From 92214d932d74a24e793d295a4d7b6490ca0ac3ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?= <eloi@yaal.coop>
Date: Sat, 7 Dec 2024 16:34:12 +0100
Subject: [PATCH] wip

---
 canaille/app/themes.py             |    8 +-
 canaille/scim/endpoints.py         |  372 +--
 canaille/scim/models.py            |  291 ++
 doc/development/specifications.rst |   51 +-
 doc/locales/doc.pot                | 4269 +++++++++++++++-------------
 doc/tutorial/index.rst             |    1 +
 doc/tutorial/provisioning.rst      |   19 +
 tests/scim/conftest.py             |    1 +
 tests/scim/test_authentication.py  |   45 -
 tests/scim/test_errors.py          |   76 +
 tests/scim/test_scim_tester.py     |   14 +-
 uv.lock                            |   55 +-
 12 files changed, 2846 insertions(+), 2356 deletions(-)
 create mode 100644 canaille/scim/models.py
 create mode 100644 doc/tutorial/provisioning.rst
 delete mode 100644 tests/scim/test_authentication.py
 create mode 100644 tests/scim/test_errors.py

diff --git a/canaille/app/themes.py b/canaille/app/themes.py
index 728df038..2230e8ff 100644
--- a/canaille/app/themes.py
+++ b/canaille/app/themes.py
@@ -40,10 +40,14 @@ if flask_themer:
 
         @app.errorhandler(404)
         def page_not_found(error):
+            # There is currently no way to make 404 handling generic
+            # https://flask.palletsprojects.com/en/stable/errorhandling/#handling
+            #     However, the blueprint cannot handle 404 routing errors because the
+            #     404 occurs at the routing level before the blueprint can be determined.
             if flask.request.path.startswith("/scim/"):
-                from canaille.scim.endpoints import scim_error_handler
+                from canaille.scim.endpoints import http_error_handler
 
-                return scim_error_handler(error)
+                return http_error_handler(error)
             return render_template("error.html", description=error, error_code=404), 404
 
         @app.errorhandler(500)
diff --git a/canaille/scim/endpoints.py b/canaille/scim/endpoints.py
index 37f56151..606a0886 100644
--- a/canaille/scim/endpoints.py
+++ b/canaille/scim/endpoints.py
@@ -1,56 +1,46 @@
+import json
 from http import HTTPStatus
 
 from authlib.integrations.flask_oauth2 import ResourceProtector
+from authlib.integrations.flask_oauth2.errors import (
+    _HTTPException as AuthlibHTTPException,
+)
 from authlib.oauth2.rfc6750 import BearerTokenValidator
 from flask import Blueprint
 from flask import Response
 from flask import abort
 from flask import request
-from flask import url_for
-from scim2_models import Address
-from scim2_models import AuthenticationScheme
-from scim2_models import Bulk
-from scim2_models import ChangePassword
+from pydantic import ValidationError
 from scim2_models import Context
-from scim2_models import Email
 from scim2_models import EnterpriseUser
 from scim2_models import Error
-from scim2_models import ETag
-from scim2_models import Filter
-from scim2_models import Group
-from scim2_models import GroupMember
-from scim2_models import GroupMembership
 from scim2_models import ListResponse
-from scim2_models import Meta
-from scim2_models import Name
-from scim2_models import Patch
-from scim2_models import PhoneNumber
-from scim2_models import Photo
-from scim2_models import Required
-from scim2_models import Resource
 from scim2_models import ResourceType
 from scim2_models import Schema
 from scim2_models import SearchRequest
-from scim2_models import ServiceProviderConfig
-from scim2_models import Sort
-from scim2_models import User
 from werkzeug.exceptions import HTTPException
 
 from canaille import csrf
 from canaille.app import models
 from canaille.backends import Backend
 
-bp = Blueprint("scim", __name__, url_prefix="/scim")
+from .models import Group
+from .models import User
+from .models import get_resource_types
+from .models import get_schemas
+from .models import get_service_provider_config
+from .models import group_from_canaille_to_scim
+from .models import group_from_scim_to_canaille
+from .models import user_from_canaille_to_scim
+from .models import user_from_scim_to_canaille
 
-# At the difference of the SCIM Group, Canaille Group must have a display_name
-group_schema = Group.to_schema()
-group_schema.attributes[0].required = Required.true
-Group = Resource.from_schema(group_schema)
+bp = Blueprint("scim", __name__, url_prefix="/scim/v2")
 
 
 class SCIMBearerTokenValidator(BearerTokenValidator):
     def authenticate_token(self, token_string: str):
         token = Backend.instance.get(models.Token, access_token=token_string)
+        # At the moment, only client tokens are allowed, and not user tokens
         return token if token and not token.subject else None
 
 
@@ -65,8 +55,33 @@ def add_scim_content_type(response):
 
 
 @bp.errorhandler(HTTPException)
+def http_error_handler(error):
+    obj = Error(detail=str(error), status=error.code)
+    return obj.model_dump(), obj.status
+
+
+@bp.errorhandler(AuthlibHTTPException)
+def oauth2_error(error):
+    body = json.loads(error.body)
+    obj = Error(
+        detail=f"{body['error']}: {body['error_description']}"
+        if "error_description" in body
+        else body["error"],
+        status=error.code,
+    )
+    return obj.model_dump(), error.code
+
+
+@bp.errorhandler(ValidationError)
 def scim_error_handler(error):
-    return Error(detail=str(error), status=error.code).model_dump(), error.code
+    error_details = error.errors()[0]
+    obj = Error(status=400, detail=error_details["msg"])
+    # TODO: maybe the Pydantic <=> SCIM error code mapping could go in scim2_models
+    obj.scim_type = (
+        "invalidValue" if error_details["type"] == "required_error" else None
+    )
+
+    return obj.model_dump(), obj.status
 
 
 def parse_search_request(request) -> SearchRequest:
@@ -86,234 +101,18 @@ def parse_search_request(request) -> SearchRequest:
     return req
 
 
-def get_resource_types():
-    """The resource types implemented by Canaille."""
-
-    return {
-        "User": ResourceType(
-            id="User",
-            name="User",
-            endpoint=url_for("scim.query_users", _external=True),
-            description="User accounts",
-            schema_="urn:ietf:params:scim:schemas:core:2.0:User",
-            meta=Meta(
-                resource_type="ResourceType",
-                location=url_for(
-                    "scim.query_resource_type",
-                    resource_type_name="User",
-                    _external=True,
-                ),
-            ),
-        ),
-        "Group": ResourceType(
-            id="Group",
-            name="Group",
-            endpoint=url_for("scim.query_groups", _external=True),
-            description="Group management",
-            schema_="urn:ietf:params:scim:schemas:core:2.0:Group",
-            meta=Meta(
-                resource_type="ResourceType",
-                location=url_for(
-                    "scim.query_resource_type",
-                    resource_type_name="Group",
-                    _external=True,
-                ),
-            ),
-        ),
-    }
-
-
-def get_schemas():
-    schemas = {
-        "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig": ServiceProviderConfig.to_schema(),
-        "urn:ietf:params:scim:schemas:core:2.0:ResourceType": ResourceType.to_schema(),
-        "urn:ietf:params:scim:schemas:core:2.0:Schema": Schema.to_schema(),
-        "urn:ietf:params:scim:schemas:core:2.0:User": User.to_schema(),
-        "urn:ietf:params:scim:schemas:core:2.0:Group": Group.to_schema(),
-        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": EnterpriseUser.to_schema(),
-    }
-    for schema_id, schema in schemas.items():
-        schema.meta = Meta(
-            resource_type="Schema",
-            location=url_for("scim.query_schema", schema_id=schema_id, _external=True),
-        )
-    return schemas
-
-
-def user_from_canaille_to_scim(user):
-    scim_user = User[EnterpriseUser](
-        meta=Meta(
-            resource_type="User",
-            created=user.created,
-            last_modified=user.last_modified,
-            location=url_for("scim.query_user", user=user, _external=True),
-        ),
-        id=user.id,
-        user_name=user.user_name,
-        # password=user.password,
-        preferred_language=user.preferred_language,
-        name=Name(
-            formatted=user.formatted_name,
-            family_name=user.family_name,
-            given_name=user.given_name,
-        )
-        if (user.formatted_name or user.family_name or user.given_name)
-        else None,
-        display_name=user.display_name,
-        title=user.title,
-        profile_url=user.profile_url,
-        emails=[
-            Email(
-                value=email,
-                primary=email == user.emails[0],
-            )
-            for email in user.emails or []
-        ]
-        or None,
-        phone_numbers=[
-            PhoneNumber(
-                value=phone_number, primary=phone_number == user.phone_numbers[0]
-            )
-            for phone_number in user.phone_numbers or []
-        ]
-        or None,
-        addresses=[
-            Address(
-                formatted=user.formatted_address,
-                street_address=user.street,
-                postal_code=user.postal_code,
-                locality=user.locality,
-                region=user.region,
-                primary=True,
-            )
-        ]
-        if (
-            user.formatted_address
-            or user.street
-            or user.postal_code
-            or user.locality
-            or user.region
-        )
-        else None,
-        photos=[
-            Photo(
-                value=url_for(
-                    "core.account.photo", user=user, field="photo", _external=True
-                ),
-                primary=True,
-                type=Photo.Type.photo,
-            )
-        ]
-        if user.photo
-        else None,
-        groups=[
-            GroupMembership(
-                value=group.id,
-                display=group.display_name,
-                ref=url_for("scim.query_group", group=group, _external=True),
-            )
-            for group in user.groups or []
-        ]
-        or None,
-    )
-    scim_user[EnterpriseUser] = EnterpriseUser(
-        employee_number=user.employee_number,
-        organization=user.organization,
-        department=user.department,
-    )
-    return scim_user
-
-
-def user_from_scim_to_canaille(scim_user: User, user):
-    user.user_name = scim_user.user_name
-    user.password = scim_user.password
-    user.preferred_language = scim_user.preferred_language
-    user.formatted_name = scim_user.name.formatted if scim_user.name else None
-    user.family_name = scim_user.name.family_name if scim_user.name else None
-    user.given_name = scim_user.name.given_name if scim_user.name else None
-    user.display_name = scim_user.display_name
-    user.title = scim_user.title
-    user.profile_url = scim_user.profile_url
-    user.emails = [email.value for email in scim_user.emails or []] or None
-    user.phone_numbers = [
-        phone_number.value for phone_number in scim_user.phone_numbers or []
-    ] or None
-    user.formatted_address = (
-        scim_user.addresses[0].formatted if scim_user.addresses else None
-    )
-    user.street = scim_user.addresses[0].street_address if scim_user.addresses else None
-    user.postal_code = (
-        scim_user.addresses[0].postal_code if scim_user.addresses else None
-    )
-    user.locality = scim_user.addresses[0].locality if scim_user.addresses else None
-    user.region = scim_user.addresses[0].region if scim_user.addresses else None
-    # TODO: delete the photo
-    # if scim_user.photos and scim_user.photos[0].value:
-    #    user.photo = scim_user.photos[0].value
-    user.employee_number = (
-        scim_user[EnterpriseUser].employee_number if scim_user[EnterpriseUser] else None
-    )
-    user.organization = (
-        scim_user[EnterpriseUser].organization if scim_user[EnterpriseUser] else None
-    )
-    user.department = (
-        scim_user[EnterpriseUser].department if scim_user[EnterpriseUser] else None
-    )
-    user.groups = [
-        Backend.instance.get(models.Group, group.value)
-        for group in scim_user.groups or []
-        if group.value
-    ]
-    return user
-
-
-def group_from_canaille_to_scim(group):
-    return Group(
-        id=group.id,
-        meta=Meta(
-            resource_type="Group",
-            created=group.created,
-            last_modified=group.last_modified,
-            location=url_for("scim.query_group", group=group, _external=True),
-        ),
-        display_name=group.display_name,
-        members=[
-            GroupMember(
-                value=user.id,
-                type="User",
-                display=user.display_name,
-                ref=url_for("scim.query_user", user=user, _external=True),
-            )
-            for user in group.members or []
-        ]
-        or None,
-    )
-
-
-def group_from_scim_to_canaille(scim_group: Group, group):
-    group.display_name = scim_group.display_name
-
-    members = []
-    for member in scim_group.members or []:
-        Backend.instance.get(models.User, member.value)
-    group.members = members
-
-    return group
-
-
 @bp.route("/Users", methods=["GET"])
 @csrf.exempt
 @require_oauth()
 def query_users():
     req = parse_search_request(request)
-    start_index_1 = req.start_index or 1
-    start_index_0 = (start_index_1 - 1) or None
-    stop_index_0 = (start_index_1 + req.count - 1) if req.count else None
-    users = list(Backend.instance.query(models.User)[start_index_0:stop_index_0])
+    users = list(
+        Backend.instance.query(models.User)[req.start_index_0 : req.stop_index_0]
+    )
     total = len(users)
     scim_users = [user_from_canaille_to_scim(user) for user in users]
     list_response = ListResponse[User[EnterpriseUser]](
-        start_index=start_index_1,
+        start_index=req.start_index,
         items_per_page=req.count,
         total_results=total,
         resources=scim_users,
@@ -339,14 +138,13 @@ def query_user(user):
 @require_oauth()
 def query_groups():
     req = parse_search_request(request)
-    start_index_1 = req.start_index or 1
-    start_index_0 = (start_index_1 - 1) or None
-    stop_index_0 = (start_index_1 + req.count - 1) if req.count else None
-    groups = list(Backend.instance.query(models.group)[start_index_0:stop_index_0])
+    groups = list(
+        Backend.instance.query(models.group)[req.start_index_0 : req.stop_index_0]
+    )
     total = len(groups)
     scim_groups = [group_from_canaille_to_scim(group) for group in groups]
     list_response = ListResponse[Group](
-        start_index=start_index_1,
+        start_index=req.start_index,
         items_per_page=req.count,
         total_results=total,
         resources=scim_groups,
@@ -372,14 +170,11 @@ def query_group(group):
 @require_oauth()
 def query_schemas():
     req = parse_search_request(request)
-    start_index_1 = req.start_index or 1
-    start_index_0 = (start_index_1 - 1) or None
-    stop_index_0 = (start_index_1 + req.count - 1) if req.count else None
-    schemas = list(get_schemas().values())[start_index_0:stop_index_0]
+    schemas = list(get_schemas().values())[req.start_index_0 : req.stop_index_0]
     response = ListResponse[Schema](
         total_results=len(schemas),
         items_per_page=req.count or len(schemas),
-        start_index=start_index_1,
+        start_index=req.start_index,
         resources=schemas,
     )
     return response.model_dump(scim_ctx=Context.RESOURCE_QUERY_RESPONSE)
@@ -401,14 +196,13 @@ def query_schema(schema_id):
 @require_oauth()
 def query_resource_types():
     req = parse_search_request(request)
-    start_index_1 = req.start_index or 1
-    start_index_0 = (start_index_1 - 1) or None
-    stop_index_0 = (start_index_1 + req.count - 1) if req.count else None
-    resource_types = list(get_resource_types().values())[start_index_0:stop_index_0]
+    resource_types = list(get_resource_types().values())[
+        req.start_index_0 : req.stop_index_0
+    ]
     response = ListResponse[ResourceType](
         total_results=len(resource_types),
         items_per_page=req.count or len(resource_types),
-        start_index=start_index_1,
+        start_index=req.start_index,
         resources=resource_types,
     )
     return response.model_dump(scim_ctx=Context.RESOURCE_QUERY_RESPONSE)
@@ -429,29 +223,7 @@ def query_resource_type(resource_type_name):
 @csrf.exempt
 @require_oauth()
 def query_service_provider_config():
-    spc = ServiceProviderConfig(
-        meta=Meta(
-            resource_type="ServiceProviderConfig",
-            location=url_for("scim.query_service_provider_config", _external=True),
-        ),
-        documentation_uri="https://canaille.readthedocs.io",
-        patch=Patch(supported=False),
-        bulk=Bulk(supported=False, max_operations=0, max_payload_size=0),
-        change_password=ChangePassword(supported=True),
-        filter=Filter(supported=False, max_results=0),
-        sort=Sort(supported=False),
-        etag=ETag(supported=False),
-        authentication_schemes=[
-            AuthenticationScheme(
-                name="OAuth Bearer Token",
-                description="Authentication scheme using the OAuth Bearer Token Standard",
-                spec_uri="http://www.rfc-editor.org/info/rfc6750",
-                documentation_uri="https://canaille.readthedocs.io",
-                type="oauthbearertoken",
-                primary=True,
-            ),
-        ],
-    )
+    spc = get_service_provider_config()
     return spc.model_dump(scim_ctx=Context.RESOURCE_QUERY_RESPONSE)
 
 
@@ -489,13 +261,18 @@ def create_group():
 @csrf.exempt
 @require_oauth()
 def replace_user(user):
-    request_user = User[EnterpriseUser].model_validate(
-        request.json, scim_ctx=Context.RESOURCE_REPLACEMENT_REQUEST
+    original_scim_user = user_from_canaille_to_scim(user)
+    request_scim_user = User[EnterpriseUser].model_validate(
+        request.json,
+        scim_ctx=Context.RESOURCE_REPLACEMENT_REQUEST,
+        original=original_scim_user,
+    )
+    updated_user = user_from_scim_to_canaille(request_scim_user, user)
+    Backend.instance.save(updated_user)
+    response_scim_user = user_from_canaille_to_scim(updated_user)
+    payload = response_scim_user.model_dump(
+        scim_ctx=Context.RESOURCE_REPLACEMENT_RESPONSE
     )
-    user = user_from_scim_to_canaille(request_user, user)
-    Backend.instance.save(user)
-    response_user = user_from_canaille_to_scim(user)
-    payload = response_user.model_dump(scim_ctx=Context.RESOURCE_REPLACEMENT_RESPONSE)
     return payload
 
 
@@ -503,12 +280,15 @@ def replace_user(user):
 @csrf.exempt
 @require_oauth()
 def replace_group(group):
-    request_group = Group.model_validate(
-        request.json, scim_ctx=Context.RESOURCE_REPLACEMENT_REQUEST
+    original_scim_group = group_from_canaille_to_scim(group)
+    request_scim_group = Group.model_validate(
+        request.json,
+        scim_ctx=Context.RESOURCE_REPLACEMENT_REQUEST,
+        original=original_scim_group,
     )
-    group = group_from_scim_to_canaille(request_group, group)
-    Backend.instance.save(group)
-    response_group = group_from_canaille_to_scim(group)
+    updated_group = group_from_scim_to_canaille(request_scim_group, group)
+    Backend.instance.save(updated_group)
+    response_group = group_from_canaille_to_scim(updated_group)
     payload = response_group.model_dump(scim_ctx=Context.RESOURCE_REPLACEMENT_RESPONSE)
     return payload
 
diff --git a/canaille/scim/models.py b/canaille/scim/models.py
new file mode 100644
index 00000000..ce446215
--- /dev/null
+++ b/canaille/scim/models.py
@@ -0,0 +1,291 @@
+from flask import url_for
+from scim2_models import AuthenticationScheme
+from scim2_models import Bulk
+from scim2_models import ChangePassword
+from scim2_models import EnterpriseUser
+from scim2_models import ETag
+from scim2_models import Filter
+from scim2_models import Group
+from scim2_models import Meta
+from scim2_models import Mutability
+from scim2_models import Patch
+from scim2_models import Required
+from scim2_models import Resource
+from scim2_models import ResourceType
+from scim2_models import Schema
+from scim2_models import SchemaExtension
+from scim2_models import ServiceProviderConfig
+from scim2_models import Sort
+from scim2_models import User
+
+from canaille.app import models
+from canaille.backends import Backend
+
+# At the difference of SCIM User, Canaille User need a 'family_name'
+# (because the LDAP 'sn' is mandatory) and the 'user_name'
+# attribute is immutable (because it is part of the LDAP DN).
+user_schema = User.to_schema()
+user_schema["name"].required = Required.true
+user_schema["name"]["familyName"].required = Required.true
+user_schema["userName"].mutability = Mutability.immutable
+User = Resource.from_schema(user_schema)
+
+# At the difference of the SCIM Group, Canaille Group must have a display_name.
+# and 'members' cannot be null.
+group_schema = Group.to_schema()
+group_schema["displayName"].required = Required.true
+group_schema["displayName"].mutability = Mutability.immutable
+group_schema["members"].required = Required.true
+group_schema["members"]["value"].required = Required.true
+group_schema["members"]["$ref"].required = Required.true
+Group = Resource.from_schema(group_schema)
+
+
+def get_service_provider_config():
+    return ServiceProviderConfig(
+        meta=Meta(
+            resource_type="ServiceProviderConfig",
+            location=url_for("scim.query_service_provider_config", _external=True),
+        ),
+        documentation_uri="https://canaille.readthedocs.io",
+        patch=Patch(supported=False),
+        bulk=Bulk(supported=False, max_operations=0, max_payload_size=0),
+        change_password=ChangePassword(supported=True),
+        filter=Filter(supported=False, max_results=0),
+        sort=Sort(supported=False),
+        etag=ETag(supported=False),
+        authentication_schemes=[
+            AuthenticationScheme(
+                name="OAuth Bearer Token",
+                description="Authentication scheme using the OAuth Bearer Token Standard",
+                spec_uri="http://www.rfc-editor.org/info/rfc6750",
+                documentation_uri="https://canaille.readthedocs.io",
+                type="oauthbearertoken",
+                primary=True,
+            ),
+        ],
+    )
+
+
+def get_resource_types():
+    """The resource types implemented by Canaille."""
+
+    return {
+        "User": ResourceType(
+            id="User",
+            name="User",
+            endpoint=url_for("scim.query_users", _external=True),
+            description="User accounts",
+            schema_="urn:ietf:params:scim:schemas:core:2.0:User",
+            schema_extensions=[
+                SchemaExtension(
+                    schema_="urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+                    required=True,
+                )
+            ],
+            meta=Meta(
+                resource_type="ResourceType",
+                location=url_for(
+                    "scim.query_resource_type",
+                    resource_type_name="User",
+                    _external=True,
+                ),
+            ),
+        ),
+        "Group": ResourceType(
+            id="Group",
+            name="Group",
+            endpoint=url_for("scim.query_groups", _external=True),
+            description="Group management",
+            schema_="urn:ietf:params:scim:schemas:core:2.0:Group",
+            meta=Meta(
+                resource_type="ResourceType",
+                location=url_for(
+                    "scim.query_resource_type",
+                    resource_type_name="Group",
+                    _external=True,
+                ),
+            ),
+        ),
+    }
+
+
+def get_schemas():
+    schemas = {
+        "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig": ServiceProviderConfig.to_schema(),
+        "urn:ietf:params:scim:schemas:core:2.0:ResourceType": ResourceType.to_schema(),
+        "urn:ietf:params:scim:schemas:core:2.0:Schema": Schema.to_schema(),
+        "urn:ietf:params:scim:schemas:core:2.0:User": User.to_schema(),
+        "urn:ietf:params:scim:schemas:core:2.0:Group": Group.to_schema(),
+        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": EnterpriseUser.to_schema(),
+    }
+    for schema_id, schema in schemas.items():
+        schema.meta = Meta(
+            resource_type="Schema",
+            location=url_for("scim.query_schema", schema_id=schema_id, _external=True),
+        )
+    return schemas
+
+
+def user_from_canaille_to_scim(user):
+    scim_user = User[EnterpriseUser](
+        meta=Meta(
+            resource_type="User",
+            created=user.created,
+            last_modified=user.last_modified,
+            location=url_for("scim.query_user", user=user, _external=True),
+        ),
+        id=user.id,
+        user_name=user.user_name,
+        # password=user.password,
+        preferred_language=user.preferred_language,
+        name=User.Name(
+            formatted=user.formatted_name,
+            family_name=user.family_name,
+            given_name=user.given_name,
+        )
+        if (user.formatted_name or user.family_name or user.given_name)
+        else None,
+        display_name=user.display_name,
+        title=user.title,
+        profile_url=user.profile_url,
+        emails=[
+            User.Emails(
+                value=email,
+                primary=email == user.emails[0],
+            )
+            for email in user.emails or []
+        ]
+        or None,
+        phone_numbers=[
+            User.PhoneNumbers(
+                value=phone_number, primary=phone_number == user.phone_numbers[0]
+            )
+            for phone_number in user.phone_numbers or []
+        ]
+        or None,
+        addresses=[
+            User.Addresses(
+                formatted=user.formatted_address,
+                street_address=user.street,
+                postal_code=user.postal_code,
+                locality=user.locality,
+                region=user.region,
+                primary=True,
+            )
+        ]
+        if (
+            user.formatted_address
+            or user.street
+            or user.postal_code
+            or user.locality
+            or user.region
+        )
+        else None,
+        photos=[
+            User.Photos(
+                value=url_for(
+                    "core.account.photo", user=user, field="photo", _external=True
+                ),
+                primary=True,
+                type=User.Photos.Type.photo,
+            )
+        ]
+        if user.photo
+        else None,
+        groups=[
+            User.Groups(
+                value=group.id,
+                display=group.display_name,
+                ref=url_for("scim.query_group", group=group, _external=True),
+            )
+            for group in user.groups or []
+        ]
+        or None,
+    )
+    scim_user[EnterpriseUser] = EnterpriseUser(
+        employee_number=user.employee_number,
+        organization=user.organization,
+        department=user.department,
+    )
+    return scim_user
+
+
+def user_from_scim_to_canaille(scim_user: User, user):
+    user.user_name = scim_user.user_name
+    user.password = scim_user.password
+    user.preferred_language = scim_user.preferred_language
+    user.formatted_name = scim_user.name.formatted if scim_user.name else None
+    user.family_name = scim_user.name.family_name if scim_user.name else None
+    user.given_name = scim_user.name.given_name if scim_user.name else None
+    user.display_name = scim_user.display_name
+    user.title = scim_user.title
+    user.profile_url = scim_user.profile_url
+    user.emails = [email.value for email in scim_user.emails or []] or None
+    user.phone_numbers = [
+        phone_number.value for phone_number in scim_user.phone_numbers or []
+    ] or None
+    user.formatted_address = (
+        scim_user.addresses[0].formatted if scim_user.addresses else None
+    )
+    user.street = scim_user.addresses[0].street_address if scim_user.addresses else None
+    user.postal_code = (
+        scim_user.addresses[0].postal_code if scim_user.addresses else None
+    )
+    user.locality = scim_user.addresses[0].locality if scim_user.addresses else None
+    user.region = scim_user.addresses[0].region if scim_user.addresses else None
+    # TODO: delete the photo
+    # if scim_user.photos and scim_user.photos[0].value:
+    #    user.photo = scim_user.photos[0].value
+    user.employee_number = (
+        scim_user[EnterpriseUser].employee_number if scim_user[EnterpriseUser] else None
+    )
+    user.organization = (
+        scim_user[EnterpriseUser].organization if scim_user[EnterpriseUser] else None
+    )
+    user.department = (
+        scim_user[EnterpriseUser].department if scim_user[EnterpriseUser] else None
+    )
+    user.groups = [
+        Backend.instance.get(models.Group, group.value)
+        for group in scim_user.groups or []
+        if group.value
+    ]
+    return user
+
+
+def group_from_canaille_to_scim(group):
+    return Group(
+        id=group.id,
+        meta=Meta(
+            resource_type="Group",
+            created=group.created,
+            last_modified=group.last_modified,
+            location=url_for("scim.query_group", group=group, _external=True),
+        ),
+        display_name=group.display_name,
+        members=[
+            Group.Members(
+                value=user.id,
+                type="User",
+                display=user.display_name,
+                ref=url_for("scim.query_user", user=user, _external=True),
+            )
+            for user in group.members or []
+        ]
+        or None,
+    )
+
+
+def group_from_scim_to_canaille(scim_group: Group, group):
+    group.display_name = scim_group.display_name
+
+    members = []
+    for member in scim_group.members or []:
+        # extract the user identifier from scim/v2/Users/<identifier>
+        identifier = member.ref.split("/")[-1]
+        members.append(Backend.instance.get(models.User, identifier))
+
+    group.members = members
+
+    return group
diff --git a/doc/development/specifications.rst b/doc/development/specifications.rst
index 35f0299e..ea7e9a73 100644
--- a/doc/development/specifications.rst
+++ b/doc/development/specifications.rst
@@ -48,9 +48,52 @@ OpenID Connect
 SCIM
 ----
 
-- ❌ `RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements <https://www.rfc-editor.org/rfc/rfc7642>`_
-- ❌ `RFC7643: System for Cross-domain Identity Management: Core Schema <https://www.rfc-editor.org/rfc/rfc7642>`_
-- ❌ `RFC7644: System for Cross-domain Identity Management: Protocol <https://www.rfc-editor.org/rfc/rfc7642>`_
+Canaille provides a basic SCIM server implementation.
+
+- 🟠 `RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements <https://www.rfc-editor.org/rfc/rfc7642>`_
+- 🟠 `RFC7643: System for Cross-domain Identity Management: Core Schema <https://www.rfc-editor.org/rfc/rfc7642>`_
+- 🟠 `RFC7644: System for Cross-domain Identity Management: Protocol <https://www.rfc-editor.org/rfc/rfc7642>`_
+
+Client-side implementation (i.e. broadcasting changes on users and groups among clients) and advanced features will be implemented in the future.
+
+What's implemented
+~~~~~~~~~~~~~~~~~~
+
+Endpoints:
+
+- /Users (GET, POST)
+- /Users/<user_id> (GET, PUT, DELETE)
+- /Groups (GET, POST)
+- /Groups/<user_id> (GET, PUT, DELETE)
+- /ServiceProviderConfig (GET)
+- /Schemas (GET)
+- /Schemas/<schema_id> (GET)
+- /ResourceTypes (GET)
+- /ResourceTypes/<resource_type_id> (GET)
+
+Features:
+
+- :rfc:`pagination <7644#section-3.4.2.4>`
+
+.. _scim_unimplemented:
+
+What is not implemented yet
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Endpoints:
+
+- /Users (PATCH)
+- /Groups (PATCH)
+- :rfc:`/Me <7644#section-3.11>` (GET, POST, PUT, PATCH, DELETE)
+- :rfc:`/Bulk <7644#section-3.11>` (POST)
+- :rfc:`/.search <7644#section-3.4.3>` (POST)
+
+Features
+
+- :rfc:`filtering <7644#section-3.4.2.2>`
+- :rfc:`sorting <7644#section-3.4.2.3>`
+- :rfc:`attributes selection <7644#section-3.4.2.5>`
+- :rfc:`ETags <7644#section-3.14>`
 
 Comparison with other providers
 ===============================
@@ -64,7 +107,7 @@ Canaille voluntarily only implements the OpenID Connect protocol to keep its cod
 |               +-------+-----------+------+------+------+------+------+------+-------+
 |               | FLOSS | Language  | LOC  | OIDC | SAML | CAS  | SCIM | LDAP | SQL   |
 +===============+=======+===========+======+======+======+======+======+======+=======+
-| Canaille      | ✅    | Python    | 10k  | ✅   | ❌   | ❌   | ❌   | ✅   | ✅    |
+| Canaille      | ✅    | Python    | 10k  | ✅   | ❌   | ❌   | 🟠   | ✅   | ✅    |
 +---------------+-------+-----------+------+------+------+------+------+------+-------+
 | `Auth0`_      | ❌    | ❔        | ❔   | ✅   | ✅   | ❌   | ✅   | ✅   | ❔    |
 +---------------+-------+-----------+------+------+------+------+------+------+-------+
diff --git a/doc/locales/doc.pot b/doc/locales/doc.pot
index 54621a7d..5e400e82 100644
--- a/doc/locales/doc.pot
+++ b/doc/locales/doc.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: canaille 0.0.56\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-12-09 23:25+0100\n"
+"POT-Creation-Date: 2024-12-11 17:35+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,2828 +17,2969 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 
 #: ../development/changelog.rst:2
-#: 3fb33c37ddc0459280f3c58be943008e
+#: 939119e221dc48ccadef61738f593f75
 msgid "Release notes"
 msgstr ""
 
 #: ../development/changelog.rst:4
-#: 67e645fac3b646bba12959afa71710cc
+#: 5c86e0ddf13b4a11afae719b4a8c4213
 msgid "All notable changes to this project will be documented in there."
 msgstr ""
 
 #: ../development/changelog.rst:6
-#: 6c5d0b8435cf4001afa1fe74104daf7a
+#: 61e5050f997c46568da55c6829f11531
 msgid "The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.0.0/>`_, and this project adheres to `Semantic Versioning <https://semver.org/spec/v2.0.0.html>`_."
 msgstr ""
 
 #: ../../CHANGES.rst:2
-#: c415689d242946298da972c97d5bb0c4
+#: 206f6798b58b44e9ade1689d820c7552
 msgid "[0.0.57] - Unreleased"
 msgstr ""
 
 #: ../../CHANGES.rst:5
-#: ../../CHANGES.rst:27
-#: ../../CHANGES.rst:55
-#: ../../CHANGES.rst:74
-#: ../../CHANGES.rst:81
-#: ../../CHANGES.rst:100
-#: ../../CHANGES.rst:160
-#: ../../CHANGES.rst:186
-#: ../../CHANGES.rst:201
-#: ../../CHANGES.rst:250
-#: ../../CHANGES.rst:276
-#: ../../CHANGES.rst:295
-#: ../../CHANGES.rst:303
-#: ../../CHANGES.rst:312
-#: ../../CHANGES.rst:338
-#: ../../CHANGES.rst:373
-#: ../../CHANGES.rst:399
-#: ../../CHANGES.rst:448
-#: ../../CHANGES.rst:476
-#: ../../CHANGES.rst:506
-#: ../../CHANGES.rst:562
-#: ../../CHANGES.rst:595
-#: ../../CHANGES.rst:616
-#: ../../CHANGES.rst:626
-#: ../../CHANGES.rst:649
-#: ../../CHANGES.rst:716
-#: ../../CHANGES.rst:754
-#: ../../CHANGES.rst:771
-#: ../../CHANGES.rst:807
-#: 91a8054efa234209906812cdd41bd586
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: f290d44be0ec48a6b509a60a763954d6
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
-#: 2e9453d4722144fd9ad7f53b28a7cb37
+#: ../../CHANGES.rst:33
+#: ../../CHANGES.rst:61
+#: ../../CHANGES.rst:80
+#: ../../CHANGES.rst:87
+#: ../../CHANGES.rst:106
+#: ../../CHANGES.rst:166
+#: ../../CHANGES.rst:192
+#: ../../CHANGES.rst:207
+#: ../../CHANGES.rst:256
+#: ../../CHANGES.rst:282
+#: ../../CHANGES.rst:301
+#: ../../CHANGES.rst:309
+#: ../../CHANGES.rst:318
+#: ../../CHANGES.rst:344
+#: ../../CHANGES.rst:379
+#: ../../CHANGES.rst:405
+#: ../../CHANGES.rst:454
+#: ../../CHANGES.rst:482
+#: ../../CHANGES.rst:512
+#: ../../CHANGES.rst:568
+#: ../../CHANGES.rst:601
+#: ../../CHANGES.rst:622
+#: ../../CHANGES.rst:632
+#: ../../CHANGES.rst:655
+#: ../../CHANGES.rst:722
+#: ../../CHANGES.rst:760
+#: ../../CHANGES.rst:777
+#: ../../CHANGES.rst:813
+#: 5b2ae28202d249e39370b51c82a35bda
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
+#: a10a871fc6ea42e8a52a1aa323001a53
 msgid "Added"
 msgstr ""
 
 #: ../../CHANGES.rst:6
-#: 05060126fea740ef82fba8246132aa6e
-msgid "Password compromission check :issue:`179`"
+#: 0952593cb9c24691baaf0bbbeafbefd0
+msgid "Multi-factor authentication :issue:`47`"
 msgstr ""
 
 #: ../../CHANGES.rst:7
-#: a90b270f7e144a4b81babbac96f5ff22
-msgid ":attr:`~canaille.core.configuration.CoreSettings.ADMIN_EMAIL` and :attr:`~canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_COMPROMISSION_CHECK` and :attr:`~canaille.core.configuration.CoreSettings.API_URL_HIBP` :issue:`179`"
-msgstr ""
-
-#: ../../CHANGES.rst:11
-#: 2cfcbdba2e9541dbab610bc724a2683a
-msgid "Implement OIDC client_credentials flow. :issue:`207`"
+#: 4eaf987f0daa4715826a62f691583866
+msgid ":attr:`~canaille.core.configuration.CoreSettings.OTP_METHOD` and :attr:`~canaille.core.configuration.CoreSettings.EMAIL_OTP` and :attr:`~canaille.core.configuration.CoreSettings.SMS_OTP` and :attr:`~canaille.core.configuration.CoreSettings.SMPP` :issue:`47`"
 msgstr ""
 
 #: ../../CHANGES.rst:12
-#: 1e36a8464f6045708cf07b39bcdfea1c
-msgid "Button in the client admin page to create client tokens."
+#: ba76f44c46d54198af2dcd0692442ce2
+msgid "Password compromission check :issue:`179`"
 msgstr ""
 
-#: ../../CHANGES.rst:15
-#: ../../CHANGES.rst:35
-#: ../../CHANGES.rst:48
-#: ../../CHANGES.rst:60
-#: ../../CHANGES.rst:85
-#: ../../CHANGES.rst:93
-#: ../../CHANGES.rst:141
-#: ../../CHANGES.rst:167
-#: ../../CHANGES.rst:219
-#: ../../CHANGES.rst:256
-#: ../../CHANGES.rst:325
-#: ../../CHANGES.rst:343
-#: ../../CHANGES.rst:381
-#: ../../CHANGES.rst:420
-#: ../../CHANGES.rst:455
-#: ../../CHANGES.rst:498
-#: ../../CHANGES.rst:602
-#: ../../CHANGES.rst:656
-#: ../../CHANGES.rst:688
-#: ../../CHANGES.rst:702
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-#: 254357b217fe4a309d66a400497a104a
-msgid "Changed"
-msgstr ""
-
-#: ../../CHANGES.rst:16
-#: bb196cd8528b48628628ab53c5288b49
-msgid "PostgreSQL and MySQL extras does not rely on libraries that need to be compiled."
+#: ../../CHANGES.rst:13
+#: 4eaf987f0daa4715826a62f691583866
+msgid ":attr:`~canaille.core.configuration.CoreSettings.ADMIN_EMAIL` and :attr:`~canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_COMPROMISSION_CHECK` and :attr:`~canaille.core.configuration.CoreSettings.API_URL_HIBP` :issue:`179`"
 msgstr ""
 
 #: ../../CHANGES.rst:17
-#: c36865875c264bb4a34d614ea2be23cf
-msgid "``.env`` files are not loaded by default. The ``ENV_FILE`` env var must be passed so ``.env`` files are loaded."
+#: c3938df1d7fc47aa9e9e686b32366a0a
+msgid "Implement OIDC client_credentials flow. :issue:`207`"
 msgstr ""
 
-#: ../../CHANGES.rst:20
-#: 045b041136be49de8d54674ad57fea87
-msgid "[0.0.56] - 2024-11-07"
+#: ../../CHANGES.rst:18
+#: 7412b825ef54497db43d6f157d46fb6b
+msgid "Button in the client admin page to create client tokens."
+msgstr ""
+
+#: ../../CHANGES.rst:21
+#: ../../CHANGES.rst:41
+#: ../../CHANGES.rst:54
+#: ../../CHANGES.rst:66
+#: ../../CHANGES.rst:91
+#: ../../CHANGES.rst:99
+#: ../../CHANGES.rst:147
+#: ../../CHANGES.rst:173
+#: ../../CHANGES.rst:225
+#: ../../CHANGES.rst:262
+#: ../../CHANGES.rst:331
+#: ../../CHANGES.rst:349
+#: ../../CHANGES.rst:387
+#: ../../CHANGES.rst:426
+#: ../../CHANGES.rst:461
+#: ../../CHANGES.rst:504
+#: ../../CHANGES.rst:608
+#: ../../CHANGES.rst:662
+#: ../../CHANGES.rst:694
+#: ../../CHANGES.rst:708
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: f16b19d1f00741a9a6ac39eca0c46f63
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+#: 51ebea9760e04f049db58a8d1e2fdd09
+msgid "Changed"
+msgstr ""
+
+#: ../../CHANGES.rst:22
+#: 5085714dd09e40dcbf2540a73162985c
+msgid "PostgreSQL and MySQL extras does not rely on libraries that need to be compiled."
 msgstr ""
 
