get_model('authentic2_idp_cas', 'Service')
@@ -10,6 +11,7 @@ def copy_proxy_m2m_to_service_proxy(apps, schema_editor):
         for proxy in service.proxy.all():
             ServiceProxy2.objects.create(from_service=service.service_ptr_id, to_service=proxy.service_ptr_id)
 
+
 def copy_service_proxy_to_m2m(apps, schema_editor):
     ServiceProxy2 = apps.get_model('authentic2_idp_cas', 'ServiceProxy2')
     Service = apps.get_model('authentic2_idp_cas', 'Service')
@@ -20,6 +22,7 @@ def copy_service_proxy_to_m2m(apps, schema_editor):
         to_service = Service.objects.get(pk=service_proxy.to_service)
         from_service.proxy.add(to_service)
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -27,6 +30,5 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(copy_service_proxy_to_m2m,
-            copy_proxy_m2m_to_service_proxy),
+        migrations.RunPython(copy_service_proxy_to_m2m, copy_proxy_m2m_to_service_proxy),
     ]
diff --git a/src/authentic2_idp_cas/migrations/0013_delete_model_service_proxy2.py b/src/authentic2_idp_cas/migrations/0013_delete_model_service_proxy2.py
index 4d7680b0..ab1aba42 100644
--- a/src/authentic2_idp_cas/migrations/0013_delete_model_service_proxy2.py
+++ b/src/authentic2_idp_cas/migrations/0013_delete_model_service_proxy2.py
@@ -3,6 +3,7 @@ from __future__ import unicode_literals
 
 from django.db import models, migrations
 
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -12,4 +13,3 @@ class Migration(migrations.Migration):
     operations = [
         migrations.DeleteModel('ServiceProxy2'),
     ]
-
diff --git a/src/authentic2_idp_cas/migrations/0015_auto_20170406_1825.py b/src/authentic2_idp_cas/migrations/0015_auto_20170406_1825.py
index 08b17fdf..056b80a0 100644
--- a/src/authentic2_idp_cas/migrations/0015_auto_20170406_1825.py
+++ b/src/authentic2_idp_cas/migrations/0015_auto_20170406_1825.py
@@ -14,6 +14,12 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='service',
             name='proxy',
-            field=models.ManyToManyField(help_text='services who can request proxy tickets for this service', related_name='proxy_rel_+', verbose_name='proxy', to='authentic2_idp_cas.Service', blank=True),
+            field=models.ManyToManyField(
+                help_text='services who can request proxy tickets for this service',
+                related_name='proxy_rel_+',
+                verbose_name='proxy',
+                to='authentic2_idp_cas.Service',
+                blank=True,
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_cas/models.py b/src/authentic2_idp_cas/models.py
index 61f8cd69..a5746914 100644
--- a/src/authentic2_idp_cas/models.py
+++ b/src/authentic2_idp_cas/models.py
@@ -25,7 +25,9 @@ from authentic2.utils import check_session_key
 
 from . import managers, utils, constants
 
-url_validator = URLValidator(schemes=['http', 'https', 'ftp', 'ftps', 'imap', 'imaps', 'sieve', 'smtp', 'smtps', 'ssh'])
+url_validator = URLValidator(
+    schemes=['http', 'https', 'ftp', 'ftps', 'imap', 'imaps', 'sieve', 'smtp', 'smtps', 'ssh']
+)
 
 
 class Service(LogoutUrlAbstract, Service):
@@ -35,7 +37,8 @@ class Service(LogoutUrlAbstract, Service):
         'self',
         blank=True,
         verbose_name=_('proxy'),
-        help_text=_('services who can request proxy tickets for this service'))
+        help_text=_('services who can request proxy tickets for this service'),
+    )
 
     objects = managers.ServiceManager()
 
@@ -77,10 +80,7 @@ class Service(LogoutUrlAbstract, Service):
 
 
 class Attribute(models.Model):
-    service = models.ForeignKey(
-        Service,
-        verbose_name=_('service'),
-        on_delete=models.CASCADE)
+    service = models.ForeignKey(Service, verbose_name=_('service'), on_delete=models.CASCADE)
     slug = models.SlugField(verbose_name=_('slug'))
     attribute_name = models.CharField(max_length=64, verbose_name=_('attribute name'), blank=False)
     enabled = models.BooleanField(verbose_name=_('enabled'), default=True)
@@ -91,7 +91,13 @@ class Attribute(models.Model):
     class Meta:
         verbose_name = _('CAS attribute')
         verbose_name_plural = _('CAS attributes')
-        unique_together = (('service', 'slug', 'attribute_name',),)
+        unique_together = (
+            (
+                'service',
+                'slug',
+                'attribute_name',
+            ),
+        )
 
 
 def make_uuid():
@@ -100,13 +106,11 @@ def make_uuid():
 
 class Ticket(models.Model):
     '''Session ticket with a CAS 1.0 or 2.0 consumer'''
+
     ticket_id = models.CharField(max_length=64, verbose_name=_('ticket id'), unique=True, default=make_uuid)
     renew = models.BooleanField(default=False, verbose_name=_('fresh authentication'))
     validity = models.BooleanField(default=False, verbose_name=_('valid'))
-    service = models.ForeignKey(
-        Service,
-        verbose_name=_('service'),
-        on_delete=models.CASCADE)
+    service = models.ForeignKey(Service, verbose_name=_('service'), on_delete=models.CASCADE)
     service_url = models.TextField(verbose_name=_('service URL'), blank=True, default='')
     user = models.ForeignKey(
         'custom_user.User',
@@ -114,11 +118,13 @@ class Ticket(models.Model):
         blank=True,
         null=True,
         verbose_name=_('user'),
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
     creation = models.DateTimeField(auto_now_add=True, verbose_name=_('creation'))
     expire = models.DateTimeField(verbose_name=_('expire'), blank=True, null=True)
     session_key = models.CharField(
-        max_length=64, db_index=True, blank=True, verbose_name=_('django session key'), default='')
+        max_length=64, db_index=True, blank=True, verbose_name=_('django session key'), default=''
+    )
     proxies = models.TextField(verbose_name=_('proxies'), blank=True, default='')
 
     objects = managers.TicketManager()
@@ -142,4 +148,3 @@ class Ticket(models.Model):
             return now() >= self.expire
         else:
             return False
-
diff --git a/src/authentic2_idp_cas/urls.py b/src/authentic2_idp_cas/urls.py
index c8473b30..ca7c01af 100644
--- a/src/authentic2_idp_cas/urls.py
+++ b/src/authentic2_idp_cas/urls.py
@@ -22,10 +22,8 @@ urlpatterns = [
     url('^login/?$', views.login, name='a2-idp-cas-login'),
     url('^continue/$', views._continue, name='a2-idp-cas-continue'),
     url('^validate/?$', views.validate, name='a2-idp-cas-validate'),
-    url('^serviceValidate/?$', views.service_validate,
-        name='a2-idp-cas-service-validate'),
+    url('^serviceValidate/?$', views.service_validate, name='a2-idp-cas-service-validate'),
     url('^logout/?$', views.logout, name='a2-idp-cas-logout'),
     url('^proxy/?$', views.proxy, name='a2-idp-cas-proxy'),
-    url('^proxyValidate/?$', views.proxy_validate,
-        name='a2-idp-cas-proxy-validate'),
+    url('^proxyValidate/?$', views.proxy_validate, name='a2-idp-cas-proxy-validate'),
 ]
diff --git a/src/authentic2_idp_cas/utils.py b/src/authentic2_idp_cas/utils.py
index c2c49f83..fe0c6fa4 100644
--- a/src/authentic2_idp_cas/utils.py
+++ b/src/authentic2_idp_cas/utils.py
@@ -23,5 +23,5 @@ ALPHABET = string.ascii_letters + string.digits + '-'
 def make_id(prefix='', length=29):
     '''Generate CAS tickets identifiers'''
     c = length - len(prefix)
-    content = (random.SystemRandom().choice(ALPHABET) for x in range(c) )
+    content = (random.SystemRandom().choice(ALPHABET) for x in range(c))
     return prefix + ''.join(content)
diff --git a/src/authentic2_idp_cas/views.py b/src/authentic2_idp_cas/views.py
index 5e268cd3..a8535f4c 100644
--- a/src/authentic2_idp_cas/views.py
+++ b/src/authentic2_idp_cas/views.py
@@ -26,10 +26,15 @@ from django.views.generic.base import View
 from django.utils import six
 from django.utils.timezone import now
 
-from authentic2.utils import (get_user_from_session_key, make_url,
-                              login_require, find_authentication_event,
-                              redirect, normalize_attribute_values,
-                              attribute_values_to_identifier)
+from authentic2.utils import (
+    get_user_from_session_key,
+    make_url,
+    login_require,
+    find_authentication_event,
+    redirect,
+    normalize_attribute_values,
+    attribute_values_to_identifier,
+)
 from authentic2.attributes_ng.engine import get_attributes
 from authentic2.constants import NONCE_FIELD_NAME
 from authentic2.views import logout as logout_view
@@ -38,16 +43,44 @@ from authentic2 import hooks
 from authentic2_idp_cas.models import Ticket, Service
 from authentic2_idp_cas.utils import make_id
 from authentic2_idp_cas.constants import (
-    SERVICE_PARAM, RENEW_PARAM, GATEWAY_PARAM, TICKET_PARAM, CANCEL_PARAM,
-    SERVICE_TICKET_PREFIX, INVALID_REQUEST_ERROR, INVALID_TICKET_SPEC_ERROR,
-    INVALID_SERVICE_ERROR, INVALID_TICKET_ERROR, CAS10_VALIDATION_FAILURE,
-    CAS20_VALIDATION_FAILURE, SERVICE_RESPONSE_ELT, AUTHENTICATION_SUCCESS_ELT,
-    USER_ELT, PGT_URL_PARAM, PGT_IOU_PARAM, SESSION_CAS_LOGOUTS,
-    CAS10_VALIDATION_SUCCESS, PGT_ELT, PROXIES_ELT, PROXY_ELT, PGT_PREFIX,
-    PGT_IOU_PREFIX, PT_PREFIX, TARGET_SERVICE_PARAM, BAD_PGT_ERROR,
-    INVALID_TARGET_SERVICE_ERROR, PROXY_UNAUTHORIZED_ERROR, PGT_PARAM,
-    PGT_ID_PARAM, CAS20_PROXY_FAILURE, PROXY_SUCCESS_ELT, PROXY_TICKET_ELT,
-    INTERNAL_ERROR, CAS_NAMESPACE, ATTRIBUTES_ELT)
+    SERVICE_PARAM,
+    RENEW_PARAM,
+    GATEWAY_PARAM,
+    TICKET_PARAM,
+    CANCEL_PARAM,
+    SERVICE_TICKET_PREFIX,
+    INVALID_REQUEST_ERROR,
+    INVALID_TICKET_SPEC_ERROR,
+    INVALID_SERVICE_ERROR,
+    INVALID_TICKET_ERROR,
+    CAS10_VALIDATION_FAILURE,
+    CAS20_VALIDATION_FAILURE,
+    SERVICE_RESPONSE_ELT,
+    AUTHENTICATION_SUCCESS_ELT,
+    USER_ELT,
+    PGT_URL_PARAM,
+    PGT_IOU_PARAM,
+    SESSION_CAS_LOGOUTS,
+    CAS10_VALIDATION_SUCCESS,
+    PGT_ELT,
+    PROXIES_ELT,
+    PROXY_ELT,
+    PGT_PREFIX,
+    PGT_IOU_PREFIX,
+    PT_PREFIX,
+    TARGET_SERVICE_PARAM,
+    BAD_PGT_ERROR,
+    INVALID_TARGET_SERVICE_ERROR,
+    PROXY_UNAUTHORIZED_ERROR,
+    PGT_PARAM,
+    PGT_ID_PARAM,
+    CAS20_PROXY_FAILURE,
+    PROXY_SUCCESS_ELT,
+    PROXY_TICKET_ELT,
+    INTERNAL_ERROR,
+    CAS_NAMESPACE,
+    ATTRIBUTES_ELT,
+)
 from . import app_settings
 
 try:
@@ -84,21 +117,25 @@ class CasMixin(object):
         st.session_key = request.session.session_key
         st.save()
         if st.service.logout_url:
-            request.session.setdefault(SESSION_CAS_LOGOUTS, []).append((
-                st.service.name,
-                st.service.get_logout_url(request),
-                st.service.logout_use_iframe,
-                st.service.logout_use_iframe_timeout))
+            request.session.setdefault(SESSION_CAS_LOGOUTS, []).append(
+                (
+                    st.service.name,
+                    st.service.get_logout_url(request),
+                    st.service.logout_use_iframe,
+                    st.service.logout_use_iframe_timeout,
+                )
+            )
 
     def authenticate(self, request, st):
-        '''
-           Redirect to an login page, pass a cookie to the login page to
-           associate the login event with the service ticket, if renew was
-           asked
-        '''
+        """
+        Redirect to an login page, pass a cookie to the login page to
+        associate the login event with the service ticket, if renew was
+        asked
+        """
         nonce = st.ticket_id
-        next_url = make_url('a2-idp-cas-continue', params={
-            SERVICE_PARAM: st.service_url, NONCE_FIELD_NAME: nonce})
+        next_url = make_url(
+            'a2-idp-cas-continue', params={SERVICE_PARAM: st.service_url, NONCE_FIELD_NAME: nonce}
+        )
         return login_require(request, next_url=next_url, params={NONCE_FIELD_NAME: nonce})
 
 
@@ -139,8 +176,7 @@ class LoginView(CasMixin, View):
         return redirect(request, service)
 
     def must_authenticate(self, request, renew, gateway):
-        '''Does the user needs to authenticate ?
-        '''
+        """Does the user needs to authenticate ?"""
         return not gateway and (not request.user.is_authenticated or renew)
 
 
@@ -225,8 +261,11 @@ class ValidateBaseView(CasMixin, View):
                 return self.validation_failure(request, service, INVALID_TICKET_SPEC_ERROR)
             attributes = self.get_attributes(request, st)
             if st.service.identifier_attribute not in attributes:
-                self.logger.error('unable to compute an identifier for user %r and service %s',
-                                  six.text_type(st.user), st.service_url)
+                self.logger.error(
+                    'unable to compute an identifier for user %r and service %s',
+                    six.text_type(st.user),
+                    st.service_url,
+                )
                 return self.validation_failure(request, service, INTERNAL_ERROR)
             # Compute user identifier
             identifier = attribute_values_to_identifier(attributes[st.service.identifier_attribute])
@@ -242,12 +281,14 @@ class ValidateBaseView(CasMixin, View):
             user = get_user_from_session_key(st.session_key)
             assert user.pk  # not an annymous user
             assert st.user_id == user.pk  # session user matches ticket user
-            st.attributes = get_attributes({
-                'request': request,
-                'user': user,
-                'service': st.service,
-                '__wanted_attributes': wanted_attributes,
-            })
+            st.attributes = get_attributes(
+                {
+                    'request': request,
+                    'user': user,
+                    'service': st.service,
+                    '__wanted_attributes': wanted_attributes,
+                }
+            )
         return st.attributes
 
     def validation_failure(self, request, service, code):
@@ -255,8 +296,13 @@ class ValidateBaseView(CasMixin, View):
         return self.real_validation_failure(request, service, code)
 
     def validation_success(self, request, st, identifier):
-        self.logger.info('validation success service: %r ticket: %s user: %r identifier: %r',
-                         st.service_url, st.ticket_id, six.text_type(st.user), identifier)
+        self.logger.info(
+            'validation success service: %r ticket: %s user: %r identifier: %r',
+            st.service_url,
+            st.ticket_id,
+            six.text_type(st.user),
+            identifier,
+        )
         return self.real_validation_success(request, st, identifier)
 
 
@@ -307,8 +353,7 @@ class ServiceValidateView(ValidateBaseView):
                 attribute_elt.text = six.text_type(value)
 
     def provision_pgt(self, request, st, success):
-        '''Provision a PGT ticket if requested
-        '''
+        """Provision a PGT ticket if requested"""
         pgt_url = request.GET.get(PGT_URL_PARAM)
         if not pgt_url:
             return
@@ -323,10 +368,7 @@ class ServiceValidateView(ValidateBaseView):
         # Skip PGT_URL check for testing purpose
         # instead store PGT_IOU / PGT association in session
         if app_settings.CHECK_PGT_URL:
-            response = requests.get(pgt_url,
-                                    params={
-                                        PGT_ID_PARAM: pgt,
-                                        PGT_IOU_PARAM: pgt_iou})
+            response = requests.get(pgt_url, params={PGT_ID_PARAM: pgt, PGT_IOU_PARAM: pgt_iou})
             if response.status_code != 200:
                 self.logger.warning('pgtUrl %r returned non 200 code: %d', pgt_url, response.status_code)
                 return
@@ -342,7 +384,8 @@ class ServiceValidateView(ValidateBaseView):
             validity=True,
             user=st.user,
             session_key=st.session_key,
-            proxies=proxies)
+            proxies=proxies,
+        )
         user = ET.SubElement(success, PGT_ELT)
         user.text = pgt_iou
         if self.add_proxies:
@@ -359,11 +402,11 @@ class ProxyView(View):
         pgt = request.GET.get(PGT_PARAM)
         target_service_url = request.GET.get(TARGET_SERVICE_PARAM)
         if not pgt or not target_service_url:
-            return self.validation_failure(INVALID_REQUEST_ERROR,
-                                           "'pgt' and 'targetService' parameters are both required")
+            return self.validation_failure(
+                INVALID_REQUEST_ERROR, "'pgt' and 'targetService' parameters are both required"
+            )
         if not pgt.startswith(PGT_PREFIX):
-            return self.validation_failure(BAD_PGT_ERROR,
-                                           'a proxy granting ticket must start with PGT-')
+            return self.validation_failure(BAD_PGT_ERROR, 'a proxy granting ticket must start with PGT-')
         try:
             pgt = Ticket.objects.get(ticket_id=pgt)
         except Ticket.DoesNotExist:
@@ -381,7 +424,9 @@ class ProxyView(View):
         # Verify that the requested service is authorized to get proxy tickets
         # for the target service
         if not target_service.proxy.filter(pk=pgt.service_id).exists():
-            return self.validation_failure(PROXY_UNAUTHORIZED_ERROR, 'proxying to the target service is forbidden')
+            return self.validation_failure(
+                PROXY_UNAUTHORIZED_ERROR, 'proxying to the target service is forbidden'
+            )
         pt = Ticket.objects.create(
             ticket_id=make_id(PT_PREFIX),
             validity=True,
@@ -390,7 +435,8 @@ class ProxyView(View):
             service_url=target_service_url,
             user=pgt.user,
             session_key=pgt.session_key,
-            proxies=pgt.proxies)
+            proxies=pgt.proxies,
+        )
         return self.validation_success(request, pt)
 
     def validation_failure(self, code, reason):
@@ -422,6 +468,7 @@ class LogoutView(View):
                 return logout_view(request, next_url=next_url, check_referer=False, do_local=False)
         return redirect(request, next_url)
 
+
 login = LoginView.as_view()
 logout = LogoutView.as_view()
 _continue = ContinueView.as_view()
diff --git a/src/authentic2_idp_oidc/admin.py b/src/authentic2_idp_oidc/admin.py
index 4b7cfa00..5d39fdec 100644
--- a/src/authentic2_idp_oidc/admin.py
+++ b/src/authentic2_idp_oidc/admin.py
@@ -25,11 +25,9 @@ from . import models, app_settings
 
 
 class OIDCClaimInlineForm(forms.ModelForm):
-
     def __init__(self, *args, **kwargs):
         super(OIDCClaimInlineForm, self).__init__(*args, **kwargs)
-        data = dict(get_service_attributes(getattr(
-                self.instance, 'client', None))).keys()
+        data = dict(get_service_attributes(getattr(self.instance, 'client', None))).keys()
         widget = self.fields['value'].widget
         widget.data = data
         widget.name = 'list__oidcclaim-inline'
@@ -81,27 +79,25 @@ class OIDCAuthorizationAdmin(admin.ModelAdmin):
         return qs
 
     def get_search_results(self, request, queryset, search_term):
-            from django.contrib.contenttypes.models import ContentType
-            from authentic2.a2_rbac.models import OrganizationalUnit as OU
-
-            queryset, use_distinct = super(OIDCAuthorizationAdmin, self).get_search_results(
-                request, queryset, search_term)
-            clients = models.OIDCClient.objects.filter(name__contains=search_term).values_list('pk')
-            ous = OU.objects.filter(name__contains=search_term).values_list('pk')
-            queryset |= self.model.objects.filter(
-                client_ct=ContentType.objects.get_for_model(models.OIDCClient),
-                client_id=clients)
-            queryset |= self.model.objects.filter(
-                client_ct=ContentType.objects.get_for_model(OU),
-                client_id=ous)
-            return queryset, use_distinct
+        from django.contrib.contenttypes.models import ContentType
+        from authentic2.a2_rbac.models import OrganizationalUnit as OU
+
+        queryset, use_distinct = super(OIDCAuthorizationAdmin, self).get_search_results(
+            request, queryset, search_term
+        )
+        clients = models.OIDCClient.objects.filter(name__contains=search_term).values_list('pk')
+        ous = OU.objects.filter(name__contains=search_term).values_list('pk')
+        queryset |= self.model.objects.filter(
+            client_ct=ContentType.objects.get_for_model(models.OIDCClient), client_id=clients
+        )
+        queryset |= self.model.objects.filter(client_ct=ContentType.objects.get_for_model(OU), client_id=ous)
+        return queryset, use_distinct
 
 
 class OIDCCodeAdmin(admin.ModelAdmin):
     list_display = ['client', 'user', 'uuid', 'created', 'expired']
     list_filter = ['client']
-    search_fields = ['user__first_name', 'user__last_name', 'user__email', 'user__username',
-                     'client__name']
+    search_fields = ['user__first_name', 'user__last_name', 'user__email', 'user__username', 'client__name']
     date_hierarchy = 'created'
     readonly_fields = ['uuid', 'created', 'expired', 'user', 'uuid', 'client', 'state', 'nonce']
 
@@ -109,8 +105,7 @@ class OIDCCodeAdmin(admin.ModelAdmin):
 class OIDCAccessTokenAdmin(admin.ModelAdmin):
     list_display = ['client', 'user', 'uuid', 'created', 'expired']
     list_filter = ['client']
-    search_fields = ['user__first_name', 'user__last_name', 'user__email', 'user__username',
-                     'client__name']
+    search_fields = ['user__first_name', 'user__last_name', 'user__email', 'user__username', 'client__name']
     date_hierarchy = 'created'
     readonly_fields = ['uuid', 'created', 'expired']
 
diff --git a/src/authentic2_idp_oidc/app_settings.py b/src/authentic2_idp_oidc/app_settings.py
index 80053235..aa385d78 100644
--- a/src/authentic2_idp_oidc/app_settings.py
+++ b/src/authentic2_idp_oidc/app_settings.py
@@ -19,6 +19,7 @@ import sys
 
 class AppSettings(object):
     '''Thanks django-allauth'''
+
     __SENTINEL = object()
 
     def __init__(self, prefix):
@@ -67,13 +68,16 @@ class AppSettings(object):
 
     @property
     def DEFAULT_MAPPINGS(self):
-        return self._setting('DEFAULT_MAPPINGS', [
-            {'name': 'preferred_username', 'value': 'django_user_identifier', 'scopes': 'profile'},
-            {'name': 'given_name', 'value': 'django_user_first_name', 'scopes': 'profile'},
-            {'name': 'family_name', 'value': 'django_user_last_name', 'scopes': 'profile'},
-            {'name': 'email', 'value': 'django_user_email', 'scopes': 'email'},
-            {'name': 'email_verified', 'value': 'django_user_email_verified', 'scopes': 'email'},
-        ])
+        return self._setting(
+            'DEFAULT_MAPPINGS',
+            [
+                {'name': 'preferred_username', 'value': 'django_user_identifier', 'scopes': 'profile'},
+                {'name': 'given_name', 'value': 'django_user_first_name', 'scopes': 'profile'},
+                {'name': 'family_name', 'value': 'django_user_last_name', 'scopes': 'profile'},
+                {'name': 'email', 'value': 'django_user_email', 'scopes': 'email'},
+                {'name': 'email_verified', 'value': 'django_user_email_verified', 'scopes': 'email'},
+            ],
+        )
 
 
 app_settings = AppSettings('A2_IDP_OIDC_')
diff --git a/src/authentic2_idp_oidc/apps.py b/src/authentic2_idp_oidc/apps.py
index d4a086f6..8b6673d4 100644
--- a/src/authentic2_idp_oidc/apps.py
+++ b/src/authentic2_idp_oidc/apps.py
@@ -20,7 +20,6 @@ from django.utils.encoding import smart_bytes
 
 
 class Plugin(object):
-
     def logout_list(self, request):
         from .utils import get_oidc_sessions
         from . import app_settings
@@ -34,129 +33,129 @@ class Plugin(object):
             ctx = {
                 'url': value['frontchannel_logout_uri'],
                 'name': value['name'],
-                'iframe_timeout': value.get('frontchannel_timeout') or app_settings.DEFAULT_FRONTCHANNEL_TIMEOUT,
+                'iframe_timeout': value.get('frontchannel_timeout')
+                or app_settings.DEFAULT_FRONTCHANNEL_TIMEOUT,
             }
-            fragments.append(
-                render_to_string(
-                    'authentic2_idp_oidc/logout_fragment.html',
-                    ctx))
+            fragments.append(render_to_string('authentic2_idp_oidc/logout_fragment.html', ctx))
         return fragments
 
 
 class AppConfig(django.apps.AppConfig):
-        name = 'authentic2_idp_oidc'
-
-        def get_a2_plugin(self):
-            return Plugin()
-
-
-        # implement translation of encrypted pairwise identifiers when and OIDC Client is using the
-        # A2 API
-        def a2_hook_api_modify_serializer(self, view, serializer):
-            from . import utils
-            from rest_framework import serializers
-
-            if hasattr(view.request.user, 'oidc_client'):
-                client = view.request.user.oidc_client
-                if client.identifier_policy == client.POLICY_PAIRWISE_REVERSIBLE:
-
-                    def get_oidc_uuuid(user):
-                        return utils.make_pairwise_reversible_sub(client, user)
-                    serializer.get_oidc_uuid = get_oidc_uuuid
-                    serializer.fields['uuid'] = serializers.SerializerMethodField(
-                        method_name='get_oidc_uuid')
-
-        @classmethod
-        def get_oidc_client(cls, view):
-            request = view.request
-            if not hasattr(request.user, 'oidc_client'):
-                return None
-            return request.user.oidc_client
-
-        def a2_hook_api_modify_view_before_get_object(self, view):
-            '''Decrypt sub used as pk argument in URL.'''
-            import uuid
-            from . import utils
-
-            client = self.get_oidc_client(view)
-            if client is None:
-                return
-            if client.identifier_policy != client.POLICY_PAIRWISE_REVERSIBLE:
-                return
-            lookup_url_kwarg = view.lookup_url_kwarg or view.lookup_field
-            if lookup_url_kwarg not in view.kwargs:
-                return
-
-            sub = smart_bytes(view.kwargs[lookup_url_kwarg])
-            decrypted = utils.reverse_pairwise_sub(client, sub)
+    name = 'authentic2_idp_oidc'
+
+    def get_a2_plugin(self):
+        return Plugin()
+
+    # implement translation of encrypted pairwise identifiers when and OIDC Client is using the
+    # A2 API
+    def a2_hook_api_modify_serializer(self, view, serializer):
+        from . import utils
+        from rest_framework import serializers
+
+        if hasattr(view.request.user, 'oidc_client'):
+            client = view.request.user.oidc_client
+            if client.identifier_policy == client.POLICY_PAIRWISE_REVERSIBLE:
+
+                def get_oidc_uuuid(user):
+                    return utils.make_pairwise_reversible_sub(client, user)
+
+                serializer.get_oidc_uuid = get_oidc_uuuid
+                serializer.fields['uuid'] = serializers.SerializerMethodField(method_name='get_oidc_uuid')
+
+    @classmethod
+    def get_oidc_client(cls, view):
+        request = view.request
+        if not hasattr(request.user, 'oidc_client'):
+            return None
+        return request.user.oidc_client
+
+    def a2_hook_api_modify_view_before_get_object(self, view):
+        '''Decrypt sub used as pk argument in URL.'''
+        import uuid
+        from . import utils
+
+        client = self.get_oidc_client(view)
+        if client is None:
+            return
+        if client.identifier_policy != client.POLICY_PAIRWISE_REVERSIBLE:
+            return
+        lookup_url_kwarg = view.lookup_url_kwarg or view.lookup_field
+        if lookup_url_kwarg not in view.kwargs:
+            return
+
+        sub = smart_bytes(view.kwargs[lookup_url_kwarg])
+        decrypted = utils.reverse_pairwise_sub(client, sub)
+        if decrypted:
+            view.kwargs[lookup_url_kwarg] = uuid.UUID(bytes=decrypted).hex
+
+    def a2_hook_api_modify_serializer_after_validation(self, view, serializer):
+        import uuid
+        from . import utils
+
+        if view.__class__.__name__ != 'UsersAPI':
+            return
+        if serializer.__class__.__name__ != 'SynchronizationSerializer':
+            return
+        request = view.request
+        if not hasattr(request.user, 'oidc_client'):
+            return
+        client = request.user.oidc_client
+        if client.identifier_policy != client.POLICY_PAIRWISE_REVERSIBLE:
+            return
+        new_known_uuids = []
+        uuid_map = request.uuid_map = {}
+        request.unknown_uuids = []
+        for u in serializer.validated_data['known_uuids']:
+            decrypted = utils.reverse_pairwise_sub(client, smart_bytes(u))
             if decrypted:
-                view.kwargs[lookup_url_kwarg] = uuid.UUID(bytes=decrypted).hex
-
-        def a2_hook_api_modify_serializer_after_validation(self, view, serializer):
-            import uuid
-            from . import utils
-
-            if view.__class__.__name__ != 'UsersAPI':
-                return
-            if serializer.__class__.__name__ != 'SynchronizationSerializer':
-                return
-            request = view.request
-            if not hasattr(request.user, 'oidc_client'):
-                return
-            client = request.user.oidc_client
-            if client.identifier_policy != client.POLICY_PAIRWISE_REVERSIBLE:
-                return
-            new_known_uuids = []
-            uuid_map = request.uuid_map = {}
-            request.unknown_uuids = []
-            for u in serializer.validated_data['known_uuids']:
-                decrypted = utils.reverse_pairwise_sub(client, smart_bytes(u))
-                if decrypted:
-                    new_known_uuid = uuid.UUID(bytes=decrypted).hex
-                    new_known_uuids.append(new_known_uuid)
-                    uuid_map[new_known_uuid] = u
-                else:
-                    request.unknown_uuids.append(u)
-                # undecipherable sub are just not checked at all
-            serializer.validated_data['known_uuids'] = new_known_uuids
-
-        def a2_hook_api_modify_response(self, view, method_name, data):
-            '''Reverse mapping applied in a2_hook_api_modify_serializer_after_validation using the
-               uuid_map saved on the request.
-            '''
-            request = view.request
-            if not hasattr(request.user, 'oidc_client'):
-                return
-            if view.__class__.__name__ != 'UsersAPI':
-                return
-            if method_name != 'synchronization':
-                return
-            if not hasattr(request, 'uuid_map'):
-                return
-            uuid_map = request.uuid_map
-
-            unknown_uuids = data['unknown_uuids']
-            new_unknown_uuids = []
-            for u in unknown_uuids:
-                new_unknown_uuids.append(uuid_map[u])
-            new_unknown_uuids.extend(request.unknown_uuids)
-            data['unknown_uuids'] = new_unknown_uuids
-
-        def a2_hook_api_modify_queryset(self, view, qs):
-            from django.contrib.auth import get_user_model
-
-            client = self.get_oidc_client(view)
-            # fast path
-            if (not issubclass(qs.model, get_user_model())
-                    or client is None
-                    or not client.authorized_roles.exists()):
-                return qs
-
-            qs = qs.filter(roles__in=client.authorized_roles.children())
-            qs = qs.distinct()
-
+                new_known_uuid = uuid.UUID(bytes=decrypted).hex
+                new_known_uuids.append(new_known_uuid)
+                uuid_map[new_known_uuid] = u
+            else:
+                request.unknown_uuids.append(u)
+            # undecipherable sub are just not checked at all
+        serializer.validated_data['known_uuids'] = new_known_uuids
+
+    def a2_hook_api_modify_response(self, view, method_name, data):
+        """Reverse mapping applied in a2_hook_api_modify_serializer_after_validation using the
+        uuid_map saved on the request.
+        """
+        request = view.request
+        if not hasattr(request.user, 'oidc_client'):
+            return
+        if view.__class__.__name__ != 'UsersAPI':
+            return
+        if method_name != 'synchronization':
+            return
+        if not hasattr(request, 'uuid_map'):
+            return
+        uuid_map = request.uuid_map
+
+        unknown_uuids = data['unknown_uuids']
+        new_unknown_uuids = []
+        for u in unknown_uuids:
+            new_unknown_uuids.append(uuid_map[u])
+        new_unknown_uuids.extend(request.unknown_uuids)
+        data['unknown_uuids'] = new_unknown_uuids
+
+    def a2_hook_api_modify_queryset(self, view, qs):
+        from django.contrib.auth import get_user_model
+
+        client = self.get_oidc_client(view)
+        # fast path
+        if (
+            not issubclass(qs.model, get_user_model())
+            or client is None
+            or not client.authorized_roles.exists()
+        ):
             return qs
 
-        def a2_hook_good_next_url(self, next_url):
-            from .utils import good_next_url
-            return good_next_url(next_url)
+        qs = qs.filter(roles__in=client.authorized_roles.children())
+        qs = qs.distinct()
+
+        return qs
+
+    def a2_hook_good_next_url(self, next_url):
+        from .utils import good_next_url
+
+        return good_next_url(next_url)
diff --git a/src/authentic2_idp_oidc/migrations/0001_initial.py b/src/authentic2_idp_oidc/migrations/0001_initial.py
index 778223f0..15ef26ea 100644
--- a/src/authentic2_idp_oidc/migrations/0001_initial.py
+++ b/src/authentic2_idp_oidc/migrations/0001_initial.py
@@ -17,8 +17,16 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCAccessToken',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('uuid', models.CharField(default=authentic2_idp_oidc.models.generate_uuid, max_length=128, verbose_name='uuid')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=authentic2_idp_oidc.models.generate_uuid, max_length=128, verbose_name='uuid'
+                    ),
+                ),
                 ('scopes', models.TextField(verbose_name='scopes')),
                 ('session_key', models.CharField(blank=True, max_length=128, verbose_name='session key')),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
@@ -28,7 +36,10 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCAuthorization',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('scopes', models.TextField(verbose_name='scopes')),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                 ('expired', models.DateTimeField(verbose_name='expire')),
@@ -37,14 +48,70 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCClient',
             fields=[
-                ('service_ptr', models.OneToOneField(parent_link=True, auto_created=True, primary_key=True, serialize=False, to='authentic2.Service', on_delete=models.CASCADE)),
-                ('client_id', models.CharField(default=authentic2_idp_oidc.models.generate_uuid, unique=True, max_length=255, verbose_name='client id')),
-                ('client_secret', models.CharField(default=authentic2_idp_oidc.models.generate_uuid, max_length=255, verbose_name='client secret')),
-                ('authorization_flow', models.PositiveIntegerField(choices=[(1, 'authorization code'), (2, 'implicit/native'), (3, 'resource owner password credentials')], default=1, verbose_name='authorization flow')),
-                ('redirect_uris', models.TextField(verbose_name='redirect URIs', validators=[authentic2_idp_oidc.models.validate_https_url])),
+                (
+                    'service_ptr',
+                    models.OneToOneField(
+                        parent_link=True,
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        to='authentic2.Service',
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'client_id',
+                    models.CharField(
+                        default=authentic2_idp_oidc.models.generate_uuid,
+                        unique=True,
+                        max_length=255,
+                        verbose_name='client id',
+                    ),
+                ),
+                (
+                    'client_secret',
+                    models.CharField(
+                        default=authentic2_idp_oidc.models.generate_uuid,
+                        max_length=255,
+                        verbose_name='client secret',
+                    ),
+                ),
+                (
+                    'authorization_flow',
+                    models.PositiveIntegerField(
+                        choices=[
+                            (1, 'authorization code'),
+                            (2, 'implicit/native'),
+                            (3, 'resource owner password credentials'),
+                        ],
+                        default=1,
+                        verbose_name='authorization flow',
+                    ),
+                ),
+                (
+                    'redirect_uris',
+                    models.TextField(
+                        verbose_name='redirect URIs',
+                        validators=[authentic2_idp_oidc.models.validate_https_url],
+                    ),
+                ),
                 ('sector_identifier_uri', models.URLField(verbose_name='sector identifier URI', blank=True)),
-                ('identifier_policy', models.PositiveIntegerField(default=2, verbose_name='identifier policy', choices=[(1, 'uuid'), (2, 'pairwise'), (3, 'email')])),
-                ('idtoken_algo', models.PositiveIntegerField(default=2, verbose_name='IDToken signature algorithm', choices=[(2, 'HMAC'), (1, 'RSA'), (3, 'EC')])),
+                (
+                    'identifier_policy',
+                    models.PositiveIntegerField(
+                        default=2,
+                        verbose_name='identifier policy',
+                        choices=[(1, 'uuid'), (2, 'pairwise'), (3, 'email')],
+                    ),
+                ),
+                (
+                    'idtoken_algo',
+                    models.PositiveIntegerField(
+                        default=2,
+                        verbose_name='IDToken signature algorithm',
+                        choices=[(2, 'HMAC'), (1, 'RSA'), (3, 'EC')],
+                    ),
+                ),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                 ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
             ],
@@ -53,8 +120,16 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCCode',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('uuid', models.CharField(default=authentic2_idp_oidc.models.generate_uuid, max_length=128, verbose_name='uuid')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=authentic2_idp_oidc.models.generate_uuid, max_length=128, verbose_name='uuid'
+                    ),
+                ),
                 ('scopes', models.TextField(verbose_name='scopes')),
                 ('state', models.TextField(default='', verbose_name='state')),
                 ('nonce', models.TextField(default='', verbose_name='nonce')),
@@ -63,28 +138,46 @@ class Migration(migrations.Migration):
                 ('auth_time', models.DateTimeField(verbose_name='auth time')),
                 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
                 ('expired', models.DateTimeField(verbose_name='expire')),
-                ('client', models.ForeignKey(verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE)),
-                ('user', models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE)),
+                (
+                    'client',
+                    models.ForeignKey(
+                        verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'user',
+                    models.ForeignKey(
+                        verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+                    ),
+                ),
             ],
         ),
         migrations.AddField(
             model_name='oidcauthorization',
             name='client',
-            field=models.ForeignKey(verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE
+            ),
         ),
         migrations.AddField(
             model_name='oidcauthorization',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
         ),
         migrations.AddField(
             model_name='oidcaccesstoken',
             name='client',
-            field=models.ForeignKey(verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE
+            ),
         ),
         migrations.AddField(
             model_name='oidcaccesstoken',
             name='user',
-            field=models.ForeignKey(verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='user', to=settings.AUTH_USER_MODEL, on_delete=models.CASCADE
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0002_auto_20170121_2346.py b/src/authentic2_idp_oidc/migrations/0002_auto_20170121_2346.py
index 89b12f3d..141c27ee 100644
--- a/src/authentic2_idp_oidc/migrations/0002_auto_20170121_2346.py
+++ b/src/authentic2_idp_oidc/migrations/0002_auto_20170121_2346.py
@@ -15,6 +15,10 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='oidcclient',
             name='post_logout_redirect_uris',
-            field=models.TextField(default='', verbose_name='post logout redirect URIs', validators=[authentic2_idp_oidc.models.validate_https_url]),
+            field=models.TextField(
+                default='',
+                verbose_name='post logout redirect URIs',
+                validators=[authentic2_idp_oidc.models.validate_https_url],
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0003_auto_20170329_1259.py b/src/authentic2_idp_oidc/migrations/0003_auto_20170329_1259.py
index f80b3fff..52361ded 100644
--- a/src/authentic2_idp_oidc/migrations/0003_auto_20170329_1259.py
+++ b/src/authentic2_idp_oidc/migrations/0003_auto_20170329_1259.py
@@ -15,6 +15,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='oidcclient',
             name='post_logout_redirect_uris',
-            field=models.TextField(default='', blank=True, verbose_name='post logout redirect URIs', validators=[authentic2_idp_oidc.models.validate_https_url]),
+            field=models.TextField(
+                default='',
+                blank=True,
+                verbose_name='post logout redirect URIs',
+                validators=[authentic2_idp_oidc.models.validate_https_url],
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0005_authorization_mode.py b/src/authentic2_idp_oidc/migrations/0005_authorization_mode.py
index e3a09310..e4fd951b 100644
--- a/src/authentic2_idp_oidc/migrations/0005_authorization_mode.py
+++ b/src/authentic2_idp_oidc/migrations/0005_authorization_mode.py
@@ -28,7 +28,11 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='oidcclient',
             name='authorization_mode',
-            field=models.PositiveIntegerField(default=1, verbose_name='authorization mode', choices=[(1, 'authorization by service'), (1, 'authorization by ou')]),
+            field=models.PositiveIntegerField(
+                default=1,
+                verbose_name='authorization mode',
+                choices=[(1, 'authorization by service'), (1, 'authorization by ou')],
+            ),
         ),
         migrations.AlterField(
             model_name='oidcauthorization',
@@ -43,7 +47,9 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='oidcauthorization',
             name='client_ct',
-            field=models.ForeignKey(verbose_name='client ct', to='contenttypes.ContentType', null=True, on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='client ct', to='contenttypes.ContentType', null=True, on_delete=models.CASCADE
+            ),
         ),
         migrations.RunPython(set_client_ct, noop),
         migrations.AlterField(
@@ -54,6 +60,8 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='oidcauthorization',
             name='client_ct',
-            field=models.ForeignKey(verbose_name='client ct', to='contenttypes.ContentType', on_delete=models.CASCADE),
+            field=models.ForeignKey(
+                verbose_name='client ct', to='contenttypes.ContentType', on_delete=models.CASCADE
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0006_auto_20170720_1054.py b/src/authentic2_idp_oidc/migrations/0006_auto_20170720_1054.py
index 23b5a519..7a4c73db 100644
--- a/src/authentic2_idp_oidc/migrations/0006_auto_20170720_1054.py
+++ b/src/authentic2_idp_oidc/migrations/0006_auto_20170720_1054.py
@@ -14,11 +14,19 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='oidcclient',
             name='authorization_mode',
-            field=models.PositiveIntegerField(default=1, verbose_name='authorization mode', choices=[(1, 'authorization by service'), (2, 'authorization by ou'), (3, 'none')]),
+            field=models.PositiveIntegerField(
+                default=1,
+                verbose_name='authorization mode',
+                choices=[(1, 'authorization by service'), (2, 'authorization by ou'), (3, 'none')],
+            ),
         ),
         migrations.AlterField(
             model_name='oidcclient',
             name='identifier_policy',
-            field=models.PositiveIntegerField(default=2, verbose_name='identifier policy', choices=[(1, 'uuid'), (2, 'pairwise unreversible'), (4, 'pairwise reversible'), (3, 'email')]),
+            field=models.PositiveIntegerField(
+                default=2,
+                verbose_name='identifier policy',
+                choices=[(1, 'uuid'), (2, 'pairwise unreversible'), (4, 'pairwise reversible'), (3, 'email')],
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0008_oidcclient_idtoken_duration.py b/src/authentic2_idp_oidc/migrations/0008_oidcclient_idtoken_duration.py
index 2fbf0dce..61b4c09c 100644
--- a/src/authentic2_idp_oidc/migrations/0008_oidcclient_idtoken_duration.py
+++ b/src/authentic2_idp_oidc/migrations/0008_oidcclient_idtoken_duration.py
@@ -15,9 +15,7 @@ class Migration(migrations.Migration):
             model_name='oidcclient',
             name='idtoken_duration',
             field=models.DurationField(
-                verbose_name='time during which the token is valid',
-                blank=True,
-                null=True,
-                default=None),
+                verbose_name='time during which the token is valid', blank=True, null=True, default=None
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0010_oidcclaim.py b/src/authentic2_idp_oidc/migrations/0010_oidcclaim.py
index cdde8e01..e53bfa88 100644
--- a/src/authentic2_idp_oidc/migrations/0010_oidcclaim.py
+++ b/src/authentic2_idp_oidc/migrations/0010_oidcclaim.py
@@ -8,11 +8,19 @@ def set_odcclient_default_claims(apps, schema_editor):
     OIDCClient = apps.get_model('authentic2_idp_oidc', 'OIDCClient')
     OIDCClaim = apps.get_model('authentic2_idp_oidc', 'OIDCClaim')
     for oidcclient in OIDCClient.objects.all():
-        OIDCClaim.objects.create(client=oidcclient, name='preferred_username', value='django_user_username', scopes='profile')
-        OIDCClaim.objects.create(client=oidcclient, name='given_name', value='django_user_first_name', scopes='profile')
-        OIDCClaim.objects.create(client=oidcclient, name='family_name', value='django_user_last_name', scopes='profile')
+        OIDCClaim.objects.create(
+            client=oidcclient, name='preferred_username', value='django_user_username', scopes='profile'
+        )
+        OIDCClaim.objects.create(
+            client=oidcclient, name='given_name', value='django_user_first_name', scopes='profile'
+        )
+        OIDCClaim.objects.create(
+            client=oidcclient, name='family_name', value='django_user_last_name', scopes='profile'
+        )
         OIDCClaim.objects.create(client=oidcclient, name='email', value='django_user_email', scopes='email')
-        OIDCClaim.objects.create(client=oidcclient, name='email_verified', value='django_user_email_verified', scopes='email')
+        OIDCClaim.objects.create(
+            client=oidcclient, name='email_verified', value='django_user_email_verified', scopes='email'
+        )
 
 
 def unset_odcclient_default_claims(apps, schema_editor):
@@ -31,11 +39,19 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OIDCClaim',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(max_length=128, verbose_name='attribute name', blank=True)),
                 ('value', models.CharField(max_length=128, verbose_name='attribute value', blank=True)),
                 ('scopes', models.CharField(max_length=128, verbose_name='attribute scopes', blank=True)),
-                ('client', models.ForeignKey(verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE)),
+                (
+                    'client',
+                    models.ForeignKey(
+                        verbose_name='client', to='authentic2_idp_oidc.OIDCClient', on_delete=models.CASCADE
+                    ),
+                ),
             ],
         ),
         migrations.RunPython(set_odcclient_default_claims, unset_odcclient_default_claims),
diff --git a/src/authentic2_idp_oidc/migrations/0011_auto_20180808_1546.py b/src/authentic2_idp_oidc/migrations/0011_auto_20180808_1546.py
index bbf1820e..8121a24b 100644
--- a/src/authentic2_idp_oidc/migrations/0011_auto_20180808_1546.py
+++ b/src/authentic2_idp_oidc/migrations/0011_auto_20180808_1546.py
@@ -5,9 +5,12 @@ from django.db import migrations
 
 
 OLD_DEFAULT_CLAIMS_MAPPING = {
-    'email': 'django_user_email', 'email_verified': 'django_user_email_verified',
-    'family_name': 'django_user_last_name', 'given_name': 'django_user_first_name',
-    'preferred_username': 'django_user_username'}
+    'email': 'django_user_email',
+    'email_verified': 'django_user_email_verified',
+    'family_name': 'django_user_last_name',
+    'given_name': 'django_user_first_name',
+    'preferred_username': 'django_user_username',
+}
 
 
 def set_oidcclient_default_preferred_username_as_identifier(apps, schema_editor):
@@ -35,5 +38,8 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(set_oidcclient_default_preferred_username_as_identifier, unset_oidcclient_default_preferred_username_as_identifier)
+        migrations.RunPython(
+            set_oidcclient_default_preferred_username_as_identifier,
+            unset_oidcclient_default_preferred_username_as_identifier,
+        )
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0012_auto_20200122_2258.py b/src/authentic2_idp_oidc/migrations/0012_auto_20200122_2258.py
index ce3d446e..51c51bbc 100644
--- a/src/authentic2_idp_oidc/migrations/0012_auto_20200122_2258.py
+++ b/src/authentic2_idp_oidc/migrations/0012_auto_20200122_2258.py
@@ -15,11 +15,21 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='oidcclient',
             name='access_token_duration',
-            field=models.DurationField(blank=True, default=None, null=True, verbose_name='time during which the access token is valid'),
+            field=models.DurationField(
+                blank=True,
+                default=None,
+                null=True,
+                verbose_name='time during which the access token is valid',
+            ),
         ),
         migrations.AddField(
             model_name='oidcclient',
             name='scope',
-            field=models.TextField(blank=True, default='', help_text='Permitted or default scopes (for credentials grant)', verbose_name='resource owner credentials grant scope'),
+            field=models.TextField(
+                blank=True,
+                default='',
+                help_text='Permitted or default scopes (for credentials grant)',
+                verbose_name='resource owner credentials grant scope',
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/migrations/0013_auto_20200630_1007.py b/src/authentic2_idp_oidc/migrations/0013_auto_20200630_1007.py
index ef588644..9754c02d 100644
--- a/src/authentic2_idp_oidc/migrations/0013_auto_20200630_1007.py
+++ b/src/authentic2_idp_oidc/migrations/0013_auto_20200630_1007.py
@@ -14,6 +14,8 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='oidccode',
             name='redirect_uri',
-            field=models.TextField(validators=[django.core.validators.URLValidator()], verbose_name='redirect URI'),
+            field=models.TextField(
+                validators=[django.core.validators.URLValidator()], verbose_name='redirect URI'
+            ),
         ),
     ]
diff --git a/src/authentic2_idp_oidc/models.py b/src/authentic2_idp_oidc/models.py
index 8bd940b8..96236459 100644
--- a/src/authentic2_idp_oidc/models.py
+++ b/src/authentic2_idp_oidc/models.py
@@ -97,78 +97,53 @@ class OIDCClient(Service):
     ]
 
     client_id = models.CharField(
-        max_length=255,
-        verbose_name=_('client id'),
-        unique=True,
-        default=generate_uuid)
-    client_secret = models.CharField(
-        max_length=255,
-        verbose_name=_('client secret'),
-        default=generate_uuid)
+        max_length=255, verbose_name=_('client id'), unique=True, default=generate_uuid
+    )
+    client_secret = models.CharField(max_length=255, verbose_name=_('client secret'), default=generate_uuid)
     idtoken_duration = models.DurationField(
-        verbose_name=_('time during which the token is valid'),
-        blank=True,
-        null=True,
-        default=None)
+        verbose_name=_('time during which the token is valid'), blank=True, null=True, default=None
+    )
     access_token_duration = models.DurationField(
-        verbose_name=_('time during which the access token is valid'),
-        blank=True,
-        null=True,
-        default=None)
+        verbose_name=_('time during which the access token is valid'), blank=True, null=True, default=None
+    )
     authorization_mode = models.PositiveIntegerField(
         default=AUTHORIZATION_MODE_BY_SERVICE,
         choices=AUTHORIZATION_MODES,
-        verbose_name=_('authorization mode'))
+        verbose_name=_('authorization mode'),
+    )
     authorization_flow = models.PositiveIntegerField(
-        verbose_name=_('authorization flow'),
-        default=FLOW_AUTHORIZATION_CODE,
-        choices=FLOW_CHOICES)
-    redirect_uris = models.TextField(
-        verbose_name=_('redirect URIs'),
-        validators=[validate_https_url])
+        verbose_name=_('authorization flow'), default=FLOW_AUTHORIZATION_CODE, choices=FLOW_CHOICES
+    )
+    redirect_uris = models.TextField(verbose_name=_('redirect URIs'), validators=[validate_https_url])
     post_logout_redirect_uris = models.TextField(
-        verbose_name=_('post logout redirect URIs'),
-        blank=True,
-        default='',
-        validators=[validate_https_url])
-    sector_identifier_uri = models.URLField(
-        verbose_name=_('sector identifier URI'),
-        blank=True)
+        verbose_name=_('post logout redirect URIs'), blank=True, default='', validators=[validate_https_url]
+    )
+    sector_identifier_uri = models.URLField(verbose_name=_('sector identifier URI'), blank=True)
     identifier_policy = models.PositiveIntegerField(
-        verbose_name=_('identifier policy'),
-        default=POLICY_PAIRWISE,
-        choices=IDENTIFIER_POLICIES)
+        verbose_name=_('identifier policy'), default=POLICY_PAIRWISE, choices=IDENTIFIER_POLICIES
+    )
     scope = models.TextField(
         verbose_name=_('resource owner credentials grant scope'),
         help_text=_('Permitted or default scopes (for credentials grant)'),
         default='',
-        blank=True)
+        blank=True,
+    )
     idtoken_algo = models.PositiveIntegerField(
-        default=ALGO_HMAC,
-        choices=ALGO_CHOICES,
-        verbose_name=_('IDToken signature algorithm'))
-    has_api_access = models.BooleanField(
-        verbose_name=_('has API access'),
-        default=False)
-    frontchannel_logout_uri = models.URLField(
-        verbose_name=_('frontchannel logout URI'),
-        blank=True)
+        default=ALGO_HMAC, choices=ALGO_CHOICES, verbose_name=_('IDToken signature algorithm')
+    )
+    has_api_access = models.BooleanField(verbose_name=_('has API access'), default=False)
+    frontchannel_logout_uri = models.URLField(verbose_name=_('frontchannel logout URI'), blank=True)
     frontchannel_timeout = models.PositiveIntegerField(
-        verbose_name=_('frontchannel timeout'),
-        null=True,
-        blank=True)
+        verbose_name=_('frontchannel timeout'), null=True, blank=True
+    )
 
-    authorizations = GenericRelation('OIDCAuthorization',
-                                     content_type_field='client_ct',
-                                     object_id_field='client_id')
+    authorizations = GenericRelation(
+        'OIDCAuthorization', content_type_field='client_ct', object_id_field='client_id'
+    )
 
     # metadata
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    modified = models.DateTimeField(
-        verbose_name=_('modified'),
-        auto_now=True)
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    modified = models.DateTimeField(verbose_name=_('modified'), auto_now=True)
 
     def clean(self):
         self.redirect_uris = strip_words(self.redirect_uris)
@@ -178,16 +153,20 @@ class OIDCClient(Service):
                 utils.get_jwkset()
             except ImproperlyConfigured:
                 raise ValidationError(
-                    _('You cannot use algorithm %(algorithm)s, setting A2_IDP_OIDC_JWKSET is not defined') %
-                    {'algorithm': self.get_idtoken_algo_display()})
+                    _('You cannot use algorithm %(algorithm)s, setting A2_IDP_OIDC_JWKSET is not defined')
+                    % {'algorithm': self.get_idtoken_algo_display()}
+                )
         if self.identifier_policy in [self.POLICY_PAIRWISE, self.POLICY_PAIRWISE_REVERSIBLE]:
             try:
                 self.get_sector_identifier()
             except ValueError:
                 raise ValidationError(
-                    _('Redirect URIs must have the same domain or you must define a '
-                      'sector identifier URI if you want to use pairwise'
-                      'identifiers'))
+                    _(
+                        'Redirect URIs must have the same domain or you must define a '
+                        'sector identifier URI if you want to use pairwise'
+                        'identifiers'
+                    )
+                )
 
     def get_wanted_attributes(self):
         return self.oidcclaim_set.filter(name__isnull=False).values_list('value', flat=True)
@@ -204,27 +183,25 @@ class OIDCClient(Service):
             if parsed_valid_uri.netloc.startswith('*'):
                 # globing on the left
                 netloc = parsed_valid_uri.netloc.lstrip('*')
-                if (parsed_uri.netloc != netloc
-                        and not parsed_uri.netloc.endswith('.' + netloc)):
+                if parsed_uri.netloc != netloc and not parsed_uri.netloc.endswith('.' + netloc):
                     continue
             elif parsed_uri.netloc != parsed_valid_uri.netloc:
                 continue
             if parsed_valid_uri.path.endswith('*'):
                 path = parsed_valid_uri.path.rstrip('*').rstrip('/')
-                if (parsed_uri.path.rstrip('/') != path
-                        and not parsed_uri.path.startswith(path + '/')):
+                if parsed_uri.path.rstrip('/') != path and not parsed_uri.path.startswith(path + '/'):
                     continue
             else:
                 if parsed_uri.path.rstrip('/') != parsed_valid_uri.path.rstrip('/'):
                     continue
             if parsed_uri.query and (
-                    parsed_valid_uri.query != parsed_uri.query and
-                    parsed_valid_uri.query != '*'):
+                parsed_valid_uri.query != parsed_uri.query and parsed_valid_uri.query != '*'
+            ):
                 # xxx parameter validation
                 continue
             if parsed_uri.fragment and (
-                    parsed_valid_uri.fragment != parsed_uri.fragment and
-                    parsed_valid_uri.fragment != '*'):
+                parsed_valid_uri.fragment != parsed_uri.fragment and parsed_valid_uri.fragment != '*'
+            ):
                 continue
             return
         raise ValueError('redirect_uri is not declared')
@@ -247,40 +224,33 @@ class OIDCClient(Service):
         elif self.authorization_mode == self.AUTHORIZATION_MODE_BY_OU:
             if not self.ou:
                 raise ValidationError(
-                    _('OU-based authorization requires that the client be '
-                      'within an OU.'))
+                    _('OU-based authorization requires that the client be ' 'within an OU.')
+                )
             sector_identifier = self.ou.slug
         else:
             raise NotImplementedError('unknown self.authorization_mode %s' % self.authorization_mode)
         return sector_identifier
 
     def __repr__(self):
-        return ('<OIDCClient name:%r client_id:%r identifier_policy:%r>' %
-                (self.name, self.client_id, self.get_identifier_policy_display()))
+        return '<OIDCClient name:%r client_id:%r identifier_policy:%r>' % (
+            self.name,
+            self.client_id,
+            self.get_identifier_policy_display(),
+        )
 
 
 class OIDCAuthorization(models.Model):
     client_ct = models.ForeignKey(
-        'contenttypes.ContentType',
-        verbose_name=_('client ct'),
-        on_delete=models.CASCADE)
-    client_id = models.PositiveIntegerField(
-        verbose_name=_('client id'))
+        'contenttypes.ContentType', verbose_name=_('client ct'), on_delete=models.CASCADE
+    )
+    client_id = models.PositiveIntegerField(verbose_name=_('client id'))
     client = GenericForeignKey('client_ct', 'client_id')
-    user = models.ForeignKey(
-        to=settings.AUTH_USER_MODEL,
-        verbose_name=_('user'),
-        on_delete=models.CASCADE)
-    scopes = models.TextField(
-        blank=False,
-        verbose_name=_('scopes'))
+    user = models.ForeignKey(to=settings.AUTH_USER_MODEL, verbose_name=_('user'), on_delete=models.CASCADE)
+    scopes = models.TextField(blank=False, verbose_name=_('scopes'))
 
     # metadata
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    expired = models.DateTimeField(
-        verbose_name=_('expire'))
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    expired = models.DateTimeField(verbose_name=_('expire'))
 
     objects = managers.OIDCExpiredManager()
 
@@ -291,7 +261,8 @@ class OIDCAuthorization(models.Model):
         return '<OIDCAuthorization client:%r user:%r scopes:%r>' % (
             self.client_id and six.text_type(self.client),
             self.user_id and six.text_type(self.user),
-            self.scopes)
+            self.scopes,
+        )
 
 
 def get_session(session_key):
@@ -324,41 +295,19 @@ class SessionMixin(object):
 
 
 class OIDCCode(SessionMixin, models.Model):
-    uuid = models.CharField(
-        max_length=128,
-        verbose_name=_('uuid'),
-        default=generate_uuid)
-    client = models.ForeignKey(
-        to=OIDCClient,
-        verbose_name=_('client'),
-        on_delete=models.CASCADE)
-    user = models.ForeignKey(
-        to=settings.AUTH_USER_MODEL,
-        verbose_name=_('user'),
-        on_delete=models.CASCADE)
-    scopes = models.TextField(
-        verbose_name=_('scopes'))
-    state = models.TextField(
-        null=True,
-        verbose_name=_('state'))
-    nonce = models.TextField(
-        null=True,
-        verbose_name=_('nonce'))
-    redirect_uri = models.TextField(
-        verbose_name=_('redirect URI'),
-        validators=[URLValidator()])
-    session_key = models.CharField(
-        verbose_name=_('session key'),
-        max_length=128)
-    auth_time = models.DateTimeField(
-        verbose_name=_('auth time'))
+    uuid = models.CharField(max_length=128, verbose_name=_('uuid'), default=generate_uuid)
+    client = models.ForeignKey(to=OIDCClient, verbose_name=_('client'), on_delete=models.CASCADE)
+    user = models.ForeignKey(to=settings.AUTH_USER_MODEL, verbose_name=_('user'), on_delete=models.CASCADE)
+    scopes = models.TextField(verbose_name=_('scopes'))
+    state = models.TextField(null=True, verbose_name=_('state'))
+    nonce = models.TextField(null=True, verbose_name=_('nonce'))
+    redirect_uri = models.TextField(verbose_name=_('redirect URI'), validators=[URLValidator()])
+    session_key = models.CharField(verbose_name=_('session key'), max_length=128)
+    auth_time = models.DateTimeField(verbose_name=_('auth time'))
 
     # metadata
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    expired = models.DateTimeField(
-        verbose_name=_('expire'))
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    expired = models.DateTimeField(verbose_name=_('expire'))
 
     objects = managers.OIDCExpiredManager()
 
@@ -380,36 +329,20 @@ class OIDCCode(SessionMixin, models.Model):
             self.client_id and six.text_type(self.client),
             self.user_id and six.text_type(self.user),
             self.expired,
-            self.scopes)
+            self.scopes,
+        )
 
 
 class OIDCAccessToken(SessionMixin, models.Model):
-    uuid = models.CharField(
-        max_length=128,
-        verbose_name=_('uuid'),
-        default=generate_uuid)
-    client = models.ForeignKey(
-        to=OIDCClient,
-        verbose_name=_('client'),
-        on_delete=models.CASCADE)
-    user = models.ForeignKey(
-        to=settings.AUTH_USER_MODEL,
-        verbose_name=_('user'),
-        on_delete=models.CASCADE)
-    scopes = models.TextField(
-        verbose_name=_('scopes'))
-    session_key = models.CharField(
-        verbose_name=_('session key'),
-        max_length=128,
-        blank=True)
+    uuid = models.CharField(max_length=128, verbose_name=_('uuid'), default=generate_uuid)
+    client = models.ForeignKey(to=OIDCClient, verbose_name=_('client'), on_delete=models.CASCADE)
+    user = models.ForeignKey(to=settings.AUTH_USER_MODEL, verbose_name=_('user'), on_delete=models.CASCADE)
+    scopes = models.TextField(verbose_name=_('scopes'))
+    session_key = models.CharField(verbose_name=_('session key'), max_length=128, blank=True)
 
     # metadata
-    created = models.DateTimeField(
-        verbose_name=_('created'),
-        auto_now_add=True)
-    expired = models.DateTimeField(
-        verbose_name=_('expire'),
-        null=True)
+    created = models.DateTimeField(verbose_name=_('created'), auto_now_add=True)
+    expired = models.DateTimeField(verbose_name=_('expire'), null=True)
 
     objects = managers.OIDCExpiredManager()
 
@@ -434,29 +367,21 @@ class OIDCAccessToken(SessionMixin, models.Model):
             self.client_id and six.text_type(self.client),
             self.user_id and six.text_type(self.user),
             self.expired,
-            self.scopes)
+            self.scopes,
+        )
+
 