 #: ../../CHANGES.rst:23
-#: ../../CHANGES.rst:65
-#: ../../CHANGES.rst:104
-#: ../../CHANGES.rst:112
-#: ../../CHANGES.rst:120
-#: ../../CHANGES.rst:127
-#: ../../CHANGES.rst:134
-#: ../../CHANGES.rst:148
-#: ../../CHANGES.rst:178
-#: ../../CHANGES.rst:191
-#: ../../CHANGES.rst:209
-#: ../../CHANGES.rst:228
-#: ../../CHANGES.rst:236
-#: ../../CHANGES.rst:262
-#: ../../CHANGES.rst:270
-#: ../../CHANGES.rst:290
-#: ../../CHANGES.rst:320
-#: ../../CHANGES.rst:352
-#: ../../CHANGES.rst:360
-#: ../../CHANGES.rst:386
-#: ../../CHANGES.rst:406
-#: ../../CHANGES.rst:430
-#: ../../CHANGES.rst:440
-#: ../../CHANGES.rst:461
-#: ../../CHANGES.rst:469
-#: ../../CHANGES.rst:492
-#: ../../CHANGES.rst:515
-#: ../../CHANGES.rst:527
-#: ../../CHANGES.rst:536
-#: ../../CHANGES.rst:545
-#: ../../CHANGES.rst:554
-#: ../../CHANGES.rst:574
-#: ../../CHANGES.rst:581
-#: ../../CHANGES.rst:631
-#: ../../CHANGES.rst:639
-#: ../../CHANGES.rst:664
-#: ../../CHANGES.rst:672
-#: ../../CHANGES.rst:680
-#: ../../CHANGES.rst:693
-#: ../../CHANGES.rst:707
-#: ../../CHANGES.rst:739
-#: ../../CHANGES.rst:762
-#: ../../CHANGES.rst:793
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: f251ffbac69548f6b747cd4b8ea6f8ec
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: c582172293c74e6e9df5bb65756c4c6c
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 839f52c15ed94f0ba4a9356f392f728b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
-#: 13ee0de3f7db4046b8399917e8d52e0b
+#: 9108b999fecf4abf910d338c13fd0fc0
+msgid "``.env`` files are not loaded by default. The ``ENV_FILE`` env var must be passed so ``.env`` files are loaded."
+msgstr ""
+
+#: ../../CHANGES.rst:26
+#: 56edbd9989cf41c4b9b58dfd5e108991
+msgid "[0.0.56] - 2024-11-07"
+msgstr ""
+
+#: ../../CHANGES.rst:29
+#: ../../CHANGES.rst:71
+#: ../../CHANGES.rst:110
+#: ../../CHANGES.rst:118
+#: ../../CHANGES.rst:126
+#: ../../CHANGES.rst:133
+#: ../../CHANGES.rst:140
+#: ../../CHANGES.rst:154
+#: ../../CHANGES.rst:184
+#: ../../CHANGES.rst:197
+#: ../../CHANGES.rst:215
+#: ../../CHANGES.rst:234
+#: ../../CHANGES.rst:242
+#: ../../CHANGES.rst:268
+#: ../../CHANGES.rst:276
+#: ../../CHANGES.rst:296
+#: ../../CHANGES.rst:326
+#: ../../CHANGES.rst:358
+#: ../../CHANGES.rst:366
+#: ../../CHANGES.rst:392
+#: ../../CHANGES.rst:412
+#: ../../CHANGES.rst:436
+#: ../../CHANGES.rst:446
+#: ../../CHANGES.rst:467
+#: ../../CHANGES.rst:475
+#: ../../CHANGES.rst:498
+#: ../../CHANGES.rst:521
+#: ../../CHANGES.rst:533
+#: ../../CHANGES.rst:542
+#: ../../CHANGES.rst:551
+#: ../../CHANGES.rst:560
+#: ../../CHANGES.rst:580
+#: ../../CHANGES.rst:587
+#: ../../CHANGES.rst:637
+#: ../../CHANGES.rst:645
+#: ../../CHANGES.rst:670
+#: ../../CHANGES.rst:678
+#: ../../CHANGES.rst:686
+#: ../../CHANGES.rst:699
+#: ../../CHANGES.rst:713
+#: ../../CHANGES.rst:745
+#: ../../CHANGES.rst:768
+#: ../../CHANGES.rst:799
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
+#: ada79906de064c77a4cff6eda5238016
 msgid "Fixed"
 msgstr ""
 
-#: ../../CHANGES.rst:24
-#: 10c707b06b884b168b2dd26bffd7bf76
+#: ../../CHANGES.rst:30
+#: 3d50d62c605c4973956375e2229be4f1
 msgid "With LDAP backend, updating another user groups could result in a permission lost for the editor. :issue:`202`"
 msgstr ""
 
-#: ../../CHANGES.rst:28
-#: efa1fc20329f42918fe6a530617cf102
+#: ../../CHANGES.rst:34
+#: ce5db69d7e134a938f544bc4c14c2dbc
 msgid ":attr:`~canaille.core.configuration.CoreSettings.MAX_PASSWORD_LENGHT` and :attr:`~canaille.core.configuration.CoreSettings.MIN_PASSWORD_LENGHT` configuration options :issue:`174`"
 msgstr ""
 
-#: ../../CHANGES.rst:30
-#: cdab69b7537c452caa3eadb572993a40
+#: ../../CHANGES.rst:36
+#: 0952593cb9c24691baaf0bbbeafbefd0
 msgid "Password strength visual indicator. :issue:`174`"
 msgstr ""
 
-#: ../../CHANGES.rst:31
-#: 2ae6bad543d64621886630d3db7832e6
+#: ../../CHANGES.rst:37
+#: 34660cc568ac402485a0ae2a226c3ed9
 msgid "Security events logs. :issue:`177`"
 msgstr ""
 
-#: ../../CHANGES.rst:32
-#: 40ab5f1ed3bc406fb662d0025e5b3212
+#: ../../CHANGES.rst:38
+#: 74390b590e9e4714bff818c8d9d95630
 msgid "Support for Python 3.13. :pr:`186`"
 msgstr ""
 
-#: ../../CHANGES.rst:36
-#: c7940e351aac4939b964ccb80cebd616
+#: ../../CHANGES.rst:42
+#: 962e298f8c7c44a8b3b0f450eb596537
 msgid "Update to `HTMX` 2.0.3. :pr:`184`"
 msgstr ""
 
-#: ../../CHANGES.rst:37
-#: dfc1569ae0ec412d86503a0695522fa5
+#: ../../CHANGES.rst:43
+#: ab78bee0981041d3ade7f68673ab3f12
 msgid "Migrate the Python project management tool from poetry to uv. :pr:`187`"
 msgstr ""
 
-#: ../../CHANGES.rst:38
-#: 40c97bec2553487fa62efc486d3ee444
+#: ../../CHANGES.rst:44
+#: 7cb284d8934d4df7b96b3d995f0ae69a
 msgid "The ``sql`` package extra is now split between ``sqlite``, ``postgresql`` and ``mysql``."
 msgstr ""
 
-#: ../../CHANGES.rst:41
-#: ../../CHANGES.rst:391
-#: ../../CHANGES.rst:799
-#: bc1a20b5783a4fe38fa201438a8075e5
-#: bc1a20b5783a4fe38fa201438a8075e5
-#: bc1a20b5783a4fe38fa201438a8075e5
+#: ../../CHANGES.rst:47
+#: ../../CHANGES.rst:397
+#: ../../CHANGES.rst:805
+#: 06fd8459f24443f5bc2dd961a2174774
+#: 06fd8459f24443f5bc2dd961a2174774
+#: 06fd8459f24443f5bc2dd961a2174774
 msgid "Removed"
 msgstr ""
 
-#: ../../CHANGES.rst:42
-#: 3f97d00692d047dbbecb5c18a2d45b07
+#: ../../CHANGES.rst:48
+#: 7dbb1818231144988378efbcc14e0335
 msgid "End support for Python 3.9. :pr:`179`"
 msgstr ""
 
-#: ../../CHANGES.rst:45
-#: 4a57056601f148969254d2f049e0f460
+#: ../../CHANGES.rst:51
+#: bb731fcd74024f44b0b679df8fd1de3b
 msgid "[0.0.55] - 2024-08-30"
 msgstr ""
 
-#: ../../CHANGES.rst:49
-#: a037ad5da20049ad82e9f9b0d766cfbb
+#: ../../CHANGES.rst:55
+#: e3f7e5b1ec3d471bbaad41ad6afbd38e
 msgid "Use poetry-core build backend. :pr:`178`"
 msgstr ""
 
-#: ../../CHANGES.rst:52
-#: d6bf96b8e5cc4a6f8e099b48c1951a6a
+#: ../../CHANGES.rst:58
+#: 97d86f7b7b6d4df3a78b00068c114b55
 msgid "[0.0.54] - 2024-07-25"
 msgstr ""
 
-#: ../../CHANGES.rst:56
-#: 062bcc176aac499384187fcb06e2a00b
+#: ../../CHANGES.rst:62
+#: 0f6a7830c88b4121b1141a68853d36fd
 msgid "Group member removal can be achieved from the group edition page. :issue:`192`"
 msgstr ""
 
-#: ../../CHANGES.rst:57
-#: 8680469549c74d37a52b1c6252c74d57
+#: ../../CHANGES.rst:63
+#: 761788b232b74eb089dd20c1a57bcf2a
 msgid "Model management commands. :issue:`117` :issue:`54`"
 msgstr ""
 
-#: ../../CHANGES.rst:61
-#: c19428c67d8f4d198d0ab97defe14fb3
+#: ../../CHANGES.rst:67
+#: 1e28ba0fab8947bfbb7b10fc9dfca645
 msgid "Model `identifier_attributes` are fixed."
 msgstr ""
 
-#: ../../CHANGES.rst:62
-#: 571f38b1484b43e2beed6f33eb675700
+#: ../../CHANGES.rst:68
+#: 72287f1ba34c4cc8b2cf0b4af47bbd53
 msgid "Bump to `HTMX` 1.9.12. :pr:`172`"
 msgstr ""
 
-#: ../../CHANGES.rst:67
-#: 9e54da898699471194477836791f08a6
+#: ../../CHANGES.rst:73
+#: 72071aa06de847d29dcd9500881409d0
 msgid "Dark theme colors for better readability."
 msgstr ""
 
-#: ../../CHANGES.rst:68
-#: 4e0f2a8e03a447e59cb0a2b0e6d208f1
+#: ../../CHANGES.rst:74
+#: 600f70e2aecd4eba9ddee16500df48db
 msgid "Crash for passwordless users at login when no SMTP server was configured."
 msgstr ""
 
-#: ../../CHANGES.rst:71
-#: a9273241db7e4137bac5973b20e3ec5d
+#: ../../CHANGES.rst:77
+#: 09953502ecec43198af93b4c10d5dc3e
 msgid "[0.0.53] - 2024-04-22"
 msgstr ""
 
-#: ../../CHANGES.rst:75
-#: 17fbf739a68a4e59b5cc6da8befa1c6f
+#: ../../CHANGES.rst:81
+#: 4627291987094c60b1acc76d520719b4
 msgid "`env_prefix` :meth:`~canaille.create_app` variable can select the environment var prefix."
 msgstr ""
 
-#: ../../CHANGES.rst:78
-#: 7bdc8f732053463b95353cdf5c994838
+#: ../../CHANGES.rst:84
+#: f21535ae9e6643708c8459143e861870
 msgid "[0.0.52] - 2024-04-22"
 msgstr ""
 
-#: ../../CHANGES.rst:82
-#: bc7d1037cdfd40a69044f465467f6834
+#: ../../CHANGES.rst:88
+#: c9c3eb7bdd894b96b0adf60e33691fd4
 msgid "`env_file` create_app variable can customize/disable the .env file."
 msgstr ""
 
-#: ../../CHANGES.rst:86
-#: 9685a5e5a13147f093ac57e2039fe11b
+#: ../../CHANGES.rst:92
+#: 7cda9bf8a22540d0b3233546e130847f
 msgid "Locked users cannot be impersonated anymore."
 msgstr ""
 
-#: ../../CHANGES.rst:87
-#: 1b83a24a97384c2faab67e915701e6b2
+#: ../../CHANGES.rst:93
+#: 965223cd352948c8a77f1b4ce2b50ce4
 msgid "Minimum Python requirement is 3.9."
 msgstr ""
 
-#: ../../CHANGES.rst:90
-#: e88f01e3f89f45f2a63b456f8e304d3d
+#: ../../CHANGES.rst:96
+#: de227140ea8e4d629ffd4189dbd43460
 msgid "[0.0.51] - 2024-04-09"
 msgstr ""
 
-#: ../../CHANGES.rst:94
-#: aae3d126989840578ec2b08058aad688
+#: ../../CHANGES.rst:100
+#: 79f55debd9964020a684739fd256ef14
 msgid "Display the menu bar on error pages."
 msgstr ""
 
-#: ../../CHANGES.rst:97
-#: 22b11dc18595450fa5e7fe5f35824ebe
+#: ../../CHANGES.rst:103
+#: 27a5f8ea8faa41deaf71ae8564fd43a5
 msgid "[0.0.50] - 2024-04-09"
 msgstr ""
 
-#: ../../CHANGES.rst:101
-#: fc1bc503759c4beb943e9dcbf0c4a9cf
+#: ../../CHANGES.rst:107
+#: 8d78dcd06ac84e7d9075dbb55d08b68c
 msgid "Sign in/out events are logged in. :issue:`177`"
 msgstr ""
 
-#: ../../CHANGES.rst:105
-#: cfe0182123c94bcc9ee847739bd2e114
+#: ../../CHANGES.rst:111
+#: f54c1f04263c4f19bf7c01a9e9fb1533
 msgid "`HTMX` and `JAVASCRIPT` configuration settings."
 msgstr ""
 
-#: ../../CHANGES.rst:106
-#: 3bc7c83763d34549bac91df86a22b3a0
+#: ../../CHANGES.rst:112
+#: aac9f0d6bc274a6998bed8663e581445
 msgid "Compatibility with old sessions IDs."
 msgstr ""
 
-#: ../../CHANGES.rst:109
-#: cdee0bee34024d21bace2d77ff637ed9
+#: ../../CHANGES.rst:115
+#: 6c309d659a9d4b00897c0c86136117f2
 msgid "[0.0.49] - 2024-04-08"
 msgstr ""
 
-#: ../../CHANGES.rst:113
-#: f9c9585c305d47628adffcae287229d2
+#: ../../CHANGES.rst:119
+#: e40c5385bf174d4dbdeb1e6c8f2bbca9
 msgid "LDAP user group removal."
 msgstr ""
 
-#: ../../CHANGES.rst:114
-#: c25c5c6a9cca4061be6502cae5e86ba2
+#: ../../CHANGES.rst:120
+#: db426dd917e9449ea1571f6d90fb59cb
 msgid "Display an error message when trying to remove the last user from a group."
 msgstr ""
 
-#: ../../CHANGES.rst:117
-#: 5e0c66b55801444497954839297b97eb
+#: ../../CHANGES.rst:123
+#: aa9c1e96a9d84eb388b2ad22b0b9fa86
 msgid "[0.0.48] - 2024-04-08"
 msgstr ""
 
-#: ../../CHANGES.rst:121
-#: bd9920a130844ee897863a6b649484e2
+#: ../../CHANGES.rst:127
+#: 3bbde6f2fc244902955a6b16a1d9bdc6
 msgid "LDAP ``objectClass`` guessing exception."
 msgstr ""
 
-#: ../../CHANGES.rst:124
-#: 93cf829932204311ba399ae713aff29f
+#: ../../CHANGES.rst:130
+#: f55a477d72624ef691e7a783940c3208
 msgid "[0.0.47] - 2024-04-08"
 msgstr ""
 
-#: ../../CHANGES.rst:128
-#: b7a5d3351a334b0592b12373e1c7afa6
+#: ../../CHANGES.rst:134
+#: aa6227db351548d1a883af36de508805
 msgid "Lazy permission loading exception."
 msgstr ""
 
-#: ../../CHANGES.rst:131
-#: c6000ae4f0fc4d488ab180c3aa9eb144
+#: ../../CHANGES.rst:137
+#: 665fb2129c5f4c498a9eca30a7625d69
 msgid "[0.0.46] - 2024-04-08"
 msgstr ""
 
-#: ../../CHANGES.rst:135
-#: db4476f22ad049f49833696323eb1b33
+#: ../../CHANGES.rst:141
+#: a736243f81d845d5a13e66303db4632d
 msgid "Saving an object with the LDAP backend keeps the ``objectClass`` un-managed by Canaille. :pr:`171`"
 msgstr ""
 
-#: ../../CHANGES.rst:138
-#: d7117b0322b549ff87b73b8e4c839915
+#: ../../CHANGES.rst:144
+#: 23d50243f242497eafeb43190b191910
 msgid "[0.0.45] - 2024-04-04"
 msgstr ""
 
-#: ../../CHANGES.rst:142
-#: 9690ab893eef4290a52b1137f24b9be8
+#: ../../CHANGES.rst:148
+#: 8ca38c12afde4e1d881f0f631dee2180
 msgid "Internal indexation mechanism of :class:`~canaille.backends.memory.model.MemoryModel`."
 msgstr ""
 
-#: ../../CHANGES.rst:145
-#: be79650410904879b53da2c62ac092d5
+#: ../../CHANGES.rst:151
+#: 0ec8aaff2a864d52beaead02de313d2f
 msgid "[0.0.44] - 2024-03-29"
 msgstr ""
 
-#: ../../CHANGES.rst:149
-#: 1c2533bc36b548c59361d7b3e304cce6
+#: ../../CHANGES.rst:155
+#: 23af820d08664c0dbf3229567505e6a9
 msgid "Fix the default LDAP ``USER_FILTER`` value."
 msgstr ""
 
-#: ../../CHANGES.rst:150
-#: c429e79bd5aa46edb7b4cd1bd87c3ad8
+#: ../../CHANGES.rst:156
+#: 695d4f4fe29a4f07960244b87ee1db21
 msgid "Fix the OIDC feature detection."
 msgstr ""
 
-#: ../../CHANGES.rst:153
-#: 51a43a574cc943b5912effdaa67f8690
+#: ../../CHANGES.rst:159
+#: e7f1b082e81e4486b09fc76512e49dc5
 msgid "[0.0.43] - 2024-03-29"
 msgstr ""
 
-#: ../../CHANGES.rst:157
-#: ../../CHANGES.rst:416
-#: 02e8eccba3b74e889a68c78dc51e0a24
-#: 02e8eccba3b74e889a68c78dc51e0a24
+#: ../../CHANGES.rst:163
+#: ../../CHANGES.rst:422
+#: 5cd7f27a291e46298c9a3aa6ee0e5cf0
+#: 5cd7f27a291e46298c9a3aa6ee0e5cf0
 msgid "Configuration files must be updated."
 msgstr ""
 
-#: ../../CHANGES.rst:162
-#: a39fba5f25754fdc9f0f339142ff0320
+#: ../../CHANGES.rst:168
+#: d7d284cc9b424ec69d5240b428964d52
 msgid "Add ``created`` and ``last_modified`` datetime for all models."
 msgstr ""
 
-#: ../../CHANGES.rst:163
-#: b1e37ddf62994798a70a23cff76ed4d6
+#: ../../CHANGES.rst:169
+#: 19050fc882664743866b11a49ca7e398
 msgid "Sitemap to the documentation. :pr:`169`"
 msgstr ""
 
-#: ../../CHANGES.rst:164
-#: 54cf20bc59af4634af6b3f2d0e10c5e9
+#: ../../CHANGES.rst:170
+#: bd7c56451cfa479fb3b8d19275045b6e
 msgid "Configuration management with `pydantic-settings`. :issue:`138` :pr:`170`"
 msgstr ""
 
-#: ../../CHANGES.rst:169
-#: 689b4f88ba4b43db8c8b1a7bff0aebe6
+#: ../../CHANGES.rst:175
+#: d3e65f7666664d4f8ca54f02bf597c71
 msgid "Use default Python logging configuration format. :issue:`188` :pr:`165`"
 msgstr ""
 
-#: ../../CHANGES.rst:170
-#: 7d18c66450654e25a65749ea273b859d
+#: ../../CHANGES.rst:176
+#: ae5e4441862443b9aac1e26cf19a8908
 msgid "Bump to `HTMX` 1.99.11. :pr:`166`"
 msgstr ""
 
-#: ../../CHANGES.rst:171
-#: 9d053f12577548bc8cff1add00376bae
+#: ../../CHANGES.rst:177
+#: e487c2a78a354c6e85ec43fda9f59c4d
 msgid "Use the standard tomllib Python module instead of `toml` starting from Python 3.11. :pr:`167`"
 msgstr ""
 
-#: ../../CHANGES.rst:172
-#: fd8c1c0314b2465c9cacb4ba593eae77
+#: ../../CHANGES.rst:178
+#: e80e66bd46e14c0fae82950444ba043b
 msgid "Use shibuya as the documentation theme :pr:`168`"
 msgstr ""
 
-#: ../../CHANGES.rst:175
-#: abc0b3ba739e4f99866d02027d8128d2
+#: ../../CHANGES.rst:181
+#: 0eb0c4eec73848d283d54626e8538c61
 msgid "[0.0.42] - 2023-12-29"
 msgstr ""
 
-#: ../../CHANGES.rst:180
-#: 74e8932123b744b2809d370b36980326
+#: ../../CHANGES.rst:186
+#: 8e57897d767b4603a54db28c97416ee8
 msgid "Avoid to fail on imports if ``cryptography`` is missing."
 msgstr ""
 
-#: ../../CHANGES.rst:183
-#: 41f209b7a9054599b7b71d4fab3afe8f
+#: ../../CHANGES.rst:189
+#: f4ff69324e6e4a24b2f5aabf9ee71655
 msgid "[0.0.41] - 2023-12-25"
 msgstr ""
 
-#: ../../CHANGES.rst:188
-#: 77ff8fdeadf94e2f8696b2f5b9bd9349
+#: ../../CHANGES.rst:194
+#: 39dd9ec6c6c2415fa90973a715a08d9f
 msgid "OIDC support for the ``create`` value of the ``prompt`` parameter. :issue:`185` :pr:`164`"
 msgstr ""
 
-#: ../../CHANGES.rst:193
-#: 8940d9836a9f46a09613c3646e1d55f8
+#: ../../CHANGES.rst:199
+#: 7d59a023c9bc4a9b94f4339112602d32
 msgid "Correctly set up :attr:`~canaille.oidc.basemodels.Client.audience` during OIDC dynamic registration."
 msgstr ""
 
-#: ../../CHANGES.rst:194
-#: bb9a9230771445b6a7c93f042fb289ee
+#: ../../CHANGES.rst:200
+#: 1e194b3a94034c65936a18174d1078c5
 msgid "``post_logout_redirect_uris`` was ignored during OIDC dynamic registration."
 msgstr ""
 
-#: ../../CHANGES.rst:195
-#: b5d0341447ef443b969d2a48457442f2
+#: ../../CHANGES.rst:201
+#: d9f10cf1c5b3401d95f461f57dbfbece
 msgid "Group field error prevented the registration form validation."
 msgstr ""
 
-#: ../../CHANGES.rst:198
-#: 7bcad6150cbc4883817538eb23bed3bd
+#: ../../CHANGES.rst:204
+#: 6653ebc2588a4ad8989581ca1060f1d9
 msgid "[0.0.40] - 2023-12-22"
 msgstr ""
 
-#: ../../CHANGES.rst:203
-#: aae4204166c443f99e04d84842dd6dd9
+#: ../../CHANGES.rst:209
+#: 1eb728d8f35e4e57bd9b4284c7dd677b
 msgid "The ``THEME`` setting can be a relative path."
 msgstr ""
 
-#: ../../CHANGES.rst:206
-#: 26224cfa5ee647a2b15239a78065f5f7
+#: ../../CHANGES.rst:212
+#: 37f2ef92582741e2985bab37fb6495df
 msgid "[0.0.39] - 2023-12-15"
 msgstr ""
 
-#: ../../CHANGES.rst:211
-#: 14b2b67c379045d681ee712797f44328
+#: ../../CHANGES.rst:217
+#: b46f180dbba54aafb438013586a4100f
 msgid "Crash when no ACL were defined."
 msgstr ""
 
-#: ../../CHANGES.rst:212
-#: 38649598ac954d29843b54b15343dd15
+#: ../../CHANGES.rst:218
+#: 958f8c3ecc57438e835053b3a7d87721
 msgid "OIDC Userinfo endpoint is also available in POST."
 msgstr ""
 
-#: ../../CHANGES.rst:213
-#: ed1da2958a1646fd82c70171a5c04317
+#: ../../CHANGES.rst:219
+#: c37693d772f44c64b03f3baee793c0a1
 msgid "Fix redirection after password reset. :issue:`159`"
 msgstr ""
 
-#: ../../CHANGES.rst:216
-#: 8f2bc47f69554f539aa2836958029d59
+#: ../../CHANGES.rst:222
+#: 9f0b57bb752141079ef51cc0833d3597
 msgid "[0.0.38] - 2023-12-15"
 msgstr ""
 
-#: ../../CHANGES.rst:221
-#: 24f252671c9a4a3590e94e5e563e4d19
+#: ../../CHANGES.rst:227
+#: b208dfe943e64175906f965703dc33dd
 msgid "Convert all the `PNG` pictures in `Webp`. :pr:`162`"
 msgstr ""
 
-#: ../../CHANGES.rst:222
-#: 8a1d423f79f749868c06a775e9c21bd2
+#: ../../CHANGES.rst:228
+#: 3827e636cee240479b1fcedbc86bdfde
 msgid "Update to Flask 3. :issue:`161` :pr:`163`"
 msgstr ""
 
-#: ../../CHANGES.rst:225
-#: 9d53638e5933499baafec12390f02e23
+#: ../../CHANGES.rst:231
+#: acb7a5113f214b84b7f8fd21b48e22de
 msgid "[0.0.37] - 2023-12-01"
 msgstr ""
 
-#: ../../CHANGES.rst:230
-#: 5ed255dd094a4a3aae1b75edf54001ad
+#: ../../CHANGES.rst:236
+#: a22ebfb72b3d4c8c8285d99f4a18ed88
 msgid "Handle 4xx and 5xx error codes with HTMX. :issue:`171` :pr:`161`"
 msgstr ""
 
-#: ../../CHANGES.rst:233
-#: 26d16685ada341a29bf6ee6e98997128
+#: ../../CHANGES.rst:239
+#: 5033ceb76b61492896a738cbabdf0e1a
 msgid "[0.0.36] - 2023-12-01"
 msgstr ""
 
-#: ../../CHANGES.rst:238
-#: 2cfddfd6843e4cbfb1b645c84bc70322
+#: ../../CHANGES.rst:244
+#: df785fb08515480b8205eb8d521d699b
 msgid "Avoid crashing when LDAP groups references unexisting users."
 msgstr ""
 
-#: ../../CHANGES.rst:239
-#: f5714a32e81841e29f2619f6ee5464e8
+#: ../../CHANGES.rst:245
+#: e24d3cf2b5344f3196d44717249eeac9
 msgid "Password reset and initialization mails were only sent to the preferred user email address."
 msgstr ""
 
-#: ../../CHANGES.rst:241
-#: 4e121ada1cc24b7b8051d085b0ce464b
+#: ../../CHANGES.rst:247
+#: 279eb5763cb9437e98472ba23ef09cb9
 msgid "Password reset and initialization mails were not sent at all the user addresses if one email address could not be reached."
 msgstr ""
 
-#: ../../CHANGES.rst:243
-#: c5fc8c86d3df4732b3a06f70dd89af18
+#: ../../CHANGES.rst:249
+#: 8dbbbb93c0d9468db5756b74091a0346
 msgid "Password comparison was too permissive on login."
 msgstr ""
 
-#: ../../CHANGES.rst:244
-#: 36f936a6dd8c41c5bc833d928f347321
+#: ../../CHANGES.rst:250
+#: 2d5c6dab823a45df94ab7061b78fa140
 msgid "Encrypt passwords in the SQL backend."
 msgstr ""
 
-#: ../../CHANGES.rst:247
-#: 76befacfb135435fbee6ee0fe07f40e5
+#: ../../CHANGES.rst:253
+#: 09acf9167bb14934ac3e4b763914df5c
 msgid "[0.0.35] - 2023-11-25"
 msgstr ""
 
-#: ../../CHANGES.rst:252
-#: 14d361d80e4c429f929b943d3321e895
+#: ../../CHANGES.rst:258
+#: b616ae34c6084446b826cbb4bea285ce
 msgid "Refresh token grant supports other client authentication methods. :pr:`157`"
 msgstr ""
 
-#: ../../CHANGES.rst:253
-#: c52cda2685214bcab533db539acee007
+#: ../../CHANGES.rst:259
+#: 5e0cc8d4b2f9482cb0dd7d15578824ca
 msgid "Implement a SQLAlchemy backend. :issue:`30` :pr:`158`"
 msgstr ""
 
-#: ../../CHANGES.rst:258
-#: 57670f55b7644a0888ab65cd2da2fd8c
+#: ../../CHANGES.rst:264
+#: 1379d1aee7ee46fca1a78b6015f8d450
 msgid "Model attributes cardinality is closer to SCIM model. :pr:`155`"
 msgstr ""
 
-#: ../../CHANGES.rst:259
-#: f4ef25b7b38b42a48fb2a32c5cd8888f
+#: ../../CHANGES.rst:265
+#: 08f54a2189ba47dbb2e65e442181d6fd
 msgid "Bump to `HTMX` 1.9.9. :pr:`159`"
 msgstr ""
 
-#: ../../CHANGES.rst:264
-#: 49b0b7da40204fdeaf40c5281235c2a6
+#: ../../CHANGES.rst:270
+#: 001465c19ae140678ce9a78eb0ae7ff5
 msgid "Disable `HTMX` boosting during the OIDC dance. :pr:`160`"
 msgstr ""
 
-#: ../../CHANGES.rst:267
-#: db372dee122e4b4fb18c2c99dd056ce2
+#: ../../CHANGES.rst:273
+#: e063fae1c9984dc0af421058e9bfb500
 msgid "[0.0.34] - 2023-10-02"
 msgstr ""
 
-#: ../../CHANGES.rst:272
-#: a4b5211e96894c5d9d51b2630d6aea17
+#: ../../CHANGES.rst:278
+#: 3aadd82912d6401f8fddc3655ad594b9
 msgid "Canaille installations without account lockabilty could not delete users. :pr:`153`"
 msgstr ""
 
-#: ../../CHANGES.rst:278
-#: 4f4ca04b08a04dcb8f6a2eb6605f0e13
+#: ../../CHANGES.rst:284
+#: 52c2946196324ed2bfacac3fb518a6a1
 msgid "If users register or authenticate during a OAuth Authorization phase, they get redirected back to that page afterwards. :issue:`168` :pr:`151`"
 msgstr ""
 
-#: ../../CHANGES.rst:281
-#: 298ffe26093441918be8b38d13f0cc58
+#: ../../CHANGES.rst:287
+#: e0bb3561373b4651b98fcc1df2e5db94
 msgid "The `flask-babel` and `pytz` libraries are now part of the `front` packaging extras."
 msgstr ""
 
-#: ../../CHANGES.rst:282
-#: ccb502180d634f11ad173619af1b68d8
+#: ../../CHANGES.rst:288
+#: 9cc1748f2a624399ae9983904d6765fc
 msgid "Bump to `fomantic-ui` 2.9.3. :pr:`152`"
 msgstr ""
 
-#: ../../CHANGES.rst:283
-#: 7413676f512d4473972484920ff5f060
+#: ../../CHANGES.rst:289
+#: ec7e3985dc034f43bc0e2411086928e7
 msgid "Bump to `HTMX` 1.9.6. :pr:`154`"
 msgstr ""
 
-#: ../../CHANGES.rst:284
-#: 7905327465c44c09b2a10854abe79960
+#: ../../CHANGES.rst:290
+#: 768b97eabcb04396a1c3f7e3691c3ed2
 msgid "Support for Python 3.12. :pr:`155`"
 msgstr ""
 
-#: ../../CHANGES.rst:287
-#: 808e57e560f74a25b60029fbd6531d2e
+#: ../../CHANGES.rst:293
+#: 4664970b84d545e18a553f8191bc6e8b
 msgid "[0.0.33] - 2023-08-26"
 msgstr ""
 
-#: ../../CHANGES.rst:292
-#: 1179dc27648248188fdecf5696fd5045
+#: ../../CHANGES.rst:298
+#: 3456a02cbd894fccb45ffc1108226c5a
 msgid "OIDC jwks endpoint do not return empty `kid` claim."
 msgstr ""
 
-#: ../../CHANGES.rst:297
-#: b8b2caca239b4b609143ffd267522a16
+#: ../../CHANGES.rst:303
+#: fd6c83b8455f4402b82ffe670e6c83c1
 msgid "Documentation details on the Canaille models."
 msgstr ""
 
-#: ../../CHANGES.rst:300
-#: dd35ed0e27664b6b954e9b39881f14bc
+#: ../../CHANGES.rst:306
+#: 1f3135eb404e412787af9b4f971ea523
 msgid "[0.0.32] - 2023-08-17"
 msgstr ""
 
-#: ../../CHANGES.rst:305
-#: bdcae061315a4e92a6bc1a48475cb351
+#: ../../CHANGES.rst:311
+#: fe7a0cb646094a3d9b2428f7b7d2f3d4
 msgid "Additional inmemory backend. :issue:`30` :pr:`149`"
 msgstr ""
 
-#: ../../CHANGES.rst:306
-#: c39cbed721254ce5ad9c250de1e7ea41
+#: ../../CHANGES.rst:312
+#: 82523d1da67a46089ffd899f134486dd
 msgid "Installation extras. :issue:`167` :pr:`150`"
 msgstr ""
 
-#: ../../CHANGES.rst:309
-#: 5311648e4c714ed29e89e9644167f963
+#: ../../CHANGES.rst:315
+#: 9b5b3399c9fd4f3bbc8e152ee37e7910
 msgid "[0.0.31] - 2023-08-15"
 msgstr ""
 
-#: ../../CHANGES.rst:314
-#: a6a4b510a0ac4b4ebeb9160510f72d77
+#: ../../CHANGES.rst:320
+#: b2ebe664d67047a5882a33ac5c75875b
 msgid "Configuration option to disable the forced usage of OIDC `nonce` parameter. :pr:`143`"
 msgstr ""
 
-#: ../../CHANGES.rst:315
-#: 37eb24ef005e44da8ae0f4c48bda766c
+#: ../../CHANGES.rst:321
+#: 463b404944d9465fa6a17d3d3c0ea106
 msgid "Validate phone numbers with a regex. :pr:`146`"
 msgstr ""
 
-#: ../../CHANGES.rst:316
-#: 2be2120a0500430a8d854d1b8f19a0bf
+#: ../../CHANGES.rst:322
+#: 0effe02b658f49698ab59c14e9103fbe
 msgid "Email verification. :issue:`41` :pr:`147`"
 msgstr ""
 
-#: ../../CHANGES.rst:317
-#: d3be95492ef348efa77976515d4ffca9
+#: ../../CHANGES.rst:323
+#: ca5e445840644c90980662464ea67abc
 msgid "Account registration. :issue:`55` :pr:`133` :pr:`148`"
 msgstr ""
 
-#: ../../CHANGES.rst:322
-#: 1a3da0153c2b451d99665d2b61c512f2
+#: ../../CHANGES.rst:328
+#: 3792c9999c5a44c892129bce1c222552
 msgid "The `check` command uses the default configuration values."
 msgstr ""
 
-#: ../../CHANGES.rst:327
-#: 15f35fa96af04e508b1a6448d866cb5f
+#: ../../CHANGES.rst:333
+#: 6e0b77065c024ebb96f30998294a3b8d
 msgid "Modals do not need use Javascript at the moment. :issue:`158` :pr:`144`"
 msgstr ""
 
-#: ../../CHANGES.rst:330
-#: add3188842de44b691dfbe3152546f7b
+#: ../../CHANGES.rst:336
+#: e513ff9194cb493fb3273e811b5b96d0
 msgid "[0.0.30] - 2023-07-06"
 msgstr ""
 
-#: ../../CHANGES.rst:334
-#: b96e981450334eee84128d7dffb40d8f
+#: ../../CHANGES.rst:340
+#: 7bd32f1cc1c24ce9a6a7a4f3d7fd6024
 msgid "Configuration files must be updated. Check the new format with ``git diff 0.0.29 0.0.30 canaille/conf/config.sample.toml``"
 msgstr ""
 
-#: ../../CHANGES.rst:340
-#: ab83051dda0b48d185846e49011f2429
+#: ../../CHANGES.rst:346
+#: a3f5487d18624886a2adee2c28346eae
 msgid "Configuration option to disable Javascript. :pr:`141`"
 msgstr ""
 
-#: ../../CHANGES.rst:345
-#: 85fb804c891f444c9de116e6e4771526
+#: ../../CHANGES.rst:351
+#: e6ab42f3565b415f85d7778e5ac18966
 msgid "The configuration parameter ``USER_FILTER`` is parsed with Jinja."
 msgstr ""
 
-#: ../../CHANGES.rst:346
-#: 42d91f7cf5a3438a8bcb0bd5c193f1ea
+#: ../../CHANGES.rst:352
+#: de4e44a5b6324f389effc64a28a69c5d
 msgid "Configuration use ``PRIVATE_KEY_FILE`` instead of ``PRIVATE_KEY`` and ``PUBLIC_KEY_FILE`` instead of ``PUBLIC_KEY``."
 msgstr ""
 
-#: ../../CHANGES.rst:349
-#: 30736e0e4b854b46940e80c38023946a
+#: ../../CHANGES.rst:355
+#: 812f9e5828dd4912bc832214d5ae721d
 msgid "[0.0.29] - 2023-06-30"
 msgstr ""
 
-#: ../../CHANGES.rst:354
-#: 89d319fb81e148cb8f82f4b1a5a5390c
+#: ../../CHANGES.rst:360
+#: 81bf1e1132f44c5399805dc865372873
 msgid "Disabled `HTMX` boosting on OIDC forms to avoid errors."
 msgstr ""
 
-#: ../../CHANGES.rst:357
-#: 68d32ee84fa642dfbf358ef907193eb8
+#: ../../CHANGES.rst:363
+#: 0b442eaa0f7f44919f3793aac59d4b4d
 msgid "[0.0.28] - 2023-06-30"
 msgstr ""
 
-#: ../../CHANGES.rst:362
-#: 5490daf53fd144c0b6b360e90bf5667b
+#: ../../CHANGES.rst:368
+#: 3b645ba8d22642f7ae36a9401a170414
 msgid "A template variable was misnamed."
 msgstr ""
 
-#: ../../CHANGES.rst:365
-#: c65a251ed68a49beaff42740c12ce76a
+#: ../../CHANGES.rst:371
+#: 1c8d7269601c4cbf8c6952063000a5f1
 msgid "[0.0.27] - 2023-06-29"
 msgstr ""
 
-#: ../../CHANGES.rst:369
-#: ccf84fb0d4cd47058c3849498bd92259
+#: ../../CHANGES.rst:375
+#: 3082667648f14f86a48ba1f4c71c6bf1
 msgid "Configuration files must be updated. Check the new format with ``git diff 0.0.26 0.0.27 canaille/conf/config.sample.toml``"
 msgstr ""
 
-#: ../../CHANGES.rst:375
-#: 0856562aad23492aa6efc7f6e4bf8f90
+#: ../../CHANGES.rst:381
+#: d37a0bf60d6a407094dca1df32907bc3
 msgid "Configuration entries can be loaded from files if the entry key has a *_FILE* suffix and the entry value is the path to the file. :issue:`134` :pr:`134`"
 msgstr ""
 
-#: ../../CHANGES.rst:377
-#: 24fa209262e04bcbb46c2ab7c881fbaa
+#: ../../CHANGES.rst:383
+#: b198cedfd2dc4b1ca5caffb7281b2b77
 msgid "Field list support. :issue:`115` :pr:`136`"
 msgstr ""
 
-#: ../../CHANGES.rst:378
-#: eaff808f9ce745c59a1b373ab0ef90ab
+#: ../../CHANGES.rst:384
+#: bda5916225d046aa92eee4df020d31d7
 msgid "Pages are boosted with `HTMX`. :issue:`144` :issue:`145` :pr:`137`"
 msgstr ""
 
-#: ../../CHANGES.rst:383
-#: 8afcdb0ddd8f4e6c9941315ff1b06538
+#: ../../CHANGES.rst:389
+#: f0103671112e414da54f464537b92886
 msgid "Bump to jquery 3.7.0. :pr:`138`"
 msgstr ""
 