 # Add generic field to a2_rbac.OrganizationalUnit
-GenericRelation('authentic2_idp_oidc.OIDCAuthorization',
-                content_type_field='client_ct',
-                object_id_field='client_id').contribute_to_class(
-                    OrganizationalUnit, 'oidc_authorizations')
+GenericRelation(
+    'authentic2_idp_oidc.OIDCAuthorization', content_type_field='client_ct', object_id_field='client_id'
+).contribute_to_class(OrganizationalUnit, 'oidc_authorizations')
 
 
 class OIDCClaim(models.Model):
-    client = models.ForeignKey(
-        to=OIDCClient,
-        verbose_name=_('client'),
-        on_delete=models.CASCADE)
-    name = models.CharField(
-        max_length=128, blank=True,
-        verbose_name=_('attribute name'))
-    value = models.CharField(
-        max_length=128, blank=True,
-        verbose_name=_('attribute value'))
-    scopes = models.CharField(
-        max_length=128, blank=True,
-        verbose_name=_('attribute scopes'))
+    client = models.ForeignKey(to=OIDCClient, verbose_name=_('client'), on_delete=models.CASCADE)
+    name = models.CharField(max_length=128, blank=True, verbose_name=_('attribute name'))
+    value = models.CharField(max_length=128, blank=True, verbose_name=_('attribute value'))
+    scopes = models.CharField(max_length=128, blank=True, verbose_name=_('attribute scopes'))
 
     def __str__(self):
         return '%s - %s - %s' % (self.name, self.value, self.scopes)
diff --git a/src/authentic2_idp_oidc/urls.py b/src/authentic2_idp_oidc/urls.py
index 4dee5e9f..8abcfd39 100644
--- a/src/authentic2_idp_oidc/urls.py
+++ b/src/authentic2_idp_oidc/urls.py
@@ -20,22 +20,10 @@ from . import views
 
 
 urlpatterns = [
-    url(r'^.well-known/openid-configuration$',
-        views.openid_configuration,
-        name='oidc-openid-configuration'),
-    url(r'^idp/oidc/certs/?$',
-        views.certs,
-        name='oidc-certs'),
-    url(r'^idp/oidc/authorize/?$',
-        views.authorize,
-        name='oidc-authorize'),
-    url(r'^idp/oidc/token/?$',
-        views.token,
-        name='oidc-token'),
-    url(r'^idp/oidc/user_info/?$',
-        views.user_info,
-        name='oidc-user-info'),
-    url(r'^idp/oidc/logout/?$',
-        views.logout,
-        name='oidc-logout'),
+    url(r'^.well-known/openid-configuration$', views.openid_configuration, name='oidc-openid-configuration'),
+    url(r'^idp/oidc/certs/?$', views.certs, name='oidc-certs'),
+    url(r'^idp/oidc/authorize/?$', views.authorize, name='oidc-authorize'),
+    url(r'^idp/oidc/token/?$', views.token, name='oidc-token'),
+    url(r'^idp/oidc/user_info/?$', views.user_info, name='oidc-user-info'),
+    url(r'^idp/oidc/logout/?$', views.logout, name='oidc-logout'),
 ]
diff --git a/src/authentic2_idp_oidc/utils.py b/src/authentic2_idp_oidc/utils.py
index e6055378..28d4cca1 100644
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -77,7 +77,7 @@ def make_idtoken(client, claims):
     '''Make a serialized JWT targeted for this client'''
     if client.idtoken_algo == client.ALGO_HMAC:
         header = {'alg': 'HS256'}
-        k=base64url(client.client_secret.encode('utf-8'))
+        k = base64url(client.client_secret.encode('utf-8'))
         jwk = JWK(kty='oct', k=force_text(k))
     elif client.idtoken_algo == client.ALGO_RSA:
         header = {'alg': 'RS256'}
@@ -129,8 +129,7 @@ def make_pairwise_sub(client, user):
     elif client.identifier_policy == client.POLICY_PAIRWISE_REVERSIBLE:
         return make_pairwise_reversible_sub(client, user)
     else:
-        raise NotImplementedError(
-            'unknown pairwise client.identifier_policy %s' % client.identifier_policy)
+        raise NotImplementedError('unknown pairwise client.identifier_policy %s' % client.identifier_policy)
 
 
 def make_pairwise_unreversible_sub(client, user):
@@ -151,14 +150,16 @@ def make_pairwise_reversible_sub_from_uuid(client, user_uuid):
         return None
     sector_identifier = client.get_sector_identifier()
     return crypto.aes_base64url_deterministic_encrypt(
-        settings.SECRET_KEY.encode('utf-8'), identifier, sector_identifier).decode('utf-8')
+        settings.SECRET_KEY.encode('utf-8'), identifier, sector_identifier
+    ).decode('utf-8')
 
 
 def reverse_pairwise_sub(client, sub):
     sector_identifier = client.get_sector_identifier()
     try:
         return crypto.aes_base64url_deterministic_decrypt(
-            settings.SECRET_KEY.encode('utf-8'), sub, sector_identifier)
+            settings.SECRET_KEY.encode('utf-8'), sub, sector_identifier
+        )
     except crypto.DecryptionError:
         return None
 
@@ -176,16 +177,17 @@ def normalize_claim_values(values):
 
 def create_user_info(request, client, user, scope_set, id_token=False):
     '''Create user info dictionary'''
-    user_info = {
-    }
+    user_info = {}
     if 'openid' in scope_set:
         user_info['sub'] = make_sub(client, user)
-    attributes = get_attributes({
-        'user': user,
-        'request': request,
-        'service': client,
-        '__wanted_attributes': client.get_wanted_attributes(),
-    })
+    attributes = get_attributes(
+        {
+            'user': user,
+            'request': request,
+            'service': client,
+            '__wanted_attributes': client.get_wanted_attributes(),
+        }
+    )
     claims = client.oidcclaim_set.filter(name__isnull=False)
     claims_to_show = set()
     for claim in claims:
@@ -208,9 +210,16 @@ def create_user_info(request, client, user, scope_set, id_token=False):
     for claim in claims_to_show:
         if claim.name not in user_info:
             default_value = None
-            if claim.name in ['given_name', 'family_name', 'full_name', 'name',
-                              'middle_name', 'nickname', 'email',
-                              'preferred_username']:
+            if claim.name in [
+                'given_name',
+                'family_name',
+                'full_name',
+                'name',
+                'middle_name',
+                'nickname',
+                'email',
+                'preferred_username',
+            ]:
                 default_value = ''
             user_info[claim.name] = default_value
     hooks.call_hooks('idp_oidc_modify_user_info', client, user, scope_set, user_info)
@@ -222,8 +231,8 @@ def get_issuer(request):
 
 
 def get_session_id(request, client):
-    '''Derive an OIDC Session Id from the real session identifier, the sector
-       identifier of the RP and the secret key of the Django instance'''
+    """Derive an OIDC Session Id from the real session identifier, the sector
+    identifier of the RP and the secret key of the Django instance"""
     session_key = force_bytes(request.session.session_key)
     sector_identifier = force_bytes(client.get_sector_identifier())
     secret_key = force_bytes(settings.SECRET_KEY)
diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index da479d46..9b969a8d 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -18,14 +18,18 @@ import logging
 import math
 import datetime
 import base64
+
 try:
     from secrets import compare_digest
 except ImportError:
+
     def compare_digest(a, b):
-        return (a == b)
+        return a == b
+
+
 import time
 
-from django.http import (HttpResponse, HttpResponseNotAllowed, JsonResponse)
+from django.http import HttpResponse, HttpResponseNotAllowed, JsonResponse
 from django.urls import reverse
 from django.utils import six
 from django.utils.encoding import force_text
@@ -43,8 +47,7 @@ from authentic2 import app_settings as a2_app_settings
 from authentic2.compat.misc import Base64Error
 from authentic2.decorators import setting_enabled
 from authentic2.exponential_retry_timeout import ExponentialRetryTimeout
-from authentic2.utils import (login_require, redirect,
-                              last_authentication_event, make_url)
+from authentic2.utils import login_require, redirect, last_authentication_event, make_url
 from authentic2.views import logout as a2_logout
 from authentic2 import hooks
 from django_rbac.utils import get_ou_model
@@ -76,11 +79,17 @@ class OIDCException(Exception):
             content['error_description'] = self.error_description
 
         if self.client:
-            logger.warning('idp_oidc: error "%s" in %s endpoint "%s" for client %s',
-                           self.error_code, endpoint, self.error_description, self.client)
+            logger.warning(
+                'idp_oidc: error "%s" in %s endpoint "%s" for client %s',
+                self.error_code,
+                endpoint,
+                self.error_description,
+                self.client,
+            )
         else:
-            logger.warning('idp_oidc: error "%s" in %s endpoint "%s"',
-                           self.error_code, endpoint, self.error_description)
+            logger.warning(
+                'idp_oidc: error "%s" in %s endpoint "%s"', self.error_code, endpoint, self.error_description
+            )
         return JsonResponse(content, status=self.status)
 
     def redirect_response(self, request, redirect_uri=None, use_fragment=None, state=None, client=None):
@@ -98,17 +107,23 @@ class OIDCException(Exception):
 
         client = client or self.client
         if client:
-            log_method('idp_oidc: error "%s" in authorize endpoint for client %s": %s',
-                       self.error_code, client, self.error_description)
+            log_method(
+                'idp_oidc: error "%s" in authorize endpoint for client %s": %s',
+                self.error_code,
+                client,
+                self.error_description,
+            )
         else:
-            log_method('idp_oidc: error "%s" in authorize endpoint: %s',
-                       self.error_code, self.error_description)
+            log_method(
+                'idp_oidc: error "%s" in authorize endpoint: %s', self.error_code, self.error_description
+            )
 
         if self.show_message:
-            messages.error(request, _('OpenIDConnect Error "%(error_code)s": %(error_description)s') % {
-                'error_code': self.error_code,
-                'error_description': self.error_description
-            })
+            messages.error(
+                request,
+                _('OpenIDConnect Error "%(error_code)s": %(error_description)s')
+                % {'error_code': self.error_code, 'error_description': self.error_description},
+            )
 
         if redirect_uri:
             if use_fragment:
@@ -194,10 +209,13 @@ def openid_configuration(request, *args, **kwargs):
         'response_types_supported': ['code', 'token', 'token id_token'],
         'subject_types_supported': ['public', 'pairwise'],
         'token_endpoint_auth_methods_supported': [
-            'clien_secret_post', 'client_secret_basic',
+            'clien_secret_post',
+            'client_secret_basic',
         ],
         'id_token_signing_alg_values_supported': [
-            'RS256', 'HS256', 'ES256',
+            'RS256',
+            'HS256',
+            'ES256',
         ],
         'userinfo_endpoint': request.build_absolute_uri(reverse('oidc-user-info')),
         'frontchannel_logout_supported': True,
@@ -208,8 +226,7 @@ def openid_configuration(request, *args, **kwargs):
 
 @setting_enabled('ENABLE', settings=app_settings)
 def certs(request, *args, **kwargs):
-    return HttpResponse(utils.get_jwkset().export(private_keys=False),
-                        content_type='application/json')
+    return HttpResponse(utils.get_jwkset().export(private_keys=False), content_type='application/json')
 
 
 @setting_enabled('ENABLE', settings=app_settings)
@@ -230,13 +247,11 @@ def authorize(request, *args, **kwargs):
         try:
             client.validate_redirect_uri(redirect_uri)
         except ValueError:
-            error_description = _(
-                'Redirect URI "%s" is unknown.'
-            ) % redirect_uri
+            error_description = _('Redirect URI "%s" is unknown.') % redirect_uri
             if settings.DEBUG:
-                error_description += _(
-                    ' Known redirect URIs are: %s'
-                ) % ', '.join(client.redirect_uris.split())
+                error_description += _(' Known redirect URIs are: %s') % ', '.join(
+                    client.redirect_uris.split()
+                )
             raise InvalidRequest(error_description)
         state = request.GET.get('state')
         use_fragment = client.authorization_flow == client.FLOW_IMPLICIT
@@ -248,7 +263,8 @@ def authorize(request, *args, **kwargs):
             redirect_uri=validated_redirect_uri,
             state=validated_redirect_uri and state,
             use_fragment=validated_redirect_uri and use_fragment,
-            client=client)
+            client=client,
+        )
 
 
 def authorize_for_client(request, client, redirect_uri):
@@ -264,16 +280,17 @@ def authorize_for_client(request, client, redirect_uri):
     if not response_type:
         raise MissingParameter('response_type')
     if client.authorization_flow == client.FLOW_RESOURCE_OWNER_CRED:
-        raise InvalidRequest(_(
-            'Client is configured for resource owner password credentials grant, '
-            'authorize endpoint is not usable'
-        ))
+        raise InvalidRequest(
+            _(
+                'Client is configured for resource owner password credentials grant, '
+                'authorize endpoint is not usable'
+            )
+        )
     if client.authorization_flow == client.FLOW_AUTHORIZATION_CODE:
         if response_type != 'code':
             raise UnsupportedResponseType(_('Response type must be "code"'))
     elif client.authorization_flow == client.FLOW_IMPLICIT:
-        if not set(filter(None, response_type.split())) in (set(['id_token', 'token']),
-                                                            set(['id_token'])):
+        if not set(filter(None, response_type.split())) in (set(['id_token', 'token']), set(['id_token'])):
             raise UnsupportedResponseType(_('Response type must be "id_token token" or "id_token"'))
     else:
         raise NotImplementedError
@@ -284,15 +301,15 @@ def authorize_for_client(request, client, redirect_uri):
         raise MissingParameter('scope')
     scopes = utils.scope_set(scope)
     if 'openid' not in scopes:
-        raise InvalidScope(
-            _('Scope must contain "openid", received "%s"')
-            % ', '.join(sorted(scopes)))
+        raise InvalidScope(_('Scope must contain "openid", received "%s"') % ', '.join(sorted(scopes)))
     if not is_scopes_allowed(scopes, client):
         raise InvalidScope(
-            _('Scope may contain "%(allowed_scopes)s" scope(s), received "%(scopes)s"') % {
+            _('Scope may contain "%(allowed_scopes)s" scope(s), received "%(scopes)s"')
+            % {
                 'allowed_scopes': ', '.join(sorted(allowed_scopes(client))),
-                'scopes': ', '.join(sorted(scopes))
-            })
+                'scopes': ', '.join(sorted(scopes)),
+            }
+        )
 
     # check max_age
     max_age = request.GET.get('max_age')
@@ -334,8 +351,10 @@ def authorize_for_client(request, client, redirect_uri):
     if client.authorization_mode != client.AUTHORIZATION_MODE_NONE or 'consent' in prompt:
         # authorization by user is mandatory, as per local configuration or per explicit request by
         # the RP
-        if client.authorization_mode in (client.AUTHORIZATION_MODE_NONE,
-                                         client.AUTHORIZATION_MODE_BY_SERVICE):
+        if client.authorization_mode in (
+            client.AUTHORIZATION_MODE_NONE,
+            client.AUTHORIZATION_MODE_BY_SERVICE,
+        ):
             auth_manager = client.authorizations
         elif client.authorization_mode == client.AUTHORIZATION_MODE_BY_OU:
             auth_manager = client.ou.oidc_authorizations
@@ -363,40 +382,46 @@ def authorize_for_client(request, client, redirect_uri):
                             if authorization.scope_set() <= scopes:
                                 pk_to_deletes.append(authorization.pk)
                         auth_manager.create(
-                            user=request.user, scopes=' '.join(sorted(scopes)),
-                            expired=iat + datetime.timedelta(days=365))
+                            user=request.user,
+                            scopes=' '.join(sorted(scopes)),
+                            expired=iat + datetime.timedelta(days=365),
+                        )
                         if pk_to_deletes:
                             auth_manager.filter(pk__in=pk_to_deletes).delete()
                         request.journal.record(
-                            'user.service.sso.authorization',
-                            service=client,
-                            scopes=list(sorted(scopes)))
+                            'user.service.sso.authorization', service=client, scopes=list(sorted(scopes))
+                        )
                         logger.info(
-                            'idp_oidc: authorized scopes %s saved for service %s',
-                            ' '.join(scopes), client)
+                            'idp_oidc: authorized scopes %s saved for service %s', ' '.join(scopes), client
+                        )
                     else:
-                        logger.info(
-                            'idp_oidc: authorized scopes %s for service %s',
-                            ' '.join(scopes),
-                            client)
+                        logger.info('idp_oidc: authorized scopes %s for service %s', ' '.join(scopes), client)
                 else:
                     raise AccessDenied(_('User did not consent'))
             else:
-                return render(request, 'authentic2_idp_oidc/authorization.html',
-                              {
-                                  'client': client,
-                                  'scopes': scopes - set(['openid']),
-                              })
+                return render(
+                    request,
+                    'authentic2_idp_oidc/authorization.html',
+                    {
+                        'client': client,
+                        'scopes': scopes - set(['openid']),
+                    },
+                )
     if response_type == 'code':
         code = models.OIDCCode.objects.create(
-            client=client, user=request.user, scopes=' '.join(scopes),
-            state=state, nonce=nonce, redirect_uri=redirect_uri,
+            client=client,
+            user=request.user,
+            scopes=' '.join(scopes),
+            state=state,
+            nonce=nonce,
+            redirect_uri=redirect_uri,
             expired=iat + datetime.timedelta(seconds=30),
             auth_time=datetime.datetime.fromtimestamp(last_auth['when'], utc),
-            session_key=request.session.session_key)
+            session_key=request.session.session_key,
+        )
         logger.info(
-            'idp_oidc: sending code %s for scopes %s for service %s',
-            code.uuid, ' '.join(scopes), client)
+            'idp_oidc: sending code %s for scopes %s for service %s', code.uuid, ' '.join(scopes), client
+        )
         params = {
             'code': six.text_type(code.uuid),
         }
@@ -417,25 +442,24 @@ def authorize_for_client(request, client, redirect_uri):
                 user=request.user,
                 scopes=' '.join(scopes),
                 session_key=request.session.session_key,
-                expired=expired)
+                expired=expired,
+            )
         acr = '0'
         if nonce is not None and last_auth.get('nonce') == nonce:
             acr = '1'
-        id_token = utils.create_user_info(request,
-                                          client,
-                                          request.user,
-                                          scopes,
-                                          id_token=True)
+        id_token = utils.create_user_info(request, client, request.user, scopes, id_token=True)
         exp = iat + idtoken_duration(client)
-        id_token.update({
-            'iss': utils.get_issuer(request),
-            'aud': client.client_id,
-            'exp': int(exp.timestamp()),
-            'iat': int(iat.timestamp()),
-            'auth_time': last_auth['when'],
-            'acr': acr,
-            'sid': utils.get_session_id(request, client),
-        })
+        id_token.update(
+            {
+                'iss': utils.get_issuer(request),
+                'aud': client.client_id,
+                'exp': int(exp.timestamp()),
+                'iat': int(iat.timestamp()),
+                'auth_time': last_auth['when'],
+                'acr': acr,
+                'sid': utils.get_session_id(request, client),
+            }
+        )
         if nonce is not None:
             id_token['nonce'] = nonce
         params = {
@@ -444,17 +468,16 @@ def authorize_for_client(request, client, redirect_uri):
         if state is not None:
             params['state'] = state
         if need_access_token:
-            params.update({
-                'access_token': access_token.uuid,
-                'token_type': 'Bearer',
-                'expires_in': int(expires_in.total_seconds()),
-            })
+            params.update(
+                {
+                    'access_token': access_token.uuid,
+                    'token_type': 'Bearer',
+                    'expires_in': int(expires_in.total_seconds()),
+                }
+            )
         # query is transfered through the hashtag
         response = redirect(request, redirect_uri + '#%s' % urlencode(params), resolve=False)
-    request.journal.record(
-        'user.service.sso',
-        service=client,
-        how=last_auth and last_auth.get('how'))
+    request.journal.record('user.service.sso', service=client, how=last_auth and last_auth.get('how'))
     hooks.call_hooks('event', name='sso-success', idp='oidc', service=client, user=request.user)
     utils.add_oidc_session(request, client)
     return response
@@ -491,17 +514,19 @@ def authenticate_client_secret(client, client_secret):
     raw_provided_client_secret = client_secret.encode('utf-8')
     if len(raw_client_client_secret) != len(raw_provided_client_secret):
         raise WrongClientSecret(client=client)
-    if not compare_digest(
-            raw_client_client_secret,
-            raw_provided_client_secret):
+    if not compare_digest(raw_client_client_secret, raw_provided_client_secret):
         raise WrongClientSecret(client=client)
     return client
 
 
 def is_ro_cred_grant_ratelimited(request, key='ip', increment=True):
     return is_ratelimited(
-        request, group='ro-cred-grant', increment=increment,
-        key=key, rate=app_settings.PASSWORD_GRANT_RATELIMIT)
+        request,
+        group='ro-cred-grant',
+        increment=increment,
+        key=key,
+        rate=app_settings.PASSWORD_GRANT_RATELIMIT,
+    )
 
 
 def authenticate_client(request, ratelimit=False, client=None):
@@ -539,21 +564,23 @@ def idtoken_from_user_credential(request):
         # increment rate limit by IP
         if is_ro_cred_grant_ratelimited(request):
             raise InvalidRequest(
-                _('Rate limit exceeded for IP address "%s"') % request.META.get('REMOTE_ADDR', ''))
+                _('Rate limit exceeded for IP address "%s"') % request.META.get('REMOTE_ADDR', '')
+            )
         raise
 
     # check rate limit by client id
     if is_ro_cred_grant_ratelimited(request, key=lambda group, request: client.client_id):
         raise InvalidClient(
-            _('Rate limit of %(ratelimit)s exceeded for client "%(client)s"') % {
-                'ratelimit': app_settings.PASSWORD_GRANT_RATELIMIT,
-                'client': client},
-            client=client)
+            _('Rate limit of %(ratelimit)s exceeded for client "%(client)s"')
+            % {'ratelimit': app_settings.PASSWORD_GRANT_RATELIMIT, 'client': client},
+            client=client,
+        )
 
     if request.META.get('CONTENT_TYPE') != 'application/x-www-form-urlencoded':
         raise InvalidRequest(
-            _('Wrong content type. request content type must be '
-              '\'application/x-www-form-urlencoded\''), client=client)
+            _('Wrong content type. request content type must be ' '\'application/x-www-form-urlencoded\''),
+            client=client,
+        )
     username = request.POST.get('username')
     scope = request.POST.get('scope')
     OrganizationalUnit = get_ou_model()
@@ -562,19 +589,24 @@ def idtoken_from_user_credential(request):
 
     if not all((username, request.POST.get('password'))):
         raise InvalidRequest(
-            _('Request must bear both username and password as '
-              'parameters using the "application/x-www-form-urlencoded" '
-              'media type'), client=client)
+            _(
+                'Request must bear both username and password as '
+                'parameters using the "application/x-www-form-urlencoded" '
+                'media type'
+            ),
+            client=client,
+        )
 
     if client.authorization_flow != models.OIDCClient.FLOW_RESOURCE_OWNER_CRED:
         raise UnauthorizedClient(
-            _('Client is not configured for resource owner password '
-              'credential grant'), client=client)
+            _('Client is not configured for resource owner password ' 'credential grant'), client=client
+        )
 
     exponential_backoff = ExponentialRetryTimeout(
         key_prefix='idp-oidc-ro-cred-grant',
         duration=a2_app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION,
-        factor=a2_app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR)
+        factor=a2_app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR,
+    )
     backoff_keys = (username, client.client_id)
 
     seconds_to_wait = exponential_backoff.seconds_to_wait(*backoff_keys)
@@ -582,8 +614,10 @@ def idtoken_from_user_credential(request):
         seconds_to_wait = a2_app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MAX_DURATION
     if seconds_to_wait:
         raise InvalidRequest(
-            _('Too many attempts with erroneous RO password, you must wait '
-              '%s seconds to try again.') % int(math.ceil(seconds_to_wait)), client=client)
+            _('Too many attempts with erroneous RO password, you must wait ' '%s seconds to try again.')
+            % int(math.ceil(seconds_to_wait)),
+            client=client,
+        )
 
     ou = None
     if 'ou_slug' in request.POST:
@@ -591,7 +625,8 @@ def idtoken_from_user_credential(request):
             ou = OrganizationalUnit.objects.get(slug=request.POST.get('ou_slug'))
         except OrganizationalUnit.DoesNotExist:
             raise InvalidRequest(
-                _('Parameter "ou_slug" does not match an existing organizational unit'), client=client)
+                _('Parameter "ou_slug" does not match an existing organizational unit'), client=client
+            )
 
     user = authenticate(request, username=username, password=request.POST.get('password'), ou=ou)
     if not user:
@@ -612,33 +647,29 @@ def idtoken_from_user_credential(request):
     else:
         expires_in = client.access_token_duration
     access_token = models.OIDCAccessToken.objects.create(
-        client=client,
-        user=user,
-        scopes=' '.join(scopes),
-        session_key='',
-        expired=iat + expires_in)
+        client=client, user=user, scopes=' '.join(scopes), session_key='', expired=iat + expires_in
+    )
     # make id_token
-    id_token = utils.create_user_info(
-        request,
-        client,
-        user,
-        scopes,
-        id_token=True)
+    id_token = utils.create_user_info(request, client, user, scopes, id_token=True)
     exp = iat + idtoken_duration(client)
-    id_token.update({
-        'iss': utils.get_issuer(request),
-        'aud': client.client_id,
-        'exp': int(exp.timestamp()),
-        'iat': int(iat.timestamp()),
-        'auth_time': int(iat.timestamp()),
-        'acr': '0',
-    })
-    return JsonResponse({
-        'access_token': six.text_type(access_token.uuid),
-        'token_type': 'Bearer',
-        'expires_in': int(expires_in.total_seconds()),
-        'id_token': utils.make_idtoken(client, id_token),
-    })
+    id_token.update(
+        {
+            'iss': utils.get_issuer(request),
+            'aud': client.client_id,
+            'exp': int(exp.timestamp()),
+            'iat': int(iat.timestamp()),
+            'auth_time': int(iat.timestamp()),
+            'acr': '0',
+        }
+    )
+    return JsonResponse(
+        {
+            'access_token': six.text_type(access_token.uuid),
+            'token_type': 'Bearer',
+            'expires_in': int(expires_in.total_seconds()),
+            'id_token': utils.make_idtoken(client, id_token),
+        }
+    )
 
 
 def tokens_from_authz_code(request):
@@ -668,37 +699,39 @@ def tokens_from_authz_code(request):
         user=oidc_code.user,
         scopes=oidc_code.scopes,
         session_key=oidc_code.session_key,
-        expired=expired)
+        expired=expired,
+    )
     start = now()
     acr = '0'
-    if (oidc_code.nonce is not None
-            and last_authentication_event(session=oidc_code.session).get('nonce') == oidc_code.nonce):
+    if (
+        oidc_code.nonce is not None
+        and last_authentication_event(session=oidc_code.session).get('nonce') == oidc_code.nonce
+    ):
         acr = '1'
     # prefill id_token with user info
-    id_token = utils.create_user_info(
-        request,
-        client,
-        oidc_code.user,
-        oidc_code.scope_set(),
-        id_token=True)
+    id_token = utils.create_user_info(request, client, oidc_code.user, oidc_code.scope_set(), id_token=True)
     exp = start + idtoken_duration(client)
-    id_token.update({
-        'iss': utils.get_issuer(request),
-        'sub': utils.make_sub(client, oidc_code.user),
-        'aud': client.client_id,
-        'exp': int(exp.timestamp()),
-        'iat': int(start.timestamp()),
-        'auth_time': int(oidc_code.auth_time.timestamp()),
-        'acr': acr,
-    })
+    id_token.update(
+        {
+            'iss': utils.get_issuer(request),
+            'sub': utils.make_sub(client, oidc_code.user),
+            'aud': client.client_id,
+            'exp': int(exp.timestamp()),
+            'iat': int(start.timestamp()),
+            'auth_time': int(oidc_code.auth_time.timestamp()),
+            'acr': acr,
+        }
+    )
     if oidc_code.nonce is not None:
         id_token['nonce'] = oidc_code.nonce
-    return JsonResponse({
-        'access_token': six.text_type(access_token.uuid),
-        'token_type': 'Bearer',
-        'expires_in': int(expires_in.total_seconds()),
-        'id_token': utils.make_idtoken(client, id_token),
-    })
+    return JsonResponse(
+        {
+            'access_token': six.text_type(access_token.uuid),
+            'token_type': 'Bearer',
+            'expires_in': int(expires_in.total_seconds()),
+            'id_token': utils.make_idtoken(client, id_token),
+        }
+    )
 
 
 @setting_enabled('ENABLE', settings=app_settings)
@@ -746,16 +779,17 @@ def authenticate_access_token(request):
 def user_info(request, *args, **kwargs):
     try:
         access_token = authenticate_access_token(request)
-        user_info = utils.create_user_info(request,
-                                           access_token.client,
-                                           access_token.user,
-                                           access_token.scope_set())
+        user_info = utils.create_user_info(
+            request, access_token.client, access_token.user, access_token.scope_set()
+        )
         return JsonResponse(user_info)
     except OIDCException as e:
         error_response = e.json_response(request, endpoint='user_info')
         if e.status == 401:
             error_response['WWW-Authenticate'] = 'Bearer error="%s", error_description="%s"' % (
-                e.error_code, e.error_description)
+                e.error_code,
+                e.error_description,
+            )
         return error_response
 
 
@@ -765,7 +799,8 @@ def logout(request):
     state = request.GET.get('state')
     if post_logout_redirect_uri:
         providers = models.OIDCClient.objects.filter(
-            post_logout_redirect_uris__contains=post_logout_redirect_uri)
+            post_logout_redirect_uris__contains=post_logout_redirect_uri
+        )
         for provider in providers:
             if post_logout_redirect_uri in provider.post_logout_redirect_uris.split():
                 break
@@ -776,5 +811,4 @@ def logout(request):
             post_logout_redirect_uri = make_url(post_logout_redirect_uri, params={'state': state})
     # FIXME: do something with id_token_hint
     id_token_hint = request.GET.get('id_token_hint')
-    return a2_logout(request, next_url=post_logout_redirect_uri, do_local=False,
-                     check_referer=False)
+    return a2_logout(request, next_url=post_logout_redirect_uri, do_local=False, check_referer=False)
diff --git a/src/django_rbac/apps.py b/src/django_rbac/apps.py
index 312ba8b8..86e0e16c 100644
--- a/src/django_rbac/apps.py
+++ b/src/django_rbac/apps.py
@@ -7,22 +7,15 @@ class DjangoRBACConfig(AppConfig):
 
     def ready(self):
         from . import signal_handlers, utils
-        from django.db.models.signals import post_save, post_delete, \
-            post_migrate
+        from django.db.models.signals import post_save, post_delete, post_migrate
 
         # update role parenting when new role parenting is created
-        post_save.connect(
-            signal_handlers.role_parenting_post_save,
-            sender=utils.get_role_parenting_model())
+        post_save.connect(signal_handlers.role_parenting_post_save, sender=utils.get_role_parenting_model())
         # update role parenting when role parenting is deleted
         post_delete.connect(
-            signal_handlers.role_parenting_post_delete,
-            sender=utils.get_role_parenting_model())
+            signal_handlers.role_parenting_post_delete, sender=utils.get_role_parenting_model()
+        )
         # create CRUD operations and admin
-        post_migrate.connect(
-            signal_handlers.create_base_operations,
-            sender=self)
+        post_migrate.connect(signal_handlers.create_base_operations, sender=self)
         # update role parenting in post migrate
-        post_migrate.connect(
-            signal_handlers.fix_role_parenting_closure,
-            sender=self)
+        post_migrate.connect(signal_handlers.fix_role_parenting_closure, sender=self)
diff --git a/src/django_rbac/backends.py b/src/django_rbac/backends.py
index f4febb68..703b6cc2 100644
--- a/src/django_rbac/backends.py
+++ b/src/django_rbac/backends.py
@@ -39,19 +39,19 @@ class DjangoRBACBackend(object):
         pass
 
     def get_permission_cache(self, user_obj):
-        '''Returns the permission cache for an user
-
-           The permission cache is a dictionnary, key can be of many types:
-           - `'ou.<ou.id>'` ; contains a list of permissions owner by this user as strings
-           (<app_label>.<permission>_<model_name>), those permissions are restricted to objects in
-           this organizational unit,
-           - `'__all__'`: contains a list of global permissions (applicable to any object in any
-           organizaton unit) owner by this user,
-           - `'<content_type.id>.<object.pk>'`: contains permissions restricted to a specific
-           object,
-           - `'<app_label>'`: contains a boolean, it indicates that the user own at least on
-           permision on a model of this application.
-        '''
+        """Returns the permission cache for an user
+
+        The permission cache is a dictionnary, key can be of many types:
+        - `'ou.<ou.id>'` ; contains a list of permissions owner by this user as strings
+        (<app_label>.<permission>_<model_name>), those permissions are restricted to objects in
+        this organizational unit,
+        - `'__all__'`: contains a list of global permissions (applicable to any object in any
+        organizaton unit) owner by this user,
+        - `'<content_type.id>.<object.pk>'`: contains permissions restricted to a specific
+        object,
+        - `'<app_label>'`: contains a boolean, it indicates that the user own at least on
+        permision on a model of this application.
+        """
         if not hasattr(user_obj, '_rbac_perms_cache'):
             perms_cache = {}
             Permission = utils.get_permission_model()
@@ -74,8 +74,11 @@ class DjangoRBACBackend(object):
                     key = '%s.%s' % (permission.target_ct_id, permission.target_id)
                 slug = permission.operation.slug
                 perms = [str('%s.%s_%s' % (app_label, slug, model))]
-                perm_hierarchy = getattr(settings, 'DJANGO_RBAC_PERMISSIONS_HIERARCHY',
-                                         self._DEFAULT_DJANGO_RBAC_PERMISSIONS_HIERARCHY)
+                perm_hierarchy = getattr(
+                    settings,
+                    'DJANGO_RBAC_PERMISSIONS_HIERARCHY',
+                    self._DEFAULT_DJANGO_RBAC_PERMISSIONS_HIERARCHY,
+                )
                 if slug in perm_hierarchy:
                     for other_perm in perm_hierarchy[slug]:
                         perms.append(str('%s.%s_%s' % (app_label, other_perm, model)))
@@ -97,14 +100,12 @@ class DjangoRBACBackend(object):
             if key in perms_cache:
                 permissions.update(perms_cache[key])
             for permission in perms_cache.get('__all__', set([])):
-                if (permission.startswith('%s.' % ct.app_label)
-                        and permission.endswith('_%s' % ct.model)):
+                if permission.startswith('%s.' % ct.app_label) and permission.endswith('_%s' % ct.model):
                     permissions.add(permission)
             if hasattr(obj, 'ou_id') and obj.ou_id:
                 key = 'ou.%s' % obj.ou_id
                 for permission in perms_cache.get(key, ()):
-                    if (permission.startswith('%s.' % ct.app_label)
-                            and permission.endswith('_%s' % ct.model)):
+                    if permission.startswith('%s.' % ct.app_label) and permission.endswith('_%s' % ct.model):
                         permissions.add(permission)
             return permissions
         else:
@@ -163,10 +164,10 @@ class DjangoRBACBackend(object):
         return False
 
     def filter_by_perm_query(self, user_obj, perm_or_perms, qs):
-        '''Create a filter for a queryset for the objects on which the user has
-           the given permission. Permissions can be set on individual objects, globally on
-           a content type or locally for all objects of an organizational unit.
-        '''
+        """Create a filter for a queryset for the objects on which the user has
+        the given permission. Permissions can be set on individual objects, globally on
+        a content type or locally for all objects of an organizational unit.
+        """
         if user_obj.is_anonymous:
             return False
         if not user_obj.is_active:
@@ -200,10 +201,10 @@ class DjangoRBACBackend(object):
         return False
 
     def filter_by_perm(self, user_obj, perm_or_perms, qs):
-        '''Filter a queryset for the objects on which the user has
-           the given permission. Permissions can be set on individual objects, globally on
-           a content type or locally for all objects of an organizational unit.
-        '''
+        """Filter a queryset for the objects on which the user has
+        the given permission. Permissions can be set on individual objects, globally on
+        a content type or locally for all objects of an organizational unit.
+        """
         query = self.filter_by_perm_query(user_obj, perm_or_perms, qs)
         if query is True:
             return copy.deepcopy(qs)
diff --git a/src/django_rbac/context_processors.py b/src/django_rbac/context_processors.py
index 424e6b39..cd55faf4 100644
--- a/src/django_rbac/context_processors.py
+++ b/src/django_rbac/context_processors.py
@@ -57,6 +57,7 @@ def auth(request):
         user = request.user
     else:
         from django.contrib.auth.models import AnonymousUser
+
         user = AnonymousUser()
 
     return {
diff --git a/src/django_rbac/managers.py b/src/django_rbac/managers.py
index e460ec04..767ee425 100644
--- a/src/django_rbac/managers.py
+++ b/src/django_rbac/managers.py
@@ -21,18 +21,17 @@ class OperationManager(models.Manager):
         return self.get(slug=slug)
 
     def has_perm(self, user, operation_slug, object_or_model, ou=None):
-        '''Test if an user can do the operation given by operation_slug
-           on the given object_or_model eventually scoped by an organizational
-           unit given by ou.
+        """Test if an user can do the operation given by operation_slug
+        on the given object_or_model eventually scoped by an organizational
+        unit given by ou.
 
-           Returns True or False.
-        '''
+        Returns True or False.
+        """
         ou_query = query.Q(ou__isnull=True)
         if ou:
             ou_query |= query.Q(ou=ou.as_scope())
         ct = ContentType.objects.get_for_model(object_or_model)
-        target_query = query.Q(target_ct=ContentType.objects.get_for_model(ContentType),
-                               target_id=ct.pk)
+        target_query = query.Q(target_ct=ContentType.objects.get_for_model(ContentType), target_id=ct.pk)
         if isinstance(object_or_model, models.Model):
             target_query |= query.Q(target_ct=ct, target_id=object.pk)
         Permission = utils.get_permission_model()
@@ -68,9 +67,9 @@ class PermissionManagerBase(models.Manager):
 
 class PermissionQueryset(query.QuerySet):
     def by_target_ct(self, target):
-        '''Filter permission whose target content-type matches the content
-           type of the target argument
-        '''
+        """Filter permission whose target content-type matches the content
+        type of the target argument
+        """
         target_ct = ContentType.objects.get_for_model(target)
         return self.filter(target_ct=target_ct)
 
@@ -79,9 +78,9 @@ class PermissionQueryset(query.QuerySet):
         return self.by_target_ct(target).filter(target_id=target.pk)
 
     def for_user(self, user):
-        '''Retrieve all permissions hold by an user through its role and
-           inherited roles.
-        '''
+        """Retrieve all permissions hold by an user through its role and
+        inherited roles.
+        """
         Role = utils.get_role_model()
         roles = Role.objects.for_user(user=user)
         return self.filter(roles__in=roles)
@@ -94,6 +93,7 @@ class PermissionQueryset(query.QuerySet):
                 count += 1
         return count
 
+
 PermissionManager = PermissionManagerBase.from_queryset(PermissionQueryset)
 
 
@@ -127,9 +127,11 @@ class RoleQuerySet(query.QuerySet):
     def all_members(self):
         User = get_user_model()
         prefetch = Prefetch('roles', queryset=self, to_attr='direct')
-        return (User.objects.filter(Q(roles__in=self) | Q(roles__parent_relation__parent__in=self))
-                .distinct()
-                .prefetch_related(prefetch))
+        return (
+            User.objects.filter(Q(roles__in=self) | Q(roles__parent_relation__parent__in=self))
+            .distinct()
+            .prefetch_related(prefetch)
+        )
 
     def by_admin_scope_ct(self, admin_scope):
         admin_scope_ct = ContentType.objects.get_for_model(admin_scope)
@@ -137,8 +139,7 @@ class RoleQuerySet(query.QuerySet):
 
     def cleanup(self):
         count = 0
-        for r in self.filter(
-                Q(admin_scope_ct_id__isnull=False) | Q(admin_scope_id__isnull=False)):
+        for r in self.filter(Q(admin_scope_ct_id__isnull=False) | Q(admin_scope_id__isnull=False)):
             if not r.admin_scope:
                 r.delete()
                 count += 1
@@ -168,10 +169,10 @@ class RoleParentingManager(models.Manager):
         return self.get(parent=parent, child=child, direct=direct)
 
     def update_transitive_closure(self):
-        '''Recompute the transitive closure of the inheritance relation
-           from scratch. Add missing indirect relations and delete
-           obsolete indirect relations.
-        '''
+        """Recompute the transitive closure of the inheritance relation
+        from scratch. Add missing indirect relations and delete
+        obsolete indirect relations.
+        """
         if not self.tls.DO_UPDATE_CLOSURE:
             self.tls.CLOSURE_UPDATED = True
             return
@@ -202,10 +203,9 @@ class RoleParentingManager(models.Manager):
             old_new = new
             new = set()
         # Create new relations
-        self.model.objects.bulk_create(self.model(
-            parent_id=a,
-            child_id=b,
-            direct=False) for a, b in add - old)
+        self.model.objects.bulk_create(
+            self.model(parent_id=a, child_id=b, direct=False) for a, b in add - old
+        )
         # Delete old ones
         obsolete = old - add
         if obsolete:
diff --git a/src/django_rbac/migrations/0001_initial.py b/src/django_rbac/migrations/0001_initial.py
index 5a84cf74..13d70980 100644
--- a/src/django_rbac/migrations/0001_initial.py
+++ b/src/django_rbac/migrations/0001_initial.py
@@ -8,19 +8,20 @@ import authentic2.utils
 
 class Migration(migrations.Migration):
 
-    dependencies = [
-    ]
+    dependencies = []
 
     operations = [
         migrations.CreateModel(
             name='Operation',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('name', models.CharField(max_length=32, verbose_name='name')),
                 ('slug', models.CharField(unique=True, max_length=32, verbose_name='slug')),
             ],
-            options={
-            },
+            options={},
             bases=(models.Model,),
         ),
     ]
diff --git a/src/django_rbac/migrations/0002_organizationalunit_permission_role_roleparenting.py b/src/django_rbac/migrations/0002_organizationalunit_permission_role_roleparenting.py
index 26102493..fef33cd2 100644
--- a/src/django_rbac/migrations/0002_organizationalunit_permission_role_roleparenting.py
+++ b/src/django_rbac/migrations/0002_organizationalunit_permission_role_roleparenting.py
@@ -23,8 +23,19 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='OrganizationalUnit',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('uuid', models.CharField(default=django_rbac.utils.get_hex_uuid, unique=True, max_length=32, verbose_name='uuid')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=django_rbac.utils.get_hex_uuid,
+                        unique=True,
+                        max_length=32,
+                        verbose_name='uuid',
+                    ),
+                ),
                 ('name', models.CharField(max_length=256, verbose_name='name')),
                 ('slug', models.SlugField(max_length=256, verbose_name='slug')),
                 ('description', models.TextField(verbose_name='description', blank=True)),
@@ -39,11 +50,33 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Permission',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('target_id', models.PositiveIntegerField()),
-                ('operation', models.ForeignKey(verbose_name='operation', to='django_rbac.Operation', on_delete=models.CASCADE)),
-                ('ou', models.ForeignKey(related_name='scoped_permission', verbose_name='organizational unit', to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE)),
-                ('target_ct', models.ForeignKey(related_name='+', to='contenttypes.ContentType', on_delete=models.CASCADE)),
+                (
+                    'operation',
+                    models.ForeignKey(
+                        verbose_name='operation', to='django_rbac.Operation', on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'ou',
+                    models.ForeignKey(
+                        related_name='scoped_permission',
+                        verbose_name='organizational unit',
+                        to=settings.RBAC_OU_MODEL,
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'target_ct',
+                    models.ForeignKey(
+                        related_name='+', to='contenttypes.ContentType', on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'swappable': 'RBAC_PERMISSION_MODEL',
@@ -55,14 +88,42 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='Role',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('uuid', models.CharField(default=django_rbac.utils.get_hex_uuid, unique=True, max_length=32, verbose_name='uuid')),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
+                (
+                    'uuid',
+                    models.CharField(
+                        default=django_rbac.utils.get_hex_uuid,
+                        unique=True,
+                        max_length=32,
+                        verbose_name='uuid',
+                    ),
+                ),
                 ('name', models.CharField(max_length=256, verbose_name='name')),
                 ('slug', models.SlugField(max_length=256, verbose_name='slug')),
                 ('description', models.TextField(verbose_name='description', blank=True)),
-                ('members', models.ManyToManyField(related_name='roles', to=settings.AUTH_USER_MODEL, blank=True)),
-                ('ou', models.ForeignKey(verbose_name='organizational unit', blank=True, to=settings.RBAC_OU_MODEL, null=True, on_delete=models.CASCADE)),
-                ('permissions', models.ManyToManyField(related_name='role', to=settings.RBAC_PERMISSION_MODEL, blank=True)),
+                (
+                    'members',
+                    models.ManyToManyField(related_name='roles', to=settings.AUTH_USER_MODEL, blank=True),
+                ),
+                (
+                    'ou',
+                    models.ForeignKey(
+                        verbose_name='organizational unit',
+                        blank=True,
+                        to=settings.RBAC_OU_MODEL,
+                        null=True,
+                        on_delete=models.CASCADE,
+                    ),
+                ),
+                (
+                    'permissions',
+                    models.ManyToManyField(
+                        related_name='role', to=settings.RBAC_PERMISSION_MODEL, blank=True
+                    ),
+                ),
             ],
             options={
                 'swappable': 'RBAC_ROLE_MODEL',
@@ -74,10 +135,23 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='RoleParenting',
             fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                (
+                    'id',
+                    models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True),
+                ),
                 ('direct', models.BooleanField(blank=True, default=True)),
-                ('child', models.ForeignKey(related_name='parent_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE)),
-                ('parent', models.ForeignKey(related_name='child_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE)),
+                (
+                    'child',
+                    models.ForeignKey(
+                        related_name='parent_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE
+                    ),
+                ),
+                (
+                    'parent',
+                    models.ForeignKey(
+                        related_name='child_relation', to=settings.RBAC_ROLE_MODEL, on_delete=models.CASCADE
+                    ),
+                ),
             ],
             options={
                 'swappable': 'RBAC_ROLE_PARENTING_MODEL',
diff --git a/src/django_rbac/migrations/0003_add_max_aggregate_for_postgres.py b/src/django_rbac/migrations/0003_add_max_aggregate_for_postgres.py
index d41a3ac3..2510f7c2 100644
--- a/src/django_rbac/migrations/0003_add_max_aggregate_for_postgres.py
+++ b/src/django_rbac/migrations/0003_add_max_aggregate_for_postgres.py
@@ -10,5 +10,4 @@ class Migration(migrations.Migration):
         ('django_rbac', '0002_organizationalunit_permission_role_roleparenting'),
     ]
 
-    operations = [
-    ]
+    operations = []
diff --git a/src/django_rbac/models.py b/src/django_rbac/models.py
index dcb7e9c5..92c91c58 100644
--- a/src/django_rbac/models.py
+++ b/src/django_rbac/models.py
@@ -7,6 +7,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.db import models
 from django.conf import settings
 from django.db.models.query import Q, Prefetch
+
 try:
     from django.contrib.contenttypes.fields import GenericForeignKey
 except ImportError:
@@ -14,31 +15,27 @@ except ImportError:
     from django.contrib.contenttypes.generic import GenericForeignKey
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth import get_user_model
-from django.contrib.auth.models import Group, _user_get_all_permissions, \
-    _user_has_perm, _user_has_module_perms, Permission as AuthPermission
+from django.contrib.auth.models import (
+    Group,
+    _user_get_all_permissions,
+    _user_has_perm,
+    _user_has_module_perms,
+    Permission as AuthPermission,
+)
 from django.contrib import auth
 
 from . import utils, constants, managers, backends
 
 
 class AbstractBase(models.Model):
-    '''Abstract base model for all models having a name and uuid and a
-       slug
-    '''
-    uuid = models.CharField(
-        max_length=32,
-        verbose_name=_('uuid'),
-        unique=True,
-        default=utils.get_hex_uuid)
-    name = models.CharField(
-        max_length=256,
-        verbose_name=_('name'))
-    slug = models.SlugField(
-        max_length=256,
-        verbose_name=_('slug'))
-    description = models.TextField(
-        verbose_name=_('description'),
-        blank=True)
+    """Abstract base model for all models having a name and uuid and a
+    slug
+    """
+
+    uuid = models.CharField(max_length=32, verbose_name=_('uuid'), unique=True, default=utils.get_hex_uuid)
+    name = models.CharField(max_length=256, verbose_name=_('name'))
+    slug = models.SlugField(max_length=256, verbose_name=_('slug'))
+    description = models.TextField(verbose_name=_('description'), blank=True)
 
     objects = managers.AbstractBaseManager()
 
@@ -46,16 +43,14 @@ class AbstractBase(models.Model):
         return self.name
 
     def __repr__(self):
-        return '<{0} {1} {2}>'.format(self.__class__.__name__, repr(self.slug),
-                                      repr(self.name))
+        return '<{0} {1} {2}>'.format(self.__class__.__name__, repr(self.slug), repr(self.name))
 
     def save(self, *args, **kwargs):
         # truncate slug and add a hash if it's too long
         if not self.slug:
             self.slug = slugify(six.text_type(self.name)).lstrip('_')
         if len(self.slug) > 256:
-            self.slug = self.slug[:252] + \
-                hashlib.md5(self.slug).hexdigest()[:4]
+            self.slug = self.slug[:252] + hashlib.md5(self.slug).hexdigest()[:4]
         if not self.uuid:
             self.uuid = utils.get_hex_uuid()
         return super(AbstractBase, self).save(*args, **kwargs)
@@ -69,13 +64,15 @@ class AbstractBase(models.Model):
 
 class AbstractOrganizationalUnitScopedBase(models.Model):
     '''Base abstract model class for model needing to be scoped by ou'''
+
     ou = models.ForeignKey(
         to=utils.get_ou_model_name(),
         verbose_name=_('organizational unit'),
         swappable=True,
         blank=True,
         null=True,
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
 
     class Meta:
         abstract = True
@@ -86,11 +83,11 @@ class OrganizationalUnitAbstractBase(AbstractBase):
         abstract = True
 
     def as_scope(self):
-        '''When used as scope to find permissions. Can return a queryset
-           in a swapped model if for example your OU are hierarchical.
+        """When used as scope to find permissions. Can return a queryset
+        in a swapped model if for example your OU are hierarchical.
 
-           Must return an OrganizationalUnit or a queryset.
-        '''
+        Must return an OrganizationalUnit or a queryset.
+        """
         return self
 
 
@@ -102,10 +99,7 @@ class OrganizationalUnit(OrganizationalUnitAbstractBase):
 
 
 class Operation(models.Model):
-    slug = models.CharField(
-        max_length=32,
-        verbose_name=_('slug'),
-        unique=True)
+    slug = models.CharField(max_length=32, verbose_name=_('slug'), unique=True)
 
     def natural_key(self):
         return [self.slug]
@@ -124,6 +118,7 @@ class Operation(models.Model):
     def register(cls, name, slug):
         cls._registry[slug] = name
         return cls(slug=slug)
+
     _registry = {}
 
     objects = managers.OperationManager()
@@ -133,24 +128,17 @@ Operation._meta.natural_key = ['slug']
 
 
 class PermissionAbstractBase(models.Model):
-    operation = models.ForeignKey(
-        to=Operation,
-        verbose_name=_('operation'),
-        on_delete=models.CASCADE)
+    operation = models.ForeignKey(to=Operation, verbose_name=_('operation'), on_delete=models.CASCADE)
     ou = models.ForeignKey(
         to=utils.get_ou_model_name(),
         verbose_name=_('organizational unit'),
         related_name='scoped_permission',
         null=True,
-        on_delete=models.CASCADE)
-    target_ct = models.ForeignKey(
-        to='contenttypes.ContentType',
-        related_name='+',
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
+    target_ct = models.ForeignKey(to='contenttypes.ContentType', related_name='+', on_delete=models.CASCADE)
     target_id = models.PositiveIntegerField()
-    target = GenericForeignKey(
-        'target_ct',
-        'target_id')
+    target = GenericForeignKey('target_ct', 'target_id')
 
     objects = managers.PermissionManager()
 
@@ -159,14 +147,15 @@ class PermissionAbstractBase(models.Model):
             self.operation.slug,
             self.ou and self.ou.natural_key(),
             self.target and self.target_ct.natural_key(),
-            self.target and self.target.natural_key()]
+            self.target and self.target.natural_key(),
+        ]
 
     def export_json(self):
         return {
             "operation": self.operation.natural_key_json(),
             "ou": self.ou and self.ou.natural_key_json(),
             'target_ct': self.target_ct.natural_key_json(),
-            "target": self.target.natural_key_json()
+            "target": self.target.natural_key_json(),
         }
 
     def __str__(self):
@@ -176,8 +165,7 @@ class PermissionAbstractBase(models.Model):
             target = ContentType.objects.get_for_id(self.target_id)
             s = u'{0} / {1}'.format(self.operation, target)
         else:
-            s = u'{0} / {1} / {2}'.format(self.operation, ct,
-                                          self.target)
+            s = u'{0} / {1} / {2}'.format(self.operation, ct, self.target)
         if self.ou:
             s += _(u' (scope "{0}")').format(self.ou)
         return s
@@ -185,9 +173,7 @@ class PermissionAbstractBase(models.Model):
     class Meta:
         abstract = True
         # FIXME: it's still allow non-unique permission with ou=null
-        unique_together = (
-            ('operation', 'ou', 'target_ct', 'target_id'),
-        )
+        unique_together = (('operation', 'ou', 'target_ct', 'target_id'),)
 
 
 class Permission(PermissionAbstractBase):
@@ -199,14 +185,11 @@ class Permission(PermissionAbstractBase):
 
 class RoleAbstractBase(AbstractOrganizationalUnitScopedBase, AbstractBase):
     members = models.ManyToManyField(
-        to=settings.AUTH_USER_MODEL,
-        swappable=True,
-        blank=True,
-        related_name='roles')
+        to=settings.AUTH_USER_MODEL, swappable=True, blank=True, related_name='roles'
+    )
     permissions = models.ManyToManyField(
-        to=utils.get_permission_model_name(),
-        related_name='roles',
-        blank=True)
+        to=utils.get_permission_model_name(), related_name='roles', blank=True
+    )
 
     objects = managers.RoleQuerySet.as_manager()
 
@@ -216,8 +199,7 @@ class RoleAbstractBase(AbstractOrganizationalUnitScopedBase, AbstractBase):
 
     def remove_child(self, child):
         RoleParenting = utils.get_role_parenting_model()
-        RoleParenting.objects.filter(parent=self, child=child,
-                                     direct=True).delete()
+        RoleParenting.objects.filter(parent=self, child=child, direct=True).delete()
 
     def add_parent(self, parent):
         RoleParenting = utils.get_role_parenting_model()
@@ -225,24 +207,24 @@ class RoleAbstractBase(AbstractOrganizationalUnitScopedBase, AbstractBase):
 
     def remove_parent(self, parent):
         RoleParenting = utils.get_role_parenting_model()
-        RoleParenting.objects.filter(child=self, parent=parent,
-                                     direct=True).delete()
+        RoleParenting.objects.filter(child=self, parent=parent, direct=True).delete()
 
     def parents(self, include_self=True, annotate=False):
-        return self.__class__.objects.filter(pk=self.pk) \
-            .parents(include_self=include_self, annotate=annotate)
+        return self.__class__.objects.filter(pk=self.pk).parents(include_self=include_self, annotate=annotate)
 
     def children(self, include_self=True, annotate=False):
-        return self.__class__.objects.filter(pk=self.pk) \
-            .children(include_self=include_self, annotate=annotate)
+        return self.__class__.objects.filter(pk=self.pk).children(
+            include_self=include_self, annotate=annotate
+        )
 
     def all_members(self):
         User = get_user_model()
-        prefetch = Prefetch('roles',
-                            queryset=self.__class__.objects.filter(pk=self.pk),
-                            to_attr='direct')
-        return User.objects.filter(
-            Q(roles=self) | Q(roles__parent_relation__parent=self)).distinct().prefetch_related(prefetch)
+        prefetch = Prefetch('roles', queryset=self.__class__.objects.filter(pk=self.pk), to_attr='direct')
+        return (
+            User.objects.filter(Q(roles=self) | Q(roles__parent_relation__parent=self))
+            .distinct()
+            .prefetch_related(prefetch)
+        )
 
     def is_direct(self):
         if hasattr(self, 'direct'):
@@ -267,21 +249,20 @@ class RoleParentingAbstractBase(models.Model):
         to=utils.get_role_model_name(),
         swappable=True,
         related_name='child_relation',
-        on_delete=models.CASCADE)
+        on_delete=models.CASCADE,
+    )
     child = models.ForeignKey(
         to=utils.get_role_model_name(),
         swappable=True,
         related_name='parent_relation',
-        on_delete=models.CASCADE)
-    direct = models.BooleanField(
-        default=True,
-        blank=True)
+        on_delete=models.CASCADE,
+    )
+    direct = models.BooleanField(default=True, blank=True)
 
     objects = managers.RoleParentingManager()
 
     def natural_key(self):
-        return [self.parent.natural_key(), self.child.natural_key(),
-                self.direct]
+        return [self.parent.natural_key(), self.child.natural_key(), self.direct]
 
     class Meta:
         abstract = True
@@ -302,22 +283,32 @@ class PermissionMixin(models.Model):
     A mixin class that adds the fields and methods necessary to support
     Django's Group and Permission model using the ModelBackend.
     """
+
     is_superuser = models.BooleanField(
-        _('superuser status'), default=False,
-        help_text=_('Designates that this user has all permissions '
-                    'without explicitly assigning them.'))
+        _('superuser status'),
+        default=False,
+        help_text=_('Designates that this user has all permissions ' 'without explicitly assigning them.'),
+    )
     groups = models.ManyToManyField(
         to=Group,
         verbose_name=_('groups'),
         blank=True,
-        help_text=_('The groups this user belongs to. A user will get '
-                    'all permissions granted to each of his/her '
-                    'group.'),
-        related_name="user_set", related_query_name="user")
+        help_text=_(
+            'The groups this user belongs to. A user will get '
+            'all permissions granted to each of his/her '
+            'group.'
+        ),
+        related_name="user_set",
+        related_query_name="user",
+    )
     user_permissions = models.ManyToManyField(
-        to=AuthPermission, verbose_name=_('user permissions'),
-        blank=True, help_text=_('Specific permissions for this user.'),
-        related_name="user_set", related_query_name="user")
+        to=AuthPermission,
+        verbose_name=_('user permissions'),
+        blank=True,
+        help_text=_('Specific permissions for this user.'),
+        related_name="user_set",
+        related_query_name="user",
+    )
 
     class Meta:
         abstract = True
diff --git a/src/django_rbac/signal_handlers.py b/src/django_rbac/signal_handlers.py
index 7bdc5c22..24dc25b7 100644
--- a/src/django_rbac/signal_handlers.py
+++ b/src/django_rbac/signal_handlers.py
@@ -19,8 +19,7 @@ def role_parenting_post_delete(sender, instance, **kwargs):
     sender.objects.update_transitive_closure()
 
 
-def create_base_operations(app_config, verbosity=2, interactive=True,
-                           using=DEFAULT_DB_ALIAS, **kwargs):
+def create_base_operations(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, **kwargs):
     '''Create some basic operations, matching permissions from Django'''
     if not router.allow_migrate(using, models.Operation):
         return
@@ -33,8 +32,7 @@ def create_base_operations(app_config, verbosity=2, interactive=True,
     utils.get_operation(models.SEARCH_OP)
 
 
-def fix_role_parenting_closure(app_config, verbosity=2, interactive=True,
-                               using=DEFAULT_DB_ALIAS, **kwargs):
+def fix_role_parenting_closure(app_config, verbosity=2, interactive=True, using=DEFAULT_DB_ALIAS, **kwargs):
     '''Close the role parenting relation after migrations'''
     if not router.allow_migrate(using, utils.get_role_parenting_model()):
         return
diff --git a/src/django_rbac/utils.py b/src/django_rbac/utils.py
index 5128d06e..26d01b25 100644
--- a/src/django_rbac/utils.py
+++ b/src/django_rbac/utils.py
@@ -19,19 +19,19 @@ def get_hex_uuid():
 
 
 def get_swapped_model_name(setting):
-    '''Return a model qualified name given a setting name containing the
-       qualified name of the model, useful to retrieve swappable models
-       name.
-    '''
+    """Return a model qualified name given a setting name containing the
+    qualified name of the model, useful to retrieve swappable models
+    name.
+    """
     if not hasattr(settings, setting):
         setattr(settings, setting, DEFAULT_MODELS[setting])
     return getattr(settings, setting)
 
 
 def get_swapped_model(setting):
-    '''Return a model given a setting name containing the qualified name
-       of the model, useful to retrieve swappable models.
-    '''
+    """Return a model given a setting name containing the qualified name
+    of the model, useful to retrieve swappable models.
+    """
     app, model_name = get_swapped_model_name(setting).rsplit('.', 1)
     return apps.get_model(app, model_name)
 
@@ -78,5 +78,6 @@ def get_permission_model():
 
 def get_operation(operation_tpl):
     from . import models
+
     operation, created = models.Operation.objects.get_or_create(slug=operation_tpl.slug)
     return operation
diff --git a/tests/auth_fc/conftest.py b/tests/auth_fc/conftest.py
index b0df872c..fab54962 100644
--- a/tests/auth_fc/conftest.py
+++ b/tests/auth_fc/conftest.py
@@ -74,8 +74,7 @@ class FranceConnectMock:
         self.state = query['state']
         self.nonce = query['nonce']
         self.code = str(uuid.uuid4().hex)
-        return app.get(
-            make_url(self.callback_url, params={'code': self.code, 'state': self.state}), **kwargs)
+        return app.get(make_url(self.callback_url, params={'code': self.code, 'state': self.state}), **kwargs)
 
     @property
     def callback_url(self):
@@ -92,15 +91,16 @@ class FranceConnectMock:
         if app.session:
             app.session.flush()
         response = app.get(path)
-        self.callback_params = {k: v for k, v in QueryDict(urlparse.urlparse(response.location).query).items()}
+        self.callback_params = {
+            k: v for k, v in QueryDict(urlparse.urlparse(response.location).query).items()
+        }
         response = response.follow()
         response = response.click(href='callback')
         return self.handle_authorization(app, response.location, status=302).follow()
 
     def access_token_response(self, url, request):
         formdata = QueryDict(request.body)
-        assert set(formdata.keys()) == {'code', 'client_id', 'client_secret',
-                                        'redirect_uri', 'grant_type'}
+        assert set(formdata.keys()) == {'code', 'client_id', 'client_secret', 'redirect_uri', 'grant_type'}
         assert formdata['code'] == self.code
         assert formdata['client_id'] == self.client_id
         assert formdata['client_secret'] == self.client_secret
@@ -109,16 +109,17 @@ class FranceConnectMock:
 
         # make response
         id_token = self.id_token.copy()
-        id_token.update({
-            'sub': self.sub,
-            'nonce': self.nonce,
-            'exp': int((self.exp or (now() + datetime.timedelta(seconds=60))).timestamp()),
-        })
+        id_token.update(
+            {
+                'sub': self.sub,
+                'nonce': self.nonce,
+                'exp': int((self.exp or (now() + datetime.timedelta(seconds=60))).timestamp()),
+            }
+        )
         id_token.update(self.user_info)
-        return json.dumps({
-            'access_token': self.access_token,
-            'id_token': self.hmac_jwt(id_token, self.client_secret)
-        })
+        return json.dumps(
+            {'access_token': self.access_token, 'id_token': self.hmac_jwt(id_token, self.client_secret)}
+        )
 
     def hmac_jwt(self, payload, key):
         header = {'alg': 'HS256'}
@@ -136,8 +137,9 @@ class FranceConnectMock:
     @contextlib.contextmanager
     def __call__(self):
         with httmock.HTTMock(
-                httmock.urlmatch(path=r'.*/token$')(self.access_token_response),
-                httmock.urlmatch(path=r'.*userinfo$')(self.user_info_response)):
+            httmock.urlmatch(path=r'.*/token$')(self.access_token_response),
+            httmock.urlmatch(path=r'.*userinfo$')(self.user_info_response),
+        ):
             yield None
 
     def handle_logout(self, app, url):
diff --git a/tests/auth_fc/test_auth_fc.py b/tests/auth_fc/test_auth_fc.py
index 612f7b91..41ebd3fd 100644
--- a/tests/auth_fc/test_auth_fc.py
+++ b/tests/auth_fc/test_auth_fc.py
@@ -130,10 +130,7 @@ def test_create_expired(settings, app, franceconnect, hooks):
 
 def test_login_email_is_unique(settings, app, franceconnect, caplog):
     settings.A2_EMAIL_IS_UNIQUE = True
-    user = User(
-        email='john.doe@example.com',
-        first_name='John',
-        last_name='Doe')
+    user = User(email='john.doe@example.com', first_name='John', last_name='Doe')
     user.set_password('toto')
     user.save()
     franceconnect.user_info['email'] = user.email
@@ -397,5 +394,5 @@ def test_save_account_on_delete_user(db):
         },
         {
             'sub': '4567',
-        }
+        },
     ]
diff --git a/tests/cache_urls.py b/tests/cache_urls.py
index 03486714..a4067873 100644
--- a/tests/cache_urls.py
+++ b/tests/cache_urls.py
@@ -23,6 +23,7 @@ from authentic2.decorators import SessionCache, DjangoCache
 @DjangoCache
 def cached_function():
     import random
+
     return random.random()
 
 
@@ -33,6 +34,7 @@ def cached_view(self):
 @SessionCache()
 def session_cache_function():
     import random
+
     return random.random()
 
 
@@ -40,7 +42,5 @@ def session_cache(request):
     value = session_cache_function()
     return HttpResponse('%s' % value)
 
-urlpatterns = [
-    url(r'^django_cache/$', cached_view),
-    url(r'^session_cache/$', session_cache)
-]
+
+urlpatterns = [url(r'^django_cache/$', cached_view), url(r'^session_cache/$', session_cache)]
diff --git a/tests/conftest.py b/tests/conftest.py
index 6e12af59..d5568a40 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -56,9 +56,7 @@ def pytest_addoption(parser):
 
 def pytest_configure(config):
     # register an additional marker
-    config.addinivalue_line(
-        "markers", "slow: mark test as slow"
-    )
+    config.addinivalue_line("markers", "slow: mark test as slow")
 
 
 def pytest_runtest_setup(item):
@@ -91,8 +89,10 @@ def app_factory():
     wtm = django_webtest.WebTestMixin()
     wtm._patch_settings()
     try:
+
         def factory(hostname='testserver'):
             return django_webtest.DjangoTestApp(extra_environ={'HTTP_HOST': hostname})
+
         yield factory
     finally:
         wtm._unpatch_settings()
@@ -134,27 +134,34 @@ def create_user(**kwargs):
 
 @pytest.fixture
 def simple_user(db, ou1):
-    return create_user(username='user', first_name=u'Jôhn', last_name=u'Dôe',
-                       email='user@example.net', ou=get_default_ou())
+    return create_user(
+        username='user', first_name=u'Jôhn', last_name=u'Dôe', email='user@example.net', ou=get_default_ou()
+    )
 
 
 @pytest.fixture
 def superuser(db):
-    return create_user(username='superuser',
-                       first_name='super', last_name='user',
-                       email='superuser@example.net',
-                       is_superuser=True,
-                       is_staff=True,
-                       is_active=True)
+    return create_user(
+        username='superuser',
+        first_name='super',
+        last_name='user',
+        email='superuser@example.net',
+        is_superuser=True,
+        is_staff=True,
+        is_active=True,
+    )
 