-#: ../../CHANGES.rst:388
-#: a6e1f4b8a72f4500ab437a86f6e98d06
+#: ../../CHANGES.rst:394
+#: a3de7cd9d0b74333bbe2252c30b27d24
 msgid "Profile edition when the user RDN was not ``uid``. :issue:`148` :pr:`139`"
 msgstr ""
 
-#: ../../CHANGES.rst:393
-#: cfcf7ee77bb84df1bcd780df223e9044
+#: ../../CHANGES.rst:399
+#: a8ee95c286e44ee190211fc2e7792b41
 msgid "Stop support for Python 3.7. :pr:`131`"
 msgstr ""
 
-#: ../../CHANGES.rst:396
-#: 42eab7328c604747ad6bde0067cb6603
+#: ../../CHANGES.rst:402
+#: 031ef0bde1a142fda5313115f399b305
 msgid "[0.0.26] - 2023-06-03"
 msgstr ""
 
-#: ../../CHANGES.rst:401
-#: b621a029c6ec420d8708f0ddd4b49c85
+#: ../../CHANGES.rst:407
+#: 8cd815265cd245d8ae32992c885e4c63
 msgid "Implemented account expiration based on OpenLDAP ppolicy overlay. Needs OpenLDAP 2.5+. :issue:`13` :pr:`118`"
 msgstr ""
 
-#: ../../CHANGES.rst:403
-#: 05f5b0808e74429b92bf61fa570014cf
+#: ../../CHANGES.rst:409
+#: f7ab79e41d1c400fa0f5be534df749eb
 msgid "Timezone configuration entry. :issue:`137` :pr:`130`"
 msgstr ""
 
-#: ../../CHANGES.rst:408
-#: d7e71d1ce6704911b7e5094538cc1084
+#: ../../CHANGES.rst:414
+#: 01a6b5ffbd164e11a7d13c2a720b6230
 msgid "Avoid setting ``None`` in JWT claims when they have no value."
 msgstr ""
 
-#: ../../CHANGES.rst:409
-#: e16dcca3b764486d874401ba65e22f78
+#: ../../CHANGES.rst:415
+#: 1b9beda783b14033b13b34bb69dcf94e
 msgid "Display password recovery button on OIDC login page. :pr:`129`"
 msgstr ""
 
-#: ../../CHANGES.rst:412
-#: dcbd97e0bc4f44babcdc9ad9a503c162
+#: ../../CHANGES.rst:418
+#: 98f294fe9c78448e92a9340f14812660
 msgid "[0.0.25] - 2023-05-05"
 msgstr ""
 
-#: ../../CHANGES.rst:417
-#: 4109765130284304994ae405858bdd3c
+#: ../../CHANGES.rst:423
+#: b9e80a38348a4fabb577d17c476ef787
 msgid "Check the new format with ``git diff 0.0.25 0.0.24 canaille/conf/config.sample.toml``"
 msgstr ""
 
-#: ../../CHANGES.rst:422
-#: c4645c08f789400bba029897871bb828
+#: ../../CHANGES.rst:428
+#: d72e485b1606403e895166193d518a26
 msgid "Renamed user model attributes to match SCIM naming convention. :pr:`123`"
 msgstr ""
 
-#: ../../CHANGES.rst:423
-#: 3c58d21fdc81418e8ee43179c2d6384f
+#: ../../CHANGES.rst:429
+#: f53dae9936ca4478b6575167779eb297
 msgid "Moved OIDC related configuration entries in ``OIDC``."
 msgstr ""
 
-#: ../../CHANGES.rst:424
-#: 5b002906414e41448a3fadea87d71e45
+#: ../../CHANGES.rst:430
+#: c097b3593a1f42d882167cef3925368a
 msgid "Moved ``LDAP`` configuration entry to ``BACKENDS.LDAP``."
 msgstr ""
 
-#: ../../CHANGES.rst:425
-#: d58c113094474cf3b82e8a3303202bb6
+#: ../../CHANGES.rst:431
+#: 88b8faa16b314ab3bc05c8a24dc7432e
 msgid "Bumped to `HTMX` 1.9.0. :pr:`124`"
 msgstr ""
 
-#: ../../CHANGES.rst:426
-#: 3bbdffb495f74fccbdb9eeb78a8eaf81
+#: ../../CHANGES.rst:432
+#: 391a6692f5de4897ac370fc253b7caf4
 msgid "ACL filters are no more LDAP filters but user attribute mappings. :pr:`125`"
 msgstr ""
 
-#: ../../CHANGES.rst:427
-#: 0d3ea4f8df2542e0a7da5029159f31e0
+#: ../../CHANGES.rst:433
+#: 286baa01210c47ee8a9c71a8c51e72fb
 msgid "Bumped to `HTMX` 1.9.2. :pr:`127`"
 msgstr ""
 
-#: ../../CHANGES.rst:432
-#: 71139e5ab6e34c2a87d51d3d04c0dbc0
+#: ../../CHANGES.rst:438
+#: 2f5e152512fe493c9e5f291f3dc47ca3
 msgid "``OIDC.JWT.MAPPING`` configuration entry is really optional now."
 msgstr ""
 
-#: ../../CHANGES.rst:433
-#: e34b111a3a8b4e2da966a36107a682b5
+#: ../../CHANGES.rst:439
+#: 646ffd29b1694f58a41036fec066e023
 msgid "Fixed empty model attributes registration. :pr:`125`"
 msgstr ""
 
-#: ../../CHANGES.rst:434
-#: 566d49eca850419cbb39c3a78a4160aa
+#: ../../CHANGES.rst:440
+#: 8ef81a1e8e584cab90c6401a07c88b81
 msgid "Password initialization mails were not correctly sent. :pr:`128`"
 msgstr ""
 
-#: ../../CHANGES.rst:437
-#: f461dc48e9c846628f7ddb99b18252c6
+#: ../../CHANGES.rst:443
+#: e9729b8de309453a862cb61a500d83a6
 msgid "[0.0.24] - 2023-04-07"
 msgstr ""
 
-#: ../../CHANGES.rst:442
-#: 007393d26d6e4375a0e05cbbf6c41d65
+#: ../../CHANGES.rst:448
+#: e25900ea2cb9451f9def4f1230cf311b
 msgid "Fixed avatar update. :pr:`122`"
 msgstr ""
 
-#: ../../CHANGES.rst:445
-#: 0ddfaf5df815484f9eb469a884e5f667
+#: ../../CHANGES.rst:451
+#: 6b0ff68eb4d048f9a87c723077b6a917
 msgid "[0.0.23] - 2023-04-05"
 msgstr ""
 
-#: ../../CHANGES.rst:450
-#: 2e7346baddf44a7f9f5b9a05ae826913
+#: ../../CHANGES.rst:456
+#: 45d12b8c7b044a6aa129a826cb589403
 msgid "Organization field. :pr:`116`"
 msgstr ""
 
-#: ../../CHANGES.rst:451
-#: 1c68c43ae90f4e2e944dab12514f06d1
+#: ../../CHANGES.rst:457
+#: 7554a21c2da44a10ae7044507e7e8ef1
 msgid "ETag and Last-Modified headers on user photos. :pr:`116`"
 msgstr ""
 
-#: ../../CHANGES.rst:452
-#: bcaf8fe7d8e940f191ed6ea5178566c1
+#: ../../CHANGES.rst:458
+#: 56e3c78c43bc4ebfb789357d53401f12
 msgid "Dynamic form validation. :pr:`120`"
 msgstr ""
 
-#: ../../CHANGES.rst:457
-#: 2b077ff5215a4b20b8438e82f4366ada
+#: ../../CHANGES.rst:463
+#: eef201e52d6e487fb83b276678dcf6ad
 msgid "UX rework. Submenu addition. :pr:`114`"
 msgstr ""
 
-#: ../../CHANGES.rst:458
-#: 166152fdbf6248e8a4af29f4f3bf5b6e
+#: ../../CHANGES.rst:464
+#: f6dfc94a3486418cb94ebe88c6078543
 msgid "Properly handle LDAP date timezones. :pr:`117`"
 msgstr ""
 
-#: ../../CHANGES.rst:463
-#: 343c4102b6d648018544f151f97540e1
+#: ../../CHANGES.rst:469
+#: c81b6adf5d6e40e8b0aeb2898e40c692
 msgid "CSRF protection on every forms. :pr:`119`"
 msgstr ""
 
-#: ../../CHANGES.rst:466
-#: 7140973831594dacad0bd205ca9b60e5
+#: ../../CHANGES.rst:472
+#: 41e5cc643b4e4c35b9d04ed3c6eba537
 msgid "[0.0.22] - 2023-03-13"
 msgstr ""
 
-#: ../../CHANGES.rst:470
-#: 67dc897fec2946598dbb4fe82db8a94f
+#: ../../CHANGES.rst:476
+#: e510bec507814d5387a49ba6117ef0a7
 msgid "The `Faker` library is not imported anymore when the `clean` command is called."
 msgstr ""
 
-#: ../../CHANGES.rst:473
-#: 58e3c0af1ce74125bf42a5ea16b88fbf
+#: ../../CHANGES.rst:479
+#: 9af418bca29f4c169f5720ea8e14e9ac
 msgid "[0.0.21] - 2023-03-12"
 msgstr ""
 
-#: ../../CHANGES.rst:478
-#: a25f75d9086a4499aa1088e537f21bc3
+#: ../../CHANGES.rst:484
+#: 6c81ccf5040343cebb06fe34cc66221e
 msgid "Display TOS and policy URI on the consent list page. :pr:`102`"
 msgstr ""
 
-#: ../../CHANGES.rst:479
-#: e848a4f5372b44249423579a7e2cdc3d
+#: ../../CHANGES.rst:485
+#: 4d19d14961744e028504787840181114
 msgid "Admin token deletion. :pr:`100` :pr:`101`"
 msgstr ""
 
-#: ../../CHANGES.rst:480
-#: 61b841de5b89407d9912c8c73309111a
+#: ../../CHANGES.rst:486
+#: cf00a4a47f2a4463a3cc06dd126d589d
 msgid "Revoked consents can be restored. :pr:`103`"
 msgstr ""
 
-#: ../../CHANGES.rst:481
-#: 656acd80913242a4820a20bc76d797e8
+#: ../../CHANGES.rst:487
+#: 06108983455940049911e3b8892f8735
 msgid "Pre-consented clients are displayed in the user consent list, and their consents can be revoked. :issue:`69` :pr:`103`"
 msgstr ""
 
-#: ../../CHANGES.rst:483
-#: e08c1586240745fa9537dd7501475c0d
+#: ../../CHANGES.rst:489
+#: 2f26c80f733b42f99df3af94c8774ad5
 msgid "A ``populate`` command can be used to fill the database with random users generated with faker. :pr:`105`"
 msgstr ""
 
-#: ../../CHANGES.rst:485
-#: dc653adfdbc441589c385b956ae9739e
+#: ../../CHANGES.rst:491
+#: 64049d3aa81141f3b29778b9f2f3d188
 msgid "SMTP SSL support. :pr:`108`"
 msgstr ""
 
-#: ../../CHANGES.rst:486
-#: c69d8b01e4194d5b9268b84ab81849d6
+#: ../../CHANGES.rst:492
+#: 6f16cdf0ce864a20b13344f84e6dfefb
 msgid "Server side pagination. :issue:`114` :pr:`111`"
 msgstr ""
 
-#: ../../CHANGES.rst:487
-#: 5b4f3aa107a74df3ba845920503dfdc5
+#: ../../CHANGES.rst:493
+#: 7aeacbe0b4fa48c79db52ed0cf7229fd
 msgid "Department number support. :issue:`129`"
 msgstr ""
 
-#: ../../CHANGES.rst:488
-#: d219e1ac8fa148d5b6e4babc678fbeb2
+#: ../../CHANGES.rst:494
+#: e5bb989cd1fe472cb845dfe3de958f55
 msgid "Address edition support (but not in the OIDC claims yet). :pr:`112`"
 msgstr ""
 
-#: ../../CHANGES.rst:489
-#: 52d2ceda28ab430a984dee19f8766b2a
+#: ../../CHANGES.rst:495
+#: 1140843546bf41dd826bf71bea29ff23
 msgid "Title edition support. :pr:`113`"
 msgstr ""
 
-#: ../../CHANGES.rst:494
-#: c4aca25daa3b491f9208d71f7715800f
+#: ../../CHANGES.rst:500
+#: d9bd3caa1f4f47ebb304efd457802ca1
 msgid "Client deletion also deletes related :class:`~canaille.oidc.basemodels.Consent`, :class:`~canaille.oidc.basemodels.Token` and :class:`~canaille.oidc.basemodels.AuthorizationCode` objects. :issue:`126` :pr:`98`"
 msgstr ""
 
-#: ../../CHANGES.rst:500
-#: a1c057df21a9436a9b149fb91fdb28d0
+#: ../../CHANGES.rst:506
+#: ac1feaf507284b65bab96bc30457d263
 msgid "Removed the `DataTables` Javascript library."
 msgstr ""
 
-#: ../../CHANGES.rst:503
-#: 74a0312b6fff499fa609d0adbe73dfac
+#: ../../CHANGES.rst:509
+#: d0d7087c87844d069df327a34667ef31
 msgid "[0.0.20] - 2023-01-28"
 msgstr ""
 
-#: ../../CHANGES.rst:508
-#: c443970df56e4203b8ee3fd9e4fa2395
+#: ../../CHANGES.rst:514
+#: 6254c6b37dea417d908d7679fa0c2df5
 msgid "Spanish translation. :pr:`85` :pr:`88`"
 msgstr ""
 
-#: ../../CHANGES.rst:509
-#: 9e42a95e59a74c5584d1144c249a57c1
+#: ../../CHANGES.rst:515
+#: 3a8a7c3e462e4388a29c87ea44bbca31
 msgid "Dedicated connectivity test email. :pr:`89`"
 msgstr ""
 
-#: ../../CHANGES.rst:510
-#: e06855259b6f463897acd0f8a23cd05e
+#: ../../CHANGES.rst:516
+#: 6c73a2cff39a4b8caacfca57f27ba60b
 msgid "Update to jquery 3.6.3. :pr:`90`"
 msgstr ""
 
-#: ../../CHANGES.rst:511
-#: 96cb7430946248108d8c97973a4799d5
+#: ../../CHANGES.rst:517
+#: 2a31509ad04a41d4a9ceab66e4447c61
 msgid "Update to fomantic-ui 2.9.1. :pr:`90`"
 msgstr ""
 
-#: ../../CHANGES.rst:512
-#: 5b5784d9aedb4949bac1591395fc7eb9
+#: ../../CHANGES.rst:518
+#: 1b8798a48e73416383644caadcb8c9d0
 msgid "Update to DataTables 1.13.1. :pr:`90`"
 msgstr ""
 
-#: ../../CHANGES.rst:517
-#: e88b90b5e0eb418f99ea2839c1e79943
+#: ../../CHANGES.rst:523
+#: 43bb3fea7c22470bb734e723ae6ec2dc
 msgid "Fix typos and grammar errors. :pr:`84`"
 msgstr ""
 
-#: ../../CHANGES.rst:518
-#: d333115d646f4ccf9a5bb2dc4d23eba0
+#: ../../CHANGES.rst:524
+#: 28f37a5212944339bb10de4c91b1555d
 msgid "Fix wording and punctuations. :pr:`86`"
 msgstr ""
 
-#: ../../CHANGES.rst:519
-#: cfc153afa2ec4bee9c2dd589a234716c
+#: ../../CHANGES.rst:525
+#: 3511a582ca4d4dd5b57f04e945ff2615
 msgid "Fix HTML lang tag. :issue:`122` :pr:`87`"
 msgstr ""
 
-#: ../../CHANGES.rst:520
-#: a2dc7b3677d040c7a43bde721f766029
+#: ../../CHANGES.rst:526
+#: 227f6ecacee547eab969399f3543c1a9
 msgid "Automatically trims the HTML translated strings. :pr:`91`"
 msgstr ""
 
-#: ../../CHANGES.rst:521
-#: 9a91064adb7f414fab73518fbc77b01d
+#: ../../CHANGES.rst:527
+#: ce4262a979b34e588c4d99db8ec9fae6
 msgid "Fixed dynamic registration scope management. :issue:`123` :pr:`93`"
 msgstr ""
 
-#: ../../CHANGES.rst:524
-#: d7a2cda6d8e24cc484f13ee4df40c1ea
+#: ../../CHANGES.rst:530
+#: 3326dbb8be62452d8140320a39612093
 msgid "[0.0.19] - 2023-01-14"
 msgstr ""
 
-#: ../../CHANGES.rst:529
-#: f7c94b5e7545458e8375ef8a8e3dc21c
+#: ../../CHANGES.rst:535
+#: c15def45121b4d30ab4c57c640f5da6a
 msgid "Ensures the token `expires_in` claim and the `access_token` `exp` claim have the same value. :pr:`83`"
 msgstr ""
 
-#: ../../CHANGES.rst:533
-#: 9291df232e4b4a7eb97fb87504f9b8d4
+#: ../../CHANGES.rst:539
+#: 2e2f24525dba4a819e97e6589907d0a5
 msgid "[0.0.18] - 2022-12-28"
 msgstr ""
 
-#: ../../CHANGES.rst:538
-#: c896b9996ab24cfeb217e9ebfdbed090
+#: ../../CHANGES.rst:544
+#: 82745fec4b984965b3d0b81bed5a3941
 msgid "OIDC end_session was not returning the ``state`` parameter in the ``post_logout_redirect_uri``. :pr:`82`"
 msgstr ""
 
-#: ../../CHANGES.rst:542
-#: 2fa2e9a70b8d4ab4bed4d7f0d8d68f37
+#: ../../CHANGES.rst:548
+#: 3bd062d77c0048d3816421ed0de978e6
 msgid "[0.0.17] - 2022-12-26"
 msgstr ""
 
-#: ../../CHANGES.rst:547
-#: cff81f4ef5254cfdb1e6ba76c2c3b9f6
+#: ../../CHANGES.rst:553
+#: 4f0e0feb2cca4a8eb54473f5764cfcc7
 msgid "Fixed group deletion button. :pr:`80`"
 msgstr ""
 
-#: ../../CHANGES.rst:548
-#: 552d92ac7c364f198201b60a3abebae2
+#: ../../CHANGES.rst:554
+#: b6fc018fb2dc41ecaf43a313cf5330b9
 msgid "Fixed post requests in oidc clients views. :pr:`81`"
 msgstr ""
 
-#: ../../CHANGES.rst:551
-#: f7c78b950b184117855277070cb4e548
+#: ../../CHANGES.rst:557
+#: 0e9699c0d5a74e689fdb73d2ac431d28
 msgid "[0.0.16] - 2022-12-15"
 msgstr ""
 
-#: ../../CHANGES.rst:556
-#: 3e522208e81740fba479a43b017311fd
+#: ../../CHANGES.rst:562
+#: a43af598d338438ea64a3352a866610c
 msgid "Fixed LDAP operational attributes handling."
 msgstr ""
 
-#: ../../CHANGES.rst:559
-#: 53e83abb15b24cc0a3d589011cf7c2a3
+#: ../../CHANGES.rst:565
+#: 11d5f04851c847e6b3939176add7c1e2
 msgid "[0.0.15] - 2022-12-15"
 msgstr ""
 
-#: ../../CHANGES.rst:564
-#: 7194a505926740e3b52b81708d2818de
+#: ../../CHANGES.rst:570
+#: ce751d2ad6e44f438e092afbdcfe72ce
 msgid "User can chose their display name. :pr:`77`"
 msgstr ""
 
-#: ../../CHANGES.rst:565
-#: 5c5a59a03bd5497aa7474ae59e88f6bf
+#: ../../CHANGES.rst:571
+#: 008bcd50172d46429d218c6afbd7bc0f
 msgid "Bumped to Authlib 1.2. :pr:`78`"
 msgstr ""
 
-#: ../../CHANGES.rst:566
-#: 0a3d037fae66464b8c2dfeea28dd3eaf
+#: ../../CHANGES.rst:572
+#: 3edcc407205b44918ab63920f9734a50
 msgid "Implemented :rfc:`RFC7592 <7592>` OAuth 2.0 Dynamic Client Registration Management Protocol. :pr:`79`"
 msgstr ""
 
-#: ../../CHANGES.rst:568
-#: 0670727ea1074acf968c49e71dc4062b
+#: ../../CHANGES.rst:574
+#: e327d602ecac448f8f73a848047f6319
 msgid "Add the ``nonce`` parameter to the ``claims_supported`` server metadata list."
 msgstr ""
 
-#: ../../CHANGES.rst:571
-#: eb86b7335b7b4971812f25c9a2d37d1e
+#: ../../CHANGES.rst:577
+#: 74ad576932584357834751ca5edd823a
 msgid "[0.0.14] - 2022-11-29"
 msgstr ""
 
-#: ../../CHANGES.rst:575
-#: 9903a64c05994256813debf83e9a6b21
+#: ../../CHANGES.rst:581
+#: 1205e961f8944bbb8dbc519bbfdf4993
 msgid "Fixed translation catalogs packaging."
 msgstr ""
 
-#: ../../CHANGES.rst:578
-#: eb1e508e7d2c46bdb471cffecbe4d897
+#: ../../CHANGES.rst:584
+#: fc089f22a3a14548b469d6c4668bb3dc
 msgid "[0.0.13] - 2022-11-21"
 msgstr ""
 
-#: ../../CHANGES.rst:583
-#: 6e71d21752234824bc42897b8a434bb3
+#: ../../CHANGES.rst:589
+#: ea1f503e84f04965b18a569cf25d2941
 msgid "Fixed a bug on the contacts field in the admin client form following the LDAP schema update of 0.0.12."
 msgstr ""
 
-#: ../../CHANGES.rst:585
-#: 374bd3f105af42bc8ea5c0de35e7437f
+#: ../../CHANGES.rst:591
+#: 95a73e92dd77499c9109135edf0040cf
 msgid "Fixed a bug happening during RP initiated logout on clients without `post_logout_redirect_uri` defined."
 msgstr ""
 
-#: ../../CHANGES.rst:587
-#: 6244294cde9d429dbab852b0f7721160
+#: ../../CHANGES.rst:593
+#: 5648d45162744cf4956d8d9c7d9bbf3d
 msgid "Gitlab CI fix. :pr:`64`"
 msgstr ""
 
-#: ../../CHANGES.rst:588
-#: 8dc7de6abbd447f4a78272f33cbcb6cf
+#: ../../CHANGES.rst:594
+#: 1b490834cff04cb99ff4b83f9e5dd758
 msgid "Fixed `client_secret` display on the client administration page. :pr:`65`"
 msgstr ""
 
-#: ../../CHANGES.rst:589
-#: be276c6c0aed433987b562fa51a9af06
+#: ../../CHANGES.rst:595
+#: 5d7cd051df4c45eb9b8e2beea6ec9659
 msgid "Fixed non-square logo CSS. :pr:`67`"
 msgstr ""
 
-#: ../../CHANGES.rst:590
-#: 45c4b643c08f4e98b8eb1994cca78051
+#: ../../CHANGES.rst:596
+#: 16e68eaca761436eb1add2beea510963
 msgid "Fixed schema path on installation. :pr:`68`"
 msgstr ""
 
-#: ../../CHANGES.rst:591
-#: 490ff7e15c244e1c80522169f52be22c
+#: ../../CHANGES.rst:597
+#: 5d87e6344c9d474c821419beb33a1d56
 msgid "Fixed RFC7591 ``software_statement`` claim support. :pr:`70`"
 msgstr ""
 
-#: ../../CHANGES.rst:592
-#: 13d139a4ca6b420eb0780952acd8582c
+#: ../../CHANGES.rst:598
+#: b65b8f602a7d4440936987b7c0143cf7
 msgid "Fixed client preconsent disabling. :pr:`72`"
 msgstr ""
 
-#: ../../CHANGES.rst:597
-#: f863beea190c4605afc13c35d7828c7e
+#: ../../CHANGES.rst:603
+#: 05f32b1852b34334be85dc02f3bc2689
 msgid "Python 3.11 support. :pr:`61`"
 msgstr ""
 
-#: ../../CHANGES.rst:598
-#: dfa820f752f64485950bd9f2f4f2f798
+#: ../../CHANGES.rst:604
+#: 33289ea27c844082832e8eea78498d86
 msgid "``apparmor`` slapd configuration instructions in the documentation page for contributions. :pr:`66`"
 msgstr ""
 
-#: ../../CHANGES.rst:599
-#: 33f4b497e723467fb7cca94de105b331
+#: ../../CHANGES.rst:605
+#: d12ad2a4e17244f8b2719ba9d0749597
 msgid "``preferredLanguage`` attribute support. :pr:`75`"
 msgstr ""
 
-#: ../../CHANGES.rst:604
-#: 80931cb05ba54eb0bdd13af0e69ae5c4
+#: ../../CHANGES.rst:610
+#: dac1b885aa8243af874405b4ccce52f2
 msgid "Replaced the use of the deprecated `FLASK_ENV` environment variable by `FLASK_DEBUG`."
 msgstr ""
 
-#: ../../CHANGES.rst:606
-#: 74c0ecca84cb4195b047360a2a12b281
+#: ../../CHANGES.rst:612
+#: b6ca7ce41fa346b8bb3fa325f1e1ac0d
 msgid "Dynamically generate the server metadata. Users won't have to copy and manually edit ``oauth-authorizationserver.json`` and ``openid-configuration.json``. :pr:`71`"
 msgstr ""
 
-#: ../../CHANGES.rst:609
-#: b56f59b2dd124c91a6268830cf4ddecc
+#: ../../CHANGES.rst:615
+#: ae1b6570238e43f1ac83a511fece3cf5
 msgid "The `FROM_ADDR` configuration option is not mandatory anymore. :pr:`73`"
 msgstr ""
 
-#: ../../CHANGES.rst:610
-#: d701256eb4764f81827acd7b0a0dbda3
+#: ../../CHANGES.rst:616
+#: cba8b0fae91a4dfe9f0e05ddb541f667
 msgid "The `JWT.ISS` configuration option is not mandatory anymore. :pr:`74`"
 msgstr ""
 
-#: ../../CHANGES.rst:613
-#: 45607852e443428199051f1ecba9ba24
+#: ../../CHANGES.rst:619
+#: 36caf034f254408aa020410594ab0cce
 msgid "[0.0.12] - 2022-10-24"
 msgstr ""
 
-#: ../../CHANGES.rst:618
-#: 9997d515babd44b4841ef0218885f1f1
+#: ../../CHANGES.rst:624
+#: 319c8b51be714d25ab11b9a83241970d
 msgid "Basic WebFinger endpoint. :pr:`59`"
 msgstr ""
 
-#: ../../CHANGES.rst:619
-#: 509a601f77664756bc01064f20359cf6
+#: ../../CHANGES.rst:625
+#: 97c9f28850884353be68c0ada430c443
 msgid "Bumped to FomanticUI 2.9.0."
 msgstr ""
 
-#: ../../CHANGES.rst:620
-#: 2cfcbdba2e9541dbab610bc724a2683a
+#: ../../CHANGES.rst:626
+#: c3938df1d7fc47aa9e9e686b32366a0a
 msgid "Implemented Dynamic Client Registration. :pr:`60`"
 msgstr ""
 
-#: ../../CHANGES.rst:623
-#: 4acb242ffb5440d1a468e2d3c3856fe8
+#: ../../CHANGES.rst:629
+#: 5fbfc5c654b0443bac204c4743931636
 msgid "[0.0.11] - 2022-08-11"
 msgstr ""
 
-#: ../../CHANGES.rst:628
-#: 0c4bd2691ba9453b88a686a22ede18ef
+#: ../../CHANGES.rst:634
+#: d3758c7b32f54dc38b34ab4f54a526ba
 msgid "Default theme has a dark variant. :pr:`57`"
 msgstr ""
 
-#: ../../CHANGES.rst:633
-#: d3cabac68def4f77a693a6159bf2f5c0
+#: ../../CHANGES.rst:639
+#: eac5e673605c44bebeab671117d02935
 msgid "Fixed missing ``canaille`` binary. :pr:`58`"
 msgstr ""
 
-#: ../../CHANGES.rst:636
-#: 735459f4aeea42c6b0f7be4a2b06802f
+#: ../../CHANGES.rst:642
+#: be7d08fe65be48d09396c1c7af7f0e49
 msgid "[0.0.10] - 2022-07-07"
 msgstr ""
 
-#: ../../CHANGES.rst:641
-#: f9dfd87d0fa145579e2297b27b61a11b
+#: ../../CHANGES.rst:647
+#: f2759b5afad84126b4041f583edb72eb
 msgid "Online demo. :pr:`55`"
 msgstr ""
 
-#: ../../CHANGES.rst:642
-#: 5e5eef7b53ce470ab0a0137617552a9c
+#: ../../CHANGES.rst:648
+#: e3d980415ffb4cccb2272b1cf96719cc
 msgid "The consent page was displaying scopes not supported by clients. :pr:`56`"
 msgstr ""
 
-#: ../../CHANGES.rst:643
-#: f7b8675a05b64bafb3efbbad603537ce
+#: ../../CHANGES.rst:649
+#: d936dc556a9f4503b0802988273649d3
 msgid "Fixed end session when user are already disconnected."
 msgstr ""
 
-#: ../../CHANGES.rst:646
-#: a14c8084a27d463f82c1573d946a6676
+#: ../../CHANGES.rst:652
+#: 1732d28f09b24b89854f21bfe7942840
 msgid "[0.0.9] - 2022-06-05"
 msgstr ""
 
-#: ../../CHANGES.rst:651
-#: d04e2396209641cc84fa39d8bb397eaa
+#: ../../CHANGES.rst:657
+#: a298893156394c80b5f843c7193b0ca8
 msgid "``DISABLE_PASSWORD_RESET`` configuration option to disable password recovery. :pr:`46`"
 msgstr ""
 
-#: ../../CHANGES.rst:652
-#: 01acc147a456445eb3858de7b0586dca
+#: ../../CHANGES.rst:658
+#: c831a4847472435881495bdc121788f9
 msgid "``edit_self`` ACL permission to control user self edition. :pr:`47`"
 msgstr ""
 
-#: ../../CHANGES.rst:653
-#: dafb92303cb147909db73fdc619f1267
+#: ../../CHANGES.rst:659
+#: 312e6a546170436ea1fa95b58e7d91e1
 msgid "`RP-initiated logout` implementation. :pr:`54`"
 msgstr ""
 
-#: ../../CHANGES.rst:658
-#: f672b1443aa9498994204b20952103e4
+#: ../../CHANGES.rst:664
+#: 797b8359f6a449e5ba16bcc78088768f
 msgid "Bumped to Authlib 1. :pr:`48`"
 msgstr ""
 
-#: ../../CHANGES.rst:659
-#: 18c1456a82f748cd9ee0d6abcb40801f
+#: ../../CHANGES.rst:665
+#: 4d9126ad1c3742759d3d204f1cf76dac
 msgid "Various documentation improvements. :pr:`50`"
 msgstr ""
 
-#: ../../CHANGES.rst:660
-#: 77c7a3b3242647718a3a94a1fc4d05a1
+#: ../../CHANGES.rst:666
+#: 36dc25439ee04162b5a0a808de0e823e
 msgid "Use poetry instead of setuptools as project management tool. :pr:`51`"
 msgstr ""
 
-#: ../../CHANGES.rst:661
-#: 3b65181a80b64d0d8a474a5e643d3f80
+#: ../../CHANGES.rst:667
+#: f1fc01004b2f41349cbe787739c40b03
 msgid "Additional tests for the OIDC ``nonce`` parameter. :pr:`52`"
 msgstr ""
 
-#: ../../CHANGES.rst:665
-#: 35eef6ab06b940e8ad49bf31b7620404
+#: ../../CHANGES.rst:671
+#: 0183302671b24cb0b537b104dc58a9ea
 msgid "``HIDE_INVALID_LOGIN`` behavior and default value."
 msgstr ""
 
-#: ../../CHANGES.rst:666
-#: 2792732f7d154df2b11a35b13114939b
+#: ../../CHANGES.rst:672
+#: 781578064d2347228773e4f950d612b2
 msgid "Compiled translation catalogs are not versioned anymore. :pr:`49` :pr:`53`"
 msgstr ""
 
-#: ../../CHANGES.rst:669
-#: 8766634316d146ab8929259434391f34
+#: ../../CHANGES.rst:675
+#: d816db34635d4549985bb9d94d9a7862
 msgid "[0.0.8] - 2022-03-15"
 msgstr ""
 
-#: ../../CHANGES.rst:674
-#: f053b2fe7153473a81cb24bfc2b90c7d
+#: ../../CHANGES.rst:680
+#: 5c82cce323c6462687804d2c7f006f8d
 msgid "Fixed dependencies."
 msgstr ""
 
-#: ../../CHANGES.rst:677
-#: 6fe1289ea759485b9c3c7658461a409d
+#: ../../CHANGES.rst:683
+#: e6ab77996ddc43dab6022173bbd8eae0
 msgid "[0.0.7] - 2022-03-15"
 msgstr ""
 
-#: ../../CHANGES.rst:682
-#: f40f5e320ea4412fadc8f1bc1d99198c
+#: ../../CHANGES.rst:688
+#: db3701add4984f8c8dd764706a9639fd
 msgid "Fixed spaces and escaped special char in LDAP ``cn/dn`` attributes. :pr:`43`"
 msgstr ""
 
-#: ../../CHANGES.rst:685
-#: ac9b3059b303486a9b31536f1726d873
+#: ../../CHANGES.rst:691
+#: 099a78c093eb4078914a63b9f15403b7
 msgid "[0.0.6] - 2022-03-08"
 msgstr ""
 
-#: ../../CHANGES.rst:690
-#: 357a41c66f054b9b830d9ae20551690d
+#: ../../CHANGES.rst:696
+#: 4598be258efa4e99ab34d7bd5648a824
 msgid "Access token are JWT. :pr:`38`"
 msgstr ""
 
-#: ../../CHANGES.rst:695
-#: 20b619f456934ab09712d95d37ef12cd
+#: ../../CHANGES.rst:701
+#: 19eb39b5f802426f9c1380f0d3c0dfbb
 msgid "Default groups on invitations. :pr:`41`"
 msgstr ""
 
-#: ../../CHANGES.rst:696
-#: 74f8d8568cd1405bbef739de7b92f380
+#: ../../CHANGES.rst:702
+#: 81b3f2d331284cd1bd5d5a148b5d3b77
 msgid "LDAP schemas are shipped within the Canaille package. :pr:`42`"
 msgstr ""
 
-#: ../../CHANGES.rst:699
-#: 936cdbdb780241beb677c1a3c5d21735
+#: ../../CHANGES.rst:705
+#: bc34ed5400c7449886a6d25b679c7ae2
 msgid "[0.0.5] - 2022-02-17"
 msgstr ""
 
-#: ../../CHANGES.rst:704
-#: b49925c79428413ca8c31eff4f42a588
+#: ../../CHANGES.rst:710
+#: 45fc46e1672846778b27bc8766c1aeae
 msgid "LDAP model objects have new identifiers. :pr:`37`"
 msgstr ""
 
-#: ../../CHANGES.rst:709
-#: 21e3bd1145ce480ea8a82394722cef34
+#: ../../CHANGES.rst:715
+#: 8973b4acdebf481783a30266f9502cc2
 msgid "Admin menu dropdown display. :pr:`39`"
 msgstr ""
 
-#: ../../CHANGES.rst:710
-#: b50bd877e6fa4055a450f65d4e0e6951
+#: ../../CHANGES.rst:716
+#: b5deb21feb4d45e58f0b010788916ecd
 msgid "``GROUP_ID_ATTRIBUTE`` configuration typo. :pr:`40`"
 msgstr ""
 
-#: ../../CHANGES.rst:713
-#: 93523c049fd2438b9f8dbb942b657b7c
+#: ../../CHANGES.rst:719
+#: 3dad472d941b4b5392930e039a934df2
 msgid "[0.0.4] - 2022-02-16"
 msgstr ""
 
-#: ../../CHANGES.rst:718
-#: 9cc5e4c0be3e43f98a84d076d254a7a8
+#: ../../CHANGES.rst:724
+#: 3086c540c13844a3b626a211f86a856b
 msgid "Client pre-authorization. :pr:`11`"
 msgstr ""
 
-#: ../../CHANGES.rst:719
-#: b1444e5514e3495f8f05b00bfb31e54b
+#: ../../CHANGES.rst:725
+#: b621896643ca409cac8c3007137ed084
 msgid "LDAP permissions check with the check command. :pr:`12`"
 msgstr ""
 
-#: ../../CHANGES.rst:720
-#: 81badbb21dfe4dd0bd990037947c24cf
+#: ../../CHANGES.rst:726
+#: ac5232266c154c829a210031f4d8a1bc
 msgid "Update consents when a scope required is larger than the scope of an already given consent. :pr:`13`"
 msgstr ""
 
-#: ../../CHANGES.rst:722
-#: 5f6092f6103d401e9fe4554e04ad12cb
+#: ../../CHANGES.rst:728
+#: 7af42dde14864ada93162b9ea16e7cd4
 msgid "Theme customization. :pr:`15`"
 msgstr ""
 
-#: ../../CHANGES.rst:723
-#: 7e99d3a9c9134144a8e18989e6d0d633
+#: ../../CHANGES.rst:729
+#: b8096ecde48d430b91666fa493e4fffe
 msgid "Logging configuration. :pr:`16`"
 msgstr ""
 
-#: ../../CHANGES.rst:724
-#: abd6618054b443efbb5101e9c32f0c90
+#: ../../CHANGES.rst:730
+#: 0db8075af2664c10be1433c0426592e5
 msgid "Installation command. :pr:`17`"
 msgstr ""
 
-#: ../../CHANGES.rst:725
-#: 18c69372e28c42c4b0ac0cae51fcd8aa
+#: ../../CHANGES.rst:731
+#: 5a0d7f3aca6b446fba5f0d36512be8c1
 msgid "Invitation links. :pr:`18`"
 msgstr ""
 
-#: ../../CHANGES.rst:726
-#: 2e35dc7cf246485c97650451d1f41d93
+#: ../../CHANGES.rst:732
+#: 900b1cb1421848c78ccd8559ce8aa513
 msgid "Advanced permissions. :pr:`20`"
 msgstr ""
 
-#: ../../CHANGES.rst:727
-#: ef3b8ab7e89448089a9d09363832c7cc
+#: ../../CHANGES.rst:733
+#: be2815e3ce9b44f6aeb64d24d7cd75ee
 msgid "An option to not use OIDC. :pr:`23`"
 msgstr ""
 
-#: ../../CHANGES.rst:728
-#: 4d5d5581283a4eaabab00c6df18077a0
+#: ../../CHANGES.rst:734
+#: 6fe21ccaf0474887a8c6c04e69154ada
 msgid "Disable some features when no SMTP server is configured. :pr:`24`"
 msgstr ""
 
-#: ../../CHANGES.rst:729
-#: a54b117ff68e47eabb66aa0a741790b1
+#: ../../CHANGES.rst:735
+#: 7fcdcf093e8849e59445af91ec4cfab6
 msgid "Login placeholder dynamically generated according to the configuration. :pr:`25`"
 msgstr ""
 
-#: ../../CHANGES.rst:730
-#: 8593aca44439457296e5591823f56739
+#: ../../CHANGES.rst:736
+#: 9bebc076e1b64cb3be67690a3e46e808
 msgid "Added an option to tune object IDs. :pr:`26`"
 msgstr ""
 
-#: ../../CHANGES.rst:731
-#: 548d5d09a1da4104aed49324dd3d96b6
+#: ../../CHANGES.rst:737
+#: 983fa51b51db46409b73d0ba279c76d5
 msgid "Avatar support. :pr:`27`"
 msgstr ""
 
-#: ../../CHANGES.rst:732
-#: e6275bae918547beab8caabaf64f57db
+#: ../../CHANGES.rst:738
+#: 94758b3cf72342d2948e727f6deb10a7
 msgid "Dynamical and configurable JWT claims. :pr:`28`"
 msgstr ""
 
-#: ../../CHANGES.rst:733
-#: 82bbcaaa7973438696de021fbff14354
+#: ../../CHANGES.rst:739
+#: 33402d7e6d47455cbfc52aeb276a12f2
 msgid "UI improvements. :pr:`29`"
 msgstr ""
 
-#: ../../CHANGES.rst:734
-#: 70cd1dd3d81d4288b1c6bca674492944
+#: ../../CHANGES.rst:740
+#: 181fed73a01445ea9865aadc802e9642
 msgid "Invitation links expiration. :pr:`30`"
 msgstr ""
 