 
 @pytest.fixture
 def admin(db):
-    user = create_user(username='admin',
-                       first_name='global', last_name='admin',
-                       email='admin@example.net',
-                       is_active=True,
-                       ou=get_default_ou())
+    user = create_user(
+        username='admin',
+        first_name='global',
+        last_name='admin',
+        email='admin@example.net',
+        is_active=True,
+        ou=get_default_ou(),
+    )
     Role = get_role_model()
     user.roles.add(Role.objects.get(slug='_a2-manager'))
     return user
@@ -162,44 +169,53 @@ def admin(db):
 
 @pytest.fixture
 def user_ou1(db, ou1):
-    return create_user(username='john.doe', first_name=u'Jôhn', last_name=u'Dôe',
-                       email='john.doe@example.net', ou=ou1)
+    return create_user(
+        username='john.doe', first_name=u'Jôhn', last_name=u'Dôe', email='john.doe@example.net', ou=ou1
+    )
 
 
 @pytest.fixture
 def user_ou2(db, ou2):
-    return create_user(username='john.doe.ou2', first_name=u'Jôhn', last_name=u'Dôe',
-                       email='john.doe@example.net', ou=ou2)
+    return create_user(
+        username='john.doe.ou2', first_name=u'Jôhn', last_name=u'Dôe', email='john.doe@example.net', ou=ou2
+    )
 
 
 @pytest.fixture
 def admin_ou1(db, ou1):
-    user = create_user(username='admin.ou1', first_name=u'Admin', last_name=u'OU1',
-                       email='admin.ou1@example.net', ou=ou1)
+    user = create_user(
+        username='admin.ou1', first_name=u'Admin', last_name=u'OU1', email='admin.ou1@example.net', ou=ou1
+    )
     user.roles.add(ou1.get_admin_role())
     return user
 
 
 @pytest.fixture
 def admin_ou2(db, ou2):
-    user = create_user(username='admin.ou2', first_name=u'Admin', last_name=u'OU2',
-                       email='admin.ou2@example.net', ou=ou2)
+    user = create_user(
+        username='admin.ou2', first_name=u'Admin', last_name=u'OU2', email='admin.ou2@example.net', ou=ou2
+    )
     user.roles.add(ou2.get_admin_role())
     return user
 
 
 @pytest.fixture
 def admin_rando_role(db, role_random, ou_rando):
-    user = create_user(username='admin_rando', first_name='admin', last_name='rando',
-                       email='admin.rando@weird.com', ou=ou_rando)
+    user = create_user(
+        username='admin_rando',
+        first_name='admin',
+        last_name='rando',
+        email='admin.rando@weird.com',
+        ou=ou_rando,
+    )
     user.roles.add(ou_rando.get_admin_role())
     return user
 
 
-@pytest.fixture(params=['superuser', 'user_ou1', 'user_ou2', 'admin_ou1', 'admin_ou2',
-                        'admin_rando_role', 'member_rando'])
-def user(request, superuser, user_ou1, user_ou2, admin_ou1, admin_ou2, admin_rando_role,
-         member_rando):
+@pytest.fixture(
+    params=['superuser', 'user_ou1', 'user_ou2', 'admin_ou1', 'admin_ou2', 'admin_rando_role', 'member_rando']
+)
+def user(request, superuser, user_ou1, user_ou2, admin_ou1, admin_ou2, admin_rando_role, member_rando):
     return locals().get(request.param)
 
 
@@ -236,14 +252,16 @@ def role(request, role_random, role_ou1, role_ou2):
 
 @pytest.fixture
 def member_rando(db, ou_rando):
-    return create_user(username='test', first_name='test', last_name='test', email='test@test.org',
-                       ou=ou_rando)
+    return create_user(
+        username='test', first_name='test', last_name='test', email='test@test.org', ou=ou_rando
+    )
 
 
 @pytest.fixture
 def member_rando2(db, ou_rando):
-    return create_user(username='test2', first_name='test2', last_name='test2', email='test2@test.org',
-                       ou=ou_rando)
+    return create_user(
+        username='test2', first_name='test2', last_name='test2', email='test2@test.org', ou=ou_rando
+    )
 
 
 @pytest.fixture
@@ -263,9 +281,9 @@ def superuser_or_admin(request, superuser, admin):
 
 @pytest.fixture
 def concurrency(settings):
-    '''Select a level of concurrency based on the db. Currently only
-       postgresql is supported.
-    '''
+    """Select a level of concurrency based on the db. Currently only
+    postgresql is supported.
+    """
     return 100
 
 
@@ -280,15 +298,17 @@ def migrations():
 @pytest.fixture
 def oidc_client(db, ou1):
     client = OIDCClient.objects.create(
-        name='example', slug='example', client_id='example',
-        client_secret='example', authorization_flow=1,
+        name='example',
+        slug='example',
+        client_id='example',
+        client_secret='example',
+        authorization_flow=1,
         post_logout_redirect_uris='https://example.net/redirect/',
         identifier_policy=OIDCClient.POLICY_UUID,
         has_api_access=True,
     )
 
     class TestOIDCUser(OIDCUser):
-
         def __init__(self, oidc_client):
             super(TestOIDCUser, self).__init__(oidc_client)
 
@@ -311,10 +331,21 @@ def oidc_client(db, ou1):
     return TestOIDCUser(client)
 
 
-@pytest.fixture(params=['oidc_client', 'superuser', 'user_ou1', 'user_ou2',
-                        'admin_ou1', 'admin_ou2', 'admin_rando_role', 'member_rando'])
-def api_user(request, oidc_client, superuser, user_ou1, user_ou2,
-         admin_ou1, admin_ou2, admin_rando_role, member_rando):
+@pytest.fixture(
+    params=[
+        'oidc_client',
+        'superuser',
+        'user_ou1',
+        'user_ou2',
+        'admin_ou1',
+        'admin_ou2',
+        'admin_rando_role',
+        'member_rando',
+    ]
+)
+def api_user(
+    request, oidc_client, superuser, user_ou1, user_ou2, admin_ou1, admin_ou2, admin_rando_role, member_rando
+):
     return locals().get(request.param)
 
 
@@ -324,8 +355,14 @@ def clear_cache():
 
     cache.clear()
     BaseExpressionValidator.__call__.cache_clear()
-    for cached_el in (OU.cached, a2_hooks.get_hooks, get_providers,
-            get_provider_by_issuer, get_ou_count, has_providers):
+    for cached_el in (
+        OU.cached,
+        a2_hooks.get_hooks,
+        get_providers,
+        get_provider_by_issuer,
+        get_ou_count,
+        has_providers,
+    ):
         cached_el.cache.clear()
 
 
@@ -358,32 +395,37 @@ def hooks(settings):
 
 @pytest.fixture
 def auto_admin_role(db, ou1):
-    role = Role.objects.create(
-        ou=ou1,
-        slug='auto-admin-role',
-        name='Auto Admin Role')
+    role = Role.objects.create(ou=ou1, slug='auto-admin-role', name='Auto Admin Role')
     role.add_self_administration()
     return role
 
 
 @pytest.fixture
 def user_with_auto_admin_role(auto_admin_role, ou1):
-    user = create_user(username='user.with.auto.admin.role', first_name=u'User', last_name=u'With Auto Admin Role',
-                       email='user.with.auto.admin.role@example.net', ou=ou1)
+    user = create_user(
+        username='user.with.auto.admin.role',
+        first_name=u'User',
+        last_name=u'With Auto Admin Role',
+        email='user.with.auto.admin.role@example.net',
+        ou=ou1,
+    )
     user.roles.add(auto_admin_role)
     return user
 
 
 # fixtures to check proper validation of redirect_url
 
+
 @pytest.fixture
 def saml_external_redirect(db):
     from authentic2.saml.models import LibertyProvider
+
     next_url = 'https://saml.example.com/whatever/'
     LibertyProvider.objects.create(
         entity_id='https://saml.example.com/',
         protocol_conformance=3,
-        metadata=utils.saml_sp_metadata('https://example.com'))
+        metadata=utils.saml_sp_metadata('https://example.com'),
+    )
     return next_url, True
 
 
@@ -399,8 +441,9 @@ def whitelist_external_redirect(settings):
 
 
 @pytest.fixture(params=['saml', 'invalid', 'whitelist'])
-def external_redirect(request, saml_external_redirect,
-                      invalid_external_redirect, whitelist_external_redirect):
+def external_redirect(
+    request, saml_external_redirect, invalid_external_redirect, whitelist_external_redirect
+):
     return locals()[request.param + '_external_redirect']
 
 
@@ -413,18 +456,22 @@ def external_redirect_next_url(external_redirect):
 def assert_external_redirect(external_redirect):
     next_url, valid = external_redirect
     if valid:
+
         def check_location(response, default_return):
             assert next_url.endswith(response['Location'])
+
     else:
+
         def check_location(response, default_return):
-            assert urlparse.urljoin('http://testserver/', default_return)\
-                           .endswith(response['Location'])
+            assert urlparse.urljoin('http://testserver/', default_return).endswith(response['Location'])
+
     return check_location
 
 
 @pytest.fixture
 def french_translation():
     from django.utils.translation import activate, deactivate
+
     activate('fr')
     yield
     deactivate()
@@ -437,10 +484,7 @@ def media(settings, tmpdir):
 
 @pytest.fixture
 def service(db):
-    return Service.objects.create(
-        ou=get_default_ou(),
-        slug='service',
-        name='Service')
+    return Service.objects.create(ou=get_default_ou(), slug='service', name='Service')
 
 
 @pytest.fixture()
@@ -470,10 +514,11 @@ def migration(request, transactional_db):
             assert Foo.objects.filter(bar=True).count() == Foo.objects.count()
     Based on: https://gist.github.com/blueyed/4fb0a807104551f103e6
     """
+
     class Migrator(object):
         def before(self, targets, at_end=True):
-            """ Specify app and starting migration names as in:
-                before([('app', '0001_before')]) => app/migrations/0001_before.py
+            """Specify app and starting migration names as in:
+            before([('app', '0001_before')]) => app/migrations/0001_before.py
             """
             executor = MigrationExecutor(connection)
             executor.migrate(targets)
diff --git a/tests/test_a2_rbac.py b/tests/test_a2_rbac.py
index addff0f8..c3cf3818 100644
--- a/tests/test_a2_rbac.py
+++ b/tests/test_a2_rbac.py
@@ -33,7 +33,7 @@ from authentic2.a2_rbac.models import (
     Permission,
     OrganizationalUnit as OU,
     RoleAttribute,
-    MANAGE_MEMBERS_OP
+    MANAGE_MEMBERS_OP,
 )
 from authentic2.utils import get_hex_uuid
 
@@ -63,13 +63,12 @@ def test_delete_role(db):
 
     # There should be two more permissions the manage-members permission on the role
     # and the manage-members permission on the admin role
-    manage_members_perm = Permission.objects.by_target(new_role) \
-        .get(operation__slug='manage_members')
+    manage_members_perm = Permission.objects.by_target(new_role).get(operation__slug='manage_members')
     admin_role = Role.objects.get(
         admin_scope_ct=ContentType.objects.get_for_model(manage_members_perm),
-        admin_scope_id=manage_members_perm.pk)
-    admin_manage_members_perm = Permission.objects.by_target(admin_role) \
-        .get(operation__slug='manage_members')
+        admin_scope_id=manage_members_perm.pk,
+    )
+    admin_manage_members_perm = Permission.objects.by_target(admin_role).get(operation__slug='manage_members')
     assert Permission.objects.count() == pcount + 2
     new_role.delete()
     with pytest.raises(Permission.DoesNotExist):
@@ -84,8 +83,7 @@ def test_delete_role(db):
 
 def test_access_control(db):
     role_ct = ContentType.objects.get_for_model(Role)
-    role_admin_role = Role.objects.get_admin_role(
-        role_ct, 'admin %s' % role_ct, 'admin-role')
+    role_admin_role = Role.objects.get_admin_role(role_ct, 'admin %s' % role_ct, 'admin-role')
     user1 = User.objects.create(username='john.doe')
     assert not user1.has_perm('a2_rbac.change_role')
     assert not user1.has_perm('a2_rbac.view_role')
@@ -159,8 +157,7 @@ def test_role_natural_key(db):
 
 
 def test_basic_role_export_json(db):
-    role = Role.objects.create(
-        name='basic role', slug='basic-role', description='basic role description')
+    role = Role.objects.create(name='basic role', slug='basic-role', description='basic role description')
     role_dict = role.export_json()
     assert role_dict['name'] == role.name
     assert role_dict['slug'] == role.slug
@@ -190,17 +187,13 @@ def test_role_with_service_with_ou_export_json(db):
     service = Service.objects.create(name='service name', slug='service-name', ou=ou)
     role = Role.objects.create(name='some role', service=service)
     role_dict = role.export_json()
-    assert role_dict['service'] == {
-        'slug': service.slug,
-        'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
+    assert role_dict['service'] == {'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
 
 
 def test_role_with_attributes_export_json(db):
     role = Role.objects.create(name='some role')
-    attr1 = RoleAttribute.objects.create(
-        role=role, name='attr1_name', kind='string', value='attr1_value')
-    attr2 = RoleAttribute.objects.create(
-        role=role, name='attr2_name', kind='string', value='attr2_value')
+    attr1 = RoleAttribute.objects.create(role=role, name='attr1_name', kind='string', value='attr1_value')
+    attr2 = RoleAttribute.objects.create(role=role, name='attr2_name', kind='string', value='attr2_value')
 
     role_dict = role.export_json(attributes=True)
     attributes = role_dict['attributes']
@@ -216,16 +209,12 @@ def test_role_with_attributes_export_json(db):
 
 
 def test_role_with_parents_export_json(db):
-    grand_parent_role = Role.objects.create(
-        name='test grand parent role', slug='test-grand-parent-role')
-    parent_1_role = Role.objects.create(
-        name='test parent 1 role', slug='test-parent-1-role')
+    grand_parent_role = Role.objects.create(name='test grand parent role', slug='test-grand-parent-role')
+    parent_1_role = Role.objects.create(name='test parent 1 role', slug='test-parent-1-role')
     parent_1_role.add_parent(grand_parent_role)
-    parent_2_role = Role.objects.create(
-        name='test parent 2 role', slug='test-parent-2-role')
+    parent_2_role = Role.objects.create(name='test parent 2 role', slug='test-parent-2-role')
     parent_2_role.add_parent(grand_parent_role)
-    child_role = Role.objects.create(
-        name='test child role', slug='test-child-role')
+    child_role = Role.objects.create(name='test child role', slug='test-child-role')
     child_role.add_parent(parent_1_role)
     child_role.add_parent(parent_2_role)
 
@@ -259,19 +248,21 @@ def test_role_with_permission_export_json(db):
     some_ou = OU.objects.create(name='some ou', slug='some-ou')
     role = Role.objects.create(name='role name', slug='role-slug')
     other_role = Role.objects.create(
-        name='other role name', slug='other-role-slug', uuid=get_hex_uuid(), ou=some_ou)
+        name='other role name', slug='other-role-slug', uuid=get_hex_uuid(), ou=some_ou
+    )
     ou = OU.objects.create(name='basic ou', slug='basic-ou', description='basic ou description')
     Permission = get_permission_model()
     op = Operation.objects.get(slug='add')
     perm_saml = Permission.objects.create(
-        operation=op, ou=ou,
+        operation=op,
+        ou=ou,
         target_ct=ContentType.objects.get_for_model(ContentType),
-        target_id=ContentType.objects.get(app_label="saml", model="libertyprovider").pk)
+        target_id=ContentType.objects.get(app_label="saml", model="libertyprovider").pk,
+    )
     role.permissions.add(perm_saml)
     perm_role = Permission.objects.create(
-        operation=op, ou=None,
-        target_ct=ContentType.objects.get_for_model(Role),
-        target_id=other_role.pk)
+        operation=op, ou=None, target_ct=ContentType.objects.get_for_model(Role), target_id=other_role.pk
+    )
     role.permissions.add(perm_role)
 
     export = role.export_json(permissions=True)
@@ -281,25 +272,32 @@ def test_role_with_permission_export_json(db):
         'operation': {'slug': 'add'},
         'ou': {'uuid': ou.uuid, 'slug': ou.slug, 'name': ou.name},
         'target_ct': {'app_label': u'contenttypes', 'model': u'contenttype'},
-        'target': {'model': u'libertyprovider', 'app_label': u'saml'}
+        'target': {'model': u'libertyprovider', 'app_label': u'saml'},
     }
     assert permissions[1] == {
         'operation': {'slug': 'add'},
         'ou': None,
         'target_ct': {'app_label': u'a2_rbac', 'model': u'role'},
         'target': {
-            'slug': u'other-role-slug', 'service': None, 'uuid': other_role.uuid,
-            'ou': {
-                'slug': u'some-ou', 'uuid': some_ou.uuid, 'name': u'some ou'
-            },
-            'name': u'other role name'}
+            'slug': u'other-role-slug',
+            'service': None,
+            'uuid': other_role.uuid,
+            'ou': {'slug': u'some-ou', 'uuid': some_ou.uuid, 'name': u'some ou'},
+            'name': u'other role name',
+        },
     }
 
 
 def test_ou_export_json(db):
     ou = OU.objects.create(
-        name='basic ou', slug='basic-ou', description='basic ou description',
-        username_is_unique=True, email_is_unique=True, default=False, validate_emails=True)
+        name='basic ou',
+        slug='basic-ou',
+        description='basic ou description',
+        username_is_unique=True,
+        email_is_unique=True,
+        default=False,
+        validate_emails=True,
+    )
     ou_dict = ou.export_json()
     assert ou_dict['name'] == ou.name
     assert ou_dict['slug'] == ou.slug
@@ -343,7 +341,8 @@ def test_admin_cleanup_failure(db):
     Role.objects.create(
         name='manager of r1',
         admin_scope_ct=ContentType.objects.get_for_model(Permission),
-        admin_scope_id=9999)
+        admin_scope_id=9999,
+    )
 
     assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 1
 
@@ -356,7 +355,8 @@ def test_admin_cleanup_command(db):
     Role.objects.create(
         name='manager of r1',
         admin_scope_ct=ContentType.objects.get_for_model(Permission),
-        admin_scope_id=9999)
+        admin_scope_id=9999,
+    )
 
     assert Role.objects.filter(name__contains='r1', admin_scope_ct_id__isnull=False).count() == 1
 
@@ -413,8 +413,9 @@ def test_admin_role_user_view(db, settings, app, admin, simple_user, ou1, user_o
     response = response.click('role_ou1')
     select2_json = request_select2(app, response)
     assert select2_json['more'] is False
-    assert (set(result['id'] for result in select2_json['results'])
-            == set([simple_user.id, user_ou1.id, admin.id]))
+    assert set(result['id'] for result in select2_json['results']) == set(
+        [simple_user.id, user_ou1.id, admin.id]
+    )
 
     # with A2_RBAC_ROLE_ADMIN_RESTRICT_TO_OU_USERS after a reload of the admin
     # page, we should only see user from the same OU as the role
@@ -424,21 +425,19 @@ def test_admin_role_user_view(db, settings, app, admin, simple_user, ou1, user_o
     response = response.click('role_ou1')
     select2_json = request_select2(app, response)
     assert select2_json['more'] is False
-    assert (set(result['id'] for result in select2_json['results']) == set([user_ou1.id]))
+    assert set(result['id'] for result in select2_json['results']) == set([user_ou1.id])
 
 
 def test_no_managed_ct(transactional_db, settings):
     from django.core.management.sql import emit_post_migrate_signal
 
-    call_command('flush', verbosity=0, interactive=False,
-                 database='default', reset_sequences=False)
+    call_command('flush', verbosity=0, interactive=False, database='default', reset_sequences=False)
     assert Role.objects.count() == 5
     OU.objects.create(name='OU1', slug='ou1')
     emit_post_migrate_signal(verbosity=0, interactive=False, db='default', created_models=[])
     assert Role.objects.count() == 5 + 4 + 4
     settings.A2_RBAC_MANAGED_CONTENT_TYPES = ()
-    call_command('flush', verbosity=0, interactive=False,
-                 database='default', reset_sequences=False)
+    call_command('flush', verbosity=0, interactive=False, database='default', reset_sequences=False)
     assert Role.objects.count() == 0
     # create ou
     OU.objects.create(name='OU1', slug='ou1')
@@ -474,14 +473,10 @@ def test_manager_roles_multi_ou(db, ou1):
     assert manager.parents(include_self=False).count() == 4
 
     for ou in [get_default_ou(), ou1]:
-        manager = Role.objects.get(ou__isnull=True,
-                                   slug='_a2-managers-of-{ou.slug}'.format(ou=ou))
-        user_manager = Role.objects.get(ou=ou,
-                                        slug='_a2-manager-of-users-{ou.slug}'.format(ou=ou))
-        role_manager = Role.objects.get(ou=ou,
-                                        slug='_a2-manager-of-roles-{ou.slug}'.format(ou=ou))
-        service_manager = Role.objects.get(ou=ou,
-                                           slug='_a2-manager-of-services-{ou.slug}'.format(ou=ou))
+        manager = Role.objects.get(ou__isnull=True, slug='_a2-managers-of-{ou.slug}'.format(ou=ou))
+        user_manager = Role.objects.get(ou=ou, slug='_a2-manager-of-users-{ou.slug}'.format(ou=ou))
+        role_manager = Role.objects.get(ou=ou, slug='_a2-manager-of-roles-{ou.slug}'.format(ou=ou))
+        service_manager = Role.objects.get(ou=ou, slug='_a2-manager-of-services-{ou.slug}'.format(ou=ou))
 
         assert user_manager in manager.parents()
         assert role_manager in manager.parents()
@@ -508,13 +503,13 @@ def test_update_content_types_roles(transactional_db, simple_user):
     role = Role.objects.get(name='Manager of users')
 
     # for the purpose of this test, remove admin perm that inherit manage_authorizations perm
-    admin_perm = [
-        x for x in role.permissions.all() if x.operation.name == 'Management'][0]
+    admin_perm = [x for x in role.permissions.all() if x.operation.name == 'Management'][0]
     role.permissions.remove(admin_perm)
 
     # 'Manager of users' role gives manage_authorizations perm
     manage_authorizations_perm = [
-        x for x in role.permissions.all() if x.operation.name == 'Manage service consents'][0]
+        x for x in role.permissions.all() if x.operation.name == 'Manage service consents'
+    ][0]
     assert manage_authorizations_perm
     simple_user.roles.add(role)
     assert simple_user.has_perm('custom_user.manage_authorizations_user')
@@ -525,22 +520,18 @@ def test_update_content_types_roles(transactional_db, simple_user):
 
     # remove manage_authorizations perm
     manage_authorizations_perm.delete()
-    assert not [x for x in role.permissions.all()
-                if x.operation.name == 'Manage service consents']
+    assert not [x for x in role.permissions.all() if x.operation.name == 'Manage service consents']
     update_user_permissions()
     assert not simple_user.has_perm('custom_user.manage_authorizations_user')
-    assert not [x for x in simple_user.get_all_permissions()
-                if x == 'custom_user.manage_authorizations_user']
+    assert not [x for x in simple_user.get_all_permissions() if x == 'custom_user.manage_authorizations_user']
 
     # manage_authorizations perm is (re-)created on post migrate
     emit_post_migrate_signal(verbosity=0, interactive=False, db='default', created_models=[])
-    assert [x for x in role.permissions.all()
-            if x.operation.name == 'Manage service consents'][0]
+    assert [x for x in role.permissions.all() if x.operation.name == 'Manage service consents'][0]
     # and added to 'Manager of users' role
     update_user_permissions()
     assert simple_user.has_perm('custom_user.manage_authorizations_user')
-    assert [x for x in simple_user.get_all_permissions()
-            if x == 'custom_user.manage_authorizations_user']
+    assert [x for x in simple_user.get_all_permissions() if x == 'custom_user.manage_authorizations_user']
 
 
 @pytest.mark.parametrize('new_perm_exists', [True, False])
@@ -561,12 +552,11 @@ def test_update_self_admin_perm_migration(migration, new_perm_exists):
     role.permissions.add(self_perm)
 
     if new_perm_exists:
-        new_self_perm, _ = Permission.objects.get_or_create(operation=manage_members_op, target_ct=ct,
-                                         target_id=role.pk)
-    else:
-        Permission.objects.filter(
+        new_self_perm, _ = Permission.objects.get_or_create(
             operation=manage_members_op, target_ct=ct, target_id=role.pk
-        ).delete()
+        )
+    else:
+        Permission.objects.filter(operation=manage_members_op, target_ct=ct, target_id=role.pk).delete()
 
     new_apps = migration.apply([('a2_rbac', '0024_fix_self_admin_perm')])
     Role = new_apps.get_model('a2_rbac', 'Role')
diff --git a/tests/test_admin.py b/tests/test_admin.py
index 36d8391f..04e4a6cc 100644
--- a/tests/test_admin.py
+++ b/tests/test_admin.py
@@ -26,21 +26,48 @@ from . import utils
 
 def test_user_admin(db, app, superuser):
     utils.login(app, superuser)
-    Attribute.objects.create(label='SIRET', name='siret', kind='string', required=False,
-                             user_visible=True, user_editable=False, asked_on_registration=False,
-                             multiple=False)
-    Attribute.objects.create(label='Civilité', name='civilite', kind='title', required=False,
-                             user_visible=True, user_editable=True, asked_on_registration=True,
-                             multiple=False)
+    Attribute.objects.create(
+        label='SIRET',
+        name='siret',
+        kind='string',
+        required=False,
+        user_visible=True,
+        user_editable=False,
+        asked_on_registration=False,
+        multiple=False,
+    )
+    Attribute.objects.create(
+        label='Civilité',
+        name='civilite',
+        kind='title',
+        required=False,
+        user_visible=True,
+        user_editable=True,
+        asked_on_registration=True,
+        multiple=False,
+    )
 
     superuser.verified_attributes.first_name = 'John'
     superuser.verified_attributes.last_name = 'Doe'
 
     resp = app.get('/admin/custom_user/user/%s/' % superuser.pk).maybe_follow()
-    assert set(resp.form.fields.keys()) >= set(['username', 'first_name', 'last_name', 'civilite',
-                                                'siret', 'is_staff', 'is_superuser', 'ou', 'groups',
-                                                'date_joined_0', 'date_joined_1', 'last_login_0',
-                                                'last_login_1'])
+    assert set(resp.form.fields.keys()) >= set(
+        [
+            'username',
+            'first_name',
+            'last_name',
+            'civilite',
+            'siret',
+            'is_staff',
+            'is_superuser',
+            'ou',
+            'groups',
+            'date_joined_0',
+            'date_joined_1',
+            'last_login_0',
+            'last_login_1',
+        ]
+    )
     resp.form.set('first_name', 'John')
     resp.form.set('last_name', 'Doe')
     resp.form.set('civilite', 'Mr')
diff --git a/tests/test_all.py b/tests/test_all.py
index c35c30a6..77d39d36 100644
--- a/tests/test_all.py
+++ b/tests/test_all.py
@@ -49,21 +49,19 @@ class SerializerTests(TestCase):
         import json
         from authentic2.models import Attribute, AttributeValue
         from django.core import serializers
+
         User = get_user_model()
         ucount = User.objects.count()
         acount = Attribute.objects.count()
         u = User.objects.create(username='john.doe')
         avcount = AttributeValue.objects.count()
-        a = Attribute.objects.create(name='phone', label='phone',
-                                     kind='string')
-        av = AttributeValue.objects.create(owner=u, attribute=a,
-                                           content='0101010101')
+        a = Attribute.objects.create(name='phone', label='phone', kind='string')
+        av = AttributeValue.objects.create(owner=u, attribute=a, content='0101010101')
         self.assertEqual(User.objects.count(), ucount + 1)
         self.assertEqual(Attribute.objects.count(), acount + 1)
         self.assertEqual(AttributeValue.objects.count(), avcount + 1)
         s = serializers.get_serializer('json')()
-        s.serialize([u, a, av], use_natural_foreign_keys=True,
-                    use_natural_primary_keys=True)
+        s.serialize([u, a, av], use_natural_foreign_keys=True, use_natural_primary_keys=True)
         result = s.getvalue()
         u.delete()
         a.delete()
@@ -92,7 +90,7 @@ class SerializerTests(TestCase):
                     'password': '',
                     'ou': None,
                     'deactivation': None,
-                }
+                },
             },
             {
                 'model': 'authentic2.attribute',
@@ -110,7 +108,7 @@ class SerializerTests(TestCase):
                     'searchable': False,
                     'order': 0,
                     'scopes': '',
-                }
+                },
             },
             {
                 'model': 'authentic2.attributevalue',
@@ -121,8 +119,8 @@ class SerializerTests(TestCase):
                     'multiple': False,
                     'verified': False,
                     'search_vector': None,
-                }
-            }
+                },
+            },
         ]
         expected = json.loads(json.dumps(expected, cls=DjangoJSONEncoder))
         for obj in serializers.deserialize('json', result):
@@ -136,52 +134,49 @@ class SerializerTests(TestCase):
 
 class UtilsTests(Authentic2TestCase):
     def test_assert_equals_url(self):
-        self.assertEqualsURL('/test?coin=1&bob=2&coin=3',
-                             '/test?bob=2&coin=1&coin=3')
+        self.assertEqualsURL('/test?coin=1&bob=2&coin=3', '/test?bob=2&coin=1&coin=3')
 
     def test_make_url(self):
         from authentic2.utils import make_url
+
         self.assertEqualsURL(make_url('../coin'), '../coin')
-        self.assertEqualsURL(make_url('../boob', params={'next': '..'}),
-                             '../boob?next=..')
-        self.assertEqualsURL(make_url('../boob', params={'next': '..'},
-                                      append={'xx': 'yy'}),
-                             '../boob?xx=yy&next=..')
-        self.assertEqualsURL(make_url('../boob', params={'next': '..'},
-                                      append={'next': 'yy'}),
-                             '../boob?next=..&next=yy')
-        self.assertEqualsURL(make_url('auth_login', params={'next': '/zob'}),
-                             '/login/?next=%2Fzob')
-        self.assertEqualsURL(make_url('auth_login', params={'next': '/zob'},
-                                      fragment='a2-panel'),
-                             '/login/?next=%2Fzob#a2-panel')
+        self.assertEqualsURL(make_url('../boob', params={'next': '..'}), '../boob?next=..')
+        self.assertEqualsURL(
+            make_url('../boob', params={'next': '..'}, append={'xx': 'yy'}), '../boob?xx=yy&next=..'
+        )
+        self.assertEqualsURL(
+            make_url('../boob', params={'next': '..'}, append={'next': 'yy'}), '../boob?next=..&next=yy'
+        )
+        self.assertEqualsURL(make_url('auth_login', params={'next': '/zob'}), '/login/?next=%2Fzob')
+        self.assertEqualsURL(
+            make_url('auth_login', params={'next': '/zob'}, fragment='a2-panel'),
+            '/login/?next=%2Fzob#a2-panel',
+        )
 
     def test_redirect(self):
         from authentic2.utils import redirect
         from django.test.client import RequestFactory
+
         rf = RequestFactory()
         request = rf.get('/coin', data={'next': '..'})
         request2 = rf.get('/coin', data={'next': '..', 'token': 'xxx'})
         response = redirect(request, '/boob/', keep_params=True)
         self.assertEqualsURL(response['Location'], '/boob/?next=..')
-        response = redirect(request, '/boob/', keep_params=True,
-                            exclude=['next'])
+        response = redirect(request, '/boob/', keep_params=True, exclude=['next'])
         self.assertEqualsURL(response['Location'], '/boob/')
         response = redirect(request2, '/boob/', keep_params=True)
         self.assertEqualsURL(response['Location'], '/boob/?token=xxx&next=..')
-        response = redirect(request, '/boob/', keep_params=True,
-                            exclude=['token'])
+        response = redirect(request, '/boob/', keep_params=True, exclude=['token'])
         self.assertEqualsURL(response['Location'], '/boob/?next=..')
-        response = redirect(request, '/boob/', keep_params=True,
-                            include=['next'])
+        response = redirect(request, '/boob/', keep_params=True, include=['next'])
         self.assertEqualsURL(response['Location'], '/boob/?next=..')
-        response = redirect(request, '/boob/', keep_params=True,
-                            include=['next'], params={'token': 'uuu'})
+        response = redirect(request, '/boob/', keep_params=True, include=['next'], params={'token': 'uuu'})
         self.assertEqualsURL(response['Location'], '/boob/?token=uuu&next=..')
 
     def test_redirect_to_login(self):
         from authentic2.utils import redirect_to_login
         from django.test.client import RequestFactory
+
         rf = RequestFactory()
         request = rf.get('/coin', data={'next': '..'})
         response = redirect_to_login(request)
@@ -190,6 +185,7 @@ class UtilsTests(Authentic2TestCase):
     def test_continue_to_next_url(self):
         from authentic2.utils import continue_to_next_url
         from django.test.client import RequestFactory
+
         rf = RequestFactory()
         request = rf.get('/coin', data={'next': '/zob/', 'nonce': 'xxx'})
         response = continue_to_next_url(request)
@@ -198,15 +194,15 @@ class UtilsTests(Authentic2TestCase):
     def test_login_require(self):
         from authentic2.utils import login_require
         from django.test.client import RequestFactory
+
         rf = RequestFactory()
         request = rf.get('/coin', data={'next': '/zob/', 'nonce': 'xxx'})
         request.session = SessionStore()
         response = login_require(request, login_hint=['backoffice'])
         self.assertEqualsURL(response['Location'].split('?', 1)[0], '/login/')
         self.assertEqualsURL(
-            urlparse.parse_qs(
-                response['Location'].split('?', 1)[1])['next'][0],
-            '/coin?nonce=xxx&next=/zob/')
+            urlparse.parse_qs(response['Location'].split('?', 1)[1])['next'][0], '/coin?nonce=xxx&next=/zob/'
+        )
         self.assertEqual(request.session['login-hint'], ['backoffice'])
 
 
@@ -229,26 +225,20 @@ class UserProfileTests(TestCase):
             required=True,
             user_visible=True,
             user_editable=True,
-            kind='string')
+            kind='string',
+        )
         models.Attribute.objects.create(
-            label=u'ID',
-            name='national_number',
-            user_editable=True,
-            user_visible=True,
-            kind='string')
-        self.assertTrue(self.client.login(request=None,
-                                          username='testbot',
-                                          password='secret'))
+            label=u'ID', name='national_number', user_editable=True, user_visible=True, kind='string'
+        )
+        self.assertTrue(self.client.login(request=None, username='testbot', password='secret'))
 
         # get the edit page in order to check form's prefix
         response = self.client.get(reverse('profile_edit'))
         form = get_response_form(response)
 
-        kwargs = {'custom': 'random data',
-                  'national_number': 'xx20153566342yy'}
+        kwargs = {'custom': 'random data', 'national_number': 'xx20153566342yy'}
         if form.prefix:
-            kwargs = dict(('%s-%s' % (form.prefix, k), v)
-                          for k, v in kwargs.items())
+            kwargs = dict(('%s-%s' % (form.prefix, k), v) for k, v in kwargs.items())
 
         response = self.client.post(reverse('profile_edit'), kwargs)
         new = {'custom': 'random data', 'next_url': '', 'national_number': 'xx20153566342yy'}
@@ -272,28 +262,19 @@ class UserProfileTests(TestCase):
         models.Attribute.objects.update(disabled=True)
 
         models.Attribute.objects.create(
-            label=u'custom',
-            name='custom',
-            required=False,
-            user_editable=False,
-            kind='string')
+            label=u'custom', name='custom', required=False, user_editable=False, kind='string'
+        )
         models.Attribute.objects.create(
-            label=u'ID',
-            name='national_number',
-            user_editable=False,
-            user_visible=False,
-            kind='string')
-
-        self.assertTrue(self.client.login(request=None,
-                                          username='testbot',
-                                          password='secret'))
+            label=u'ID', name='national_number', user_editable=False, user_visible=False, kind='string'
+        )
+
+        self.assertTrue(self.client.login(request=None, username='testbot', password='secret'))
         response = self.client.get(reverse('profile_edit'))
         form = get_response_form(response)
         self.assertEqual(set(form.fields), set(['next_url']))
 
 
 class CacheTests(TestCase):
-
     @pytest.fixture(autouse=True)
     def cache_settings(self, settings):
         settings.A2_CACHE_ENABLED = True
@@ -323,6 +304,7 @@ class CacheTests(TestCase):
 
         def f2(a, b):
             return a
+
         # few chances the same value comme two times in a row
         self.assertNotEqual(f(), f())
 
@@ -350,12 +332,9 @@ class CacheTests(TestCase):
 
     @override_settings(ROOT_URLCONF='tests.cache_urls')
     def test_django_cache(self):
-        response1 = self.client.get('/django_cache/',
-                                    HTTP_HOST='cache1.example.com')
-        response2 = self.client.get('/django_cache/',
-                                    HTTP_HOST='cache2.example.com')
-        response3 = self.client.get('/django_cache/',
-                                    HTTP_HOST='cache1.example.com')
+        response1 = self.client.get('/django_cache/', HTTP_HOST='cache1.example.com')
+        response2 = self.client.get('/django_cache/', HTTP_HOST='cache2.example.com')
+        response3 = self.client.get('/django_cache/', HTTP_HOST='cache1.example.com')
         self.assertNotEqual(response1.content, response2.content)
         self.assertEqual(response1.content, response3.content)
 
@@ -375,27 +354,23 @@ class AttributeKindsTest(TestCase):
         from django.core.exceptions import ValidationError
         from django import forms
 
-        with self.settings(A2_ATTRIBUTE_KINDS=[
+        with self.settings(
+            A2_ATTRIBUTE_KINDS=[
                 {
                     'label': 'integer',
                     'name': 'integer',
                     'field_class': forms.IntegerField,
-                }]):
+                }
+            ]
+        ):
             title_field = attribute_kinds.get_form_field('title')
             self.assertTrue(isinstance(title_field, forms.ChoiceField))
             self.assertTrue(isinstance(title_field.widget, forms.RadioSelect))
             self.assertIsNotNone(title_field.choices)
-            self.assertTrue(
-                isinstance(attribute_kinds.get_form_field('string'),
-                           forms.CharField))
-            self.assertEqual(
-                attribute_kinds.get_kind('string')['name'], 'string')
-            self.assertTrue(
-                isinstance(attribute_kinds.get_form_field('integer'),
-                           forms.IntegerField))
-            self.assertEqual(
-                attribute_kinds.get_kind('integer')['name'],
-                'integer')
+            self.assertTrue(isinstance(attribute_kinds.get_form_field('string'), forms.CharField))
+            self.assertEqual(attribute_kinds.get_kind('string')['name'], 'string')
+            self.assertTrue(isinstance(attribute_kinds.get_form_field('integer'), forms.IntegerField))
+            self.assertEqual(attribute_kinds.get_kind('integer')['name'], 'integer')
             attribute_kinds.validate_siret('49108189900024')
             with self.assertRaises(ValidationError):
                 attribute_kinds.validate_siret('49108189900044')
@@ -418,8 +393,7 @@ class APITest(TestCase):
 
         ct_user = ContentType.objects.get_for_model(User)
 
-        self.ou = OU.objects.create(slug='ou', name='OU', email_is_unique=True,
-                                    username_is_unique=True)
+        self.ou = OU.objects.create(slug='ou', name='OU', email_is_unique=True, username_is_unique=True)
         self.reguser1 = User.objects.create(username='reguser1')
         self.reguser1.set_password('password')
         self.reguser1.save()
@@ -427,24 +401,22 @@ class APITest(TestCase):
         cred = cred.encode('utf-8')
         self.reguser1_cred = base64.b64encode(cred).decode('ascii')
         self.user_admin_role = Role.objects.get_admin_role(
-            instance=ct_user, name='user admin', slug='user-admin')
+            instance=ct_user, name='user admin', slug='user-admin'
+        )
         self.reguser1.roles.add(self.user_admin_role)
 
-        self.reguser2 = User.objects.create(username='reguser2',
-                                            password='password')
+        self.reguser2 = User.objects.create(username='reguser2', password='password')
         self.reguser2.set_password('password')
         self.reguser2.save()
         cred = '%s:%s' % (self.reguser2.username, 'password')
         cred = cred.encode('utf-8')
         self.reguser2_cred = base64.b64encode(cred).decode('ascii')
         self.ou_user_admin_role = Role.objects.get_admin_role(
-            instance=ct_user, name='user admin', slug='user-admin',
-            ou=self.ou)
+            instance=ct_user, name='user admin', slug='user-admin', ou=self.ou
+        )
         self.ou_user_admin_role.members.add(self.reguser2)
 
-        self.reguser3 = User.objects.create(username='reguser3',
-                                            password='password',
-                                            is_superuser=True)
+        self.reguser3 = User.objects.create(username='reguser3', password='password', is_superuser=True)
         self.reguser3.set_password('password')
         self.reguser3.save()
         cred = '%s:%s' % (self.reguser3.username, 'password')
@@ -485,9 +457,9 @@ class APITest(TestCase):
         }
         outbox_level = len(mail.outbox)
         client.credentials(HTTP_AUTHORIZATION='Basic %s' % cred)
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
         self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
         self.assertIn('result', response.data)
         self.assertEqual(response.data['result'], 1)
@@ -520,11 +492,10 @@ class APITest(TestCase):
             'password': password,
             'return_url': return_url,
         }
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
-        self.assertEqual(response.data['errors']['__all__'],
-                         [_('Account already exists in this ou')])
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
+        self.assertEqual(response.data['errors']['__all__'], [_('Account already exists in this ou')])
         # Username is required
         payload = {
             'email': '1' + email,
@@ -532,11 +503,10 @@ class APITest(TestCase):
             'password': password,
             'return_url': return_url,
         }
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
-        self.assertEqual(response.data['errors']['__all__'],
-                         [_('Username is required')])
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
+        self.assertEqual(response.data['errors']['__all__'], [_('Username is required')])
         # Test username is unique
         payload = {
             'email': '1' + email,
@@ -545,11 +515,10 @@ class APITest(TestCase):
             'password': password,
             'return_url': return_url,
         }
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
-        self.assertEqual(response.data['errors']['__all__'],
-                         [_('Account already exists')])
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
+        self.assertEqual(response.data['errors']['__all__'], [_('Account already exists')])
 
     def test_register_reguser2_wrong_ou(self):
         client = test.APIClient()
@@ -565,9 +534,9 @@ class APITest(TestCase):
             'return_url': return_url,
         }
         client.credentials(HTTP_AUTHORIZATION='Basic %s' % self.reguser2_cred)
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertIn('errors', response.data)
 
@@ -598,9 +567,9 @@ class APITest(TestCase):
         }
         outbox_level = len(mail.outbox)
         client.credentials(HTTP_AUTHORIZATION='Basic %s' % cred)
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
         self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
         self.assertIn('result', response.data)
         self.assertEqual(response.data['result'], 1)
@@ -634,11 +603,10 @@ class APITest(TestCase):
             'password': password,
             'return_url': return_url,
         }
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
-        self.assertEqual(response.data['errors']['__all__'],
-                         [_('Account already exists in this ou')])
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
+        self.assertEqual(response.data['errors']['__all__'], [_('Account already exists in this ou')])
         # Username is required
         payload = {
             'email': '1' + email,
@@ -646,11 +614,10 @@ class APITest(TestCase):
             'password': password,
             'return_url': return_url,
         }
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
-        self.assertEqual(response.data['errors']['__all__'],
-                         [_('Username is required')])
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
+        self.assertEqual(response.data['errors']['__all__'], [_('Username is required')])
         # Test username is unique
         payload = {
             'email': '1' + email,
@@ -659,11 +626,10 @@ class APITest(TestCase):
             'password': password,
             'return_url': return_url,
         }
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
-        self.assertEqual(response.data['errors']['__all__'],
-                         [_('Account already exists')])
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
+        self.assertEqual(response.data['errors']['__all__'], [_('Account already exists')])
 
     @override_settings(A2_REQUIRED_FIELDS=['username'])
     def test_email_username_is_unique_double_registration(self):
@@ -691,9 +657,9 @@ class APITest(TestCase):
         }
         outbox_level = len(mail.outbox)
         client.credentials(HTTP_AUTHORIZATION='Basic %s' % cred)
-        response = client.post(reverse('a2-api-register'),
-                               content_type='application/json',
-                               data=json.dumps(payload))
+        response = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
         self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
         self.assertIn('result', response.data)
         self.assertEqual(response.data['result'], 1)
@@ -704,9 +670,9 @@ class APITest(TestCase):
 
         # Second registration
         payload['email'] = 'john.doe2@example.com'
-        response2 = client.post(reverse('a2-api-register'),
-                                content_type='application/json',
-                                data=json.dumps(payload))
+        response2 = client.post(
+            reverse('a2-api-register'), content_type='application/json', data=json.dumps(payload)
+        )
         self.assertEqual(response2.status_code, status.HTTP_202_ACCEPTED)
         self.assertIn('result', response2.data)
         self.assertEqual(response2.data['result'], 1)
@@ -737,5 +703,8 @@ class APITest(TestCase):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.status_code, 200)
         self.assertFormError(
-            response, 'form', 'username',
-            _('This username is already in use. Please supply a different username.'))
+            response,
+            'form',
+            'username',
+            _('This username is already in use. Please supply a different username.'),
+        )
diff --git a/tests/test_api.py b/tests/test_api.py
index aa2693d4..df3f130c 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -64,8 +64,9 @@ def test_api_user(client):
     ou = get_default_ou()
 
     Attribute.objects.create(kind='birthdate', name='birthdate', label='birthdate', required=True)
-    user = User.objects.create(ou=ou, username='john.doe', first_name=u'Jôhn',
-                               last_name=u'Doe', email='john.doe@example.net')
+    user = User.objects.create(
+        ou=ou, username='john.doe', first_name=u'Jôhn', last_name=u'Doe', email='john.doe@example.net'
+    )
     user.attributes.birthdate = datetime.date(2019, 2, 2)
     user.set_password('password')
     user.save()
@@ -89,10 +90,23 @@ def test_api_user(client):
     response = client.get('/api/user/', HTTP_ORIGIN='http://testserver')
     data = json.loads(force_text(response.content))
     assert isinstance(data, dict)
-    assert set(data.keys()) == set(['uuid', 'username', 'first_name',
-                                    'ou__slug', 'ou__uuid', 'ou__name',
-                                    'last_name', 'email', 'roles', 'services',
-                                    'is_superuser', 'ou', 'birthdate'])
+    assert set(data.keys()) == set(
+        [
+            'uuid',
+            'username',
+            'first_name',
+            'ou__slug',
+            'ou__uuid',
+            'ou__name',
+            'last_name',
+            'email',
+            'roles',
+            'services',
+            'is_superuser',
+            'ou',
+            'birthdate',
+        ]
+    )
     assert data['uuid'] == user.uuid
     assert data['username'] == user.username
     assert data['first_name'] == user.first_name
@@ -107,31 +121,33 @@ def test_api_user(client):
     assert isinstance(data['roles'], list)
     assert len(data['roles']) == 2
     for role in data['roles']:
-        assert set(role.keys()) == set(['uuid', 'name', 'slug', 'is_admin',
-                                        'is_service', 'ou__uuid', 'ou__name',
-                                        'ou__slug'])
-        assert (role['uuid'] == role1.uuid and
-                role['name'] == role1.name and
-                role['slug'] == role1.slug and
-                role['is_admin'] is False and
-                role['is_service'] is False and
-                role['ou__uuid'] == ou.uuid and
-                role['ou__name'] == ou.name and
-                role['ou__slug'] == ou.slug) or \
-               (role['uuid'] == role2.uuid and
-                role['name'] == role2.name and
-                role['slug'] == role2.slug and
-                role['is_admin'] is False and
-                role['is_service'] is True and
-                role['ou__uuid'] == ou.uuid and
-                role['ou__name'] == ou.name and
-                role['ou__slug'] == ou.slug)
+        assert set(role.keys()) == set(
+            ['uuid', 'name', 'slug', 'is_admin', 'is_service', 'ou__uuid', 'ou__name', 'ou__slug']
+        )
+        assert (
+            role['uuid'] == role1.uuid
+            and role['name'] == role1.name
+            and role['slug'] == role1.slug
+            and role['is_admin'] is False
+            and role['is_service'] is False
+            and role['ou__uuid'] == ou.uuid
+            and role['ou__name'] == ou.name
+            and role['ou__slug'] == ou.slug
+        ) or (
+            role['uuid'] == role2.uuid
+            and role['name'] == role2.name
+            and role['slug'] == role2.slug
+            and role['is_admin'] is False
+            and role['is_service'] is True
+            and role['ou__uuid'] == ou.uuid
+            and role['ou__name'] == ou.name
+            and role['ou__slug'] == ou.slug
+        )
 
     assert isinstance(data['services'], list)
     assert len(data['services']) == 1
     s = data['services'][0]
-    assert set(s.keys()) == set(['name', 'slug', 'ou', 'ou__name', 'ou__slug',
-                                 'ou__uuid', 'roles'])
+    assert set(s.keys()) == set(['name', 'slug', 'ou', 'ou__name', 'ou__slug', 'ou__uuid', 'roles'])
     assert s['name'] == service.name
     assert s['slug'] == service.slug
     assert s['ou'] == ou.name
@@ -141,25 +157,28 @@ def test_api_user(client):
     assert isinstance(s['roles'], list)
     assert len(s['roles']) == 2
     for role in s['roles']:
-        assert set(role.keys()) == set(['uuid', 'name', 'slug', 'is_admin',
-                                        'is_service', 'ou__uuid', 'ou__name',
-                                        'ou__slug'])
-        assert (role['uuid'] == role1.uuid and
-                role['name'] == role1.name and
-                role['slug'] == role1.slug and
-                role['is_admin'] is False and
-                role['is_service'] is False and
-                role['ou__uuid'] == ou.uuid and
-                role['ou__name'] == ou.name and
-                role['ou__slug'] == ou.slug) or \
-               (role['uuid'] == role2.uuid and
-                role['name'] == role2.name and
-                role['slug'] == role2.slug and
-                role['is_admin'] is False and
-                role['is_service'] is True and
-                role['ou__uuid'] == ou.uuid and
-                role['ou__name'] == ou.name and
-                role['ou__slug'] == ou.slug)
+        assert set(role.keys()) == set(
+            ['uuid', 'name', 'slug', 'is_admin', 'is_service', 'ou__uuid', 'ou__name', 'ou__slug']
+        )
+        assert (
+            role['uuid'] == role1.uuid
+            and role['name'] == role1.name
+            and role['slug'] == role1.slug
+            and role['is_admin'] is False
+            and role['is_service'] is False
+            and role['ou__uuid'] == ou.uuid
+            and role['ou__name'] == ou.name
+            and role['ou__slug'] == ou.slug
+        ) or (
+            role['uuid'] == role2.uuid
+            and role['name'] == role2.name
+            and role['slug'] == role2.slug
+            and role['is_admin'] is False
+            and role['is_service'] is True
+            and role['ou__uuid'] == ou.uuid
+            and role['ou__name'] == ou.name
+            and role['ou__slug'] == ou.slug
+        )
 
 
 def test_api_users_list(app, user):
@@ -173,6 +192,7 @@ def test_api_users_list(app, user):
 
 def test_api_users_update_with_email_verified(settings, app, admin, simple_user):
     from django.contrib.auth import get_user_model
+
     simple_user.email_verified = True
     simple_user.save()
 
@@ -185,8 +205,9 @@ def test_api_users_update_with_email_verified(settings, app, admin, simple_user)
         'email_verified': True,
     }
     headers = basic_authorization_header(admin)
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
     assert user.email_verified
     assert resp.json['email_verified']
@@ -195,8 +216,9 @@ def test_api_users_update_with_email_verified(settings, app, admin, simple_user)
     user.email = 'johnny.doeny@foo.bar'
     user.save()
 
-    resp = app.patch_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.patch_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
     assert user.email_verified
     assert resp.json['email_verified']
@@ -204,6 +226,7 @@ def test_api_users_update_with_email_verified(settings, app, admin, simple_user)
 
 def test_api_users_update_without_email_verified(settings, app, admin, simple_user):
     from django.contrib.auth import get_user_model
+
     simple_user.email_verified = True
     simple_user.save()
 
@@ -215,8 +238,9 @@ def test_api_users_update_without_email_verified(settings, app, admin, simple_us
         'last_name': 'Doeny',
     }
     headers = basic_authorization_header(admin)
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
     assert not user.email_verified
     assert not resp.json['email_verified']
@@ -225,8 +249,9 @@ def test_api_users_update_without_email_verified(settings, app, admin, simple_us
     user.email = 'johnny.doeny@foo.bar'
     user.save()
 
-    resp = app.patch_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.patch_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
     assert not user.email_verified
     assert not resp.json['email_verified']
@@ -234,6 +259,7 @@ def test_api_users_update_without_email_verified(settings, app, admin, simple_us
 
 def test_api_users_update_with_same_unique_email(settings, app, admin, simple_user):
     from django.contrib.auth import get_user_model
+
     ou = get_default_ou()
     ou.email_is_unique = True
     ou.save()
@@ -246,12 +272,14 @@ def test_api_users_update_with_same_unique_email(settings, app, admin, simple_us
         'last_name': 'Doeny',
     }
     headers = basic_authorization_header(admin)
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
 
-    resp = app.patch_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.patch_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
 
 
 def test_api_users_create_with_email_verified(settings, app, admin):
@@ -265,8 +293,7 @@ def test_api_users_create_with_email_verified(settings, app, admin):
         'email_verified': True,
     }
     headers = basic_authorization_header(admin)
-    resp = app.post_json('/api/users/', headers=headers, params=payload,
-            status=201)
+    resp = app.post_json('/api/users/', headers=headers, params=payload, status=201)
     assert resp.json['email_verified']
     user = User.objects.get(uuid=resp.json['uuid'])
     assert user.email_verified
@@ -282,8 +309,7 @@ def test_api_users_create_without_email_verified(settings, app, admin):
         'last_name': 'Doe',
     }
     headers = basic_authorization_header(admin)
-    resp = app.post_json('/api/users/', headers=headers, params=payload,
-            status=201)
+    resp = app.post_json('/api/users/', headers=headers, params=payload, status=201)
     assert not resp.json['email_verified']
     user = User.objects.get(uuid=resp.json['uuid'])
     assert not user.email_verified
@@ -291,6 +317,7 @@ def test_api_users_create_without_email_verified(settings, app, admin):
 
 def test_api_email_unset_verification(settings, app, admin, simple_user):
     from django.contrib.auth import get_user_model
+
     simple_user.email_verified = True
     simple_user.save()
 
@@ -298,15 +325,15 @@ def test_api_email_unset_verification(settings, app, admin, simple_user):
         'email': 'john.doe@nowhere.null',
     }
     headers = basic_authorization_header(admin)
-    resp = app.post_json('/api/users/{}/email/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
+    resp = app.post_json(
+        '/api/users/{}/email/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
     assert not user.email_verified
 
 
 def test_api_users_boolean_attribute(app, superuser):
-    at = Attribute.objects.create(
-            kind='boolean', name='boolean', label='boolean', required=True)
+    at = Attribute.objects.create(kind='boolean', name='boolean', label='boolean', required=True)
     superuser.attributes.boolean = True
     app.authorization = ('Basic', (superuser.username, superuser.username))
     resp = app.get('/api/users/%s/' % superuser.uuid)
@@ -314,8 +341,7 @@ def test_api_users_boolean_attribute(app, superuser):
 
 
 def test_api_users_boolean_attribute_optional(app, superuser):
-    at = Attribute.objects.create(
-        kind='boolean', name='boolean', label='boolean', required=False)
+    at = Attribute.objects.create(kind='boolean', name='boolean', label='boolean', required=False)
     superuser.attributes.boolean = True
     app.authorization = ('Basic', (superuser.username, superuser.username))
     resp = app.get('/api/users/%s/' % superuser.uuid)
@@ -412,13 +438,34 @@ def test_api_users_create(settings, app, api_user):
 
     resp = app.post_json('/api/users/', params=payload, status=status)
     if api_user.is_superuser or api_user.roles.exists():
-        assert set(['ou', 'id', 'uuid', 'is_staff', 'is_superuser',
-                    'first_name', 'first_name_verified', 'last_name',
-                    'last_name_verified', 'date_joined', 'last_login',
-                    'username', 'password', 'email', 'is_active', 'title',
-                    'title_verified', 'modified', 'email_verified',
+        assert (
+            set(
+                [
+                    'ou',
+                    'id',
+                    'uuid',
+                    'is_staff',
+                    'is_superuser',
+                    'first_name',
+                    'first_name_verified',
+                    'last_name',
+                    'last_name_verified',
+                    'date_joined',
+                    'last_login',
+                    'username',
+                    'password',
+                    'email',
+                    'is_active',
+                    'title',
+                    'title_verified',
+                    'modified',
+                    'email_verified',
                     'last_account_deletion_alert',
-                    'deactivation']) == set(resp.json.keys())
+                    'deactivation',
+                ]
+            )
+            == set(resp.json.keys())
+        )
         assert resp.json['first_name'] == payload['first_name']
         assert resp.json['last_name'] == payload['last_name']
         assert resp.json['email'] == payload['email']
@@ -443,12 +490,10 @@ def test_api_users_create(settings, app, api_user):
         assert AttributeValue.objects.with_owner(new_user).count() == 3
         assert AttributeValue.objects.with_owner(new_user).filter(verified=True).count() == 0
         assert AttributeValue.objects.with_owner(new_user).filter(attribute=at).exists()
-        assert (AttributeValue.objects.with_owner(new_user).get(attribute=at).content ==
-                payload['title'])
+        assert AttributeValue.objects.with_owner(new_user).get(attribute=at).content == payload['title']
         resp2 = app.get('/api/users/%s/' % resp.json['uuid'])
         assert resp.json == resp2.json
-        payload.update({'uuid': '1234567890', 'email': 'foo@example.com',
-                        'username': 'foobar'})
+        payload.update({'uuid': '1234567890', 'email': 'foo@example.com', 'username': 'foobar'})
         resp = app.post_json('/api/users/', params=payload, status=status)
         assert resp.json['uuid'] == '1234567890'
         assert 'title' in resp.json
@@ -480,13 +525,34 @@ def test_api_users_create(settings, app, api_user):
 
     resp = app.post_json('/api/users/', params=payload, status=status)
     if api_user.is_superuser or api_user.roles.exists():
-        assert set(['ou', 'id', 'uuid', 'is_staff', 'is_superuser',
-                    'first_name', 'first_name_verified', 'last_name',
-                    'last_name_verified', 'date_joined', 'last_login',
-                    'username', 'password', 'email', 'is_active', 'title',
-                    'title_verified', 'modified', 'email_verified',
+        assert (
+            set(
+                [
+                    'ou',
+                    'id',
+                    'uuid',
+                    'is_staff',
+                    'is_superuser',
+                    'first_name',
+                    'first_name_verified',
+                    'last_name',
+                    'last_name_verified',
+                    'date_joined',
+                    'last_login',
+                    'username',
+                    'password',
+                    'email',
+                    'is_active',
+                    'title',
+                    'title_verified',
+                    'modified',
+                    'email_verified',
                     'last_account_deletion_alert',
-                    'deactivation']) == set(resp.json.keys())
+                    'deactivation',
+                ]
+            )
+            == set(resp.json.keys())
+        )
         user = get_user_model().objects.get(pk=resp.json['id'])
         assert AttributeValue.objects.with_owner(user).filter(verified=True).count() == 3
         assert AttributeValue.objects.with_owner(user).filter(verified=False).count() == 0
@@ -496,8 +562,7 @@ def test_api_users_create(settings, app, api_user):
         assert resp.json['first_name_verified']
         assert resp.json['last_name_verified']
         assert resp.json['title_verified']
-        resp2 = app.patch_json('/api/users/%s/' % resp.json['uuid'],
-                               params={'title_verified': False})
+        resp2 = app.patch_json('/api/users/%s/' % resp.json['uuid'], params={'title_verified': False})
         assert resp.json['first_name_verified']
         assert resp.json['last_name_verified']
         assert not resp2.json['title_verified']
@@ -549,8 +614,7 @@ def test_api_users_create_email_is_unique(settings, app, superuser):
     uuid = resp.json['uuid']
 
     app.patch_json('/api/users/%s/' % uuid, params={'email': 'john.doe3@example.net'})
-    resp = app.patch_json('/api/users/%s/' % uuid, params={'email': 'john.doe@example.net'},
-                          status=400)
+    resp = app.patch_json('/api/users/%s/' % uuid, params={'email': 'john.doe@example.net'}, status=400)
     assert resp.json['result'] == 0
     assert resp.json['errors']['email']
     settings.A2_EMAIL_IS_UNIQUE = False
@@ -560,8 +624,7 @@ def test_api_users_create_email_is_unique(settings, app, superuser):
     resp = app.post_json('/api/users/', params=payload)
     assert User.objects.filter(ou=ou2).count() == 2
     uuid = resp.json['uuid']
-    resp = app.patch_json('/api/users/%s/' % uuid, params={'email': 'john.doe@example.net'},
-                          status=400)
+    resp = app.patch_json('/api/users/%s/' % uuid, params={'email': 'john.doe@example.net'}, status=400)
     assert resp.json['result'] == 0
     assert resp.json['errors']['email']
 
@@ -630,8 +693,7 @@ def test_api_role_add_member(app, api_user, role, member):
     else:
         status = 403
 
-    resp = app.post_json('/api/roles/{0}/members/{1}/'.format(role.uuid, member.uuid),
-                         status=status)
+    resp = app.post_json('/api/roles/{0}/members/{1}/'.format(role.uuid, member.uuid), status=status)
     if status == 404:
         pass
     elif authorized:
@@ -654,8 +716,7 @@ def test_api_role_remove_member(app, api_user, role, member):
     else:
         status = 403
 
-    resp = app.delete_json('/api/roles/{0}/members/{1}/'.format(role.uuid, member.uuid),
-                           status=status)
+    resp = app.delete_json('/api/roles/{0}/members/{1}/'.format(role.uuid, member.uuid), status=status)
 
     if status == 404:
         pass
@@ -681,16 +742,14 @@ def test_api_role_add_members(app, api_user, role, member, member_rando2):
     else:
         status = 201
 
-    payload = {
-        "data": []
-    }
+    payload = {"data": []}
 
-    for m in [member, member_rando2, member_rando2]: # test no duplicate
+    for m in [member, member_rando2, member_rando2]:  # test no duplicate
         payload['data'].append({"uuid": m.uuid})
 
     resp = app.post_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            params=payload, status=status)
+        '/api/roles/{}/relationships/members/'.format(role.uuid), params=payload, status=status
+    )
 
     if status in (400, 404):
         pass
@@ -718,16 +777,14 @@ def test_api_role_remove_members(app, api_user, role, member, member_rando2):
     else:
         status = 200
 
-    payload = {
-        "data": []
-    }
+    payload = {"data": []}
 
-    for m in [member, member_rando2, member_rando2]: # test no duplicate
+    for m in [member, member_rando2, member_rando2]:  # test no duplicate
         payload['data'].append({"uuid": m.uuid})
 
     resp = app.delete_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            params=payload, status=status)
+        '/api/roles/{}/relationships/members/'.format(role.uuid), params=payload, status=status
+    )
 
     if status in (400, 404):
         pass
@@ -755,16 +812,14 @@ def test_api_role_set_members(app, api_user, role, member, member_rando2):
     else:
         status = 200
 
-    payload = {
-        "data": []
-    }
+    payload = {"data": []}
 
-    for m in [member, member_rando2, member_rando2]: # test no duplicate
+    for m in [member, member_rando2, member_rando2]:  # test no duplicate
         payload['data'].append({"uuid": m.uuid})
 
     resp = app.put_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            params=payload, status=status)
+        '/api/roles/{}/relationships/members/'.format(role.uuid), params=payload, status=status
+    )
 
     if status in (400, 404):
         pass
@@ -783,8 +838,9 @@ def test_api_role_set_empty_members(app, api_user):
     app.authorization = ('Basic', (api_user.username, api_user.username))
     ou = get_default_ou()
 
-    user = User.objects.create(ou=ou, username='john.doe', first_name=u'Jôhn',
-                               last_name=u'Doe', email='john.doe@example.net')
+    user = User.objects.create(
+        ou=ou, username='john.doe', first_name=u'Jôhn', last_name=u'Doe', email='john.doe@example.net'
+    )
     user.save()
 
     role = Role.objects.create(name='Role1', ou=ou)
@@ -795,8 +851,8 @@ def test_api_role_set_empty_members(app, api_user):
         status = 403
 
     resp = app.put_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            params={'data': []}, status=status)
+        '/api/roles/{}/relationships/members/'.format(role.uuid), params={'data': []}, status=status
+    )
     if api_user.has_perm('a2_rbac.change_role', role):
         assert len(role.members.all()) == 0
     else:
@@ -816,51 +872,39 @@ def test_api_role_members_payload_missing(app, api_user, role):
     authorized = api_user.has_perm('a2_rbac.change_role', role)
     status = 400 if authorized else 403
 
-    app.post_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            status=status)
+    app.post_json('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
 
-    app.delete_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            status=status)
+    app.delete_json('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
 
-    app.put_json(
-            '/api/roles/{}/relationships/members/'.format(role.uuid),
-            status=status)
+    app.put_json('/api/roles/{}/relationships/members/'.format(role.uuid), status=status)
 
 
 def test_api_role_members_wrong_payload_types(app, superuser, role_random, member_rando2):
     app.authorization = ('Basic', (superuser.username, superuser.username))
 
-    payload = [{
-        "data": [{'uuid': member_rando2.uuid}]
-    }]
+    payload = [{"data": [{'uuid': member_rando2.uuid}]}]
 
     resp = app.post_json(
-            '/api/roles/{}/relationships/members/'.format(role_random.uuid),
-            params=payload, status=400)
+        '/api/roles/{}/relationships/members/'.format(role_random.uuid), params=payload, status=400
+    )
 
     assert resp.json['result'] == 0
     assert resp.json['errors'] == ['Payload must be a dictionary']
 
-    payload = {
-        "data": [[member_rando2.uuid]]
-    }
+    payload = {"data": [[member_rando2.uuid]]}
 
     resp = app.post_json(
-            '/api/roles/{}/relationships/members/'.format(role_random.uuid),
-            params=payload, status=400)
+        '/api/roles/{}/relationships/members/'.format(role_random.uuid), params=payload, status=400
+    )
 
     assert resp.json['result'] == 0
     assert resp.json['errors'] == ["List elements of the 'data' dict entry must be dictionaries"]
 
-    payload = {
-        "data": [member_rando2.uuid]
-    }
+    payload = {"data": [member_rando2.uuid]}
 
     resp = app.post_json(
-            '/api/roles/{}/relationships/members/'.format(role_random.uuid),
-            params=payload, status=400)
+        '/api/roles/{}/relationships/members/'.format(role_random.uuid), params=payload, status=400
+    )
 
     assert resp.json['result'] == 0
     assert resp.json['errors'] == ["List elements of the 'data' dict entry must be dictionaries"]
@@ -884,8 +928,7 @@ def test_register_no_email_validation(settings, app, admin, django_user_model):
     }
     headers = basic_authorization_header(admin)
     assert len(mail.outbox) == 0
-    response = app.post_json(reverse('a2-api-register'), params=payload, headers=headers,
-                             status=400)
+    response = app.post_json(reverse('a2-api-register'), params=payload, headers=headers, status=400)
     assert 'errors' in response.json
     assert response.json['result'] == 0
     assert response.json['errors'] == {
@@ -943,8 +986,7 @@ def test_register_ou_no_email_validation(settings, app, admin, django_user_model
     }
     headers = basic_authorization_header(admin)
     assert len(mail.outbox) == 0
-    response = app.post_json(reverse('a2-api-register'), params=payload, headers=headers,
-                             status=400)
+    response = app.post_json(reverse('a2-api-register'), params=payload, headers=headers, status=400)
     assert 'errors' in response.json
     assert response.json['result'] == 0
     assert response.json['errors'] == {
@@ -998,10 +1040,9 @@ def test_user_synchronization(app, simple_user):
     response = app.post_json(url, params=content, headers=headers, status=403)
 
     # give custom_user.search_user permission to user
-    r = Role.objects.get_admin_role(ContentType.objects.get_for_model(User),
-                                    name='role',
-                                    slug='role',
-                                    operation=SEARCH_OP)
+    r = Role.objects.get_admin_role(
+        ContentType.objects.get_for_model(User), name='role', slug='role', operation=SEARCH_OP
+    )
 
     r.members.add(simple_user)
     response = app.post_json(url, params=content, headers=headers)
@@ -1181,11 +1222,7 @@ def test_api_patch_role_unauthorized(app, simple_user, role_ou1):
 def test_api_put_role(app, admin_ou1, role_ou1, ou1):
     app.authorization = ('Basic', (admin_ou1.username, admin_ou1.username))
 
-    role_data = {
-        'name': 'updated-role',
-        'slug': 'updated-role',
-        'ou': 'ou2'
-    }
+    role_data = {'name': 'updated-role', 'slug': 'updated-role', 'ou': 'ou2'}
     app.put_json('/api/roles/{}/'.format(role_ou1.uuid), params=role_data)
     role_ou1.refresh_from_db()
     assert role_ou1.name == 'updated-role'
@@ -1195,11 +1232,7 @@ def test_api_put_role(app, admin_ou1, role_ou1, ou1):
 
 def test_api_put_role_unauthorized(app, simple_user, role_ou1, ou1):
     app.authorization = ('Basic', (simple_user.username, simple_user.username))
-    role_data = {
-        'name': 'updated-role',
-        'slug': 'updated-role',
-        'ou': 'ou2'
-    }
+    role_data = {'name': 'updated-role', 'slug': 'updated-role', 'ou': 'ou2'}
     app.put_json('/api/roles/{}/'.format(role_ou1.uuid), params=role_data, status=404)
     role_ou1.refresh_from_db()
     assert role_ou1.name == 'role_ou1'
@@ -1210,11 +1243,7 @@ def test_api_put_role_unauthorized(app, simple_user, role_ou1, ou1):
 def test_api_post_role(app, admin_ou1, ou1):
     app.authorization = ('Basic', (admin_ou1.username, admin_ou1.username))
 
-    role_data = {
-        'slug': 'coffee-manager',
-        'name': 'Coffee Manager',
-        'ou': 'ou1'
-        }
+    role_data = {'slug': 'coffee-manager', 'name': 'Coffee Manager', 'ou': 'ou1'}
     resp = app.post_json('/api/roles/', params=role_data)
     assert isinstance(resp.json, dict)
     uuid = resp.json['uuid']
@@ -1234,7 +1263,7 @@ def test_api_post_role_no_ou(app, superuser):
     role_data = {
         'slug': 'tea-manager',
         'name': 'Tea Manager',
-        }
+    }
     resp = app.post_json('/api/roles/', params=role_data)
     uuid = resp.json['uuid']
     role = Role.objects.get(uuid=uuid)
@@ -1245,7 +1274,7 @@ def test_api_post_role_no_slug(app, superuser):
     app.authorization = ('Basic', (superuser.username, superuser.username))
     role_data = {
         'name': 'Some Role',
-        }
+    }
     resp = app.post_json('/api/roles/', params=role_data)
     uuid = resp.json['uuid']
     role = Role.objects.get(uuid=uuid)
@@ -1254,16 +1283,16 @@ def test_api_post_role_no_slug(app, superuser):
     # another call with same role name
     role_data = {
         'name': 'Some Role',
-        }
+    }
     resp = app.post_json('/api/roles/', params=role_data, status=400)
     assert resp.json['errors']['__all__'] == [
-            'The fields name, ou must make a unique set.',
-            'The fields slug, ou must make a unique set.',
-        ]
+        'The fields name, ou must make a unique set.',
+        'The fields slug, ou must make a unique set.',
+    ]
     # no slug no name
     role_data = {
         'id': 42,
-        }
+    }
     resp = app.post_json('/api/roles/', params=role_data, status=400)
     assert resp.json['errors']['name'] == ['This field is required.']
 