-#: ../../CHANGES.rst:735
-#: af865fef102c44bc801e8aec157c2835
+#: ../../CHANGES.rst:741
+#: eeaa39f7f6c842d39c1d8d40c6e4fbf8
 msgid "Invitees can choose their IDs. :pr:`31`"
 msgstr ""
 
-#: ../../CHANGES.rst:736
-#: d194b87cfbd94dd398f1c58bec6e4c37
+#: ../../CHANGES.rst:742
+#: 8123032bb5d341ec82aa2b0ac8caf886
 msgid "LDAP backend refactoring. :pr:`35`"
 msgstr ""
 
-#: ../../CHANGES.rst:741
-#: 2409763cd25243c9a80678c470fa336d
+#: ../../CHANGES.rst:747
+#: c9a12647745f472890eff2ceb165a8b8
 msgid "Fixed ghost members in a group. :pr:`14`"
 msgstr ""
 
-#: ../../CHANGES.rst:742
-#: ae04a8fa1896467792d8aaaf161fed29
+#: ../../CHANGES.rst:748
+#: 834311277daf401e9c654cfe0751d4f2
 msgid "Fixed email sender names. :pr:`19`"
 msgstr ""
 
-#: ../../CHANGES.rst:743
-#: 596c5956ebc6442984251ca5c558834e
+#: ../../CHANGES.rst:749
+#: 5fa1016aa05747ca84948a30c452d5a4
 msgid "Fixed filter being not escaped. :pr:`21`"
 msgstr ""
 
-#: ../../CHANGES.rst:744
-#: bbf97ea202404efd8708cfbed4bbfe74
+#: ../../CHANGES.rst:750
+#: a221c0e18ffd40e3986f7d20f6eac01a
 msgid "Demo script good practices. :pr:`32`"
 msgstr ""
 
-#: ../../CHANGES.rst:745
-#: 8d176b7d4da5419d8768430eeb01036c
+#: ../../CHANGES.rst:751
+#: 7e90135fab824314847bb5f4e9ab0664
 msgid "Binary path for Debian. :pr:`33`"
 msgstr ""
 
-#: ../../CHANGES.rst:746
-#: 004ecd0e934049ef823bbf0d63f75c14
+#: ../../CHANGES.rst:752
+#: 39205a39be2c4d4bbc2359ba32796266
 msgid "Last name was not mandatory in the forms while this was mandatory in the LDAP server. :pr:`34`"
 msgstr ""
 
-#: ../../CHANGES.rst:748
-#: c6de3dbeeb5f40ff85c60e062271bfdb
+#: ../../CHANGES.rst:754
+#: bef3030603fa42ccaeffb936e450cfeb
 msgid "Spelling typos. :pr:`36`"
 msgstr ""
 
-#: ../../CHANGES.rst:751
-#: d49aed2f00e346cc8adaa26aa54f470a
+#: ../../CHANGES.rst:757
+#: 2dc8f2d4014f4eb9805a19921e4e336a
 msgid "[0.0.3] - 2021-10-13"
 msgstr ""
 
-#: ../../CHANGES.rst:756
-#: 0b32a6319c044bba95b3a00f245c6956
+#: ../../CHANGES.rst:762
+#: f0b73ca5d1da4a728d770d11887f9754
 msgid "Two-steps sign-in. :issue:`49`"
 msgstr ""
 
-#: ../../CHANGES.rst:757
-#: 4cf53569893c4b0ba8eab17b44a4a15b
+#: ../../CHANGES.rst:763
+#: d8353e939a4341fdb9d8b51ac4e03c75
 msgid "Tokens can have several audiences. :issue:`62` :pr:`9`"
 msgstr ""
 
-#: ../../CHANGES.rst:758
-#: 2956507b8bba47839fef6f9a63d5321a
+#: ../../CHANGES.rst:764
+#: a8bf6576f8214a6299aadf379a50f282
 msgid "Configuration check command. :issue:`66` :pr:`8`"
 msgstr ""
 
-#: ../../CHANGES.rst:759
-#: 0415c157cb414913b3d7748afba41cda
+#: ../../CHANGES.rst:765
+#: 05a103a6101241a9afbfeffb28b04ee2
 msgid "Groups management. :issue:`12` :pr:`6`"
 msgstr ""
 
-#: ../../CHANGES.rst:764
-#: e08a9eafc49f45cbb361ed3bd89d4649
+#: ../../CHANGES.rst:770
+#: f9681903b632489e99eb53fdf5301bb7
 msgid "Introspection access bugfix. :issue:`63` :pr:`10`"
 msgstr ""
 
-#: ../../CHANGES.rst:765
-#: 48e63a4a411d4aab8259f74b1d257a37
+#: ../../CHANGES.rst:771
+#: 08202024eda84dd2b15e255de912389d
 msgid "Introspection sub claim. :issue:`64` :pr:`7`"
 msgstr ""
 
-#: ../../CHANGES.rst:768
-#: 2a9047b937be481f811eb403d6bf7fd9
+#: ../../CHANGES.rst:774
+#: c8cf3465674b4ecb94bf3a4548fc5601
 msgid "[0.0.2] - 2021-01-06"
 msgstr ""
 
-#: ../../CHANGES.rst:773
-#: 9f74458dacff435998774594822a1506
+#: ../../CHANGES.rst:779
+#: a52712c92f57496f9cbaf32727c9a2df
 msgid "Login page is responsive. :issue:`1`"
 msgstr ""
 
-#: ../../CHANGES.rst:774
-#: 8a87683d8d524cd482264473256b3777
+#: ../../CHANGES.rst:780
+#: 3e40e18b9ffa4afd9036177b6d1a0393
 msgid "Adapt mobile keyboards to login page fields. :issue:`2`"
 msgstr ""
 
-#: ../../CHANGES.rst:775
-#: c777083179094cd994619adcfc8499d9
+#: ../../CHANGES.rst:781
+#: cf124fc4d201473f9a1d604b092c8c0a
 msgid "Password recovery interface. :issue:`3`"
 msgstr ""
 
-#: ../../CHANGES.rst:776
-#: c7393dc1bb6a4290bfdb2d59a3fef0c9
+#: ../../CHANGES.rst:782
+#: 6a024dfd785b44f09e231f0f3b6a1bdd
 msgid "User profile interface. :issue:`4`"
 msgstr ""
 
-#: ../../CHANGES.rst:777
-#: e874e0e97cae4310ba62553c3d31cd16
+#: ../../CHANGES.rst:783
+#: 295718a0674c41749936c9ee63d895b2
 msgid "Renamed the project *Canaille*. :issue:`5`"
 msgstr ""
 
-#: ../../CHANGES.rst:778
-#: 27a300eabaaf4644989d134ccca22dd8
+#: ../../CHANGES.rst:784
+#: 5572ba58f8934db484ed5914858c1f61
 msgid "Command to remove old tokens. :issue:`17`"
 msgstr ""
 
-#: ../../CHANGES.rst:779
-#: 8e168b1583984a71848678112365d1c7
+#: ../../CHANGES.rst:785
+#: da0ebb8c52d34d209bbbc13ec7a1902a
 msgid "Improved password recovery email. :issue:`14` :issue:`26`"
 msgstr ""
 
-#: ../../CHANGES.rst:780
-#: 901de9a21dd94541b3c23946ada4cd88
+#: ../../CHANGES.rst:786
+#: 2eca9a011ae64f8788ff5b22428f2b63
 msgid "Use Flask `SERVER_NAME` configuration variable instead of `URL`. :issue:`24`"
 msgstr ""
 
-#: ../../CHANGES.rst:781
-#: 62c1e3da0a87437aaa529dcc936c7dbc
+#: ../../CHANGES.rst:787
+#: 42eb9a40233047e4a8d632b8b60a4220
 msgid "Improved consents page. :issue:`27`"
 msgstr ""
 
-#: ../../CHANGES.rst:782
-#: f816ffeb73244ae0b1171b8c156d1e12
+#: ../../CHANGES.rst:788
+#: 4511807efd4b4f6ea558d2632d914cae
 msgid "Admin user page. :issue:`8`"
 msgstr ""
 
-#: ../../CHANGES.rst:783
-#: 2241f2b45f1e426f99f68ccc516c6b60
+#: ../../CHANGES.rst:789
+#: 9928a9d6301649a2bb80e54f26506c4e
 msgid "Project logo. :pr:`29`"
 msgstr ""
 
-#: ../../CHANGES.rst:784
-#: dd802cef3e384fdc928fc43178ab119a
+#: ../../CHANGES.rst:790
+#: 4403f90b28a249c2b38248bf0c9f77f7
 msgid "User account self-deletion can be enabled in the configuration with `SELF_DELETION`. :issue:`35`"
 msgstr ""
 
-#: ../../CHANGES.rst:785
-#: 75d6d908a827424284ea63478783cbf9
+#: ../../CHANGES.rst:791
+#: 21fd51a849844a03b830dc97bc05ab0c
 msgid "Admins can impersonate users. :issue:`39`"
 msgstr ""
 
-#: ../../CHANGES.rst:786
-#: b4eee6e748f94ba9b6e62e2e7fd4d86b
+#: ../../CHANGES.rst:792
+#: 31d73c9489164e0e92e62ac84bc8c22a
 msgid "Forgotten page UX improvement. :pr:`43`"
 msgstr ""
 
-#: ../../CHANGES.rst:787
-#: 44489482b8d54ae78c70959758d6f825
+#: ../../CHANGES.rst:793
+#: 2b400ada80514bc68dd82d954fff040d
 msgid "Admins can remove clients. :pr:`45`"
 msgstr ""
 
-#: ../../CHANGES.rst:788
-#: be6e5371ee2a48efa0d9d276e9caa9a0
+#: ../../CHANGES.rst:794
+#: 2355c3ec7d674d50ace6ac3ad2065627
 msgid "Option `HIDE_INVALID_LOGIN` that can be unactivated to let the user know if the login he attempt to sign in with exists or not. :pr:`48`"
 msgstr ""
 
-#: ../../CHANGES.rst:790
-#: b1df16b2411a440d8d2a0745c972f368
+#: ../../CHANGES.rst:796
+#: ad8e32ede8504576b73db0b8b7bf303a
 msgid "Password initialization mail. :pr:`51`"
 msgstr ""
 
-#: ../../CHANGES.rst:795
-#: ba317999584d46d7b5bfda36157bc111
+#: ../../CHANGES.rst:801
+#: 0f2d8650e76545438f92a8ca420e65e9
 msgid "Form translations. :issue:`19` :issue:`23`"
 msgstr ""
 
-#: ../../CHANGES.rst:796
-#: e0d773fd3f814a438321528df1c4d67d
+#: ../../CHANGES.rst:802
+#: 6f367157d7464c9492c0f8a528dbd11f
 msgid "Avoid to use Google Fonts. :issue:`21`"
 msgstr ""
 
-#: ../../CHANGES.rst:801
-#: d7c5d0509cfe422ab95beb9c1929e413
+#: ../../CHANGES.rst:807
+#: ae2646eead6a4983998e7b76396f3862
 msgid "'My tokens' page. :issue:`22`"
 msgstr ""
 
-#: ../../CHANGES.rst:804
-#: 35ab727ebe564ff2a2aa3e28f9392f5b
+#: ../../CHANGES.rst:810
+#: b2a9ee20e0214e2eb650a3c0c80c6a8f
 msgid "[0.0.1] - 2020-10-21"
 msgstr ""
 
-#: ../../CHANGES.rst:809
-#: 487e834d3b154f69991d042f97ce3734
+#: ../../CHANGES.rst:815
+#: 974217beadfa4205ad58a4fff852a8d4
 msgid "Initial release."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:2
-#: 77d0a023f5f34e7c804011fd50b75bc3
+#: a96f68b7ad98474ba59c1cc935c2fab4
 msgid "Contributions"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:4
-#: 9955ba6bbfb54c74930043f9d86335dc
+#: f190f6b5c4a1498eadcb7fae2bcdf493
 msgid "Contributions are welcome!"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:6
-#: dd58980e1983404d8bc93b9e0866785d
+#: 26f13dddd093492789f21e4db847d7a9
 msgid "The repository is hosted at `gitlab.com/yaal/canaille <https://gitlab.com/yaal/canaille>`_."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:9
-#: 880fd4b263fa4f5aa77f826cf6d7a13e
+#: 25361fdaed76435db19183cb37a4ee83
 msgid "Discuss"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:11
-#: 0e5a0bf82cd4444ebc3ff1dd43a4362c
+#: b8e752ea3b8f4591a9c8616ed7f0d9af
 msgid "If you want to implement a feature or a bugfix, please start by discussing it with us on the `bugtracker <https://gitlab.com/yaal/canaille/-/issues>`_ or the `matrix room <https://matrix.to/#/#canaille-discuss:yaal.coop>`_."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:16
-#: 032421a7ce0548e38943bb37b9e46f90
+#: 5e0c1113f29742f89b251b5903f73e36
 msgid "Development environment"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:18
-#: 464b7af189da4cf2ba346183c47e6264
+#: 710016d6c25b4193925b83445146a358
 msgid "You can either run the demo locally or with Docker."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:20
-#: b918844970c545a3826d0b39a79cb08c
+#: 62ee7de4d731446fa1b2df4e3805803b
 msgid "The only tool required for local development is `uv`. Make sure to have uv `installed on your computer <https://docs.astral.sh/uv/getting-started/installation/>`_ to be able to hack Canaille."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:24
-#: 56f217cf35444c72b1bc1a1cb3ee9e53
+#: b95dab6a28fb472bba445e43148ff6bc
 msgid "Initialize your development environment with:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:26
-#: 9cf0a292c2bb408fa660e14ab61f0e43
+#: 8724e2b7dec24128988b2a3ffb199a4d
 msgid "``uv sync --extra front --extra oidc`` to have a minimal working development environment. This will allow you to run the tests with ``uv pytest --backend memory``."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:27
-#: 8d29fc6ad3bd43c5b232963f5137c91a
+#: ef925e13845f4ec1abf9cae0f0e64140
 msgid "``uv sync --extra front --extra oidc --extra sqlite`` to have a minimal working development environment with SQLite backend support. This will allow you to run the tests with ``uv pytest --backend sql``."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:28
-#: 928d535d56314259b20055eea3a4ceb4
+#: 2a07d0fc832b4178be5633d02a0f1d07
 msgid "``uv sync --extra front --extra oidc --extra ldap`` to have a minimal working development environment with LDAP backend support. This will allow you to run the tests with ``uv pytest --backend ldap``."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:29
-#: 56b8780399064aec89d3099841d1b017
+#: 77b8e98fabe140a28382d44b936baa18
 msgid "``uv sync --all-extras`` if you want to have everything at your fingertips. Note that it may compile some Python dependencies that would expect things to be installed on your system; Some dependencies of Canaille might need to be compiled, so you probably want to check that `GCC` and `cargo` are available on your computer."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:32
-#: 1a514a3605f243979b2d04e1a329368a
+#: a69af4c344d546e4abf52e4a3aa35cf8
 msgid "After having launched the demo you have access to several services:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:34
-#: bbde54dc79ba4241bd97323b5152b50b
+#: dda88353032541b9a70440211ee1a89b
 msgid "A canaille server at `localhost:5000 <http://localhost:5000>`_"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:35
-#: d028b9cbae714b2d945ba4d70a75fb99
+#: 5d2493dbe0924c578cbce67b64f80d14
 msgid "A dummy client at `localhost:5001 <http://localhost:5001>`_"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:36
-#: dbd0340fc974432798237b9b3efe01ea
+#: 595602fe39c040259d1e0346e45efdb7
 msgid "Another dummy client at `localhost:5002 <http://localhost:5002>`_"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:38
-#: 9ff28ddd679b42f4a5bf288242e8c827
+#: 6de7e48182d648f89fe8b2c0b30634fd
 msgid "The canaille server has some default users:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:40
-#: 324e9f4f1d744fa49a0c3e7fe60cf46b
+#: 05cc64bd64b3425f8c727e448bac1904
 msgid "A regular user which login and password are **user**;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:41
-#: 30a3f2679a4b456791471ac6d4c15e2b
+#: 526ece6f767c4728a86ccc832ed77f3e
 msgid "A moderator user which login and password are **moderator**;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:42
-#: d5e4f771a0854678af55e11ae4c8fc3d
+#: bb69c0dfc3e64ceeba0152302e50d5d2
 msgid "An admin user which admin and password are **admin**;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:43
-#: 325a060f0844402d80a7267a46291010
+#: c188d453c64c47869a6c1bba24c32639
 msgid "A new user which login is **james**. This user has no password yet, and his first attempt to log-in would result in sending a password initialization email (if a smtp server is configured)."
 msgstr ""
 
-#: ../development/specifications.rst:63
+#: ../development/specifications.rst:106
 #: ../../CONTRIBUTING.rst:48
-#: c01f125a22914f369ef28ef090a728b1
-#: 01a043d4a4364011b8a22a53549b20da
+#: f9d8d16e7fd1478ea154c65fddc0c109
+#: 30174a5d8c1f479eaf739cfb67550caa
 msgid "Backends"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:50
-#: 12c4afcb316c448797ed9784ef9fbaa1
+#: 0ec216a61a0f4d0c81ef8859f4b8e775
 msgid "Canaille comes with several backends:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:52
-#: 853d2b906b80415db33c707e29640f4c
+#: d49ccb7bb5d349b3b97dcb367e9f50db
 msgid "a lightweight test purpose `memory` backend"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:53
-#: b280dce615cb48ec8456abf65fec4a9e
+#: 2b5961e3d4d34b41a03f5f4e1b305f14
 msgid "a `sql` backend, based on sqlalchemy"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:54
-#: ad6d07459c274a9e8282e290875d5bfb
+#: 3db6bec104534cbbb972fef81e090786
 msgid "a production-ready `LDAP` backend"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:57
-#: 7db1494e281b4b89949e18e1ece1cb6c
+#: b800e3599701462b8ad5f4449e0a62b4
 msgid "Docker environment"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:59
-#: c8e61bddd24e4af0ab8ee2bd2709652d
+#: 39ea2b50603a473cb167b4e1a6a135ca
 msgid "If you want to develop with docker, your browser needs to be able to reach the `canaille` container. The docker-compose file exposes the right ports, but front requests are from outside the docker network: the `canaille` url that makes sense for docker, points nowhere from your browser. As exposed ports are on `localhost`, you need to tell your computer that `canaille` url means `localhost`."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:64
-#: 0e3e6469d25f43998fce20bcb1291b86
+#: dd86e0f0a4204a77ba9927f1768aa33e
 msgid "To do that, you can add the following line to your `/etc/hosts`:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:70
-#: c0dce613d6384dd18a1d6abce742bf55
+#: 5572861cc5114b9b9e7f520fee49b975
 msgid "To launch containers, use:"
 msgstr ""
 
-#: ../development/specifications.rst:65
+#: ../development/specifications.rst:108
 #: ../tutorial/databases.rst:16
 #: ../../CONTRIBUTING.rst:73
 #: ../../CONTRIBUTING.rst:106
-#: 32e05154931e4a6fadcba3b0720e0655
-#: f1b0c988daa54dd4a0c5b30a062cf012
-#: 94f958ac7cab437580604c64cdfa27be
-#: 528aa40e3cd04297b5ebf44fc955e9a9
+#: 7a0d8968fcbe4d8693ac6cf593f51106
+#: fafde474a9ed41dab483dfb87f46dda3
+#: f210968f704646b2a4b35d9f6a5baa90
+#: e8a3d979968c4e05ab1fb5630eb8fc6b
 msgid "SQL"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:74
 #: ../../CONTRIBUTING.rst:107
-#: c66d8a018f064cb3ba36abf12473b5f4
-#: 15c287c63f7f441f991033e23cbb9f95
+#: a1183f0e179942889b697fccf6fde014
+#: f12297286ea648a7a4f8723cd900dd74
 msgid "With the SQL backend, the demo instance will load and save data in a local sqlite database."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:76
 #: ../../CONTRIBUTING.rst:109
-#: 6ddf226447fa4bb89cbf73cc8376c371
-#: c72bd69b5ad94f5992bfe2d30f5b0e8d
+#: 2f256843b3974bfe82ebbd54b22758a0
+#: 03535ba511ef42feb8d6fb77934fb88b
 msgid "Run the demo instance with the SQL backend"
 msgstr ""
 
 #: ../tutorial/databases.rst:8
 #: ../../CONTRIBUTING.rst:83
 #: ../../CONTRIBUTING.rst:115
-#: e5f82f8945b747ac81b31a20cc241e5d
-#: 9a11f967d4c74ad8b9dff673e77d2315
-#: 84a192a56d404fb1baf97b065f6ceaa8
+#: 3216b8433f1847809573eaaa434fe9a7
+#: 6323f7ec77464e2ba7d399f7ccc6f590
+#: d63a7ad080eb47be9529226d4685cf76
 msgid "Memory"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:84
 #: ../../CONTRIBUTING.rst:116
-#: 9c56b31ca9724e62a5aee62e28196764
-#: 22784d30d5a748d2b73ebe7c423c64bc
+#: 96e1856006aa4151b406b7f7922e84ff
+#: 74b6ac7aa3c144f9be537b2c60010548
 msgid "With the memory backend, all data is lost when Canaille stops."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:86
 #: ../../CONTRIBUTING.rst:118
-#: da0af4f3bc5147ae8130399630381126
-#: c1436f14bd2049479ac16384a47f2d38
+#: 6751970e321642cb9cfabd3395bdf82b
+#: b4933b104b004ed39073970b595e9b5f
 msgid "Run the demo instance with the memory backend"
 msgstr ""
 
-#: ../development/specifications.rst:65
+#: ../development/specifications.rst:108
 #: ../tutorial/databases.rst:32
 #: ../../CONTRIBUTING.rst:93
 #: ../../CONTRIBUTING.rst:124
-#: 6f4008249f544ff4afa4e2a7ccebfab2
-#: ce4afa36ab774346b11322758b51325e
-#: f9a9bf9c1c6d49b99edee201000ea0a0
-#: 2e130a461dc64b989f22d4f932976a65
+#: fdfa320e4c4445e5a0c5443e647c0835
+#: 44d5d5bd5737458d81975f70b3477b17
+#: bbe1b4e1618b44fb9651929f4e459099
+#: 2794653a6dd64b5f8a13bc552aa7acc9
 msgid "LDAP"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:94
 #: ../../CONTRIBUTING.rst:125
-#: 4f3a2e440337421f95f937952e7dc9be
-#: db5ad48ecaa94207ab2b7d84bbebf569
+#: c8a1e8a894ef4fa9a4ea60027c3b73a1
+#: 8733bd5bbf5b4744ab8896570d709291
 msgid "With the LDAP backend, all data is lost when Canaille stops."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:96
 #: ../../CONTRIBUTING.rst:127
-#: 50095289006e499588719acc50eb5a56
-#: 80a55900cfc34f4e8b34b5e653a7fdfb
+#: ac813d37940b4d189a3957eeba2ffb08
+#: 73ef2cc1d55f45acbe1568f8da59c158
 msgid "Run the demo instance with the LDAP backend"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:103
-#: 9e2c9acef9184e34b00d62c97980467d
+#: 80000162aaf447eda038a20ae12973c7
 msgid "Local environment"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:133
-#: 5fffaf4bff884b5a839078ad5a889fc9
+#: 8b346e3f0ae84b289a7e819279283718
 msgid "If you want to run the demo locally with the LDAP backend, you need to have `OpenLDAP <https://www.openldap.org/>`_ installed on your system. It is generally shipped under the ``slapd`` or ``openldap`` package name."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:138
-#: aa9aab912ff04dd68c3b59bf1e36575a
+#: ad84a2866902456b8f29498783fd665b
 msgid "On Debian or Ubuntu systems, the OpenLDAP `slapd` binary usage might be restricted by apparmor, and thus makes the tests and the demo fail. This can be mitigated by removing apparmor restrictions on `slapd`."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:148
-#: 3d21757ba34c4721af043c150330c2e4
+#: cdab025ce1dc48fa97161a955423b957
 msgid "Populate the database"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:150
-#: a412d39e98cf44f6b911566e1ebcdbde
+#: 319a37a58be44aac8e617f300e3c3afb
 msgid "The demo database comes populated with some random users and groups. If you need more, you can generate users and groups with the ``populate`` command:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:161
-#: cdf90f875bcc44d5b41197a7cdbb275c
+#: 4bf45406e18a4505999dca7b84c4e8f0
 msgid "Adapt to use either the `ldap` or the `sql` configuration file. Note that this will not work with the memory backend."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:164
-#: 2db32f774df8429fa4c9e83d00616a96
+#: 62c234c473324a82a1038d3f4610a338
 msgid "Unit tests"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:166
-#: 5d6a9b57b35d49c48e2b615f8128ebcc
+#: 314f0cc4c01c47f4bca6c87e7460b03b
 msgid "To run the tests, you just can run `uv run pytest` and/or `uv run tox` to test all the supported python environments. Everything must be green before patches get merged."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:169
-#: e1e6e475ff78404f930bb453f1f26e3b
+#: b9dc93b982bf4fc98eddf47c5730b09c
 msgid "To test a specific backend you can pass ``--backend memory``, ``--backend sql`` or ``--backend ldap`` to pytest and tox."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:171
-#: 2cb85029b4274de388878da3d3285369
+#: 13c7913d62db412bb4e66637a79cd789
 msgid "The test coverage is 100%, patches won't be accepted if not entirely covered. You can check the test coverage with ``uv run pytest --cov --cov-report=html`` or ``uv run tox -e coverage -- --cov-report=html``. You can check the HTML coverage report in the newly created `htmlcov` directory."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:176
-#: 4408d499056c480f86f450a781d2ca0d
+#: 6a901706012a4004b1dbb87ef68c803a
 msgid "Code style"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:178
-#: 93e483f2a66a4d8f82feb8ca9a739818
+#: 9fa3a042eca848fe9b9af832c325142c
 msgid "We use `ruff <https://docs.astral.sh/ruff/>`_ along with other tools to format our code. Please run ``uv run tox -e style`` on your patches before submitting them. In order to perform a style check and correction at each commit you can use our `pre-commit <https://pre-commit.com/>`_ configuration with ``uv run pre-commit install``."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:184
-#: 0dca6207e6734ab487cb3fe72c3e90e8
+#: 831a60fcf8ee4e37828421e71b2931c0
 msgid "Front"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:186
-#: 930e01d770324dc68f73095cd5456a8e
+#: f9ab478278ef4d39bee37c056fb937f2
 msgid "The interface is built upon the `Fomantic UI <https://fomantic-ui.com/>`_ CSS framework. The dynamical parts of the interface use `htmx <https://htmx.org/>`_."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:189
-#: fc0da8a2736e461dab5a7d242c1cfa9a
+#: 115550e00eb74a80828b6acae2948606
 msgid "Using Javascript in the interface is tolerated, but the whole website MUST be accessible for browsers without Javascript support, and without any feature loss."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:191
-#: a13b055a65244362a025440451de998d
+#: 4d3ab5a48a9d49a6aaef6c5c583e938d
 msgid "Because of Fomantic UI we have a dependency to jQuery, however new contributions should not depend on jQuery at all. See the `related issue <https://gitlab.com/yaal/canaille/-/issues/130>`_."
 msgstr ""
 
 #: ../index.rst:71
 #: ../../CONTRIBUTING.rst:196
-#: e3ff6afa466e4e61aa4f677cd58d3ed2
-#: a08d8d5331494e7d93508eaf25f41a07
+#: 03d0d76bba134693bed77e50d1911dd9
+#: 84410d2758484c01b8b48461c40d0a7c
 msgid "Documentation"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:198
-#: 2e1fdcae75de46a6b50db7e4155758af
+#: 5eb4ba179d0444fd9647504055935495
 msgid "The documentation is generated when the tests run:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:204
-#: 94405109592b47c09c8726c305fa5edc
+#: 7f28cb743dcb44d9b66a31febcc8a6d0
 msgid "You can also run sphinx by hand, that should be faster since it avoids the tox environment initialization:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:210
-#: fe4610d142474897ae4f97d321448fac
+#: 4e73e6c26d164591bd5edf84fc921cc4
 msgid "The generated documentation is located at ``build/sphinx/html/en``."
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:213
-#: bf09dd8ed31742bca2fa80175ae85bb3
+#: 3fd3b7e2ec184cf8b2a81f87177f48fb
 msgid "Code translation"
 msgstr ""
 
 #: ../../canaille/translations/README.rst:1
-#: 35fff9d115334ec6aa6a99ec5da8a27f
+#: 3f134d116261469d8e6e9a05b5c47b47
 msgid "Translations are done with `Weblate <https://hosted.weblate.org/projects/canaille/canaille>`__."
 msgstr ""
 
 #: ../../canaille/translations/README.rst:3
-#: b72ee2174a9b42c493780415e3d3fcfd
+#: f5045b02a67f426188352a5d6ff207e1
 msgid "The following commands are there as documentation, only the message extraction is needed for contributors. All the other steps are automatically done with Weblate."
 msgstr ""
 
 #: readme.rst:6
 #: ../../canaille/translations/README.rst:8
 #: readme.rst:6
-#: ea5bd05b09984bcaa643efa7a1a7618c
-#: ea5bd05b09984bcaa643efa7a1a7618c
-#: 33490a8ff4a3465fb8648393ff65eb75
+#: 24b270040aba498184edc6fd3b60c94e
+#: 2056f7130ccd40b7b3b34c0c572a6578
+#: 41a918a2d4a74a5b9b2817c613ca08f4
 msgid "Message extraction"
 msgstr ""
 
 #: readme.rst:8
 #: ../../canaille/translations/README.rst:10
 #: readme.rst:8
-#: 210e9ff98db74777830a5a1f4746df44
-#: 210e9ff98db74777830a5a1f4746df44
-#: 16b22e2bc3cf495bbef529f5732887e3
+#: 3d0d46dbb4b849429d1b20c8d4655b71
+#: ca03937bab89437aaca273df6d905a44
+#: 5743021622e04712918dcadbabc6c7f7
 msgid "After you have edited translatable strings, you should extract the messages with:"
 msgstr ""
 
 #: readme.rst:15
 #: ../../canaille/translations/README.rst:17
 #: readme.rst:15
-#: 54ecd51acf494402964ae281c6cd639b
-#: 54ecd51acf494402964ae281c6cd639b
-#: 02fa7225075346f89ad702cba8aabdeb
+#: 33a52dea69f84cdd8031217438609b01
+#: 1bdb41af37fb4b29970caa32ceb9f68e
+#: fcdbb11edc8c403dba19ddcc30f0c74a
 msgid "Language addition"
 msgstr ""
 
 #: readme.rst:17
 #: ../../canaille/translations/README.rst:19
 #: readme.rst:17
-#: 5429b47768e2472ea597ed48140a5621
-#: 5429b47768e2472ea597ed48140a5621
-#: 015d6a437f7e4d099c8cad60986c0b68
+#: 85155247ccbe4cdda3c379b515fd2413
+#: 04039c23ea56483b9ccf96d20f26f2bd
+#: ba0855443a6f465d9274426f59f251de
 msgid "You can add a new language manually with the following command, however this should not be needed as Weblate takes car of this:"
 msgstr ""
 
 #: ../../canaille/translations/README.rst:26
-#: bdfbb4ef60c54b26abf457ba930b7fcf
+#: d186ca49fae24bbd9d3c28120601a60e
 msgid "Catalog update"
 msgstr ""
 
 #: ../../canaille/translations/README.rst:28
-#: 94b8fc10d3aa4e05b54d619c4b1aaa25
+#: 0ed1087f30a74059b6c7e0e06de6573d
 msgid "You can update the catalogs with the following command, however this should not be needed as Weblate automatically update language catalogs when it detects new strings or when someone translate some existing strings. Weblate pushes happen every 24h."
 msgstr ""
 
 #: ../../canaille/translations/README.rst:36
-#: f232cbfdd201463ab74fe71353c8e23b
+#: ddf0e21cf51b4dc79d6250343d97b0d1
 msgid "Catalog compilation"
 msgstr ""
 
 #: ../../canaille/translations/README.rst:38
-#: 3c756dd105564866a8d74e994e65f2b6
+#: 6ef8340ccc2c46ea99f8d0de91ee483a
 msgid "You can compile the catalogs with the following command, however this should not be needed as catalogs are automatically compiled before running the unit tests, before launching the demo and before compiling the Canaille python package:"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:219
-#: 4ff341d941384c029ed9c0b49d1062f9
+#: 1de2a285415949c49cad5e827186884c
 msgid "Documentation translation"
 msgstr ""
 
 #: readme.rst:1
 #: readme.rst:1
-#: 35fff9d115334ec6aa6a99ec5da8a27f
-#: 7abe83f2eeb54b3f9f3d1a8542696765
+#: 3f134d116261469d8e6e9a05b5c47b47
+#: 82307c31bbd04c86b438e8a4e005cbfd
 msgid "Translations are done with `Weblate <https://hosted.weblate.org/projects/canaille/documentation>`__."
 msgstr ""
 
 #: readme.rst:3
 #: readme.rst:3
-#: de92a131ecf44614963dd89770f593ae
-#: 0ca00925251d48668c7673ddece41d66
+#: e68bab4e55074d099971067e8585e7bc
+#: 36d72bb59c6442f0ac0078ec35cff7db
 msgid "The following commands are there as documentation, only the message extraction and the language addition is needed for contributors."
 msgstr ""
 
 #: readme.rst:24
 #: readme.rst:24
-#: 3d142fe9f633400ea029e949f1e869ee
-#: 74cc2740b1584972aa3c0e672dff5f3e
+#: 2249c8bd3ebb4123b1b85e55d501a414
+#: 592956cc63d849ad8f23d530a03daa2a
 msgid "Build the documentation in another language"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:224
-#: 4b1dc3dae99f4c6fbbeec3e54be3e922
+#: ccb55b67aa5c4d8baf4a4a56eb19fe8c
 msgid "Publish a new release"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:226
-#: 975b37a07edc4a42bbef14c2ca80a34f
+#: a2df8944754246d4a92c6e7f76b8273a
 msgid "Check that dependencies are up to date with ``uv sync --all-extras --upgrade`` and update dependencies accordingly in separated commits;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:227
-#: e9bd8386c6c64ef99aac12ee831f39d1
+#: 4d2be841e11345a7a9f62a7f7e0d46b3
 msgid "Check that tests are still green for every supported python version, and that coverage is still at 100%, by running ``uv run tox``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:228
-#: 3e7d5493a8e44c1a9067010115678723
+#: 69338c8be69e45659eada1ffe5c0f67c
 msgid "Check that the demo environments are still working, both the local and the Docker one;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:229
-#: fe7867ea9416424e81c518f77853958a
+#: 8bba3fab5e164ade8916c47fb38a9c19
 msgid "Check that the :ref:`development/changelog:Release notes` section is correctly filled up;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:230
-#: 7d89adc1c3e6478ab9e8faa02f97bf03
+#: 7be3604476174714a93fb5c8673febf7
 msgid "Increase the version number in ``pyproject.toml``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:231
-#: a376131776cd4e469611fa3ad6749be9
+#: e8b5c52d84d94d809eb6fd08e9a61939
 msgid "Commit with ``git commit``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:232
-#: 655fd489e5324dc5b6172d438a6b8e3e
+#: 70de3f18c0d144c8b5e6ad264629491e
 msgid "Build with ``uv build``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:233
-#: 79fc61b7c13647a285a918a0c126ea53
+#: 54bbdc2762b14df98894d94d760597b9
 msgid "Publish on test PyPI with ``uv publish --publish-url https://test.pypi.org/legacy/``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:234
-#: 93540129ce0c440eba4da63ed3ddb769
+#: 327a4abb66b14f95821cf861312ff6be
 msgid "Install the test package somewhere with ``pip install --extra-index-url https://test.pypi.org/simple --upgrade canaille``. Check that everything looks fine;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:235
-#: 8a73b31d1fe14fdda15e6c2dea0cafc9
+#: 270ce1780553422780cddbbca1791bbd
 msgid "Publish on production PyPI ``uv publish``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:236
-#: 93131bb37ccc4207825449d393f92201
+#: 35cf31b173f34bb2b6ffc0d5cb0931a9
 msgid "Tag the commit with ``git tag XX.YY.ZZ``;"
 msgstr ""
 
 #: ../../CONTRIBUTING.rst:237
-#: a98a5168d5f949ec9e96f16d8ff8b6f5
+#: 673bf114db3945dbbe806b281a6bc1d6
 msgid "Push the release commit and the new tag on the repository with ``git push --tags``."
 msgstr ""
 
 #: ../development/index.rst:2
-#: c0f14bad2988468fa0700bbd47fe1de0
+#: 82f9846032eb48449059b9b21039acf3
 msgid "Development"
 msgstr ""
 
 #: ../development/specifications.rst:2
-#: 156d2082306649a89c7c6ff9b0879911
+#: 68b9e4a665f74983994ec7f7820a6555
 msgid "Specifications"
 msgstr ""
 
 #: ../development/specifications.rst:4
-#: 2c830d15b604470ca1912e9a07b2deb6
+#: a91f12df80654d7a9159894525f0a1fa
 msgid "This page details which specifications are implemented in Canaille, and compares Canaille with other well-known identity providers."
 msgstr ""
 
 #: ../development/specifications.rst:7
-#: bfa87dc7f42445fb96172a2ce7643950
+#: 798ff9024fa049a5889c4e9f725985f4
 msgid "State of the specs in Canaille"
 msgstr ""
 
 #: ../development/specifications.rst:10
-#: b57576e6aa1e46c0ab9b0d74e40f7a1c
+#: faec5be28e9d4a0380914450cb563d74
 msgid "OAuth2"
 msgstr ""
 
 #: ../development/specifications.rst:12
-#: 44156ac1d21c44f89d2090ae27ad397e
+#: bc158a2abfdf4e669db0bf71ac12e539
 msgid "✅ `RFC6749: OAuth 2.0 Framework <https://tools.ietf.org/html/rfc6749>`_"
 msgstr ""
 
 #: ../development/specifications.rst:13
-#: 3dd5d1bc312e4808b9dfb7e906f9a1b3
+#: 41aacf25a278469488576916b0dc1100
 msgid "✅ `RFC6750: OAuth 2.0 Bearer Tokens <https://tools.ietf.org/html/rfc6750>`_"
 msgstr ""
 
 #: ../development/specifications.rst:14
-#: 3f7c67f6ca7049a0a99455d27e7b9278
+#: c84b09e12da74d1e9bb498f4abd41cef
 msgid "✅ `RFC7009: OAuth 2.0 Token Revocation <https://tools.ietf.org/html/rfc7009>`_"
 msgstr ""
 
 #: ../development/specifications.rst:15
-#: b11098fcf9e64dfca026aa25e97624cc
+#: 319878f12ee94c71bcd20839b8e9cdf2
 msgid "❌ `RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants <https://tools.ietf.org/html/rfc7523>`_"
 msgstr ""
 
 #: ../development/specifications.rst:16
-#: 0213796d176a4938a10c902cfb737a18
+#: 7c8c430d14b04548a82b1f6c5b41edef
 msgid "✅ `RFC7591: OAuth 2.0 Dynamic Client Registration Protocol <https://tools.ietf.org/html/rfc7591>`_"
 msgstr ""
 
 #: ../development/specifications.rst:17
-#: afdc8def073c495e8bb24a1ec6a0d62a
+#: a0eeca49247d4d0a858fbd68b8feae7a
 msgid "✅ `RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol <https://tools.ietf.org/html/rfc7592>`_"
 msgstr ""
 
 #: ../development/specifications.rst:18
-#: f592e7f0f2074289b67beb893604277d
+#: 6ba8732c85c743c3ac3f63b40fbf3aa2
 msgid "✅ `RFC7636: Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_"
 msgstr ""
 
 #: ../development/specifications.rst:19
-#: bc914d1d327d4ce6a638c5245c4cfcc3
+#: 338bb06b2df547edbe50a150b4d8c146
 msgid "✅ `RFC7662: OAuth 2.0 Token Introspection <https://tools.ietf.org/html/rfc7662>`_"
 msgstr ""
 
 #: ../development/specifications.rst:20
-#: 08bbaa19162d456899ba99be7b0f9e3d
+#: 1663509c8aa249af8ec326ae877e7044
 msgid "✅ `RFC8414: OAuth 2.0 Authorization Server Metadata <https://tools.ietf.org/html/rfc8414>`_"
 msgstr ""
 