@@ -1274,7 +1303,7 @@ def test_api_post_ou_no_slug(app, superuser):
 
     ou_data = {
         'name': 'Some Organizational Unit',
-        }
+    }
     resp = app.post_json('/api/ous/', params=ou_data)
     uuid = resp.json['uuid']
     ou = OU.objects.get(uuid=uuid)
@@ -1284,16 +1313,16 @@ def test_api_post_ou_no_slug(app, superuser):
     # another call with same ou name
     ou_data = {
         'name': 'Some Organizational Unit',
-        }
+    }
     resp = app.post_json('/api/ous/', params=ou_data, status=400)
     assert resp.json['errors']['__all__'] == [
-            "The fields name must make a unique set.",
-            "The fields slug must make a unique set."
-        ]
+        "The fields name must make a unique set.",
+        "The fields slug must make a unique set.",
+    ]
     # no slug no name
     ou_data = {
         'id': 42,
-        }
+    }
     resp = app.post_json('/api/ous/', params=ou_data, status=400)
     assert resp.json['errors']['name'] == ['This field is required.']
 
@@ -1304,7 +1333,7 @@ def test_api_post_ou_get_or_create(app, superuser):
     # first get-or-create? -> create
     ou_data = {
         'name': 'Some Organizational Unit',
-        }
+    }
     resp = app.post_json('/api/ous/', params=ou_data)
     uuid = resp.json['uuid']
     ou = OU.objects.get(uuid=uuid)
@@ -1312,14 +1341,14 @@ def test_api_post_ou_get_or_create(app, superuser):
     ou_data = {
         'name': 'Some Organizational Unit',
         'slug': ou.slug,
-        }
+    }
     resp = app.post_json('/api/ous/?get_or_create=slug', params=ou_data)
     assert resp.json['uuid'] == ou.uuid
     # update-or-create? -> update
     ou_data = {
         'name': 'Another name',
         'slug': ou.slug,
-        }
+    }
     resp = app.post_json('/api/ous/?update_or_create=slug', params=ou_data)
     assert resp.json['uuid'] == ou.uuid
     assert OU.objects.get(uuid=resp.json['uuid']).name == ou_data['name']
@@ -1328,11 +1357,7 @@ def test_api_post_ou_get_or_create(app, superuser):
 def test_api_post_role_unauthorized(app, simple_user, ou1):
     app.authorization = ('Basic', (simple_user.username, simple_user.username))
 
-    role_data = {
-        'slug': 'mocca-manager',
-        'name': 'Mocca Manager',
-        'ou': 'ou1'
-        }
+    role_data = {'slug': 'mocca-manager', 'name': 'Mocca Manager', 'ou': 'ou1'}
 
     app.post_json('/api/roles/', params=role_data, status=403)
     assert not len(Role.objects.filter(slug='mocca-manager'))
@@ -1373,10 +1398,11 @@ def test_no_opened_session_cookie_on_api(app, user, settings):
 
 def test_validate_password_default(app):
     for password, ok, length, lower, digit, upper in (
-            ('.',            False, False, False, False, False),
-            ('x' * 8,        False,  True,  True, False, False),
-            ('x' * 8 + '1',  False,  True,  True,  True, False),
-            ('x' * 8 + '1X',  True,  True,  True,  True,  True)):
+        ('.', False, False, False, False, False),
+        ('x' * 8, False, True, True, False, False),
+        ('x' * 8 + '1', False, True, True, True, False),
+        ('x' * 8 + '1X', True, True, True, True, True),
+    ):
         response = app.post_json('/api/validate-password/', params={'password': password})
         assert response.json['result'] == 1
         assert response.json['ok'] is ok
@@ -1508,12 +1534,7 @@ def test_api_users_get_or_create_email_not_unique(settings, app, admin):
     ou2 = OU.objects.create(name='OU2', slug='ou2', email_is_unique=False)
 
     app.authorization = ('Basic', (admin.username, admin.username))
-    payload = {
-        'email': 'john.doe@example.net',
-        'first_name': 'John',
-        'last_name': 'Doe',
-        'ou': 'ou1'
-    }
+    payload = {'email': 'john.doe@example.net', 'first_name': 'John', 'last_name': 'Doe', 'ou': 'ou1'}
     # 1. create
     resp = app.post_json('/api/users/?get_or_create=email', params=payload, status=201)
     id_user = resp.json['id']
@@ -1532,7 +1553,10 @@ def test_api_users_get_or_create_email_not_unique(settings, app, admin):
     assert User.objects.get(id=id_user2).ou == ou2
     # 4. fail to retrieve a single instance for an ambiguous get-or-create key
     resp = app.post_json('/api/users/?get_or_create=email', params=payload, status=409)
-    assert resp.json['errors'] == "retrieved several instances of model User for key attributes {'email': 'john.doe@example.net'}"
+    assert (
+        resp.json['errors']
+        == "retrieved several instances of model User for key attributes {'email': 'john.doe@example.net'}"
+    )
 
 
 def test_api_users_get_or_create_multi_key(settings, app, admin):
@@ -1543,13 +1567,17 @@ def test_api_users_get_or_create_multi_key(settings, app, admin):
         'first_name': 'John',
         'last_name': 'Doe',
     }
-    resp = app.post_json('/api/users/?get_or_create=first_name&get_or_create=last_name', params=payload, status=201)
+    resp = app.post_json(
+        '/api/users/?get_or_create=first_name&get_or_create=last_name', params=payload, status=201
+    )
     id = resp.json['id']
     assert User.objects.get(id=id).first_name == 'John'
     assert User.objects.get(id=id).last_name == 'Doe'
     password = User.objects.get(id=id).password
 
-    resp = app.post_json('/api/users/?get_or_create=first_name&get_or_create=last_name', params=payload, status=200)
+    resp = app.post_json(
+        '/api/users/?get_or_create=first_name&get_or_create=last_name', params=payload, status=200
+    )
     assert id == resp.json['id']
     assert User.objects.get(id=id).first_name == 'John'
     assert User.objects.get(id=id).last_name == 'Doe'
@@ -1558,8 +1586,8 @@ def test_api_users_get_or_create_multi_key(settings, app, admin):
     payload['email'] = 'john.doe@example2.net'
     payload['password'] = 'secret'
     resp = app.post_json(
-        '/api/users/?update_or_create=first_name&update_or_create=last_name',
-        params=payload, status=200)
+        '/api/users/?update_or_create=first_name&update_or_create=last_name', params=payload, status=200
+    )
     assert id == resp.json['id']
     assert User.objects.get(id=id).email == 'john.doe@example2.net'
     assert User.objects.get(id=id).password != password
@@ -1648,19 +1676,25 @@ def test_api_users_required_attribute(settings, app, admin, simple_user):
 
     # update from missing value to blank field fails
     payload['last_name'] = ''
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400
+    )
     assert resp.json['result'] == 0
     assert resp.json['errors']['last_name'] == ['This field may not be blank.']
 
     # update with value pass
     payload['last_name'] = 'Foobar'
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
     user = User.objects.get(id=simple_user.id)
     assert user.last_name == 'Foobar'
 
     # update from non-empty value to blank fails
     payload['last_name'] = ''
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400
+    )
     assert resp.json['result'] == 0
     assert resp.json['errors']['last_name'] == ['This field may not be blank.']
 
@@ -1690,7 +1724,9 @@ def test_api_users_required_date_attributes(settings, app, admin, simple_user):
     payload['prefered_color'] = ''
     payload['date'] = ''
     payload['birthdate'] = ''
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400
+    )
     assert resp.json['result'] == 0
     assert resp.json['errors']['prefered_color'] == ['This field may not be blank.']
     assert resp.json['errors']['date'] == ['This field may not be blank.']
@@ -1700,17 +1736,23 @@ def test_api_users_required_date_attributes(settings, app, admin, simple_user):
     payload['prefered_color'] = '?' * 257
     payload['date'] = '0000-00-00'
     payload['birthdate'] = '1899-12-31'
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=400
+    )
     assert resp.json['result'] == 0
     assert resp.json['errors']['prefered_color'] == ['Ensure this field has no more than 256 characters.']
     assert any(error.startswith('Date has wrong format.') for error in resp.json['errors']['date'])
-    assert resp.json['errors']['birthdate'] == ['birthdate must be in the past and greater or equal than 1900-01-01.']
+    assert resp.json['errors']['birthdate'] == [
+        'birthdate must be in the past and greater or equal than 1900-01-01.'
+    ]
 
     # update with values pass
     payload['prefered_color'] = 'blue'
     payload['date'] = '1515-1-15'
     payload['birthdate'] = '1900-2-22'
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
 
     # value are properly returned on a get
     resp = app.get('/api/users/{}/'.format(simple_user.uuid), headers=headers, status=200)
@@ -1732,10 +1774,10 @@ def test_api_users_optional_date_attributes(settings, app, admin, simple_user):
         'last_name': 'Doe',
     }
     headers = basic_authorization_header(admin)
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
-    resp = app.get('/api/users/{}/'.format(simple_user.uuid),
-            headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
+    resp = app.get('/api/users/{}/'.format(simple_user.uuid), headers=headers, status=200)
     payload['prefered_color'] = None
     payload['date'] = None
     payload['birthdate'] = None
@@ -1743,10 +1785,10 @@ def test_api_users_optional_date_attributes(settings, app, admin, simple_user):
     payload['prefered_color'] = ''
     payload['date'] = ''
     payload['birthdate'] = ''
-    resp = app.put_json('/api/users/{}/'.format(simple_user.uuid),
-            params=payload, headers=headers, status=200)
-    resp = app.get('/api/users/{}/'.format(simple_user.uuid),
-            headers=headers, status=200)
+    resp = app.put_json(
+        '/api/users/{}/'.format(simple_user.uuid), params=payload, headers=headers, status=200
+    )
+    resp = app.get('/api/users/{}/'.format(simple_user.uuid), headers=headers, status=200)
     payload['prefered_color'] = None
     payload['date'] = None
     payload['birthdate'] = None
@@ -1790,7 +1832,9 @@ def test_free_text_search(app, admin, settings):
     settings.LANGUAGE_CODE = 'fr'  # use fr date format
 
     app.authorization = ('Basic', (admin.username, admin.username))
-    Attribute.objects.create(kind='birthdate', name='birthdate', label='birthdate', required=False, searchable=True)
+    Attribute.objects.create(
+        kind='birthdate', name='birthdate', label='birthdate', required=False, searchable=True
+    )
 
     user = User.objects.create()
     user.attributes.birthdate = datetime.date(1982, 2, 10)
@@ -1862,7 +1906,9 @@ def test_find_duplicates_birthdate(app, admin, settings):
     settings.LANGUAGE_CODE = 'fr'
     app.authorization = ('Basic', (admin.username, admin.username))
 
-    Attribute.objects.create(kind='birthdate', name='birthdate', label='birthdate', required=False, searchable=True)
+    Attribute.objects.create(
+        kind='birthdate', name='birthdate', label='birthdate', required=False, searchable=True
+    )
 
     user = User.objects.create(first_name='Jean', last_name='Dupont')
     homonym = User.objects.create(first_name='Jean', last_name='Dupont')
@@ -1876,12 +1922,12 @@ def test_find_duplicates_birthdate(app, admin, settings):
     resp = app.get('/api/users/find_duplicates/', params=params)
     assert len(resp.json['data']) == 2
 
-    params['birthdate'] = '1980-01-2',
+    params['birthdate'] = ('1980-01-2',)
     resp = app.get('/api/users/find_duplicates/', params=params)
     assert len(resp.json['data']) == 2
     assert resp.json['data'][0]['id'] == user.pk
 
-    params['birthdate'] = '1980-01-3',
+    params['birthdate'] = ('1980-01-3',)
     resp = app.get('/api/users/find_duplicates/', params=params)
     assert len(resp.json['data']) == 2
     assert resp.json['data'][0]['id'] == homonym.pk
@@ -1954,7 +2000,7 @@ def test_phone_normalization_nok(settings, app, admin):
         'first_name': 'Jane',
         'last_name': 'Doe',
     }
-    payload['phone'] = ' + 334-99+98.56/43',
+    payload['phone'] = (' + 334-99+98.56/43',)
     app.post_json('/api/users/', headers=headers, params=payload, status=400)
 
     payload['phone'] = '1#2'
@@ -1962,7 +2008,7 @@ def test_phone_normalization_nok(settings, app, admin):
 
 
 def test_api_users_create_user_delete(app, settings, admin):
-    email='foo@example.net'
+    email = 'foo@example.net'
     user1 = User.objects.create(username='foo', email=email)
     user1.delete()
     user2 = User.objects.create(username='foo2', email=email)
@@ -2009,23 +2055,19 @@ def test_api_register_user_delete(app, settings, admin):
         'return_url': 'http://sp.example.com/validate/',
         'ou': 'default',
     }
-    response = app.post_json(
-            reverse('a2-api-register'), params=payload, headers=headers, status=400)
+    response = app.post_json(reverse('a2-api-register'), params=payload, headers=headers, status=400)
     assert response.json['errors'] == {'__all__': ['Account already exists']}
 
     user.delete()
-    response = app.post_json(
-            reverse('a2-api-register'), params=payload, headers=headers, status=201)
+    response = app.post_json(reverse('a2-api-register'), params=payload, headers=headers, status=201)
 
 
 def test_api_password_change_user_delete(app, settings, admin, ou1):
     app.authorization = ('Basic', (admin.username, admin.username))
-    user1 = User.objects.create(
-            username='john.doe', email='john.doe@example.com', ou=ou1)
+    user1 = User.objects.create(username='john.doe', email='john.doe@example.com', ou=ou1)
     user1.set_password('password')
     user1.save()
-    user2 = User.objects.create(
-            username='john.doe2', email='john.doe@example.com', ou=ou1)
+    user2 = User.objects.create(username='john.doe2', email='john.doe@example.com', ou=ou1)
     user2.set_password('password')
     user1.save()
 
@@ -2105,14 +2147,14 @@ def test_api_statistics_list(app, admin):
     service.save()
     login_stats['filters'][1]['options'][1]['id'] = 'service2 second'
     login_stats['filters'].append(
-            {
-                'id': 'services_ou',
-                'label': 'Services organizational unit',
-                'options': [
-                    {'id': 'default', 'label': 'Default organizational unit'},
-                    {'id': 'second', 'label': 'Second OU'}
-                ],
-            }
+        {
+            'id': 'services_ou',
+            'label': 'Services organizational unit',
+            'options': [
+                {'id': 'default', 'label': 'Default organizational unit'},
+                {'id': 'second', 'label': 'Second OU'},
+            ],
+        }
     )
     resp = app.get('/api/statistics/', headers=headers)
     assert login_stats in resp.json['data']
@@ -2120,14 +2162,14 @@ def test_api_statistics_list(app, admin):
     # same goes with users
     user = User.objects.create(username='john.doe', email='john.doe@example.com', ou=ou)
     login_stats['filters'].append(
-            {
-                'id': 'users_ou',
-                'label': 'Users organizational unit',
-                'options': [
-                    {'id': 'default', 'label': 'Default organizational unit'},
-                    {'id': 'second', 'label': 'Second OU'}
-                ],
-            }
+        {
+            'id': 'users_ou',
+            'label': 'Users organizational unit',
+            'options': [
+                {'id': 'default', 'label': 'Default organizational unit'},
+                {'id': 'second', 'label': 'Second OU'},
+            ],
+        }
     )
     resp = app.get('/api/statistics/', headers=headers)
     assert login_stats in resp.json['data']
@@ -2196,7 +2238,8 @@ def test_api_statistics(app, admin, freezer, event_type_name, event_name):
     assert services_ou_data == data
 
     resp = app.get(
-        '/api/statistics/%s/?time_interval=month&users_ou=default&service=agendas default' % event_name, headers=headers
+        '/api/statistics/%s/?time_interval=month&users_ou=default&service=agendas default' % event_name,
+        headers=headers,
     )
     data = resp.json['data']
     assert data == {
@@ -2230,9 +2273,7 @@ def test_api_statistics(app, admin, freezer, event_type_name, event_name):
     data = resp.json['data']
     assert data == {'x_labels': ['2020-02'], 'series': [{'label': 'password', 'data': [2]}]}
 
-    resp = app.get(
-        '/api/statistics/%s/?time_interval=month&end=2020-03-01' % event_name, headers=headers
-    )
+    resp = app.get('/api/statistics/%s/?time_interval=month&end=2020-03-01' % event_name, headers=headers)
     data = resp.json['data']
     assert data == {'x_labels': ['2020-02'], 'series': [{'label': 'password', 'data': [2]}]}
 
@@ -2274,4 +2315,6 @@ def test_api_statistics_no_crash_older_drf(app, admin):
 
 def test_find_duplicates_put(app, admin, settings):
     app.authorization = ('Basic', (admin.username, admin.username))
-    app.put_json('/api/users/find_duplicates/', params={'first_name': 'Eleonore', 'last_name': 'aeiou'}, status=405)
+    app.put_json(
+        '/api/users/find_duplicates/', params={'first_name': 'Eleonore', 'last_name': 'aeiou'}, status=405
+    )
diff --git a/tests/test_attribute_kinds.py b/tests/test_attribute_kinds.py
index eecedf8f..65d0efdc 100644
--- a/tests/test_attribute_kinds.py
+++ b/tests/test_attribute_kinds.py
@@ -30,8 +30,9 @@ from webtest import Upload
 
 
 def test_string(db, app, admin, mailoutbox):
-    Attribute.objects.create(name='nom_de_naissance', label='Nom de naissance', kind='string',
-                             asked_on_registration=True)
+    Attribute.objects.create(
+        name='nom_de_naissance', label='Nom de naissance', kind='string', asked_on_registration=True
+    )
     qs = User.objects.filter(first_name='John')
 
     response = app.get('/accounts/register/')
@@ -79,7 +80,6 @@ def test_string(db, app, admin, mailoutbox):
 
 
 def test_fr_postcode(db, app, admin, mailoutbox):
-
     def register_john():
         response = app.get('/accounts/register/')
         form = response.form
@@ -88,8 +88,9 @@ def test_fr_postcode(db, app, admin, mailoutbox):
         assert 'john.doe@example.com' in response
         return get_link_from_mail(mailoutbox[-1])
 
-    Attribute.objects.create(name='postcode', label='postcode', kind='fr_postcode',
-                             asked_on_registration=True)
+    Attribute.objects.create(
+        name='postcode', label='postcode', kind='fr_postcode', asked_on_registration=True
+    )
     qs = User.objects.filter(first_name='John')
 
     url = register_john()
@@ -198,8 +199,9 @@ def test_phone_number(db, app, admin, mailoutbox, settings):
         assert 'john.doe@example.com' in response
         return get_link_from_mail(mailoutbox[-1])
 
-    Attribute.objects.create(name='phone_number', label='phone', kind='phone_number',
-                             asked_on_registration=True)
+    Attribute.objects.create(
+        name='phone_number', label='phone', kind='phone_number', asked_on_registration=True
+    )
     qs = User.objects.filter(first_name='John')
 
     url = register_john()
@@ -267,7 +269,6 @@ def test_phone_number(db, app, admin, mailoutbox, settings):
 
 
 def test_birthdate(db, app, admin, mailoutbox, freezer):
-
     def register_john():
         response = app.get('/accounts/register/')
         form = response.form
@@ -277,8 +278,9 @@ def test_birthdate(db, app, admin, mailoutbox, freezer):
         return get_link_from_mail(mailoutbox[-1])
 
     freezer.move_to('2018-01-01')
-    Attribute.objects.create(name='birthdate', label='birthdate', kind='birthdate',
-                             asked_on_registration=True)
+    Attribute.objects.create(
+        name='birthdate', label='birthdate', kind='birthdate', asked_on_registration=True
+    )
     qs = User.objects.filter(first_name='John')
 
     url = register_john()
@@ -321,8 +323,9 @@ def test_birthdate(db, app, admin, mailoutbox, freezer):
 
 def test_birthdate_api(db, app, admin, mailoutbox, freezer):
     freezer.move_to('2018-01-01')
-    Attribute.objects.create(name='birthdate', label='birthdate', kind='birthdate',
-                             asked_on_registration=True)
+    Attribute.objects.create(
+        name='birthdate', label='birthdate', kind='birthdate', asked_on_registration=True
+    )
     qs = User.objects.filter(first_name='John')
     app.authorization = ('Basic', (admin.username, admin.username))
 
@@ -360,9 +363,15 @@ def test_birthdate_api(db, app, admin, mailoutbox, freezer):
 
 
 def test_profile_image(db, app, admin, mailoutbox):
-    Attribute.objects.create(name='cityscape_image', label='cityscape', kind='profile_image',
-                             asked_on_registration=True, required=False,
-                             user_visible=True, user_editable=True)
+    Attribute.objects.create(
+        name='cityscape_image',
+        label='cityscape',
+        kind='profile_image',
+        asked_on_registration=True,
+        required=False,
+        user_visible=True,
+        user_editable=True,
+    )
 
     def john():
         return User.objects.get(first_name='John')
@@ -398,7 +407,10 @@ def test_profile_image(db, app, admin, mailoutbox):
     # verify API serves absolute URL for profile images
     app.authorization = ('Basic', (admin.username, admin.username))
     response = app.get('/api/users/%s/' % john().uuid)
-    assert response.json['cityscape_image'] == 'http://testserver/media/%s' % john().attributes.cityscape_image.name
+    assert (
+        response.json['cityscape_image']
+        == 'http://testserver/media/%s' % john().attributes.cityscape_image.name
+    )
     app.authorization = None
 
     # verify we can clear the image
@@ -432,8 +444,15 @@ def test_profile_image(db, app, admin, mailoutbox):
 
 
 def test_multiple_attribute_setter(db, app, simple_user):
-    nicks = Attribute.objects.create(name='nicknames', label='Nicknames', kind='string',
-                             required=False, multiple=True, user_visible=True, user_editable=True)
+    nicks = Attribute.objects.create(
+        name='nicknames',
+        label='Nicknames',
+        kind='string',
+        required=False,
+        multiple=True,
+        user_visible=True,
+        user_editable=True,
+    )
 
     simple_user.attributes.nicknames = ['Roger', 'Tony', 'Robie']
     simple_user.save()
diff --git a/tests/test_auth_oidc.py b/tests/test_auth_oidc.py
index d48cc71d..c9a8d72d 100644
--- a/tests/test_auth_oidc.py
+++ b/tests/test_auth_oidc.py
@@ -42,8 +42,13 @@ from django.utils.timezone import utc
 from django_rbac.utils import get_ou_model
 
 from authentic2_auth_oidc.utils import (
-    parse_id_token, IDToken, get_providers, has_providers, register_issuer,
-    IDTokenError)
+    parse_id_token,
+    IDToken,
+    get_providers,
+    has_providers,
+    register_issuer,
+    IDTokenError,
+)
 from authentic2_auth_oidc.models import OIDCProvider, OIDCClaimMapping, OIDCAccount
 from authentic2.models import Attribute
 from authentic2.models import AttributeValue
@@ -63,6 +68,7 @@ def test_base64url_decode():
         base64url_decode('x')
     base64url_decode('aa')
 
+
 KID_RSA = '1e9gdk7'
 KID_EC = 'jb20Cg8'
 header_rsa_decoded = {'alg': 'RS256', 'kid': KID_RSA}
@@ -79,9 +85,11 @@ payload_decoded = {
 header_rsa = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ'
 header_ec = 'eyJhbGciOiJFUzI1NiIsImtpZCI6ImpiMjBDZzgifQ'
 header_hmac = 'eyJhbGciOiJIUzI1NiJ9'
-payload = ('eyJhdWQiOiJzNkJoZFJrcXQzIiwiZXhwIjoyMjAxMDk0Mjc4LCJpYXQiOjEzMTEyOD'
-           'A5NzAsImlzcyI6Imh0dHA6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJub25jZSI6Im4t'
-           'MFM2X1d6QTJNaiIsInN1YiI6IjI0ODI4OTc2MTAwMSJ9')
+payload = (
+    'eyJhdWQiOiJzNkJoZFJrcXQzIiwiZXhwIjoyMjAxMDk0Mjc4LCJpYXQiOjEzMTEyOD'
+    'A5NzAsImlzcyI6Imh0dHA6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJub25jZSI6Im4t'
+    'MFM2X1d6QTJNaiIsInN1YiI6IjI0ODI4OTc2MTAwMSJ9'
+)
 
 
 def test_parse_id_token(code, oidc_provider, oidc_provider_jwkset):
@@ -123,6 +131,7 @@ def oidc_provider_jwkset():
     jwkset.add(key_ec)
     return jwkset
 
+
 OIDC_PROVIDER_PARAMS = [
     {},
     {
@@ -133,7 +142,7 @@ OIDC_PROVIDER_PARAMS = [
     },
     {
         'claims_parameter_supported': True,
-    }
+    },
 ]
 
 
@@ -145,25 +154,25 @@ def oidc_provider(request, db, oidc_provider_jwkset):
     return make_oidc_provider(
         idtoken_algo=idtoken_algo,
         jwkset=oidc_provider_jwkset,
-        claims_parameter_supported=claims_parameter_supported)
+        claims_parameter_supported=claims_parameter_supported,
+    )
 
 
 @pytest.fixture
 def oidc_provider_rsa(request, db, oidc_provider_jwkset):
-    return make_oidc_provider(
-        idtoken_algo=OIDCProvider.ALGO_RSA,
-        jwkset=oidc_provider_jwkset)
+    return make_oidc_provider(idtoken_algo=OIDCProvider.ALGO_RSA, jwkset=oidc_provider_jwkset)
 
 
 def make_oidc_provider(
-        name='Server',
-        slug=None,
-        issuer=None,
-        max_auth_age=10,
-        strategy=OIDCProvider.STRATEGY_CREATE,
-        idtoken_algo=OIDCProvider._meta.get_field('idtoken_algo').default,
-        jwkset=None,
-        claims_parameter_supported=False):
+    name='Server',
+    slug=None,
+    issuer=None,
+    max_auth_age=10,
+    strategy=OIDCProvider.STRATEGY_CREATE,
+    idtoken_algo=OIDCProvider._meta.get_field('idtoken_algo').default,
+    jwkset=None,
+    claims_parameter_supported=False,
+):
     slug = slug or name.lower()
     issuer = issuer or ('https://%s.example.com' % slug)
     jwkset = json.loads(jwkset.export()) if jwkset else None
@@ -184,36 +193,24 @@ def make_oidc_provider(
         claims_parameter_supported=claims_parameter_supported,
     )
     provider.full_clean()
-    OIDCClaimMapping.objects.create(
-        provider=provider,
-        claim='sub',
-        attribute='username',
-        idtoken_claim=True)
-    OIDCClaimMapping.objects.create(
-        provider=provider,
-        claim='email',
-        attribute='email')
-    OIDCClaimMapping.objects.create(
-        provider=provider,
-        claim='email',
-        required=True,
-        attribute='email')
+    OIDCClaimMapping.objects.create(provider=provider, claim='sub', attribute='username', idtoken_claim=True)
+    OIDCClaimMapping.objects.create(provider=provider, claim='email', attribute='email')
+    OIDCClaimMapping.objects.create(provider=provider, claim='email', required=True, attribute='email')
     OIDCClaimMapping.objects.create(
         provider=provider,
         claim='given_name',
         required=True,
         verified=OIDCClaimMapping.ALWAYS_VERIFIED,
-        attribute='first_name')
+        attribute='first_name',
+    )
     OIDCClaimMapping.objects.create(
         provider=provider,
         claim='family_name',
         required=True,
         verified=OIDCClaimMapping.VERIFIED_CLAIM,
-        attribute='last_name')
-    OIDCClaimMapping.objects.create(
-        provider=provider,
-        claim='ou',
-        attribute='ou__slug')
+        attribute='last_name',
+    )
+    OIDCClaimMapping.objects.create(provider=provider, claim='ou', attribute='ou__slug')
     return provider
 
 
@@ -238,18 +235,24 @@ def _signature(oidc_provider):
         key = oidc_provider.jwkset.get_key(kid=KID_EC)
         header_decoded = header_ec_decoded
     elif oidc_provider.idtoken_algo == OIDCProvider.ALGO_HMAC:
-        key = JWK(kty='oct',
-                  k=base64url_encode(
-                      oidc_provider.client_secret.encode('utf-8')))
+        key = JWK(kty='oct', k=base64url_encode(oidc_provider.client_secret.encode('utf-8')))
         header_decoded = header_hmac_decoded
     jws = JWS(payload=json_encode(payload_decoded))
     jws.add_signature(key=key, protected=header_decoded)
     return json.loads(jws.serialize())['signature']
 
 
-def oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token=None,
-                       extra_user_info=None, sub='john.doe', nonce=None,
-                       provides_kid_header=False, kid=None):
+def oidc_provider_mock(
+    oidc_provider,
+    oidc_provider_jwkset,
+    code,
+    extra_id_token=None,
+    extra_user_info=None,
+    sub='john.doe',
+    nonce=None,
+    provides_kid_header=False,
+    kid=None,
+):
     token_endpoint = urlparse.urlparse(oidc_provider.token_endpoint)
     userinfo_endpoint = urlparse.urlparse(oidc_provider.userinfo_endpoint)
     token_revocation_endpoint = urlparse.urlparse(oidc_provider.token_revocation_endpoint)
@@ -278,10 +281,13 @@ def oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token
                 }.get(oidc_provider.idtoken_algo)
                 jwk = None
                 for key in oidc_provider_jwkset['keys']:
-                    if key.key_type == {
+                    if (
+                        key.key_type
+                        == {
                             OIDCProvider.ALGO_RSA: 'RSA',
                             OIDCProvider.ALGO_EC: 'EC',
-                    }.get(oidc_provider.idtoken_algo):
+                        }.get(oidc_provider.idtoken_algo)
+                    ):
                         jwk = key
                         break
                 if provides_kid_header:
@@ -291,12 +297,9 @@ def oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token
                 jwt = JWT(header=header, claims=id_token)
                 jwt.make_signed_token(jwk)
             else:  # hmac
-                jwt = JWT(header={'alg': 'HS256'},
-                          claims=id_token)
+                jwt = JWT(header={'alg': 'HS256'}, claims=id_token)
                 k = base64url_encode(oidc_provider.client_secret.encode('utf-8'))
-                jwt.make_signed_token(
-                    JWK(kty='oct',
-                        k=force_text(k)))
+                jwt.make_signed_token(JWK(kty='oct', k=force_text(k)))
 
             content = {
                 'access_token': '1234',
@@ -348,6 +351,7 @@ def oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token
         return {
             'status_code': 200,
         }
+
     return HTTMock(token_endpoint_mock, user_info_endpoint_mock, token_revocation_endpoint_mock)
 
 
@@ -374,7 +378,7 @@ def test_providers_on_login_page(oidc_provider, app):
         strategy=OIDCProvider.STRATEGY_CREATE,
         jwkset_json=None,
         idtoken_algo=OIDCProvider.ALGO_RSA,
-        claims_parameter_supported=False
+        claims_parameter_supported=False,
     )
 
     response = app.get('/login/')
@@ -388,23 +392,14 @@ def test_login_with_conditional_authenticators(oidc_provider, app, settings, cap
     assert 'My IDP' in response
     assert 'Server' in response
 
-    settings.AUTH_FRONTENDS_KWARGS = {
-        'oidc': {
-            'show_condition': {
-                'myidp': 'remote_addr==\'0.0.0.0\''
-            }
-        }
-    }
+    settings.AUTH_FRONTENDS_KWARGS = {'oidc': {'show_condition': {'myidp': 'remote_addr==\'0.0.0.0\''}}}
     response = app.get('/login/')
     assert 'Server' in response
     assert 'My IDP' not in response
 
     settings.AUTH_FRONTENDS_KWARGS = {
         'oidc': {
-            'show_condition': {
-                'myid': 'remote_addr==\'0.0.0.0\'',
-                'server': 'remote_addr==\'127.0.0.1\''
-            }
+            'show_condition': {'myid': 'remote_addr==\'0.0.0.0\'', 'server': 'remote_addr==\'127.0.0.1\''}
         }
     }
     response = app.get('/login/')
@@ -413,21 +408,14 @@ def test_login_with_conditional_authenticators(oidc_provider, app, settings, cap
 
     settings.AUTH_FRONTENDS_KWARGS = {
         'oidc': {
-            'show_condition': {
-                'myidp': 'remote_addr==\'0.0.0.0\'',
-                'server': 'remote_addr==\'127.0.0.1\''
-            }
+            'show_condition': {'myidp': 'remote_addr==\'0.0.0.0\'', 'server': 'remote_addr==\'127.0.0.1\''}
         }
     }
     response = app.get('/login/')
     assert 'Server' in response
     assert 'My IDP' not in response
 
-    settings.AUTH_FRONTENDS_KWARGS = {
-        'oidc': {
-            'show_condition': 'remote_addr==\'127.0.0.1\''
-        }
-    }
+    settings.AUTH_FRONTENDS_KWARGS = {'oidc': {'show_condition': 'remote_addr==\'127.0.0.1\''}}
     response = app.get('/login/')
     assert 'Server' in response
     assert 'My IDP' in response
@@ -502,24 +490,19 @@ def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
         with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code):
             response = app.get(login_callback_url(oidc_provider), params={'code': 'yyyy', 'state': state})
     with utils.check_log(caplog, 'invalid id_token'):
-        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                                extra_id_token={'iss': None}):
+        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token={'iss': None}):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     with utils.check_log(caplog, 'invalid id_token'):
-        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                                extra_id_token={'sub': None}):
+        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token={'sub': None}):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     with utils.check_log(caplog, 'authentication is too old'):
-        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                                extra_id_token={'iat': 1}):
+        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token={'iat': 1}):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     with utils.check_log(caplog, 'invalid id_token'):
-        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                                extra_id_token={'exp': 1}):
+        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token={'exp': 1}):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     with utils.check_log(caplog, 'invalid id_token audience'):
-        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                                extra_id_token={'aud': 'zz'}):
+        with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token={'aud': 'zz'}):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     with utils.check_log(caplog, 'expected nonce'):
         with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code):
@@ -530,7 +513,8 @@ def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     assert len(hooks.auth_oidc_backend_modify_user) == 1
     assert set(hooks.auth_oidc_backend_modify_user[0]['kwargs']) >= set(
-        ['user', 'provider', 'user_info', 'id_token', 'access_token'])
+        ['user', 'provider', 'user_info', 'id_token', 'access_token']
+    )
     assert urlparse.urlparse(response['Location']).path == '/admin/'
     assert User.objects.count() == 1
     user = User.objects.get()
@@ -545,14 +529,16 @@ def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
     assert AttributeValue.objects.filter(content='Doe', verified=False).count() == 1
     assert last_authentication_event(session=app.session)['nonce'] == nonce
 
-    with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                            extra_user_info={'family_name_verified': True}, nonce=nonce):
+    with oidc_provider_mock(
+        oidc_provider, oidc_provider_jwkset, code, extra_user_info={'family_name_verified': True}, nonce=nonce
+    ):
         response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     assert AttributeValue.objects.filter(content='Doe', verified=False).count() == 0
     assert AttributeValue.objects.filter(content='Doe', verified=True).count() == 1
 
-    with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code,
-                            extra_user_info={'ou': 'cassis'}, nonce=nonce):
+    with oidc_provider_mock(
+        oidc_provider, oidc_provider_jwkset, code, extra_user_info={'ou': 'cassis'}, nonce=nonce
+    ):
         response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
     assert User.objects.count() == 1
     user = User.objects.get()
@@ -684,36 +670,37 @@ def test_register_issuer(db, app, caplog, oidc_provider_jwkset):
         return oidc_provider_jwkset.export()
 
     with HTTMock(jwks_mock):
-        register_issuer(
-            name='test_issuer',
-            issuer='https://default.issuer',
-            openid_configuration=oidc_conf)
+        register_issuer(name='test_issuer', issuer='https://default.issuer', openid_configuration=oidc_conf)
 
     oidc_conf['id_token_signing_alg_values_supported'] = ['HS256']
     with HTTMock(jwks_mock):
         register_issuer(
-            name='test_issuer_hmac_only',
-            issuer='https://hmac_only.issuer',
-            openid_configuration=oidc_conf)
+            name='test_issuer_hmac_only', issuer='https://hmac_only.issuer', openid_configuration=oidc_conf
+        )
 
 
 def test_required_keys(db, oidc_provider, caplog):
-    erroneous_payload = base64url_encode(json.dumps({
-        'sub': '248289761001',
-        'iss': 'http://server.example.com',
-        'iat': 1311280970,
-        'exp': 1311281970,  # Missing 'aud' and 'nonce' required claims
-        'extra_stuff': 'hi there',  # Wrong claim
-    }).encode('ascii'))
+    erroneous_payload = base64url_encode(
+        json.dumps(
+            {
+                'sub': '248289761001',
+                'iss': 'http://server.example.com',
+                'iat': 1311280970,
+                'exp': 1311281970,  # Missing 'aud' and 'nonce' required claims
+                'extra_stuff': 'hi there',  # Wrong claim
+            }
+        ).encode('ascii')
+    )
 
     with pytest.raises(IDTokenError):
         with utils.check_log(caplog, 'missing field'):
-            token = IDToken('{}.{}.{}'.format(_header(oidc_provider), erroneous_payload, _signature(oidc_provider)))
+            token = IDToken(
+                '{}.{}.{}'.format(_header(oidc_provider), erroneous_payload, _signature(oidc_provider))
+            )
             token.deserialize(oidc_provider)
 
 
-def test_invalid_kid(app, caplog, code, oidc_provider_rsa,
-                     oidc_provider_jwkset, simple_user):
+def test_invalid_kid(app, caplog, code, oidc_provider_rsa, oidc_provider_jwkset, simple_user):
 
     # no mapping please
     OIDCClaimMapping.objects.all().delete()
@@ -730,28 +717,23 @@ def test_invalid_kid(app, caplog, code, oidc_provider_rsa,
 
     # test invalid kid
     with utils.check_log(caplog, message='not in key set', levelname='WARNING'):
-        with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code,
-                                nonce=nonce, provides_kid_header=True,
-                                kid='coin'):
-            response = app.get(login_callback_url(oidc_provider_rsa),
-                               params={'code': code, 'state': state})
+        with oidc_provider_mock(
+            oidc_provider_rsa, oidc_provider_jwkset, code, nonce=nonce, provides_kid_header=True, kid='coin'
+        ):
+            response = app.get(login_callback_url(oidc_provider_rsa), params={'code': code, 'state': state})
 
     # test missing kid
     with utils.check_log(caplog, message='Key ID None not in key set', levelname='WARNING'):
-        with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code,
-                                nonce=nonce, provides_kid_header=True,
-                                kid=None):
-            response = app.get(login_callback_url(oidc_provider_rsa),
-                               params={'code': code, 'state': state})
+        with oidc_provider_mock(
+            oidc_provider_rsa, oidc_provider_jwkset, code, nonce=nonce, provides_kid_header=True, kid=None
+        ):
+            response = app.get(login_callback_url(oidc_provider_rsa), params={'code': code, 'state': state})
 
 
 def test_templated_claim_mapping(app, caplog, code, oidc_provider, oidc_provider_jwkset):
 
     Attribute.objects.create(
-        name='pro_phone',
-        label='professonial phone',
-        kind='phone_number',
-        asked_on_registration=True
+        name='pro_phone', label='professonial phone', kind='phone_number', asked_on_registration=True
     )
     # no default mapping
     OIDCClaimMapping.objects.all().delete()
@@ -800,8 +782,9 @@ def test_templated_claim_mapping(app, caplog, code, oidc_provider, oidc_provider
     nonce = query['nonce']
 
     with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
-        response = app.get(login_callback_url(oidc_provider),
-                           params={'code': code, 'state': state}).maybe_follow()
+        response = app.get(
+            login_callback_url(oidc_provider), params={'code': code, 'state': state}
+        ).maybe_follow()
 
     assert User.objects.count() == 1
     user = User.objects.first()
diff --git a/tests/test_auth_saml.py b/tests/test_auth_saml.py
index 2e40f80a..f6834d58 100644
--- a/tests/test_auth_saml.py
+++ b/tests/test_auth_saml.py
@@ -75,11 +75,7 @@ def idp():
                 'saml_attribute': 'mail',
                 'mandatory': True,
             },
-            {
-                'action': 'rename',
-                'from': 'http://fucking/attribute/givenName',
-                'to': 'first_name'
-            },
+            {'action': 'rename', 'from': 'http://fucking/attribute/givenName', 'to': 'first_name'},
             {
                 'attribute': 'title',
                 'saml_attribute': 'title',
@@ -87,7 +83,7 @@ def idp():
             {
                 'attribute': 'first_name',
                 'saml_attribute': 'first_name',
-            }
+            },
         ]
     }
 
@@ -134,14 +130,18 @@ def test_lookup_user_missing_mandatory_attribute(adapter, idp, saml_attributes,
     assert User.objects.count() == 0
 
 
-def test_apply_attribute_mapping_missing_attribute_logged(caplog, adapter, idp, saml_attributes, title_attribute, user):
+def test_apply_attribute_mapping_missing_attribute_logged(
+    caplog, adapter, idp, saml_attributes, title_attribute, user
+):
     caplog.set_level('WARNING')
     saml_attributes['http://fucking/attribute/givenName'] = []
     adapter.apply_attribute_mapping(user, idp, saml_attributes, idp['A2_ATTRIBUTE_MAPPING'])
     assert re.match('.*no value.*first_name', caplog.records[-1].message)
 
 
-def test_apply_attribute_mapping_missing_attribute_exception(adapter, idp, saml_attributes, title_attribute, user):
+def test_apply_attribute_mapping_missing_attribute_exception(
+    adapter, idp, saml_attributes, title_attribute, user
+):
     saml_attributes['http://fucking/attribute/givenName'] = []
     idp['A2_ATTRIBUTE_MAPPING'][-1]['mandatory'] = True
     with pytest.raises(MappingError, match='no value'):
@@ -222,35 +222,20 @@ def test_login_with_conditionnal_authenticators(db, app, settings, caplog):
     response = app.get('/login/')
     assert 'login-saml-0' in response
 
-    settings.AUTH_FRONTENDS_KWARGS = {
-        'saml': {
-            'show_condition': 'remote_addr==\'0.0.0.0\''
-        }
-    }
+    settings.AUTH_FRONTENDS_KWARGS = {'saml': {'show_condition': 'remote_addr==\'0.0.0.0\''}}
     response = app.get('/login/')
     assert 'login-saml-0' not in response
 
     settings.MELLON_IDENTITY_PROVIDERS.append(
         {"METADATA": os.path.join(os.path.dirname(__file__), 'metadata.xml')}
     )
-    settings.AUTH_FRONTENDS_KWARGS = {
-        'saml': {
-            'show_condition': {
-                '0': 'remote_addr==\'0.0.0.0\''
-            }
-        }
-    }
+    settings.AUTH_FRONTENDS_KWARGS = {'saml': {'show_condition': {'0': 'remote_addr==\'0.0.0.0\''}}}
     response = app.get('/login/')
     assert 'login-saml-0' not in response
     assert 'login-saml-1' in response
 
     settings.AUTH_FRONTENDS_KWARGS = {
-        'saml': {
-            'show_condition': {
-                '0': 'remote_addr==\'0.0.0.0\'',
-                '1': 'remote_addr==\'0.0.0.0\''
-            }
-        }
+        'saml': {'show_condition': {'0': 'remote_addr==\'0.0.0.0\'', '1': 'remote_addr==\'0.0.0.0\''}}
     }
     response = app.get('/login/')
     assert 'login-saml-0' not in response
@@ -287,5 +272,5 @@ def test_save_account_on_delete_user(db):
         {
             'issuer': 'https://idp2.com/',
             'name_id': '4567',
-        }
+        },
     ]
diff --git a/tests/test_commands.py b/tests/test_commands.py
index 468fbe73..72f03bee 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -46,6 +46,7 @@ if six.PY2:
     FileType = file  # noqa: F821
 else:
     from io import TextIOWrapper, BufferedReader, BufferedWriter
+
     FileType = (TextIOWrapper, BufferedReader, BufferedWriter)
 
 
@@ -64,14 +65,9 @@ def test_changepassword(db, simple_user, monkeypatch):
 
 def test_clean_unused_account(db, simple_user, mailoutbox, freezer, settings):
     settings.LDAP_AUTH_SETTINGS = [{'realm': 'ldap', 'url': 'ldap://ldap.com/', 'basedn': 'dc=ldap,dc=com'}]
-    ldap_user = User.objects.create(username='ldap-user',
-                                    email='ldap-user@example.com',
-                                    ou=simple_user.ou)
-    oidc_user = User.objects.create(username='oidc-user',
-                                    email='oidc-user@example.com',
-                                    ou=simple_user.ou)
-    UserExternalId.objects.create(user=ldap_user, source='ldap',
-                                  external_id='whatever')
+    ldap_user = User.objects.create(username='ldap-user', email='ldap-user@example.com', ou=simple_user.ou)
+    oidc_user = User.objects.create(username='oidc-user', email='oidc-user@example.com', ou=simple_user.ou)
+    UserExternalId.objects.create(user=ldap_user, source='ldap', external_id='whatever')
     provider = OIDCProvider.objects.create(name='oidc', ou=simple_user.ou)
     OIDCAccount.objects.create(user=oidc_user, provider=provider, sub='1')
 
@@ -160,8 +156,9 @@ def test_clean_unused_account_always_alert(db, simple_user, mailoutbox, freezer)
     assert len(mailoutbox) == 1
 
 
-@pytest.mark.parametrize("deletion_delay,formatted",
-                         [(730, u'2\xa0years'), (500, u'1\xa0year'), (65, u'2\xa0months')])
+@pytest.mark.parametrize(
+    "deletion_delay,formatted", [(730, u'2\xa0years'), (500, u'1\xa0year'), (65, u'2\xa0months')]
+)
 def test_clean_unused_account_human_duration_format(simple_user, mailoutbox, deletion_delay, formatted):
     simple_user.ou.clean_unused_accounts_alert = deletion_delay - 1
     simple_user.ou.clean_unused_accounts_deletion = deletion_delay
@@ -213,11 +210,9 @@ def test_load_ldif(db, monkeypatch, tmpdir):
         def parse(self):
             pass
 
-    oidc_cmd = importlib.import_module(
-        'authentic2.management.commands.load-ldif')
+    oidc_cmd = importlib.import_module('authentic2.management.commands.load-ldif')
     monkeypatch.setattr(oidc_cmd, 'DjangoUserLDIFParser', MockPArser)
-    call_command(
-        'load-ldif', ldif.strpath, result='result', extra_attribute={'ldap_attr': 'first_name'})
+    call_command('load-ldif', ldif.strpath, result='result', extra_attribute={'ldap_attr': 'first_name'})
 
     # test ExtraAttributeAction
     class MockPArser(object):
@@ -225,8 +220,7 @@ def test_load_ldif(db, monkeypatch, tmpdir):
             self.users = []
             assert len(args) == 1
             assert isinstance(args[0], FileType)
-            assert kwargs['options']['extra_attribute'] == {
-                'ldap_attr': 'first_name'}
+            assert kwargs['options']['extra_attribute'] == {'ldap_attr': 'first_name'}
             assert kwargs['options']['result'] == 'result'
 
         def parse(self):
@@ -234,8 +228,8 @@ def test_load_ldif(db, monkeypatch, tmpdir):
 
     monkeypatch.setattr(oidc_cmd, 'DjangoUserLDIFParser', MockPArser)
     call_command(
-        'load-ldif', '--extra-attribute', 'ldap_attr', 'first_name',
-        '--result', 'result', ldif.strpath)
+        'load-ldif', '--extra-attribute', 'ldap_attr', 'first_name', '--result', 'result', ldif.strpath
+    )
 
 
 def test_oidc_register_issuer(db, tmpdir, monkeypatch):
@@ -243,26 +237,27 @@ def test_oidc_register_issuer(db, tmpdir, monkeypatch):
     with oidc_conf_f.open() as f:
         oidc_conf = json.load(f)
 
-    def register_issuer(
-            name, issuer=None, openid_configuration=None, verify=True, timeout=None,
-            ou=None):
+    def register_issuer(name, issuer=None, openid_configuration=None, verify=True, timeout=None, ou=None):
         OU = get_ou_model()
         ou = OU.objects.get(default=True)
         return OIDCProvider.objects.create(
-            name=name, ou=ou, issuer=issuer, strategy='create',
+            name=name,
+            ou=ou,
+            issuer=issuer,
+            strategy='create',
             authorization_endpoint=openid_configuration['authorization_endpoint'],
             token_endpoint=openid_configuration['token_endpoint'],
             userinfo_endpoint=openid_configuration['userinfo_endpoint'],
-            end_session_endpoint=openid_configuration['end_session_endpoint'])
+            end_session_endpoint=openid_configuration['end_session_endpoint'],
+        )
 
-    oidc_cmd = importlib.import_module(
-        'authentic2_auth_oidc.management.commands.oidc-register-issuer')
+    oidc_cmd = importlib.import_module('authentic2_auth_oidc.management.commands.oidc-register-issuer')
     monkeypatch.setattr(oidc_cmd, 'register_issuer', register_issuer)
 
     oidc_conf = py.path.local(__file__).dirpath('openid_configuration.json').strpath
     call_command(
-        'oidc-register-issuer', '--openid-configuration', oidc_conf, '--issuer', 'issuer',
-        'somename')
+        'oidc-register-issuer', '--openid-configuration', oidc_conf, '--issuer', 'issuer', 'somename'
+    )
 
     provider = OIDCProvider.objects.get(name='somename')
     assert provider.issuer == 'issuer'
@@ -289,12 +284,13 @@ def test_check_and_repair_managers_of_roles(db, capsys):
     ou1 = get_ou_model().objects.create(name='Orgunit1', slug='orgunit1')
     role1 = Role.objects.create(name='Role 1', slug='role-1', ou=default_ou)
     perm1 = Permission.objects.create(
-        operation=admin_op, target_id=role1.id,
+        operation=admin_op,
+        target_id=role1.id,
         ou=default_ou,
-        target_ct=ContentType.objects.get_for_model(Role))
+        target_ct=ContentType.objects.get_for_model(Role),
+    )
 
-    manager_role1 = Role.objects.create(
-        name='Managers of Role 1', slug='_a2-managers-of-role-role1')
+    manager_role1 = Role.objects.create(name='Managers of Role 1', slug='_a2-managers-of-role-role1')
     manager_role1.permissions.add(perm1)
     manager_role1.save()
     manager_role1_id = manager_role1.id
@@ -306,8 +302,7 @@ def test_check_and_repair_managers_of_roles(db, capsys):
     assert 'Managers of Role 1" wrong ou, should be "Default organizational unit"' in captured.out
     assert 'invalid permission "Management / role / Role 1": not manage_members operation' in captured.out
     assert (
-        'invalid permission "Management / role / Role 1": '
-        'not admin_scope and not self manage permission'
+        'invalid permission "Management / role / Role 1": ' 'not admin_scope and not self manage permission'
     ) in captured.out
     assert (
         'invalid admin role "Managers of Role 1" '
@@ -319,11 +314,15 @@ def test_check_and_repair_managers_of_roles(db, capsys):
     manager_role1 = role1.get_admin_role()
     assert manager_role1.ou == get_default_ou()
     assert manager_role1.permissions.count() == 3
-    assert manager_role1.permissions.get(operation=get_operation(MANAGE_MEMBERS_OP), target_id=manager_role1.id)
+    assert manager_role1.permissions.get(
+        operation=get_operation(MANAGE_MEMBERS_OP), target_id=manager_role1.id
+    )
     assert manager_role1.permissions.get(operation=get_operation(MANAGE_MEMBERS_OP), target_id=role1.id)
-    assert manager_role1.permissions.get(operation=get_operation(VIEW_OP),
-                                         target_ct=ContentType.objects.get_for_model(ContentType),
-                                         target_id=ContentType.objects.get_for_model(User).pk)
+    assert manager_role1.permissions.get(
+        operation=get_operation(VIEW_OP),
+        target_ct=ContentType.objects.get_for_model(ContentType),
+        target_id=ContentType.objects.get_for_model(User).pk,
+    )
 
     manage_members_op = get_operation(MANAGE_MEMBERS_OP)
     perm1.op = manage_members_op
@@ -332,18 +331,19 @@ def test_check_and_repair_managers_of_roles(db, capsys):
     perm1 = Permission.objects.get(operation=manage_members_op, target_id=role1.id)
     assert perm1.ou is None
 
+
 def test_check_and_delete_unused_permissions(db, capsys, simple_user):
     Permission = get_permission_model()
     role1 = get_role_model().objects.create(name='Role1', slug='role1')
     op1 = Operation.objects.create(slug='operation-1')
     used_perm = Permission.objects.create(
-        operation=op1, target_id=role1.id,
-        target_ct=ContentType.objects.get_for_model(get_role_model()))
+        operation=op1, target_id=role1.id, target_ct=ContentType.objects.get_for_model(get_role_model())
+    )
     role1.admin_scope = used_perm
     role1.save()
     Permission.objects.create(
-        operation=op1, target_id=simple_user.id,
-        target_ct=ContentType.objects.get_for_model(get_user_model()))
+        operation=op1, target_id=simple_user.id, target_ct=ContentType.objects.get_for_model(get_user_model())
+    )
 
     call_command('check-and-repair', '--fake', '--noinput')
     n_perm = len(Permission.objects.all())
@@ -359,14 +359,14 @@ def test_check_identifiers_uniqueness(db, capsys, settings):
     ou.save()
 
     user1 = User.objects.create(
-            username='foo', email='foo@example.net',
-            first_name='Toto', last_name='Foo', ou=ou)
+        username='foo', email='foo@example.net', first_name='Toto', last_name='Foo', ou=ou
+    )
     user2 = User.objects.create(
-            username='foo', email='bar@example.net',
-            first_name='Bar', last_name='Foo', ou=ou)
+        username='foo', email='bar@example.net', first_name='Bar', last_name='Foo', ou=ou
+    )
     user3 = User.objects.create(
-            username='bar', email='bar@example.net',
-            first_name='Tutu', last_name='Bar', ou=ou)
+        username='bar', email='bar@example.net', first_name='Tutu', last_name='Bar', ou=ou
+    )
 
     settings.A2_EMAIL_IS_UNIQUE = True
     settings.A2_USERNAME_IS_UNIQUE = True
diff --git a/tests/test_concurrency.py b/tests/test_concurrency.py
index 4bfe9277..6874d53f 100644
--- a/tests/test_concurrency.py
+++ b/tests/test_concurrency.py
@@ -30,21 +30,14 @@ def test_attribute_value_uniqueness(migrations, transactional_db, simple_user, c
 
     acount = Attribute.objects.count()
 
-    single_at = Attribute.objects.create(
-        name='single',
-        label='single',
-        kind='string',
-        multiple=False)
-    multiple_at = Attribute.objects.create(
-        name='multiple',
-        label='multiple',
-        kind='string',
-        multiple=True)
+    single_at = Attribute.objects.create(name='single', label='single', kind='string', multiple=False)
+    multiple_at = Attribute.objects.create(name='multiple', label='multiple', kind='string', multiple=True)
     assert Attribute.objects.count() == acount + 2
 
     AttributeValue.objects.all().delete()
 
     for i in range(10):
+
         def map_threads(f, l):
             threads = []
             for i in l:
@@ -56,6 +49,7 @@ def test_attribute_value_uniqueness(migrations, transactional_db, simple_user, c
         def f(i):
             simple_user.attributes.multiple = [str(i)]
             connection.close()
+
         map_threads(f, range(concurrency))
         map_threads(f, range(concurrency))
         assert AttributeValue.objects.filter(attribute=multiple_at).count() == 1
@@ -63,5 +57,6 @@ def test_attribute_value_uniqueness(migrations, transactional_db, simple_user, c
         def f(i):
             simple_user.attributes.single = str(i)
             connection.close()
+
         map_threads(f, range(concurrency))
         assert AttributeValue.objects.filter(attribute=single_at).count() == 1
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index f2e81306..b3aaf7ae 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -58,8 +58,12 @@ def test_deterministic_encryption():
 
     for hash_name in ['md5', 'sha1', 'sha256', 'sha384', 'sha512']:
         for count in [1, 50]:
-            crypted1 = crypto.aes_base64url_deterministic_encrypt(key, raw, salt, hash_name=hash_name, count=count)
-            crypted2 = crypto.aes_base64url_deterministic_encrypt(key, raw, salt, hash_name=hash_name, count=count)
+            crypted1 = crypto.aes_base64url_deterministic_encrypt(
+                key, raw, salt, hash_name=hash_name, count=count
+            )
+            crypted2 = crypto.aes_base64url_deterministic_encrypt(
+                key, raw, salt, hash_name=hash_name, count=count
+            )
             assert crypted1 == crypted2
             assert crypto.aes_base64url_deterministic_decrypt(key, crypted1, salt, max_count=count) == raw
 
diff --git a/tests/test_csv_import.py b/tests/test_csv_import.py
index ea85fcad..c3764920 100644
--- a/tests/test_csv_import.py
+++ b/tests/test_csv_import.py
@@ -65,6 +65,7 @@ def csv_importer_factory(encoding, style):
         run = importer.run
         importer.run = lambda *args, **kwargs: run(content, *args, encoding=encoding, **kwargs)
         return importer
+
     return factory
 
 
@@ -78,6 +79,7 @@ def user_csv_importer_factory(encoding, style):
         run = importer.run
         importer.run = lambda *args, **kwargs: run(content, *args, encoding=encoding, **kwargs)
         return importer
+
     return factory
 
 
@@ -424,9 +426,7 @@ app1,2,tnoel@entrouvert.com,Thomas,Noël,1234
     assert not importer.has_errors
     assert len(importer.rows) == 2
     for external_id in ['1', '2']:
-        thomas = User.objects.get(
-            userexternalid__source='app1',
-            userexternalid__external_id=external_id)
+        thomas = User.objects.get(userexternalid__source='app1', userexternalid__external_id=external_id)
 
         assert thomas.ou == get_default_ou()
         assert thomas.email_verified is True
@@ -476,8 +476,9 @@ def test_user_roles_csv(profile, user_csv_importer_factory):
     assert thomas not in role2.members.all()
 
     thomas.roles.remove(role)
-    content_name_add_multiple = '\n'.join((base_header + '_role_name', base_user + role_name,
-                                           base_user + 'test2'))
+    content_name_add_multiple = '\n'.join(
+        (base_header + '_role_name', base_user + role_name, base_user + 'test2')
+    )
     importer = user_csv_importer_factory(content_name_add_multiple)
     assert importer.run()
     thomas.refresh_from_db()
@@ -486,9 +487,9 @@ def test_user_roles_csv(profile, user_csv_importer_factory):
 
     thomas.roles.remove(role)
     thomas.roles.remove(role2)
-    content_name_clear_multiple = '\n'.join((base_header + '_role_name clear',
-                                             base_user + role_name,
-                                             base_user + 'test2'))
+    content_name_clear_multiple = '\n'.join(
+        (base_header + '_role_name clear', base_user + role_name, base_user + 'test2')
+    )
     importer = user_csv_importer_factory(content_name_clear_multiple)
     assert importer.run()
     thomas.refresh_from_db()
@@ -516,8 +517,9 @@ tnoel@entrouvert.com,test_name'''
     assert importer.has_errors
     assert importer.rows[0].cells[-1].errors[0].code == 'role-not-found'
 
-    content_header_error = '\n'.join((base_header + '_role_name,_role_slug',
-                                      base_user + ','.join((role_name, role_slug))))
+    content_header_error = '\n'.join(
+        (base_header + '_role_name,_role_slug', base_user + ','.join((role_name, role_slug)))
+    )
     importer = user_csv_importer_factory(content_header_error)
     assert not importer.run()
     assert importer.has_errors
@@ -584,18 +586,21 @@ remote,8,john.doe,,,
     assert importer.headers_by_name['username'].globally_unique
     assert importer.headers_by_name['email'].unique
     assert not importer.headers_by_name['email'].globally_unique
-    row_errors = {row.line: [error.description for error in row.errors] for row in importer.rows if row.errors}
+    row_errors = {
+        row.line: [error.description for error in row.errors] for row in importer.rows if row.errors
+    }
     assert row_errors == {
-        6: ['Unique constraint on column "email" failed: value already appear on line 2',
-            'Unique constraint on column "email" failed'],
+        6: [
+            'Unique constraint on column "email" failed: value already appear on line 2',
+            'Unique constraint on column "email" failed',
+        ],
         7: ['Unique constraint on column "username" failed: value already appear on line 3'],
-        9: ['Unique constraint on column "username" failed']
+        9: ['Unique constraint on column "username" failed'],
     }
     cell_errors = {
-        row.line: {
-            cell.header.name: [error for error in cell.errors] for cell in row.cells if cell.errors
-        }
-        for row in importer.rows if any(cell.errors for cell in row.cells)
+        row.line: {cell.header.name: [error for error in cell.errors] for cell in row.cells if cell.errors}
+        for row in importer.rows
+        if any(cell.errors for cell in row.cells)
     }
     assert cell_errors == {}
 
diff --git a/tests/test_custom_user.py b/tests/test_custom_user.py
index 68c4cd6d..00af792c 100644
--- a/tests/test_custom_user.py
+++ b/tests/test_custom_user.py
@@ -81,16 +81,10 @@ def fts(db):
     Attribute.objects.create(name='telephone', label='telephone', searchable=True, kind='phone_number')
     Attribute.objects.create(name='dob', label='dob', searchable=True, kind='birthdate')
     user1 = User.objects.create(
-        username='foo1234',
-        first_name='Jo',
-        last_name='darmettein',
-        email='jean.darmette@example.net'
+        username='foo1234', first_name='Jo', last_name='darmettein', email='jean.darmette@example.net'
     )
     user2 = User.objects.create(
-        username='bar1234',
-        first_name='Lea',
-        last_name='darmettein',
-        email='micheline.darmette@example.net'
+        username='bar1234', first_name='Lea', last_name='darmettein', email='micheline.darmette@example.net'
     )
     user3 = User.objects.create(
         first_name='',
@@ -123,7 +117,9 @@ def test_fts_dob(fts):
 
 def test_fts_email(fts):
     assert User.objects.free_text_search('jean.darmette@example.net').count() == 1
-    assert User.objects.free_text_search('jean.damrette@example.net').count() == 2  # no exact match, lookup by trigrams
+    assert (
+        User.objects.free_text_search('jean.damrette@example.net').count() == 2
+    )  # no exact match, lookup by trigrams
     assert User.objects.free_text_search('micheline.darmette@example.net').count() == 1
     assert User.objects.free_text_search('@example.net').count() == 2
     assert User.objects.free_text_search('@example').count() == 2
diff --git a/tests/test_customfields.py b/tests/test_customfields.py
index 5f4a2a9d..91c9137e 100644
--- a/tests/test_customfields.py
+++ b/tests/test_customfields.py
@@ -25,15 +25,19 @@ class CustomDataType(str):
     pass
 
 
-@pytest.mark.parametrize('value', [
-    u'\xe9',
-    b'\xc3\xa9',
-    {1: 1, 2: 4, 3: 6, 4: 8, 5: 10},
-    'Hello World',
-    (1, 2, 3, 4, 5),
-    [1, 2, 3, 4, 5],
-    CustomDataType('Hello World'),
-], ids=repr)
+@pytest.mark.parametrize(
+    'value',
+    [
+        u'\xe9',
+        b'\xc3\xa9',
+        {1: 1, 2: 4, 3: 6, 4: 8, 5: 10},
+        'Hello World',
+        (1, 2, 3, 4, 5),
+        [1, 2, 3, 4, 5],
+        CustomDataType('Hello World'),
+    ],
+    ids=repr,
+)
 def test_pickled_data_integrity(value, db):
     """Tests that data remains the same when saved to and fetched from the database."""
     KeyValue.objects.create(key='a', value=value)
@@ -52,5 +56,4 @@ def test_multiselectfield_data_integrity(db):
 def test_multiselectfield_lookup(db):
     value = [x[0] for x in NAME_ID_FORMATS_CHOICES]
     SPOptionsIdPPolicy.objects.create(name='spp', accepted_name_id_format=value)
-    assert SPOptionsIdPPolicy.objects.get(accepted_name_id_format=value).accepted_name_id_format \
-        == value
+    assert SPOptionsIdPPolicy.objects.get(accepted_name_id_format=value).accepted_name_id_format == value
diff --git a/tests/test_data_transfer.py b/tests/test_data_transfer.py
index f05465a9..1ee2b0fd 100644
--- a/tests/test_data_transfer.py
+++ b/tests/test_data_transfer.py
@@ -30,7 +30,8 @@ from authentic2.data_transfer import (
     ImportContext,
     RoleDeserializer,
     search_role,
-    import_ou)
+    import_ou,
+)
 from authentic2.utils import get_hex_uuid
 
 
@@ -50,15 +51,17 @@ def test_export_basic_role(db):
 
 def test_export_role_with_parents(db):
     grand_parent_role = Role.objects.create(
-        name='test grand parent role', slug='test-grand-parent-role', uuid=get_hex_uuid())
+        name='test grand parent role', slug='test-grand-parent-role', uuid=get_hex_uuid()
+    )
     parent_1_role = Role.objects.create(
-        name='test parent 1 role', slug='test-parent-1-role', uuid=get_hex_uuid())
+        name='test parent 1 role', slug='test-parent-1-role', uuid=get_hex_uuid()
+    )
     parent_1_role.add_parent(grand_parent_role)
     parent_2_role = Role.objects.create(
-        name='test parent 2 role', slug='test-parent-2-role', uuid=get_hex_uuid())
+        name='test parent 2 role', slug='test-parent-2-role', uuid=get_hex_uuid()
+    )
     parent_2_role.add_parent(grand_parent_role)
-    child_role = Role.objects.create(
-        name='test child role', slug='test-child-role', uuid=get_hex_uuid())
+    child_role = Role.objects.create(name='test child role', slug='test-child-role', uuid=get_hex_uuid())
     child_role.add_parent(parent_1_role)
     child_role.add_parent(parent_2_role)
 
@@ -111,16 +114,16 @@ def test_search_role_by_uuid(db):
 def test_search_role_by_slug(db):
     role_d = {'uuid': get_hex_uuid(), 'slug': 'role-slug'}
     role = Role.objects.create(**role_d)
-    assert role == search_role({
-        'uuid': get_hex_uuid(), 'slug': 'role-slug',
-        'ou': None, 'service': None})
+    assert role == search_role({'uuid': get_hex_uuid(), 'slug': 'role-slug', 'ou': None, 'service': None})
 
 
 def test_search_role_not_found(db):
-    assert search_role(
-        {
-            'uuid': get_hex_uuid(), 'slug': 'role-slug', 'name': 'role name',
-            'ou': None, 'service': None}) is None
+    assert (
+        search_role(
+            {'uuid': get_hex_uuid(), 'slug': 'role-slug', 'name': 'role name', 'ou': None, 'service': None}
+        )
+        is None
+    )
 
 
 def test_search_role_slug_not_unique(db):
@@ -133,9 +136,17 @@ def test_search_role_slug_not_unique(db):
 
 
 def test_role_deserializer(db):
-    rd = RoleDeserializer({
-        'name': 'some role', 'description': 'some role description', 'slug': 'some-role',
-        'uuid': get_hex_uuid(), 'ou': None, 'service': None}, ImportContext())
+    rd = RoleDeserializer(
+        {
+            'name': 'some role',
+            'description': 'some role description',
+            'slug': 'some-role',
+            'uuid': get_hex_uuid(),
+            'ou': None,
+            'service': None,
+        },
+        ImportContext(),
+    )
     assert rd._parents is None
     assert rd._attributes is None
     assert rd._obj is None
@@ -149,18 +160,33 @@ def test_role_deserializer(db):
 
 def test_role_deserializer_with_ou(db):
     ou = OU.objects.create(name='some ou', slug='some-ou')
-    rd = RoleDeserializer({
-        'uuid': get_hex_uuid(), 'name': 'some role', 'description': 'some role description',
-        'slug': 'some-role', 'ou': {'slug': 'some-ou'}, 'service': None}, ImportContext())
+    rd = RoleDeserializer(
+        {
+            'uuid': get_hex_uuid(),
+            'name': 'some role',
+            'description': 'some role description',
+            'slug': 'some-role',
+            'ou': {'slug': 'some-ou'},
+            'service': None,
+        },
+        ImportContext(),
+    )
     role, status = rd.deserialize()
     assert role.ou == ou
 
 
 def test_role_deserializer_missing_ou(db):
-    rd = RoleDeserializer({
-        'uuid': get_hex_uuid(), 'name': 'some role', 'description': 'role description',
-        'slug': 'some-role', 'ou': {'slug': 'some-ou'}, 'service': None},
-        ImportContext())
+    rd = RoleDeserializer(
+        {
+            'uuid': get_hex_uuid(),
+            'name': 'some role',
+            'description': 'role description',
+            'slug': 'some-role',
+            'ou': {'slug': 'some-ou'},
+            'service': None,
+        },
+        ImportContext(),
+    )
     with pytest.raises(ValidationError):
         rd.deserialize()
 
@@ -171,9 +197,10 @@ def test_role_deserializer_update_ou(db):
     uuid = get_hex_uuid()
     assert Role.objects.exclude(slug__startswith='_').count() == 0
     existing_role = Role.objects.create(uuid=uuid, slug='some-role', ou=ou1)
-    rd = RoleDeserializer({
-        'uuid': uuid, 'name': 'some-role', 'slug': 'some-role',
-        'ou': {'slug': 'ou-2'}, 'service': None}, ImportContext())
+    rd = RoleDeserializer(
+        {'uuid': uuid, 'name': 'some-role', 'slug': 'some-role', 'ou': {'slug': 'ou-2'}, 'service': None},
+        ImportContext(),
+    )
     role, status = rd.deserialize()
     existing_role.refresh_from_db()
     assert existing_role.ou == ou2
@@ -184,9 +211,10 @@ def test_role_deserializer_update_fields(db):
     uuid = get_hex_uuid()
     assert Role.objects.exclude(slug__startswith='_').count() == 0
     existing_role = Role.objects.create(uuid=uuid, slug='some-role', name='some role')
-    rd = RoleDeserializer({
-        'uuid': uuid, 'slug': 'some-role', 'name': 'some role changed',
-        'ou': None, 'service': None}, ImportContext())
+    rd = RoleDeserializer(
+        {'uuid': uuid, 'slug': 'some-role', 'name': 'some role changed', 'ou': None, 'service': None},
+        ImportContext(),
+    )
     role, status = rd.deserialize()
     existing_role.refresh_from_db()
     assert role == existing_role
@@ -198,12 +226,20 @@ def test_role_deserializer_with_attributes(db):
 
     attributes_data = {
         'attr1_name': dict(name='attr1_name', kind='string', value='attr1_value'),
-        'attr2_name': dict(name='attr2_name', kind='string', value='attr2_value')
+        'attr2_name': dict(name='attr2_name', kind='string', value='attr2_value'),
     }
-    rd = RoleDeserializer({
-        'uuid': get_hex_uuid(), 'name': 'some role', 'description': 'some role description',
-        'slug': 'some-role', 'attributes': list(attributes_data.values()),
-        'ou': None, 'service': None}, ImportContext())
+    rd = RoleDeserializer(
+        {
+            'uuid': get_hex_uuid(),
+            'name': 'some role',
+            'description': 'some role description',
+            'slug': 'some-role',
+            'attributes': list(attributes_data.values()),
+            'ou': None,
+            'service': None,
+        },
+        ImportContext(),
+    )
     role, status = rd.deserialize()
     created, deleted = rd.attributes()
     assert status == 'created'
@@ -220,8 +256,12 @@ def test_role_deserializer_with_attributes(db):
 
 def test_role_deserializer_creates_admin_role(db):
     role_dict = {
-        'name': 'some role', 'slug': 'some-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'name': 'some role',
+        'slug': 'some-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     rd = RoleDeserializer(role_dict, ImportContext())
     rd.deserialize()
     Role.objects.get(slug='_a2-managers-of-role-some-role')
@@ -229,12 +269,21 @@ def test_role_deserializer_creates_admin_role(db):
 
 def test_role_deserializer_parenting_existing_parent(db):
     parent_role_dict = {
-        'name': 'grand parent role', 'slug': 'grand-parent-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'name': 'grand parent role',
+        'slug': 'grand-parent-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     parent_role = Role.objects.create(**parent_role_dict)
     child_role_dict = {
-        'name': 'child role', 'slug': 'child-role', 'parents': [parent_role_dict],
-        'uuid': get_hex_uuid(), 'ou': None, 'service': None}
+        'name': 'child role',
+        'slug': 'child-role',
+        'parents': [parent_role_dict],
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
 
     rd = RoleDeserializer(child_role_dict, ImportContext())
     child_role, status = rd.deserialize()
@@ -250,11 +299,20 @@ def test_role_deserializer_parenting_existing_parent(db):
 
 def test_role_deserializer_parenting_non_existing_parent(db):
     parent_role_dict = {
-        'name': 'grand parent role', 'slug': 'grand-parent-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'name': 'grand parent role',
+        'slug': 'grand-parent-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     child_role_dict = {
-        'name': 'child role', 'slug': 'child-role', 'parents': [parent_role_dict],
-        'uuid': get_hex_uuid(), 'ou': None, 'service': None}
+        'name': 'child role',
+        'slug': 'child-role',
+        'parents': [parent_role_dict],
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     rd = RoleDeserializer(child_role_dict, ImportContext())
     rd.deserialize()
     with pytest.raises(ValidationError) as excinfo:
@@ -265,38 +323,32 @@ def test_role_deserializer_parenting_non_existing_parent(db):
 
 def test_role_deserializer_permissions(db):
     ou = OU.objects.create(slug='some-ou')
-    other_role_dict = {
-        'name': 'other role', 'slug': 'other-role-slug', 'uuid': get_hex_uuid(), 'ou': ou}
+    other_role_dict = {'name': 'other role', 'slug': 'other-role-slug', 'uuid': get_hex_uuid(), 'ou': ou}
     other_role = Role.objects.create(**other_role_dict)
     other_role_dict['permisison'] = {
-        "operation": {
-            "slug": "admin"
-        },
-        "ou": {
-            "slug": "default",
-            "name": "Collectivit\u00e9 par d\u00e9faut"
-        },
+        "operation": {"slug": "admin"},
+        "ou": {"slug": "default", "name": "Collectivit\u00e9 par d\u00e9faut"},
         'target_ct': {'app_label': u'a2_rbac', 'model': u'role'},
         "target": {
             "slug": "role-deux",
-            "ou": {
-                "slug": "default",
-                "name": "Collectivit\u00e9 par d\u00e9faut"
-            },
+            "ou": {"slug": "default", "name": "Collectivit\u00e9 par d\u00e9faut"},
             "service": None,
-            "name": "role deux"
-        }
+            "name": "role deux",
+        },
     }
     some_role_dict = {
-        'name': 'some role', 'slug': 'some-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'name': 'some role',
+        'slug': 'some-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     some_role_dict['permissions'] = [
         {
             'operation': {'slug': 'add'},
             'ou': None,
             'target_ct': {'app_label': u'a2_rbac', 'model': u'role'},
-            'target': {
-                "slug": u'other-role-slug', 'ou': {'slug': 'some-ou'}, 'service': None}
+            'target': {"slug": u'other-role-slug', 'ou': {'slug': 'some-ou'}, 'service': None},
         }
     ]
 
@@ -328,27 +380,20 @@ def test_permission_on_role(db):
     perm_ou = OU.objects.create(slug='perm-ou', name='perm ou')
     perm_role = Role.objects.create(slug='perm-role', ou=perm_ou, name='perm role')
 
-    some_role_dict = {
-        'name': 'some role', 'slug': 'some-role-slug', 'ou': None, 'service': None}
-    some_role_dict['permissions'] = [{
-        "operation": {
-            "slug": "admin"
-        },
-        "ou": {
-            "slug": "perm-ou",
-            "name": "perm-ou"
-        },
-        'target_ct': {'app_label': u'a2_rbac', 'model': u'role'},
-        "target": {
-            "slug": "perm-role",
-            "ou": {
-                "slug": "perm-ou",
-                "name": "perm ou"
+    some_role_dict = {'name': 'some role', 'slug': 'some-role-slug', 'ou': None, 'service': None}
+    some_role_dict['permissions'] = [
+        {
+            "operation": {"slug": "admin"},
+            "ou": {"slug": "perm-ou", "name": "perm-ou"},
+            'target_ct': {'app_label': u'a2_rbac', 'model': u'role'},
+            "target": {
+                "slug": "perm-role",
+                "ou": {"slug": "perm-ou", "name": "perm ou"},
+                "service": None,
+                "name": "perm role",
             },
-            "service": None,
-            "name": "perm role"
         }
-    }]
+    ]
 
     import_context = ImportContext()
     rd = RoleDeserializer(some_role_dict, import_context)
@@ -363,19 +408,15 @@ def test_permission_on_role(db):
 
 def test_permission_on_contentype(db):
     perm_ou = OU.objects.create(slug='perm-ou', name='perm ou')
-    some_role_dict = {
-        'name': 'some role', 'slug': 'some-role-slug', 'ou': None, 'service': None}
-    some_role_dict['permissions'] = [{
-        "operation": {
-            "slug": "admin"
-        },
-        "ou": {
-            "slug": "perm-ou",
-            "name": "perm-ou"
-        },
-        'target_ct': {"model": "contenttype", "app_label": "contenttypes"},
-        "target": {"model": "logentry", "app_label": "admin"}
-    }]
+    some_role_dict = {'name': 'some role', 'slug': 'some-role-slug', 'ou': None, 'service': None}
+    some_role_dict['permissions'] = [
+        {
+            "operation": {"slug": "admin"},
+            "ou": {"slug": "perm-ou", "name": "perm-ou"},
+            'target_ct': {"model": "contenttype", "app_label": "contenttypes"},
+            "target": {"model": "logentry", "app_label": "admin"},
+        }
+    ]
 
     import_context = ImportContext()
     rd = RoleDeserializer(some_role_dict, import_context)
@@ -416,15 +457,21 @@ def testi_import_site_empty():
 
 def test_import_site_roles(db):
     parent_role_dict = {
-        'name': 'grand parent role', 'slug': 'grand-parent-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'name': 'grand parent role',
+        'slug': 'grand-parent-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     child_role_dict = {
-        'name': 'child role', 'slug': 'child-role', 'parents': [parent_role_dict],
-        'uuid': get_hex_uuid(), 'ou': None, 'service': None}
-    roles = [
-        parent_role_dict,
-        child_role_dict
-    ]
+        'name': 'child role',
+        'slug': 'child-role',
+        'parents': [parent_role_dict],
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
+    roles = [parent_role_dict, child_role_dict]
     res = import_site({'roles': roles}, ImportContext())
     created_roles = res.roles['created']
     assert len(created_roles) == 2
@@ -436,35 +483,45 @@ def test_import_site_roles(db):
 
     assert len(res.parentings['created']) == 1
     assert res.parentings['created'][0] == RoleParenting.objects.get(
-        child=child_role, parent=parent_role, direct=True)
+        child=child_role, parent=parent_role, direct=True
+    )
 
 
 def test_roles_import_ignore_technical_role(db):
-    roles = [{
-        'name': 'some role', 'description': 'some role description', 'slug': '_some-role'}]
+    roles = [{'name': 'some role', 'description': 'some role description', 'slug': '_some-role'}]
     res = import_site({'roles': roles}, ImportContext())
     assert res.roles == {'created': [], 'updated': []}
 
 
 def test_roles_import_ignore_technical_role_with_service(db):
-    roles = [{
-        'name': 'some role', 'description': 'some role description', 'slug': '_some-role'}]
+    roles = [{'name': 'some role', 'description': 'some role description', 'slug': '_some-role'}]
     res = import_site({'roles': roles}, ImportContext())
     assert res.roles == {'created': [], 'updated': []}
 
 
 def test_import_role_handle_manager_role_parenting(db):
     parent_role_dict = {
-        'name': 'grand parent role', 'slug': 'grand-parent-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'name': 'grand parent role',
+        'slug': 'grand-parent-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     parent_role_manager_dict = {
         'name': 'Administrateur du role grand parent role',
-        'slug': '_a2-managers-of-role-grand-parent-role', 'uuid': get_hex_uuid(),
-        'ou': None, 'service': None}
+        'slug': '_a2-managers-of-role-grand-parent-role',
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     child_role_dict = {
-        'name': 'child role', 'slug': 'child-role',
+        'name': 'child role',
+        'slug': 'child-role',
         'parents': [parent_role_dict, parent_role_manager_dict],
-        'uuid': get_hex_uuid(), 'ou': None, 'service': None}
+        'uuid': get_hex_uuid(),
+        'ou': None,
+        'service': None,
+    }
     import_site({'roles': [child_role_dict, parent_role_dict]}, ImportContext())
     child = Role.objects.get(slug='child-role')
     manager = Role.objects.get(slug='_a2-managers-of-role-grand-parent-role')
@@ -473,8 +530,7 @@ def test_import_role_handle_manager_role_parenting(db):
 
 
 def test_import_roles_role_delete_orphans(db):
-    roles = [{
-        'name': 'some role', 'description': 'some role description', 'slug': '_some-role'}]
+    roles = [{'name': 'some role', 'description': 'some role description', 'slug': '_some-role'}]
     with pytest.raises(ValidationError):
         import_site({'roles': roles}, ImportContext(role_delete_orphans=True))
 
@@ -511,12 +567,14 @@ def test_import_ou_already_existing(db):
 
 def test_import_context_flags(db):
     ous = [{'uuid': get_hex_uuid(), 'slug': 'ou-slug', 'name': 'ou name'}]
-    roles = [{
-        'name': 'other role',
-        'slug': 'other-role-slug',
-        'uuid': get_hex_uuid(),
-        'ou': {'slug': 'ou-slug'},
-    }]
+    roles = [
+        {
+            'name': 'other role',
+            'slug': 'other-role-slug',
+            'uuid': get_hex_uuid(),
+            'ou': {'slug': 'ou-slug'},
+        }
+    ]
     d = {'ous': ous, 'roles': roles}
     import_site(d, ImportContext(import_roles=False, import_ous=False))
     assert Role.objects.exclude(slug__startswith='_').count() == 0
diff --git a/tests/test_fields.py b/tests/test_fields.py
index 56c55d3b..beb6f209 100644
--- a/tests/test_fields.py
+++ b/tests/test_fields.py
@@ -27,11 +27,7 @@ def test_phonenumber_field():
     field = PhoneNumberField()
 
     # positive
-    for value in [
-            '01 01 01 01 01',
-            '+01 01 01 01 01',
-            ' + 01/01.01-01.01',
-            '+01/01.01-01.01']:
+    for value in ['01 01 01 01 01', '+01 01 01 01 01', ' + 01/01.01-01.01', '+01/01.01-01.01']:
         field.clean(value)
 
     # negative
diff --git a/tests/test_hashers.py b/tests/test_hashers.py
index 0223a585..d3c7debd 100644
--- a/tests/test_hashers.py
+++ b/tests/test_hashers.py
@@ -23,17 +23,19 @@ def test_sha256_hasher():
     hasher = hashers.SHA256PasswordHasher()
     hashed = hasher.encode('admin', '')
     assert hasher.verify('admin', hashed)
-    assert hashed == 'sha256$$8c6976e5b5410415b' \
-        'de908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918'
+    assert hashed == 'sha256$$8c6976e5b5410415b' 'de908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918'
 
 
 def test_openldap_hashers():
-    VECTORS = [x.split() for x in '''\
+    VECTORS = [
+        x.split()
+        for x in '''\
 coin {SHA}NHj+acfc68FPYrMipEBZ3t8ABGY=
 250523 {SHA}4zuJhPW1w0upqG7beAlxDcvtBj0=
 coin {SSHA}zLPxfZ3RSNkIwVdHWEyB4Tpr6fT9LiVX
 coin {SMD5}+x9QkU2T/wlPp6NK3bfYYxPYwaE=
-coin {MD5}lqlRm4/d0X6MxLugQI///Q=='''.splitlines()]
+coin {MD5}lqlRm4/d0X6MxLugQI///Q=='''.splitlines()
+    ]
     for password, oldap_hash in VECTORS:
         dj_hash = hashers.olap_password_to_dj(oldap_hash)
         assert check_password(password, dj_hash)
@@ -50,9 +52,7 @@ def test_joomla_hasher():
 
 def test_plone_hasher():
     hasher = hashers.PloneSHA1PasswordHasher()
-    assert hasher.verify(
-            'Azerty!123',
-            'plonesha1${SSHA}vS4g4MtzJyAjvhyW7vsrgjpJ6lDCU+Y42a6p')
+    assert hasher.verify('Azerty!123', 'plonesha1${SSHA}vS4g4MtzJyAjvhyW7vsrgjpJ6lDCU+Y42a6p')
 
 
 def test_drupal_hasher():
diff --git a/tests/test_idp_cas.py b/tests/test_idp_cas.py
index 5c4aeb62..0e684d34 100644
--- a/tests/test_idp_cas.py
+++ b/tests/test_idp_cas.py
@@ -54,36 +54,49 @@ class CasTests(Authentic2TestCase):
     PGT_URL = 'https://casclient.con/pgt/'
 
     def setUp(self):
-        self.user = User.objects.create_user(self.LOGIN,
-                password=self.PASSWORD, email=self.EMAIL,
-                first_name=self.FIRST_NAME, last_name=self.LAST_NAME)
-        self.service = Service.objects.create(name=self.NAME, slug=self.SLUG,
-                urls=self.URL, identifier_attribute='django_user_username',
-                ou=get_default_ou(), logout_url=self.URL + 'logout/')
+        self.user = User.objects.create_user(
+            self.LOGIN,
+            password=self.PASSWORD,
+            email=self.EMAIL,
+            first_name=self.FIRST_NAME,
+            last_name=self.LAST_NAME,
+        )
+        self.service = Service.objects.create(
+            name=self.NAME,
+            slug=self.SLUG,
+            urls=self.URL,
+            identifier_attribute='django_user_username',
+            ou=get_default_ou(),
+            logout_url=self.URL + 'logout/',
+        )
         self.service_attribute1 = Attribute.objects.create(
-                service=self.service,
-                slug='email',
-                attribute_name='django_user_email')
-        self.service2 = Service.objects.create(name=self.NAME2,
-                slug=self.SLUG2, urls=self.URL2,
-                ou=get_default_ou(), identifier_attribute='django_user_email')
+            service=self.service, slug='email', attribute_name='django_user_email'
+        )
+        self.service2 = Service.objects.create(
+            name=self.NAME2,
+            slug=self.SLUG2,
+            urls=self.URL2,
+            ou=get_default_ou(),
+            identifier_attribute='django_user_email',
+        )
         self.service2_attribute1 = Attribute.objects.create(
-                service=self.service2,
-                slug='username',
-                attribute_name='django_user_username')
+            service=self.service2, slug='username', attribute_name='django_user_username'
+        )
         self.authorized_service = Role.objects.create(name='rogue', ou=get_default_ou())
         self.factory = RequestFactory()
 
     def test_long_urls(self):
-        self.service.urls = 'https://casclient.com/%C3%A9/'\
-            'lorem/ipsum/dolor/sit/amet/consectetur/adipiscing/elit/sed/do/'\
-            'eiusmod/tempor/incididunt/ut/labore/et/dolore/magna/aliqua/ut/'\
-            'enim/ad/minim/veniam/quis/nostrud/exercitation/ullamco/laboris/'\
-            'nisi/ut/aliquip/ex/ea/commodo/consequat/duis/aute/irure/dolor/'\
-            'in/reprehenderit/in/voluptate/velit/esse/cillum/dolore/eu/'\
-            'fugiat/nulla/pariatur/excepteur/sint/occaecat/cupidatat/non/'\
-            'proident/sunt/in/culpa/qui/officia/deserunt/mollit/anim/id/est/'\
+        self.service.urls = (
+            'https://casclient.com/%C3%A9/'
+            'lorem/ipsum/dolor/sit/amet/consectetur/adipiscing/elit/sed/do/'
+            'eiusmod/tempor/incididunt/ut/labore/et/dolore/magna/aliqua/ut/'
+            'enim/ad/minim/veniam/quis/nostrud/exercitation/ullamco/laboris/'
+            'nisi/ut/aliquip/ex/ea/commodo/consequat/duis/aute/irure/dolor/'
+            'in/reprehenderit/in/voluptate/velit/esse/cillum/dolore/eu/'
+            'fugiat/nulla/pariatur/excepteur/sint/occaecat/cupidatat/non/'
+            'proident/sunt/in/culpa/qui/officia/deserunt/mollit/anim/id/est/'
             'laborum'
+        )
         self.service.save()
 
     def test_service_matching(self):
@@ -101,11 +114,14 @@ class CasTests(Authentic2TestCase):
         self.assertIn('no service', force_text(response.content))
         response = client.get('/idp/cas/login', {constants.SERVICE_PARAM: 'http://google.com/'})
         self.assertRedirectsComplex(response, 'http://google.com/')
-        response = client.get('/idp/cas/login', {constants.SERVICE_PARAM: self.URL,
-            constants.RENEW_PARAM: '', constants.GATEWAY_PARAM: ''})
+        response = client.get(
+            '/idp/cas/login',
+            {constants.SERVICE_PARAM: self.URL, constants.RENEW_PARAM: '', constants.GATEWAY_PARAM: ''},
+        )
         self.assertRedirectsComplex(response, self.URL)
-        response = client.get('/idp/cas/login', {constants.SERVICE_PARAM: self.URL,
-            constants.GATEWAY_PARAM: ''})
+        response = client.get(
+            '/idp/cas/login', {constants.SERVICE_PARAM: self.URL, constants.GATEWAY_PARAM: ''}
+        )
         self.assertRedirectsComplex(response, self.URL)
 
     def test_role_access_control_denied(self):
@@ -121,8 +137,11 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         response = client.get(location)
-        response = client.post(location, {'login-password-submit': '',
-                               'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         response = client.get(response.url)
         self.assertIn('https://casclient.com/loser/', force_text(response.content))
 
@@ -138,13 +157,17 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         response = client.get(location)
-        response = client.post(location, {'login-password-submit': '',
-                               'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         response = client.get(response.url)
         client = Client()
         ticket_id = urlparse.parse_qs(response.url.split('?')[1])[constants.TICKET_PARAM][0]
-        response = client.get('/idp/cas/validate', {constants.TICKET_PARAM:
-                              ticket_id, constants.SERVICE_PARAM: self.URL})
+        response = client.get(
+            '/idp/cas/validate', {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL}
+        )
 
     def test_login_validate(self):
         response = self.client.get('/idp/cas/login', {constants.SERVICE_PARAM: self.URL})
@@ -160,13 +183,15 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         self.assertEqual(next_url, '/idp/cas/continue/')
-        self.assertEqual(set(next_url_query.keys()),
-                set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
+        self.assertEqual(set(next_url_query.keys()), set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
         self.assertEqual(next_url_query[constants.SERVICE_PARAM], [self.URL])
         self.assertEqual(next_url_query[NONCE_FIELD_NAME], [ticket.ticket_id])
         response = self.client.get(location)
-        response = self.client.post(location, {'login-password-submit': '',
-            'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = self.client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         self.assertIn(AUTHENTICATION_EVENTS_SESSION_KEY, self.client.session)
         self.assertIn('nonce', self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0])
         self.assertIn(ticket.ticket_id, self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0]['nonce'])
@@ -176,15 +201,24 @@ class CasTests(Authentic2TestCase):
         # Check logout state has been updated
         ticket = Ticket.objects.get()
         self.assertIn(constants.SESSION_CAS_LOGOUTS, self.client.session)
-        self.assertEqual(self.client.session[constants.SESSION_CAS_LOGOUTS],
-                [[ticket.service.name, ticket.service.logout_url, ticket.service.logout_use_iframe,
-                    ticket.service.logout_use_iframe_timeout]])
+        self.assertEqual(
+            self.client.session[constants.SESSION_CAS_LOGOUTS],
+            [
+                [
+                    ticket.service.name,
+                    ticket.service.logout_url,
+                    ticket.service.logout_use_iframe,
+                    ticket.service.logout_use_iframe_timeout,
+                ]
+            ],
+        )
         # Do not the same client for direct calls from the CAS service provider
         # to prevent use of the user session
         client = Client()
         ticket_id = urlparse.parse_qs(response.url.split('?')[1])[constants.TICKET_PARAM][0]
-        response = client.get('/idp/cas/validate', {constants.TICKET_PARAM:
-            ticket_id, constants.SERVICE_PARAM: self.URL})
+        response = client.get(
+            '/idp/cas/validate', {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL}
+        )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response['content-type'], 'text/plain')
         self.assertEqual(force_text(response.content), 'yes\n%s\n' % self.LOGIN)
@@ -206,13 +240,15 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         self.assertEqual(next_url, '/idp/cas/continue/')
-        self.assertEqual(set(next_url_query.keys()),
-                set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
+        self.assertEqual(set(next_url_query.keys()), set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
         self.assertEqual(next_url_query[constants.SERVICE_PARAM], [self.URL])
         self.assertEqual(next_url_query[NONCE_FIELD_NAME], [ticket.ticket_id])
         response = self.client.get(location)
-        response = self.client.post(location, {'login-password-submit': '',
-            'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = self.client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         self.assertIn(AUTHENTICATION_EVENTS_SESSION_KEY, self.client.session)
         self.assertIn('nonce', self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0])
         self.assertIn(ticket.ticket_id, self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0]['nonce'])
@@ -222,22 +258,29 @@ class CasTests(Authentic2TestCase):
         # Check logout state has been updated
         ticket = Ticket.objects.get()
         self.assertIn(constants.SESSION_CAS_LOGOUTS, self.client.session)
-        self.assertEqual(self.client.session[constants.SESSION_CAS_LOGOUTS],
-                [[ticket.service.name, ticket.service.logout_url, ticket.service.logout_use_iframe,
-                    ticket.service.logout_use_iframe_timeout]])
+        self.assertEqual(
+            self.client.session[constants.SESSION_CAS_LOGOUTS],
+            [
+                [
+                    ticket.service.name,
+                    ticket.service.logout_url,
+                    ticket.service.logout_use_iframe,
+                    ticket.service.logout_use_iframe_timeout,
+                ]
+            ],
+        )
         # Do not the same client for direct calls from the CAS service provider
         # to prevent use of the user session
         client = Client()
         ticket_id = urlparse.parse_qs(response.url.split('?')[1])[constants.TICKET_PARAM][0]
-        response = client.get('/idp/cas/serviceValidate', {constants.TICKET_PARAM:
-            ticket_id, constants.SERVICE_PARAM: self.URL})
+        response = client.get(
+            '/idp/cas/serviceValidate', {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL}
+        )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response['content-type'], 'text/xml')
         constraints = (
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:user',
-                    self.LOGIN),
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:email',
-                    self.EMAIL),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:user', self.LOGIN),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:email', self.EMAIL),
         )
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Verify ticket has been deleted
@@ -258,13 +301,15 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         self.assertEqual(next_url, '/idp/cas/continue/')
-        self.assertEqual(set(next_url_query.keys()),
-                set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
+        self.assertEqual(set(next_url_query.keys()), set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
         self.assertEqual(next_url_query[constants.SERVICE_PARAM], [self.URL])
         self.assertEqual(next_url_query[NONCE_FIELD_NAME], [ticket.ticket_id])
         response = self.client.get(location)
-        response = self.client.post(location, {'login-password-submit': '',
-            'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = self.client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         self.assertIn(AUTHENTICATION_EVENTS_SESSION_KEY, self.client.session)
         self.assertIn('nonce', self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0])
         self.assertIn(ticket.ticket_id, self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0]['nonce'])
@@ -274,21 +319,28 @@ class CasTests(Authentic2TestCase):
         # Check logout state has been updated
         ticket = Ticket.objects.get()
         self.assertIn(constants.SESSION_CAS_LOGOUTS, self.client.session)
-        self.assertEqual(self.client.session[constants.SESSION_CAS_LOGOUTS],
-                [[ticket.service.name, ticket.service.logout_url, ticket.service.logout_use_iframe,
-                    ticket.service.logout_use_iframe_timeout]])
+        self.assertEqual(
+            self.client.session[constants.SESSION_CAS_LOGOUTS],
+            [
+                [
+                    ticket.service.name,
+                    ticket.service.logout_url,
+                    ticket.service.logout_use_iframe,
+                    ticket.service.logout_use_iframe_timeout,
+                ]
+            ],
+        )
         # Do not the same client for direct calls from the CAS service provider
         # to prevent use of the user session
         client = Client()
         ticket_id = urlparse.parse_qs(response.url.split('?')[1])[constants.TICKET_PARAM][0]
-        response = client.get('/idp/cas/serviceValidate', {constants.TICKET_PARAM:
-            ticket_id, constants.SERVICE_PARAM: self.URL, constants.RENEW_PARAM: ''})
+        response = client.get(
+            '/idp/cas/serviceValidate',
+            {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL, constants.RENEW_PARAM: ''},
+        )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response['content-type'], 'text/xml')
-        constraints = (
-                ('/cas:serviceResponse/cas:authenticationFailure/@code',
-                 'INVALID_TICKET_SPEC'),
-        )
+        constraints = (('/cas:serviceResponse/cas:authenticationFailure/@code', 'INVALID_TICKET_SPEC'),)
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Verify ticket has been deleted
         with self.assertRaises(Ticket.DoesNotExist):
@@ -308,13 +360,15 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         self.assertEqual(next_url, '/idp/cas/continue/')
-        self.assertEqual(set(next_url_query.keys()),
-                set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
+        self.assertEqual(set(next_url_query.keys()), set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
         self.assertEqual(next_url_query[constants.SERVICE_PARAM], [self.URL])
         self.assertEqual(next_url_query[NONCE_FIELD_NAME], [ticket.ticket_id])
         response = self.client.get(location)
-        response = self.client.post(location, {'login-password-submit': '',
-            'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = self.client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         self.assertIn(AUTHENTICATION_EVENTS_SESSION_KEY, self.client.session)
         self.assertIn('nonce', self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0])
         self.assertIn(ticket.ticket_id, self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0]['nonce'])
@@ -324,22 +378,29 @@ class CasTests(Authentic2TestCase):
         # Check logout state has been updated
         ticket = Ticket.objects.get()
         self.assertIn(constants.SESSION_CAS_LOGOUTS, self.client.session)
-        self.assertEqual(self.client.session[constants.SESSION_CAS_LOGOUTS],
-                [[ticket.service.name, ticket.service.logout_url, ticket.service.logout_use_iframe,
-                    ticket.service.logout_use_iframe_timeout]])
+        self.assertEqual(
+            self.client.session[constants.SESSION_CAS_LOGOUTS],
+            [
+                [
+                    ticket.service.name,
+                    ticket.service.logout_url,
+                    ticket.service.logout_use_iframe,
+                    ticket.service.logout_use_iframe_timeout,
+                ]
+            ],
+        )
         # Do not the same client for direct calls from the CAS service provider
         # to prevent use of the user session
         client = Client()
         ticket_id = urlparse.parse_qs(response.url.split('?')[1])[constants.TICKET_PARAM][0]
-        response = client.get('/idp/cas/proxyValidate', {constants.TICKET_PARAM:
-            ticket_id, constants.SERVICE_PARAM: self.URL})
+        response = client.get(
+            '/idp/cas/proxyValidate', {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL}
+        )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response['content-type'], 'text/xml')
         constraints = (
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:user',
-                    self.LOGIN),
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:email',
-                    self.EMAIL),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:user', self.LOGIN),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:email', self.EMAIL),
         )
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Verify ticket has been deleted
@@ -361,13 +422,15 @@ class CasTests(Authentic2TestCase):
         next_url, next_url_query = query['next'][0].split('?')
         next_url_query = urlparse.parse_qs(next_url_query)
         self.assertEqual(next_url, '/idp/cas/continue/')
-        self.assertEqual(set(next_url_query.keys()),
-                set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
+        self.assertEqual(set(next_url_query.keys()), set([constants.SERVICE_PARAM, NONCE_FIELD_NAME]))
         self.assertEqual(next_url_query[constants.SERVICE_PARAM], [self.URL])
         self.assertEqual(next_url_query[NONCE_FIELD_NAME], [ticket.ticket_id])
         response = self.client.get(location)
-        response = self.client.post(location, {'login-password-submit': '',
-            'username': self.LOGIN, 'password': self.PASSWORD}, follow=False)
+        response = self.client.post(
+            location,
+            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
+            follow=False,
+        )
         self.assertIn(AUTHENTICATION_EVENTS_SESSION_KEY, self.client.session)
         self.assertIn('nonce', self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0])
         self.assertIn(ticket.ticket_id, self.client.session[AUTHENTICATION_EVENTS_SESSION_KEY][0]['nonce'])
@@ -377,15 +440,29 @@ class CasTests(Authentic2TestCase):
         # Check logout state has been updated
         ticket = Ticket.objects.get()
         self.assertIn(constants.SESSION_CAS_LOGOUTS, self.client.session)
-        self.assertEqual(self.client.session[constants.SESSION_CAS_LOGOUTS],
-                [[ticket.service.name, ticket.service.logout_url, ticket.service.logout_use_iframe,
-                    ticket.service.logout_use_iframe_timeout]])
+        self.assertEqual(
+            self.client.session[constants.SESSION_CAS_LOGOUTS],
+            [
+                [
+                    ticket.service.name,
+                    ticket.service.logout_url,
+                    ticket.service.logout_use_iframe,
+                    ticket.service.logout_use_iframe_timeout,
+                ]
+            ],
+        )
         # Do not the same client for direct calls from the CAS service provider
         # to prevent use of the user session
         client = Client()
         ticket_id = urlparse.parse_qs(response.url.split('?')[1])[constants.TICKET_PARAM][0]
-        response = client.get('/idp/cas/serviceValidate', {constants.TICKET_PARAM:
-            ticket_id, constants.SERVICE_PARAM: self.URL, constants.PGT_URL_PARAM: self.PGT_URL})
+        response = client.get(
+            '/idp/cas/serviceValidate',
+            {
+                constants.TICKET_PARAM: ticket_id,
+                constants.SERVICE_PARAM: self.URL,
+                constants.PGT_URL_PARAM: self.PGT_URL,
+            },
+        )
         for key in client.session.keys():
             if key.startswith(constants.PGT_IOU_PREFIX):
                 pgt_iou = key
@@ -396,9 +473,8 @@ class CasTests(Authentic2TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response['content-type'], 'text/xml')
         constraints = (
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:user',
-                 self.LOGIN),
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:proxyGrantingTicket', pgt_iou),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:user', self.LOGIN),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:proxyGrantingTicket', pgt_iou),
         )
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Verify service ticket has been deleted
@@ -414,45 +490,36 @@ class CasTests(Authentic2TestCase):
         # Try to get a proxy ticket for service 2
         # it should fail since no proxy authorization exists
         client = Client()
-        response = client.get('/idp/cas/proxy', {
-            constants.PGT_PARAM: pgt,
-            constants.TARGET_SERVICE_PARAM: self.SERVICE2_URL
-        })
-        constraints = (
-                ('/cas:serviceResponse/cas:proxyFailure/@code',
-                 'PROXY_UNAUTHORIZED'),
+        response = client.get(
+            '/idp/cas/proxy', {constants.PGT_PARAM: pgt, constants.TARGET_SERVICE_PARAM: self.SERVICE2_URL}
         )
+        constraints = (('/cas:serviceResponse/cas:proxyFailure/@code', 'PROXY_UNAUTHORIZED'),)
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Set proxy authorization
         self.service2.proxy.add(self.service)
         # Try again !
-        response = client.get('/idp/cas/proxy', {
-            constants.PGT_PARAM: pgt,
-            constants.TARGET_SERVICE_PARAM: self.SERVICE2_URL
-        })
+        response = client.get(
+            '/idp/cas/proxy', {constants.PGT_PARAM: pgt, constants.TARGET_SERVICE_PARAM: self.SERVICE2_URL}
+        )
         pt = Ticket.objects.get(ticket_id__startswith=constants.PT_PREFIX)
         self.assertEqual(pt.user, self.user)
         self.assertIsNotNone(pt.expire)
         self.assertEqual(pt.service, self.service2)
         self.assertEqual(pt.service_url, self.SERVICE2_URL)
         self.assertEqual(pt.proxies, self.PGT_URL)
-        constraints = (
-                ('/cas:serviceResponse/cas:proxySuccess/cas:proxyTicket',
-                 pt.ticket_id),
-        )
+        constraints = (('/cas:serviceResponse/cas:proxySuccess/cas:proxyTicket', pt.ticket_id),)
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Now service2 try to resolve the proxy ticket
         client = Client()
-        response = client.get('/idp/cas/proxyValidate', {
-            constants.TICKET_PARAM: pt.ticket_id,
-            constants.SERVICE_PARAM: self.SERVICE2_URL})
+        response = client.get(
+            '/idp/cas/proxyValidate',
+            {constants.TICKET_PARAM: pt.ticket_id, constants.SERVICE_PARAM: self.SERVICE2_URL},
+        )
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response['content-type'], 'text/xml')
         constraints = (
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:user',
-                    self.EMAIL),
-                ('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:username',
-                    self.LOGIN),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:user', self.EMAIL),
+            ('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:username', self.LOGIN),
         )
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
         # Verify ticket has been deleted
@@ -460,14 +527,11 @@ class CasTests(Authentic2TestCase):
             Ticket.objects.get(ticket_id=pt.ticket_id)
         # Check invalidation of PGT when session is closed
         self.client.logout()
-        response = client.get('/idp/cas/proxy', {
-            constants.PGT_PARAM: pgt,
-            constants.TARGET_SERVICE_PARAM: self.SERVICE2_URL
-        })
+        response = client.get(
+            '/idp/cas/proxy', {constants.PGT_PARAM: pgt, constants.TARGET_SERVICE_PARAM: self.SERVICE2_URL}
+        )
         constraints = (
-                ('/cas:serviceResponse/cas:proxyFailure',
-                 'session has expired'),
-                ('/cas:serviceResponse/cas:proxyFailure/@code',
-                 'BAD_PGT'),
+            ('/cas:serviceResponse/cas:proxyFailure', 'session has expired'),
+            ('/cas:serviceResponse/cas:proxyFailure/@code', 'BAD_PGT'),
         )
         self.assertXPathConstraints(response, constraints, CAS_NAMESPACES)
diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index 09c61341..7ffb0a02 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@@ -66,7 +66,7 @@ JWKSET = {
             "dq": "QuUNEHYTjZTbo8n2-4FumarXKGBAalbwM8jyc7cYemnTpWfKt8M_gd4T99oMK2IC3h_DhZ3ZK3pE6DKCb76sMLtczH8C1RziTMsATWdc5_zDMtl07O4b-ZQ5_g51P8w515pc0JwRzFFi0z3Y2aZdMKgNX1id5SES5nXOshHhICE",
             "n": "0lN6CiJGFD8BSPV_azLoEl6Nq-WlHkU743D5rqvzw1sOaxstMGxAhVk2YIhWwfvapV6XjO_yvc4778VBTELOdjRw6BGUdBJepdwkL__TPyjEVhqMQj9MKhEU4GUy9w0Lsilb5D01kfrOKpmdcYw4jhcDvb0H4-LZgh1Vk84vF4WaQCUg_AX4drVDQOjoU8kuWIM8gz9w6zEsbIw-gtMRpFwS8ncA0zDX5VfyC77iMxzFftDIP2gM5GvdevMzvP9IRkRRBhP9vV4JchBFPHSA9OPJcnySjJJNW6aAJn6P6JasN1z68khjufM09J8UzmLAZYOq7gUG95Ox1KsV-g337Q",
             "e": "AQAB",
-            "p": "-Nyj_Sw3f2HUqSssCZv84y7b3blOtGGAhfYN_JtGfcTQv2bOtxrIUzeonCi-Z_1W4hO10tqxJcOB0ibtDqkDlLhnLaIYOBfriITRFK83EJG5sC-0KTmFzUXFTA2aMc1QgP-Fu6gUfQpPqLgWxhx8EFhkBlBZshKU5-C-385Sco0"
+            "p": "-Nyj_Sw3f2HUqSssCZv84y7b3blOtGGAhfYN_JtGfcTQv2bOtxrIUzeonCi-Z_1W4hO10tqxJcOB0ibtDqkDlLhnLaIYOBfriITRFK83EJG5sC-0KTmFzUXFTA2aMc1QgP-Fu6gUfQpPqLgWxhx8EFhkBlBZshKU5-C-385Sco0",
         },
         {
             "kty": "EC",
@@ -75,8 +75,8 @@ JWKSET = {
             "crv": "P-256",
             "x": "HZMHZkX-63heqA5pvWn-UR7bgcXZNEcQa5wfvG_BzTw",
             "y": "SUCuwjjiyKvGq5Odr0sjDqjha_CBqks0JQFrR7Ei5OQ",
-            "alg": "ES256"
-        }
+            "alg": "ES256",
+        },
     ]
 }
 
@@ -90,6 +90,7 @@ def oidc_settings(settings):
 
 def test_get_jwkset(oidc_settings):
     from authentic2_idp_oidc.utils import get_jwkset
+
     get_jwkset()
 
 
@@ -146,7 +147,8 @@ def test_admin(other_attributes, app, superuser, oidc_settings):
         asked_on_registration=True,
         required=False,
         user_visible=True,
-        user_editable=True)
+        user_editable=True,
+    )
 
     url = reverse('admin:authentic2_idp_oidc_oidcclient_add')
     assert OIDCClient.objects.count() == 0
@@ -170,24 +172,24 @@ def make_client(app, superuser, params=None):
         asked_on_registration=True,
         required=False,
         user_visible=True,
-        user_editable=True)
+        user_editable=True,
+    )
 
     client = OIDCClient(
         name='oidcclient',
         slug='oidcclient',
         ou=get_default_ou(),
         unauthorized_url='https://example.com/southpark/',
-        redirect_uris='https://example.com/callbac%C3%A9')
+        redirect_uris='https://example.com/callbac%C3%A9',
+    )
 
     for key, value in (params or {}).items():
         setattr(client, key, value)
     client.save()
     for mapping in app_settings.DEFAULT_MAPPINGS:
         OIDCClaim.objects.create(
-            client=client,
-            name=mapping['name'],
-            value=mapping['value'],
-            scopes=mapping['scopes'])
+            client=client, name=mapping['name'], value=mapping['value'], scopes=mapping['scopes']
+        )
     return client
 
 
@@ -231,7 +233,9 @@ def bearer_authentication_headers(access_token):
 @pytest.mark.parametrize('oidc_client', OIDC_CLIENT_PARAMS, indirect=True)
 @pytest.mark.parametrize('do_not_ask_again', [(True,), (False,)])
 @pytest.mark.parametrize('login_first', [(True,), (False,)])
-def test_authorization_code_sso(login_first, do_not_ask_again, oidc_client, oidc_settings, simple_user, app, caplog):
+def test_authorization_code_sso(
+    login_first, do_not_ask_again, oidc_client, oidc_settings, simple_user, app, caplog
+):
     redirect_uri = oidc_client.redirect_uris.split()[0]
     params = {
         'client_id': oidc_client.client_id,
@@ -277,13 +281,20 @@ def test_authorization_code_sso(login_first, do_not_ask_again, oidc_client, oidc
             assert authz.expired >= now()
         else:
             assert OIDCAuthorization.objects.count() == 0
-        utils.assert_event('user.service.sso.authorization',
-                           session=app.session,
-                           user=simple_user, service=oidc_client,
-                           scopes=['email', 'openid', 'profile'])
-    utils.assert_event('user.service.sso', session=app.session,
-                       user=simple_user, service=oidc_client,
-                       how='password-on-https')
+        utils.assert_event(
+            'user.service.sso.authorization',
+            session=app.session,
+            user=simple_user,
+            service=oidc_client,
+            scopes=['email', 'openid', 'profile'],
+        )
+    utils.assert_event(
+        'user.service.sso',
+        session=app.session,
+        user=simple_user,
+        service=oidc_client,
+        how='password-on-https',
+    )
     if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
         assert OIDCCode.objects.count() == 1
         code = OIDCCode.objects.get()
@@ -306,11 +317,15 @@ def test_authorization_code_sso(login_first, do_not_ask_again, oidc_client, oidc
         assert query['state'] == ['xxx']
 
         token_url = make_url('oidc-token')
-        response = app.post(token_url, params={
-            'grant_type': 'authorization_code',
-            'code': code,
-            'redirect_uri': oidc_client.redirect_uris.split()[0],
-        }, headers=client_authentication_headers(oidc_client))
+        response = app.post(
+            token_url,
+            params={
+                'grant_type': 'authorization_code',
+                'code': code,
+                'redirect_uri': oidc_client.redirect_uris.split()[0],
+            },
+            headers=client_authentication_headers(oidc_client),
+        )
         assert 'error' not in response.json
         assert 'access_token' in response.json
         assert 'expires_in' in response.json
@@ -323,8 +338,7 @@ def test_authorization_code_sso(login_first, do_not_ask_again, oidc_client, oidc
         query = urlparse.parse_qs(location.fragment)
         assert OIDCAccessToken.objects.count() == 1
         access_token = OIDCAccessToken.objects.get()
-        assert set(query.keys()) == set(['access_token', 'token_type', 'expires_in', 'id_token',
-                                         'state'])
+        assert set(query.keys()) == set(['access_token', 'token_type', 'expires_in', 'id_token', 'state'])
         assert query['access_token'] == [access_token.uuid]
         assert query['token_type'] == ['Bearer']
         assert query['state'] == ['xxx']
@@ -378,12 +392,12 @@ def test_authorization_code_sso(login_first, do_not_ask_again, oidc_client, oidc
     # when adding extra attributes
     OIDCClaim.objects.create(client=oidc_client, name='ou', value='django_user_ou_name', scopes='profile')
     OIDCClaim.objects.create(client=oidc_client, name='roles', value='a2_role_names', scopes='profile, role')
-    OIDCClaim.objects.create(client=oidc_client,
-                             name='cityscape_image',
-                             value='django_user_cityscape_image',
-                             scopes='profile')
-    simple_user.roles.add(get_role_model().objects.create(
-        name='Whatever', slug='whatever', ou=get_default_ou()))
+    OIDCClaim.objects.create(
+        client=oidc_client, name='cityscape_image', value='django_user_cityscape_image', scopes='profile'
+    )
+    simple_user.roles.add(
+        get_role_model().objects.create(name='Whatever', slug='whatever', ou=get_default_ou())
+    )
     response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
     assert response.json['ou'] == simple_user.ou.name
     assert response.json['roles'][0] == 'Whatever'
@@ -422,8 +436,9 @@ def test_authorization_code_sso(login_first, do_not_ask_again, oidc_client, oidc
                 assert iframes.attr('onload').endswith(', 300)')
 
 
-def check_authorize_error(response, error, error_description, fragment, caplog,
-                          check_next=True, redirect_uri=None, message=True):
+def check_authorize_error(
+    response, error, error_description, fragment, caplog, check_next=True, redirect_uri=None, message=True
+):
     # check next_url qs
     if message:
         location = urlparse.urlparse(response.location)
@@ -483,252 +498,355 @@ def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app):
         raise NotImplementedError
 
     assert_authorize_error = functools.partial(
-        check_authorize_error,
-        caplog=caplog,
-        fragment=fragment,
-        redirect_uri=redirect_uri)
+        check_authorize_error, caplog=caplog, fragment=fragment, redirect_uri=redirect_uri
+    )
 
     # missing client_id
     response = app.get(make_url('oidc-authorize', params={}))
     assert_authorize_error(response, 'invalid_request', 'Missing parameter "client_id"', check_next=False)
 
     # missing redirect_uri
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+            },
+        )
+    )
     assert_authorize_error(response, 'invalid_request', 'Missing parameter "redirect_uri"', check_next=False)
 
     # invalid client_id
-    authorize_url = app.get(make_url('oidc-authorize', params={
-        'client_id': 'xxx',
-        'redirect_uri': redirect_uri,
-    }))
+    authorize_url = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': 'xxx',
+                'redirect_uri': redirect_uri,
+            },
+        )
+    )
     assert_authorize_error(response, 'invalid_request', 'Unknown client identifier: "xxx"', check_next=False)
 
     # invalid redirect_uri
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': 'xxx',
-        'response_type': 'code',
-        'scope': 'openid',
-    }), status=302)
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': 'xxx',
+                'response_type': 'code',
+                'scope': 'openid',
+            },
+        ),
+        status=302,
+    )
     continue_response = assert_authorize_error(
-        response, 'invalid_request', 'Redirect URI "xxx" is unknown.', check_next=False)
+        response, 'invalid_request', 'Redirect URI "xxx" is unknown.', check_next=False
+    )
     assert 'Known' not in continue_response.pyquery('.error').text()
 
     # invalid redirect_uri with DEBUG=True, list of redirect_uris is shown
     with override_settings(DEBUG=True):
-        response = app.get(make_url('oidc-authorize', params={
-            'client_id': oidc_client.client_id,
-            'redirect_uri': 'xxx',
-            'response_type': 'code',
-            'scope': 'openid',
-        }), status=302)
+        response = app.get(
+            make_url(
+                'oidc-authorize',
+                params={
+                    'client_id': oidc_client.client_id,
+                    'redirect_uri': 'xxx',
+                    'response_type': 'code',
+                    'scope': 'openid',
+                },
+            ),
+            status=302,
+        )
         continue_response = assert_authorize_error(
-            response, 'invalid_request', 'Redirect URI "xxx" is unknown.', check_next=False)
+            response, 'invalid_request', 'Redirect URI "xxx" is unknown.', check_next=False
+        )
         assert (
             'Known redirect URIs are: https://example.com/callbac%C3%A9'
             in continue_response.pyquery('.error').text()
         )
 
     # missing response_type
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+            },
+        )
+    )
     assert_authorize_error(response, 'invalid_request', 'Missing parameter "response_type"')
 
     # unsupported response_type
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': 'xxx',
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': 'xxx',
+            },
+        )
+    )
 
     if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
         assert_authorize_error(response, 'unsupported_response_type', 'Response type must be "code"')
     elif oidc_client.authorization_flow == oidc_client.FLOW_IMPLICIT:
         assert_authorize_error(
-            response, 'unsupported_response_type', 'Response type must be "id_token token" or "id_token"')
+            response, 'unsupported_response_type', 'Response type must be "id_token token" or "id_token"'
+        )
 
     # missing scope
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+            },
+        )
+    )
     assert_authorize_error(response, 'invalid_request', 'Missing parameter "scope"')
 
     # invalid max_age : not an integer
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid',
-        'max_age': 'xxx',
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid',
+                'max_age': 'xxx',
+            },
+        )
+    )
     assert_authorize_error(response, 'invalid_request', 'Parameter "max_age" must be a positive integer')
 
     # invalid max_age : not positive
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid',
-        'max_age': '-1',
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid',
+                'max_age': '-1',
+            },
+        )
+    )
     assert_authorize_error(response, 'invalid_request', 'Parameter "max_age" must be a positive integer')
 
     # openid scope is missing
-    authorize_url = make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'profile',
-    })
+    authorize_url = make_url(
+        'oidc-authorize',
+        params={
+            'client_id': oidc_client.client_id,
+            'redirect_uri': redirect_uri,
+            'response_type': response_type,
+            'scope': 'profile',
+        },
+    )
 
     response = app.get(authorize_url)
     assert_authorize_error(response, 'invalid_scope', 'Scope must contain "openid", received "profile"')
 
     # use of an unknown scope
-    authorize_url = make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile zob',
-    })
+    authorize_url = make_url(
+        'oidc-authorize',
+        params={
+            'client_id': oidc_client.client_id,
+            'redirect_uri': redirect_uri,
+            'response_type': response_type,
+            'scope': 'openid email profile zob',
+        },
+    )
 
     response = app.get(authorize_url)
     assert_authorize_error(
         response,
         'invalid_scope',
-        'Scope may contain "email, openid, profile" scope(s), received "email, openid, profile, zob"')
+        'Scope may contain "email, openid, profile" scope(s), received "email, openid, profile, zob"',
+    )
 
     # restriction on scopes
     with override_settings(A2_IDP_OIDC_SCOPES=['openid']):
-        response = app.get(make_url('oidc-authorize', params={
-            'client_id': oidc_client.client_id,
-            'redirect_uri': redirect_uri,
-            'response_type': response_type,
-            'scope': 'openid email',
-        }))
+        response = app.get(
+            make_url(
+                'oidc-authorize',
+                params={
+                    'client_id': oidc_client.client_id,
+                    'redirect_uri': redirect_uri,
+                    'response_type': response_type,
+                    'scope': 'openid email',
+                },
+            )
+        )
         assert_authorize_error(
-            response,
-            'invalid_scope',
-            'Scope may contain "openid" scope(s), received "email, openid"')
+            response, 'invalid_scope', 'Scope may contain "openid" scope(s), received "email, openid"'
+        )
 
     # cancel
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-        'cancel': '1',
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid email profile',
+                'cancel': '1',
+            },
+        )
+    )
     assert_authorize_error(response, 'access_denied', 'Authentication cancelled by user', message=False)
 
     # prompt=none
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-        'prompt': 'none',
-    }))
-    assert_authorize_error(response,
-                           'login_required',
-                           error_description='Login is required but prompt parameter is "none"',
-                           message=False)
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid email profile',
+                'prompt': 'none',
+            },
+        )
+    )
+    assert_authorize_error(
+        response,
+        'login_required',
+        error_description='Login is required but prompt parameter is "none"',
+        message=False,
+    )
 
     utils.login(app, simple_user)
 
     # prompt=none max_age=0
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-        'max_age': '0',
-        'prompt': 'none',
-    }))
-    assert_authorize_error(response, 'login_required',
-                           error_description='Login is required because of max_age, but prompt parameter is "none"',
-                           message=False)
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid email profile',
+                'max_age': '0',
+                'prompt': 'none',
+            },
+        )
+    )
+    assert_authorize_error(
+        response,
+        'login_required',
+        error_description='Login is required because of max_age, but prompt parameter is "none"',
+        message=False,
+    )
 
     # max_age=0
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-        'max_age': '0',
-    }))
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid email profile',
+                'max_age': '0',
+            },
+        )
+    )
     assert response.location.startswith(reverse('auth_login') + '?')
 