 #: ../development/specifications.rst:21
-#: abbbc93f57ba4660bafa5396616419d8
+#: 37a881c253ff4c87b340587a85546041
 msgid "❌ `RFC8428: OAuth 2.0 Device Authorization Grant <https://tools.ietf.org/html/rfc8428>`_"
 msgstr ""
 
 #: ../development/specifications.rst:22
-#: a9adf95822164ad9a91366b631a095ab
+#: 5398a841990f4e6ea8b40b97e9a32097
 msgid "❌ `RFC8693: OAuth 2.0 Token Exchange <https://tools.ietf.org/html/rfc8693>`_"
 msgstr ""
 
 #: ../development/specifications.rst:23
-#: fac77fd04d2c457cbdda2f46d21a549d
+#: 2045b4c2c1bf4d808e03894e4b365fb8
 msgid "❌ `RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens <https://tools.ietf.org/html/rfc8705>`_"
 msgstr ""
 
 #: ../development/specifications.rst:24
-#: 772cbe80f8cd44faa3230ee4e690e5f3
+#: 107a0959842641af8fa7f1382928f2e1
 msgid "❌ `RFC8707: Resource Indicators for OAuth 2.0 <https://tools.ietf.org/html/rfc8707>`_"
 msgstr ""
 
 #: ../development/specifications.rst:25
-#: 8b06eb72e70742fc821332a4676ba48e
+#: b6b8eaed434f47bfb07f5d077c670b22
 msgid "❌ `RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens <https://tools.ietf.org/html/rfc9068>`_"
 msgstr ""
 
 #: ../development/specifications.rst:26
-#: 088615a4afdc48a5b6449df856cb1eb3
+#: 48f411a150274d74b09dd3111d70d4ef
 msgid "❌ `RFC9101: OAuth 2.0 JWT-Secured Authorization Request (JAR) <https://tools.ietf.org/html/rfc9101>`_"
 msgstr ""
 
 #: ../development/specifications.rst:27
-#: 4bd307887c6a4dcebb9d5ff9b9c3176a
+#: 68ff3ad36aa1400e85a6f6703f5d75ae
 msgid "❌ `RFC9126: OAuth 2.0 Pushed Authorization Requests <https://tools.ietf.org/html/rfc9126>`_"
 msgstr ""
 
 #: ../development/specifications.rst:28
-#: bf777af155ec47bb85265068ff053b85
+#: 312945002b5f49a5ac6e6d797e9322d0
 msgid "❌ `RFC9207: OAuth 2.0 Authorization Server Issuer Identification <https://tools.ietf.org/html/rfc9207>`_"
 msgstr ""
 
 #: ../development/specifications.rst:29
-#: 06b84e457b3f423099a45450e8be7b96
+#: 6f0f83d947a3442c84f44b67f11184b3
 msgid "❌ `RFC9394: OAuth 2.0 Rich Authorization Requests <https://www.rfc-editor.org/rfc/rfc9396.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:30
-#: 17a488e183c64a7696ff1f8b3f02e3d8
+#: f11bf858bc1342a781c9139f05938eae
 msgid "❌ `OAuth2 Multiple Response Types <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:31
-#: 28df30b698994c9ebb429fbe577701ac
+#: d2e5d74b4dd94d85a5d431f60f875dbc
 msgid "❌ `OAuth2 Form Post Response Mode <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:34
-#: ../features.rst:212
-#: 273611a66c514122bd1b8986c81f8464
-#: 511272a32c844e4cb9ca0d2c2b0aeb42
+#: ../features.rst:223
+#: 8f72523ff51c4575b94efb2d3ce15f6b
+#: f36365f798bf4a29a1c762d3d984b773
 msgid "OpenID Connect"
 msgstr ""
 
 #: ../development/specifications.rst:36
-#: 1b811c589c884281a965b470a69c935c
+#: cf8887ca156c4c1c9888a84fc8065530
 msgid "✅ `OpenID Connect Core <https://openid.net/specs/openid-connect-core-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:37
-#: 8eb4c67d2de84a09ba6681ab0ad1dcf0
+#: 5c4310f0f040430fbc2a843183e96fd8
 msgid "✅ `OpenID Connect Discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:38
-#: 3dd0ab1827034c7f8bb58dd56463cb2a
+#: 5d5801df6b9c4bf4a6a02e97b8ced460
 msgid "✅ `OpenID Connect Dynamic Client Registration <https://openid.net/specs/openid-connect-registration-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:39
-#: 5202769d4fed46999e56f7d6a0a03c5d
+#: 7d48e73edb044c8e85e6210edc4c327b
 msgid "✅ `OpenID Connect RP Initiated Logout <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:40
-#: 768d7dd2182a418fb9344db3f5cba48a
+#: cdef4546f7dc4de8865f7a1302d4ba5d
 msgid "❌ `OpenID Connect Session Management <https://openid.net/specs/openid-connect-session-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:41
-#: bffbc632d9bf4c89b64bb51cdece0844
+#: 21aa2648b1f64ffeabe2a6123a75c27d
 msgid "❌ `OpenID Connect Front Channel Logout <https://openid.net/specs/openid-connect-frontchannel-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:42
-#: 3001306e82cc4e9b80078a4631c791f9
+#: dac849b7b0ae48afb3e07330a4155e85
 msgid "❌ `OpenID Connect Back Channel Logout <https://openid.net/specs/openid-connect-backchannel-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:43
-#: 3e1058c4a8154eb58a563e171a03a51b
+#: 9465d51e2c23461486052de55942bbea
 msgid "❌ `OpenID Connect Back Channel Authentication Flow <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:44
-#: 7d20317b02f54007a0d6e9e79b82b243
+#: b4f2991cded34e7190e7e7185828536c
 msgid "❌ `OpenID Connect Core Error Code unmet_authentication_requirements <https://openid.net/specs/openid-connect-unmet-authentication-requirements-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:45
-#: cc695337a4a4431c9a62bdc2471f489d
+#: 1cb0fe5d644c49b2a1c6c7af780c407a
 msgid "✅ `Initiating User Registration via OpenID Connect 1.0 <https://openid.net/specs/openid-connect-prompt-create-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:46
-#: 6cfd3e82e2bb4f80a58d8864be2ef301
+#: 7c15c3d629b44469bb0feba2b79e0522
 msgid "❌  `OpenID Connect Profile for SCIM Services <https://openid.net/specs/openid-connect-scim-profile-1_0.html>`_"
 msgstr ""
 
 #: ../development/specifications.rst:49
-#: ../development/specifications.rst:65
-#: d9278a9cbe784818b57f9fd9d76dda68
-#: d9278a9cbe784818b57f9fd9d76dda68
+#: ../development/specifications.rst:108
+#: 81a42181f7ed4f43b5fc6af1bae15e65
+#: 81a42181f7ed4f43b5fc6af1bae15e65
 msgid "SCIM"
 msgstr ""
 
 #: ../development/specifications.rst:51
-#: c91f11a0512e4782981c5bb98a8038d7
-msgid "❌ `RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements <https://www.rfc-editor.org/rfc/rfc7642>`_"
-msgstr ""
-
-#: ../development/specifications.rst:52
-#: 2f4ea31b4c80425a8e3075b8597ae8e5
-msgid "❌ `RFC7643: System for Cross-domain Identity Management: Core Schema <https://www.rfc-editor.org/rfc/rfc7642>`_"
+#: c3e061fe92e4451ea24e50dacd112c46
+msgid "Canaille provides a basic SCIM server implementation."
 msgstr ""
 
 #: ../development/specifications.rst:53
-#: 6ffdb285557144afb301b05c33fecddf
-msgid "❌ `RFC7644: System for Cross-domain Identity Management: Protocol <https://www.rfc-editor.org/rfc/rfc7642>`_"
+#: aefb1b937f7a4e35a4eae6d8648c6303
+msgid "🟠 `RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements <https://www.rfc-editor.org/rfc/rfc7642>`_"
 msgstr ""
 
-#: ../development/specifications.rst:56
-#: ac600b38603f4fb999aebf5ffbe33cc7
-msgid "Comparison with other providers"
+#: ../development/specifications.rst:54
+#: 6193cd6fb48643e99f0e2018dbdaba83
+msgid "🟠 `RFC7643: System for Cross-domain Identity Management: Core Schema <https://www.rfc-editor.org/rfc/rfc7642>`_"
 msgstr ""
 
-#: ../development/specifications.rst:58
-#: 2ef9567e17694a669ed5071c882661ad
-msgid "Here is a feature comparison with other OpenID Connect server software."
+#: ../development/specifications.rst:55
+#: 9b124b409b3041f5bdefedf9b0593d06
+msgid "🟠 `RFC7644: System for Cross-domain Identity Management: Protocol <https://www.rfc-editor.org/rfc/rfc7642>`_"
+msgstr ""
+
+#: ../development/specifications.rst:57
+#: e6062c405e8948d38ec280a762370179
+msgid "Client-side implementation (i.e. broadcasting changes on users and groups among clients) and advanced features will be implemented in the future."
 msgstr ""
 
 #: ../development/specifications.rst:60
-#: d6d241980d3e46e192dd54a5082b0197
-msgid "Canaille voluntarily only implements the OpenID Connect protocol to keep its codebase simple."
+#: da7a2a26dbfb494abca9e21b3178087e
+msgid "What's implemented"
 msgstr ""
 
-#: ../development/specifications.rst:63
-#: 0b9a4fba353c483692ed6fb04227691e
-msgid "Software"
-msgstr ""
-
-#: ../development/specifications.rst:63
-#: 62c2fe7c97644cfa8e7d297a337bfe36
-msgid "Project"
-msgstr ""
-
-#: ../development/specifications.rst:63
-#: f4700ad912314bfc8d66be8471a4c772
-msgid "Protocols implementations"
-msgstr ""
-
-#: ../development/specifications.rst:65
-#: ea237be2a99a4940be67516a1b95d97d
-msgid "FLOSS"
-msgstr ""
-
-#: ../development/specifications.rst:65
-#: 55d5dd9174f94ca9850b999864598259
-msgid "Language"
-msgstr ""
-
-#: ../development/specifications.rst:65
-#: 27002c409c6440d29ae89e91559a6994
-msgid "LOC"
-msgstr ""
-
-#: ../development/specifications.rst:65
-#: 3ba35fd6c6d44150b4b049cf603e4a85
-msgid "OIDC"
-msgstr ""
-
-#: ../development/specifications.rst:65
-#: dc762bcd6eca4fc79dae1ca65c411351
-msgid "SAML"
-msgstr ""
-
-#: ../development/specifications.rst:65
-#: 6ae5803282c4439a9e7b1c1570e4c505
-msgid "CAS"
-msgstr ""
-
-#: ../development/specifications.rst:67
-#: f4c4ac6fdea74558a74bc9a3cefbb5c7
-msgid "Canaille"
-msgstr ""
-
-#: ../development/specifications.rst:67
-#: ../development/specifications.rst:69
-#: ../development/specifications.rst:71
-#: ../development/specifications.rst:73
-#: ../development/specifications.rst:75
-#: ../development/specifications.rst:77
-#: ../development/specifications.rst:79
-#: ../development/specifications.rst:81
+#: ../development/specifications.rst:62
 #: ../development/specifications.rst:83
-#: ../development/specifications.rst:85
-#: ../development/specifications.rst:87
-#: ../development/specifications.rst:89
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: b4f8f14c2ccd48d7a2df4514e072872c
-#: c2035a448fa9405a92d51c9c90277394
-#: ae10fc61ac05465c88b82d0432b9f6f3
-#: c2035a448fa9405a92d51c9c90277394
-#: aa47e755d8094a54a72e5a984eca8212
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: 33e7166b401144bcadff959d61e03c4c
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: 01a61d6ece794b39adc441233aef3a3d
-#: 7bba6b8427854a41b99c15b883290007
-#: c2035a448fa9405a92d51c9c90277394
-#: 35d2af03a40c44f3be85f38d56883d26
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: 588ab8a50fca4528b9a471dbddfb7d4a
-#: c2035a448fa9405a92d51c9c90277394
-#: 5b92e201931a462c90a3d3883c2bd94a
-#: ba65de35554741a48a7eb4a72fc66433
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: b845153d9ebc4c2e83791da5c5d0bf5a
-#: 4dd20636352243038f0bdad8d15e8449
-#: 5b23071246ab41f1abd1bfa5596a4b46
-#: e9195a6880cc4824bb5fbfce4b1d26dc
-#: c2035a448fa9405a92d51c9c90277394
-#: d95ce6d1875045fc8442060795ebfe22
-#: c2035a448fa9405a92d51c9c90277394
-#: c1aa2d442f2047f9a1194e38c2b1ddd1
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: ce03d94ab7954c02968bfb44eb0f72fd
-#: 9fb4e3e247d846419051f2852ffa3f31
-#: f5e5911bcb704af19c073370f437c1b4
-#: 2a75e780caa141b798c8b207bcc8fcbe
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: e063ffcc58474df4a66b2814eb4c0f61
-#: c2035a448fa9405a92d51c9c90277394
-#: 1b724ec2c443410fa224420a2dc57059
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: b96e91bf613c4f4cb6ac463fad5a68fe
-#: cff48ca4a13545309d9e1b58c3dede80
-#: e55ccef99f4a45be8fb35a1ed8bb1ac4
-#: a5b3f91649094efebe4e858d745ccb2e
-#: 4b09487097334807804aaba873d4dc7b
-#: c2035a448fa9405a92d51c9c90277394
-#: c2035a448fa9405a92d51c9c90277394
-#: c9b45500d9d145a8862c978d95329330
-#: c34b7940cbbd4218af2cb94e8eb24fc7
-#: c2035a448fa9405a92d51c9c90277394
-#: 8a394726b7b941dfbbd8af3e546782c1
-#: c2035a448fa9405a92d51c9c90277394
-#: 78eb76570364482583c3cb19d0303903
-#: c2035a448fa9405a92d51c9c90277394
-#: 888a30003d764dd28c8744ea11295da4
-#: f5320617a03e47dea905ac5a70208c70
-#: c2035a448fa9405a92d51c9c90277394
-msgid "✅"
+#: f00bbd829f164b10bea0b4a04ac7123d
+#: e66e2017457c4526a39df9630674c5ac
+msgid "Endpoints:"
+msgstr ""
+
+#: ../development/specifications.rst:64
+#: 0eb744fd5a6c4e60a41e71982f000800
+msgid "/Users (GET, POST)"
+msgstr ""
+
+#: ../development/specifications.rst:65
+#: f537052ae8b94a3a83c0e84c52855dc7
+msgid "/Users/<user_id> (GET, PUT, DELETE)"
+msgstr ""
+
+#: ../development/specifications.rst:66
+#: 3b4e9d3e1079430b97611c8dadee4395
+msgid "/Groups (GET, POST)"
 msgstr ""
 
 #: ../development/specifications.rst:67
-#: ../development/specifications.rst:73
-#: 86f975b8aaab4af9bfc62ef2df91ba28
-#: 86f975b8aaab4af9bfc62ef2df91ba28
-msgid "Python"
+#: 3e673b4744e945b89c77ced8145f54fc
+msgid "/Groups/<user_id> (GET, PUT, DELETE)"
 msgstr ""
 
-#: ../development/specifications.rst:67
-#: 3a757539fafc4e3aa92dbdec5227a2df
-msgid "10k"
-msgstr ""
-
-#: ../development/specifications.rst:67
-#: ../development/specifications.rst:69
-#: ../development/specifications.rst:71
-#: ../development/specifications.rst:73
-#: ../development/specifications.rst:75
-#: ../development/specifications.rst:77
-#: ../development/specifications.rst:79
-#: ../development/specifications.rst:83
-#: ../development/specifications.rst:87
-#: ../development/specifications.rst:89
-#: 0baee04e46584b46ab2b5bd83dea4c0d
-#: cab3dd361d004e25bc0250cb2e0ffe9a
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: 465d3f3e0fd74093b25163100de425b3
-#: 7d6b64f2f3bd472bac864db31a8369db
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: fd884c4495c144699d4ed019e0264719
-#: d1129a1abbbe451393139f636f972160
-#: 94a1a61f502a42569788cfe93ad6bcf7
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-#: d1129a1abbbe451393139f636f972160
-msgid "❌"
+#: ../development/specifications.rst:68
+#: c279b1a6193b4de49c1ac392b9c9f1f8
+msgid "/ServiceProviderConfig (GET)"
 msgstr ""
 
 #: ../development/specifications.rst:69
-#: 41d7747dc9384c6b908b8394168b5b5a
-msgid "`Auth0`_"
+#: 833aa61f227c44bebf4cab293e712391
+msgid "/Schemas (GET)"
 msgstr ""
 
-#: ../development/specifications.rst:69
-#: ../development/specifications.rst:79
-#: ../development/specifications.rst:81
-#: ../development/specifications.rst:89
-#: 8f85eeab9d6945af894c55e2a4aa0b9b
-#: b391b0e5e2724d7f9d457a4e64303697
-#: b391b0e5e2724d7f9d457a4e64303697
-#: 9d4e74c78b2b439785310a334d06a1c7
-#: b391b0e5e2724d7f9d457a4e64303697
-#: b391b0e5e2724d7f9d457a4e64303697
-#: b391b0e5e2724d7f9d457a4e64303697
-#: f682275b9cb14280a7f2654d727c75d1
-#: b391b0e5e2724d7f9d457a4e64303697
-msgid "❔"
+#: ../development/specifications.rst:70
+#: 437a13d677eb4961a96df34b5f5081dc
+msgid "/Schemas/<schema_id> (GET)"
 msgstr ""
 
 #: ../development/specifications.rst:71
-#: 47ff7b1213464f85b246c4282f3af933
-msgid "`Authelia`_"
+#: 31b2a6d444504b8c88257b25f6fd6467
+msgid "/ResourceTypes (GET)"
 msgstr ""
 
-#: ../development/specifications.rst:71
-#: ../development/specifications.rst:75
-#: ../development/specifications.rst:83
-#: 5db56fd3e64948f5a108d2f74f7070b4
-#: 5db56fd3e64948f5a108d2f74f7070b4
-#: 5db56fd3e64948f5a108d2f74f7070b4
-msgid "Go"
+#: ../development/specifications.rst:72
+#: e9a55c28a7944c5fbaa20d14508ac6ed
+msgid "/ResourceTypes/<resource_type_id> (GET)"
 msgstr ""
 
-#: ../development/specifications.rst:71
-#: ../development/specifications.rst:83
-#: 741e97755b8c4478b7e19ba006898401
-#: 741e97755b8c4478b7e19ba006898401
-msgid "50k"
+#: ../development/specifications.rst:74
+#: 7bd6fb34cea64198b21ae7f53d85a6a5
+msgid "Features:"
 msgstr ""
 
-#: ../development/specifications.rst:73
-#: 7fb71b70103e40eeb178e1281ea81de3
-msgid "`Authentic2`_"
-msgstr ""
-
-#: ../development/specifications.rst:73
-#: cb26c38797d9416fafe5d1a1b5c5b03b
-msgid "65k"
-msgstr ""
-
-#: ../development/specifications.rst:75
-#: 6f7fc7bbb2694f09a12393a74ffc8013
-msgid "`Authentik`_"
-msgstr ""
-
-#: ../development/specifications.rst:75
-#: bb964534c0704925b6d856bd54af7c7f
-msgid "55k"
-msgstr ""
-
-#: ../development/specifications.rst:77
-#: 4604cb0778044b63807b2be23ced893c
-msgid "`CAS`_"
-msgstr ""
-
-#: ../development/specifications.rst:77
-#: ../development/specifications.rst:81
-#: ../development/specifications.rst:85
-#: aa3618e441ac413e83acdfe56631d15a
-#: aa3618e441ac413e83acdfe56631d15a
-#: aa3618e441ac413e83acdfe56631d15a
-msgid "Java"
-msgstr ""
-
-#: ../development/specifications.rst:77
-#: c316893b4f00454a8c5745071e0888b1
-msgid "360k"
-msgstr ""
-
-#: ../development/specifications.rst:79
-#: c8a158afb8d841209c20b9ef42e563cb
-msgid "`Connect2id`_"
+#: ../development/specifications.rst:76
+#: bb39dc2c17084a99bfe91991bff98c65
+msgid ":rfc:`pagination <7644#section-3.4.2.4>`"
 msgstr ""
 
 #: ../development/specifications.rst:81
-#: a264cd68201c442faf08474397c550aa
-msgid "`Gluu`_"
-msgstr ""
-
-#: ../development/specifications.rst:83
-#: e54b53bfeafd4764b01095c1cd0077b7
-msgid "`Hydra`_"
+#: da7a2a26dbfb494abca9e21b3178087e
+msgid "What is not implemented yet"
 msgstr ""
 
 #: ../development/specifications.rst:85
-#: 87594578370246d494ef5e63196a3a92
-msgid "`Keycloak`_"
+#: 3f5bbff2d4e645e2bac778dfde9ed8dc
+msgid "/Users (PATCH)"
 msgstr ""
 
-#: ../development/specifications.rst:85
-#: d6304d1f41714ad5af15edb6febbfbc5
-msgid "600k"
+#: ../development/specifications.rst:86
+#: b04a230b285c4f929df30d29d39f4adc
+msgid "/Groups (PATCH)"
 msgstr ""
 
 #: ../development/specifications.rst:87
-#: 2efe7957b848447dacfecb082a95c438
-msgid "`LemonLDAP`_"
+#: a9624bebc96e4cde8a86dca7891fc608
+msgid ":rfc:`/Me <7644#section-3.11>` (GET, POST, PUT, PATCH, DELETE)"
 msgstr ""
 
-#: ../development/specifications.rst:87
-#: cdd25b565e5d4de4b4202f82f4407843
-msgid "Perl"
-msgstr ""
-
-#: ../development/specifications.rst:87
-#: 51b2d4fcc1fc43d2a692826a2b2c62d1
-msgid "130k"
+#: ../development/specifications.rst:88
+#: 0d99d94d47e2444bb6f01c2ec9473a56
+msgid ":rfc:`/Bulk <7644#section-3.11>` (POST)"
 msgstr ""
 
 #: ../development/specifications.rst:89
-#: 4c2a5d27487345f7bc3c1bbd0c897c47
-msgid "`Okta`_"
+#: 506274526a7647ceb7d2e5261bbf9651
+msgid ":rfc:`/.search <7644#section-3.4.3>` (POST)"
 msgstr ""
 
+#: ../development/specifications.rst:91
 #: ../features.rst:9
-#: 61a68141a485477a9fb49921e7b8aa3a
+#: 5939a5db19484022bdfaec1794dc1516
+#: f057b88a8b504465b8ed8e332fd5a830
 msgid "Features"
 msgstr ""
 
+#: ../development/specifications.rst:93
+#: 6296feda85f44091a6fc410094a96b28
+msgid ":rfc:`filtering <7644#section-3.4.2.2>`"
+msgstr ""
+
+#: ../development/specifications.rst:94
+#: 85a81b4268b44d729dfb8c5e7de75331
+msgid ":rfc:`sorting <7644#section-3.4.2.3>`"
+msgstr ""
+
+#: ../development/specifications.rst:95
+#: 48122d4760344fb9ae3744592a4391d1
+msgid ":rfc:`attributes selection <7644#section-3.4.2.5>`"
+msgstr ""
+
+#: ../development/specifications.rst:96
+#: 2b86a717dda044408341557e54acab93
+msgid ":rfc:`ETags <7644#section-3.14>`"
+msgstr ""
+
+#: ../development/specifications.rst:99
+#: efa9edcb4c094b339af9010d82b9f505
+msgid "Comparison with other providers"
+msgstr ""
+
+#: ../development/specifications.rst:101
+#: cb82439c48684c8d919147a88247f36f
+msgid "Here is a feature comparison with other OpenID Connect server software."
+msgstr ""
+
+#: ../development/specifications.rst:103
+#: 47f5af9436b14ce8afaae2e08adceb8d
+msgid "Canaille voluntarily only implements the OpenID Connect protocol to keep its codebase simple."
+msgstr ""
+
+#: ../development/specifications.rst:106
+#: 230957da07d14930aac58e75241f769b
+msgid "Software"
+msgstr ""
+
+#: ../development/specifications.rst:106
+#: 1e53a394ee3f4824ac843953a1c6f6a4
+msgid "Project"
+msgstr ""
+
+#: ../development/specifications.rst:106
+#: da7a2a26dbfb494abca9e21b3178087e
+msgid "Protocols implementations"
+msgstr ""
+
+#: ../development/specifications.rst:108
+#: 54e482c6722046fc9cad9abdf6501ebf
+msgid "FLOSS"
+msgstr ""
+
+#: ../development/specifications.rst:108
+#: 27466fe335f14fc58651275455bc3b85
+msgid "Language"
+msgstr ""
+
+#: ../development/specifications.rst:108
+#: a62b0ccd1e3642f1922043446575891c
+msgid "LOC"
+msgstr ""
+
+#: ../development/specifications.rst:108
+#: 8a0ae563aeb34a48afdd436dfb90bdfb
+msgid "OIDC"
+msgstr ""
+
+#: ../development/specifications.rst:108
+#: 988a35af2eef476299eb83b8ae5a3849
+msgid "SAML"
+msgstr ""
+
+#: ../development/specifications.rst:108
+#: 32c77efb6cff4149868aa5ae1ea6e9d4
+msgid "CAS"
+msgstr ""
+
+#: ../development/specifications.rst:110
+#: f48994303e73429c9073af002d2cbe8b
+msgid "Canaille"
+msgstr ""
+
+#: ../development/specifications.rst:110
+#: ../development/specifications.rst:112
+#: ../development/specifications.rst:114
+#: ../development/specifications.rst:116
+#: ../development/specifications.rst:118
+#: ../development/specifications.rst:120
+#: ../development/specifications.rst:122
+#: ../development/specifications.rst:124
+#: ../development/specifications.rst:126
+#: ../development/specifications.rst:128
+#: ../development/specifications.rst:130
+#: ../development/specifications.rst:132
+#: 4384675732a44a5699eadf3db840ea68
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: a2b336de60474811a85371ac9b8fc936
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: f1e4ba474c2545f788b426e174b25269
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 45623bf338bb42e8b4a3f1276d08dbf8
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 5c1d5b1b5b9947169a6512526bf1354c
+#: bca0227caf0541afac9dde2ef357f96a
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 99c49b778a0248848dc909e7e9de6327
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 646e26dbbb6d4c158ff400b6c7ac4752
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 047de5aa45d14d57a0f7c65c16a25060
+#: 374cb94f40a9471e95364d0dca1f9a0c
+#: 726b27f2dcf347c0b5421f3e41bf3dba
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 9fc1f509353c4f6cab3f7c3b21883cf6
+#: eea6bc914188401e8e132b973e250a62
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: 92e87b99f7a1479aaa8dbca7200356e4
+#: 6f79ec5e229a4675b9b9a8c0d2700567
+#: cdd868b8d08c488f9f47c95e0acf3f1b
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: b36371c9f8004f0788446980ea23685a
+#: fc2c732457544aeab7c028832e170afd
+#: 47f38426ae2d4daf866ba55ca0fb065c
+#: 764feb42eb4f4c218bc5764f8d1076f3
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: a80e2f550fd842f3bdf85a6b83f985cd
+#: d2a83a7da92c4f599843afcaacff9727
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+#: cecfeb6d9fb7420ca837b206d1d6764c
+msgid "✅"
+msgstr ""
+
+#: ../development/specifications.rst:110
+#: ../development/specifications.rst:116
+#: c38bff66a17c471fabb1344102a537ea
+#: c38bff66a17c471fabb1344102a537ea
+msgid "Python"
+msgstr ""
+
+#: ../development/specifications.rst:110
+#: 2898d3796e7c4b88b8b7a9f519d2fc45
+msgid "10k"
+msgstr ""
+
+#: ../development/specifications.rst:110
+#: ../development/specifications.rst:112
+#: ../development/specifications.rst:114
+#: ../development/specifications.rst:116
+#: ../development/specifications.rst:118
+#: ../development/specifications.rst:120
+#: ../development/specifications.rst:122
+#: ../development/specifications.rst:126
+#: ../development/specifications.rst:130
+#: ../development/specifications.rst:132
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: fff8dea44f12432098ca99ba6d1b5c2e
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+#: 3a76f65f9cc740a5ac8954efd498ae76
+msgid "❌"
+msgstr ""
+
+#: ../development/specifications.rst:110
+#: 5cfccc6b8c584d5cbdd54736cddb3502
+msgid "🟠"
+msgstr ""
+
+#: ../development/specifications.rst:112
+#: d9d78032f92a41c7bf30d755415a3cbb
+msgid "`Auth0`_"
+msgstr ""
+
+#: ../development/specifications.rst:112
+#: ../development/specifications.rst:122
+#: ../development/specifications.rst:124
+#: ../development/specifications.rst:132
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+#: 517701d2d9ae411db882f60fd1747fd0
+msgid "❔"
+msgstr ""
+
+#: ../development/specifications.rst:114
+#: 1682bb5887184cd9bff0b61796d76876
+msgid "`Authelia`_"
+msgstr ""
+
+#: ../development/specifications.rst:114
+#: ../development/specifications.rst:118
+#: ../development/specifications.rst:126
+#: d82982be3ee7475a983ce04e39624c7b
+#: d82982be3ee7475a983ce04e39624c7b
+#: d82982be3ee7475a983ce04e39624c7b
+msgid "Go"
+msgstr ""
+
+#: ../development/specifications.rst:114
+#: ../development/specifications.rst:126
+#: 44c24ba16cb6419abd4d3af84403a709
+#: 44c24ba16cb6419abd4d3af84403a709
+msgid "50k"
+msgstr ""
+
+#: ../development/specifications.rst:116
+#: 9110311d7f6e48b38ba0b32706d706e8
+msgid "`Authentic2`_"
+msgstr ""
+
+#: ../development/specifications.rst:116
+#: d5b5b77fa7e544278f1e017ebe7b9b73
+msgid "65k"
+msgstr ""
+
+#: ../development/specifications.rst:118
+#: 0f7c8328ceb74a3286d140ea99595441
+msgid "`Authentik`_"
+msgstr ""
+
+#: ../development/specifications.rst:118
+#: 9b22f0bb6f364ffba33f4906e6bca29d
+msgid "55k"
+msgstr ""
+
+#: ../development/specifications.rst:120
+#: 935dcdae37fe48a68e5dfb04ab8f64f8
+msgid "`CAS`_"
+msgstr ""
+
+#: ../development/specifications.rst:120
+#: ../development/specifications.rst:124
+#: ../development/specifications.rst:128
+#: a9de8918cec743a1a9d325a74233ece4
+#: a9de8918cec743a1a9d325a74233ece4
+#: a9de8918cec743a1a9d325a74233ece4
+msgid "Java"
+msgstr ""
+
+#: ../development/specifications.rst:120
+#: fd1f63cd853f44e885dd67b3a6094f9a
+msgid "360k"
+msgstr ""
+
+#: ../development/specifications.rst:122
+#: f10eb07a326744518a2f6b631cb88d15
+msgid "`Connect2id`_"
+msgstr ""
+
+#: ../development/specifications.rst:124
+#: 4c26496dd0e544ef97d8d345c3d9169f
+msgid "`Gluu`_"
+msgstr ""
+
+#: ../development/specifications.rst:126
+#: b505e8661bf24fe287f1fc77d1326ab2
+msgid "`Hydra`_"
+msgstr ""
+
+#: ../development/specifications.rst:128
+#: 53abb4819cbf4fb7ad273fa25556814e
+msgid "`Keycloak`_"
+msgstr ""
+
+#: ../development/specifications.rst:128
+#: 5d8e6ef889ba4715986a7a237b753297
+msgid "600k"
+msgstr ""
+
+#: ../development/specifications.rst:130
+#: 30fe26bf61584e29ac73c07d679ba6a5
+msgid "`LemonLDAP`_"
+msgstr ""
+
+#: ../development/specifications.rst:130
+#: 12a5b8832f2b4831a41af30522055343
+msgid "Perl"
+msgstr ""
+
+#: ../development/specifications.rst:130
+#: 42f8e0deef9246a5a4f9a3cb69a5966f
+msgid "130k"
+msgstr ""
+
+#: ../development/specifications.rst:132
+#: 8bcf4b8cde474ff49b0e8bbc96e52986
+msgid "`Okta`_"
+msgstr ""
+
 #: ../features.rst:11
-#: 5dd070084abb440ebf87c36df501f197
+#: ede71f0291474638a54b3c73dbf2e4bf
 msgid "Here are the different features that Canaille provides. You can enable any of those features with the :doc:`configuration <references/configuration>` to fit any :doc:`use cases <usecases>` you may meet. Check our  :ref:`roadmap <features:Roadmap>` to see what is coming next."
 msgstr ""
 
 #: ../features.rst:15
-#: 83eef1f1157b4d37b4627438618f31ab
+#: cf814f15959a43cfaa0392cd83755fce
 msgid "Users can interact with Canaille through its :ref:`web interface <features:Web interface>` and administrators can also use its :ref:`command line interface <feature_cli>`. Canaille can handle data stored in different :ref:`database backends <feature_databases>`."
 msgstr ""
 
 #: ../features.rst:19
-#: 73c7e363c37147fc825deea06ee26975
+#: 02e100abc6e44fe49224f9e4046dc49e
 msgid "User and group management"
 msgstr ""
 
 #: ../features.rst:21
-#: e19b2b99a8544219b61bbedc1229e77c
+#: 09d69566150048b4a17d192bfc4d5112
 msgid "Canaille web interface can be used either in :doc:`production environments <tutorial/deployment>` or locally for development purposes."
 msgstr ""
 
 #: ../features.rst:26
 #: ../index.rst:27
-#: 759b0714ba194bc5a5d043350cb4cd14
-#: dd79223676e0465293d1499d8929fa26
+#: 4a8e8cfdbaaf4d86a28840ef0939d7d9
+#: 947ce49c0ff9406fb81b5e3cc5329c24
 msgid "Profile management"
 msgstr ""
 
-#: ../features.rst:28
-#: ../features.rst:220
-#: 53e5483c51ae4df28138ae990c16de07
-#: 0a36f2261b84450b98131ff740f7ceb9
+#: ../features.rst:-1
+#: d4de0b07d24e47b9aba16e48ed9cbe27
+#: 542fdff284144a8c805b4824d03d6b76
 msgid "Profile"
 msgstr ""
 
 #: ../features.rst:33
-#: 864adfa77693422cad803b08d9187a5e
+#: c59d37a518514008bc2c6f2c18dd6326
 msgid "Canaille provides an interface to manage user profiles."
 msgstr ""
 
 #: ../features.rst:35
-#: 505ce537381249ec82445d38a4e093df
+#: 8b67e3a00af440328b615d2921dc27a6
 msgid "The exact list of displayed fields, and whether they are :attr:`writable <canaille.core.configuration.ACLSettings.WRITE>` or :attr:`read-only <canaille.core.configuration.ACLSettings.READ>` depends on the user :class:`Access Control List settings (ACL) <canaille.core.configuration.ACLSettings>`."
 msgstr ""
 
 #: ../features.rst:37
-#: 625c7cea8a034a7ba263a71ce0587a26
+#: eb4ca5b563c44281aefc8d4ad4c549e8
 msgid "Depending on their ACL :class:`permissions <canaille.core.configuration.Permission>`, users can either be allowed to edit their own profile, edit any user profile, or do nothing at all."
 msgstr ""
 
 #: ../features.rst:42
-#: 530dac22b587444cbd5de9ba2d7a3a90
+#: e4d34befed5941bab9161eb3c0330fad
 msgid "Email confirmation"
 msgstr ""
 
 #: ../features.rst:44
-#: 2c3acd412bb944ab81ff2631784bff71
+#: 28a9397d838e4ffaaf5c8f8558416355
 msgid "If the :attr:`email confirmation feature <canaille.core.configuration.CoreSettings.EMAIL_CONFIRMATION>` is enabled, any modification or addition of a profile email will send a confirmation mail to the new address. The mail will contain a link that users will need to click on to confirm their email address."
 msgstr ""
 
 #: ../features.rst:46
-#: 8d597149b59e45f896eff2baa716fc20
+#: d3563178a13d42268ae8a3f0cb15b90f
 msgid "Users with :attr:`user management permission <canaille.core.configuration.Permission.MANAGE_USERS>` can set user emails without confirmation though."
 msgstr ""
 
 #: ../features.rst:51
-#: 4a6be5a6b71a4a5ea35d7c4a41630e35
+#: 280cf35bfcbe4a25b39bb567780bafdb
 msgid "Group management"
 msgstr ""
 
-#: ../features.rst:53
-#: ../features.rst:140
-#: 4824338c1fbf4fdd8c2e01534219ee98
-#: 3d8b9fc086e945d890bf9b3e01c82984
+#: ../features.rst:-1
+#: 1d74522e450c43f5adec93c195b5a356
+#: ca799065d4684b54940c65062bed411b
 msgid "Group edition"
 msgstr ""
 
 #: ../features.rst:58
-#: afc7e192d41148e0a2ef8ec6f8944729
+#: 1471f707ae604de8b2b0222ca43eb2c2
 msgid "In a similar fashion than :ref:`profile management <feature_profile_management>` Canaille provides an interface to manage user groups."
 msgstr ""
 
 #: ../features.rst:60
-#: b83c6d0af7fe45228496bb2c594cf88c
+#: 08eb7bac987947149589e0b40c938b0c
 msgid "The group management is quite simple at the moment and consists in a group name and description, and the list of its members. Group membership can be use as :attr:`ACL Filter <canaille.core.configuration.ACLSettings.FILTER>` to define user permissions."
 msgstr ""
 
@@ -2846,750 +2987,772 @@ msgstr ""
 #: ../features.rst:83
 #: ../features.rst:149
 #: ../tutorial/deployment.rst:13
-#: 6fdf0a969ccb49e1bf9bfc28f4df9169
-#: 4065a0b70a1444058df3bb16f0abc445
-#: bc0be7a805e04b5f91b89db28d7dffae
-#: 7ab21494d11e4287acffeb771f8f5244
+#: ../tutorial/provisioning.rst:13
+#: 4ca7b990ff9c429aa56f1ec0ab57aef9
+#: 2cf4c2bbf0ab431f857b4fe0f7b840a0
+#: 1382b05cef654b76b8fb57324f33b950
+#: 757f761fb4724713bdc1308505431bfb
+#: 12614607f99a412c9cf9f161db77c3ac
 msgid "Todo"
 msgstr ""
 
 #: ../features.rst:64
-#: 60eafd84b6934482b1ec0831e6aaa3b7
+#: 89199041503f41d3b7cad73267f4cf96
 msgid "At the moment adding an user to a group can only be achieved by the user settings page, but we are :issue:`working to improve this <192>`."
 msgstr ""
 
 #: ../features.rst:66
-#: 6440e19e527d4d5f8abc44d99c8a3dba
+#: fcdf9f9d5f1e4723b46a2ca1fc89539e
 msgid "Group management can be enable with a :attr:`dedicated user permission <canaille.core.configuration.Permission.MANAGE_GROUPS>`."
 msgstr ""
 
 #: ../features.rst:69
-#: 2382414ec97641a4925e741a26ae3148
+#: 95eff978c7994138a3200e090c84471d
 msgid "Due to limitations in the :ref:`LDAP backend <tutorial/databases:LDAP>`, groups must have at least one member. Thus it is not possible to remove the last user of a group without removing the group."
 msgstr ""
 
 #: ../features.rst:75
 #: ../index.rst:34
-#: b136f97d836d4c8dbb63cd671ceebe4e
-#: 76d8725ced9e421f98de5fb1e1ee01a2
+#: 177c53d2c6094d43875d87ca2a55ed98
+#: 937baa96f2514cdaad76f4d28816abe7
 msgid "User authentication"
 msgstr ""
 
 #: ../features.rst:77
-#: 022b43e4ff7f4932aa151eaade78aeb6
+#: d461efae4b9d41e4b7dba32a75588df0
 msgid "Unless their account is :ref:`locked <feature_account_locking>`, users can authenticate with a login and a password."
 msgstr ""
 
 #: ../features.rst:81
-#: 1a8cb7dc227a452b81768be3758a8fb4
+#: 3c53cd1507ce48c780297457fc4efd97
 msgid "For security reasons, it won't be told to users if they try to sign in with an unexisting logging, unless explicitly :attr:`set in the configuration <canaille.core.configuration.CoreSettings.HIDE_INVALID_LOGINS>`."
 msgstr ""
 
 #: ../features.rst:83
-#: 778349cb3c344689bd8cc06184005e10
+#: 80eee19145c64fbc9ea0c26464fab965
 msgid ":ref:`LDAP backend <tutorial/databases:LDAP>` users can define which :class:`user field <canaille.core.models.User>` should be used as the login (such as :attr:`~canaille.core.models.User.user_name` or :attr:`~canaille.core.models.User.emails`) using a :attr:`configuration parameter <canaille.backends.ldap.configuration.LDAPSettings.USER_FILTER>`, but other backends can only login using :attr:`~canaille.core.models.User.user_name`. We are :issue:`working to improve this <196>`."
 msgstr ""
 
 #: ../features.rst:88
-#: aa467ae3118543ed94401a8ca23776f1
+#: 560be09061014d5485f75f3c90d3790c
 msgid "User registration"
 msgstr ""
 
 #: ../features.rst:90
-#: c81ba8ba520c4d8bb6c8475fe023404b
+#: 4780fab4d36744c6991df9ae3919e4a0
 msgid "Users can create accounts on Canaille if the :attr:`registration feature <canaille.core.configuration.CoreSettings.ENABLE_REGISTRATION>` is enabled. They will be able to fill a registration form with the fields detailed in the default :class:`ACL settings <canaille.core.configuration.ACLSettings>`."
 msgstr ""
 
 #: ../features.rst:92
-#: c1f2442a948d414e9b9983d79aa91ae4
+#: f1e0991feda34f918887bf7653c16801
 msgid "If :attr:`email confirmation <canaille.core.configuration.CoreSettings.EMAIL_CONFIRMATION>` is also enabled, users will be sent a confirmation link to their email address, on which they will need to click in order to finalize their registration."
 msgstr ""
 
+#: ../features.rst:-1
 #: ../features.rst:97
-#: ../features.rst:99
-#: 3d200c871e19420db3ce1885f7414a3c
-#: 7bf61d1ad01240f7b1ed2db4ab0fdf77
+#: 6edf18a1ecff4430baaed61db6717c23
+#: a2293ea9f6564b6b8bc9c02c5a8f0f40
 msgid "User invitation"
 msgstr ""
 
 #: ../features.rst:104
-#: 134f042cb892434e922c01d62222ed54
+#: 7f4e56bdbb9842beba1644e2fabad41f
 msgid "If a :class:`mail server <canaille.core.configuration.SMTPSettings>` is configured, users with :attr:`user management permission <canaille.core.configuration.Permission.MANAGE_USERS>` can create an invitation link for one user."
 msgstr ""
 
 #: ../features.rst:106
-#: e054dbb49f644364a6aaadcb2f5a0024
+#: 05145189cce34c4d80a56aa785cee5f5
 msgid "The link goes to a registration form, even if regular :ref:`user registration <feature_user_registration>` is disabled."
 msgstr ""
 
 #: ../features.rst:108
-#: 536cbb5eff1444dda4ac45998d356fe6
+#: 24a4d13134934174aaedf461e03f2363
 msgid "It can be automatically sent by email to the new user."
 msgstr ""
 
 #: ../features.rst:113
-#: c24731829c1949aeb3f54f0167ed8b37
+#: a05444b5846248f9aebaa28b316be1b8
 msgid "Account locking"
 msgstr ""
 
 #: ../features.rst:115
-#: 48e7bf2282b5487f9437be3863edc5ed
+#: 1c40bbaf596c4a28993904e4aab8b076
 msgid "If Canaille is plugged to a :ref:`backend <feature_databases>` that supports it, user accounts can be locked by users with :attr:`user management permission <canaille.core.configuration.Permission.MANAGE_USERS>`. The lock date can be set instantly or at a given date in the future."
 msgstr ""
 
 #: ../features.rst:118
-#: 31e7e6b90652414ab1b450f98ddb7d53
+#: e6053c7a0e4c4feabd77b2aa14c50018
 msgid "At the moment a user account is locked:"
 msgstr ""
 
 #: ../features.rst:120
-#: 6be8caf7464643e99cb2614ce0138045
+#: 1614c2a9020a4da58427064a8b480050
 msgid "their open sessions will be closed;"
 msgstr ""
 
 #: ../features.rst:121
-#: 93da628150674abe85e3ff8f27e83c0a
+#: bd083a39c3e94f20b0ca06eb45a6ee68
 msgid "they won't be able to sign in again;"
 msgstr ""
 
 #: ../features.rst:122
-#: e5196d576eb445d9aa83989d6f241c42
+#: 3f671916358b469d91fb687a638b5c39
 msgid "no new OIDC token will be issued;"
 msgstr ""
 
 #: ../features.rst:124
-#: c784a99a157b46028eb5c3543da73e38
+#: 2cc679d736b341e4bde79d159d806618
 msgid "User accounts must be manually unlocked by an administrator for the users to regain access to those actions."
 msgstr ""
 
 #: ../features.rst:129
-#: da2f0b388508475cbb3fd080de1ff44c
+#: fb080216984840ba99f095aece85255d
 msgid "Account deletion"
 msgstr ""
 
 #: ../features.rst:131
-#: 5bc09c4f89764a1a950c44dc255b98d2
+#: 1339699fc6974a4e8e1ab03633a79a69
 msgid "Users with the :attr:`account deletion permission <canaille.core.configuration.Permission.DELETE_ACCOUNT>` are allowed to delete their own account."
 msgstr ""
 
 #: ../features.rst:133
-#: 85f4ea778e8f45f7841ddf39f1bc8b41
+#: 65b2e1806f3a437aa8b5238f022e0352
 msgid "Users that also have the :attr:`user management permission <canaille.core.configuration.Permission.MANAGE_USERS>` are also allowed to delete other users accounts."
 msgstr ""
 
 #: ../features.rst:138
-#: 86a66e197de94dcbb90d559730b89318
+#: 278ed12bce6b4b318f677aa6d22138f5
 msgid "Password recovery"
 msgstr ""
 
 #: ../features.rst:145
-#: 6693db5e96354da69ed660a259c109ce
+#: c2409768ec7a46d584ed1ed235e7a4d0
 msgid "If a :class:`mail server <canaille.core.configuration.SMTPSettings>` is configured and the :attr:`password recovery feature <canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_RECOVERY>` is enabled, then users can ask for a password reset email if they cannot remember their password."
 msgstr ""
 
 #: ../features.rst:147
-#: 2f356fab771549f9bdca5fa4f3ca2e5e
+#: 7dbfa07474cd40c7a7c17748fbb21a07
 msgid "The email will be sent to the email addresses filled in their profile, and will contain a link that will allow them to choose a new password. ."
 msgstr ""
 
 #: ../features.rst:151
-#: a603b57c4fc54e67ba04056b0037ae8e
+#: 410c54a611eb4b1c8a372b80f744f941
 msgid "Check that password recovery is disabled on locked accounts."
 msgstr ""
 
 #: ../features.rst:156
-#: 1bdb193d14a444a2a823f0dcef03e8ad
+#: 2c4f6c64da0c42eab5520711fca1dc46
 msgid "Password reset"
 msgstr ""
 
 #: ../features.rst:158
-#: 077ee41f3059484dad80b08733aae520
+#: 383eb7a045cd41f0909ad9aad2601065
 msgid "If a :class:`mail server <canaille.core.configuration.SMTPSettings>` is configured, :attr:`user management permission <canaille.core.configuration.Permission.MANAGE_USERS>` can send password reset mails to users. The mails contains a link that allow users to choose a new password without having to retrieve the old one."
 msgstr ""
 
 #: ../features.rst:164
-#: c4e7b07761674e608a0e2bfdd50a659a
+#: 7be9af4a393e4203b3da626d93d71d69
 msgid "Password initialization"
 msgstr ""
 
 #: ../features.rst:166
-#: 5043df71775449a78e19ce0296f8d9ee
+#: 02bd8f9a76fd4b66a8f803288246c0ef
 msgid "User :attr:`passwords <canaille.core.models.User.password>` are optional. If a :class:`mail server <canaille.core.configuration.SMTPSettings>` is configured, when users with no password attempt to sign in, they are invited to click a button that will send them a password initialization mail. The mail contains a link that leads to a form that allows users to choose a password."
 msgstr ""
 
 #: ../features.rst:173
-#: 412b386c0c794b5d8c71ea7b51278da8
+#: 4f60c7a56e5544afa1bbaee9df0805e0
 msgid "Password compromission check"
 msgstr ""
 
 #: ../features.rst:175
-#: 35e11da6bbdf4e2da05a3a66c24e1dbe
+#: 3dc13b94cd014d6f976426da9840a3d6
 msgid "If :attr:`password compromission check feature <canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_COMPROMISSION_CHECK>` is enabled, Canaille will check for password compromise on HIBP (https://haveibeenpwned.com/) every time a new password is register. You will need to set an :attr:`admin email <canaille.core.configuration.CoreSettings.ADMIN_EMAIL>`."
 msgstr ""
 
-#: ../features.rst:178
-#: cbba3fccd9f84230b6eb0774cfd7e109
+#: ../features.rst:180
+#: d0049b96f7c1401a91d968aa93715930
+msgid "Multi-factor authentication"
+msgstr ""
+
+#: ../features.rst:182
+#: c480b36838b64abbbe3986a7295613d5
+msgid "If the :attr:`one-time password feature <canaille.core.configuration.CoreSettings.OTP_METHOD>` is set, then users will need to authenticate themselves using a one-time password via an authenticator app. Two options are supported : \"TOTP\" for time one-time password, and \"HOTP\" for HMAC-based one-time password. In case of lost token, TOTP/HOTP authentication can be reset by users with :attr:`user management permission <canaille.core.configuration.Permission.MANAGE_USERS>`. If a :class:`mail server <canaille.core.configuration.SMTPSettings>` is configured and the :attr:`email one-time password feature <canaille.core.configuration.CoreSettings.EMAIL_OTP>` is enabled, then users will need to authenticate themselves via a one-time password sent to their primary email address. If a :class:`smpp server <canaille.core.configuration.SMPPSettings>` is configured and the :attr:`sms one-time password feature <canaille.core.configuration.CoreSettings.SMS_OTP>` is enabled, then users will need to authenticate themselves via a one-time password sent to their primary phone number."
+msgstr ""
+
+#: ../features.rst:189
+#: a9118911f6a341a3b529fd8882c4e3e4
 msgid "Web interface"
 msgstr ""
 
-#: ../features.rst:183
-#: fab0081b9bd4460098de6df7d8c317b5
+#: ../features.rst:194
+#: 277603f8de354f15857ad0068f148115
 msgid "Internationalization"
 msgstr ""
 
-#: ../features.rst:185
-#: 46cf7a3a3e9047439aa7fa6654b07921
+#: ../features.rst:-1
+#: 6bc7d90be4bf486d8a2e84a48cc76b66
 msgid "Translation state"
 msgstr ""
 
-#: ../features.rst:190
-#: 0a5afedc31de47a28d0bf7842a8558cd
+#: ../features.rst:201
+#: a1f40124b57e452a85abf8af401dc2b1
 msgid "Canaile will display in your :attr:`preferred language <canaille.core.models.User.preferred_language>` if available, or your browser language if available (and if it is not you can :ref:`help us with the translation <development/contributing:Code translation>`). If you prefer, you can also :attr:`force a language <canaille.core.configuration.CoreSettings.FAVICON>` for every users."
 msgstr ""
 
-#: ../features.rst:196
-#: 2caebf718cab47029a83bb91253e36e5
+#: ../features.rst:207
+#: 8bf0ddac3fee4b4f931bd704bbb167dc
 msgid "Lightweight"
 msgstr ""
 
-#: ../features.rst:198
-#: e3cbad3b2af0422287a92a4094559d8b
+#: ../features.rst:209
+#: 3774910a87b34b9dba3b6c28a1e6ba68
 msgid "The web interface is lightweight, so everything should load quickly. There is a few Javascript here and there to smooth the experience, but no Javascript at all is needed to use Canaille."
 msgstr ""
 
-#: ../features.rst:202
-#: a7db848b637a46b1874f04fb542009e2
+#: ../features.rst:213
+#: 0da766448075460d9360204e6975a0f4
 msgid "Customizable"
 msgstr ""
 
-#: ../features.rst:204
-#: 0c829a128889493fbc97247a60390954
+#: ../features.rst:215
+#: 737f45bc79a542ee903e8349947c3b5f
 msgid "The default theme should be good enough for most usages. It has a dark theme, display well on mobile, and let you choose a :attr:`logo <canaille.core.configuration.CoreSettings.LOGO>` and a :attr:`favicon <canaille.core.configuration.CoreSettings.FAVICON>`."
 msgstr ""
 
-#: ../features.rst:207
-#: 3a69d40c024744af967a1408c054aca0
+#: ../features.rst:218
+#: 36b615461b0c49e9aca81c65a60c3308
 msgid "If you need more you can also use a :attr:`custom theme <canaille.core.configuration.CoreSettings.THEME>`."
 msgstr ""
 
-#: ../features.rst:214
-#: 003c4e8eee334a9d89486e2c0ae5d106
+#: ../features.rst:225
+#: 02908b4590a0462cac7afbc2fd17d7f6
 msgid "Canaille implements a :ref:`subset<development/specifications:State of the specs in Canaille>` of the OAuth2/OpenID Connect specifications . This allows to provide :abbr:`SSO (Single Sign-On)` and :abbr:`SLO (Single Log-On)` to applications plugged to Canaille."
 msgstr ""
 
-#: ../features.rst:218
-#: 51e9a6e1ddb04b99a6a73135fc8728e7
+#: ../features.rst:229
+#: f8c59847b97049d19a13ccaa6539f863
 msgid "Consent management"
 msgstr ""
 
-#: ../features.rst:226
-#: a613e3d10f1243f3bc5d4e796b278c89
+#: ../features.rst:237
+#: 8e7afe2e2e6943feb664ab03ae9da770
 msgid "Users can give their consent to application requesting access to their personal information, and then revoke those consent at their will."
 msgstr ""
 
-#: ../features.rst:230
-#: 115bec7ea8944f6ab98641d9bd2540ec
+#: ../features.rst:241
+#: c7a8da519165448ebc4e1c53eb25f207
 msgid "Application management"
 msgstr ""
 
-#: ../features.rst:232
-#: 526d36374a8747d6ad6280379bcf664c
+#: ../features.rst:243
+#: 2e65c0c497da4a77bc85c9500a074047
 msgid "Users with the right :attr:`permission <canaille.core.configuration.Permission.MANAGE_OIDC>` can manager OIDC clients through the web interface."
 msgstr ""
 
-#: ../features.rst:234
-#: 79f0217902dc4b2ca73128ff6c16e7b5
+#: ../features.rst:245
+#: bafe35db98f749d99557feec3ceaf4e7
 msgid "In some cases, it might be useful to avoid the consent page for some trusted applications, so clients can be pre-consented."
 msgstr ""
 
-#: ../features.rst:237
-#: d1f7f85df6404afe91d29e4dee44be1d
+#: ../features.rst:248
+#: 76b48b09fc1c44038a697dfa816afbcc
 msgid "Discovery"
 msgstr ""
 
-#: ../features.rst:239
-#: 8b306f1c76664574a0f3d85805a46d87
+#: ../features.rst:250
+#: f251fff6b3374ecd9fde5bdebced6313
 msgid "Canaille implements the :doc:`Discovery specifications <development/specifications>` so most of the applications plugged to Canaille can auto-configure themselves."
 msgstr ""
 
-#: ../features.rst:242
-#: d5a2f0c4fa2f4363b5e87c4243376aaa
+#: ../features.rst:253
+#: 4fac1fe3bcd346aeb34e8c600df0d542
 msgid "Dynamic Client Registration"
 msgstr ""
 
-#: ../features.rst:244
-#: 800aec57df82487f80fc7da359dc5c34
+#: ../features.rst:255
+#: f53321a9a89d40c0b7fdc48be51240a4
 msgid "Canaille implements the :doc:`Dynamic Client Registration specifications <development/specifications>`, so when the :attr:`feature is enabled <canaille.oidc.configuration.OIDCSettings.DYNAMIC_CLIENT_REGISTRATION_OPEN>`, clients can register themselves on Canaille without an administrator intervention."
 msgstr ""
 
-#: ../features.rst:247
-#: 9cae9e0af58f499dac34354e9c12785d
+#: ../features.rst:258
+#: ec8846e6d8404a8185860b509814e54c
 msgid "System administration"
 msgstr ""
 
-#: ../features.rst:252
+#: ../features.rst:263
 #: ../references/commands.rst:2
-#: 9b5fcf18f6214856ae377f83005f8309
-#: e2a97a5dfb5844f9a74c78b1a28ed23f
+#: 511d3810fbd4411dbf14065b1f014256
+#: a07ec9235c4347858a3f9dd667ade4b6
 msgid "Command Line Interface"
 msgstr ""
 
-#: ../features.rst:254
-#: 98ef5f39d74944668dfff8b63d9d6199
+#: ../features.rst:265
+#: 446a668dea4548ffb184afa168ed6115
 msgid "Canaille comes with a :abbr:`CLI (Command Line Interface)` to help administrators in hosting and management."
 msgstr ""
 
-#: ../features.rst:256
-#: 9a30112ff2eb47c69263e73aa3c4ee15
+#: ../features.rst:267
+#: 1b76ec06f2f841ccb8396a5345014ffd
 msgid "There are tools to :ref:`check your configuration <cli_check>` or to :ref:`install missing parts <cli_install>`. You can use the CLI to :ref:`create <cli_create>`, :ref:`read <cli_get>`, :ref:`update <cli_set>` and :ref:`delete <cli_delete>` models such as :class:`users <canaille.core.models.User>`, :class:`groups <canaille.core.models.Group>` or  :class:`OIDC clients <canaille.oidc.basemodels.Client>`."
 msgstr ""
 
-#: ../features.rst:259
-#: 02d13c90aa8f41f5b1007cd67fcea510
+#: ../features.rst:270
+#: 9f10d5a6354c4cda8b1a4e652c129231
 msgid "There are also tools to :ref:`fill your database <cli_populate>` with random objects, for tests purpose for instance."
 msgstr ""
 
-#: ../features.rst:264
+#: ../features.rst:275
 #: ../tutorial/databases.rst:2
-#: 0225297b7d884971a952f5ec904a15ac
-#: cf1fc0e0abb74b3ca66c1e92a5e773e9
+#: 3f06ed32b21149799d58c75cad1db5ff
+#: fbfabda71be84552b6583acdaa13af3e
 msgid "Databases"
 msgstr ""
 
-#: ../features.rst:266
-#: 1a7af5dc07fa4f6c9231664737ee46a7
+#: ../features.rst:277
+#: 004f29ea7eb74ee2912627a929e87f1c
 msgid "Canaille can handle data from the most :ref:`common SQL databases <tutorial/databases:SQL>` such as PostgreSQL, MariaDB or SQLite, as well as :ref:`OpenLDAP <tutorial/databases:LDAP>`. It also comes with a no-dependency :ref:`in-memory database <tutorial/databases:Memory>` that can be used in unit tests suites."
 msgstr ""
 
-#: ../features.rst:272
-#: a6a6a7334af54051aebed82d83027ea8
+#: ../features.rst:283
+#: 8add6581a16b4877a66ba7c8827152ca
 msgid "Logging"
 msgstr ""
 
-#: ../features.rst:274
-#: 9bc7705bd378459abf2f813381aa58a6
+#: ../features.rst:285
+#: 1179b565c1de4b11a03ca824cce52977
 msgid "Canaille writes :attr:`logs <canaille.core.configuration.CoreSettings.LOGGING>` for every important event happening, to help administrators understand what is going on and debug funky situations."
 msgstr ""
 
-#: ../features.rst:276
-#: 2aeb5161276a4f048c40a7256c3d7f0e
-msgid "The following security events are logged with the tag [SECURITY] for easy retrieval:"
+#: ../features.rst:287
+#: a6282bdfca0b4e2c8ecfd02478d3623d
+msgid "The following security events are logged with the log level \"security\" for easy retrieval :"
 msgstr ""
 
-#: ../features.rst:278
-#: ed4be0b57afe4ce9976c45f03c249444
+#: ../features.rst:289
+#: 49f7ec7627e7414aa616f1060c33d110
 msgid "Authentication attempt"
 msgstr ""
 
-#: ../features.rst:279
-#: 452456f9907e4bbd89439903c2fc9ebc
+#: ../features.rst:290
+#: a26713f492ff4f14a2e3a881e7ab19f1
 msgid "Password update"
 msgstr ""
 
-#: ../features.rst:280
-#: 9ccb4ef2a139403c85223576eb87a182
+#: ../features.rst:291
+#: ca7c103705f14293950cc12dedd96378
 msgid "Email update"
 msgstr ""
 
-#: ../features.rst:281
-#: bd0936deb7994f8fb59f2f0a47115edc
+#: ../features.rst:292
+#: 0e01ba62ff054e4e849ae1d4c1f6fdee
 msgid "Forgotten password mail sent to user"
 msgstr ""
 
-#: ../features.rst:282
-#: 02079fe76d2041aaba48a6b2079630f1
+#: ../features.rst:293
+#: 0e01ba62ff054e4e849ae1d4c1f6fdee
+msgid "One-time password mail sent to user"
+msgstr ""
+
+#: ../features.rst:294
+#: d0049b96f7c1401a91d968aa93715930
+msgid "Multi-factor authentication reset"
+msgstr ""
+
+#: ../features.rst:295
+#: 8f4e5a1567114749b944d391c43ad2bb
 msgid "Token emission"
 msgstr ""
 
-#: ../features.rst:283
-#: 814519684d8c47a5b0b5ae6eaa9aa66e
+#: ../features.rst:296
+#: 04cf77b4e9514ab7805b4f4156209cff
 msgid "Token refresh"
 msgstr ""
 
-#: ../features.rst:284
-#: 4489f99b64dd40248f28453fb8b4b0df
+#: ../features.rst:297
+#: ec6501d110694e58b6181468d6154bda
 msgid "Token revokation"
 msgstr ""
 
-#: ../features.rst:285
-#: 99abcc04f85649c1b184e22e67b36f18
+#: ../features.rst:298
+#: 76f7ecd101a541d3a1dbb7b3090db868
 msgid "New consent given for client application"
 msgstr ""
 
-#: ../features.rst:286
-#: c64802d623a74d678c4aca29f82c39d7
+#: ../features.rst:299
+#: 100d9e39db3644c78ed000b9d27342a4
 msgid "Consent revokation"
 msgstr ""
 
-#: ../features.rst:291
-#: f9d92f5f76a745ee97ea36afc853c516
+#: ../features.rst:304
+#: 267852d80a8f4235af2ca961f8de8f09
 msgid "Development and testing tool"
 msgstr ""
 
-#: ../features.rst:296
-#: 9c0500515a5847c2bec5b1bb743f42fc
+#: ../features.rst:309
+#: 3dd5b1afcdf74705a07096fb3d7fd788
 msgid "Unit-testing tool"
 msgstr ""
 
-#: ../features.rst:298
-#: b1dc62a0c2024ff1bd6682408301766a
+#: ../features.rst:311
+#: 8c74a6c31d294bcb85e4fd0db0bb40fd
 msgid "Thanks to its lightweight :ref:`in-memory database <tutorial/databases:Memory>` and its curated :ref:`dependency list <tutorial/install:Get the code>`, Canaille can be used in the unit test suite of your application, so you can check how it behaves against a real world OpenID Connect server. If you work with python you might want to check :doc:`pytest-iam:index`."
 msgstr ""
 
-#: ../features.rst:301
-#: ff4f45059bc2485eb5fa0145f5f01f9a
+#: ../features.rst:314
+#: 197c22656e1b44b89c3587f95b3bb5c8
 msgid "Development server"
 msgstr ""
 
-#: ../features.rst:303
-#: a430530dc1ac42b680a9024e920dad7d
+#: ../features.rst:316
+#: 5f930c719ffe484d9680e8d7f3169e54
 msgid "It can also being launched in your development environment, if you find that launching a Keycloak in a Docker container is too heavy for your little web application."
 msgstr ""
 
-#: ../features.rst:308
-#: 3594d882079a4c89b28f0d9b25b5a647
+#: ../features.rst:321
+#: e9cc836cf3d54a32ad7b1d691826bc39
 msgid "Continuous Integration tools"
 msgstr ""
 
-#: ../features.rst:310
-#: f7bb141a215c46df915ce63b47f13cdb
+#: ../features.rst:323
+#: a4c714c1c0d44b7ab7a10dff7105a725
 msgid "It also fits well in continuous integration scenarios. Thanks to its :ref:`CLI <feature_cli>`, you can prepare data in Canaille, let your application interact with it, and then check the side effects."
 msgstr ""
 
-#: ../features.rst:313
-#: beb39ccb89e040118104ba0c0f41eb71
+#: ../features.rst:326
+#: cef90af6922045ccb06933f9c96c6f6e
 msgid "Roadmap"
 msgstr ""
 
-#: ../features.rst:316
-#: 4fee3c311fe844bbb345bd5b562844ad
+#: ../features.rst:329
+#: 35efac03aaf843308e6941fa96ff921b
 msgid "Bêta version"
 msgstr ""
 
-#: ../features.rst:318
-#: f699343ae7fe4f12a9d12f4692c22827
+#: ../features.rst:331
+#: 390267ac81744daf95a62fffcd0af834
 msgid "To go out of the current Alpha version we want to achieve the following tasks:"
 msgstr ""
 
-#: ../features.rst:320
-#: c8aec1fe7d574a789319e75cc64bd2e7
+#: ../features.rst:333
+#: 16cbac25ee2f420abda2992cd351559c
 msgid ":issue:`Configuration validation using pydantic <138>`"
 msgstr ""
 
-#: ../features.rst:323
-#: 706d590389f54c40ba1b219877946bb5
+#: ../features.rst:336
+#: 9f7d9a2a96974645bd8fc63a44d1a2c8
 msgid "Stable version"
 msgstr ""
 
-#: ../features.rst:325
-#: 54c0d4cc60054a5ebe7456575b1b70c3
+#: ../features.rst:338
+#: 2736b944f850403f9592ba3265b6f986
 msgid "Before we push Canaille in stable version we want to achieve the following tasks:"
 msgstr ""
 
-#: ../features.rst:328
-#: 7807e2d92e264bc78fd5b6a3c63beb3a
+#: ../features.rst:341
+#: 4a9ef596fb13405185ef106cd2dda007
 msgid "Security"
 msgstr ""
 
-#: ../features.rst:330
-#: 577ab46503ee45e89daa8c42938635e5
+#: ../features.rst:343
+#: a09c2af5ad3e424eba893efd02faf213
 msgid ":issue:`Password hashing configuration <175>`"
 msgstr ""
 
-#: ../features.rst:331
-#: a337cb0aac704dbca90dd70f1d68456d
+#: ../features.rst:344
+#: 3001ee87077c4479b3f3c8b3b5aecd33
 msgid ":issue:`Authentication logging policy <177>`"
 msgstr ""
 
-#: ../features.rst:332
-#: 39adf64b80444b27bb6f9f11747a6960
+#: ../features.rst:345
+#: e4387f0454dd483eb1c33ce14ef1d9ea
 msgid ":issue:`Intruder lockout <173>`"
 msgstr ""
 
-#: ../features.rst:333
-#: 3eeac7b1dec04fe9b990864b8810db50
+#: ../features.rst:346
+#: e38560428a8f48528d9f02a5e00197fb
 msgid ":issue:`Password expiry policy <176>`"
 msgstr ""
 
-#: ../features.rst:334
-#: 4ad4707b7d02481ab507ded2d410eb70
+#: ../features.rst:347
+#: de013ed91c4443d190d9783c5cff060a
 msgid ":issue:`Multi-factor authentication: Email <47>`"
 msgstr ""
 
-#: ../features.rst:335
-#: 478b4f7b443f4f728085a2ea686b0248
+#: ../features.rst:348
+#: d0049b96f7c1401a91d968aa93715930
 msgid ":issue:`Multi-factor authentication: SMS <47>`"
 msgstr ""
 
-#: ../features.rst:336
-#: fd624a7e3d404428830928ee05ec5348
+#: ../features.rst:349
+#: e5e2f43901ae4d00bd1c675076fb846d
 msgid ":issue:`Multi-factor authentication: OTP <47>`"
 msgstr ""
 
-#: ../features.rst:339
-#: a6acbc89a16a4fad8658fb33764830ad
+#: ../features.rst:352
+#: 277364ce7ca04a169409ad5acf68d075
 msgid "Packaging"
 msgstr ""
 
-#: ../features.rst:341
-#: 575b556539994d1190e50cbfd0133bd4
+#: ../features.rst:354
+#: dece9c7d75d441cdbdce48eb7a4bebcf
 msgid ":issue:`Nix package <190>`"
 msgstr ""
 
-#: ../features.rst:342
-#: f8facef108bf4d668509e57200f732bb
+#: ../features.rst:355
+#: a53f52a497344bb6b889fa63de7d9c26
 msgid ":issue:`Docker / OCI package <59>`"
 msgstr ""
 
-#: ../features.rst:345
-#: 92825d26f07c4b718121c2784a9b6b81
+#: ../features.rst:358
+#: 6a738414fcb944ac9c4d5b61a53f0d11
 msgid "And beyond"
 msgstr ""
 
-#: ../features.rst:347
-#: ac17ddb06c4d400ebc190454535608c2
+#: ../features.rst:360
+#: 66a95c24a32940118517f6bb3bf27838
 msgid ":issue:`OpenID Connect certification <182>`"
 msgstr ""
 
-#: ../features.rst:348
-#: 1b80703b0f434fe6ade3288840b9cf3c
+#: ../features.rst:361
+#: 73307b368d454e338ff4bbd05657bbcc
 msgid ":issue:`SCIM support <116>`"
 msgstr ""
 
 #: ../index.rst:15
-#: 2c1f5afe842843a6bbedd65606fde0f5
+#: 8d018998cb4b4ff38d92f2a73326716e
 msgid "Lightweight Identity and Authorization Management"
 msgstr ""
 
 #: ../index.rst:19
-#: 0fa9dc97ee984c00a9460a07144eba66
+#: 55ed7b7eb88e42f78ef42eb5b55a3555
 msgid "**Canaille** is a French word meaning *rascal*. It is roughly pronounced **Can I?**, as in *Can I access your data?* Canaille is a lightweight identity and authorization management software. It aims to be very light, simple to install and simple to maintain. Its main features are :"
 msgstr ""
 
 #: ../index.rst:31
-#: 8b56e6fd5b374afbadf70d3371ad8538
+#: d12af997fa5e48da987d2ecfcb4f149f
 msgid "User profile and groups management, Basic permissions"
 msgstr ""
 
 #: ../index.rst:38
-#: ae2a113a2f63489ebb6a9696df422ed1
+#: ea53cfd918924c97a6726cfd357f5ce5
 msgid "Authentication, registration, email confirmation, \"I forgot my password\" emails"
 msgstr ""
 
 #: ../index.rst:40
-#: c4659885674a4b848e904b352c94b89c
+#: 127cca0af1054bf08a8ce05d1c55d539
 msgid "SSO"
 msgstr ""
 
 #: ../index.rst:44
-#: 3dabf6a8010d4aff943f07dbf6fe52aa
+#: f4b6d7b278ba480da9d7c964849ba988
 msgid "OpenID Connect identity provider"
 msgstr ""
 
 #: ../index.rst:46
-#: f7caa27d43354246a89db295901976cb
+#: be1ff5f7d2ca468fa300f595696d9c10
 msgid "Multi-database support"
 msgstr ""
 
 #: ../index.rst:50
-#: 73b988c55cc241eeafe075a55fd037a0
+#: 92a7a7f6ee474890bf705bd67945dd9e
 msgid "PostgreSQL, Mariadb and OpenLDAP first-class citizenship"
 msgstr ""
 
 #: ../index.rst:52
-#: 9caead4464284ccca1a59bff67fbec2d
+#: b1569cdc9eef44d68ed3b52496ef75b3
 msgid "Customization"
 msgstr ""
 
 #: ../index.rst:56
-#: e2604712b57b4583b53181a9fefcda0e
+#: 68415646dbfa4be79d953583749246fe
 msgid "Put Canaille at yours colors by choosing a logo or use a custom theme!"
 msgstr ""
 
 #: ../index.rst:58
-#: b168d0612c04400e8b259edb581dc6c7
+#: 2a6a4e752e494f65b7766a082624d1a4
 msgid "Developers friendliness"
 msgstr ""
 
 #: ../index.rst:62
-#: 8b5f849ae22348f19d5d8feca1590032
+#: 42693164646349bcbe9f680b08cd904b
 msgid "Canaille can easily fit in your unit tests suite or in your Continuous Integration."
 msgstr ""
 
 #: ../index.rst:66
-#: a4dbd4558bda425cab549061b5952854
+#: bc563a309b784f2cbc15399c3ad8f51c
 msgid ":doc:`Full feature list <features>` :doc:`Common use cases <usecases>`"
 msgstr ""
 
 #: ../references/commands.rst:4
-#: 574cb073f7584f8599a4cc129a337c4a
+#: aebb427c91ed41da9c0b7ecdfcaf590a
 msgid "Canaille provide several commands to help administrator manage their data."
 msgstr ""
 
 #: ../references/commands.rst:6
-#: aa7436e81d0347aca49e76837769f92b
+#: b907889f6d0d4dabb1a963c60758fedf
 msgid "Generally, some configuration has to be loaded by `Canaille`. This can be achieved by :ref:`configuration loading method<references/configuration:Load the configuration>` available, but most of the time a ``CONFIG`` environment variable is used. For the sake of readability, it is omitted in the following examples."
 msgstr ""
 
 #: ../../canaille check:1
-#: d3880ac07b8641fbb96a657384193437
+#: e48a730fe9c94efcb41a272f5478ed19
 msgid "Test the configuration file."
 msgstr ""
 
 #: ../../canaille check:1
-#: 8edd9caa824f4c3aa3298a3e0b28a418
+#: 41aae9c8d46743aba9e79f57c079d0c7
 msgid "Attempt to reach the database and the SMTP server with the provided credentials."
 msgstr ""
 
 #: ../../canaille clean:1
-#: 15fc7dadf416460fb034401cb2298ddc
+#: e4dceb9281e14cf0adbd56154fffbc04
 msgid "Remove expired tokens and authorization codes."
 msgstr ""
 
 #: ../../canaille install:1
-#: f58f2f270c9642208409eab2a078aa10
+#: fade86f4801a403dab35e0e1cf5bb2a9
 msgid "Installs canaille elements from the configuration."
 msgstr ""
 
 #: ../../canaille install:1
-#: ee828128d3684eaea85f63a4d8efb295
+#: 59f7082a6fc74329965dacbbd4b29d74
 msgid "For instance, depending on the configuration, this can generate OIDC keys or install LDAP schemas."
 msgstr ""
 
 #: ../../canaille populate:1
-#: df2355b792904bae8c2adfdc44e3abc1
+#: 10dd1f2f8dfd4382ba79586e84d228b6
 msgid "Populate the database with generated random data."
 msgstr ""
 
 #: ../references/commands.rst:0
-#: 25c273b3659241e5a58c4ccfc4d1aa62
-#: 23e595a7ef3e40738c72964260d647d4
-#: b9df5380bb904ef3b2c158886514b1f4
-#: 810cab23bf5f4e0bbe5e403092b4739f
-#: 2b944a79e15441a28501202fb405ceec
-#: 337385bfcd154b46942fd5cc685e3c53
-#: 3c51398f5ef14fafac576c18c1938015
-#: f7857604a6af425d92b5f49a3a571724
-#: 50ab489bedfa413b941eaca1514e779e
-#: 817fa12a167549c2b2dcda5cf8aca990
-#: e144249ab1e4497a8e2b59433d28dd94
-#: 8e13e364d31643ebbcbea2ec3c48cebb
-#: 93521a77f0084af9b274926a73bb1866
-#: 979aef4626814c74bd3208394714d692
-#: 145d1e9e3fe74947b6695497c7f75b40
-#: 7e7e2edd89534686997d302f673e5005
-#: 2d123fd2ca8b46dbb63d2f8cd67b8a9b
-#: 658ca5556e9b484884784c60355dcaba
-#: ecc2c5a1d0ee4d75a8dabc1519c9b46f
-#: e9427573b4fd4fea8baa73d3dfd6c901
+#: eef93c8f7efa4bcca26a9984edfec552
+#: ab621caa7a2c4d8fa849e7797625d3ba
+#: f8d114457ca741bf800ee8c4b3f942a1
+#: 6fbad5feee934277bdbbbd04f071fe34
+#: b61fa1c2360748b999a9aced4bd164ab
+#: 7c65f97affff43a2a78f72e6d2a8b2bf
+#: 20f752045a96446387d44095a57eca5c
+#: 14304e9889da477c8a93cf9b9dd6c1e5
+#: bb0e8261f2454b65aa180dd68ad176d8
+#: 16a6ff9805e447789f9cee87d357b936
+#: a7c4100a940e41fe9440ad6b0bbd28dd
+#: 296c95633a584e4e924f2f36676c1c2f
+#: e0d5e5ab4bf9456aa3c194dbb343ffd8
+#: 230b27138fe641e19ac2bda6f21d1507
+#: 682d03c24b1349d1be236737cf9c8478
+#: 0201087fa2f8445c9c291d4cc4ba3700
+#: a537cbb030a84e5b96ca899c18aaef63
+#: aa0eedc786284ae49d37dab255457175
+#: 1715de5f32c34e7cab8f1379549071f9
+#: f9c437d0c28c4079995fd7bc83ed2ec9
 msgid "Options"
 msgstr ""
 
 #: ../../canaille populate:1
-#: 757aacf7045343ac87f0d6123fe1e181
+#: 94ba9e16305a484ea1415b3237723cf1
 msgid "Number of items to create"
 msgstr ""
 
 #: ../../canaille populate groups:1
-#: 0e4a01018e724dc6a6ca0b638d66852a
+#: 379afc690fa147acb76c519bccb010a6
 msgid "Populate the database with generated random groups."
 msgstr ""
 
 #: ../../canaille populate groups:1
-#: b8f050417d3e4d5cb1abef74d5b23fef
+#: da4cf29b95b846119a772e8d9f73f96b
 msgid "The maximum number of users that will randomly be affected in the group"
 msgstr ""
 
 #: ../../canaille populate users:1
-#: 27cbff2cac6c4d0ba3a881e593e6d298
+#: b87d2b5df82a46e0a11fccb84a997ab9
 msgid "Populate the database with generated random users."
 msgstr ""
 
 #: ../../canaille get:1
-#: a991a3b616044f2c932b1b5781575930
+#: ce45ebf26cf149d3b0fd406e1ed2b5a9
 msgid "Read information about models."
 msgstr ""
 
 #: ../../canaille get:1
-#: ff29fb8d5ce14bc291589af023d25348
+#: 00dbea345e914dafb4a736214b895b1c
 msgid "Options can be used to filter models::"
 msgstr ""
 
 #: ../../canaille get:1
-#: ebb9a30bb4ad418b937898f33eb3154d
+#: 43207b9c3af4494e9714cbf6ff2c473d
 msgid "Displays the matching models in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille get authorizationcode:1
-#: 3b7cec01bf904fbd95a74ecc629450d4
+#: 8f0d2152f80d49e8be0e904a850cacdd
 msgid "Search for authorizationcodes and display the matching models as JSON."
 msgstr ""
 
 #: ../../canaille get client:1
-#: 04713bc174844fbc90ffcd66309a32d7
+#: bef20cbd666c49ff993234428725ddd3
 msgid "Search for clients and display the matching models as JSON."
 msgstr ""
 
 #: ../../canaille get consent:1
-#: 3d85785b1e954ca48fb3600e102060dc
+#: 173ac74323844b969fdb2ce7bb9632c7
 msgid "Search for consents and display the matching models as JSON."
 msgstr ""
 
 #: ../../canaille get group:1
-#: a7f5ed4db7ca4b6e990d3008e3df40dd
+#: 8cc4308278af4625bc3d625a22ea5aa3
 msgid "Search for groups and display the matching models as JSON."
 msgstr ""
 
 #: ../../canaille get token:1
-#: f28ab88c832f4310ba8fce02409a0471
+#: 5307294d0c7a49d6ad21d0d505f11aab
 msgid "Search for tokens and display the matching models as JSON."
 msgstr ""
 
 #: ../../canaille get user:1
-#: 243977ad7e504fedbd9646f89f934592
+#: db01fd1777f4431793d3885c834b7680
 msgid "Search for users and display the matching models as JSON."
 msgstr ""
 