     # prompt=login
-    authorize_url = make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-        'prompt': 'login',
-    })
+    authorize_url = make_url(
+        'oidc-authorize',
+        params={
+            'client_id': oidc_client.client_id,
+            'redirect_uri': redirect_uri,
+            'response_type': response_type,
+            'scope': 'openid email profile',
+            'prompt': 'login',
+        },
+    )
     response = app.get(authorize_url)
     assert urlparse.urlparse(response['Location']).path == reverse('auth_login')
 
     if oidc_client.authorization_mode != oidc_client.AUTHORIZATION_MODE_NONE:
         # prompt is none, but consent is required
-        response = app.get(make_url('oidc-authorize', params={
-            'client_id': oidc_client.client_id,
-            'redirect_uri': redirect_uri,
-            'response_type': response_type,
-            'scope': 'openid email profile',
-            'prompt': 'none',
-        }))
+        response = app.get(
+            make_url(
+                'oidc-authorize',
+                params={
+                    'client_id': oidc_client.client_id,
+                    'redirect_uri': redirect_uri,
+                    'response_type': response_type,
+                    'scope': 'openid email profile',
+                    'prompt': 'none',
+                },
+            )
+        )
         assert_authorize_error(
-            response,
-            'consent_required',
-            'Consent is required but prompt parameter is "none"',
-            message=False)
+            response, 'consent_required', 'Consent is required but prompt parameter is "none"', message=False
+        )
 
         # user do not consent
-        response = app.get(make_url('oidc-authorize', params={
-            'client_id': oidc_client.client_id,
-            'redirect_uri': redirect_uri,
-            'response_type': response_type,
-            'scope': 'openid email profile',
-        }))
+        response = app.get(
+            make_url(
+                'oidc-authorize',
+                params={
+                    'client_id': oidc_client.client_id,
+                    'redirect_uri': redirect_uri,
+                    'response_type': response_type,
+                    'scope': 'openid email profile',
+                },
+            )
+        )
         response = response.form.submit('refuse')
-        assert_authorize_error(
-            response,
-            'access_denied',
-            'User did not consent',
-            message=False)
+        assert_authorize_error(response, 'access_denied', 'User did not consent', message=False)
 
     # authorization exists
     authorize = OIDCAuthorization.objects.create(
-        client=oidc_client, user=simple_user, scopes='openid profile email',
-        expired=now() + datetime.timedelta(days=2))
-    response = app.get(make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-    }))
+        client=oidc_client,
+        user=simple_user,
+        scopes='openid profile email',
+        expired=now() + datetime.timedelta(days=2),
+    )
+    response = app.get(
+        make_url(
+            'oidc-authorize',
+            params={
+                'client_id': oidc_client.client_id,
+                'redirect_uri': redirect_uri,
+                'response_type': response_type,
+                'scope': 'openid email profile',
+            },
+        )
+    )
     if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
         assert_authorization_response(response, code=None)
     elif oidc_client.authorization_flow == oidc_client.FLOW_IMPLICIT:
-        assert_authorization_response(response, access_token=None, id_token=None, expires_in=None,
-                                      token_type=None, fragment=True)
+        assert_authorization_response(
+            response, access_token=None, id_token=None, expires_in=None, token_type=None, fragment=True
+        )
 
     # client ask for explicit authorization
-    authorize_url = make_url('oidc-authorize', params={
-        'client_id': oidc_client.client_id,
-        'redirect_uri': redirect_uri,
-        'response_type': response_type,
-        'scope': 'openid email profile',
-        'prompt': 'consent',
-    })
+    authorize_url = make_url(
+        'oidc-authorize',
+        params={
+            'client_id': oidc_client.client_id,
+            'redirect_uri': redirect_uri,
+            'response_type': response_type,
+            'scope': 'openid email profile',
+            'prompt': 'consent',
+        },
+    )
     response = app.get(authorize_url)
     assert 'a2-oidc-authorization-form' in response.text
     # check all authorization have been deleted, it's our policy
@@ -772,22 +890,27 @@ def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app):
             'grant_type': 'authorization_code',
             'redirect_uri': oidc_client.redirect_uris.split()[0],
         }
-        response = app.post(token_url, params=params,
-                            headers=client_authentication_headers(oidc_client), status=400)
+        response = app.post(
+            token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
+        )
         assert response.json['error'] == 'invalid_request'
         assert response.json['error_description'] == 'Missing parameter "code"'
 
         params['code'] = code
-        response = app.post(token_url, params=params,
-                            headers=client_authentication_headers(oidc_client), status=400)
+        response = app.post(
+            token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
+        )
         assert 'error' in response.json
         assert response.json['error'] == 'invalid_request'
         assert response.json['error_description'] == 'Parameter "code" has expired or user is disconnected'
 
     # invalid logout
-    logout_url = make_url('oidc-logout', params={
-        'post_logout_redirect_uri': 'https://whatever.com/',
-    })
+    logout_url = make_url(
+        'oidc-logout',
+        params={
+            'post_logout_redirect_uri': 'https://whatever.com/',
+        },
+    )
     response = app.get(logout_url)
     assert '_auth_user_id' in app.session
     assert 'Location' in response.headers
@@ -801,11 +924,16 @@ def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app):
         utils.logout(app)
         code = OIDCCode.objects.get()
         assert not code.is_valid()
-        response = app.post(token_url, params={
-            'grant_type': 'authorization_code',
-            'code': code.uuid,
-            'redirect_uri': oidc_client.redirect_uris.split()[0],
-        }, headers=client_authentication_headers(oidc_client), status=400)
+        response = app.post(
+            token_url,
+            params={
+                'grant_type': 'authorization_code',
+                'code': code.uuid,
+                'redirect_uri': oidc_client.redirect_uris.split()[0],
+            },
+            headers=client_authentication_headers(oidc_client),
+            status=400,
+        )
         assert 'error' in response.json
         assert response.json['error'] == 'invalid_request'
         assert response.json['error_description'] == 'Parameter "code" has expired or user is disconnected'
@@ -815,20 +943,10 @@ def test_expired_manager(db, simple_user):
     expired = now() - datetime.timedelta(seconds=1)
     not_expired = now() + datetime.timedelta(days=1)
     client = OIDCClient.objects.create(
-        name='client',
-        slug='client',
-        ou=get_default_ou(),
-        redirect_uris='https://example.com/')
-    OIDCAuthorization.objects.create(
-        client=client,
-        user=simple_user,
-        scopes='openid',
-        expired=expired)
-    OIDCAuthorization.objects.create(
-        client=client,
-        user=simple_user,
-        scopes='openid',
-        expired=not_expired)
+        name='client', slug='client', ou=get_default_ou(), redirect_uris='https://example.com/'
+    )
+    OIDCAuthorization.objects.create(client=client, user=simple_user, scopes='openid', expired=expired)
+    OIDCAuthorization.objects.create(client=client, user=simple_user, scopes='openid', expired=not_expired)
     assert OIDCAuthorization.objects.count() == 2
     OIDCAuthorization.objects.cleanup()
     assert OIDCAuthorization.objects.count() == 1
@@ -840,7 +958,8 @@ def test_expired_manager(db, simple_user):
         redirect_uri='https://example.com/',
         session_key='xxx',
         auth_time=now(),
-        expired=expired)
+        expired=expired,
+    )
     OIDCCode.objects.create(
         client=client,
         user=simple_user,
@@ -848,23 +967,18 @@ def test_expired_manager(db, simple_user):
         redirect_uri='https://example.com/',
         session_key='xxx',
         auth_time=now(),
-        expired=not_expired)
+        expired=not_expired,
+    )
     assert OIDCCode.objects.count() == 2
     OIDCCode.objects.cleanup()
     assert OIDCCode.objects.count() == 1
 
     OIDCAccessToken.objects.create(
-        client=client,
-        user=simple_user,
-        scopes='openid',
-        session_key='xxx',
-        expired=expired)
+        client=client, user=simple_user, scopes='openid', session_key='xxx', expired=expired
+    )
     OIDCAccessToken.objects.create(
-        client=client,
-        user=simple_user,
-        scopes='openid',
-        session_key='xxx',
-        expired=not_expired)
+        client=client, user=simple_user, scopes='openid', session_key='xxx', expired=not_expired
+    )
     assert OIDCAccessToken.objects.count() == 2
     OIDCAccessToken.objects.cleanup()
     assert OIDCAccessToken.objects.count() == 1
@@ -873,10 +987,8 @@ def test_expired_manager(db, simple_user):
 @pytest.fixture
 def simple_oidc_client(db):
     return OIDCClient.objects.create(
-        name='client',
-        slug='client',
-        ou=get_default_ou(),
-        redirect_uris='https://example.com/')
+        name='client', slug='client', ou=get_default_ou(), redirect_uris='https://example.com/'
+    )
 
 
 def test_client_secret_post_authentication(oidc_settings, app, simple_oidc_client, simple_user):
@@ -899,13 +1011,16 @@ def test_client_secret_post_authentication(oidc_settings, app, simple_oidc_clien
     query = urlparse.parse_qs(location.query)
     code = query['code'][0]
     token_url = make_url('oidc-token')
-    response = app.post(token_url, params={
-        'grant_type': 'authorization_code',
-        'code': code,
-        'redirect_uri': redirect_uri,
-        'client_id': simple_oidc_client.client_id,
-        'client_secret': simple_oidc_client.client_secret,
-    })
+    response = app.post(
+        token_url,
+        params={
+            'grant_type': 'authorization_code',
+            'code': code,
+            'redirect_uri': redirect_uri,
+            'client_id': simple_oidc_client.client_id,
+            'client_secret': simple_oidc_client.client_secret,
+        },
+    )
 
     assert 'error' not in response.json
     assert 'access_token' in response.json
@@ -917,8 +1032,7 @@ def test_client_secret_post_authentication(oidc_settings, app, simple_oidc_clien
 @pytest.mark.parametrize('login_first', [(True,), (False,)])
 def test_role_control_access(login_first, oidc_settings, oidc_client, simple_user, app):
     # authorized_role
-    role_authorized = get_role_model().objects.create(
-        name='Goth Kids', slug='goth-kids', ou=get_default_ou())
+    role_authorized = get_role_model().objects.create(name='Goth Kids', slug='goth-kids', ou=get_default_ou())
     oidc_client.add_authorized_role(role_authorized)
 
     redirect_uri = oidc_client.redirect_uris.split()[0]
@@ -965,11 +1079,15 @@ def test_role_control_access(login_first, oidc_settings, oidc_client, simple_use
         query = urlparse.parse_qs(location.query)
         code = query['code'][0]
         token_url = make_url('oidc-token')
-        response = app.post(token_url, params={
-            'grant_type': 'authorization_code',
-            'code': code,
-            'redirect_uri': oidc_client.redirect_uris.split()[0],
-        }, headers=client_authentication_headers(oidc_client))
+        response = app.post(
+            token_url,
+            params={
+                'grant_type': 'authorization_code',
+                'code': code,
+                'redirect_uri': oidc_client.redirect_uris.split()[0],
+            },
+            headers=client_authentication_headers(oidc_client),
+        )
         id_token = response.json['id_token']
     elif oidc_client.authorization_flow == oidc_client.FLOW_IMPLICIT:
         query = urlparse.parse_qs(location.fragment)
@@ -992,8 +1110,7 @@ def test_role_control_access(login_first, oidc_settings, oidc_client, simple_use
         assert claims['acr'] == '1'
 
 
-def test_registration_service_slug(oidc_settings, app, simple_oidc_client, simple_user, hooks,
-                                   mailoutbox):
+def test_registration_service_slug(oidc_settings, app, simple_oidc_client, simple_user, hooks, mailoutbox):
     redirect_uri = simple_oidc_client.redirect_uris.split()[0]
 
     params = {
@@ -1072,22 +1189,25 @@ def test_oidclient_preferred_username_as_identifier_data_migration(migration):
         if client.name == 'test1':
             continue
         if client.name == 'test3':
-            OIDCClaim.objects.create(client=client, name='preferred_username',
-                                     value='django_user_full_name',
-                                     scopes='profile')
+            OIDCClaim.objects.create(
+                client=client, name='preferred_username', value='django_user_full_name', scopes='profile'
+            )
         else:
-            OIDCClaim.objects.create(client=client, name='preferred_username',
-                                     value='django_user_username',
-                                     scopes='profile')
-        OIDCClaim.objects.create(client=client, name='given_name', value='django_user_first_name', scopes='profile')
-        OIDCClaim.objects.create(client=client, name='family_name', value='django_user_last_name', scopes='profile')
+            OIDCClaim.objects.create(
+                client=client, name='preferred_username', value='django_user_username', scopes='profile'
+            )
+        OIDCClaim.objects.create(
+            client=client, name='given_name', value='django_user_first_name', scopes='profile'
+        )
+        OIDCClaim.objects.create(
+            client=client, name='family_name', value='django_user_last_name', scopes='profile'
+        )
         if client.name == 'test2':
             continue
-        OIDCClaim.objects.create(client=client, name='email',
-                                 value='django_user_email', scopes='email')
-        OIDCClaim.objects.create(client=client, name='email_verified',
-                                 value='django_user_email_verified',
-                                 scopes='email')
+        OIDCClaim.objects.create(client=client, name='email', value='django_user_email', scopes='email')
+        OIDCClaim.objects.create(
+            client=client, name='email_verified', value='django_user_email_verified', scopes='email'
+        )
 
     new_apps = migration.apply(migrate_to)
     OIDCClient = new_apps.get_model('authentic2_idp_oidc', 'OIDCClient')
@@ -1097,38 +1217,48 @@ def test_oidclient_preferred_username_as_identifier_data_migration(migration):
         claims = client.oidcclaim_set.all()
         if client.name == 'test':
             assert claims.count() == 5
-            assert (
-                sorted(claims.values_list('name', flat=True))
-                == ['email', 'email_verified', 'family_name', 'given_name', 'preferred_username']
-            )
-            assert (
-                sorted(claims.values_list('value', flat=True))
-                == ['django_user_email', 'django_user_email_verified',
-                    'django_user_first_name', 'django_user_identifier',
-                    'django_user_last_name']
-            )
+            assert sorted(claims.values_list('name', flat=True)) == [
+                'email',
+                'email_verified',
+                'family_name',
+                'given_name',
+                'preferred_username',
+            ]
+            assert sorted(claims.values_list('value', flat=True)) == [
+                'django_user_email',
+                'django_user_email_verified',
+                'django_user_first_name',
+                'django_user_identifier',
+                'django_user_last_name',
+            ]
         elif client.name == 'test2':
             assert claims.count() == 3
-            assert (
-                sorted(claims.values_list('name', flat=True))
-                == ['family_name', 'given_name', 'preferred_username']
-            )
-            assert (
-                sorted(claims.values_list('value', flat=True))
-                == ['django_user_first_name', 'django_user_last_name', 'django_user_username']
-            )
+            assert sorted(claims.values_list('name', flat=True)) == [
+                'family_name',
+                'given_name',
+                'preferred_username',
+            ]
+            assert sorted(claims.values_list('value', flat=True)) == [
+                'django_user_first_name',
+                'django_user_last_name',
+                'django_user_username',
+            ]
         elif client.name == 'test3':
             assert claims.count() == 5
-            assert (
-                sorted(claims.values_list('name', flat=True))
-                == ['email', 'email_verified', 'family_name', 'given_name', 'preferred_username']
-            )
-            assert (
-                sorted(claims.values_list('value', flat=True))
-                == ['django_user_email', 'django_user_email_verified',
-                    'django_user_first_name', 'django_user_full_name',
-                    'django_user_last_name']
-            )
+            assert sorted(claims.values_list('name', flat=True)) == [
+                'email',
+                'email_verified',
+                'family_name',
+                'given_name',
+                'preferred_username',
+            ]
+            assert sorted(claims.values_list('value', flat=True)) == [
+                'django_user_email',
+                'django_user_email_verified',
+                'django_user_first_name',
+                'django_user_full_name',
+                'django_user_last_name',
+            ]
         else:
             assert claims.count() == 0
 
@@ -1145,10 +1275,11 @@ def test_api_synchronization(app, oidc_client):
     status = 200
     if oidc_client.identifier_policy not in (OIDCClient.POLICY_PAIRWISE_REVERSIBLE, OIDCClient.POLICY_UUID):
         status = 401
-    response = app.post_json('/api/users/synchronization/',
-                             params={
-                                 'known_uuids': [make_sub(oidc_client, user) for user in users]},
-                             status=status)
+    response = app.post_json(
+        '/api/users/synchronization/',
+        params={'known_uuids': [make_sub(oidc_client, user) for user in users]},
+        status=status,
+    )
     if status == 200:
         assert response.json['result'] == 1
         assert set(response.json['unknown_uuids']) == deleted_subs
@@ -1163,8 +1294,11 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
         asked_on_registration=False,
         required=False,
         user_visible=False,
-        user_editable=False)
-    OIDCClaim.objects.create(client=normal_oidc_client, name='phone', value='django_user_phone', scopes='phone')
+        user_editable=False,
+    )
+    OIDCClaim.objects.create(
+        client=normal_oidc_client, name='phone', value='django_user_phone', scopes='phone'
+    )
     normal_oidc_client.authorization_flow = normal_oidc_client.FLOW_AUTHORIZATION_CODE
     normal_oidc_client.authorization_mode = normal_oidc_client.AUTHORIZATION_MODE_NONE
     normal_oidc_client.save()
@@ -1195,11 +1329,15 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
         code = query['code'][0]
 
         token_url = make_url('oidc-token')
-        response = app.post(token_url, params={
-            'grant_type': 'authorization_code',
-            'code': code,
-            'redirect_uri': oidc_client.redirect_uris.split()[0],
-        }, headers=client_authentication_headers(oidc_client))
+        response = app.post(
+            token_url,
+            params={
+                'grant_type': 'authorization_code',
+                'code': code,
+                'redirect_uri': oidc_client.redirect_uris.split()[0],
+            },
+            headers=client_authentication_headers(oidc_client),
+        )
         access_token = response.json['access_token']
         id_token = response.json['id_token']
 
@@ -1259,12 +1397,14 @@ def test_claim_templated(oidc_settings, normal_oidc_client, simple_user, app):
         client=normal_oidc_client,
         name='given_name',
         value='{{ django_user_first_name|add:"ounet" }}',
-        scopes='profile')
+        scopes='profile',
+    )
     OIDCClaim.objects.create(
         client=normal_oidc_client,
         name='family_name',
         value='{{ "Von der "|add:django_user_last_name }}',
-        scopes='profile')
+        scopes='profile',
+    )
     normal_oidc_client.authorization_flow = normal_oidc_client.FLOW_AUTHORIZATION_CODE
     normal_oidc_client.authorization_mode = normal_oidc_client.AUTHORIZATION_MODE_NONE
     normal_oidc_client.save()
@@ -1292,11 +1432,15 @@ def test_claim_templated(oidc_settings, normal_oidc_client, simple_user, app):
         code = query['code'][0]
 
         token_url = make_url('oidc-token')
-        response = app.post(token_url, params={
-            'grant_type': 'authorization_code',
-            'code': code,
-            'redirect_uri': oidc_client.redirect_uris.split()[0],
-        }, headers=client_authentication_headers(oidc_client))
+        response = app.post(
+            token_url,
+            params={
+                'grant_type': 'authorization_code',
+                'code': code,
+                'redirect_uri': oidc_client.redirect_uris.split()[0],
+            },
+            headers=client_authentication_headers(oidc_client),
+        )
         access_token = response.json['access_token']
         id_token = response.json['id_token']
 
@@ -1323,7 +1467,8 @@ def test_claim_templated(oidc_settings, normal_oidc_client, simple_user, app):
 
 
 def test_client_validate_redirect_uri():
-    client = OIDCClient(redirect_uris='''http://example.com
+    client = OIDCClient(
+        redirect_uris='''http://example.com
 http://example2.com/
 http://example3.com/toto
 http://*example4.com/
@@ -1331,40 +1476,43 @@ http://example5.com/toto*
 http://example6.com/#*
 http://example7.com/?*
 http://example8.com/?*#*
-''')
+'''
+    )
     # ok
     for uri in [
-            'http://example.com',
-            'http://example.com/',
-            'http://example2.com',
-            'http://example2.com/',
-            'http://example3.com/toto',
-            'http://example3.com/toto/',
-            'http://example4.com/',
-            'http://example4.com',
-            'http://coin.example4.com',
-            'http://coin.example4.com/',
-            'http://example5.com/toto',
-            'http://example5.com/toto/',
-            'http://example5.com/toto/tata',
-            'http://example5.com/toto/tata/',
-            'http://example6.com/#some-fragment',
-            'http://example7.com/?foo=bar',
-            'http://example8.com/?foo=bar#some-fragment']:
+        'http://example.com',
+        'http://example.com/',
+        'http://example2.com',
+        'http://example2.com/',
+        'http://example3.com/toto',
+        'http://example3.com/toto/',
+        'http://example4.com/',
+        'http://example4.com',
+        'http://coin.example4.com',
+        'http://coin.example4.com/',
+        'http://example5.com/toto',
+        'http://example5.com/toto/',
+        'http://example5.com/toto/tata',
+        'http://example5.com/toto/tata/',
+        'http://example6.com/#some-fragment',
+        'http://example7.com/?foo=bar',
+        'http://example8.com/?foo=bar#some-fragment',
+    ]:
         client.validate_redirect_uri(uri)
     # nok
     for uri in [
-            'http://coin.example.com/',
-            'http://example.com/toto/',
-            'http://coin.example.com',
-            'http://example3.com/',
-            'http://example3.com',
-            'http://coinexample4.com',
-            'http://coinexample4.com/',
-            'http://example5.com/tototata/',
-            'http://example5.com/tototata',
-            'http://example6.com/?foo=bar',
-            'http://example7.com/#some-fragment']:
+        'http://coin.example.com/',
+        'http://example.com/toto/',
+        'http://coin.example.com',
+        'http://example3.com/',
+        'http://example3.com',
+        'http://coinexample4.com',
+        'http://coinexample4.com/',
+        'http://example5.com/tototata/',
+        'http://example5.com/tototata',
+        'http://example6.com/?foo=bar',
+        'http://example7.com/#some-fragment',
+    ]:
         with pytest.raises(ValueError, match=r'is not declared'):
             client.validate_redirect_uri(uri)
     client.validate_redirect_uri('http://example5.com/toto/' + 'a' * 500)
@@ -1376,8 +1524,7 @@ def test_filter_api_users(app, oidc_client, admin, simple_user, role_random):
     oidc_client.has_api_access = True
     oidc_client.save()
 
-    if (oidc_client.identifier_policy not in
-            (oidc_client.POLICY_UUID, oidc_client.POLICY_PAIRWISE_REVERSIBLE)):
+    if oidc_client.identifier_policy not in (oidc_client.POLICY_UUID, oidc_client.POLICY_PAIRWISE_REVERSIBLE):
         return
 
     app.authorization = ('Basic', (oidc_client.client_id, oidc_client.client_secret))
@@ -1450,7 +1597,8 @@ def test_credentials_grant(app, oidc_client, admin, simple_user):
 
 
 def test_credentials_grant_ratelimitation_invalid_client(
-        app, oidc_client, admin, simple_user, oidc_settings, freezer):
+    app, oidc_client, admin, simple_user, oidc_settings, freezer
+):
     freezer.move_to('2020-01-01')
 
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
@@ -1473,7 +1621,8 @@ def test_credentials_grant_ratelimitation_invalid_client(
 
 
 def test_credentials_grant_ratelimitation_valid_client(
-        app, oidc_client, admin, simple_user, oidc_settings, freezer):
+    app, oidc_client, admin, simple_user, oidc_settings, freezer
+):
     freezer.move_to('2020-01-01')
 
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
@@ -1493,8 +1642,7 @@ def test_credentials_grant_ratelimitation_valid_client(
     assert response.json['error_description'] == 'Rate limit of 100/m exceeded for client "oidcclient"'
 
 
-def test_credentials_grant_retrytimout(
-        app, oidc_client, admin, simple_user, settings, freezer):
+def test_credentials_grant_retrytimout(app, oidc_client, admin, simple_user, settings, freezer):
     freezer.move_to('2020-01-01')
 
     settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION = 2
@@ -1525,8 +1673,7 @@ def test_credentials_grant_retrytimout(
     assert 'id_token' in response.json
 
 
-def test_credentials_grant_invalid_flow(
-        app, oidc_client, admin, simple_user, settings):
+def test_credentials_grant_invalid_flow(app, oidc_client, admin, simple_user, settings):
     params = {
         'client_id': oidc_client.client_id,
         'client_secret': oidc_client.client_secret,
@@ -1540,8 +1687,7 @@ def test_credentials_grant_invalid_flow(
     assert 'is not configured' in response.json['error_description']
 
 
-def test_credentials_grant_invalid_client(
-        app, oidc_client, admin, simple_user, settings):
+def test_credentials_grant_invalid_client(app, oidc_client, admin, simple_user, settings):
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
     params = {
@@ -1557,8 +1703,7 @@ def test_credentials_grant_invalid_client(
     assert response.json['error_description'] == 'Wrong client secret'
 
 
-def test_credentials_grant_unauthz_client(
-        app, oidc_client, admin, simple_user, settings):
+def test_credentials_grant_unauthz_client(app, oidc_client, admin, simple_user, settings):
     params = {
         'client_id': oidc_client.client_id,
         'client_secret': oidc_client.client_secret,
@@ -1572,8 +1717,7 @@ def test_credentials_grant_unauthz_client(
     assert 'Client is not configured for resource owner' in response.json['error_description']
 
 
-def test_credentials_grant_invalid_content_type(
-        app, oidc_client, admin, simple_user, settings):
+def test_credentials_grant_invalid_content_type(app, oidc_client, admin, simple_user, settings):
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
     params = {
@@ -1584,16 +1728,14 @@ def test_credentials_grant_invalid_content_type(
         'password': simple_user.username,
     }
     token_url = make_url('oidc-token')
-    response = app.post(
-        token_url, params=params,
-        content_type='multipart/form-data',
-        status=400)
+    response = app.post(token_url, params=params, content_type='multipart/form-data', status=400)
     assert response.json['error'] == 'invalid_request'
     assert 'Wrong content type' in response.json['error_description']
 
 
 def test_credentials_grant_ou_selection_simple(
-        app, oidc_client, admin, user_ou1, user_ou2, ou1, ou2, settings):
+    app, oidc_client, admin, user_ou1, user_ou2, ou1, ou2, settings
+):
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
     params = {
@@ -1615,7 +1757,8 @@ def test_credentials_grant_ou_selection_simple(
 
 
 def test_credentials_grant_ou_selection_username_not_unique(
-        app, oidc_client, admin, user_ou1, admin_ou2, ou1, ou2, settings):
+    app, oidc_client, admin, user_ou1, admin_ou2, ou1, ou2, settings
+):
     settings.A2_USERNAME_IS_UNIQUE = False
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
@@ -1640,7 +1783,8 @@ def test_credentials_grant_ou_selection_username_not_unique(
 
 
 def test_credentials_grant_ou_selection_username_not_unique_wrong_ou(
-        app, oidc_client, admin, user_ou1, admin_ou2, ou1, ou2, settings):
+    app, oidc_client, admin, user_ou1, admin_ou2, ou1, ou2, settings
+):
     settings.A2_USERNAME_IS_UNIQUE = False
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
@@ -1663,8 +1807,7 @@ def test_credentials_grant_ou_selection_username_not_unique_wrong_ou(
     assert response.json['error_description'] == 'Invalid user credentials'
 
 
-def test_credentials_grant_ou_selection_invalid_ou(
-        app, oidc_client, admin, user_ou1, settings):
+def test_credentials_grant_ou_selection_invalid_ou(app, oidc_client, admin, user_ou1, settings):
     oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
     oidc_client.save()
     params = {
@@ -1678,37 +1821,42 @@ def test_credentials_grant_ou_selection_invalid_ou(
     token_url = make_url('oidc-token')
     response = app.post(token_url, params=params, status=400)
     assert response.json['error'] == 'invalid_request'
-    assert response.json['error_description'] == 'Parameter "ou_slug" does not match an existing organizational unit'
+    assert (
+        response.json['error_description']
+        == 'Parameter "ou_slug" does not match an existing organizational unit'
+    )
 
 
 def test_oidc_client_clean():
     OIDCClient(
-        redirect_uris='https://example.com/ https://example2.com/',
-        identifier_policy=OIDCClient.POLICY_UUID).clean()
+        redirect_uris='https://example.com/ https://example2.com/', identifier_policy=OIDCClient.POLICY_UUID
+    ).clean()
 
     with pytest.raises(ValidationError, match=r'same domain'):
         OIDCClient(
             redirect_uris='https://example.com/ https://example2.com/',
-            identifier_policy=OIDCClient.POLICY_PAIRWISE_REVERSIBLE).clean()
+            identifier_policy=OIDCClient.POLICY_PAIRWISE_REVERSIBLE,
+        ).clean()
 
     with pytest.raises(ValidationError, match=r'same domain'):
         OIDCClient(
             redirect_uris='https://example.com/ https://example2.com/',
-            identifier_policy=OIDCClient.POLICY_PAIRWISE).clean()
+            identifier_policy=OIDCClient.POLICY_PAIRWISE,
+        ).clean()
 
     with pytest.raises(ValidationError, match=r'same domain'):
         OIDCClient(
             redirect_uris='https://example.com/ https://example2.com/',
-            identifier_policy=OIDCClient.POLICY_PAIRWISE).clean()
+            identifier_policy=OIDCClient.POLICY_PAIRWISE,
+        ).clean()
 
     with pytest.raises(ValidationError, match=r'within an OU'):
-        OIDCClient(
-            authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU,
-            ou=None).clean()
+        OIDCClient(authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU, ou=None).clean()
 
     OIDCClient(
         redirect_uris='https://example.com/ https://example2.com/',
-        sector_identifier_uri='https://example.com/').clean()
+        sector_identifier_uri='https://example.com/',
+    ).clean()
 
 
 def test_oidc_authorized_oauth_services_view(app, oidc_client, simple_user):
@@ -1726,49 +1874,56 @@ def test_oidc_authorized_oauth_services_view(app, oidc_client, simple_user):
     OU = get_ou_model()
     ou1 = OU.objects.create(name='Orgunit1', slug='orgunit1')
     OIDCAuthorization.objects.create(
-        client=ou1, user=simple_user, scopes='openid profile email',
-        expired=now() + datetime.timedelta(days=2))
+        client=ou1,
+        user=simple_user,
+        scopes='openid profile email',
+        expired=now() + datetime.timedelta(days=2),
+    )
     # create service authzs
     OIDCAuthorization.objects.create(
-        client=oidc_client, user=simple_user, scopes='openid',
-        expired=now() + datetime.timedelta(days=2))
+        client=oidc_client, user=simple_user, scopes='openid', expired=now() + datetime.timedelta(days=2)
+    )
     OIDCAuthorization.objects.create(
-        client=oidc_client, user=simple_user, scopes='openid profile',
-        expired=now() + datetime.timedelta(days=2))
+        client=oidc_client,
+        user=simple_user,
+        scopes='openid profile',
+        expired=now() + datetime.timedelta(days=2),
+    )
     OIDCAuthorization.objects.create(
-        client=oidc_client, user=simple_user, scopes='openid profile email',
-        expired=now() + datetime.timedelta(days=2))
+        client=oidc_client,
+        user=simple_user,
+        scopes='openid profile email',
+        expired=now() + datetime.timedelta(days=2),
+    )
 
     response = app.get(url, status=200)
     assert "You have given authorizations to access your account profile data." in response.text
-    assert len(response.html.find_all(
-        'button', {'class': 'authorized-oauth-services--revoke-button'})) == 4
+    assert len(response.html.find_all('button', {'class': 'authorized-oauth-services--revoke-button'})) == 4
 
     # revoke two service authz
     response = response.forms[1].submit()
     response = response.follow()
-    assert len(response.html.find_all(
-        'button', {'class': 'authorized-oauth-services--revoke-button'})) == 3
-    assert OIDCAuthorization.objects.filter(
-        client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 2
+    assert len(response.html.find_all('button', {'class': 'authorized-oauth-services--revoke-button'})) == 3
+    assert (
+        OIDCAuthorization.objects.filter(client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 2
+    )
     response = response.forms[1].submit()
     response = response.follow()
-    assert len(response.html.find_all(
-        'button', {'class': 'authorized-oauth-services--revoke-button'})) == 2
-    assert OIDCAuthorization.objects.filter(
-        client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 1
+    assert len(response.html.find_all('button', {'class': 'authorized-oauth-services--revoke-button'})) == 2
+    assert (
+        OIDCAuthorization.objects.filter(client_ct=ContentType.objects.get_for_model(OIDCClient)).count() == 1
+    )
 
     # revoke the only OU authz
     response = response.forms[0].submit()
     response = response.follow()
-    assert len(response.html.find_all(
-        'button', {'class': 'authorized-oauth-services--revoke-button'})) == 1
-    assert OIDCAuthorization.objects.filter(
-        client_ct=ContentType.objects.get_for_model(OU)).count() == 0
+    assert len(response.html.find_all('button', {'class': 'authorized-oauth-services--revoke-button'})) == 1
+    assert OIDCAuthorization.objects.filter(client_ct=ContentType.objects.get_for_model(OU)).count() == 0
 
 
 def test_oidc_good_next_url_hook(app, oidc_client):
     from django.test.client import RequestFactory
+
     rf = RequestFactory()
     request = rf.get('/')
     assert good_next_url(request, 'https://example.com/')
@@ -1780,15 +1935,15 @@ def access_token(client, simple_user):
         client=client,
         user=simple_user,
         scopes='openid profile email',
-        expired=now() + datetime.timedelta(seconds=3600))
+        expired=now() + datetime.timedelta(seconds=3600),
+    )
 
 
 def test_user_info(app, client, access_token, freezer):
     def get_user_info(**kwargs):
         return app.get(
-            '/idp/oidc/user_info/',
-            headers=bearer_authentication_headers(access_token.uuid),
-            **kwargs)
+            '/idp/oidc/user_info/', headers=bearer_authentication_headers(access_token.uuid), **kwargs
+        )
 
     response = app.get('/idp/oidc/user_info/', status=401)
     assert (
@@ -1796,8 +1951,7 @@ def test_user_info(app, client, access_token, freezer):
         == 'Bearer error="invalid_request", error_description="Bearer authentication is mandatory"'
     )
 
-    response = app.get('/idp/oidc/user_info/',
-                       headers={'Authorization': 'Bearer'}, status=401)
+    response = app.get('/idp/oidc/user_info/', headers={'Authorization': 'Bearer'}, status=401)
     assert (
         response['WWW-Authenticate']
         == 'Bearer error="invalid_request", error_description="Invalid Bearer authentication"'
@@ -1827,10 +1981,7 @@ def test_user_info(app, client, access_token, freezer):
     # token is unknown
     access_token.delete()
     response = get_user_info(status=401)
-    assert (
-        response['WWW-Authenticate']
-        == 'Bearer error="invalid_token", error_description="Token unknown"'
-    )
+    assert response['WWW-Authenticate'] == 'Bearer error="invalid_token", error_description="Token unknown"'
 
     utils.login(app, access_token.user)
     access_token.expired = now() + datetime.timedelta(seconds=1)
@@ -1858,10 +2009,8 @@ def session(settings, db, simple_user):
 
 def test_access_token_is_valid_session(simple_oidc_client, simple_user, session):
     token = OIDCAccessToken.objects.create(
-        client=simple_oidc_client,
-        user=simple_user,
-        scopes='openid',
-        session_key=session.session_key)
+        client=simple_oidc_client, user=simple_user, scopes='openid', session_key=session.session_key
+    )
 
     assert token.is_valid()
     session.flush()
@@ -1873,10 +2022,8 @@ def test_access_token_is_valid_expired(simple_oidc_client, simple_user, freezer)
     expired = start + datetime.timedelta(seconds=30)
 
     token = OIDCAccessToken.objects.create(
-        client=simple_oidc_client,
-        user=simple_user,
-        scopes='openid',
-        expired=expired)
+        client=simple_oidc_client, user=simple_user, scopes='openid', expired=expired
+    )
 
     assert token.is_valid()
     freezer.move_to(expired)
@@ -1885,9 +2032,7 @@ def test_access_token_is_valid_expired(simple_oidc_client, simple_user, freezer)
     assert not token.is_valid()
 
 
-def test_access_token_is_valid_session_and_expired(simple_oidc_client,
-                                                   simple_user,
-                                                   session, freezer):
+def test_access_token_is_valid_session_and_expired(simple_oidc_client, simple_user, session, freezer):
     start = now()
     expired = start + datetime.timedelta(seconds=30)
 
@@ -1896,7 +2041,8 @@ def test_access_token_is_valid_session_and_expired(simple_oidc_client,
         user=simple_user,
         scopes='openid',
         session_key=session.session_key,
-        expired=expired)
+        expired=expired,
+    )
 
     assert token.is_valid()
     freezer.move_to(expired)
diff --git a/tests/test_idp_saml2.py b/tests/test_idp_saml2.py
index 209a434a..98931c38 100644
--- a/tests/test_idp_saml2.py
+++ b/tests/test_idp_saml2.py
@@ -59,7 +59,9 @@ def get_idp_metadata(app):
     response = app.get('/idp/saml2/metadata')
     # FIXME: add better test of well formedness for metadata
     assert response['Content-type'] == 'text/xml', 'metadata endpoint did not return an XML document'
-    assert 'IDPSSODescriptor' in response.text, 'metadata endpoint does not contain an IDPSSODescriptor element'
+    assert (
+        'IDPSSODescriptor' in response.text
+    ), 'metadata endpoint does not contain an IDPSSODescriptor element'
     return response.text
 
 
@@ -80,12 +82,8 @@ def keys():
 @pytest.fixture()
 def idp(saml_settings, db):
     code_attribute = Attribute.objects.create(kind='string', name='code', label='Code')
-    mobile_attribute = Attribute.objects.create(kind='string', name='mobile',
-                                                     label='Mobile')
-    avatar_attribute = Attribute.objects.create(
-        kind='profile_image',
-        name='avatar',
-        label='Avatar')
+    mobile_attribute = Attribute.objects.create(kind='string', name='mobile', label='Mobile')
+    avatar_attribute = Attribute.objects.create(kind='profile_image', name='avatar', label='Avatar')
     default_ou = OrganizationalUnit.objects.get()
     return Raw(locals())
 
@@ -96,11 +94,7 @@ def user(idp):
     username = 'john.doe'
     first_name = 'John'
     last_name = 'Doe'
-    user = User.objects.create(
-        email=email,
-        username=username,
-        first_name=first_name,
-        last_name=last_name)
+    user = User.objects.create(email=email, username=username, first_name=first_name, last_name=last_name)
     idp.code_attribute.set_value(user, '1234', verified=True)
     idp.mobile_attribute.set_value(user, '5678', verified=True)
     with open('tests/200x200.jpg', 'rb') as fd:
@@ -155,85 +149,76 @@ class SamlSP(object):
         self.base_url = 'https://sp.example.com'
         self.name = 'Test SP'
         self.slug = 'test-sp'
-        self.idp_entity_idp = 'http://testserver/idp/saml2/metadata',
+        self.idp_entity_idp = ('http://testserver/idp/saml2/metadata',)
         self.default_name_id_format = 'email'
         self.accepted_name_id_format = ['email', 'persistent', 'transient', 'username']
         self.ou = OrganizationalUnit.objects.get()
         self.__dict__.update(kwargs)
 
         self.provider = saml_models.LibertyProvider(
-            name=self.name,
-            slug=self.slug,
-            ou=self.ou,
-            metadata=self.get_metadata())
+            name=self.name, slug=self.slug, ou=self.ou, metadata=self.get_metadata()
+        )
         self.provider.clean()
         self.provider.save()
         self.service = saml_models.LibertyServiceProvider.objects.create(
-            liberty_provider=self.provider,
-            enabled=True)
+            liberty_provider=self.provider, enabled=True
+        )
         self.default_sp_options_idp_policy = saml_models.SPOptionsIdPPolicy.objects.create(
             name='Default',
             enabled=True,
             authn_request_signed=False,
             default_name_id_format=self.default_name_id_format,
-            accepted_name_id_format=self.accepted_name_id_format)
+            accepted_name_id_format=self.accepted_name_id_format,
+        )
 
         # Admin role
         self.admin_role = Role.objects.create(
-            name='Administrator',
-            slug='administrator',
-            service=self.provider)
-        self.admin_role.attributes.create(
-            name='superuser',
-            kind='string',
-            value='true')
+            name='Administrator', slug='administrator', service=self.provider
+        )
+        self.admin_role.attributes.create(name='superuser', kind='string', value='true')
 
         # SAML attributes mapping
         self.saml_first_name_attribute = self.provider.attributes.create(
             name_format='basic',
             name='first-name',
             friendly_name='First name',
-            attribute_name='django_user_first_name')
+            attribute_name='django_user_first_name',
+        )
         self.saml_last_name_attribute = self.provider.attributes.create(
             name_format='basic',
             name='last-name',
             friendly_name='Last name',
-            attribute_name='django_user_last_name')
+            attribute_name='django_user_last_name',
+        )
         self.saml_superuser_attribute = self.provider.attributes.create(
             name_format='basic',
             name='superuser',
             friendly_name='Superuser status',
-            attribute_name='superuser')
+            attribute_name='superuser',
+        )
         self.saml_code_attribute = self.provider.attributes.create(
-            name_format='basic',
-            name='code_code',
-            friendly_name='code',
-            attribute_name='django_user_code')
+            name_format='basic', name='code_code', friendly_name='code', attribute_name='django_user_code'
+        )
         self.saml_mobile_attribute = self.provider.attributes.create(
-            name_format='basic',
-            name='mobile',
-            friendly_name='mobile',
-            attribute_name='django_user_mobile')
+            name_format='basic', name='mobile', friendly_name='mobile', attribute_name='django_user_mobile'
+        )
         self.saml_verified_attributes = self.provider.attributes.create(
             name_format='basic',
             name='verified_attributes',
             friendly_name='Verified attributes',
-            attribute_name='@verified_attributes@')
+            attribute_name='@verified_attributes@',
+        )
         self.saml_avatar_attribute = self.provider.attributes.create(
-            name_format='basic',
-            name='avatar',
-            friendly_name='Avatar',
-            attribute_name='django_user_avatar')
+            name_format='basic', name='avatar', friendly_name='Avatar', attribute_name='django_user_avatar'
+        )
         self.role_authorized = Role.objects.create(name='PC Delta', slug='pc-delta')
         self.provider.unauthorized_url = 'https://whatever.com/loser/'
         self.provider.save()
 
     def get_metadata(self):
         return Template(self.METADATA_TPL).render(
-            Context(dict(
-                base_url=self.base_url,
-                binding=self.binding,
-                keys=self.keys)))
+            Context(dict(base_url=self.base_url, binding=self.binding, keys=self.keys))
+        )
 
     def get_server(self):
         if not self.server:
@@ -245,17 +230,18 @@ class SamlSP(object):
         return self.server
 
     def make_authn_request(
-            self,
-            entity_id=None,
-            method=lasso.HTTP_METHOD_REDIRECT,
-            allow_create=True,
-            format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
-            relay_state=None,
-            force_authn=None,
-            is_passive=None,
-            sp_name_qualifier=None,
-            name_id_policy=True,
-            login_hints=None):
+        self,
+        entity_id=None,
+        method=lasso.HTTP_METHOD_REDIRECT,
+        allow_create=True,
+        format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+        relay_state=None,
+        force_authn=None,
+        is_passive=None,
+        sp_name_qualifier=None,
+        name_id_policy=True,
+        login_hints=None,
+    ):
         server = self.get_server()
         login = self.login = lasso.Login(server)
         if not self.keys:
@@ -280,12 +266,12 @@ class SamlSP(object):
             request.nameIdPolicy = None
         request.extensions = lasso.Samlp2Extensions()
         # extension with unicode characters !! test dumping in saml2_endpoints and continue_sso
-        request.extensions.any = (
-            force_str('<extension xmlns="http://example.com/">éé</extension>'),
-        )
+        request.extensions.any = (force_str('<extension xmlns="http://example.com/">éé</extension>'),)
         if login_hints:
             request.extensions.any = (
-                force_str('<login-hint xmlns="https://www.entrouvert.com/">%s</login-hint>' % ' '.join(login_hints)),
+                force_str(
+                    '<login-hint xmlns="https://www.entrouvert.com/">%s</login-hint>' % ' '.join(login_hints)
+                ),
             )
         login.buildAuthnRequestMsg()
         url_parsed = urlparse.urlparse(login.msgUrl)
@@ -314,9 +300,8 @@ class SamlSP(object):
         login.initRequest(force_str(query_string), method)
         login.buildRequestMsg()
         response = self.app.post(
-            login.msgUrl,
-            params=force_bytes(login.msgBody),
-            headers={'content-type': str('text/xml')})
+            login.msgUrl, params=force_bytes(login.msgBody), headers={'content-type': str('text/xml')}
+        )
         login.processResponseMsg(force_str(response.text))
         login.acceptSso()
 
@@ -348,10 +333,9 @@ class Scenario(object):
             **{
                 'nonce': '*',
                 SERVICE_FIELD_NAME: 'default ' + self.sp.slug,
-                REDIRECT_FIELD_NAME: make_url(
-                    'a2-idp-saml-continue',
-                    params={NONCE_FIELD_NAME: request_id}),
-            })
+                REDIRECT_FIELD_NAME: make_url('a2-idp-saml-continue', params={NONCE_FIELD_NAME: request_id}),
+            },
+        )
         self.nonce = urlparse.parse_qs(urlparse.urlparse(response['Location']).query)['nonce'][0]
         url = response['Location']
         response = self.app.get(url)
@@ -365,15 +349,15 @@ class Scenario(object):
         response.form.set('username', user.username)
         response.form.set('password', user.username)
         response = response.form.submit(name='login-password-submit')
-        utils.assert_redirects_complex(response, reverse('a2-idp-saml-continue'),
-                                       nonce=self.nonce)
+        utils.assert_redirects_complex(response, reverse('a2-idp-saml-continue'), nonce=self.nonce)
         self.idp_response = response.follow()
         return response
 
     def cancel(self):
         response = self.login_page_response.form.submit(name='cancel')
-        utils.assert_redirects_complex(response, reverse('a2-idp-saml-continue'),
-                                       cancel='*', nonce=self.nonce)
+        utils.assert_redirects_complex(
+            response, reverse('a2-idp-saml-continue'), cancel='*', nonce=self.nonce
+        )
         self.idp_response = response.follow()
         return response
 
@@ -402,8 +386,10 @@ class Scenario(object):
         assertion = login.assertion
         session_not_on_or_after = login.assertion.authnStatement[0].sessionNotOnOrAfter
         assert session_not_on_or_after is not None
-        assert datetime.datetime.strptime(
-            session_not_on_or_after, '%Y-%m-%dT%H:%M:%SZ') > datetime.datetime.utcnow()
+        assert (
+            datetime.datetime.strptime(session_not_on_or_after, '%Y-%m-%dT%H:%M:%SZ')
+            > datetime.datetime.utcnow()
+        )
         assertion_xml = assertion.exportToXml()
         namespaces = {
             'saml': lasso.SAML2_ASSERTION_HREF,
@@ -421,78 +407,128 @@ class Scenario(object):
                     assert name_id.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED
                     assert force_text(name_id.content) == user.uuid
                 else:
-                    raise NotImplementedError('unknown default_name_id_format %s' % self.sp.default_name_id_format)
+                    raise NotImplementedError(
+                        'unknown default_name_id_format %s' % self.sp.default_name_id_format
+                    )
             elif nid_format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
                 federation = saml_models.LibertyFederation.objects.get()
                 constraints += (
-                    ('/saml:Assertion/saml:Subject/saml:NameID',
-                        federation.name_id_content),
-                    ('/saml:Assertion/saml:Subject/saml:NameID/@Format',
-                        lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT),
-                    ('/saml:Assertion/saml:Subject/saml:NameID/@SPNameQualifier',
-                        '%s/' % self.sp.base_url),
-
+                    ('/saml:Assertion/saml:Subject/saml:NameID', federation.name_id_content),
+                    (
+                        '/saml:Assertion/saml:Subject/saml:NameID/@Format',
+                        lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+                    ),
+                    ('/saml:Assertion/saml:Subject/saml:NameID/@SPNameQualifier', '%s/' % self.sp.base_url),
                 )
-            elif (nid_format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL
-                  or (not nid_format and self.sp.default_name_id_format == 'email')):
+            elif nid_format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL or (
+                not nid_format and self.sp.default_name_id_format == 'email'
+            ):
                 constraints += (
-                    ('/saml:Assertion/saml:Subject/saml:NameID',
-                        self.email),
-                    ('/saml:Assertion/saml:Subject/saml:NameID/@Format',
-                        lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL),
+                    ('/saml:Assertion/saml:Subject/saml:NameID', self.email),
+                    (
+                        '/saml:Assertion/saml:Subject/saml:NameID/@Format',
+                        lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL,
+                    ),
                 )
         constraints += (
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='first-name']/"
-                "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='first-name']/"
-                "@FriendlyName", 'First name'),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='first-name']/"
-                "saml:AttributeValue", 'John'),
-
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='last-name']/"
-                "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='last-name']/"
-                "@FriendlyName", 'Last name'),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='last-name']/"
-                "saml:AttributeValue", 'Doe'),
-
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='code_code']/"
-                "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='code_code']/"
-                "@FriendlyName", 'code'),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='code_code']/"
-                "saml:AttributeValue", '1234'),
-
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='mobile']/"
-                "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='mobile']/"
-                "@FriendlyName", 'mobile'),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='mobile']/"
-                "saml:AttributeValue", '5678'),
-
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/"
-                "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/"
-                "@FriendlyName", 'Avatar'),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/"
-                "saml:AttributeValue", re.compile('^http://testserver/media/profile-image/.*$')),
-
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/"
-                "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/"
-                "@FriendlyName", 'Verified attributes'),
-            ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/"
-                "saml:AttributeValue", set(['code_code', 'mobile'])),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='first-name']/" "@NameFormat",
+                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='first-name']/" "@FriendlyName",
+                'First name',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='first-name']/"
+                "saml:AttributeValue",
+                'John',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='last-name']/" "@NameFormat",
+                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='last-name']/" "@FriendlyName",
+                'Last name',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='last-name']/"
+                "saml:AttributeValue",
+                'Doe',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='code_code']/" "@NameFormat",
+                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='code_code']/" "@FriendlyName",
+                'code',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='code_code']/"
+                "saml:AttributeValue",
+                '1234',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='mobile']/" "@NameFormat",
+                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='mobile']/" "@FriendlyName",
+                'mobile',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='mobile']/"
+                "saml:AttributeValue",
+                '5678',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/" "@NameFormat",
+                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/" "@FriendlyName",
+                'Avatar',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='avatar']/"
+                "saml:AttributeValue",
+                re.compile('^http://testserver/media/profile-image/.*$'),
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/"
+                "@NameFormat",
+                lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/"
+                "@FriendlyName",
+                'Verified attributes',
+            ),
+            (
+                "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='verified_attributes']/"
+                "saml:AttributeValue",
+                set(['code_code', 'mobile']),
+            ),
         )
         if user is not None and self.sp.admin_role in user.roles.all():
             constraints += (
-
-                ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='superuser']/"
-                    "@NameFormat", lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC),
-                ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='superuser']/"
-                    "@FriendlyName", 'Superuser status'),
-                ("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='superuser']/"
-                    "saml:AttributeValue", 'true'),
+                (
+                    "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='superuser']/"
+                    "@NameFormat",
+                    lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC,
+                ),
+                (
+                    "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='superuser']/"
+                    "@FriendlyName",
+                    'Superuser status',
+                ),
+                (
+                    "/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='superuser']/"
+                    "saml:AttributeValue",
+                    'true',
+                ),
             )
 
         utils.assert_xpath_constraints(assertion_xml, constraints, namespaces)
@@ -508,9 +544,8 @@ def test_sso_redirect_post(app, idp, user):
 
 def test_sso_post_post(app, idp, user):
     scenario = Scenario(
-        app,
-        make_authn_request_kwargs={'method': lasso.HTTP_METHOD_POST},
-        sp_kwargs=dict(binding='post'))
+        app, make_authn_request_kwargs={'method': lasso.HTTP_METHOD_POST}, sp_kwargs=dict(binding='post')
+    )
     scenario.launch_authn_request()
     scenario.login(user)
     scenario.handle_post_response()
@@ -542,12 +577,12 @@ def test_sso_no_name_id_policy_redirect(app, idp, user):
 
 
 def test_sso_nid_username(app, idp, user):
-    scenario = Scenario(app,
-                        sp_kwargs=dict(
-                            default_name_id_format='username'),
-                        make_authn_request_kwargs=dict(
-                            name_id_policy=False),
-                        check_federation=True)
+    scenario = Scenario(
+        app,
+        sp_kwargs=dict(default_name_id_format='username'),
+        make_authn_request_kwargs=dict(name_id_policy=False),
+        check_federation=True,
+    )
     scenario.launch_authn_request()
     scenario.login(user=user)
     scenario.handle_post_response()
@@ -555,12 +590,12 @@ def test_sso_nid_username(app, idp, user):
 
 
 def test_sso_nid_uuid(app, idp, user):
-    scenario = Scenario(app,
-                        sp_kwargs=dict(
-                            default_name_id_format='uuid'),
-                        make_authn_request_kwargs=dict(
-                            name_id_policy=False),
-                        check_federation=True)
+    scenario = Scenario(
+        app,
+        sp_kwargs=dict(default_name_id_format='uuid'),
+        make_authn_request_kwargs=dict(name_id_policy=False),
+        check_federation=True,
+    )
     scenario.launch_authn_request()
     scenario.login(user=user)
     scenario.handle_post_response()
@@ -586,8 +621,11 @@ def test_sso_authorized_role_nok(app, idp, user):
 
 
 def test_sso_redirect_artifact_login_hints(app, user, keys):
-    scenario = Scenario(app, sp_kwargs=dict(binding='artifact', keys=keys),
-                        make_authn_request_kwargs={'login_hints': ['backoffice']})
+    scenario = Scenario(
+        app,
+        sp_kwargs=dict(binding='artifact', keys=keys),
+        make_authn_request_kwargs={'login_hints': ['backoffice']},
+    )
     scenario.launch_authn_request()
     assert app.session['login-hint'] == ['backoffice']
     scenario.login(user)
@@ -598,23 +636,26 @@ def test_sso_redirect_artifact_login_hints(app, user, keys):
 @pytest.fixture
 def add_attributes(rf):
     with mock.patch('authentic2.idp.saml.saml2_endpoints.get_attribute_definitions') as get_definitions:
-        with mock.patch('authentic2.idp.saml.saml2_endpoints.get_attributes',
-                        wraps=saml2_endpoints.get_attributes) as get_attributes:
+        with mock.patch(
+            'authentic2.idp.saml.saml2_endpoints.get_attributes', wraps=saml2_endpoints.get_attributes
+        ) as get_attributes:
             request = rf.get('/')
             request.user = None
             assertion = lasso.Saml2Assertion()
             provider = Service()
 
             def func():
-                saml2_endpoints.add_attributes(func.request,
-                                               saml2_endpoints.get_entity_id(func.request),
-                                               func.assertion,
-                                               func.provider,
-                                               func.nid_format)
+                saml2_endpoints.add_attributes(
+                    func.request,
+                    saml2_endpoints.get_entity_id(func.request),
+                    func.assertion,
+                    func.provider,
+                    func.nid_format,
+                )
                 return {
-                    at.name: set([
-                        ''.join(force_text(mtn.dump()) for mtn in atv.any)
-                        for atv in at.attributeValue])
+                    at.name: set(
+                        [''.join(force_text(mtn.dump()) for mtn in atv.any) for atv in at.attributeValue]
+                    )
                     for at in assertion.attributeStatement[0].attribute
                 }
 
@@ -636,12 +677,8 @@ def test_add_attributes_empty_assertion(add_attributes):
         'last_name': ['Rigby'],
     }
     add_attributes.get_definitions.return_value = [
-        SAMLAttribute(name_format='basic',
-                      name='prenom',
-                      attribute_name='first_name'),
-        SAMLAttribute(name_format='basic',
-                      name='nom',
-                      attribute_name='last_name'),
+        SAMLAttribute(name_format='basic', name='prenom', attribute_name='first_name'),
+        SAMLAttribute(name_format='basic', name='nom', attribute_name='last_name'),
     ]
 
     # run
@@ -663,23 +700,19 @@ def test_add_attributes_initialized_assertion(add_attributes):
         'last_name': ['Rigby'],
     }
     add_attributes.get_definitions.return_value = [
-        SAMLAttribute(name_format='basic',
-                      name='prenom',
-                      attribute_name='first_name'),
-        SAMLAttribute(name_format='basic',
-                      name='nom',
-                      attribute_name='last_name'),
+        SAMLAttribute(name_format='basic', name='prenom', attribute_name='first_name'),
+        SAMLAttribute(name_format='basic', name='nom', attribute_name='last_name'),
     ]
 
     assertion = add_attributes.assertion
-    statement, = assertion.attributeStatement = [lasso.Saml2AttributeStatement()]
-    attribute, = statement.attribute = [
+    (statement,) = assertion.attributeStatement = [lasso.Saml2AttributeStatement()]
+    (attribute,) = statement.attribute = [
         lasso.Saml2Attribute(),
     ]
     attribute.name = 'prenom'
     attribute.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
-    atv, = attribute.attributeValue = [lasso.Saml2AttributeValue()]
-    mtn, = atv.any = [
+    (atv,) = attribute.attributeValue = [lasso.Saml2AttributeValue()]
+    (mtn,) = atv.any = [
         lasso.MiscTextNode.newWithString('coucou'),
     ]
     mtn.textChild = True
@@ -743,16 +776,16 @@ def test_make_edu_person_targeted_id(db, settings, rf):
         '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
     )
 
-    assert saml2_endpoints.make_edu_person_targeted_id_value(provider, user) == '_' + hashlib.sha256(
-        b'b' + b'https://sp.com/' + b'a').hexdigest().upper()
+    assert (
+        saml2_endpoints.make_edu_person_targeted_id_value(provider, user)
+        == '_' + hashlib.sha256(b'b' + b'https://sp.com/' + b'a').hexdigest().upper()
+    )
 
     edpt = saml2_endpoints.make_edu_person_targeted_id('http://testserver/idp/saml2/metadata', provider, user)
     assert edpt is not None
     node = lasso.Node.newFromXmlNode(force_str(ET.tostring(edpt)))
     assert isinstance(node, lasso.Saml2NameID)
-    assert force_text(node.content) == (
-        '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
-    )
+    assert force_text(node.content) == ('_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5')
     assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
 
     assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
@@ -769,12 +802,8 @@ def test_add_attributes_edu_person_targeted_id_nid_format(db, settings, rf, add_
     add_attributes.request.user = user
     add_attributes.nid_format = 'edupersontargetedid'
     add_attributes.get_definitions.return_value = [
-        SAMLAttribute(name_format='basic',
-                      name='prenom',
-                      attribute_name='django_user_first_name'),
-        SAMLAttribute(name_format='basic',
-                      name='nom',
-                      attribute_name='django_user_last_name'),
+        SAMLAttribute(name_format='basic', name='prenom', attribute_name='django_user_first_name'),
+        SAMLAttribute(name_format='basic', name='nom', attribute_name='django_user_last_name'),
     ]
 
     # run
@@ -789,9 +818,7 @@ def test_add_attributes_edu_person_targeted_id_nid_format(db, settings, rf, add_
     assert len(attributes[edu_name]) == 1
     node = lasso.Node.newFromXmlNode(force_str(list(attributes[edu_name])[0]))
     assert isinstance(node, lasso.Saml2NameID)
-    assert force_text(node.content) == (
-        '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
-    )
+    assert force_text(node.content) == ('_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5')
     assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
     assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
     assert node.spNameQualifier == 'https://sp.com/'
@@ -807,15 +834,9 @@ def test_add_attributes_edu_person_targeted_id_attribute(db, settings, rf, add_a
     add_attributes.request.user = user
     add_attributes.nid_format = 'transient'
     add_attributes.get_definitions.return_value = [
-        SAMLAttribute(name_format='basic',
-                      name='prenom',
-                      attribute_name='django_user_first_name'),
-        SAMLAttribute(name_format='basic',
-                      name='nom',
-                      attribute_name='django_user_last_name'),
-        SAMLAttribute(name_format='basic',
-                      name='edupersontargetedid',
-                      attribute_name='edupersontargetedid'),
+        SAMLAttribute(name_format='basic', name='prenom', attribute_name='django_user_first_name'),
+        SAMLAttribute(name_format='basic', name='nom', attribute_name='django_user_last_name'),
+        SAMLAttribute(name_format='basic', name='edupersontargetedid', attribute_name='edupersontargetedid'),
     ]
 
     # run
@@ -829,9 +850,7 @@ def test_add_attributes_edu_person_targeted_id_attribute(db, settings, rf, add_a
     assert len(attributes['edupersontargetedid']) == 1
     node = lasso.Node.newFromXmlNode(force_str(list(attributes['edupersontargetedid'])[0]))
     assert isinstance(node, lasso.Saml2NameID)
-    assert force_text(node.content) == (
-        '_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5'
-    )
+    assert force_text(node.content) == ('_A485C0ACEEF43A6D39145F5CFE25D9D3B6F15DC6443F412263C76D81C72DA8D5')
     assert node.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
     assert node.nameQualifier == 'http://testserver/idp/saml2/metadata'
     assert node.spNameQualifier == 'https://sp.com/'
@@ -877,14 +896,13 @@ def add_attributes_all(add_attributes):
         'a2_service_ou_role_uuids',
     ]
     add_attributes.get_definitions.return_value = list(
-        SAMLAttribute(name_format='basic',
-                      name=name,
-                      attribute_name=name)
-        for name in attribute_names)
+        SAMLAttribute(name_format='basic', name=name, attribute_name=name) for name in attribute_names
+    )
 
     def func(user):
         add_attributes.request.user = user
         return add_attributes()
+
     for key in dir(add_attributes):
         if not key.startswith(('func_', '__')):
             setattr(func, key, getattr(add_attributes, key))
@@ -902,21 +920,14 @@ def test_add_attributes_user_ou1_role_ou2(add_attributes_all, user_ou1, role_ou2
     add_attributes_all.provider.save()
 
     service_role = Role.objects.create(
-        name='Role of service',
-        slug='role-of-service',
-        ou=ou1,
-        service=add_attributes_all.provider)
-
-    service_role.attributes.create(
-        name='is_admin',
-        kind='string',
-        value='true')
+        name='Role of service', slug='role-of-service', ou=ou1, service=add_attributes_all.provider
+    )
+
+    service_role.attributes.create(name='is_admin', kind='string', value='true')
     user_ou1.roles.add(service_role)
 
     add_attributes_all.get_definitions.return_value.append(
-        SAMLAttribute(name_format='basic',
-                      name='is_admin',
-                      attribute_name='is_admin'),
+        SAMLAttribute(name_format='basic', name='is_admin', attribute_name='is_admin'),
     )
 
     attributes = add_attributes_all(user_ou1)
diff --git a/tests/test_import_export_site_cmd.py b/tests/test_import_export_site_cmd.py
index a7578eed..14bf1fe1 100644
--- a/tests/test_import_export_site_cmd.py
+++ b/tests/test_import_export_site_cmd.py
@@ -38,6 +38,7 @@ def json_fixture(tmpdir):
         with outfile.open('w') as f:
             f.write(json.dumps(content))
         return outfile.strpath
+
     return f
 
 
@@ -47,8 +48,8 @@ def dummy_export_site(*args):
 
 def test_export_role_cmd_stdout(db, capsys, monkeypatch):
     import authentic2.management.commands.export_site
-    monkeypatch.setattr(
-        authentic2.management.commands.export_site, 'export_site', dummy_export_site)
+
+    monkeypatch.setattr(authentic2.management.commands.export_site, 'export_site', dummy_export_site)
     management.call_command('export_site')
     out, err = capsys.readouterr()
     assert json.loads(out) == dummy_export_site()
@@ -56,8 +57,8 @@ def test_export_role_cmd_stdout(db, capsys, monkeypatch):
 
 def test_export_role_cmd_to_file(db, monkeypatch, tmpdir):
     import authentic2.management.commands.export_site
-    monkeypatch.setattr(
-        authentic2.management.commands.export_site, 'export_site', dummy_export_site)
+
+    monkeypatch.setattr(authentic2.management.commands.export_site, 'export_site', dummy_export_site)
     outfile = tmpdir.join('export.json')
     management.call_command('export_site', '--output', outfile.strpath)
     with outfile.open('r') as f:
@@ -76,7 +77,7 @@ def test_import_site_cmd_infos_on_stdout(db, monkeypatch, capsys, json_fixture):
                 'slug': 'role-slug',
                 'name': 'role-name',
                 'ou': None,
-                'service': None
+                'service': None,
             }
         ]
     }
@@ -95,8 +96,8 @@ def test_import_site_transaction_rollback_on_error(db, monkeypatch, capsys, json
         raise Exception()
 
     import authentic2.management.commands.import_site
-    monkeypatch.setattr(
-        authentic2.management.commands.import_site, 'import_site', exception_import_site)
+
+    monkeypatch.setattr(authentic2.management.commands.import_site, 'import_site', exception_import_site)
 
     with pytest.raises(Exception):
         management.call_command('import_site', json_fixture({'roles': []}))
@@ -113,7 +114,7 @@ def test_import_site_transaction_rollback_on_dry_run(db, monkeypatch, capsys, js
                 'slug': 'role-slug',
                 'name': 'role-name',
                 'ou': None,
-                'service': None
+                'service': None,
             }
         ]
     }
@@ -132,7 +133,7 @@ def test_import_site_cmd_unhandled_context_option(db, monkeypatch, capsys, json_
                 'slug': 'role-slug',
                 'name': 'role-name',
                 'ou': None,
-                'service': None
+                'service': None,
             }
         ]
     }
@@ -140,20 +141,18 @@ def test_import_site_cmd_unhandled_context_option(db, monkeypatch, capsys, json_
     Role.objects.create(uuid='dqfewrvesvews2532', slug='role-slug', name='role-name')
 
     with pytest.raises(ValidationError):
-        management.call_command(
-            'import_site', '-o', 'role-delete-orphans', json_fixture(content))
+        management.call_command('import_site', '-o', 'role-delete-orphans', json_fixture(content))
 
 
 def test_import_site_cmd_unknown_context_option(db, tmpdir, monkeypatch, capsys):
     from django.core.management.base import CommandError
+
     export_file = tmpdir.join('roles-export.json')
     with pytest.raises(CommandError):
         management.call_command('import_site', '-o', 'unknown-option', export_file.strpath)
 
 
-@pytest.mark.skipif(
-        VERSION >= (2, 0),
-        reason="'stdin' command kwarg deprecated from django 2 onwards")
+@pytest.mark.skipif(VERSION >= (2, 0), reason="'stdin' command kwarg deprecated from django 2 onwards")
 def test_import_site_confirm_prompt_yes(db, monkeypatch, json_fixture):
     content = {
         'roles': [
@@ -162,7 +161,7 @@ def test_import_site_confirm_prompt_yes(db, monkeypatch, json_fixture):
                 'slug': 'role-slug',
                 'name': 'role-name',
                 'ou': None,
-                'service': None
+                'service': None,
             }
         ]
     }
@@ -210,14 +209,13 @@ def test_import_site_update_roles(db, json_fixture):
 
 def test_import_site_empty_uuids(db, monkeypatch, json_fixture):
     with pytest.raises(ValidationError):
-        management.call_command('import_site', json_fixture({
-            'roles': [
+        management.call_command(
+            'import_site',
+            json_fixture(
                 {
-                    'uuid': '',
-                    'slug': 'role-slug',
-                    'name': 'role-name',
-                    'ou': None,
-                    'service': None
+                    'roles': [
+                        {'uuid': '', 'slug': 'role-slug', 'name': 'role-name', 'ou': None, 'service': None}
+                    ]
                 }
-            ]
-        }))
+            ),
+        )
diff --git a/tests/test_journal.py b/tests/test_journal.py
index 98ad0bb5..7c79661c 100644
--- a/tests/test_journal.py
+++ b/tests/test_journal.py
@@ -100,8 +100,8 @@ def test_models(db, django_assert_num_queries):
     assert Event.objects.which_references(service).count() == 6
     assert Event.objects.which_references(Service).count() == 11
     assert Event.objects.from_cursor(ev1.cursor).count() == 12
-    assert list(Event.objects.all()[ev2.cursor:2]) == events[6:8]
-    assert list(Event.objects.all()[-4:ev2.cursor]) == events[3:7]
+    assert list(Event.objects.all()[ev2.cursor : 2]) == events[6:8]
+    assert list(Event.objects.all()[-4 : ev2.cursor]) == events[3:7]
     assert set(Event.objects.which_references(service)[0].references) == set([service])
 
     # verify type, user and service are prefetched
@@ -163,6 +163,7 @@ def test_event_types(clean_event_types_definition_registry):
     assert EventTypeDefinition.get_for_name('user.sso') is SSO
 
     with pytest.raises(AssertionError, match='already registered'):
+
         class SSO2(UserEventTypes):
             name = 'user.sso'
             label = 'Single Sign On'
@@ -287,7 +288,7 @@ def test_journal_form_pagination(random_events, rf):
     assert page.is_last_page
     assert not page.next_page_url
     assert page.previous_page_url
-    assert page.events == random_events[-page.limit:]
+    assert page.events == random_events[-page.limit :]
 
     request = rf.get('/' + page.previous_page_url)
     page = JournalForm(data=request.GET).page
@@ -295,7 +296,7 @@ def test_journal_form_pagination(random_events, rf):
     assert not page.is_last_page
     assert page.next_page_url
     assert page.previous_page_url
-    assert page.events == random_events[-2 * page.limit:-page.limit]
+    assert page.events == random_events[-2 * page.limit : -page.limit]
 
     request = rf.get('/' + page.previous_page_url)
     page = JournalForm(data=request.GET).page
@@ -303,7 +304,7 @@ def test_journal_form_pagination(random_events, rf):
     assert not page.is_last_page
     assert page.next_page_url
     assert page.previous_page_url
-    assert page.events == random_events[-3 * page.limit:-2 * page.limit]
+    assert page.events == random_events[-3 * page.limit : -2 * page.limit]
 
     request = rf.get('/' + page.next_page_url)
     form = JournalForm(data=request.GET)
@@ -312,7 +313,7 @@ def test_journal_form_pagination(random_events, rf):
     assert not page.is_last_page
     assert page.next_page_url
     assert page.previous_page_url
-    assert page.events == random_events[-2 * page.limit:-page.limit]
+    assert page.events == random_events[-2 * page.limit : -page.limit]
 
     event_after_the_first_page = random_events[page.limit]
     request = rf.get('/' + form.make_url('before_cursor', event_after_the_first_page.cursor))
@@ -417,7 +418,9 @@ def test_record_exception_handling(db, some_event_types, caplog):
     journal = Journal()
     journal.record('user.registration.request', email='john.doe@example.com')
     assert len(caplog.records) == 0
-    with mock.patch.object(some_event_types['UserRegistrationRequest'], 'record', side_effect=Exception('boum')):
+    with mock.patch.object(
+        some_event_types['UserRegistrationRequest'], 'record', side_effect=Exception('boum')
+    ):
         journal.record('user.registration.request', email='john.doe@example.com')
     assert len(caplog.records) == 1
     assert caplog.records[0].levelname == 'ERROR'
@@ -431,7 +434,7 @@ def test_message_in_context_exception_handling(db, some_event_types, caplog):
     event = Event.objects.get()
 
     event.message
-    assert not(caplog.records)
+    assert not (caplog.records)
 
     caplog.clear()
     with mock.patch.object(some_event_types['UserLogin'], 'get_message', side_effect=Exception('boum')):
@@ -500,7 +503,9 @@ def test_statistics(db, event_type_name, freezer):
     stats = event_type_definition.get_method_statistics('timestamp', start=start, end=end)
     assert stats == {
         'x_labels': ['2020-02-03T13:00:00+00:00'],
-        'series': [{'label': 'FranceConnect', 'data': [2]},],
+        'series': [
+            {'label': 'FranceConnect', 'data': [2]},
+        ],
     }
 
     stats = event_type_definition.get_method_statistics('month')
@@ -517,7 +522,9 @@ def test_statistics(db, event_type_name, freezer):
     stats = event_type_definition.get_method_statistics('month', services_ou=get_default_ou())
     assert stats == {
         'x_labels': ['2020-03'],
-        'series': [{'label': 'password', 'data': [2]},],
+        'series': [
+            {'label': 'password', 'data': [2]},
+        ],
     }
 
     stats = event_type_definition.get_method_statistics('month', services_ou=ou)
diff --git a/tests/test_large_userbase.py b/tests/test_large_userbase.py
index d2063456..c6c54bf5 100644
--- a/tests/test_large_userbase.py
+++ b/tests/test_large_userbase.py
@@ -33,10 +33,8 @@ pytestmark = pytest.mark.slow
 @pytest.fixture
 def large_userbase(db, freezer):
     dob_attribute = Attribute.objects.create(
-        kind='birthdate',
-        name='birthdate',
-        label='birthdate',
-        required=True)
+        kind='birthdate', name='birthdate', label='birthdate', required=True
+    )
 
     # fix time window
     freezer.move_to('2020-01-01')
@@ -48,7 +46,10 @@ def large_userbase(db, freezer):
             User(
                 first_name=fake.first_name() + ' ' + fake.first_name(),
                 last_name=fake.last_name(),
-                email=fake.ascii_safe_email()) for i in range(1000))
+                email=fake.ascii_safe_email(),
+            )
+            for i in range(1000)
+        )
 
     user_ids = User.objects.values_list('id', flat=True)
     user_ct = ContentType.objects.get_for_model(User)
@@ -60,8 +61,10 @@ def large_userbase(db, freezer):
             attribute=dob_attribute,
             verified=True,
             multiple=False,
-            content=fake.date())
-        for user_id in user_ids)
+            content=fake.date(),
+        )
+        for user_id in user_ids
+    )
 
 
 def test_large_userbase_find_duplicates(large_userbase, app, admin):
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 70edcc86..fb2d5524 100644
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
@@ -78,21 +78,17 @@ def slapd():
     with create_slapd() as s:
         yield s
 
+
 @pytest.fixture
 def slapd_ppolicy():
     with create_slapd() as slapd:
         conn = slapd.get_connection_admin()
         assert conn.protocol_version == ldap.VERSION3
-        conn.modify_s(
-            'cn=module{0},cn=config',
-            [
-                (ldap.MOD_ADD, 'olcModuleLoad', [
-                    force_bytes('ppolicy')
-                ])
-            ])
+        conn.modify_s('cn=module{0},cn=config', [(ldap.MOD_ADD, 'olcModuleLoad', [force_bytes('ppolicy')])])
         with open('/etc/ldap/schema/ppolicy.ldif') as fd:
             slapd.add_ldif(fd.read())
-        slapd.add_ldif('''
+        slapd.add_ldif(
+            '''
 dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
 objectclass: olcOverlayConfig
 objectclass: olcPPolicyConfig
@@ -101,13 +97,16 @@ olcppolicydefault: cn=default,ou=ppolicies,o=ôrga
 olcppolicyforwardupdates: FALSE
 olcppolicyhashcleartext: TRUE
 olcppolicyuselockout: TRUE
-''')
+'''
+        )
 
-        slapd.add_ldif('''
+        slapd.add_ldif(
+            '''
 dn: ou=ppolicies,o=ôrga
 objectclass: organizationalUnit
 ou: ppolicies
-''')
+'''
+        )
         yield slapd
 
 
@@ -121,7 +120,8 @@ def tls_slapd():
 def create_slapd(slapd=None):
     slapd = slapd or Slapd()
     slapd.add_db('o=ôrga')
-    slapd.add_ldif('''dn: o=ôrga
+    slapd.add_ldif(
+        '''dn: o=ôrga
 objectClass: organization
 o: ôrga
 
@@ -161,12 +161,24 @@ postalAddress: {ee_street}
 postalCode: {ee_postalcode}
 l: {ee_city}
 
-'''.format(dn=DN, uid=UID, password=PASS, cl=CARLICENSE,
-           eo_o=EO_O, eo_street=EO_STREET, eo_postalcode=EO_POSTALCODE, eo_city=EO_CITY,
-           ee_o=EE_O, ee_street=EE_STREET, ee_postalcode=EE_POSTALCODE, ee_city=EE_CITY
-    ))
+'''.format(
+            dn=DN,
+            uid=UID,
+            password=PASS,
+            cl=CARLICENSE,
+            eo_o=EO_O,
+            eo_street=EO_STREET,
+            eo_postalcode=EO_POSTALCODE,
+            eo_city=EO_CITY,
+            ee_o=EE_O,
+            ee_street=EE_STREET,
+            ee_postalcode=EE_POSTALCODE,
+            ee_city=EE_CITY,
+        )
+    )
     for i in range(5):
-        slapd.add_ldif('''dn: uid=mïchu{i},o=ôrga
+        slapd.add_ldif(
+            '''dn: uid=mïchu{i},o=ôrga
 objectClass: inetOrgPerson
 userPassword: {password}
 uid: mïchu{i}
@@ -176,12 +188,17 @@ gn: Étienne
 l: locality{i}
 mail: etienne.michu@example.net
 
-'''.format(i=i, password=PASS))
+'''.format(
+                i=i, password=PASS
+            )
+        )
     group_ldif = '''dn: cn=group2,o=ôrga
 gidNumber: 10
 objectClass: posixGroup
 memberUid: {uid}
-'''.format(uid=UID)
+'''.format(
+        uid=UID
+    )
     group_ldif += '\n\n'
     slapd.add_ldif(group_ldif)
     return slapd
@@ -193,15 +210,17 @@ def test_connection(slapd):
 
 
 def test_simple(slapd, settings, client, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'attributes': ['jpegPhoto'],
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'attributes': ['jpegPhoto'],
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') in result.content
     assert User.objects.count() == 1
@@ -219,39 +238,45 @@ def test_simple(slapd, settings, client, db):
 
 
 def test_deactivate_orphaned_users(slapd, settings, client, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
 
     # create users as a side effect
     list(ldap_backend.LDAPBackend.get_users())
     block = settings.LDAP_AUTH_SETTINGS[0]
-    assert ldap_backend.UserExternalId.objects.filter(
-        user__is_active=False, source=block['realm']).count() == 0
+    assert (
+        ldap_backend.UserExternalId.objects.filter(user__is_active=False, source=block['realm']).count() == 0
+    )
 
     conn = slapd.get_connection_admin()
     conn.delete_s(DN)
 
     ldap_backend.LDAPBackend.deactivate_orphaned_users()
 
-    assert ldap_backend.UserExternalId.objects.filter(
-        user__is_active=False, source=block['realm']).count() == 1
+    assert (
+        ldap_backend.UserExternalId.objects.filter(user__is_active=False, source=block['realm']).count() == 1
+    )
 
 
 @pytest.mark.django_db
 def test_simple_with_binddn(slapd, settings, client):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'binddn': force_text(DN),
-        'bindpw': PASS,
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'binddn': force_text(DN),
+            'bindpw': PASS,
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') in result.content
     assert User.objects.count() == 1
@@ -269,25 +294,29 @@ def test_simple_with_binddn(slapd, settings, client):
 
 
 def test_double_login(slapd, simple_user, settings, app, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'is_superuser': True,
-        'is_staff': True,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'is_superuser': True,
+            'is_staff': True,
+        }
+    ]
     utils.login(app, simple_user, path='/admin/')
     utils.login(app, UID, password=PASS, path='/admin/')
 
 
 def test_login_failure(slapd, simple_user, settings, app, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'is_superuser': True,
-        'is_staff': True,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'is_superuser': True,
+            'is_staff': True,
+        }
+    ]
     # create ldap user
     utils.login(app, UID, password=PASS, path='/admin/')
     utils.logout(app)
@@ -301,15 +330,17 @@ def test_login_failure(slapd, simple_user, settings, app, db):
 
 
 def test_keep_password_in_session(slapd, settings, client, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'keep_password_in_session': True,
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'keep_password_in_session': True,
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') in result.content
     assert User.objects.count() == 1
@@ -322,17 +353,19 @@ def test_keep_password_in_session(slapd, settings, client, db):
     assert client.session['ldap-data']['password']
     assert DN.lower() in result.context['request'].user.ldap_data['password']
     assert crypto.aes_base64_decrypt(
-        settings.SECRET_KEY,
-        force_bytes(result.context['request'].user.ldap_data['password'][DN.lower()])) == force_bytes(PASS)
+        settings.SECRET_KEY, force_bytes(result.context['request'].user.ldap_data['password'][DN.lower()])
+    ) == force_bytes(PASS)
 
 
 def test_keep_password_true_or_false(slapd, settings, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'keep_password': True,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'keep_password': True,
+        }
+    ]
     user = authenticate(username=USERNAME, password=PASS)
     assert User.objects.count() == 1
     user = User.objects.get()
@@ -349,15 +382,17 @@ def test_keep_password_true_or_false(slapd, settings, db):
 def test_custom_ou(slapd, settings, client):
     OU = get_ou_model()
     ou = OU.objects.create(name='test', slug='test')
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'ou_slug': 'test',
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'ou_slug': 'test',
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') in result.content
     assert User.objects.count() == 1
@@ -370,20 +405,23 @@ def test_custom_ou(slapd, settings, client):
 
 
 def test_wrong_ou(slapd, settings, client, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'ou_slug': 'test',
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'ou_slug': 'test',
+        }
+    ]
     with pytest.raises(ImproperlyConfigured):
-        client.post('/login/', {'login-password-submit': '1',
-                                'username': USERNAME,
-                                'password': PASS}, follow=True)
+        client.post(
+            '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+        )
 
 
 def test_dn_formatter():
     from authentic2.ldap_utils import DnFormatter, FilterFormatter
+
     formatter = FilterFormatter()
 
     assert formatter.format('uid={uid}', uid='john doe') == 'uid=john doe'
@@ -400,19 +438,21 @@ def test_dn_formatter():
 def test_group_mapping(slapd, settings, client, db):
     from django.contrib.auth.models import Group
 
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group1,o=ôrga', ['Group1']],
-        ],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group1,o=ôrga', ['Group1']],
+            ],
+        }
+    ]
     assert Group.objects.filter(name='Group1').count() == 0
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': USERNAME,
-                                       'password': PASS}, follow=True)
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert Group.objects.filter(name='Group1').count() == 1
     assert response.context['user'].username == u'%s@ldap' % USERNAME
     assert response.context['user'].groups.count() == 1
@@ -421,20 +461,22 @@ def test_group_mapping(slapd, settings, client, db):
 def test_posix_group_mapping(slapd, settings, client, db):
     from django.contrib.auth.models import Group
 
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+        }
+    ]
     assert Group.objects.filter(name='Group2').count() == 0
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': USERNAME,
-                                       'password': PASS}, follow=True)
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert Group.objects.filter(name='Group2').count() == 1
     assert response.context['user'].username == u'%s@ldap' % USERNAME
     assert response.context['user'].groups.count() == 1
@@ -444,56 +486,62 @@ def test_group_to_role_mapping(slapd, settings, client, db):
     Role.objects.get_or_create(name='Role1')
     Role.objects.get_or_create(name='Role2')
 
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        # memberOf is not defined on OpenLDAP so we use street for storing DN like
-        # memberOf values
-        'member_of_attribute': 'STReet',
-        'group_to_role_mapping': [
-            ['cn=GrouP1,o=ôrga', ['Role1']],
-            ['cn=GrouP2,o=ôrga', ['Role2']],
-        ],
-    }]
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': USERNAME,
-                                       'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            # memberOf is not defined on OpenLDAP so we use street for storing DN like
+            # memberOf values
+            'member_of_attribute': 'STReet',
+            'group_to_role_mapping': [
+                ['cn=GrouP1,o=ôrga', ['Role1']],
+                ['cn=GrouP2,o=ôrga', ['Role2']],
+            ],
+        }
+    ]
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert response.context['user'].username == u'%s@ldap' % USERNAME
     assert set(response.context['user'].roles.values_list('name', flat=True)) == set(['Role1', 'Role2'])
 
 
 def test_posix_group_to_role_mapping(slapd, settings, client, db):
     Role.objects.get_or_create(name='Role2')
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'group_to_role_mapping': [
-            ['cn=group2,o=ôrga', ['Role2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-    }]
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': USERNAME,
-                                       'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'group_to_role_mapping': [
+                ['cn=group2,o=ôrga', ['Role2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+        }
+    ]
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert response.context['user'].username == u'%s@ldap' % USERNAME
     assert response.context['user'].roles.count() == 1
 
 
 def test_group_to_role_mapping_modify_disabled(slapd, settings, db, app, admin, client):
     role = Role.objects.create(name='Role3')
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'group_to_role_mapping': [
-            ['cn=group1,o=ôrga', ['Role3']],
-        ],
-    }]
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': USERNAME,
-                                       'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'group_to_role_mapping': [
+                ['cn=group1,o=ôrga', ['Role3']],
+            ],
+        }
+    ]
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     user = response.context['user']
     assert user.roles.count() == 1
 
@@ -524,15 +572,17 @@ def test_group_to_role_mapping_modify_disabled(slapd, settings, db, app, admin,
 def test_group_su(slapd, settings, client, db):
     from django.contrib.auth.models import Group
 
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': 'o=ôrga',
-        'use_tls': False,
-        'groupsu': [u'cn=group1,o=ôrga'],
-    }]
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': USERNAME,
-                                       'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': 'o=ôrga',
+            'use_tls': False,
+            'groupsu': [u'cn=group1,o=ôrga'],
+        }
+    ]
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert Group.objects.count() == 0
     assert response.context['user'].username == u'%s@ldap' % USERNAME
     assert response.context['user'].is_superuser
@@ -542,15 +592,17 @@ def test_group_su(slapd, settings, client, db):
 def test_group_staff(slapd, settings, client, db):
     from django.contrib.auth.models import Group
 
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'groupstaff': [u'cn=group1,o=ôrga'],
-    }]
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': 'etienne.michu',
-                                       'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'groupstaff': [u'cn=group1,o=ôrga'],
+        }
+    ]
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': 'etienne.michu', 'password': PASS}, follow=True
+    )
     assert Group.objects.count() == 0
     assert response.context['user'].username == u'%s@ldap' % USERNAME
     assert response.context['user'].is_staff
@@ -562,24 +614,28 @@ def test_get_users(slapd, settings, db, monkeypatch, caplog):
     from types import MethodType
     from django.contrib.auth.models import Group
 
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'group_to_role_mapping': [
-            ['cn=unknown,o=dn', ['Role2']],
-        ]
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'group_to_role_mapping': [
+                ['cn=unknown,o=dn', ['Role2']],
+            ],
+        }
+    ]
     save = mock.Mock(wraps=ldap_backend.LDAPUser.save)
     bulk_create = mock.Mock(wraps=django.db.models.query.QuerySet.bulk_create)
 
     monkeypatch.setattr(ldap_backend.LDAPUser, 'save', lambda *args, **kwargs: save(*args, **kwargs))
-    monkeypatch.setattr(django.db.models.query.QuerySet, 'bulk_create', lambda *args, **kwargs: bulk_create(*args, **kwargs))
+    monkeypatch.setattr(
+        django.db.models.query.QuerySet, 'bulk_create', lambda *args, **kwargs: bulk_create(*args, **kwargs)
+    )
 
     assert Group.objects.count() == 0
     # Provision all users and their groups
@@ -627,8 +683,7 @@ def test_get_users(slapd, settings, db, monkeypatch, caplog):
     save.reset_mock()
     bulk_create.reset_mock()
     u = ldap_backend.LDAPUser.objects.create(username=UID.capitalize())
-    ldap_backend.UserExternalId.objects.create(external_id=UID.capitalize(),
-                                               source='ldap', user=u)
+    ldap_backend.UserExternalId.objects.create(external_id=UID.capitalize(), source='ldap', user=u)
     # set user login time as if he logged in
     user = ldap_backend.LDAPUser.objects.get(username='%s@ldap' % UID)
     user.last_login = timezone.now()
@@ -644,34 +699,38 @@ def test_set_mandatory_roles(slapd, settings, db):
 
     Role.objects.get_or_create(name='tech')
     Role.objects.get_or_create(name='admin')
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'set_mandatory_roles': ['tech', 'admin'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'set_mandatory_roles': ['tech', 'admin'],
+        }
+    ]
 
     list(ldap_backend.LDAPBackend.get_users())
     assert User.objects.first().roles.count() == 2
 
 
 def test_nocreate_mandatory_roles(slapd, settings, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'set_mandatory_roles': ['tech', 'admin'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'set_mandatory_roles': ['tech', 'admin'],
+        }
+    ]
 
     list(ldap_backend.LDAPBackend.get_users())
     assert User.objects.first().roles.count() == 0
@@ -682,17 +741,19 @@ def test_from_slug_set_mandatory_roles(slapd, settings, db):
 
     Role.objects.get_or_create(name='Tech', slug='tech')
     Role.objects.get_or_create(name='Admin', slug='admin')
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'set_mandatory_roles': ['tech', 'admin'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'set_mandatory_roles': ['tech', 'admin'],
+        }
+    ]
 
     list(ldap_backend.LDAPBackend.get_users())
     assert User.objects.first().roles.count() == 2
@@ -705,17 +766,19 @@ def test_multiple_slug_set_mandatory_roles(slapd, settings, db):
     service2 = Service.objects.create(name='s2', slug='s2')
     Role.objects.create(name='foo', slug='tech', service=service1)
     Role.objects.create(name='bar', slug='tech', service=service2)
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'set_mandatory_roles': ['tech'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'set_mandatory_roles': ['tech'],
+        }
+    ]
 
     list(ldap_backend.LDAPBackend.get_users())
     assert User.objects.first().roles.count() == 0
@@ -729,17 +792,19 @@ def test_multiple_name_set_mandatory_roles(slapd, settings, db):
     ou2 = OU.objects.create(name='test2', slug='test2')
     Role.objects.create(name='tech', slug='foo', ou=ou1)
     Role.objects.create(name='tech', slug='bar', ou=ou2)
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            [u'cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'set_mandatory_roles': ['tech'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                [u'cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'set_mandatory_roles': ['tech'],
+        }
+    ]
 
     list(ldap_backend.LDAPBackend.get_users())
     assert User.objects.first().roles.count() == 0
@@ -749,34 +814,30 @@ def test_multiple_name_set_mandatory_roles(slapd, settings, db):
 def slapd_strict_acl(slapd):
     # forbid modifications by user themselves
     conn = slapd.get_connection_external()
-    result = conn.search_s(
-        'cn=config',
-        ldap.SCOPE_SUBTREE,
-        'olcSuffix=o=ôrga')
+    result = conn.search_s('cn=config', ldap.SCOPE_SUBTREE, 'olcSuffix=o=ôrga')
     dn = result[0][0]
     conn.modify_s(
         dn,
-        [
-            (ldap.MOD_REPLACE, 'olcAccess', [
-                force_bytes('{0}to * by dn.subtree="o=ôrga" none by * manage')
-            ])
-        ])
+        [(ldap.MOD_REPLACE, 'olcAccess', [force_bytes('{0}to * by dn.subtree="o=ôrga" none by * manage')])],
+    )
     return slapd
 
 
 def test_no_connect_with_user_credentials(slapd_strict_acl, db, settings, app):
     slapd = slapd_strict_acl
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'create_group': True,
-        'group_mapping': [
-            ['cn=group2,o=ôrga', ['Group2']],
-        ],
-        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
-        'set_mandatory_roles': ['tech', 'admin'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'create_group': True,
+            'group_mapping': [
+                ['cn=group2,o=ôrga', ['Group2']],
+            ],
+            'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+            'set_mandatory_roles': ['tech', 'admin'],
+        }
+    ]
     response = app.get('/login/')
     response.form.set('username', USERNAME)
     response.form.set('password', PASS)
@@ -826,13 +887,15 @@ def reset_password_ldap_user(settings, app):
 
 
 def test_reset_password_ldap_user(slapd, settings, app, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'binddn': force_text(slapd.root_bind_dn),
-        'bindpw': force_text(slapd.root_bind_password),
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'binddn': force_text(slapd.root_bind_dn),
+            'bindpw': force_text(slapd.root_bind_password),
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
     new_password = reset_password_ldap_user(settings, app)
     # verify password has changed
     slapd.get_connection().bind_s(DN, new_password)
@@ -842,14 +905,16 @@ def test_reset_password_ldap_user(slapd, settings, app, db):
 
 
 def test_user_cannot_change_password(slapd, settings, app, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'binddn': force_text(slapd.root_bind_dn),
-        'bindpw': force_text(slapd.root_bind_password),
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'user_can_change_password': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'binddn': force_text(slapd.root_bind_dn),
+            'bindpw': force_text(slapd.root_bind_password),
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'user_can_change_password': False,
+        }
+    ]
     assert User.objects.count() == 0
     # first login
     response = app.get('/login/')
@@ -864,67 +929,78 @@ def test_user_cannot_change_password(slapd, settings, app, db):
 
 def test_tls(db, tls_slapd, settings, client):
     conn = tls_slapd.get_connection_admin()
-    conn.modify_s('cn=config', [
-        (ldap.MOD_ADD, 'olcTLSCACertificateFile', force_bytes(cert_file)),
-        (ldap.MOD_ADD, 'olcTLSVerifyClient', b'demand'),
-    ])
+    conn.modify_s(
+        'cn=config',
+        [
+            (ldap.MOD_ADD, 'olcTLSCACertificateFile', force_bytes(cert_file)),
+            (ldap.MOD_ADD, 'olcTLSVerifyClient', b'demand'),
+        ],
+    )
 
     # without TLS it does not work
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [tls_slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [tls_slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') not in result.content
     assert force_bytes('name="username"') in result.content
 
     # without TLS client authentication it does not work
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [tls_slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': True,
-        'cacertfile': cert_file,
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [tls_slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': True,
+            'cacertfile': cert_file,
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') not in result.content
     assert force_bytes('name="username"') in result.content
 
     # now it works !
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [tls_slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': True,
-        'cacertfile': cert_file,
-        'certfile': cert_file,
-        'keyfile': key_file,
-    }]
-    result = client.post('/login/', {'login-password-submit': '1',
-                                     'username': USERNAME,
-                                     'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [tls_slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': True,
+            'cacertfile': cert_file,
+            'certfile': cert_file,
+            'keyfile': key_file,
+        }
+    ]
+    result = client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     assert result.status_code == 200
     assert force_bytes('Étienne Michu') in result.content
     assert force_bytes('name="username"') not in result.content
 
 
 def test_user_attributes(slapd, settings, client, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'user_attributes': [
-            {
-                'from_ldap': 'l',
-                'to_user': 'locality',
-            },
-        ]
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'user_attributes': [
+                {
+                    'from_ldap': 'l',
+                    'to_user': 'locality',
+                },
+            ],
+        }
+    ]
 
     # create a locality attribute
     models.Attribute.objects.create(
@@ -935,27 +1011,26 @@ def test_user_attributes(slapd, settings, client, db):
         user_visible=True,
         user_editable=False,
         asked_on_registration=False,
-        multiple=False)
+        multiple=False,
+    )
 
-    client.post('/login/',
-                {
-                    'login-password-submit': '1',
-                    'username': USERNAME,
-                    'password': PASS
-                },
-                follow=True)
+    client.post(
+        '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    )
     username = u'%s@ldap' % USERNAME
     user = User.objects.get(username=username)
     assert user.attributes.locality == u'Paris'
     client.session.flush()
     for i in range(5):
-        client.post('/login/',
-                    {
-                        'login-password-submit': '1',
-                        'username': u'mïchu%s' % i,
-                        'password': PASS,
-                    },
-                    follow=True)
+        client.post(
+            '/login/',
+            {
+                'login-password-submit': '1',
+                'username': u'mïchu%s' % i,
+                'password': PASS,
+            },
+            follow=True,
+        )
         username = u'mïchu%s@ldap' % i
         user = User.objects.get(username=username)
         assert user.attributes.locality == u'locality%s' % i
@@ -963,11 +1038,13 @@ def test_user_attributes(slapd, settings, client, db):
 
 
 def test_set_password(slapd, settings, db):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
     user = authenticate(username=u'etienne.michu', password=u'passé')
     assert user
     assert user.check_password(u'passé')
@@ -978,14 +1055,17 @@ def test_set_password(slapd, settings, db):
 
 
 def test_login_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, app):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
 
     pwdMaxFailure = 2
-    slapd_ppolicy.add_ldif('''
+    slapd_ppolicy.add_ldif(
+        '''
 dn: cn=default,ou=ppolicies,o=ôrga
 cn: default
 objectclass: top
@@ -1008,7 +1088,10 @@ pwdFailureCountInterval: 0
 pwdMustChange: FALSE
 pwdAllowUserChange: FALSE
 pwdSafeModify: FALSE
-'''.format(pwdMaxFailure=pwdMaxFailure))
+'''.format(
+            pwdMaxFailure=pwdMaxFailure
+        )
+    )
 
     for _ in range(pwdMaxFailure):
         response = app.get('/login/')
@@ -1026,7 +1109,8 @@ pwdSafeModify: FALSE
 
 def ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog):
     pwdMaxFailure = 2
-    slapd_ppolicy.add_ldif('''
+    slapd_ppolicy.add_ldif(
+        '''
 dn: cn=default,ou=ppolicies,o=ôrga
 cn: default
 objectclass: top
@@ -1049,7 +1133,10 @@ pwdFailureCountInterval: 0
 pwdMustChange: FALSE
 pwdAllowUserChange: FALSE
 pwdSafeModify: FALSE
-'''.format(pwdMaxFailure=pwdMaxFailure))
+'''.format(
+            pwdMaxFailure=pwdMaxFailure
+        )
+    )
 
     for _ in range(pwdMaxFailure):
         assert authenticate(username=USERNAME, password='incorrect') is None
@@ -1057,11 +1144,13 @@ pwdSafeModify: FALSE
 
 
 def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
 
     ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog)
     assert 'account is locked' not in caplog.text
@@ -1074,12 +1163,14 @@ def test_do_not_use_controls(slapd_ppolicy, settings, db, caplog):
     Same as test_authenticate_ppolicy_pwdMaxFailure but with use_controls
     deactivated and therefore not logging when an account is locked.
     """
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'use_controls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'use_controls': False,
+        }
+    ]
 
     ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog)
     assert 'account is locked' not in caplog.text
@@ -1089,15 +1180,18 @@ def test_do_not_use_controls(slapd_ppolicy, settings, db, caplog):
 
 
 def test_authenticate_ppolicy_pwdGraceAuthnLimit(slapd_ppolicy, settings, db, caplog):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
 
     pwdMaxAge = 1
     pwdGraceAuthnLimit = 2
-    slapd_ppolicy.add_ldif('''
+    slapd_ppolicy.add_ldif(
+        '''
 dn: cn=default,ou=ppolicies,o=ôrga
 cn: default
 objectclass: top
@@ -1120,7 +1214,10 @@ pwdFailureCountInterval: 0
 pwdMustChange: FALSE
 pwdAllowUserChange: TRUE
 pwdSafeModify: FALSE
-'''.format(pwdMaxAge=pwdMaxAge, pwdGraceAuthnLimit=pwdGraceAuthnLimit))
+'''.format(
+            pwdMaxAge=pwdMaxAge, pwdGraceAuthnLimit=pwdGraceAuthnLimit
+        )
+    )
 
     user = authenticate(username=USERNAME, password=UPASS)
     assert user.check_password(UPASS)
@@ -1139,14 +1236,17 @@ pwdSafeModify: FALSE
 
 
 def test_authenticate_ppolicy_pwdExpireWarning(slapd_ppolicy, settings, db, caplog):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
 
     pwdMaxAge = 3600
-    slapd_ppolicy.add_ldif('''
+    slapd_ppolicy.add_ldif(
+        '''
 dn: cn=default,ou=ppolicies,o=ôrga
 cn: default
 objectclass: top
@@ -1169,7 +1269,10 @@ pwdFailureCountInterval: 0
 pwdMustChange: FALSE
 pwdAllowUserChange: TRUE
 pwdSafeModify: FALSE
-'''.format(pwdMaxAge=pwdMaxAge))
+'''.format(
+            pwdMaxAge=pwdMaxAge
+        )
+    )
 
     user = authenticate(username=USERNAME, password=UPASS)
     assert user.check_password(UPASS)
@@ -1184,16 +1287,19 @@ pwdSafeModify: FALSE
 
 
 def test_login_ppolicy_pwdExpireWarning(slapd_ppolicy, settings, app, db, caplog):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'binddn': force_text(slapd_ppolicy.root_bind_dn),
-        'bindpw': force_text(slapd_ppolicy.root_bind_password),
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'binddn': force_text(slapd_ppolicy.root_bind_dn),
+            'bindpw': force_text(slapd_ppolicy.root_bind_password),
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
 
     pwdMaxAge = 3600
-    slapd_ppolicy.add_ldif('''
+    slapd_ppolicy.add_ldif(
+        '''
 dn: cn=default,ou=ppolicies,o=ôrga
 cn: default
 objectclass: top
@@ -1216,7 +1322,10 @@ pwdFailureCountInterval: 0
 pwdMustChange: FALSE
 pwdAllowUserChange: TRUE
 pwdSafeModify: FALSE
-'''.format(pwdMaxAge=pwdMaxAge))
+'''.format(
+            pwdMaxAge=pwdMaxAge
+        )
+    )
 
     password = reset_password_ldap_user(settings, app)
 
@@ -1230,13 +1339,16 @@ pwdSafeModify: FALSE
 
 
 def test_authenticate_ppolicy_pwdAllowUserChange(slapd_ppolicy, settings, db, caplog):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd_ppolicy.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
-
-    slapd_ppolicy.add_ldif('''
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd_ppolicy.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
+
+    slapd_ppolicy.add_ldif(
+        '''
 dn: cn=default,ou=ppolicies,o=ôrga
 cn: default
 objectclass: top
@@ -1258,7 +1370,8 @@ pwdFailureCountInterval: 0
 pwdMustChange: FALSE
 pwdAllowUserChange: FALSE
 pwdSafeModify: FALSE
-''')
+'''
+    )
 
     user = authenticate(username=USERNAME, password=UPASS)
     assert user.set_password(u'ogutOmyetew4') is None
@@ -1266,14 +1379,16 @@ pwdSafeModify: FALSE
 
 
 def test_ou_selector(slapd, settings, app, ou1):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'binddn': force_text(DN),
-        'bindpw': PASS,
-        'basedn': u'o=ôrga',
-        'ou_slug': ou1.slug,
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'binddn': force_text(DN),
+            'bindpw': PASS,
+            'basedn': u'o=ôrga',
+            'ou_slug': ou1.slug,
+            'use_tls': False,
+        }
+    ]
     settings.A2_LOGIN_FORM_OU_SELECTOR = True
 
     # Check login to the wrong ou does not work
@@ -1295,13 +1410,15 @@ def test_ou_selector(slapd, settings, app, ou1):
 
 
 def test_ou_selector_default_ou(slapd, settings, app, ou1):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'binddn': force_text(DN),
-        'bindpw': PASS,
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'binddn': force_text(DN),
+            'bindpw': PASS,
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+        }
+    ]
     settings.A2_LOGIN_FORM_OU_SELECTOR = True
 
     # Check login to the wrong ou does not work
@@ -1323,17 +1440,19 @@ def test_ou_selector_default_ou(slapd, settings, app, ou1):
 
 
 def test_sync_ldap_users(slapd, settings, app, db, capsys):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'user_attributes': [
-            {
-                'from_ldap': 'l',
-                'to_user': 'locality',
-            },
-        ]
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'user_attributes': [
+                {
+                    'from_ldap': 'l',
+                    'to_user': 'locality',
+                },
+            ],
+        }
+    ]
 
     # create a locality attribute
     models.Attribute.objects.create(
@@ -1344,7 +1463,8 @@ def test_sync_ldap_users(slapd, settings, app, db, capsys):
         user_visible=True,
         user_editable=False,
         asked_on_registration=False,
-        multiple=False)
+        multiple=False,
+    )
 
     assert User.objects.count() == 0
     capsys.readouterr()
@@ -1355,37 +1475,46 @@ def test_sync_ldap_users(slapd, settings, app, db, capsys):
     assert all(user.attributes.first_name == u'Étienne' for user in User.objects.all())
     assert all(user.last_name == u'Michu' for user in User.objects.all())
     assert all(user.attributes.last_name == u'Michu' for user in User.objects.all())
-    assert all(user.attributes.locality == u'Paris' or user.attributes.locality.startswith('locality')
-               for user in User.objects.all())
-    assert all([user.userexternalid_set.first().external_id
-                == urlparse.quote(user.username.split('@')[0].encode('utf-8'))
-                for user in User.objects.all()])
+    assert all(
+        user.attributes.locality == u'Paris' or user.attributes.locality.startswith('locality')
+        for user in User.objects.all()
+    )
+    assert all(
+        [
+            user.userexternalid_set.first().external_id
+            == urlparse.quote(user.username.split('@')[0].encode('utf-8'))
+            for user in User.objects.all()
+        ]
+    )
     capsys.readouterr()
     management.call_command('sync-ldap-users', verbosity=2)
     assert len(capsys.readouterr().out.splitlines()) == 1
 
 
 def test_alert_on_wrong_user_filter(slapd, settings, client, db, caplog):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'user_filter': '(&(objectClass=user)(sAMAccountName=*)', #wrong
-
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'user_filter': '(&(objectClass=user)(sAMAccountName=*)',  # wrong
+        }
+    ]
     with utils.check_log(caplog, "account name authentication filter doesn't contain '%s'"):
-        response = client.post('/login/', {'login-password-submit': '1',
-                                           'username': USERNAME,
-                                           'password': PASS}, follow=True)
+        response = client.post(
+            '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+        )
 
 
 def test_get_attributes(slapd, settings, db, rf):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': u'o=ôrga',
-        'use_tls': False,
-        'attributes': ['uid', 'carLicense'],
-    }]
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'attributes': ['uid', 'carLicense'],
+        }
+    ]
     user = authenticate(username=USERNAME, password=UPASS)
     assert user
     assert user.get_attributes(object(), {}) == {
@@ -1426,31 +1555,33 @@ def test_get_attributes(slapd, settings, db, rf):
 
 @pytest.mark.django_db
 def test_get_extra_attributes(slapd, settings, client):
-    settings.LDAP_AUTH_SETTINGS = [{
-        'url': [slapd.ldap_url],
-        'basedn': 'o=ôrga',
-        'use_tls': False,
-        'groupstaff': ['cn=group1,o=ôrga'],
-        'attributes': ['uid'],
-        'extra_attributes': {
-            'orga': {
-                'loop_over_attribute': 'o',
-                'filter': '(&(objectclass=organization)(o={item}))',
-                'basedn': 'o=ôrga',
-                'scope': 'sub',
-                'mapping': {
-                    'id': 'o',
-                    'street': 'postalAddress',
-                    'city': 'l',
-                    'postal_code': 'postalCode',
-                },
-                'serialization': 'json'
-            }
-        },
-    }]
-    response = client.post('/login/', {'login-password-submit': '1',
-                                       'username': 'etienne.michu',
-                                       'password': PASS}, follow=True)
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'basedn': 'o=ôrga',
+            'use_tls': False,
+            'groupstaff': ['cn=group1,o=ôrga'],
+            'attributes': ['uid'],
+            'extra_attributes': {
+                'orga': {
+                    'loop_over_attribute': 'o',
+                    'filter': '(&(objectclass=organization)(o={item}))',
+                    'basedn': 'o=ôrga',
+                    'scope': 'sub',
+                    'mapping': {
+                        'id': 'o',
+                        'street': 'postalAddress',
+                        'city': 'l',
+                        'postal_code': 'postalCode',
+                    },
+                    'serialization': 'json',
+                }
+            },
+        }
+    ]
+    response = client.post(
+        '/login/', {'login-password-submit': '1', 'username': 'etienne.michu', 'password': PASS}, follow=True
+    )
     user = response.context['user']
     fetched_attrs = user.get_attributes(object(), {})
     assert UID in fetched_attrs.get('uid')
@@ -1487,7 +1618,7 @@ def test_config_to_lowercase():
                 'from_ldap': 'ABC',
                 'to_user': 'Phone',
             }
-        ]
+        ],
     }
 
     config_normalized = dict(config, url='ldap://example.net', basedn='dc=coin,dc=fr')
@@ -1507,12 +1638,16 @@ def test_config_to_lowercase():
         "member_of_attribute": "memberof",
         "group_mapping": [["cn=coin,ou=groups,dc=coin,dc=fr", ["Group 1"]]],
         "group_to_role_mapping": [["cn=coin,ou=groups,dc=coin,dc=fr", ["Group 1"]]],
-        "attribute_mappings": [["xxx", "yyy"],],
-        "external_id_tuples": [["a", "b", "c"],],
+        "attribute_mappings": [
+            ["xxx", "yyy"],
+        ],
+        "external_id_tuples": [
+            ["a", "b", "c"],
+        ],
         'user_attributes': [
             {
                 'from_ldap': 'abc',
                 'to_user': 'Phone',
             }
-        ]
+        ],
     }
diff --git a/tests/test_login.py b/tests/test_login.py
index 535e28bb..7addbe2e 100644
--- a/tests/test_login.py
+++ b/tests/test_login.py
@@ -198,8 +198,9 @@ def test_ou_selector(app, settings, simple_user, ou1, ou2, user_ou1, role_ou1):
     assert not response.pyquery('.errorlist')
     assert response.pyquery.find('select#id_ou')
     assert len(response.pyquery.find('select#id_ou optgroup')) == 0
-    assert (set([elt.text for elt in response.pyquery.find('select#id_ou option')])
-            == set([u'Default organizational unit', u'OU1', u'OU2', u'---------']))
+    assert set([elt.text for elt in response.pyquery.find('select#id_ou option')]) == set(
+        [u'Default organizational unit', u'OU1', u'OU2', u'---------']
+    )
     # Check selector is required
     response.form.set('username', simple_user.username)
     response.form.set('password', simple_user.username)
@@ -224,8 +225,9 @@ def test_ou_selector(app, settings, simple_user, ou1, ou2, user_ou1, role_ou1):
     response = app.get('/login/')
     assert response.pyquery.find('select#id_ou')
     assert len(response.pyquery.find('select#id_ou optgroup')) == 2
-    assert (set([elt.text for elt in response.pyquery.find('select#id_ou option')])
-            == set([u'Default organizational unit', u'OU1', u'OU2', u'---------']))
+    assert set([elt.text for elt in response.pyquery.find('select#id_ou option')]) == set(
+        [u'Default organizational unit', u'OU1', u'OU2', u'---------']
+    )
     assert response.pyquery.find('select#id_ou option[selected]')[0].text == u'Default organizational unit'
 
     # Create a service
diff --git a/tests/test_manager.py b/tests/test_manager.py
index d4b5fb21..a03fe420 100644
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@@ -30,8 +30,7 @@ from authentic2.a2_rbac.models import MANAGE_MEMBERS_OP
 from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.validators import EmailValidator
 
-from django_rbac.utils import (get_ou_model, get_role_model,
-                               get_permission_model, get_operation)
+from django_rbac.utils import get_ou_model, get_role_model, get_permission_model, get_operation
 from django_rbac.models import VIEW_OP
 from django.contrib.auth import get_user_model
 from django.contrib.contenttypes.models import ContentType
@@ -120,8 +119,7 @@ def test_manager_create_role(superuser_or_admin, app):
 
 def test_manager_edit_role_slug(superuser_or_admin, app, simple_role):
     assert Role.objects.get(name='simple role').slug == 'simple-role'
-    resp = login(app, superuser_or_admin,
-                 reverse('a2-manager-role-edit', kwargs={'pk': simple_role.pk}))
+    resp = login(app, superuser_or_admin, reverse('a2-manager-role-edit', kwargs={'pk': simple_role.pk}))
     form = resp.form
     assert 'slug' in form.fields
     form.set('slug', 'new-simple-role-slug')
@@ -130,8 +128,7 @@ def test_manager_edit_role_slug(superuser_or_admin, app, simple_role):
 
 
 def test_manager_user_password_reset(app, superuser, simple_user):
-    resp = login(app, superuser,
-                 reverse('a2-manager-user-detail', kwargs={'pk': simple_user.pk}))
+    resp = login(app, superuser, reverse('a2-manager-user-detail', kwargs={'pk': simple_user.pk}))
     assert len(mail.outbox) == 0
     resp = resp.forms['object-actions'].submit('password_reset')
     assert 'A mail was sent to' in resp
@@ -429,8 +426,7 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
         # verify table shown
         q = response.pyquery.remove_namespaces()
         assert len(q('table tbody tr')) == 3
-        assert set([e.text for e in q('table tbody td.username')]) == {'admin', 'superuser',
-                                                                       'admin.ou1'}
+        assert set([e.text for e in q('table tbody td.username')]) == {'admin', 'superuser', 'admin.ou1'}
 
         # test user's role page
         response = app.get('/manage/users/%d/roles/' % admin.pk)
@@ -492,8 +488,13 @@ def test_manager_many_ou(app, superuser, admin, simple_role, role_ou1, admin_ou1
         q = response.pyquery.remove_namespaces()
         assert len(q('table tbody tr')) == 15
         for elt in q('table tbody td.name a'):
-            assert ('OU1' in elt.text or 'Default' in elt.text or 'Manager' in elt.text
-                    or elt.text == u'simple role' or elt.text == u'role_ou1')
+            assert (
+                'OU1' in elt.text
+                or 'Default' in elt.text
+                or 'Manager' in elt.text
+                or elt.text == u'simple role'
+                or elt.text == u'role_ou1'
+            )
 
         response.form.set('search-ou', 'none')
         response.form.set('search-internals', True)
@@ -629,8 +630,7 @@ def test_manager_many_ou_auto_admin_role(app, ou1, admin, user_with_auto_admin_r
 
 def test_manager_deactivate_user(app, admin, settings):
     default_ou = OU.objects.get()
-    User.objects.create(username='foo', ou=default_ou,
-                        first_name='Foo', last_name='Bar')
+    User.objects.create(username='foo', ou=default_ou, first_name='Foo', last_name='Bar')
     response = login(app, admin, '/manage/users/')
     response = response.click('Foo Bar')
     assert 'Deactivated on' not in response.text
@@ -698,20 +698,24 @@ def test_manager_site_import(app, db, superuser):
     site_export = {
         'roles': [
             {
-                "description": "", "service": None, "name": "basic",
+                "description": "",
+                "service": None,
+                "name": "basic",
                 "attributes": [],
                 "ou": {
                     "slug": "default",
                     "uuid": "ba60d9e6c2874636883bdd604b23eab2",
-                    "name": "Collectivit\u00e9 par d\u00e9faut"
+                    "name": "Collectivit\u00e9 par d\u00e9faut",
                 },
                 "external_id": "",
                 "slug": "basic",
-                "uuid": "6eb7bbf64bf547119120f925f0e560ac"
-            }]
+                "uuid": "6eb7bbf64bf547119120f925f0e560ac",
+            }
+        ]
     }
     form['site_json'] = Upload(
-        'site_export.json', force_bytes(json.dumps(site_export).encode('ascii')), 'application/octet-stream')
+        'site_export.json', force_bytes(json.dumps(site_export).encode('ascii')), 'application/octet-stream'
+    )
     res = form.submit()
     assert res.status_code == 302
     assert Role.objects.get(slug='basic')
@@ -723,28 +727,27 @@ def test_manager_site_import_error(app, db, superuser):
     site_export = {
         'roles': [
             {
-                "description": "", "service": None, "name": "basic",
+                "description": "",
+                "service": None,
+                "name": "basic",
                 "attributes": [],
-                "ou": {
-                    "slug": "unkown-ou",
-                    "uuid": "ba60d9e6c2874636883bdd604b23eab2",
-                    "name": "unkown ou"
-                },
+                "ou": {"slug": "unkown-ou", "uuid": "ba60d9e6c2874636883bdd604b23eab2", "name": "unkown ou"},
                 "external_id": "",
                 "slug": "basic",
-                "uuid": "6eb7bbf64bf547119120f925f0e560ac"
-            }]
+                "uuid": "6eb7bbf64bf547119120f925f0e560ac",
+            }
+        ]
     }
     form['site_json'] = Upload(
-        'site_export.json', force_bytes(json.dumps(site_export).encode('ascii')), 'application/octet-stream')
+        'site_export.json', force_bytes(json.dumps(site_export).encode('ascii')), 'application/octet-stream'
+    )
     res = form.submit()
     assert res.status_code == 200
     assert 'missing Organizational Unit' in res.text
     with pytest.raises(Role.DoesNotExist):
         Role.objects.get(slug='basic')
 
-    form['site_json'] = Upload(
-        'site_export.json', force_bytes(json.dumps([])), 'application/octet-stream')
+    form['site_json'] = Upload('site_export.json', force_bytes(json.dumps([])), 'application/octet-stream')
     res = form.submit()
     assert res.status_code == 200
 
@@ -769,7 +772,9 @@ def test_manager_homepage_import_export_hidden(admin, app):
 def test_manager_ou(app, superuser_or_admin, ou1):
     manager_home_page = login(app, superuser_or_admin, reverse('a2-manager-homepage'))
     ou_homepage = manager_home_page.click(href='organizational-units')
-    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(['OU1', 'Default organizational unit'])
+    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(
+        ['OU1', 'Default organizational unit']
+    )
     assert [x.text for x in ou_homepage.pyquery('td.slug')] == ['default', 'ou1']
 
     # add a new ou
@@ -778,7 +783,9 @@ def test_manager_ou(app, superuser_or_admin, ou1):
     add_ou_page.form.set('default', True)
     ou_homepage = add_ou_page.form.submit().follow()
     ou2 = OU.objects.get(name='ou2')
-    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(['OU1', 'Default organizational unit', 'ou2'])
+    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(
+        ['OU1', 'Default organizational unit', 'ou2']
+    )
     assert len(ou_homepage.pyquery('tr[data-pk="%s"] td.default span.true' % ou2.pk)) == 1
     assert len(ou_homepage.pyquery('tr[data-url="%s/"] td.default span.true' % ou2.pk)) == 1
 
@@ -791,7 +798,9 @@ def test_manager_ou(app, superuser_or_admin, ou1):
     ou1_detail_page = app.get(reverse('a2-manager-ou-detail', kwargs={'pk': ou1.pk}))
     ou1_delete_page = ou1_detail_page.click('Delete')
     ou_homepage = ou1_delete_page.form.submit().follow()
-    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(['Default organizational unit', 'ou2'])
+    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(
+        ['Default organizational unit', 'ou2']
+    )
 
     # remake old default ou the default one
     old_default = OU.objects.get(name__contains='Default')
@@ -804,7 +813,9 @@ def test_manager_ou(app, superuser_or_admin, ou1):
     assert old_default_detail_page.pyquery('input[name="default"][checked="checked"]')
     # check ou homepage has changed too
     ou_homepage = old_default_detail_page.click('Organizational unit')
-    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(['Default organizational unit', 'ou2'])
+    assert set([e.text for e in ou_homepage.pyquery('td.name')]) == set(
+        ['Default organizational unit', 'ou2']
+    )
     assert len(ou_homepage.pyquery('span.true')) == 1
     assert len(ou_homepage.pyquery('tr[data-pk="%s"] td.default span.true' % ou2.pk)) == 0
     assert len(ou_homepage.pyquery('tr[data-pk="%s"] td.default span.true' % old_default.pk)) == 1
@@ -926,9 +937,8 @@ def test_manager_role_admin_permissions(app, simple_user, admin, simple_role):
     # user can act on role inheritance
     role = Role.objects.create(name='test_role')
     view_role_perm = get_permission_model().objects.create(
-        operation=get_operation(VIEW_OP),
-        target_ct=ContentType.objects.get_for_model(Role),
-        target_id=role.pk)
+        operation=get_operation(VIEW_OP), target_ct=ContentType.objects.get_for_model(Role), target_id=role.pk
+    )
     simple_role.permissions.add(view_role_perm)
     simple_user.roles.add(simple_role)
     admin.roles.add(role)
@@ -975,7 +985,8 @@ def test_manager_permission_inheritance(app, simple_user, admin, simple_role):
     view_role_perm = get_permission_model().objects.create(
         operation=get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(Role),
-        target_id=simple_role.pk)
+        target_id=simple_role.pk,
+    )
     simple_role.permissions.add(view_role_perm)
     simple_user.roles.add(simple_role)
     login(app, simple_user, '/manage/')
@@ -991,13 +1002,20 @@ def test_manager_permission_inheritance(app, simple_user, admin, simple_role):
 
 def test_manager_widget_fields_validation(app, simple_user, simple_role):
     '''Verify that fields corresponding to widget implement queryset restrictions.'''
-    from authentic2.manager.forms import (ChooseUserForm, ChooseRoleForm,
-                                          UsersForm, RolesForm, ChooseUserRoleForm,
-                                          RoleParentsForm)
+    from authentic2.manager.forms import (
+        ChooseUserForm,
+        ChooseRoleForm,
+        UsersForm,
+        RolesForm,
+        ChooseUserRoleForm,
+        RoleParentsForm,
+    )
+
     error_message = 'Select a valid choice'
 
     class DummyRequest:
         user = simple_user
+
     request = DummyRequest()
 
     visible_role = Role.objects.create(name='visible_role', ou=simple_user.ou)
@@ -1008,11 +1026,13 @@ def test_manager_widget_fields_validation(app, simple_user, simple_role):
     view_role_perm = get_permission_model().objects.create(
         operation=get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(Role),
-        target_id=visible_role.pk)
+        target_id=visible_role.pk,
+    )
     view_user_perm = get_permission_model().objects.create(
         operation=get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(User),
-        target_id=visible_user.pk)
+        target_id=visible_user.pk,
+    )
     simple_role.permissions.add(view_role_perm)
     simple_role.permissions.add(view_user_perm)
     simple_user.roles.add(simple_role)
@@ -1047,7 +1067,8 @@ def test_manager_widget_fields_validation(app, simple_user, simple_role):
     change_role_perm = get_permission_model().objects.create(
         operation=get_operation(MANAGE_MEMBERS_OP),
         target_ct=ContentType.objects.get_for_model(Role),
-        target_id=visible_role.pk)
+        target_id=visible_role.pk,
+    )
     simple_role.permissions.add(change_role_perm)
     del simple_user._rbac_perms_cache
 
@@ -1059,7 +1080,6 @@ def test_manager_widget_fields_validation(app, simple_user, simple_role):
 
 
 def test_manager_role_widgets_choices(app, simple_user, simple_role):
-
     def get_choices(response):
         select2_json = request_select2(app, response)
         assert select2_json['more'] is False
@@ -1073,7 +1093,8 @@ def test_manager_role_widgets_choices(app, simple_user, simple_role):
     view_role_perm = get_permission_model().objects.create(
         operation=get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(Role),
-        target_id=visible_role.pk)
+        target_id=visible_role.pk,
+    )
     simple_role.permissions.add(view_role_perm)
     simple_user.roles.add(simple_role)
 
@@ -1100,8 +1121,7 @@ def test_manager_widgets_field_id_other_user(app, admin, simple_user, simple_rol
     assert select2_json['more'] is False
 
     # admin can see every roles
-    assert set([simple_role.pk, other_role.pk]) == \
-        set(result['id'] for result in select2_json['results'])
+    assert set([simple_role.pk, other_role.pk]) == set(result['id'] for result in select2_json['results'])
 
     login(app, simple_user)
     # same request from the page served for admin
@@ -1116,7 +1136,7 @@ def test_manager_widgets_field_id_other_user(app, admin, simple_user, simple_rol
 
 def test_display_parent_roles_on_role_page(app, superuser, settings):
     ou1 = get_default_ou()
-    ou1.name = ('ou1')
+    ou1.name = 'ou1'
     ou1.save()
 
     child = Role.objects.create(name='child', slug='role', ou=ou1)
@@ -1132,16 +1152,20 @@ def test_display_parent_roles_on_role_page(app, superuser, settings):
     response = app.get(url, status=200)
     parent_roles_html = response.html.find_all('div', {'class': 'role-inheritance'})[3]
     assert 'Parent roles:' in parent_roles_html.text
-    assert [x.text.strip() for x in parent_roles_html.find_all('a', {'class': 'role'})] == \
-        ['parent1', 'parent2']
+    assert [x.text.strip() for x in parent_roles_html.find_all('a', {'class': 'role'})] == [
+        'parent1',
+        'parent2',
+    ]
 
     # display parent roles if we have multiple OUs
     ou2 = OU.objects.create(name='ou2')
     response = app.get(url, status=200)
     parent_roles_html = response.html.find_all('div', {'class': 'role-inheritance'})[3]
     assert 'Parent roles:' in parent_roles_html.text
-    assert [x.text.strip() for x in parent_roles_html.find_all('a', {'class': 'role'})] == \
-        ['parent1', 'ou1 - parent2']
+    assert [x.text.strip() for x in parent_roles_html.find_all('a', {'class': 'role'})] == [
+        'parent1',
+        'ou1 - parent2',
+    ]
 
     # display parent roles sorted by OU
     parent3 = Role.objects.create(name='parent3', slug='role3', ou=ou2)
@@ -1152,5 +1176,9 @@ def test_display_parent_roles_on_role_page(app, superuser, settings):
     response = app.get(url, status=200)
     parent_roles_html = response.html.find_all('div', {'class': 'role-inheritance'})[3]
     assert 'Parent roles:' in parent_roles_html.text
-    assert [x.text.strip() for x in parent_roles_html.find_all('a', {'class': 'role'})] == \
-        ['parent1', 'ou1 - parent2', 'ou1 - parent4', 'ou2 - parent3']
+    assert [x.text.strip() for x in parent_roles_html.find_all('a', {'class': 'role'})] == [
+        'parent1',
+        'ou1 - parent2',
+        'ou1 - parent4',
+        'ou2 - parent3',
+    ]
diff --git a/tests/test_manager_journal.py b/tests/test_manager_journal.py
index b2020d76..b5a896d2 100644
--- a/tests/test_manager_journal.py
+++ b/tests/test_manager_journal.py
@@ -64,7 +64,11 @@ def events(db, freezer):
     make = EventFactory()
     make("user.registration.request", email=user.email)
     make(
-        "user.registration", user=user, session=session1, service=service, how="franceconnect",
+        "user.registration",
+        user=user,
+        session=session1,
+        service=service,
+        how="franceconnect",
     )
     make("user.logout", user=user, session=session1)
 
@@ -103,30 +107,48 @@ def events(db, freezer):
     change_email_form.instance = user
     change_email_form.cleaned_data = {'new_email': "jane@example.com"}
     make(
-        "manager.user.email.change.request", user=agent, session=session2, form=change_email_form,
+        "manager.user.email.change.request",
+        user=agent,
+        session=session2,
+        form=change_email_form,
     )
 
     password_change_form = mock.Mock(spec=["instance", "cleaned_data"])
     password_change_form.instance = user
     password_change_form.cleaned_data = {'generate_password': False, 'send_mail': False}
     make(
-        "manager.user.password.change", user=agent, session=session2, form=password_change_form,
+        "manager.user.password.change",
+        user=agent,
+        session=session2,
+        form=password_change_form,
     )
 
     password_change_form.cleaned_data["send_mail"] = True
     make(
-        "manager.user.password.change", user=agent, session=session2, form=password_change_form,
+        "manager.user.password.change",
+        user=agent,
+        session=session2,
+        form=password_change_form,
     )
 
     make(
-        "manager.user.password.reset.request", user=agent, session=session2, target_user=user,
+        "manager.user.password.reset.request",
+        user=agent,
+        session=session2,
+        target_user=user,
     )
 
     make(
-        "manager.user.password.change.force", user=agent, session=session2, target_user=user,
+        "manager.user.password.change.force",
+        user=agent,
+        session=session2,
+        target_user=user,
     )
     make(
-        "manager.user.password.change.unforce", user=agent, session=session2, target_user=user,
+        "manager.user.password.change.unforce",
+        user=agent,
+        session=session2,
+        target_user=user,
     )
 
     make("manager.user.activation", user=agent, session=session2, target_user=user)
@@ -147,21 +169,41 @@ def events(db, freezer):
     role_edit_form.changed_data = ["name"]
     role_edit_form.cleaned_data = {'name': "changed role name"}
     make(
-        "manager.role.edit", user=agent, session=session2, role=role_user, form=role_edit_form,
+        "manager.role.edit",
+        user=agent,
+        session=session2,
+        role=role_user,
+        form=role_edit_form,
     )
     make("manager.role.deletion", user=agent, session=session2, role=role_user)
     make(
-        "manager.role.membership.grant", user=agent, session=session2, role=role_user, member=user,
+        "manager.role.membership.grant",
+        user=agent,
+        session=session2,
+        role=role_user,
+        member=user,
     )
     make(
-        "manager.role.membership.removal", user=agent, session=session2, role=role_user, member=user,
+        "manager.role.membership.removal",
+        user=agent,
+        session=session2,
+        role=role_user,
+        member=user,
     )
 
     make(
-        "manager.role.inheritance.addition", user=agent, session=session2, parent=role_agent, child=role_user,
+        "manager.role.inheritance.addition",
+        user=agent,
+        session=session2,
+        parent=role_agent,
+        child=role_user,
     )
     make(
-        "manager.role.inheritance.removal", user=agent, session=session2, parent=role_agent, child=role_user,
+        "manager.role.inheritance.removal",
+        user=agent,
+        session=session2,
+        parent=role_agent,
+        child=role_user,
     )
 
     make(
diff --git a/tests/test_natural_key.py b/tests/test_natural_key.py
index 79fa51a0..f136f73d 100644
--- a/tests/test_natural_key.py
+++ b/tests/test_natural_key.py
@@ -41,8 +41,11 @@ def test_natural_key_json(db, ou1):
         ou_nk = role.ou and role.ou.natural_key_json()
         service_nk = role.service and role.service.natural_key_json()
         assert nk == {
-            'uuid': role.uuid, 'slug': role.slug, 'name': role.name, 'ou': ou_nk,
-            'service': service_nk
+            'uuid': role.uuid,
+            'slug': role.slug,
+            'name': role.name,
+            'ou': ou_nk,
+            'service': service_nk,
         }
         assert role == Role.objects.get_by_natural_key_json(nk)
         assert role == Role.objects.get_by_natural_key_json({'uuid': role.uuid})
@@ -57,9 +60,11 @@ def test_natural_key_json(db, ou1):
         else:
             assert Role.objects.get_by_natural_key_json({'name': role.name, 'ou': ou_nk}) == role
         assert role == Role.objects.get_by_natural_key_json(
-            {'slug': role.slug, 'ou': ou_nk, 'service': service_nk})
+            {'slug': role.slug, 'ou': ou_nk, 'service': service_nk}
+        )
         assert role == Role.objects.get_by_natural_key_json(
-            {'name': role.name, 'ou': ou_nk, 'service': service_nk})
+            {'name': role.name, 'ou': ou_nk, 'service': service_nk}
+        )
 
     for permission in Permission.objects.all():
         ou_nk = permission.ou and permission.ou.natural_key_json()
diff --git a/tests/test_ou_manager.py b/tests/test_ou_manager.py
index e8bfeeef..31075bc1 100644
--- a/tests/test_ou_manager.py
+++ b/tests/test_ou_manager.py
@@ -73,11 +73,13 @@ def test_manager_ou_import(app, admin, ou1, role_ou1, ou2, role_ou2):
     assert new_export['ous'][2]['uuid'] == export['ous'][2]['uuid']
 
     # in case roles are present in export file, they must not be imported
-    export['roles'] = [{
-        "uuid": "27255f404cb140df9a577da76b59f285",
-        "slug": "should_not_exist",
-        "name": "should_not_exist",
-    }]
+    export['roles'] = [
+        {
+            "uuid": "27255f404cb140df9a577da76b59f285",
+            "slug": "should_not_exist",
+            "name": "should_not_exist",
+        }
+    ]
     resp = resp.click('Import')
     resp.form['site_json'] = Upload('export.json', json.dumps(export).encode(), 'application/json')
     resp = resp.form.submit().follow()
diff --git a/tests/test_password_reset.py b/tests/test_password_reset.py
index 71fada84..9f1a2d90 100644
--- a/tests/test_password_reset.py
+++ b/tests/test_password_reset.py
@@ -22,6 +22,7 @@ from . import utils
 
 def test_send_password_reset_email(app, simple_user, mailoutbox):
     from authentic2.utils import send_password_reset_mail
+
     assert len(mailoutbox) == 0
     with utils.run_on_commit_hooks():
         send_password_reset_mail(
diff --git a/tests/test_passwords.py b/tests/test_passwords.py
index f229c34d..2ad2ba2e 100644
--- a/tests/test_passwords.py
+++ b/tests/test_passwords.py
@@ -29,5 +29,6 @@ def test_generate_password():
     assert len(passwords) == 10
     for password in passwords:
         assert len(password) >= max(app_settings.A2_PASSWORD_POLICY_MIN_LENGTH, 8)
-        assert (sum(any(char in char_class for char in password) for char_class in char_classes)
-                == max(app_settings.A2_PASSWORD_POLICY_MIN_CLASSES, 3))
+        assert sum(any(char in char_class for char in password) for char_class in char_classes) == max(
+            app_settings.A2_PASSWORD_POLICY_MIN_CLASSES, 3
+        )
diff --git a/tests/test_profile.py b/tests/test_profile.py
index e04481f6..c46aa79a 100644
--- a/tests/test_profile.py
+++ b/tests/test_profile.py
@@ -37,14 +37,14 @@ def test_account_edit_view(app, simple_user):
     resp = app.get(url, status=200)
 
     phone = Attribute.objects.create(
-        name='phone', label='phone',
-        kind='phone_number', user_visible=True, user_editable=True)
+        name='phone', label='phone', kind='phone_number', user_visible=True, user_editable=True
+    )
     title = Attribute.objects.create(
-        name='title', label='title',
-        kind='title', user_visible=True, user_editable=True)
+        name='title', label='title', kind='title', user_visible=True, user_editable=True
+    )
     agreement = Attribute.objects.create(
-        name='agreement', label='agreement',
-        kind='boolean', user_visible=True, user_editable=True)
+        name='agreement', label='agreement', kind='boolean', user_visible=True, user_editable=True
+    )
 
     resp = old_resp = app.get(url, status=200)
     resp.form['phone'] = '1234'
@@ -59,14 +59,16 @@ def test_account_edit_view(app, simple_user):
     assert agreement.get_value(simple_user) is False
 
     resp = resp.follow()
-    profile = [(dt.text.split('\xa0')[0], dd.text.strip())
-               for dt, dd in zip(resp.pyquery('dl dt'), resp.pyquery('dl dd'))]
+    profile = [
+        (dt.text.split('\xa0')[0], dd.text.strip())
+        for dt, dd in zip(resp.pyquery('dl dt'), resp.pyquery('dl dd'))
+    ]
     assert profile == [
         ('First name', 'Jôhn'),
         ('Last name', 'Dôe'),
         ('Email address', 'user@example.net'),
         ('Phone', '1234'),
-        ('Title', 'Mrs')
+        ('Title', 'Mrs'),
     ]
 
     resp = app.get(url, status=200)
@@ -117,9 +119,8 @@ def test_account_edit_next_url(app, simple_user, external_redirect_next_url, ass
     url = reverse('profile_edit')
 
     attribute = Attribute.objects.create(
-        name='phone', label='phone',
-        kind='string', user_visible=True,
-        user_editable=True)
+        name='phone', label='phone', kind='string', user_visible=True, user_editable=True
+    )
 
     resp = app.get(url + '?next=%s' % external_redirect_next_url, status=200)
     resp.form.set('phone', '0123456789')
@@ -138,25 +139,39 @@ def test_account_edit_scopes(app, simple_user):
     utils.login(app, simple_user)
     url = reverse('profile_edit')
 