 #: ../../canaille set:1
-#: f1db85f49bf44d11a4bb25bef94995c7
+#: cec2b45a156b461faacc323380171e6f
 msgid "Update models."
 msgstr ""
 
 #: ../../canaille set:1
-#: 81f6f6bde2db46419feea67dae446a01
+#: e5fc377719b04495a57faa42a87be86a
 msgid "The command takes an model ID and edit one or several attributes::"
 msgstr ""
 
 #: ../../canaille set:1
-#: 2605d2f99fff4a3685e4acb6c7d08749
+#: 4e8bb50216e741f0bb44ecc365265370
 msgid "Displays the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille set authorizationcode:1
-#: 0e3e63095aaa4d10827812a9df412418
+#: 03d1eebac72e42b58b3aef5a429dee1b
 msgid "Update a authorizationcode and display the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete authorizationcode:1
 #: ../../canaille set authorizationcode:1
-#: 272d0df08f904f519632f9fd2fe65385
-#: 2f9f07b54e574b76b44a885d2edcee5f
+#: ddbdb0447cd34e59b5e1c6f9f852c619
+#: 4abf794613df4e5c8472ce2a6e7dc989
 msgid "IDENTIFIER should be a authorizationcode id or authorization_code_id"
 msgstr ""
 
 #: ../references/commands.rst:0
-#: 68201cc09cab43ae872191c5e1e0de51
-#: 797f38593b54447e9abe286cd709857c
-#: 5f7b7a34cec54b7bb8813914c7b1da9e
-#: e2da0bdb8e364ad4ac3fa9a24108e9c9
-#: 7a653436ae5244b3915e22f7b337b441
-#: 83d05fec78e043fcbf55d763d9664075
-#: 314878b93dce45baac9f4ab7248087c2
-#: 59d47562162a44fcb07558824e722d39
-#: 811906b3e60e4f96bb46272adf7a2702
-#: 9f85ada6864146db941a9b74f9dccdcc
-#: e15f98264ca3466aa879164b237471d4
-#: 23cb9085c4df46c5919811da9786751a
+#: f2adfafce0754af79d2770a34dae5309
+#: 283f0c7412de4a97bb4e7954f008ff3e
+#: 46a35e9dcc73463db8ff772da3638b31
+#: fae552d2703d4a2186332c0847506798
+#: 4fafb5c0151f445c9c573b6472b4d0f5
+#: 3115c2cba5f04f9094165896feac1cc9
+#: e3c459094f734f6382847753305e76aa
+#: 4e8a2cd6e1224733b644484774cf0621
+#: 6f97567dcca64c4a92c0b869a6ce337d
+#: fea5ce77581940eabec5498e9347643b
+#: 7b57a6d1d40d40eaa51b6bba807602b5
+#: 0c5b1219cf2c4d97bc0cf7717c7b4ef3
 msgid "Arguments"
 msgstr ""
 
@@ -3605,356 +3768,358 @@ msgstr ""
 #: ../../canaille set group:1
 #: ../../canaille set token:1
 #: ../../canaille set user:1
-#: cafe88a3ce2e428eac214691a4cceb5a
-#: 7b2ff0501238407193726c30d9eca3c9
-#: 0ba51222ad4a4533b4b41b1757a35c64
-#: ea0c5446d43d40c49f2b92c5b3541ce9
-#: 9ac86d8bfd664383a081e3c1ede9c96e
-#: cd7e04caa435456ca0cf597a4cf2b866
-#: 8d3a56d3d2d8434a96e06ee1db5c7f74
-#: ee33e52044104463b44bf754ebc2bfd3
-#: ec1ed557213c433f960f06a20c6305f0
-#: 79fcf662ca834cb9bad46e70395f5c0d
-#: a2446c9d8a43489f95b98774f9e95af2
-#: c84e4574c2934d05b8911fbf5ff07255
+#: c0f3d574bd3640aca180dbe7695f53e9
+#: 61c7448c4a41497a8b923a636124b2be
+#: e523b87636874d088f2ef6e7c2d8c79a
+#: 3e12bc882bce4c71928c127525ee8358
+#: ef0be6baac8a4a44bd4a317601ea2018
+#: f60f6b4edba24b98a79df93768b3041f
+#: c1192e9d2ddc429f911056db63d54e6c
+#: 4e3ae120210c4d62bfd1cc1d7c199f7a
+#: 3b9c5a9904f74f9e8308a21d4ee8da42
+#: a6ecc5cf2bb54dfe98d8553f7f49c5d6
+#: 6492e2a92bac400c990cc3182c8b1cb0
+#: ca2ec2ca915e40438b1b18eb27c46670
 msgid "Required argument"
 msgstr ""
 
 #: ../../canaille set client:1
-#: 8fd29a2556aa4939a91f5dff64f750f9
+#: f2b0a1421fdf46d684fbe616a1771b62
 msgid "Update a client and display the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete client:1
 #: ../../canaille set client:1
-#: 1fe7624c6c204327b3dea4672369b25c
-#: a507a2cde7be4e01b653d88b1143bcc1
+#: 04f98ee9b5254ad58f59cba6824a2ef0
+#: db9ef2c5ffc342fe858b000bc05fbcc8
 msgid "IDENTIFIER should be a client id or client_id"
 msgstr ""
 
 #: ../../canaille set consent:1
-#: bc9887077625496493e99ffd14864f21
+#: d8dbf4d59a0e4afcac26174972d6804c
 msgid "Update a consent and display the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete consent:1
 #: ../../canaille set consent:1
-#: c40a621613bb4a57ae61d0bf635d4be1
-#: 36c566d3a8d64d98b3139d1d408e6e33
+#: ecded87087fb4018854b4d14a277df8f
+#: bfebd623b59243cb8efe4178994c8209
 msgid "IDENTIFIER should be a consent id or consent_id"
 msgstr ""
 
 #: ../../canaille set group:1
-#: 24bf72192e064a11ba8f4408dc6cd2f2
+#: 1f36d3e6d60343989097aac3e4424ed4
 msgid "Update a group and display the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete group:1
 #: ../../canaille set group:1
-#: f9bb7a0e3cb74e87bd9647b1d854d4c5
-#: 2b44dcf76741473980e37c9fb1f972c9
+#: 772ff82f2ff54593b9ef8dc8e0af8d4f
+#: f5e84ce4a1dc4bcdbf5a660209e2d7d9
 msgid "IDENTIFIER should be a group id or display_name"
 msgstr ""
 
 #: ../../canaille set token:1
-#: ed64c8271e11430f829f537ac1c9fb03
+#: 6534c48546d94e76a03c8ea1521c5cd4
 msgid "Update a token and display the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete token:1
 #: ../../canaille set token:1
-#: 5872d15912fa4904bc7429f1e6c4e4e5
-#: 2e473a0a6bc4446eb92d334a50bad9e0
+#: edecbc4f0f9946c48834bf53a5fbf0f8
+#: 3dacc05a5d1240ea812eb792ed737810
 msgid "IDENTIFIER should be a token id or token_id"
 msgstr ""
 
 #: ../../canaille set user:1
-#: 6db0783b2700470888b19c5bc6144406
+#: da1f8e5fba5f40ad8f20a017e886aa02
 msgid "Update a user and display the edited model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete user:1
 #: ../../canaille set user:1
-#: e98462e8df9b4465af9a63c0bbf21546
-#: d7cebb3763ed4824afd5b69c0a82f605
+#: bf3b446f2eda4b26a9ef702f4c6dd0b9
+#: 881aab67b4fb4777a160e9affc77be0c
 msgid "IDENTIFIER should be a user id or user_name"
 msgstr ""
 
 #: ../../canaille create:1
-#: 3f6211fedcff4c49a1a05bb0d923b452
+#: 563f23f330bc43ed951ca8812fa0c2fc
 msgid "Create models."
 msgstr ""
 
 #: ../../canaille create:1
-#: dabf2e993c7e4f4e958ecf36a3a64cfa
+#: 9d4c06295f304ac093848a3de8b716bb
 msgid "The model attributes can be passed as command options::"
 msgstr ""
 
 #: ../../canaille create:1
-#: 88fc347eb7814471b13dc9a6b562dd75
+#: 63735ef4eb924ae1ab2a244a018dc3be
 msgid "Displays the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille create authorizationcode:1
-#: 428bc4494e3f4f6d875f2a701295e030
+#: a96e7d0b6bed4a7bb8e0257b08600be1
 msgid "Create a new authorizationcode and display the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille create client:1
-#: 4f234a94637b44698b95c220d5c3d59e
+#: 41428e12aeae44479602c0f92a840d2c
 msgid "Create a new client and display the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille create consent:1
-#: 741d27c2f5fb448da39ad4955e77518e
+#: 994455a2e844478bbffe389520751a33
 msgid "Create a new consent and display the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille create group:1
-#: 973102f969a0499692c7a2416dd0f469
+#: c3b6e110307b45c4b7e8ce07a66a4cf9
 msgid "Create a new group and display the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille create token:1
-#: 4f44ca45c9f8454b950534b228e8ef12
+#: 3774f3cf8635474fb6ba63ac1b57aa1b
 msgid "Create a new token and display the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille create user:1
-#: 35ce000da38042699e6154f107a3e814
+#: ae4b9357629c41f2bd3443048f12f734
 msgid "Create a new user and display the created model in JSON format in the standard output."
 msgstr ""
 
 #: ../../canaille delete:1
-#: fd758e22b29a4fd4b7f1c92876768518
+#: 416fbf5d468742f6af7aa3afe222389c
 msgid "Delete models."
 msgstr ""
 
 #: ../../canaille delete:1
-#: 42450f0ac5674556be84bcf4cc34c98f
+#: 05ea570bc20b42c9943f9073f58c19f9
 msgid "The command takes a model ID and deletes it::"
 msgstr ""
 
 #: ../../canaille delete authorizationcode:1
-#: 4607eae8cf4c40a3a37bef887f2254a1
+#: e73a91f3f9d347d082621014cb60fd7f
 msgid "Delete a authorizationcode."
 msgstr ""
 
 #: ../../canaille delete client:1
-#: 01b65f6e61a848c490034606d1d00095
+#: d376d0088bff46ca817210c0ae84ccec
 msgid "Delete a client."
 msgstr ""
 
 #: ../../canaille delete consent:1
-#: b1dfdb33eba94dc2a71f9172cff74acb
+#: 2cd2f844ba974bbaa3c2a84cd7fa1a68
 msgid "Delete a consent."
 msgstr ""
 
 #: ../../canaille delete group:1
-#: 6c79a439e1f54f4f81194cc8d6fc5944
+#: bf80244164a54ae887b7caadf7914dc1
 msgid "Delete a group."
 msgstr ""
 
 #: ../../canaille delete token:1
-#: 1fb9fa8740c442ff82297d480fbba5ca
+#: 3bf34916fadf48139dbcf439545c4276
 msgid "Delete a token."
 msgstr ""
 
 #: ../../canaille delete user:1
-#: b0298caa666647268cd204cbd1cccd4d
+#: 22a78b7140094b6ebe34988f5b37fec3
 msgid "Delete a user."
 msgstr ""
 
 #: ../references/configuration.rst:2
-#: 6c3d1ad364a84afb9586b1b62e42dedb
+#: e23c84272ce74d1d87f815825cb4a488
 msgid "Configuration"
 msgstr ""
 
 #: ../references/configuration.rst:5
-#: fca2326d4bf84702b7d8d0f5d3a65f20
+#: 90eeb71ed1294fd7bc6bf7f8c8ed5c8c
 msgid "Load the configuration"
 msgstr ""
 
 #: ../references/configuration.rst:7
-#: 51e2253170d4489ab9598217182b6f1d
+#: f2621ade958b4ffb9815fa8322ca64e5
 msgid "Canaille can be configured either by a environment variables, environment file, or by a configuration file."
 msgstr ""
 
 #: ../references/configuration.rst:10
-#: 1560e71d7b2d42aa8ec0accc06131b3d
+#: 37d9f514da104c6aa15bf83cb6303487
 msgid "Configuration file"
 msgstr ""
 
 #: ../references/configuration.rst:12
-#: 0fc2b0bc764345caba3f9402376e279a
+#: 88467c2beaea43a19228f85c1f398494
 msgid "The configuration can be written in `toml` configuration file which path is passed in the :envvar:`CONFIG` environment variable."
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:11
 #: ../references/configuration.rst:14
-#: ../references/configuration.rst:94
+#: ../references/configuration.rst:95
 #: ../tutorial/databases.rst:23
 #: ../tutorial/databases.rst:37
-#: 3626de52eeca4eecbda8f1d47354a80c
-#: f59eab2f20b542f1af3ae7e6e4856266
-#: f59eab2f20b542f1af3ae7e6e4856266
-#: c1e56e5ab5ba40228c68cd9eb470348d
-#: 8acf4c15626e4f6897aa81c2e5e8ef42
+#: ../tutorial/databases.rst:138
+#: 1b8aaa7b767b49eb9a81d6663fb6c1e8
+#: bb4c8f23d29248f5abfd0d96af2d80bf
+#: ee90ce99e8a4449fbb7cb28d559147b5
+#: 84cfcdaa79ef439cb013e00e3c4cd792
+#: cb517d061c4a4d16ae4a868999611801
+#: 3fc7e3d6f94f47579174c1ebcb598f6a
 msgid "config.toml"
 msgstr ""
 
 #: ../references/configuration.rst:26
-#: 4b63b3891e1c45788780ea1af554d1db
+#: 4f4e3b14ad79434b93659ff0d99e92d5
 msgid "You can have a look at the :ref:`example file <references/configuration:Example file>` for inspiration."
 msgstr ""
 
 #: ../references/configuration.rst:29
-#: 8cbac0cd9e3e4bc3ad5fc60d82180568
+#: 52e72a243eda4c6d8c20601ec11d21ea
 msgid "Environment variables"
 msgstr ""
 
 #: ../references/configuration.rst:31
-#: b909831b5aed44a4b439b37701feabb7
+#: 5a5db358ab214e86b11ce341a71a4abb
 msgid "In addition, parameters that have not been set in the configuration file can be read from environment variables. The way environment variables are parsed can be read from the `pydantic-settings documentation <https://docs.pydantic.dev/latest/concepts/pydantic_settings/#parsing-environment-variable-values>`_."
 msgstr ""
 
 #: ../references/configuration.rst:36
-#: fd22a354c18f4733b8b1962cfcbe2139
+#: 9c85a8e682a74e9d9d8c3aa79e2d02ba
 msgid "For environment vars, the separator between sections and variables is a double underscore: ``__``. For instance, the ``NAME`` var in the ``CANAILLE`` section shown above is ``CANAILLE__NAME``."
 msgstr ""
 
 #: ../references/configuration.rst:40
-#: f12f0cbb606e4627be2fa3b2a895f162
+#: 26c9129f81c54386966cffd31c323f14
 msgid "Environment file"
 msgstr ""
 
 #: ../references/configuration.rst:42
-#: 434c11ee0d6a4a118f9b8802d407d447
+#: 54056c93ac3b40e882bf20789d72fded
 msgid "Any environment variable can also be written in an environment file, which path should be passed in the ``ENV_FILE`` environment variable. For instance, set ``ENV_FILE=.env`` to load a ``.env`` file."
 msgstr ""
 
 #: ../references/configuration.rst:45
-#: 83d91b20c3204d09b61a4a6de8c84769
+#: ba796d7f6bdb4ef5a32865f844ead63e
 msgid ".env"
 msgstr ""
 
 #: ../references/configuration.rst:63
-#: 8fc48610072c4e248c494befe2a4c8f6
+#: 3c2136aab27c4650acf0d25ced3636e2
 msgid "Configuration methods priority"
 msgstr ""
 
 #: ../references/configuration.rst:65
-#: d3fdde7c8d9841e49e92bcba763e33d8
+#: 6e85c7ec407f4fc68adff17adb6652b2
 msgid "If a same configuration option is defined by different ways, here is how Canaille will choose which one to use:"
 msgstr ""
 
 #: ../references/configuration.rst:67
-#: b79bfecad485446b85a8866657222448
+#: 8857be48d8f54be7aa8d350d5346887a
 msgid "environment vars have priority over the environment file and the configuration file;"
 msgstr ""
 
 #: ../references/configuration.rst:68
-#: 63800f5a14d44e1fa3ed0266e19f5482
+#: d946c715e1c34f55acfe97acc96cab68
 msgid "environment file will have priority over the configuration file."
 msgstr ""
 
 #: ../references/configuration.rst:71
-#: e8e7a0f78d68479a9586036adf25e183
+#: 369d25ff21b042fbabf703be7b66e138
 msgid "Parameters"
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:1
-#: ba32908d458e4689a5d90a46b386fdf3
+#: 2226ecd0f90440d58a4089df736be757
 msgid "The top-level namespace contains the configuration settings unrelated to Canaille."
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:4
-#: fffc30ea67ab47d99472750172be2a29
+#: f53fd6edbc9148c781006d112688f022
 msgid "The configuration parameters from the following libraries can be used:"
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:6
-#: ae9ceb139bfc47f8b383dec852b507c2
+#: 0a1ba7d3d9d24c598640a87301549190
 msgid ":doc:`Flask <flask:config>`"
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:7
-#: 3d01d0dc9cdc47e59420f5b121370277
+#: 6288bee773454f6fb13d7c3c43c0acfe
 msgid ":doc:`Flask-WTF <flask-wtf:config>`"
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:8
-#: d573a04c56154eaf857d49c057690bfd
+#: 8dc449c88676405aa689c232c0c17eaa
 msgid ":doc:`Flask-Babel <flask-babel:index>`"
 msgstr ""
 
 #: ../../canaille/app/configuration.py:docstring of canaille.app.configuration.RootSettings:9
-#: 552391e3f12c4385abb3e1a2e3929cfa
+#: f0f21a8b4661490ea85203669e05fe2a
 msgid ":doc:`Authlib <authlib:flask/2/authorization-server>`"
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.DEBUG:1
-#: 4309008dba2c4aa79584299f19987ac4
+#: aee2c3dead184d3ab7655e0df3b9f66c
 msgid "The Flask :external:py:data:`DEBUG` configuration setting."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.DEBUG:3
-#: f8cb9ba68ed14b818c2fb2bcfbffb16a
+#: da1c3a1146284b0597c12fab8ac713a9
 msgid "This enables debug options."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.DEBUG:7
-#: 553b378e895a4b74aa242c08cd29450f
+#: 22813fdeb3ad46729bf6d91f1a6a799b
 msgid "This is useful for development but should be absolutely avoided in production environments."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.PREFERRED_URL_SCHEME:1
-#: cb2cc7437e4a4d3c90895c4148186b25
+#: 8d9650f0f1c34ab7b888fce27cfcc459
 msgid "The Flask :external:py:data:`PREFERRED_URL_SCHEME` configuration setting."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.PREFERRED_URL_SCHEME:4
-#: 530f78ce6f4842c983c10b38fe4c4b93
+#: 33538d7dda284e2da14720d9ecf5b81f
 msgid "This sets the url scheme by which canaille will be served."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.SECRET_KEY:1
-#: 42e179fea274407eb26dd67e4a6d14a5
+#: ca299cb1b21a4aff913e478725dee516
 msgid "The Flask :external:py:data:`SECRET_KEY` configuration setting."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.SECRET_KEY:3
-#: b16e239dce5c4f199a2fba1707c82d1a
+#: e0e842ea56e7409da386c9fa3b44f45f
 msgid "You MUST change this."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.SERVER_NAME:1
-#: 0f0f60195f334cf597f67857740b2ace
+#: 8aaa9ab83eb245a996e82b25f47a18be
 msgid "The Flask :external:py:data:`SERVER_NAME` configuration setting."
 msgstr ""
 
 #: ../../docstring of canaille.app.configuration.RootSettings.SERVER_NAME:3
-#: 39edb89e79af4a10a154a5c42d51e86e
+#: a7a33ff93b6d471e9395fffab55b8497
 msgid "This sets domain name on which canaille will be served."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.CoreSettings:1
-#: d831c1b108eb4e96bb11a6ddc92ed45e
+#: 49b29a899f644466acba509b0b3e9f00
 msgid "The settings from the ``CANAILLE`` namespace."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.CoreSettings:3
-#: a51801e81d914eb3bfe1fa4e649133c1
+#: 63104b7fc45e4ef39f55f96c7a093f33
 msgid "Those are all the configuration parameters that controls the behavior of Canaille."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ACL:1
-#: 89de24471b434051a4a84e39bc47aded
+#: 1c134db317ea498d8b595a7a3b2f610e
 msgid "Mapping of permission groups. See :class:`ACLSettings` for more details."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ACL:3
-#: 1f85af06bed64d9da4417c6e6f7e244e
+#: c2f72f20b39c4706b4e5ba01db79eb2c
 msgid "The ACL name can be freely chosen. For example:"
 msgstr ""
 
@@ -3962,676 +4127,726 @@ msgstr ""
 #: ../../docstring of canaille.core.configuration.ACLSettings.PERMISSIONS:6
 #: ../../docstring of canaille.core.configuration.CoreSettings.ACL:5
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:12
-#: 56ce67b55d3b4d8eba9a07b4feed2587
-#: d9b0f4816c2644679233ec3b797c2fc4
-#: ea4face810944c2e934e593ccfe99a84
-#: ea4face810944c2e934e593ccfe99a84
+#: 7f4c9bc691c14d29b0465e0af9e49012
+#: 7e37e8d6e156472e9a7a39fac9d88ff2
+#: f9cab605f9cd4a48ace060c109339896
+#: d723924be3cf4f0bbfc5f4f454c9fd17
 msgid "..code-block:: toml"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ACL:7
-#: dc73b62baf4f465598787ebb33191c7b
+#: c5d39ea293234d4aa11c0494ddc011b6
 msgid "[CANAILLE.ACL.DEFAULT] PERMISSIONS = [\"edit_self\", \"use_oidc\"] READ = [\"user_name\", \"groups\"] WRITE = [\"given_name\", \"family_name\"]"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ACL:12
-#: 56d15bcfdbcc4556a3848702228b970f
+#: 27f179210a5a4bae899d38bc6d1963c0
 msgid "[CANAILLE.ACL.ADMIN] WRITE = [\"user_name\", \"groups\"]"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ADMIN_EMAIL:1
-#: e07c109febe5434e95b532da3dadf454
+#: da428b02fcc6465ca83593370a8c52c1
 msgid "Administration email contact."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ADMIN_EMAIL:3
-#: 7a5e93e36d434fcb96b85beea8f1adc6
+#: 80265b26992742b4a55529bb9514ef19
 msgid "In certain special cases (example : questioning about password corruption), it is necessary to provide an administration contact email."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.EMAIL_CONFIRMATION:1
-#: 478effaaf0da47a1a31b996b06b8c650
+#: aae582f58bfa47f2a6f5b32a1b5c3ead
 msgid "If :py:data:`True`, users will need to click on a confirmation link sent by email when they want to add a new email."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.EMAIL_CONFIRMATION:4
-#: b82dc4dc6818409eb5fa256462c4ac19
+#: 35bd824b2f8d4040898ed4dbdb7e599d
 msgid "By default, this is true if ``SMTP`` is configured, else this is false. If explicitly set to true and ``SMTP`` is disabled, the email field will be read-only."
 msgstr ""
 
+#: ../../docstring of canaille.core.configuration.CoreSettings.EMAIL_OTP:1
+#: 15d696ce895d4517964f6a9fe0269d30
+msgid "If :py:data:`True`, then users will need to authenticate themselves via a one-time password sent to their primary email address."
+msgstr ""
+
 #: ../../docstring of canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_COMPROMISSION_CHECK:1
-#: cb4478169a09415a9f17e3df16239ecd
+#: 2bb9ee1a4a1f4c3dac7cd54259173873
 msgid "If :py:data:`True`, Canaille will check if passwords appears in compromission databases such as `HIBP <https://haveibeenpwned.com>`_ when users choose a new one."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_RECOVERY:1
-#: b70cf94037df4bd1ae8a74acc370b3a5
+#: 9b83a2bb7e5a45358efb53447ed21cda
 msgid "If :py:data:`False`, then users cannot ask for a password recovery link by email."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ENABLE_REGISTRATION:1
-#: 6ee78ec59c21456e8761778153d4f700
+#: ad8746125fae4336a86e7a5a47949ea4
 msgid "If :py:data:`True`, then users can freely create an account at this instance."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.ENABLE_REGISTRATION:4
-#: 979b9444b9c04354add2e781bd324752
+#: 4519e48effe84001a82418bf3a2da190
 msgid "If email verification is available, users must confirm their email before the account is created."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.FAVICON:1
-#: 8931d55b0c264be0982765f04f83ae38
+#: ad1dce6bc9dd49608f1556cebf0f44fe
 msgid "You favicon."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.FAVICON:3
-#: 7991e0eec12c457dad401f49b34ad835
+#: 36086dc79c1b485fa6594ef442028011
 msgid "If unset and :attr:`LOGO` is set, then the logo will be used."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.HIDE_INVALID_LOGINS:1
-#: 8e19d8a485fe456191ab16773f84483e
+#: 15d696ce895d4517964f6a9fe0269d30
 msgid "If :py:data:`True`, when users try to sign in with an invalid login, a message is shown indicating that the password is wrong, but does not give a clue whether the login exists or not."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.HIDE_INVALID_LOGINS:5
-#: dffe6e218f4f48e981ac5a9fa9a21e37
+#: 8203d7591b394141b0beec099e5a0c8d
 msgid "If :py:data:`False`, when a user tries to sign in with an invalid login, a message is shown indicating that the login does not exist."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.HTMX:1
-#: b200882d189b46f3a83f217ff8b59551
+#: fca447a64b184732b6664c3c20ade0ce
 msgid "Accelerates webpages loading with asynchronous requests."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.INVITATION_EXPIRATION:1
-#: 2dc15bd9ea8a4386b7202dbdbab5de36
+#: c3295518c8ce46359cb5fc8012267002
 msgid "The validity duration of registration invitations, in seconds."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.INVITATION_EXPIRATION:3
-#: c6aaae8719c34838aec54b8fea2d5101
+#: cca98367f271454987d915c9da1deecc
 msgid "Defaults to 2 days."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.JAVASCRIPT:1
-#: 70d5c7fa2dfa4e6695c84f2b4ab547c9
+#: f10d5dbbd4054185b5caff2aa7b4602c
 msgid "Enables Javascript to smooth the user experience."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LANGUAGE:1
-#: 1e1cda3ec4c04a4aaeb2069ccc8f376f
+#: caa7570c19d343d8a5350b38ab890a08
 msgid "If a language code is set, it will be used for every user."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LANGUAGE:3
-#: 6818acfcf652444db48e1c61878b6bb6
+#: 2f02910686974fa68a6b3af15a9e1c42
 msgid "If unset, the language is guessed according to the users browser."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:1
-#: 63800f5a14d44e1fa3ed0266e19f5482
+#: aad50a21706943fda6f1cde1c79762fb
 msgid "Configures the logging output using the python logging configuration format:"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:3
-#: 62d20006362a45ca8ff0f0a8fbb82bf4
+#: 75bb9ce97f514d3eb50ed11a5fcaf986
 msgid "If :data:`None`, everything is logged in the standard error output. The log level is :data:`~logging.DEBUG` if the :attr:`~canaille.app.configuration.RootSettings.DEBUG` setting is :py:data:`True`, else this is :py:data:`~logging.INFO`."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:6
-#: 44c6ded187ab4e44aac024c2cdb85303
+#: a8552f90740e4287bd06aab66b4dc85d
 msgid "If this is a :class:`dict`, it is passed to :func:`logging.config.dictConfig`:"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:7
-#: 6e269ac8b9144e9699a5856c375d7a37
+#: 1987a5781d6e42af97e3df073b29599b
 msgid "If this is a :class:`str`, it is expected to be a file path that will be passed to :func:`logging.config.fileConfig`."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.PERMISSIONS:4
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:10
-#: ba8b9d6794e2459492abfa778736328a
-#: 4d1ff118c1a44a50a962e527d1a8e2a2
+#: edd8ec5aad1047688bbbc5613d9896f5
+#: edd8ec5aad1047688bbbc5613d9896f5
 msgid "For example:"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:14
-#: 2eedaa2fba4545698dfd11007a2e0c9c
+#: 397db3f41bce4260b537ae55755badaf
 msgid "[CANAILLE.LOGGING] version = 1 formatters.default.format = \"[%(asctime)s] %(levelname)s in %(module)s: %(message)s\" root = {level = \"INFO\", handlers = [\"canaille\"]}"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGGING:19
-#: 4b44c1c288c3433fb0edba70dd9c1343
+#: 623ab6abfdc84ec38448df94e0562f97
 msgid "[CANAILLE.LOGGING.handlers.canaille] class = \"logging.handlers.WatchedFileHandler\" filename = \"/var/log/canaille.log\" formatter = \"default\""
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.LOGO:1
-#: 851b93aeb7b54426872a6b4a2ed973b9
+#: 40c46d3aa7bb4e81a857540a99eb3df9
 msgid "The logo of your organization, this is useful to make your organization recognizable on login screens."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.MAX_PASSWORD_LENGTH:1
-#: 88cd67b65c954dc7a261df77d1823cda
+#: 04c3b3e362a74164bd49cbedad027ea8
 msgid "User password maximum length."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.MAX_PASSWORD_LENGTH:3
-#: 435e72d3f33642da9016c521a88f15e6
+#: a40eddffe3bc4c46ac7624a5f7d40c8f
 msgid "There is a technical of 4096 characters with the SQL backend. If the value is 0, :data:`None`, or greater than 4096, then 4096 will be retained."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.MIN_PASSWORD_LENGTH:1
-#: b15846ed6b2a4ad49bbb19cde177023a
+#: 129e3bbcdb1c40bbb45933fe156f00b1
 msgid "User password minimum length."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.MIN_PASSWORD_LENGTH:3
-#: 820670101aa7436eb014aa61e1c1a7eb
+#: 1f84fb34d6234361b2c215fda0d8a6d9
 msgid "If 0 or :data:`None`, password won't have a minimum length."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.NAME:1
-#: a41944f564f5438fb8572449b5d13995
+#: befe22deda144065bcee73d9d0404dea
 msgid "Your organization name."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.NAME:3
-#: d61df1326c344b45b6d1c7b24e12b207
+#: 0a659d2aa1994859a59506e97a715ea7
 msgid "Used for display purpose."
 msgstr ""
 
+#: ../../docstring of canaille.core.configuration.CoreSettings.OTP_METHOD:1
+#: c0ade835e0164d5e9dcb405ff53f299e
+msgid "If OTP_METHOD is defined, then users will need to authenticate themselves using a one-time password (OTP) via an authenticator app. If set to :py:data:`TOTP`, the application will use time one-time passwords, If set to :py:data:`HOTP`, the application will use HMAC-based one-time passwords."
+msgstr ""
+
 #: ../../docstring of canaille.core.configuration.CoreSettings.PASSWORD_COMPROMISSION_CHECK_API_URL:1
-#: 4501d236ecc142e2ad045599ee19ac19
+#: 6ab659ea03d349d88fef1b5cdc9da5f8
 msgid "Have i been pwned api url for compromission checks."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.SENTRY_DSN:1
-#: 0b234cbe21824f31b27a3b3c893fd37b
+#: 42626c8f0fa24a3fbfc131099bae6302
 msgid "A `Sentry <https://sentry.io>`_ DSN to collect the exceptions."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.SENTRY_DSN:3
-#: 2eab9799f4c0478aa5479f62e826b170
+#: b29a9995f9b04c71a953d7ea902bd1f5
 msgid "This is useful for tracking errors in test and production environments."
 msgstr ""
 
+#: ../../docstring of canaille.core.configuration.CoreSettings.SMPP:1
+#: 78b26880da2746c583f686747b26f179
+msgid "The settings related to SMPP configuration."
+msgstr ""
+
+#: ../../docstring of canaille.core.configuration.CoreSettings.SMPP:3
+#: 24787179b702424697f1fe11214d1f9c
+msgid "If unset, sms-related features like sms one-time passwords won't be enabled."
+msgstr ""
+
+#: ../../docstring of canaille.core.configuration.CoreSettings.SMS_OTP:1
+#: 15d696ce895d4517964f6a9fe0269d30
+msgid "If :py:data:`True`, then users will need to authenticate themselves via a one-time password sent to their primary phone number."
+msgstr ""
+
 #: ../../docstring of canaille.core.configuration.CoreSettings.SMTP:1
-#: 79d66e38b7d94974a21563fac9a58149
+#: 78b26880da2746c583f686747b26f179
 msgid "The settings related to SMTP and mail configuration."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.SMTP:3
-#: 41d396512e7d40b28223841b21f8ed09
+#: 24787179b702424697f1fe11214d1f9c
 msgid "If unset, mail-related features like password recovery won't be enabled."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.THEME:1
-#: e327a089ace6495285f29ade69226d1b
+#: 65f9f8cf44c347b9b18a9bd8e3624c6b
 msgid "The name of a theme in the 'theme' directory, or a path to a theme."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.THEME:3
-#: 641146b41ecc461d9fa7280687a462d9
+#: a930cadcbbaf40e59f78c34a6fea099e
 msgid "Defaults to ``default``. Theming is done with `flask-themer <https://github.com/tktech/flask-themer>`_."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.TIMEZONE:1
-#: 421c3427b77b4cc4af9619406463c1c2
+#: 60a19e875a924f2ca2f466cc2a3de293
 msgid "The timezone in which datetimes will be displayed to the users (e.g. ``CEST``)."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.CoreSettings.TIMEZONE:4
-#: d8d80524578e4697a5bb9f7e83c7d113
+#: 3674c492480c4bc8877913002b54efa1
 msgid "If unset, the server timezone will be used."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.SMTPSettings:1
-#: 2f0178f9dbe747c695273f89e42da8c2
+#: 0513a51a39d44f719e5bf3b7abfe7224
 msgid "The SMTP configuration. Belong in the ``CANAILLE.SMTP`` namespace. If unset, mail related features will be disabled, such as mail verification or password recovery emails."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.SMTPSettings:5
-#: 598e1ca109154455ad98b50d8853891d
+#: 2b30db6216b44d98973d7401cd778e03
 msgid "By default, Canaille will try to send mails from localhost without authentication."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.FROM_ADDR:1
-#: 8ab9425f8a6b42dc9097b69e3eaa334a
+#: 60a234eca526445b86c8669fbfda12c5
 msgid "The sender for Canaille mails."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.FROM_ADDR:3
-#: f8f5f1377e5147d4baf9782ff95b4aa3
+#: 0ed3035ba98243e3814d51329ceac05f
 msgid "Some mail provider might require a valid sender address."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.HOST:1
-#: 9059b29ae44849efb180f3b2da128c19
+#: 734742323e1a40e482a2433adbed3cf9
 msgid "The SMTP host."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.LOGIN:1
-#: 0bf8168dc84545cb810a8f25bbb4abf7
+#: 6b56c482d9274a7d9b308055ce3d8b07
 msgid "The SMTP login."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.PASSWORD:1
-#: ec1b4f81894e45f5abcae80dfaee87a9
+#: 8ca424cbdc7647a99400ae460510a183
 msgid "The SMTP password."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.PORT:1
-#: 514104bb8bcc4331b1e7fff12e550ba3
+#: f581660baf5a4637974640c3d253692f
 msgid "The SMTP port."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.SSL:1
-#: f4e65d7811cb43d5b7d86ec07af2576d
+#: 129075d9b7284662b50893663f3b3c74
 msgid "Whether to use SSL to connect to the SMTP server."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.SMTPSettings.TLS:1
-#: bd8dac0e38f14b6583d024fca1768b7d
+#: b34e44fef5b24697bab696419b926d6d
 msgid "Whether to use TLS to connect to the SMTP server."
 msgstr ""
 
+#: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.SMPPSettings:1
+#: 0513a51a39d44f719e5bf3b7abfe7224
+msgid "The SMPP configuration. Belong in the ``CANAILLE.SMPP`` namespace. If not set, sms related features such as sms one-time passwords will be disabled."
+msgstr ""
+
+#: ../../docstring of canaille.core.configuration.SMPPSettings.HOST:1
+#: 734742323e1a40e482a2433adbed3cf9
+msgid "The SMPP host."
+msgstr ""
+
+#: ../../docstring of canaille.core.configuration.SMPPSettings.LOGIN:1
+#: 6b56c482d9274a7d9b308055ce3d8b07
+msgid "The SMPP login."
+msgstr ""
+
+#: ../../docstring of canaille.core.configuration.SMPPSettings.PASSWORD:1
+#: 8ca424cbdc7647a99400ae460510a183
+msgid "The SMPP password."
+msgstr ""
+
+#: ../../docstring of canaille.core.configuration.SMPPSettings.PORT:1
+#: 0780176282814cd1ad4ceb1567e2f160
+msgid "The SMPP port. Use 8775 for SMPP over TLS (recommended)."
+msgstr ""
+
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.ACLSettings:1
-#: 45f3089188214078ab06f2b1cff3b0e0
+#: ddbf39ff35684a7c8be7dd8442348d9b
 msgid "Access Control List settings. Belong in the ``CANAILLE.ACL`` namespace."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.ACLSettings:3
-#: 733df203b313404eb417f40ed8708a2e
+#: fb2bf8e9b559475fa0da8a5a9a716d1b
 msgid "You can define access controls that define what users can do on canaille. An access control consists in a :attr:`FILTER` to match users, a list of :attr:`PERMISSIONS` matched users will be able to perform, and fields users will be able to :attr:`READ` and :attr:`WRITE`. Users matching several filters will cumulate permissions."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.FILTER:1
-#: a14933a4c7244138bb59a43c9d288955
+#: 44a6412c07e74f10991a803bec3ffd5b
 msgid ":attr:`FILTER` can be:"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.FILTER:3
-#: d0f71dfab2ec47fca2184767e58eec59
+#: a46c99d48a184f8f9cbbd60fd0113bd9
 msgid ":py:data:`None`, in which case all the users will match this access control"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.FILTER:4
-#: e33849bb0c954228951cb18c56a9e70d
+#: 3b80807a79704eb9b5c53f31319a334f
 msgid "a mapping where keys are user attributes name and the values those user attribute values. All the values must be matched for the user to be part of the access control."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.FILTER:7
-#: 2ed07fdd7da94cfd90167b2d1f4cb4eb
+#: 53ad291e288c490abd5b1e854132a0ef
 msgid "a list of those mappings. If a user values match at least one mapping, then the user will be part of the access control"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.FILTER:10
-#: 657a11f5921947b88bfc47cf8affbe00
+#: eb01b4eb724941cab7f44d69c0627b1e
 msgid "Here are some examples::"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.PERMISSIONS:1
-#: df95253032c647229909e34386b1e5cc
+#: 75a4d0c394fa4aebbb48d077e63aa0f0
 msgid "A list of :class:`Permission` users in the access control will be able to manage."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.PERMISSIONS:8
-#: 700fa74aeea44e9aa6dd204df7870e90
+#: 721eb691ae3e4151a5eaf811c2a1b01c
 msgid "PERMISSIONS = [\"manage_users\", \"manage_groups\", \"manage_oidc\", \"delete_account\", \"impersonate_users\"]"
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.READ:1
-#: ab801708874c4b1bb937f62969614340
+#: d3e143b82c304e238a797124231f644f
 msgid "A list of :class:`~canaille.core.models.User` attributes that users in the ACL will be able to read."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.ACLSettings.WRITE:1
-#: 384d296240314638a1f1b6b7719c6bb6
+#: cd5c4a6863b3455795388ea58d2f8ff1
 msgid "A list of :class:`~canaille.core.models.User` attributes that users in the ACL will be able to edit."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.Permission:1
-#: f9eec27878c64e608b2783b5e89172ed
+#: d0fc68105eb54d359eb01628902767b5
 msgid "The permissions that can be assigned to users."
 msgstr ""
 