-    Attribute.objects.create(name='phone', label='phone',
-                             kind='string', user_visible=True,
-                             user_editable=True, scopes='contact')
-    Attribute.objects.create(name='mobile', label='mobile phone',
-                             kind='string', user_visible=True,
-                             user_editable=True, scopes='contact')
+    Attribute.objects.create(
+        name='phone', label='phone', kind='string', user_visible=True, user_editable=True, scopes='contact'
+    )
+    Attribute.objects.create(
+        name='mobile',
+        label='mobile phone',
+        kind='string',
+        user_visible=True,
+        user_editable=True,
+        scopes='contact',
+    )
 
-    Attribute.objects.create(name='city', label='city',
-                             kind='string', user_visible=True,
-                             user_editable=True, scopes='address')
-    Attribute.objects.create(name='zipcode', label='zipcode', kind='string',
-                             user_visible=True, user_editable=True,
-                             scopes='address')
+    Attribute.objects.create(
+        name='city', label='city', kind='string', user_visible=True, user_editable=True, scopes='address'
+    )
+    Attribute.objects.create(
+        name='zipcode',
+        label='zipcode',
+        kind='string',
+        user_visible=True,
+        user_editable=True,
+        scopes='address',
+    )
 
     def get_fields(resp):
-        return set(key for key in resp.form.fields.keys() if key and key not in ['csrfmiddlewaretoken', 'cancel'])
+        return set(
+            key for key in resp.form.fields.keys() if key and key not in ['csrfmiddlewaretoken', 'cancel']
+        )
 
     resp = app.get(url, status=200)
-    assert get_fields(resp) == set(['first_name', 'last_name', 'phone', 'mobile', 'city', 'zipcode', 'next_url'])
+    assert get_fields(resp) == set(
+        ['first_name', 'last_name', 'phone', 'mobile', 'city', 'zipcode', 'next_url']
+    )
 
     resp = app.get(url + '?scope=contact', status=200)
     assert get_fields(resp) == set(['phone', 'mobile', 'next_url'])
@@ -167,19 +182,15 @@ def test_account_edit_scopes(app, simple_user):
     resp = app.get(url + '?scope=contact address', status=200)
     assert get_fields(resp) == set(['phone', 'mobile', 'city', 'zipcode', 'next_url'])
 
-    resp = app.get(reverse('profile_edit_with_scope', kwargs={'scope': 'contact'}),
-                   status=200)
+    resp = app.get(reverse('profile_edit_with_scope', kwargs={'scope': 'contact'}), status=200)
     assert get_fields(resp) == set(['phone', 'mobile', 'next_url'])
 
-    resp = app.get(reverse('profile_edit_with_scope', kwargs={'scope': 'address'}),
-                   status=200)
+    resp = app.get(reverse('profile_edit_with_scope', kwargs={'scope': 'address'}), status=200)
     assert get_fields(resp) == set(['city', 'zipcode', 'next_url'])
 
 
 def test_account_edit_locked_title(app, simple_user):
-    Attribute.objects.create(
-        name='title', label='title',
-        kind='title', user_visible=True, user_editable=True)
+    Attribute.objects.create(name='title', label='title', kind='title', user_visible=True, user_editable=True)
     simple_user.attributes.title = 'Monsieur'
 
     utils.login(app, simple_user)
@@ -204,21 +215,19 @@ def test_account_view(app, simple_user, settings):
     assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
         reverse('email-change'),
         reverse('profile_edit'),
-        reverse('delete_account')
+        reverse('delete_account'),
     ]
 
     # oidc client defined -> authorization management
     client = OIDCClient.objects.create(
-        name='client',
-        slug='client',
-        ou=get_default_ou(),
-        redirect_uris='https://example.com/')
+        name='client', slug='client', ou=get_default_ou(), redirect_uris='https://example.com/'
+    )
     response = app.get(url, status=200)
     assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
         reverse('email-change'),
         reverse('profile_edit'),
         reverse('authorized-oauth-services'),
-        reverse('delete_account')
+        reverse('delete_account'),
     ]
 
     # oidc client defined but no authorization mode -> no authorization management
@@ -228,7 +237,7 @@ def test_account_view(app, simple_user, settings):
     assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
         reverse('email-change'),
         reverse('profile_edit'),
-        reverse('delete_account')
+        reverse('delete_account'),
     ]
 
     # restore authorization mode
@@ -242,7 +251,7 @@ def test_account_view(app, simple_user, settings):
     assert [x['href'] for x in response.html.find('div', {'id': 'a2-profile'}).find_all('a')] == [
         reverse('email-change'),
         reverse('profile_edit'),
-        reverse('delete_account')
+        reverse('delete_account'),
     ]
     settings.INSTALLED_APPS += ('authentic2_idp_oidc',)
 
diff --git a/tests/test_registration.py b/tests/test_registration.py
index 2a803bfb..a0b5a39a 100644
--- a/tests/test_registration.py
+++ b/tests/test_registration.py
@@ -278,8 +278,7 @@ def test_username_is_unique(app, db, settings, mailoutbox):
     response.form.set('password1', 'T0==toto')
     response.form.set('password2', 'T0==toto')
     response = response.form.submit()
-    assert ('This username is already in use. Please supply a different username.' in
-            response.text)
+    assert 'This username is already in use. Please supply a different username.' in response.text
 
 
 def test_email_is_unique(app, db, settings, mailoutbox):
@@ -332,22 +331,11 @@ def test_attribute_model(app, db, settings, mailoutbox):
     # disable existing attributes
     models.Attribute.objects.update(disabled=True)
 
+    models.Attribute.objects.create(label=u'Prénom', name='prenom', required=True, kind='string')
     models.Attribute.objects.create(
-        label=u'Prénom',
-        name='prenom',
-        required=True,
-        kind='string')
-    models.Attribute.objects.create(
-        label=u'Nom',
-        name='nom',
-        asked_on_registration=True,
-        user_visible=True,
-        kind='string')
-    models.Attribute.objects.create(
-        label='Profession',
-        name='profession',
-        user_editable=True,
-        kind='string')
+        label=u'Nom', name='nom', asked_on_registration=True, user_visible=True, kind='string'
+    )
+    models.Attribute.objects.create(label='Profession', name='profession', user_editable=True, kind='string')
 
     response = app.get(reverse('registration_register'))
     response.form.set('email', 'testbot@entrouvert.com')
@@ -410,6 +398,7 @@ def test_registration_email_blacklist(app, settings, db):
         response.form.set('email', email)
         response = response.form.submit()
         return response.status_code == 302
+
     settings.A2_REGISTRATION_EMAIL_BLACKLIST = [r'a*@example\.com']
     assert not test_register('aaaa@example.com')
     assert test_register('aaaa@example.com.zob')
@@ -423,8 +412,7 @@ def test_registration_email_blacklist(app, settings, db):
 def test_registration_bad_email(app, db, settings):
     settings.LANGUAGE_CODE = 'en-us'
 
-    response = app.post(reverse('registration_register'), params={'email': 'fred@0d..be'},
-                        status=200)
+    response = app.post(reverse('registration_register'), params={'email': 'fred@0d..be'}, status=200)
     assert 'Enter a valid email address.' in response.context['form'].errors['email']
 
     response = app.post(reverse('registration_register'), params={'email': u'ééééé'}, status=200)
@@ -436,9 +424,7 @@ def test_registration_bad_email(app, db, settings):
 
 def test_registration_confirm_data(app, settings, db, rf):
     # make first name not required
-    models.Attribute.objects.filter(
-        name='first_name').update(
-            required=False)
+    models.Attribute.objects.filter(name='first_name').update(required=False)
 
     activation_url = utils.build_activation_url(
         rf.post('/accounts/register/'),
@@ -447,7 +433,8 @@ def test_registration_confirm_data(app, settings, db, rf):
         first_name='John',
         last_name='Doe',
         no_password=True,
-        confirm_data=False)
+        confirm_data=False,
+    )
 
     response = app.get(activation_url, status=302)
 
@@ -457,7 +444,8 @@ def test_registration_confirm_data(app, settings, db, rf):
         next_url='/',
         last_name='Doe',
         no_password=True,
-        confirm_data=False)
+        confirm_data=False,
+    )
 
     response = app.get(activation_url, status=200)
     assert 'form' in response.context
@@ -469,7 +457,8 @@ def test_registration_confirm_data(app, settings, db, rf):
         next_url='/',
         last_name='Doe',
         no_password=True,
-        confirm_data='required')
+        confirm_data='required',
+    )
     response = app.get(activation_url, status=302)
 
 
@@ -479,11 +468,8 @@ def test_revalidate_email(app, rf, db, settings, mailoutbox):
     # disable existing attributes
     models.Attribute.objects.update(disabled=True)
     url = utils.build_activation_url(
-        rf.get('/'),
-        'testbot@entrouvert.com',
-        next_url=None,
-        valid_email=False,
-        franceconnect=True)
+        rf.get('/'), 'testbot@entrouvert.com', next_url=None, valid_email=False, franceconnect=True
+    )
 
     assert len(mailoutbox) == 0
     # register
@@ -515,7 +501,8 @@ def test_email_is_unique_multiple_objects_returned(app, db, settings, mailoutbox
         password='ABcd12345',
         next_url=None,
         valid_email=False,
-        franceconnect=True)
+        franceconnect=True,
+    )
 
     response = app.get(url)
     assert 'This email address is already in use.' in response.text
@@ -539,7 +526,8 @@ def test_username_is_unique_multiple_objects_returned(app, db, settings, mailout
         password='ABcd12345',
         next_url=None,
         valid_email=False,
-        franceconnect=True)
+        franceconnect=True,
+    )
 
     response = app.get(url)
     assert 'This username is already in use.' in response.text
@@ -648,7 +636,8 @@ def test_authentication_method(app, db, rf, hooks):
         first_name='John',
         last_name='Doe',
         no_password=True,
-        confirm_data=False)
+        confirm_data=False,
+    )
     app.get(activation_url)
 
     assert len(hooks.calls['event']) == 2
@@ -665,7 +654,8 @@ def test_authentication_method(app, db, rf, hooks):
         last_name='Doe',
         no_password=True,
         authentication_method='another',
-        confirm_data=False)
+        confirm_data=False,
+    )
     app.get(activation_url)
 
     assert len(hooks.calls['event']) == 4
@@ -688,11 +678,7 @@ def test_registration_with_email_suggestions(app, db, settings):
 
 
 def test_registration_no_email_full_profile_no_password(app, db, rf, mailoutbox):
-    models.Attribute.objects.create(
-        kind='birthdate',
-        name='birthdate',
-        label='birthdate',
-        required=True)
+    models.Attribute.objects.create(kind='birthdate', name='birthdate', label='birthdate', required=True)
 
     data = {
         'email': 'john.doe@example.com',
@@ -705,10 +691,7 @@ def test_registration_no_email_full_profile_no_password(app, db, rf, mailoutbox)
         'authentication_method': 'france-connect',
     }
 
-    activation_url = utils.build_activation_url(
-        rf.post('/accounts/register/'),
-        next_url='/',
-        **data)
+    activation_url = utils.build_activation_url(rf.post('/accounts/register/'), next_url='/', **data)
 
     response = app.get(activation_url)
     response.form.set('first_name', data['first_name'])
@@ -778,15 +761,11 @@ def test_double_registration_impossible(app, db, mailoutbox):
 
 def test_registration_email_not_verified_required_and_unrequired_attributes(app, db, rf, mailoutbox):
     models.Attribute.objects.create(
-        kind='birthdate',
-        name='birthdate',
-        label='birthdate',
-        asked_on_registration=False)
+        kind='birthdate', name='birthdate', label='birthdate', asked_on_registration=False
+    )
     models.Attribute.objects.create(
-        kind='string',
-        name='preferred_color',
-        label='couleur préférée',
-        required=True)
+        kind='string', name='preferred_color', label='couleur préférée', required=True
+    )
 
     data = {
         'email': 'john.doe@example.com',
@@ -799,10 +778,7 @@ def test_registration_email_not_verified_required_and_unrequired_attributes(app,
         'authentication_method': 'france-connect',
     }
 
-    activation_url = utils.build_activation_url(
-        rf.post('/accounts/register/'),
-        next_url='/',
-        **data)
+    activation_url = utils.build_activation_url(rf.post('/accounts/register/'), next_url='/', **data)
 
     response = app.get(activation_url)
     response.form.set('first_name', data['first_name'])
@@ -827,11 +803,14 @@ def test_honeypot(app, db, settings, mailoutbox):
     settings.DEFAULT_FROM_EMAIL = 'show only addr <noreply@example.net>'
 
     response = app.get(utils.make_url('registration_register'))
-    response = app.post(utils.make_url('registration_register'), params={
-        'email': 'testbot@entrouvert.com',
-        'csrfmiddlewaretoken': response.context['csrf_token'],
-        'robotcheck': 'a',
-    })
+    response = app.post(
+        utils.make_url('registration_register'),
+        params={
+            'email': 'testbot@entrouvert.com',
+            'csrfmiddlewaretoken': response.context['csrf_token'],
+            'robotcheck': 'a',
+        },
+    )
     response = response.follow()
     assert len(mailoutbox) == 0
     assert 'Your registration request has been refused' in response
diff --git a/tests/test_role_manager.py b/tests/test_role_manager.py
index 003c0b40..749a726e 100644
--- a/tests/test_role_manager.py
+++ b/tests/test_role_manager.py
@@ -40,11 +40,13 @@ def test_manager_role_export(app, admin, ou1, role_ou1, ou2, role_ou2):
     assert set([role['slug'] for role in export['roles']]) == set(['role_ou1', 'role_ou2'])
 
     export_response = response.click('CSV')
-    reader = csv.reader([force_text(line) for line in export_response.body.split(force_bytes('\r\n'))], delimiter=',')
+    reader = csv.reader(
+        [force_text(line) for line in export_response.body.split(force_bytes('\r\n'))], delimiter=','
+    )
     rows = [row for row in reader]
 
     assert rows[0] == ['name', 'slug', 'members', 'ou']
-    assert len(rows)-2 == 2 # csv header and last EOL
+    assert len(rows) - 2 == 2  # csv header and last EOL
     assert set([row[1] for row in rows[1:3]]) == set(['role_ou1', 'role_ou2'])
     assert set([row[3] for row in rows[1:3]]) == set(['OU1', 'OU2'])
 
@@ -59,11 +61,13 @@ def test_manager_role_export(app, admin, ou1, role_ou1, ou2, role_ou2):
     assert export['roles'][0]['slug'] == 'role_ou1'
 
     export_response = search_response.click('CSV')
-    reader = csv.reader([force_text(line) for line in export_response.body.split(force_bytes('\r\n'))], delimiter=',')
+    reader = csv.reader(
+        [force_text(line) for line in export_response.body.split(force_bytes('\r\n'))], delimiter=','
+    )
     rows = [row for row in reader]
 
     assert rows[0] == ['name', 'slug', 'members', 'ou']
-    assert len(rows)-2 == 1 # csv header and last EOL
+    assert len(rows) - 2 == 1  # csv header and last EOL
     assert rows[1][1] == 'role_ou1'
 
 
@@ -110,9 +114,13 @@ def test_role_members_via(app, admin):
     user2.roles.add(role2)
 
     response = login(app, admin, '/manage/roles/%s/' % role1.id)
-    rows = list(zip([text_content(el) for el in response.pyquery('tr td.username')],
-               [text_content(el) for el in response.pyquery('tr td.direct')],
-               [text_content(el) for el in response.pyquery('tr td.via')]))
+    rows = list(
+        zip(
+            [text_content(el) for el in response.pyquery('tr td.username')],
+            [text_content(el) for el in response.pyquery('tr td.direct')],
+            [text_content(el) for el in response.pyquery('tr td.via')],
+        )
+    )
     assert rows == [
         ('user1', '✔', ''),
         ('user2', '✘', 'role2'),
@@ -157,11 +165,13 @@ def test_manager_role_import(app, admin, ou1, role_ou1, ou2, role_ou2):
     assert Role.objects.filter(ou=ou1).count() == 4
 
     # in case ous are present in export file, they must not be imported
-    export['ous'] = [{
-        "uuid": "27255f404cb140df9a577da76b59f285",
-        "slug": "should_not_exist",
-        "name": "should_not_exist",
-    }]
+    export['ous'] = [
+        {
+            "uuid": "27255f404cb140df9a577da76b59f285",
+            "slug": "should_not_exist",
+            "name": "should_not_exist",
+        }
+    ]
     resp = app.get('/manage/roles/')  # unselect ou1
     resp = resp.click('Import')
     resp.form['site_json'] = Upload('export.json', json.dumps(export).encode(), 'application/json')
@@ -225,9 +235,12 @@ def test_roles_displayed_fields(app, admin, ou1, ou2):
 
     # check OUTable
     response = app.get('/manage/roles/')
-    rows = list(zip([text_content(el) for el in response.pyquery('tr td.name')],
-                    [text_content(el) for el in response.pyquery('tr td.member_count')],
-                    ))
+    rows = list(
+        zip(
+            [text_content(el) for el in response.pyquery('tr td.name')],
+            [text_content(el) for el in response.pyquery('tr td.member_count')],
+        )
+    )
     assert rows == [
         ('role1', '2'),
         ('role2 (LDAP)', '0'),
@@ -235,9 +248,12 @@ def test_roles_displayed_fields(app, admin, ou1, ou2):
 
     # check UserRolesTable
     response = app.get('/manage/users/%s/roles/?search-ou=all' % user2.pk)
-    rows = list(zip([text_content(el) for el in response.pyquery('tr td.name')],
-                    [text_content(el) for el in response.pyquery('tr td.via')],
-                    ))
+    rows = list(
+        zip(
+            [text_content(el) for el in response.pyquery('tr td.name')],
+            [text_content(el) for el in response.pyquery('tr td.via')],
+        )
+    )
     assert rows == [
         ('role1', ''),
         ('role2 (LDAP)', 'role1 '),
@@ -245,11 +261,14 @@ def test_roles_displayed_fields(app, admin, ou1, ou2):
 
     # check OuUserRolesTable
     response = app.get('/manage/users/%s/roles/?search-ou=' % user2.pk)
-    rows = list(zip([text_content(el) for el in response.pyquery('tr td.name')],
-                    [text_content(el) for el in response.pyquery('tr td.via')],
-                    [el.attrib.get('checked') for el in response.pyquery('tr td.member input')],
-                    [el.attrib.get('disabled') for el in response.pyquery('tr td.member input')],
-                    ))
+    rows = list(
+        zip(
+            [text_content(el) for el in response.pyquery('tr td.name')],
+            [text_content(el) for el in response.pyquery('tr td.via')],
+            [el.attrib.get('checked') for el in response.pyquery('tr td.member input')],
+            [el.attrib.get('disabled') for el in response.pyquery('tr td.member input')],
+        )
+    )
     assert rows == [
         ('role1', '', 'checked', None),
         ('role2 (LDAP)', 'role1 ', None, 'disabled'),
diff --git a/tests/test_saml_x509utils.py b/tests/test_saml_x509utils.py
index b748525c..f2cce460 100644
--- a/tests/test_saml_x509utils.py
+++ b/tests/test_saml_x509utils.py
@@ -68,11 +68,14 @@ pkkt86tIOLEtaNO97CcF/t+Un5QAh9MqLmQv5pwUDo4Lqo7qo1bAfyHjOlr5kdaP
 8eM47A92x9uplD/sN550pTKM7XLhHBvEfLujUoGHpWQxGA==
 -----END RSA PRIVATE KEY-----'''
     assert check_key_pair_consistency(cert, key)
-    assert get_xmldsig_rsa_key_value(cert) == '''\
+    assert (
+        get_xmldsig_rsa_key_value(cert)
+        == '''\
 <RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
 	<Modulus>rU2w03vy6w/oLytEoH/657wIOM3HP7yXBHbIhrCd7IU7Huzj3+XyGg+5a8vo5rRV+tZ/EZ9XdYsPsIbmG6xukdzoQ8OdL7n29ka0UhwTgOwnH4ikA+gk9qd9ZrL/goh2xpqB0Rcrdgp0RsthQl9jos3+asX4x2iRF7tLZP0nTdk=</Modulus>
 	<Exponent>AQAB</Exponent>
 </RSAKeyValue>'''
+    )
     assert get_rsa_public_key_modulus(cert) is not None
     assert get_rsa_public_key_exponent(cert) is not None
     assert len(decapsulate_pem_file(key).splitlines()) == len(key.splitlines()) - 2
diff --git a/tests/test_template.py b/tests/test_template.py
index 3187c491..cbdbbc4e 100644
--- a/tests/test_template.py
+++ b/tests/test_template.py
@@ -52,10 +52,7 @@ def test_render_template():
     # 1.3. test set operator
     value = '{% if foo in bar %}Found{% else %}Missing{% endif %}'
     template = Template(value=value)
-    context = {
-        'foo': 'john',
-        'bar': ['miles', 'john', 'red', 'paul', 'philly joe']
-    }
+    context = {'foo': 'john', 'bar': ['miles', 'john', 'red', 'paul', 'philly joe']}
     assert template.render(context=context) == 'Found'
 
     context['bar'] = ['miles', 'wayne', 'herbie', 'ron', 'tony']
@@ -77,7 +74,7 @@ def test_render_template():
     value = '{% with name=user.name age=user.age %}{{ name }}: {{ age }}{% endwith %}'
     template = Template(value=value)
 
-    context = {'user': {'name': 'Robert', 'age': 39 }}
+    context = {'user': {'name': 'Robert', 'age': 39}}
     assert template.render(context=context) == 'Robert: 39'
 
     # 4. test 'firstof' tag
@@ -92,7 +89,7 @@ def test_render_template():
 
 
 def test_render_template_syntax_error():
-    value = '{% if foo %}John{% else %}Jim{% endif %' # oops
+    value = '{% if foo %}John{% else %}Jim{% endif %'  # oops
     template = Template(value=value)
 
     context = {'foo': True}
@@ -132,8 +129,7 @@ def test_service_in_template(app, simple_user, service):
     assert resp.pyquery('body').attr('data-service-name') == service.name
 
     # if user comes back from a different service, the information is updated
-    new_service = Service.objects.create(ou=get_default_ou(), slug='service2',
-                                         name='Service2')
+    new_service = Service.objects.create(ou=get_default_ou(), slug='service2', name='Service2')
     resp = app.get(reverse('account_management') + '?service=%s' % new_service.slug)
     assert resp.pyquery('body').attr('data-service-slug') == new_service.slug
     assert resp.pyquery('body').attr('data-service-name') == new_service.name
diff --git a/tests/test_user_manager.py b/tests/test_user_manager.py
index 24a0c529..30558a22 100644
--- a/tests/test_user_manager.py
+++ b/tests/test_user_manager.py
@@ -236,13 +236,16 @@ def test_manager_user_change_email(app, superuser_or_admin, simple_user, mailout
 
     assert NEW_EMAIL != simple_user.email
 
-    response = login(app, superuser_or_admin,
-                     reverse('a2-manager-user-by-uuid-detail',
-                             kwargs={'slug': text_type(simple_user.uuid)}))
+    response = login(
+        app,
+        superuser_or_admin,
+        reverse('a2-manager-user-by-uuid-detail', kwargs={'slug': text_type(simple_user.uuid)}),
+    )
     assert 'Change user email' in response.text
     # cannot click it's a submit button :/
-    response = app.get(reverse('a2-manager-user-by-uuid-change-email',
-                               kwargs={'slug': text_type(simple_user.uuid)}))
+    response = app.get(
+        reverse('a2-manager-user-by-uuid-change-email', kwargs={'slug': text_type(simple_user.uuid)})
+    )
     assert response.form['new_email'].value == simple_user.email
     response.form.set('new_email', NEW_EMAIL)
     assert len(mailoutbox) == 0
@@ -259,9 +262,7 @@ def test_manager_user_change_email(app, superuser_or_admin, simple_user, mailout
 
     link = get_link_from_mail(mailoutbox[0])
     response = app.get(link).maybe_follow()
-    assert (
-        'your request for changing your email for john.doe@example.com is successful'
-        in response.text)
+    assert 'your request for changing your email for john.doe@example.com is successful' in response.text
     simple_user.refresh_from_db()
     assert simple_user.email == NEW_EMAIL
 
@@ -275,13 +276,16 @@ def test_manager_user_change_email_no_change(app, superuser_or_admin, simple_use
 
     assert NEW_EMAIL != simple_user.email
 
-    response = login(app, superuser_or_admin,
-                     reverse('a2-manager-user-by-uuid-detail',
-                             kwargs={'slug': text_type(simple_user.uuid)}))
+    response = login(
+        app,
+        superuser_or_admin,
+        reverse('a2-manager-user-by-uuid-detail', kwargs={'slug': text_type(simple_user.uuid)}),
+    )
     assert 'Change user email' in response.text
     # cannot click it's a submit button :/
-    response = app.get(reverse('a2-manager-user-by-uuid-change-email',
-                               kwargs={'slug': text_type(simple_user.uuid)}))
+    response = app.get(
+        reverse('a2-manager-user-by-uuid-change-email', kwargs={'slug': text_type(simple_user.uuid)})
+    )
     assert response.form['new_email'].value == simple_user.email
     assert len(mailoutbox) == 0
     response = response.form.submit().follow()
@@ -331,8 +335,12 @@ def test_export_csv(settings, app, superuser, django_assert_num_queries):
     ContentType.objects.get_for_model(User)
     atvs = []
     for i in range(USER_COUNT):
-        atvs.extend([AttributeValue(
-            owner=users[i], attribute=ats[j], content='value-%s-%s' % (i, j)) for j in range(AT_COUNT)])
+        atvs.extend(
+            [
+                AttributeValue(owner=users[i], attribute=ats[j], content='value-%s-%s' % (i, j))
+                for j in range(AT_COUNT)
+            ]
+        )
     AttributeValue.objects.bulk_create(atvs)
 
     response = login(app, superuser, reverse('a2-manager-users'))
@@ -428,8 +436,8 @@ def test_user_import(encoding, transactional_db, app, admin, ou1, admin_ou1):
     Attribute.objects.create(name='phone', kind='phone_number', label='Numéro de téléphone')
 
     deleted_user = User.objects.create(
-        email='john.doe@entrouvert.com', username='jdoe',
-        first_name='John', last_name='doe')
+        email='john.doe@entrouvert.com', username='jdoe', first_name='John', last_name='doe'
+    )
     deleted_user.delete()
 
     user_count = User.objects.count()
@@ -439,15 +447,20 @@ def test_user_import(encoding, transactional_db, app, admin, ou1, admin_ou1):
     response = login(app, admin, '/manage/users/')
 
     response = response.click('Import users')
-    response.form.set('import_file',
-                      Upload(
-                          'users.csv',
-                          '''email key verified,first_name,last_name,phone
+    response.form.set(
+        'import_file',
+        Upload(
+            'users.csv',
+            '''email key verified,first_name,last_name,phone
 tnoel@entrouvert.com,Thomas,Noël,1234
 fpeters@entrouvert.com,Frédéric,Péters,5678
 john.doe@entrouvert.com,John,Doe,9101112
-x,x,x,x'''.encode(encoding),
-                          'application/octet-stream'))
+x,x,x,x'''.encode(
+                encoding
+            ),
+            'application/octet-stream',
+        ),
+    )
     response.form.set('encoding', encoding)
     response.form.set('ou', str(get_default_ou().pk))
     response = response.form.submit()
@@ -513,21 +526,33 @@ x,x,x,x'''.encode(encoding),
     response = assert_timeout(2, wait_finished)
 
     assert User.objects.count() == user_count + 3
-    assert User.objects.filter(
-        email='tnoel@entrouvert.com',
-        first_name='Thomas',
-        last_name='Noël',
-        attribute_values__content='1234').count() == 1
-    assert User.objects.filter(
-        email='fpeters@entrouvert.com',
-        first_name='Frédéric',
-        last_name='Péters',
-        attribute_values__content='5678').count() == 1
-    assert User.objects.filter(
-        email='john.doe@entrouvert.com',
-        first_name='John',
-        last_name='Doe',
-        attribute_values__content='9101112').count() == 1
+    assert (
+        User.objects.filter(
+            email='tnoel@entrouvert.com',
+            first_name='Thomas',
+            last_name='Noël',
+            attribute_values__content='1234',
+        ).count()
+        == 1
+    )
+    assert (
+        User.objects.filter(
+            email='fpeters@entrouvert.com',
+            first_name='Frédéric',
+            last_name='Péters',
+            attribute_values__content='5678',
+        ).count()
+        == 1
+    )
+    assert (
+        User.objects.filter(
+            email='john.doe@entrouvert.com',
+            first_name='John',
+            last_name='Doe',
+            attribute_values__content='9101112',
+        ).count()
+        == 1
+    )
 
     # logout
     app.session.flush()
@@ -578,8 +603,8 @@ def import_csv(csv_content, app):
     response = response.click('Import users')
     index = [i for i in response.forms if 'import_file' in response.forms[i].fields][0]
     response.forms[index].set(
-        'import_file',
-        Upload('users.csv', csv_content.encode('utf-8'), 'application/octet-stream'))
+        'import_file', Upload('users.csv', csv_content.encode('utf-8'), 'application/octet-stream')
+    )
     response.forms[index].set('encoding', 'utf-8-sig')
     response.forms[index].set('ou', str(get_default_ou().pk))
     response = response.forms[index].submit().follow()
@@ -590,7 +615,7 @@ def import_csv(csv_content, app):
     while 'Running' in response.text:
         response = response.click('Users Import')
         assert time.time() - start < 2
-        time.sleep(.1)
+        time.sleep(0.1)
 
     # report
     urls = re.findall('<a href="(/manage/users/import/[^/]+/[^/]+/)">', response.text)
@@ -613,7 +638,8 @@ def test_user_import_attributes(transactional_db, app, admin):
     csv_lines = [
         u"email key verified,first_name,last_name,more,title,bike,saintsday,birthdate,zip,phone",
         u"elliot@universalpictures.com,Elliott,Thomas,petit,Mr,True,2019-7-20,1972-05-26,75014,1234",
-        u"et@universalpictures.com,ET,the Extra-Terrestrial,long,??,False,1/2/3/4,0002-2-22,42,home"]
+        u"et@universalpictures.com,ET,the Extra-Terrestrial,long,??,False,1/2/3/4,0002-2-22,42,home",
+    ]
     response = import_csv('\n'.join(csv_lines), app)
     urls = re.findall('<a href="(/manage/users/import/[^/]+/[^/]+/)">', response.text)
     response = app.get(urls[0])
@@ -633,8 +659,7 @@ def test_user_import_attributes(transactional_db, app, admin):
     assert elliot.attributes.values['zip'].content == '75014'
     assert elliot.attributes.values['phone'].content == '1234'
 
-    csv_lines[2] = \
-        u"et@universalpictures.com,ET,the Extra-Terrestrial,,,,,,42000,+888 5678"
+    csv_lines[2] = u"et@universalpictures.com,ET,the Extra-Terrestrial,,,,,,42000,+888 5678"
     response = import_csv('\n'.join(csv_lines), app)
     assert '0 rows have errors' in response.text
 
@@ -733,8 +758,8 @@ Elliott,3'''
     response = response.click('Import users')
     index = [i for i in response.forms if 'import_file' in response.forms[i].fields][0]
     response.forms[index].set(
-        'import_file',
-        Upload('users.csv', csv_content.encode('utf-8'), 'application/octet-stream'))
+        'import_file', Upload('users.csv', csv_content.encode('utf-8'), 'application/octet-stream')
+    )
     response.forms[index].set('encoding', 'utf-8-sig')
     response.forms[index].set('ou', str(get_default_ou().pk))
     response = response.forms[index].submit().follow()
@@ -745,7 +770,7 @@ Elliott,3'''
     while 'Running' in response.text:
         response = response.click('Users Import')
         assert time.time() - start < 2
-        time.sleep(.1)
+        time.sleep(0.1)
 
     urls = re.findall('<a href="(/manage/users/import/[^/]+/[^/]+/)">', response.text)
     response = app.get(urls[0])
@@ -756,7 +781,7 @@ Elliott,3'''
     while 'Running' in response.text:
         response = response.click('Users Import')
         assert time.time() - start < 2
-        time.sleep(.1)
+        time.sleep(0.1)
 
     assert User.objects.filter(first_name='Elliott').exists()
 
@@ -809,16 +834,16 @@ def test_manager_edit_user_next_form_error(superuser_or_admin, app, ou1, simple_
 
 
 def test_user_add_settings(settings, admin, app, db):
-    passwd_options = ('generate_password', 'reset_password_at_next_login',
-                      'send_mail', 'send_password_reset')
+    passwd_options = ('generate_password', 'reset_password_at_next_login', 'send_mail', 'send_password_reset')
     for policy in [choice[0] for choice in OU.USER_ADD_PASSWD_POLICY_CHOICES]:
         ou = get_default_ou()
         ou.user_add_password_policy = policy
         ou.save()
         user_add = login(app, admin, '/manage/users/add/').follow()
         for option, i in zip(passwd_options, range(4)):
-            assert (user_add.form.get(option).value
-                    == {False: None, True: 'on'}.get(OU.USER_ADD_PASSWD_POLICY_VALUES[policy][i]))
+            assert user_add.form.get(option).value == {False: None, True: 'on'}.get(
+                OU.USER_ADD_PASSWD_POLICY_VALUES[policy][i]
+            )
         app.get('/logout/').form.submit()
 
 
@@ -866,8 +891,12 @@ def test_manager_edit_user_address_autocomplete(app, simple_user, superuser_or_a
     login(app, superuser_or_admin, '/manage/')
 
     Attribute.objects.create(
-        name='address_autocomplete', label='Address (autocomplete)',
-        kind='address_auto', user_visible=True, user_editable=True)
+        name='address_autocomplete',
+        label='Address (autocomplete)',
+        kind='address_auto',
+        user_visible=True,
+        user_editable=True,
+    )
 
     resp = app.get(url)
     assert resp.html.find('select', {'name': 'address_autocomplete'})
@@ -937,8 +966,12 @@ def test_manager_user_username_field(app, superuser, simple_user):
 def test_manager_user_address_autocomplete_field(app, superuser, simple_user):
     login(app, superuser, '/manage/')
     Attribute.objects.create(
-        name='address_autocomplete', label='Address (autocomplete)',
-        kind='address_auto', user_visible=True, user_editable=True)
+        name='address_autocomplete',
+        label='Address (autocomplete)',
+        kind='address_auto',
+        user_visible=True,
+        user_editable=True,
+    )
     resp = app.get(reverse('a2-manager-user-detail', kwargs={'pk': simple_user.id}))
     assert not resp.html.find('select', {'name': 'address_autocomplete'})
     assert not resp.html.find('input', {'id': 'manual-address'})
@@ -962,14 +995,14 @@ def test_manager_user_roles_visibility(app, simple_user, admin, ou1, ou2):
 
     app.get('/logout/').form.submit()
 
-    other_user = get_user_model().objects.create(
-        username='other_user', ou=ou1)
+    other_user = get_user_model().objects.create(username='other_user', ou=ou1)
     other_user.set_password('auietsrn')
     other_role = Role.objects.create(name='Other role', slug='other-role', ou=ou1)
     view_role1_perm = get_permission_model().objects.create(
         operation=get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(Role),
-        target_id=role1.pk)
+        target_id=role1.pk,
+    )
     other_role.permissions.add(get_view_user_perm())
     other_role.permissions.add(view_role1_perm)
     other_role.save()
@@ -986,53 +1019,55 @@ def test_manager_user_roles_visibility(app, simple_user, admin, ou1, ou2):
 
 
 def test_manager_user_authorizations(app, superuser, simple_user):
-    '''
+    """
     for 3 kind of users:
     * check if a button is provided on user detail page
     * access user service consents page
     * try to remove a service consent
-    '''
+    """
     from django_rbac.utils import get_role_model, get_operation, get_permission_model
     from django_rbac.models import VIEW_OP
     from authentic2.a2_rbac.models import MANAGE_AUTHORIZATIONS_OP
     from tests.conftest import create_user
+
     Role = get_role_model()
     user_detail_url = reverse('a2-manager-user-detail', kwargs={'pk': simple_user.id})
-    user_authorizations_url = reverse(
-        'a2-manager-user-authorizations', kwargs={'pk': simple_user.id})
+    user_authorizations_url = reverse('a2-manager-user-authorizations', kwargs={'pk': simple_user.id})
 
     resp = login(app, superuser)
     resp = app.get(user_detail_url, status=200)
     assert user_authorizations_url not in [
-        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')]
+        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')
+    ]
 
     # add a service consent to simple_user
     oidc_client = OIDCClient.objects.create(
-        name='client',
-        slug='client',
-        ou=simple_user.ou,
-        redirect_uris='https://example.com/')
+        name='client', slug='client', ou=simple_user.ou, redirect_uris='https://example.com/'
+    )
 
     resp = app.get(user_detail_url, status=200)
     assert user_authorizations_url in [
-        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')]
+        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')
+    ]
 
     auth = OIDCAuthorization.objects.create(
-        client=oidc_client, user=simple_user, scopes='openid',
-        expired='2020-01-01T12:01:01Z')
+        client=oidc_client, user=simple_user, scopes='openid', expired='2020-01-01T12:01:01Z'
+    )
     assert OIDCAuthorization.objects.count() == 1
 
     view_user_perm = get_permission_model().objects.create(
         operation=get_operation(VIEW_OP),
         target_ct=ContentType.objects.get_for_model(User),
-        target_id=simple_user.pk)
+        target_id=simple_user.pk,
+    )
     view_user_role = Role.objects.create(name='view_user', ou=simple_user.ou)
     view_user_role.permissions.add(view_user_perm)
 
     manage_auth_perm = get_permission_model().objects.create(
         operation=get_operation(MANAGE_AUTHORIZATIONS_OP),
         target_ct=ContentType.objects.get_for_model(User),
-        target_id=simple_user.pk)
+        target_id=simple_user.pk,
+    )
     manage_auth_role = Role.objects.create(name='manage_auth', ou=simple_user.ou)
     manage_auth_role.permissions.add(manage_auth_perm)
 
@@ -1056,7 +1091,8 @@ def test_manager_user_authorizations(app, superuser, simple_user):
     resp = login(app, user2)
     resp = app.get(user_detail_url, status=200)
     assert user_authorizations_url in [
-        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')]
+        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')
+    ]
     resp = resp.click('Consents')
     assert resp.html.find('h2').text == 'Consent Management'
     assert resp.html.find('td', {'class': 'remove-icon-column'}).a['class'] == ['disabled']
@@ -1070,7 +1106,8 @@ def test_manager_user_authorizations(app, superuser, simple_user):
     resp = login(app, user3)
     resp = app.get(user_detail_url, status=200)
     assert user_authorizations_url in [
-        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')]
+        x['href'] for x in resp.html.find('ul', {'class': 'extra-actions-menu'}).find_all('a')
+    ]
     resp = resp.click('Consents')
     resp = app.get(user_authorizations_url, status=200)
     assert resp.html.find('h2').text == 'Consent Management'
@@ -1081,40 +1118,53 @@ def test_manager_user_authorizations(app, superuser, simple_user):
     resp = app.post(user_authorizations_url, params=params, status=302)
     assert OIDCAuthorization.objects.count() == 0
     resp = resp.follow()
-    assert resp.html.find('td').text == \
-        'This user has not granted profile data access to any service yet.'
+    assert resp.html.find('td').text == 'This user has not granted profile data access to any service yet.'
 
 
 def test_manager_user_authorizations_breadcrumb(app, superuser, simple_user):
     resp = login(app, superuser)
-    user_authorizations_url = reverse(
-        'a2-manager-user-authorizations', kwargs={'pk': simple_user.id})
+    user_authorizations_url = reverse('a2-manager-user-authorizations', kwargs={'pk': simple_user.id})
     resp = app.get(user_authorizations_url, status=200)
     assert [x.text for x in resp.html.find('span', {'id': 'breadcrumb'}).find_all('a')] == [
-        'Homepage', 'Administration', 'Users', 'Default organizational unit',
-        'Jôhn Dôe', 'Consent Management']
-    user_authorizations_url = reverse(
-        'a2-manager-user-authorizations', kwargs={'pk': superuser.id})
+        'Homepage',
+        'Administration',
+        'Users',
+        'Default organizational unit',
+        'Jôhn Dôe',
+        'Consent Management',
+    ]
+    user_authorizations_url = reverse('a2-manager-user-authorizations', kwargs={'pk': superuser.id})
     resp = app.get(user_authorizations_url, status=200)
     assert [x.text for x in resp.html.find('span', {'id': 'breadcrumb'}).find_all('a')] == [
-        'Homepage', 'Administration', 'Users',
-        'super user', 'Consent Management']
+        'Homepage',
+        'Administration',
+        'Users',
+        'super user',
+        'Consent Management',
+    ]
 
 
 def test_manager_user_roles_breadcrumb(app, superuser, simple_user):
     resp = login(app, superuser)
-    user_roles_url = reverse(
-        'a2-manager-user-roles', kwargs={'pk': simple_user.id})
+    user_roles_url = reverse('a2-manager-user-roles', kwargs={'pk': simple_user.id})
     resp = app.get(user_roles_url, status=200)
     assert [x.text for x in resp.html.find('span', {'id': 'breadcrumb'}).find_all('a')] == [
-        'Homepage', 'Administration', 'Users', 'Default organizational unit',
-        'Jôhn Dôe', 'Roles']
-    user_roles_url = reverse(
-        'a2-manager-user-roles', kwargs={'pk': superuser.id})
+        'Homepage',
+        'Administration',
+        'Users',
+        'Default organizational unit',
+        'Jôhn Dôe',
+        'Roles',
+    ]
+    user_roles_url = reverse('a2-manager-user-roles', kwargs={'pk': superuser.id})
     resp = app.get(user_roles_url, status=200)
     assert [x.text for x in resp.html.find('span', {'id': 'breadcrumb'}).find_all('a')] == [
-        'Homepage', 'Administration', 'Users',
-        'super user', 'Roles']
+        'Homepage',
+        'Administration',
+        'Users',
+        'super user',
+        'Roles',
+    ]
 
 
 def test_manager_create_user_duplicates(admin, app, ou1, settings):
@@ -1176,5 +1226,7 @@ def test_delete_user(app, superuser, simple_user):
     assert User.objects.count() == 1
     assert (
         Event.objects.filter(user=superuser, type__name='manager.user.deletion')
-        .which_references(simple_user).count() == 1
+        .which_references(simple_user)
+        .count()
+        == 1
     )
diff --git a/tests/test_user_model.py b/tests/test_user_model.py
index 3d626cb4..a6f26808 100644
--- a/tests/test_user_model.py
+++ b/tests/test_user_model.py
@@ -69,8 +69,7 @@ def test_user_has_verified_attributes(db, settings):
     user = User(username='john.doe', email='john.doe2@example.net')
     user.save()
     assert user.has_verified_attributes() is False
-    attribute_value = AttributeValue.objects.create(
-        owner=user, attribute=attribute, content='0101010101')
+    attribute_value = AttributeValue.objects.create(owner=user, attribute=attribute, content='0101010101')
     attribute_value.save()
     assert user.has_verified_attributes() is False
     attribute_value.verified = True
@@ -79,8 +78,7 @@ def test_user_has_verified_attributes(db, settings):
 
 
 def test_sync_first_name(db, settings):
-    Attribute.objects.get_or_create(name='first_name', defaults={'label': 'First Name', 'kind':
-                                                                 'string'})
+    Attribute.objects.get_or_create(name='first_name', defaults={'label': 'First Name', 'kind': 'string'})
 
     user = User(username='john.doe', email='john.doe2@example.net')
     user.save()
@@ -256,7 +254,7 @@ def test_save_userexternalid_on_delete_user(db):
         {
             'source': 'ldap2',
             'external_id': '4567',
-        }
+        },
     ]
 
 
diff --git a/tests/test_utils.py b/tests/test_utils.py
index bdfde1b7..a7e5d68b 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -24,10 +24,16 @@ from django.utils.functional import lazy
 from django_rbac.utils import get_ou_model
 
 from authentic2.journal import Journal
-from authentic2.utils import (good_next_url, same_origin, select_next_url,
-                              user_can_change_password, login,
-                              get_authentication_events, authenticate,
-                              send_templated_mail)
+from authentic2.utils import (
+    good_next_url,
+    same_origin,
+    select_next_url,
+    user_can_change_password,
+    login,
+    get_authentication_events,
+    authenticate,
+    send_templated_mail,
+)
 from authentic2.utils.lazy import lazy_join
 
 
@@ -203,6 +209,7 @@ def test_lazy_join():
 
     def f():
         return a
+
     f = lazy(f, str)
 
     joined = lazy_join(',', ['a', f()])
diff --git a/tests/test_utils_evaluate.py b/tests/test_utils_evaluate.py
index 69a21795..4101dbb9 100644
--- a/tests/test_utils_evaluate.py
+++ b/tests/test_utils_evaluate.py
@@ -20,16 +20,20 @@ import ast
 import pytest
 
 from authentic2.utils.evaluate import (
-    BaseExpressionValidator, ConditionValidator, ExpressionError,
-    evaluate_condition, HTTPHeaders)
+    BaseExpressionValidator,
+    ConditionValidator,
+    ExpressionError,
+    evaluate_condition,
+    HTTPHeaders,
+)
 
 
 def test_base():
     v = BaseExpressionValidator()
 
-#    assert v('1')[0] is False
-#    assert v('\'a\'')[0] is False
-#    assert v('x')[0] is False
+    #    assert v('1')[0] is False
+    #    assert v('\'a\'')[0] is False
+    #    assert v('x')[0] is False
 
     v = BaseExpressionValidator(authorized_nodes=[ast.Num, ast.Str])
 
diff --git a/tests/test_validators.py b/tests/test_validators.py
index 077b60bc..2f978b2b 100644
--- a/tests/test_validators.py
+++ b/tests/test_validators.py
@@ -48,10 +48,22 @@ def test_digits_password_policy(settings):
     validate_password('12345678')
 
 
-@pytest.mark.parametrize('email', ['nok', '@nok.com', 'foo@bar\x00',
-                                   'foo&@bar', '|a@nok.com', 'a/../b@nok.com',
-                                   'a%b@nok.com', 'a!b@nok.com', 'a#b@nok.com',
-                                   'a&b@nok.com', 'a?b@nok.com'])
+@pytest.mark.parametrize(
+    'email',
+    [
+        'nok',
+        '@nok.com',
+        'foo@bar\x00',
+        'foo&@bar',
+        '|a@nok.com',
+        'a/../b@nok.com',
+        'a%b@nok.com',
+        'a!b@nok.com',
+        'a#b@nok.com',
+        'a&b@nok.com',
+        'a?b@nok.com',
+    ],
+)
 def test_email_validator_nok(email):
     with pytest.raises(ValidationError):
         EmailValidator()(email)
@@ -108,7 +120,7 @@ def test_email_validator_rcpt_check(settings, smtp):
         validator('ok@ok.com')
 
         smtp.rcpt.return_value = 100, None
-        smtp.connect.side_effect = smtplib.SMTPConnectError(1,2)
+        smtp.connect.side_effect = smtplib.SMTPConnectError(1, 2)
         validator('ok@ok.com')
 
     assert smtp.connect.call_count == 4
diff --git a/tests/test_views.py b/tests/test_views.py
index f60ca918..9b90e271 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -86,8 +86,10 @@ def test_account_delete_when_logged_out(app, simple_user, mailoutbox):
     link = get_link_from_mail(mailoutbox[0])
     logout(app)
     page = app.get(link)
-    assert 'You are about to delete the account of <strong>%s</strong>.' % escape(
-        simple_user.get_full_name()) in page.text
+    assert (
+        'You are about to delete the account of <strong>%s</strong>.' % escape(simple_user.get_full_name())
+        in page.text
+    )
     response = page.form.submit(name='delete')
     assert User.objects.filter(id=simple_user.id).count() == 0
     assert DeletedUser.objects.filter(old_user_id=simple_user.id).count() == 1
@@ -109,8 +111,10 @@ def test_account_delete_by_other_user(app, simple_user, user_ou1, mailoutbox):
     logout(app)
     login(app, user_ou1, path=reverse('account_management'))
     page = app.get(link)
-    assert 'You are about to delete the account of <strong>%s</strong>.' % escape(
-        simple_user.get_full_name()) in page.text
+    assert (
+        'You are about to delete the account of <strong>%s</strong>.' % escape(simple_user.get_full_name())
+        in page.text
+    )
     response = page.form.submit(name='delete')
     assert app.session['_auth_user_id'] == str(user_ou1.id)
     assert User.objects.filter(id=simple_user.id).count() == 0
@@ -124,8 +128,7 @@ def test_account_delete_by_other_user(app, simple_user, user_ou1, mailoutbox):
 
 def test_account_delete_fake_token(app, simple_user, mailoutbox):
     response = (
-        app.get(reverse('validate_deletion',
-                kwargs={'deletion_token': 'thisismostlikelynotavalidtoken'}))
+        app.get(reverse('validate_deletion', kwargs={'deletion_token': 'thisismostlikelynotavalidtoken'}))
         .follow()
         .follow()
     )
diff --git a/tests/utils.py b/tests/utils.py
index 4da3eb26..a48ae357 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -91,13 +91,13 @@ def get_response_form(response, form='form'):
 
 
 def assert_equals_url(url1, url2, **kwargs):
-    '''Check that url1 is equals to url2 augmented with parameters kwargs
-       in its query string.
+    """Check that url1 is equals to url2 augmented with parameters kwargs
+    in its query string.
 
-       The string '*' is a special value, when used it just check that the
-       given parameter exist in the first url, it does not check the exact
-       value.
-    '''
+    The string '*' is a special value, when used it just check that the
+    given parameter exist in the first url, it does not check the exact
+    value.
+    """
     url1 = iri_to_uri(utils.make_url(url1, params=None))
     splitted1 = urlparse.urlsplit(url1)
     url2 = iri_to_uri(utils.make_url(url2, params=kwargs))
@@ -119,8 +119,7 @@ def assert_equals_url(url1, url2, **kwargs):
 def assert_redirects_complex(response, expected_url, **kwargs):
     assert response.status_code == 302, 'code should be 302'
     scheme, netloc, path, query, fragment = urlparse.urlsplit(response.url)
-    e_scheme, e_netloc, e_path, e_query, e_fragment = \
-        urlparse.urlsplit(expected_url)
+    e_scheme, e_netloc, e_path, e_query, e_fragment = urlparse.urlsplit(expected_url)
     e_scheme = e_scheme if e_scheme else scheme
     e_netloc = e_netloc if e_netloc else netloc
     expected_url = urlparse.urlunsplit((e_scheme, e_netloc, e_path, e_query, e_fragment))
@@ -137,7 +136,11 @@ def assert_xpath_constraints(xml, constraints, namespaces):
         if isinstance(content, six.string_types):
             for node in nodes:
                 if hasattr(node, 'text'):
-                    assert node.text == content, 'xpath %s does not contain %s but %s' % (xpath, content, node.text)
+                    assert node.text == content, 'xpath %s does not contain %s but %s' % (
+                        xpath,
+                        content,
+                        node.text,
+                    )
                 else:
                     assert node == content, 'xpath %s does not contain %s but %s' % (xpath, content, node)
         else:
@@ -148,11 +151,14 @@ def assert_xpath_constraints(xml, constraints, namespaces):
                 assert values == content
             elif hasattr(content, 'pattern'):
                 for value in values:
-                    assert content.match(value), 'xpath %s does not match regexp %s' % (xpath, content.pattern)
+                    assert content.match(value), 'xpath %s does not match regexp %s' % (
+                        xpath,
+                        content.pattern,
+                    )
             else:
                 raise NotImplementedError(
-                    'comparing xpath result to type %s: %r is not implemented' % (
-                        type(content), content))
+                    'comparing xpath result to type %s: %r is not implemented' % (type(content), content)
+                )
 
 
 class Authentic2TestCase(TestCase):
@@ -170,9 +176,11 @@ class Authentic2TestCase(TestCase):
 def check_log(caplog, message, levelname=None):
     idx = len(caplog.records)
     yield
-    assert any(message in record.message for record in caplog.records[idx:]
-               if not levelname or record.levelname == levelname), \
-        '%r not found in log records' % message
+    assert any(
+        message in record.message
+        for record in caplog.records[idx:]
+        if not levelname or record.levelname == levelname
+    ), ('%r not found in log records' % message)
 
 
 def get_links_from_mail(mail):
@@ -210,7 +218,9 @@ def saml_sp_metadata(base_url):
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="{base_url}/mellon/artifactResponse" />
  </SPSSODescriptor>
-</EntityDescriptor>'''.format(base_url=base_url)
+</EntityDescriptor>'''.format(
+        base_url=base_url
+    )
 
 
 def find_free_tcp_port():
@@ -223,7 +233,9 @@ def find_free_tcp_port():
 def request_select2(app, response, term='', get_kwargs=None):
     select2_url = response.pyquery('select')[0].attrib['data-ajax--url']
     select2_field_id = response.pyquery('select')[0].attrib['data-field_id']
-    select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': term}, **(get_kwargs or {}))
+    select2_response = app.get(
+        select2_url, params={'field_id': select2_field_id, 'term': term}, **(get_kwargs or {})
+    )
     if select2_response['content-type'] == 'application/json':
         return select2_response.json
     else:
@@ -249,8 +261,8 @@ def call_command(*args, **kwargs):
 
 
 def text_content(node):
-    '''Extract text content from node and all its children. Equivalent to
-       xmlNodeGetContent from libxml.'''
+    """Extract text content from node and all its children. Equivalent to
+    xmlNodeGetContent from libxml."""
     return u''.join(node.itertext()) if node is not None else ''
 
 
@@ -275,8 +287,11 @@ def assert_event(event_type_name, user=None, session=None, service=None, **data)
         event = qs.get()
         assert event.data, 'no event.data, should be %s' % data
         for key, value in data.items():
-            assert event.data.get(key) == value, (
-                'event.data[%s] != data[%s] (%s != %s)' % (key, key, event.data.get(key), value)
+            assert event.data.get(key) == value, 'event.data[%s] != data[%s] (%s != %s)' % (
+                key,
+                key,
+                event.data.get(key),
+                value,
             )
 
 
diff --git a/tests_rbac/conftest.py b/tests_rbac/conftest.py
index 55f512aa..791c5edb 100644
--- a/tests_rbac/conftest.py
+++ b/tests_rbac/conftest.py
@@ -27,9 +27,7 @@ def pytest_addoption(parser):
 
 def pytest_configure(config):
     # register an additional marker
-    config.addinivalue_line(
-        "markers", "slow: mark test as slow"
-    )
+    config.addinivalue_line("markers", "slow: mark test as slow")
 
 
 def pytest_runtest_setup(item):
diff --git a/tests_rbac/test_rbac.py b/tests_rbac/test_rbac.py
index 1942d6dd..f954b3e7 100644
--- a/tests_rbac/test_rbac.py
+++ b/tests_rbac/test_rbac.py
@@ -39,9 +39,7 @@ def test_role_parenting(db):
     assert Role.objects.count() == 10
     assert RoleParenting.objects.count() == 0
     for i in range(1, 3):
-        RoleParenting.objects.create(
-            parent=roles[i - 1],
-            child=roles[i])
+        RoleParenting.objects.create(parent=roles[i - 1], child=roles[i])
     assert RoleParenting.objects.filter(direct=True).count() == 2
     assert RoleParenting.objects.filter(direct=False).count() == 1
     for i, role in enumerate(roles[:3]):
@@ -51,9 +49,7 @@ def test_role_parenting(db):
         assert role.parents(False).count() == i
 
     for i in range(4, 6):
-        RoleParenting.objects.create(
-            parent=roles[i - 1],
-            child=roles[i])
+        RoleParenting.objects.create(parent=roles[i - 1], child=roles[i])
     assert RoleParenting.objects.filter(direct=True).count() == 4
     assert RoleParenting.objects.filter(direct=False).count() == 2
     for i, role in enumerate(roles[3:6]):
@@ -71,8 +67,7 @@ def test_role_parenting(db):
         assert role.parents().count() == i + 1
         assert role.children(False).count() == 6 - i - 1
         assert role.parents(False).count() == i
-    RoleParenting.objects.filter(parent=roles[2], child=roles[3],
-                                 direct=True).delete()
+    RoleParenting.objects.filter(parent=roles[2], child=roles[3], direct=True).delete()
     assert RoleParenting.objects.filter(direct=True).count() == 4
     assert RoleParenting.objects.filter(direct=False).count() == 2
     # test that it works with cycles
@@ -82,6 +77,7 @@ def test_role_parenting(db):
         assert role.children().count() == 6
         assert role.parents().count() == 6
 
+
 SIZE = 1000
 SPAN = 50
 
@@ -98,22 +94,21 @@ def test_massive_role_parenting(db):
     # Try a depth=10 tree of roles
     for i in range(0, SIZE):
         name = 'role%s' % i
-        roles.append(
-            Role(pk=i + 1, name=name, slug=name))
+        roles.append(Role(pk=i + 1, name=name, slug=name))
     Role.objects.bulk_create(roles)
     relations = []
     for i in range(0, SIZE):
         if not i:
             continue
-        relations.append(
-            RoleParenting(parent=roles[i], child=roles[(i - 1) // SPAN]))
+        relations.append(RoleParenting(parent=roles[i], child=roles[(i - 1) // SPAN]))
     RoleParenting.objects.bulk_create(relations)
     RoleParenting.objects.update_transitive_closure()
     operation, created = models.Operation.objects.get_or_create(slug='admin')
     perm, created = Permission.objects.get_or_create(
         operation=operation,
         target_ct=ContentType.objects.get_for_model(ContentType),
-        target_id=ContentType.objects.get_for_model(User).id)
+        target_id=ContentType.objects.get_for_model(User).id,
+    )
     roles[0].members.add(user)
     Role.objects.get(pk=roles[-1].pk).permissions.add(perm)
     b = time.time()
@@ -123,8 +118,7 @@ def test_massive_role_parenting(db):
     assert float(t) / 1000 < 0.01
     b = time.time()
     for i in range(1000):
-        assert (list(Role.objects.for_user(user).order_by('pk')) ==
-                list(Role.objects.order_by('pk')))
+        assert list(Role.objects.for_user(user).order_by('pk')) == list(Role.objects.order_by('pk'))
     t = time.time() - b
     assert float(t) / 1000 < 0.1
     b = time.time()
@@ -145,77 +139,81 @@ def test_rbac_backend(db):
     delete_op = models.Operation.objects.get(slug='delete')
     add_op = models.Operation.objects.get(slug='add')
     admin_op = models.Operation.objects.get(slug='admin')
-    perm1 = Permission.objects.create(operation=change_op, target_ct=ct_ct,
-                                      target_id=role_ct.pk)
-    perm2 = Permission.objects.create(operation=view_op, target_ct=ct_ct,
-                                      target_id=role_ct.pk)
+    perm1 = Permission.objects.create(operation=change_op, target_ct=ct_ct, target_id=role_ct.pk)
+    perm2 = Permission.objects.create(operation=view_op, target_ct=ct_ct, target_id=role_ct.pk)
     role1 = Role.objects.create(name='role1')
     role2 = Role.objects.create(name='role2', ou=ou1)
     role1.permissions.add(perm1)
     role2.permissions.add(perm2)
     role1.add_child(role2)
     role2.members.add(user1)
-    perm3 = Permission.objects.create(
-        operation=delete_op,
-        target_ct=role_ct,
-        target_id=role1.pk)
-    perm4 = Permission.objects.create(
-        operation=add_op,
-        ou=ou1,
-        target_ct=ct_ct,
-        target_id=role_ct.pk)
+    perm3 = Permission.objects.create(operation=delete_op, target_ct=role_ct, target_id=role1.pk)
+    perm4 = Permission.objects.create(operation=add_op, ou=ou1, target_ct=ct_ct, target_id=role_ct.pk)
     role1.permissions.add(perm3)
     role1.permissions.add(perm4)
 
     rbac_backend = backends.DjangoRBACBackend()
     ctx = CaptureQueriesContext(connection)
     with ctx:
-        assert rbac_backend.get_all_permissions(user1) == set(['django_rbac.change_role',
-                                                               'django_rbac.search_role',
-                                                               'django_rbac.view_role'])
-        assert rbac_backend.get_all_permissions(user1, obj=role1) == set(['django_rbac.delete_role',
-                                                                          'django_rbac.change_role',
-                                                                          'django_rbac.search_role',
-                                                                          'django_rbac.view_role'])
-        assert rbac_backend.get_all_permissions(user1, obj=role2) == set(['django_rbac.change_role',
-                                                                          'django_rbac.view_role',
-                                                                          'django_rbac.search_role',
-                                                                          'django_rbac.add_role'])
+        assert rbac_backend.get_all_permissions(user1) == set(
+            ['django_rbac.change_role', 'django_rbac.search_role', 'django_rbac.view_role']
+        )
+        assert rbac_backend.get_all_permissions(user1, obj=role1) == set(
+            [
+                'django_rbac.delete_role',
+                'django_rbac.change_role',
+                'django_rbac.search_role',
+                'django_rbac.view_role',
+            ]
+        )
+        assert rbac_backend.get_all_permissions(user1, obj=role2) == set(
+            [
+                'django_rbac.change_role',
+                'django_rbac.view_role',
+                'django_rbac.search_role',
+                'django_rbac.add_role',
+            ]
+        )
         assert not rbac_backend.has_perm(user1, 'django_rbac.delete_role', obj=role2)
         assert rbac_backend.has_perm(user1, 'django_rbac.delete_role', obj=role1)
-        assert rbac_backend.has_perms(user1, ['django_rbac.delete_role', 'django_rbac.change_role',
-                                              'django_rbac.view_role'],
-                                      obj=role1)
+        assert rbac_backend.has_perms(
+            user1, ['django_rbac.delete_role', 'django_rbac.change_role', 'django_rbac.view_role'], obj=role1
+        )
         assert rbac_backend.has_module_perms(user1, 'django_rbac')
         assert not rbac_backend.has_module_perms(user1, 'contenttypes')
     assert len(ctx.captured_queries) == 1
-    assert (set(rbac_backend.filter_by_perm(user1, 'django_rbac.add_role', Role.objects.all())) ==
-            set([role2]))
-    assert (set(rbac_backend.filter_by_perm(user1, 'django_rbac.delete_role', Role.objects.all()))
-            == set([role1]))
-    assert set(rbac_backend.filter_by_perm(user1, ['django_rbac.delete_role',
-                                                   'django_rbac.add_role'],
-                                           Role.objects.all())) == set([role1, role2])
-    assert (set(rbac_backend.filter_by_perm(user1, 'django_rbac.view_role', Role.objects.all())) ==
-            set([role1, role2]))
-    assert (set(rbac_backend.filter_by_perm(user1, 'django_rbac.change_role', Role.objects.all()))
-            == set([role1, role2]))
+    assert set(rbac_backend.filter_by_perm(user1, 'django_rbac.add_role', Role.objects.all())) == set([role2])
+    assert set(rbac_backend.filter_by_perm(user1, 'django_rbac.delete_role', Role.objects.all())) == set(
+        [role1]
+    )
+    assert set(
+        rbac_backend.filter_by_perm(
+            user1, ['django_rbac.delete_role', 'django_rbac.add_role'], Role.objects.all()
+        )
+    ) == set([role1, role2])
+    assert set(rbac_backend.filter_by_perm(user1, 'django_rbac.view_role', Role.objects.all())) == set(
+        [role1, role2]
+    )
+    assert set(rbac_backend.filter_by_perm(user1, 'django_rbac.change_role', Role.objects.all())) == set(
+        [role1, role2]
+    )
 
     # Test admin op as a generalization of other ops
     user2 = User.objects.create(username='donald.knuth')
     role3 = Role.objects.create(name='role3')
     role3.members.add(user2)
-    perm5 = Permission.objects.create(
-        operation=admin_op,
-        target_ct=ct_ct,
-        target_id=role_ct.pk)
+    perm5 = Permission.objects.create(operation=admin_op, target_ct=ct_ct, target_id=role_ct.pk)
     role3.permissions.add(perm5)
-    assert rbac_backend.get_all_permissions(user2) == set(['django_rbac.add_role',
-                                                           'django_rbac.change_role',
-                                                           'django_rbac.search_role',
-                                                           'django_rbac.admin_role',
-                                                           'django_rbac.view_role',
-                                                           'django_rbac.delete_role'])
+    assert rbac_backend.get_all_permissions(user2) == set(
+        [
+            'django_rbac.add_role',
+            'django_rbac.change_role',
+            'django_rbac.search_role',
+            'django_rbac.admin_role',
+            'django_rbac.view_role',
+            'django_rbac.delete_role',
+        ]
+    )
 
     # test ous_with_perm
     assert set(rbac_backend.ous_with_perm(user1, 'django_rbac.add_role')) == set([ou1])
-- 
2.20.1