 #: ../../canaille/core/configuration.py:docstring of canaille.core.configuration.Permission:3
-#: 217cf0cc0b9b4a48a26abeaad488c131
+#: 8f3355f64e2c490ab0e8b4765dca8781
 msgid "The permissions are intended to be used in :attr:`ACLSettings <canaille.core.configuration.ACLSettings.PERMISSIONS>`."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.DELETE_ACCOUNT:1
-#: 370dec6e2b8049d0b7353b085340b102
+#: 500cfd5a09554ac0b3efb8801a314e38
 msgid "Allows users to delete their account."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.DELETE_ACCOUNT:3
-#: f7be239942c94727a948d27c6c93408e
+#: cca431c321484569862b3a05616c7907
 msgid "If used with :attr:`~canaille.core.configuration.Permission.MANAGE_USERS`, users can delete any account."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.EDIT_SELF:1
-#: 1f716bb0d0ec481ab5dff0a02f5c9e37
+#: 6dc188b41f5440319e87c333aea28060
 msgid "Allows users to edit their own profile."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.IMPERSONATE_USERS:1
-#: c9018bb9aceb40bc9536cc03320c5bad
+#: 113e6c4d2b714be79d746c84a0bde30a
 msgid "Allows users to take the identity of another user."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.MANAGE_GROUPS:1
-#: 1072c369689f4922997715eb5337795a
+#: 9531fd7773fe46f78f3da23f5d7e6f02
 msgid "Allows group edition and creation."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.MANAGE_OIDC:1
-#: 014b4028381e4f4d8dcc8dc8a5e3a26f
+#: 6a14ecfbecc7402b90c1f984af552750
 msgid "Allows OpenID Connect client managements."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.MANAGE_USERS:1
-#: ff39df8edc7143c7b23d22bb773b5198
+#: 7d115497bd7e4284b71cee12f6012e06
 msgid "Allows other users management."
 msgstr ""
 
 #: ../../docstring of canaille.core.configuration.Permission.USE_OIDC:1
-#: c7e27c4618a9460e8373c17f558f8d1e
+#: 5e48261fd5c9437eb453e703f93703b5
 msgid "Allows OpenID Connect authentication."
 msgstr ""
 
 #: ../../canaille/oidc/configuration.py:docstring of canaille.oidc.configuration.OIDCSettings:1
-#: e2e226bd197b4d6f87291ee45a3004ef
+#: 63057e3d73a14c63bbe40bc95a0e4c84
 msgid "OpenID Connect settings."
 msgstr ""
 
 #: ../../canaille/oidc/configuration.py:docstring of canaille.oidc.configuration.OIDCSettings:3
-#: db9af81a48ac4b1a914370a2e47bf4e0
+#: 035105e6e931419a8302feadec577ed6
 msgid "Belong in the ``CANAILLE_OIDC`` namespace."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.OIDCSettings.DYNAMIC_CLIENT_REGISTRATION_OPEN:1
-#: 092f0d4259994eb8b834b256a8f72453
+#: fba0c11bf0f648909450d12e1ceffdb9
 msgid "Whether a token is needed for the RFC7591 dynamical client registration."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.OIDCSettings.DYNAMIC_CLIENT_REGISTRATION_OPEN:3
-#: 506f1fcd0f424df4bdafd9a69307f645
+#: f5ba930ce26f4588b539da7703aafd4d
 msgid "If :py:data:`True`, no token is needed to register a client. If :py:data:`False`, dynamical client registration needs a token defined in :attr:`DYNAMIC_CLIENT_REGISTRATION_TOKENS`."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.OIDCSettings.DYNAMIC_CLIENT_REGISTRATION_TOKENS:1
-#: 30861c9a3a294daf8105dd5ac9007282
+#: 092b15419a354a5888a9f80ab6194696
 msgid "A list of tokens that can be used for dynamic client registration."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.OIDCSettings.JWT:1
-#: 04e054bb3d094e4ea8f23ab6fdec9bf6
+#: 9cd2e236fdb14317b0ffed9a3d2608bb
 msgid "JSON Web Token settings."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.OIDCSettings.REQUIRE_NONCE:1
-#: 95b1ee4fd0da4ec2b30beb3e25944cd9
+#: fa7308da6bb547ae821995b6d7995ad1
 msgid "Force the nonce exchange during the authentication flows."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.OIDCSettings.REQUIRE_NONCE:3
-#: de680082bc4546a6883ff4826df0067b
+#: 0c8ebdd95ff84eca839a0b3e755815e8
 msgid "This adds security but may not be supported by all clients."
 msgstr ""
 
 #: ../../canaille/oidc/configuration.py:docstring of canaille.oidc.configuration.JWTSettings:1
-#: 750fbe7d77954d87855e68d3199c81e7
+#: 37bc9fb542044bd794610b97da9255f3
 msgid "JSON Web Token settings. Belong in the ``CANAILLE_OIDC.JWT`` namespace."
 msgstr ""
 
 #: ../../canaille/oidc/configuration.py:docstring of canaille.oidc.configuration.JWTSettings:3
-#: 03945dc4192c4f7abefbcd2b5c7c2bd9
+#: 13ef6c0a21924214b46130443a178a3b
 msgid "You can generate a RSA keypair with::"
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.ALG:1
-#: d65a4aaf4cb64130ac59c97cddcffb0b
+#: d2bc59d1182f47bea20962eb0acc5690
 msgid "The key algorithm."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.EXP:1
-#: c0c460480db94b1a9ebceea06528d426
+#: f282a838950942ea9e15a209546aece5
 msgid "The time the JWT will be valid, in seconds."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.ISS:1
-#: 6501426215db4b27b7b5d217954ca6be
+#: 8ad74727c039426d84a5df7154d85088
 msgid "The URI of the identity provider."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.KTY:1
-#: 3e338458e42e405fb025bfcfc53688f4
+#: cc46bfa52a58479ebeeabc645f0efbee
 msgid "The key type."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.PRIVATE_KEY:1
-#: 27a15f235d63447884175edd85e55cf4
+#: 521a0d91f9c54a45b362036aeabf476b
 msgid "The private key."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.PRIVATE_KEY:3
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.PUBLIC_KEY:3
-#: 29d2c1b105e74d46b80db01b78954711
-#: 29d2c1b105e74d46b80db01b78954711
+#: 8f11d684881944cd8a2e7a7bcbb48c48
+#: 8f11d684881944cd8a2e7a7bcbb48c48
 msgid "If :py:data:`None` and debug mode is enabled, then an in-memory key will be used."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.configuration.JWTSettings.PUBLIC_KEY:1
-#: e88605c89e4b47989186fd27e5aff172
+#: f0f19ad86cb94cc7b63447e2a6d6ef56
 msgid "The public key."
 msgstr ""
 
 #: ../../canaille/oidc/configuration.py:docstring of canaille.oidc.configuration.JWTMappingSettings:1
-#: 235687b99f2c408aaf1c063061975f77
+#: 1380be8739ba4fbab5425af1c0253066
 msgid "Mapping between the user model and the JWT fields."
 msgstr ""
 
 #: ../../canaille/oidc/configuration.py:docstring of canaille.oidc.configuration.JWTMappingSettings:3
-#: ebe87d5efdaa458b97451b5ab4fdeb3d
+#: 6f4c5c2cbd07499c972d2f1ab29ffa1e
 msgid "Fields are evaluated with jinja. A ``user`` var is available."
 msgstr ""
 
 #: ../../canaille/backends/sql/configuration.py:docstring of canaille.backends.sql.configuration.SQLSettings:1
-#: b7ccdac0ebd14f47be2d77ea52bd75d7
+#: 8a43c250075c4918b0ce4204fa803047
 msgid "Settings related to the SQL backend."
 msgstr ""
 
 #: ../../canaille/backends/sql/configuration.py:docstring of canaille.backends.sql.configuration.SQLSettings:3
-#: 07e03b184cb54e0a92ca3a33033da5cd
+#: 038af6ccc90c4711bf2630c27656a810
 msgid "Belong in the ``CANAILLE_SQL`` namespace."
 msgstr ""
 
 #: ../../docstring of canaille.backends.sql.configuration.SQLSettings.DATABASE_URI:1
-#: 4d1ff118c1a44a50a962e527d1a8e2a2
+#: 1aacc345a8b74b12af594ae00bb018d6
 msgid "The SQL server URI. For example:"
 msgstr ""
 
 #: ../../docstring of canaille.backends.sql.configuration.SQLSettings.DATABASE_URI:6
-#: 4bb9ca2e412a461caacf1a146582247f
+#: 677e3555144149ed9ca260747ac80af7
 msgid "DATABASE_URI = \"postgresql://user:password@localhost/database_name\""
 msgstr ""
 
 #: ../../canaille/backends/ldap/configuration.py:docstring of canaille.backends.ldap.configuration.LDAPSettings:1
-#: e656ae1d120e45109618f653d29d845e
+#: 3f3caf7b34464a66a3616e93568df5d0
 msgid "Settings related to the LDAP backend."
 msgstr ""
 
 #: ../../canaille/backends/ldap/configuration.py:docstring of canaille.backends.ldap.configuration.LDAPSettings:3
-#: 9877879932a3406b87f9893f4a6bf8f3
+#: dfa0746894e344faa806b939a64e1bc4
 msgid "Belong in the ``CANAILLE_LDAP`` namespace."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.BIND_DN:1
-#: 96d852cc067c459cabfcc201a7271cf0
+#: 6bfbb516f18341ccb29ba837eee1182e
 msgid "The LDAP bind DN."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.BIND_PW:1
-#: 084f3814a8604375aed794d649845045
+#: 2f6f3c3c7b4946898c03f95709e8ada4
 msgid "The LDAP bind password."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.GROUP_BASE:1
-#: 8f56c7d2bfb348afbcc36de24398dfac
+#: 6d51a73361254d7b83fce929ae2b6b37
 msgid "The LDAP node under which groups will be looked for and saved."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.GROUP_BASE:3
-#: 58cf9c9e87464b709e4e8508577fbd63
+#: 59bb594131944870a7bdbffcec6cb47b
 msgid "For instance `\"ou=groups,dc=mydomain,dc=tld\"`."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.GROUP_CLASS:1
-#: 3b6a2121763e4302aa1780cb6d51d9d6
+#: 6ef1fa2af1cb49d48dc49e16da349186
 msgid "The object class to use for creating new groups."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.GROUP_NAME_ATTRIBUTE:1
-#: 10d8bb8232bf4b30b6c631847ea70b2b
+#: 6b02bb2acfa949848ac24822ba9e65a2
 msgid "The attribute to use to identify a group."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.GROUP_RDN:1
-#: 688132cb0d4e4f27973a02406d50edaa
+#: d4b05df5c7c44d4aa00e29be5efbe08b
 msgid "The attribute to identify an object in the Group DN."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.ROOT_DN:1
-#: 4428b1de4b664a55b077caa3969d6769
+#: 1dfee889fb7348d39a4fd73315b92f0f
 msgid "The LDAP root DN."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.TIMEOUT:1
-#: 5a175d6a66e445458ee6bc473d614a45
+#: bf016c8880b2441ebc1f7eb63c472e1f
 msgid "The LDAP connection timeout."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.URI:1
-#: 3172b80b5b86434699f226a3b713c52f
+#: f2d63d56281a4ac9bf59a566fca49efb
 msgid "The LDAP server URI."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.USER_BASE:1
-#: 0e03c3262f504b79b84847041ee442e5
+#: 2b9e8a84a0a741dba1b0eb8183d14a91
 msgid "The LDAP node under which users will be looked for and saved."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.USER_BASE:3
-#: e1d16301542b40929d9e65c9a949b303
+#: 7e3ac032d5bd418482f13ab7c81d1515
 msgid "For instance `ou=users,dc=mydomain,dc=tld`."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.USER_CLASS:1
-#: 92a1f8f8665848c9aaf4d5f9f1f3b6b7
+#: 5791e76405f94f38b07650cf43719cf8
 msgid "The object class to use for creating new users."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.USER_FILTER:1
-#: 228fcd64b4704fa0b4ea52ab85f48f08
+#: d5ccfe3b5d7e438389f98cad6718a9d0
 msgid "Filter to match users on sign in."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.USER_FILTER:3
-#: f61c66f7c0e94e67ae5a4ce5de0dc548
+#: 737d190e512f480a9227e6fe72f96c26
 msgid "For instance ``(|(uid={{ login }})(mail={{ login }}))``. Jinja syntax is supported and a ``login`` variable is available, containing the value passed in the login field."
 msgstr ""
 
 #: ../../docstring of canaille.backends.ldap.configuration.LDAPSettings.USER_RDN:1
-#: d49e7765b3d6440d9fdcb0ecb18c06c1
+#: b7d504ef3c74424abeccc8ad35072d0f
 msgid "The attribute to identify an object in the User DN."
 msgstr ""
 
-#: ../references/configuration.rst:90
-#: c4674c5a1b434e81944983c7ec2fb0f1
+#: ../references/configuration.rst:91
+#: d0a193b9740940ceac9bbb0b609c7b38
 msgid "Example file"
 msgstr ""
 
-#: ../references/configuration.rst:92
-#: 87c3dcb2ef5a4f649ec0fa9005449a79
+#: ../references/configuration.rst:93
+#: 380ab48a596a497789c004a25fd645c8
 msgid "Here is a configuration file example:"
 msgstr ""
 
 #: ../references/index.rst:2
-#: 51ac90bb647f41b69879253e3e7c475e
+#: 7aedfd273422477bb60f319eb4c1eb09
 msgid "References"
 msgstr ""
 
 #: ../references/models.rst:2
-#: bf9a972313e94c6aa0e72470dfc9677c
+#: 40ab2b878a534ca38780473aa8c0dd24
 msgid "Data models"
 msgstr ""
 
 #: ../references/models.rst:4
-#: 620f9112555349eba4cc5daecdb72217
+#: fc86419b230d4b3ea107617213675e38
 msgid "This reference details the data models used by Canaille. This is mostly useful for developers."
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.BackendModel:1
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.Model:1
-#: b407db3f81d14e789f9f7f2e2bec7613
-#: b29fcc3a6bdc4ee582d1e14851e430b7
+#: af7b8f2e8eae457f8451e659c3213675
+#: 0d1f4ecf6c974902b15375ec2f545d11
 msgid "Bases: :py:class:`object`"
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.BackendModel:1
-#: 664ca63468e648ddb0b2f2f957139ae9
+#: 5c4d9070fe3a46a695c06ef143b7b3e0
 msgid "The backend model abstract class."
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.BackendModel:3
-#: e16c978524f44a57affe6f2e15fdb5e2
+#: 51d88470412841bdb28daefe752259c8
 msgid "It details all the methods and attributes that are expected to be implemented for every model and for every backend."
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.Model:1
-#: 9f46b7e1801e4a57a346c598161cbdac
+#: 91a5b49dc4f54e4ba3acea5e80114ad6
 msgid "The model abstract class."
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.Model:3
-#: f4dad754b1d7448f842620b4f7b6069b
+#: 05f702c2e3324742a9840c46621f02e7
 msgid "It details all the common attributes shared by every models."
 msgstr ""
 
 #: ../../docstring of canaille.backends.models.Model.created:1
-#: 8685782e932b476a8b6f80256ebca659
+#: 55c80d78a6514379b68db68d53d08628
 msgid "The :class:`~datetime.datetime` that the resource was added to the service provider."
 msgstr ""
 
 #: ../../docstring of canaille.backends.models.Model.id:1
-#: 112d9fd0a032418682875fe5f5685fc8
+#: 6c1d3282e98e4d7b96213c626e92665a
 msgid "A unique identifier for a SCIM resource as defined by the service provider. Id will be :py:data:`None` until the :meth:`~canaille.backends.models.BackendModel.save` method is called."
 msgstr ""
 
 #: ../../docstring of canaille.backends.models.Model.id:5
-#: fe3e4be3b44b43ebbbd11fe81fdc2613
+#: 64c1848034b34d2086fa0d50e1b94a98
 msgid "Each representation of the resource MUST include a non-empty \"id\" value.  This identifier MUST be unique across the SCIM service provider's entire set of resources.  It MUST be a stable, non- reassignable identifier that does not change when the same resource is returned in subsequent requests.  The value of the \"id\" attribute is always issued by the service provider and MUST NOT be specified by the client.  The string \"bulkId\" is a reserved keyword and MUST NOT be used within any unique identifier value.  The attribute characteristics are \"caseExact\" as \"true\", a mutability of \"readOnly\", and a \"returned\" characteristic of \"always\".  See Section 9 for additional considerations regarding privacy."
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.Model.identifier:1
-#: 4f16f8a2628746e0bbb013e0ebdd53de
+#: bd6bdb35102f4e4d803a072d6c012255
 msgid "Returns a unique value that will be used to identify the model instance."
 msgstr ""
 
 #: ../../canaille/backends/models.py:docstring of canaille.backends.models.Model.identifier:4
-#: 570af0c54d8a4b9ca5e1180a154578c6
+#: 3ee0208a12e4453abe733d48f8046054
 msgid "This value will be used in URLs in canaille, so it should be unique and short."
 msgstr ""
 
 #: ../../docstring of canaille.backends.models.Model.last_modified:1
-#: a64d636f5ae843698bae18cbc27adae5
+#: 339106d4e64c4cce82c7b4eb3e783713
 msgid "The most recent :class:`~datetime.datetime` that the details of this resource were updated at the service provider."
 msgstr ""
 
 #: ../../docstring of canaille.backends.models.Model.last_modified:4
-#: 1478742051c64d3c8e8cb44b101c2337
+#: c7d7e9d90b744b41ac4899977c14174f
 msgid "If this resource has never been modified since its initial creation, the value MUST be the same as the value of :attr:`~canaille.backends.models.Model.created`."
 msgstr ""
 
@@ -4641,1023 +4856,1135 @@ msgstr ""
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.Client:1
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.Consent:1
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.Token:1
-#: 31058fb082044629ab68e330524f37d4
-#: 963c873782434df6bc7a6314e406858e
-#: ec3b5ed7c8e94f728377c74990bc94e6
-#: fac7abe230f5419eadc03a768bc0872c
-#: 1269097fb76b42c29248af6773628ec4
-#: 25aa111736e44c4ea89c97864274d146
+#: d3ae97f457864dbf953ac9a3cfc043e2
+#: c8d3896a864d4331a8d5532b312376db
+#: c1c3e9ca21a04c1d851e4a75082b1c90
+#: c1c3e9ca21a04c1d851e4a75082b1c90
+#: c1c3e9ca21a04c1d851e4a75082b1c90
+#: c1c3e9ca21a04c1d851e4a75082b1c90
 msgid "Bases: :py:class:`~canaille.backends.models.Model`"
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.Group:1
-#: d8d4759602c44e048e0d4f053dc5c895
+#: fcf6434c92de4c0e9ae1790f19a43d8c
 msgid "User model, based on the `SCIM Group schema <https://datatracker.ietf.org/doc/html/rfc7643#section-4.2>`_."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.Group.display_name:1
-#: f557ae62a380458ca1e212165ff7ebd2
+#: 6ae4c021384e45b3b90ca7840c9caa48
 msgid "A human-readable name for the Group."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.Group.display_name:3
 #: ../../docstring of canaille.oidc.basemodels.Client.client_id:1
-#: 3a782effac4c44f2b4084280c168f909
-#: 038998149ec146249f6cd7993b6ea7c2
+#: 94bf457053a8408a80e8157f385e6127
+#: 8ef14562e7c1440e89a45a65c05b07c4
 msgid "REQUIRED."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.Group.members:1
-#: 83c94299de834bb7899fc5d919567ddf
+#: 0b61dbdad02b48bbb9a9ace3f9ce130a
 msgid "A list of members of the Group."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.Group.members:3
-#: f8395458983d4efd966c1f2bd3e771dc
+#: 4f5d6c5417ce40c39617fed66f507f2d
 msgid "While values MAY be added or removed, sub-attributes of members are \"immutable\".  The \"value\" sub-attribute contains the value of an \"id\" attribute of a SCIM resource, and the \"$ref\" sub-attribute must be the URI of a SCIM resource such as a \"User\", or a \"Group\".  The intention of the \"Group\" type is to allow the service provider to support nested groups.  Service providers MAY require clients to provide a non-empty value by setting the \"required\" attribute characteristic of a sub-attribute of the \"members\" attribute in the \"Group\" resource schema."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User:1
-#: 3de74c338e4e45d4ada0909e1d6a2c1d
+#: ea9a3214f2fe40079b36d4acc3993d0b
 msgid "User model, based on the `SCIM User schema <https://datatracker.ietf.org/doc/html/rfc7643#section-4.1>`_, `Entreprise User Schema Extension <https://datatracker.ietf.org/doc/html/rfc7643#section-4.3>`_ and `SCIM Password Management Extension <https://datatracker.ietf.org/doc/html/draft-hunt-scim-password-mgmt-00.html>`_ draft. Attribute description is based on SCIM and put there for information purpose. The description may not fit the current implementation in Canaille."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User.can:1
-#: dd44c29c7f88458e923a6bdc89ff4bd8
+#: 50465e6a043e4772901bbc25136c15c7
 msgid "Whether or not the user has the :class:`~canaille.core.configuration.Permission` according to the :class:`configuration <canaille.core.configuration.ACLSettings>`."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.department:1
-#: d09b761f1c3d4bcda3c7c5841cb86768
+#: 300ebcf15c3d4ee8b50478aa38113f2f
 msgid "Identifies the name of a department."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.display_name:1
-#: 7a92e34396f14701a901c6342ba43372
+#: 44d18f2b6f5147d7bb381e18daf093e3
 msgid "The name of the user, suitable for display to end-users."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.display_name:3
-#: e89fec83b2eb42deaac70264489240e3
+#: c04b6da17ce14862afd1911eb9fda1fd
 msgid "Each user returned MAY include a non-empty displayName value.  The name SHOULD be the full name of the User being described, if known (e.g., \"Babs Jensen\" or \"Ms. Barbara J Jensen, III\") but MAY be a username or handle, if that is all that is available (e.g., \"bjensen\").  The value provided SHOULD be the primary textual label by which this User is normally displayed by the service provider when presenting it to end-users."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.emails:1
-#: 5383ce6b712040c4a0bba18c1bbef93d
+#: c7a7d69b175742f692f41bfdff6d3957
 msgid "Email addresses for the User."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.emails:3
-#: dcbfe09f878141a4bd5a20b9e2d9b6da
+#: 63f46cb0c21a4fa4b8b0a720c8d14248
 msgid "The value SHOULD be specified according to [RFC5321].  Service providers SHOULD canonicalize the value according to [RFC5321], e.g., \"bjensen@example.com\" instead of \"bjensen@EXAMPLE.COM\".  The \"display\" sub-attribute MAY be used to return the canonicalized representation of the email value. The \"type\" sub-attribute is used to provide a classification meaningful to the (human) user.  The user interface should encourage the use of basic values of \"work\", \"home\", and \"other\" and MAY allow additional type values to be used at the discretion of SCIM clients."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.employee_number:1
-#: 6cc0c003bd234628a0bc0a0c27cccaee
+#: 3c9e8a305a2e45188d1991241730c384
 msgid "A string identifier, typically numeric or alphanumeric, assigned to a person, typically based on order of hire or association with an organization."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.family_name:1
-#: db1cbc1b88a44555ac36431d951ed1bc
+#: dd49515b6ca4486487bbb848d32ec95d
 msgid "The family name of the User, or last name in most Western languages (e.g., \"Jensen\" given the full name \"Ms. Barbara Jane Jensen, III\")."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.formatted_address:1
-#: 19bb2c52eb2747a8bae2df988b0f3226
+#: f80305cee214421eb76ae29dd6697765
 msgid "The full mailing address, formatted for display or use with a mailing label."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.formatted_address:4
-#: aaf2f2de713c468a8388bd976795c621
+#: 85a0ba3e7b064d75b6bb0f9135fb23c1
 msgid "This attribute MAY contain newlines."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.formatted_name:1
-#: 6e02928b97a944b5929f0002f9c7b70c
+#: 4e458944ffe74d00bfc78e91f7f4b925
 msgid "The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., \"Ms. Barbara Jane Jensen, III\")."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.given_name:1
-#: 0adf168d41024021aca8fcbf22e2b575
+#: f44fded253494128a007b56f7303dc14
 msgid "The given name of the User, or first name in most Western languages (e.g., \"Barbara\" given the full name \"Ms. Barbara Jane Jensen, III\")."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.groups:1
-#: ef755a48c32047c187a2405190a88b07
+#: e31e09adf6404439bf17d6aab21fff32
 msgid "A list of groups to which the user belongs, either through direct membership, through nested groups, or dynamically calculated."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.groups:4
-#: 0d7136476f7649ddad322de96971e938
+#: c05221c0bcca4718bfa6fdb9519fe95e
 msgid "The values are meant to enable expression of common group-based or role-based access control models, although no explicit authorization model is defined.  It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the service provider.  The canonical types \"direct\" and \"indirect\" are defined to describe how the group membership was derived.  Direct group membership indicates that the user is directly associated with the group and SHOULD indicate that clients may modify membership through the \"Group\" resource. Indirect membership indicates that user membership is transitive or dynamic and implies that clients cannot modify indirect group membership through the \"Group\" resource but MAY modify direct group membership through the \"Group\" resource, which may influence indirect memberships.  If the SCIM service provider exposes a \"Group\" resource, the \"value\" sub-attribute MUST be the \"id\", and the \"$ref\" sub-attribute must be the URI of the corresponding \"Group\" resources to which the user belongs.  Since this attribute has a mutability of \"readOnly\", group membership changes MUST be applied via the \"Group\" Resource (Section 4.2).  This attribute has a mutability of \"readOnly\"."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User.has_password:1
-#: 034f9fa73a5d455382726ac4b448c136
+#: 995c5dd87f84486b866861819560cddf
 msgid "Check whether a password has been set for the user."
 msgstr ""
 
+#: ../../docstring of canaille.core.models.User.hotp_counter:1
+#: b20ebcdbcb5844738f1587b2713c1ee3
+msgid "HMAC-based One Time Password counter, used for two-factor authentication."
+msgstr ""
+
+#: ../../docstring of canaille.core.models.User.last_otp_login:1
+#: aeffd6550ea64663ab67d8acca53691b
+msgid "A DateTime indicating when the user last logged in with a one-time password. This attribute is currently used to check whether the user has activated one-time password authentication or not."
+msgstr ""
+
 #: ../../docstring of canaille.core.models.User.locality:1
-#: 3d50110e459f4ba3b06af609c8f2bef8
+#: 6392444bc3f54ec2b7a2e6d76dcebfd9
 msgid "The city or locality component."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.lock_date:1
-#: bc9386fb2f7c41cc82308c45d919feb9
+#: 52b1f476fb584fa89da42a63597ba27d
 msgid "A DateTime indicating when the resource was locked."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User.locked:1
-#: 8f227ede6e584fda946d50e86049afcb
+#: 11adeee0c9264a899a29f6650947d5f9
 msgid "Whether the user account has been locked or has expired."
 msgstr ""
 
+#: ../../docstring of canaille.core.models.User.one_time_password:1
+#: 6e8fc6e79f3d45ac804673abaed8ae41
+msgid "One time password used for email or sms two-factor authentication."
+msgstr ""
+
+#: ../../docstring of canaille.core.models.User.one_time_password_emission_date:1
+#: 51fa37f2cd494b699222475514856ecf
+msgid "A DateTime indicating when the user last emitted an email or sms one-time password."
+msgstr ""
+
 #: ../../docstring of canaille.core.models.User.organization:1
-#: 39b14adbf8ad42b39c2cdd9fb0fcf96c
+#: 7f2c3e4f3c354bedbccde4710263b02f
 msgid "Identifies the name of an organization."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:1
-#: a4ec9a6f72834b47b82db401e1ebed2f
+#: 072e6b6f57ea480eb08da8b2014e78fc
 msgid "This attribute is intended to be used as a means to set, replace, or compare (i.e., filter for equality) a password.  The cleartext value or the hashed value of a password SHALL NOT be returnable by a service provider.  If a service provider holds the value locally, the value SHOULD be hashed.  When a password is set or changed by the client, the cleartext password SHOULD be processed by the service provider as follows:"
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:9
-#: 4a4c0608f0ac4739bbb358ebfffbc94c
+#: ad7fb50b57bf4a0eaf4e0e96899afad2
 msgid "Prepare the cleartext value for international language comparison.  See Section 7.8 of [RFC7644]."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:12
-#: 770cfb12f1c943188e281ef2e527ccb2
+#: 46d03fb43b2e40cc9f2ad6ea3dd511ff
 msgid "Validate the value against server password policy.  Note: The definition and enforcement of password policy are beyond the scope of this document."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:16
-#: 736bf805f27d4dfb8c1292b5afaca0be
+#: 72ece62774ba4f9c9ef5ddf163d12af4
 msgid "Ensure that the value is encrypted (e.g., hashed).  See Section 9.2 for acceptable hashing and encryption handling when storing or persisting for provisioning workflow reasons."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:20
-#: 605f5a91894e42ee9d14686ae2f346cd
+#: 094d9a68c6b743f3af8832f6fe75e71e
 msgid "A service provider that immediately passes the cleartext value on to another system or programming interface MUST pass the value directly over a secured connection (e.g., Transport Layer Security (TLS)).  If the value needs to be temporarily persisted for a period of time (e.g., because of a workflow) before provisioning, then the value MUST be protected by some method, such as encryption."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:28
-#: 198ed93545fe467ea461cef9a184362c
+#: a4f2fcdde65c4774a2cb672677275686
 msgid "Testing for an equality match MAY be supported if there is an existing stored hashed value.  When testing for equality, the service provider:"
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:32
-#: becd82e6d299471d94ab4906ce105218
+#: 7595e72df7db44f9b6c42796e830f12b
 msgid "Prepares the filter value for international language comparison.  See Section 7.8 of [RFC7644]."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:35
-#: ca91b3fdd3ae434dbb47d55b73ccbcb2
+#: 61b66fa2e8814634889657f8d0edfab0
 msgid "Generates the salted hash of the filter value and tests for a match with the locally held value."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.password:38
-#: 0c4d62a31f2d442981432c2f841abdac
+#: a7cfcbc3765b4f78a7155e4dd9415a1e
 msgid "The mutability of the password attribute is \"writeOnly\", indicating that the value MUST NOT be returned by a service provider in any form (the attribute characteristic \"returned\" is \"never\")."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.phone_numbers:1
-#: 636757499c76498ca8a1cbad6ea4fbb7
+#: 9c94598375724785b44ef15df37f51e4
 msgid "Phone numbers for the user."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.phone_numbers:3
-#: dabf654512714fda965fded70f74aeac
+#: 5dd8841664b34a61b816f4809063e0c2
 msgid "The value SHOULD be specified according to the format defined in [RFC3966], e.g., 'tel:+1-201-555-0123'.  Service providers SHOULD canonicalize the value according to [RFC3966] format, when appropriate.  The \"display\" sub-attribute MAY be used to return the canonicalized representation of the phone number value.  The sub- attribute \"type\" often has typical values of \"work\", \"home\", \"mobile\", \"fax\", \"pager\", and \"other\" and MAY allow more types to be defined by the SCIM clients."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.photo:1
-#: 27d8a36d06ce46858ed9974cfb3a9a9b
+#: 291043b969b54c499248e5cd4137ba46
 msgid "A URI that is a uniform resource locator (as defined in Section 1.1.3 of [RFC3986]) that points to a resource location representing the user's image."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.photo:5
-#: 8d0e8ca2555c48b0aad26fa7fdb102cf
+#: d20c5f4d9f154642a7e5197897542d16
 msgid "The resource MUST be a file (e.g., a GIF, JPEG, or PNG image file) rather than a web page containing an image.  Service providers MAY return the same image in different sizes, although it is recognized that no standard for describing images of various sizes currently exists.  Note that this attribute SHOULD NOT be used to send down arbitrary photos taken by this user; instead, profile photos of the user that are suitable for display when describing the user should be sent. Instead of the standard canonical values for type, this attribute defines the following canonical values to represent popular photo sizes: \"photo\" and \"thumbnail\"."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.postal_code:1
-#: ca9c10bc74eb4a2b90365bbd3473b1be
+#: 43d41ad405ca4db99f51e8c857e137e3
 msgid "The zip code or postal code component."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.preferred_language:1
-#: 5c7d29d6e6334161b21068010f566af2
+#: c8f7b6dd86d646f191246ff0070da604
 msgid "Indicates the user's preferred written or spoken languages and is generally used for selecting a localized user interface."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.preferred_language:4
-#: c45f7e1feb59446daa9dbea7cce24305
+#: 7bf574c66b664d229948814478d62a8a
 msgid "The value indicates the set of natural languages that are preferred. The format of the value is the same as the HTTP Accept-Language header field (not including \"Accept-Language:\") and is specified in Section 5.3.5 of [RFC7231].  The intent of this value is to enable cloud applications to perform matching of language tags [RFC4647] to the user's language preferences, regardless of what may be indicated by a user agent (which might be shared), or in an interaction that does not involve a user (such as in a delegated OAuth 2.0 [RFC6749] style interaction) where normal HTTP Accept-Language header negotiation cannot take place."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.profile_url:1
-#: 267adc8c4ecf4750a9db3464eb2b8573
+#: 1cb9deea306246f8a148e8cd469da0d8
 msgid "A URI that is a uniform resource locator (as defined in Section 1.1.3 of [RFC3986]) and that points to a location representing the user's online profile (e.g., a web page)."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.profile_url:5
-#: 7f227419ab034b3da8303fe94affeb6c
+#: 84b648830c3148ecb4e74a368b850c23
 msgid "URIs are canonicalized per Section 6.2 of [RFC3986]."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User.readable_fields:1
-#: e064888816ad4e228797af005daa0c1b
+#: 58a2e21fdb434721a2f63d42d309bdf5
 msgid "The fields the user can read according to the :class:`configuration <canaille.core.configuration.ACLSettings>` configuration."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User.readable_fields:4
-#: d51b5c9a3058444187f7f52aafcc57ce
+#: 13d48165549548f4b93daef3011da021
 msgid "This does not include the :attr:`writable <canaille.core.models.User.writable_fields>` fields."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.region:1
-#: 7781da46bb4f45c19d4061a73efd1860
+#: 6f59b77e31f04e928a5ba62b1e24e768
 msgid "The state or region component."
 msgstr ""
 
+#: ../../docstring of canaille.core.models.User.secret_token:1
+#: 976966fe6b494fa7881ec2bb7c992d48
+msgid "Unique token generated for each user, used for two-factor authentication."
+msgstr ""
+
 #: ../../docstring of canaille.core.models.User.street:1
-#: e15de46ed1a745e580399d0bf40e96b8
+#: 499ca20e98174187b6a7e067dc8bb99d
 msgid "The full street address component, which may include house number, street name, P.O."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.street:4
-#: 663a1b080f3646f5bbc30492beccda49
+#: 9da29eeb9a7749388ec24a3d730cdcca
 msgid "box, and multi-line extended street address information.  This attribute MAY contain newlines."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.title:1
-#: 96571ab69f47443087e9de7cdf2af3ef
+#: d210c0de6da84b4f8336209ae9719f87
 msgid "The user's title, such as \"Vice President\"."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.user_name:1
-#: 5a41c74aee6040d78b20e68feedbe91d
+#: 3fdb69a67da040b1bfb2682e3c8b99d4
 msgid "A service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider."
 msgstr ""
 
 #: ../../docstring of canaille.core.models.User.user_name:4
-#: 305c46ac8a734b4fb513c2da9c0bd78d
+#: 1028aa46fd5b4dc2b9315aabf36ab31c
 msgid "Often displayed to the user as their unique identifier within the system (as opposed to \"id\" or \"externalId\", which are generally opaque and not user-friendly identifiers).  Each User MUST include a non-empty userName value.  This identifier MUST be unique across the service provider's entire set of Users.  This attribute is REQUIRED and is case insensitive."
 msgstr ""
 
 #: ../../canaille/core/models.py:docstring of canaille.core.models.User.writable_fields:1
-#: f99945951b7f476484908fef5eb9bee4
+#: 6f4310b43c8c41af8069664ccee7283a
 msgid "The fields the user can write according to the :class:`configuration <canaille.core.configuration.ACLSettings>`."
 msgstr ""
 
+#: ../../canaille/core/models.py:docstring of canaille.core.models.string_code:1
+#: fc53171fc0944808ba403af52c2ba136
+msgid "Add leading 0 if the code length does not match the defined length."
+msgstr ""
+
+#: ../../canaille/core/models.py:docstring of canaille.core.models.string_code:3
+#: ae60e7010ca94353a14a569775471e8e
+msgid "For instance, parameter ``digit=6``, but ``code=123``, this method would return ``000123``::"
+msgstr ""
+
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.AuthorizationCode:1
-#: 470216f2acc344a9bc4fe9408cf38b4c
+#: a121e077c37d4a8cab594a0629893230
 msgid "OpenID Connect temporary authorization code definition."
 msgstr ""
 
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.Client:1
-#: b0248a05ffa44100bfcf4e84de0e154b
+#: 176b8928ffc54ed0b7a4b727cdf50387
 msgid "OpenID Connect client definition, based on the `OAuth 2.0 Dynamic Client Registration protocols <https://datatracker.ietf.org/doc/html/rfc7591.html>`_ and the `OpenID Connect RP-Initiated Logout <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>`_ specifications."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_id:3
-#: 9630f3464163481993a425c28c308969
+#: 501569fe51a94e8b9cfee76865f5720a
 msgid "OAuth 2.0 client identifier string.  It SHOULD NOT be currently valid for any other registered client, though an authorization server MAY issue the same client identifier to multiple instances of a registered client at its discretion."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_id_issued_at:1
 #: ../../docstring of canaille.oidc.basemodels.Client.client_secret:1
 #: ../../docstring of canaille.oidc.basemodels.Client.post_logout_redirect_uris:1
-#: 05d209d5010c49c99c2e88fd070c5595
-#: b2cf2367cc664e0dbd0d237edd72509a
-#: 9da6221c08544d5b9c043002d77e9a04
+#: 155223b8bff641ed9a0375b3d458c5c9
+#: 155223b8bff641ed9a0375b3d458c5c9
+#: 155223b8bff641ed9a0375b3d458c5c9
 msgid "OPTIONAL."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_id_issued_at:3
-#: fb189c4d73054f559edc1f71e252013c
+#: 8f9ab854501246b68994edefd2c22365
 msgid "Time at which the client identifier was issued.  The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of issuance."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_name:1
-#: 90b1171c71784152b30c868ce6a69e92
+#: 8610eab8370a4184937f0d1169b54c51
 msgid "Human-readable string name of the client to be presented to the end-user during authorization."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_name:4
-#: 2f438f6285d3455f81459326d3ed2a3d
+#: ce9a8c14a98f4a31b17100c0ca14c199
 msgid "If omitted, the authorization server MAY display the raw \"client_id\" value to the end-user instead.  It is RECOMMENDED that clients always send this field. The value of this field MAY be internationalized, as described in Section 2.2."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_secret:3
-#: b659e17a18ae49d6b460ce4bfd3ef720
+#: f737139e11a14b14be8545e1a2c5c0f6
 msgid "OAuth 2.0 client secret string.  If issued, this MUST be unique for each \"client_id\" and SHOULD be unique for multiple instances of a client using the same \"client_id\".  This value is used by confidential clients to authenticate to the token endpoint, as described in OAuth 2.0 [RFC6749], Section 2.3.1."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_secret_expires_at:1
-#: fe3efeb714e642038fddaee69b85a240
+#: 01979509cf224c5b8ba2127719435fc8
 msgid "REQUIRED if \"client_secret\" is issued."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_secret_expires_at:3
-#: 8224ead887464588a9b93fc320780f69
+#: 48959dbf918e45ba9c37a50f77a0adf9
 msgid "Time at which the client secret will expire or 0 if it will not expire.  The time is represented as the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time of expiration."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_uri:1
-#: c7ec8c5c04bd41fa87825f3d6f4e71b3
+#: 20f5972c57c540f6ab8392896c84be8c
 msgid "URL string of a web page providing information about the client."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.client_uri:3
-#: 8be313c7ec5848419e7a0062beefd60c
+#: 30041d9b4c124152a5c0443ff9b2191c
 msgid "If present, the server SHOULD display this URL to the end-user in a clickable fashion.  It is RECOMMENDED that clients always send this field.  The value of this field MUST point to a valid web page.  The value of this field MAY be internationalized, as described in Section 2.2."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.contacts:1
-#: 133418eefb1d484ba26f492838063c04
+#: 5cce7321f5e5400589f9393258dc3a4a
 msgid "Array of strings representing ways to contact people responsible for this client, typically email addresses."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.contacts:4
-#: 4c4d89f737af445da4e7eb5882887e00
+#: af06fcccdc594f869be314af985cf14c
 msgid "The authorization server MAY make these contact addresses available to end-users for support requests for the client.  See Section 6 for information on Privacy Considerations."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:1
-#: 5105e93451e946fea6c3fd0b09c19683
+#: b4a5975375c641eaa946ccd90ce211a6
 msgid "Array of OAuth 2.0 grant type strings that the client can use at the token endpoint.  These grant types are defined as follows:"
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:4
-#: 471bb398e08d45d588f320d2c25cb025
+#: bbc3935e899e47f3bafe281f1d888251
 msgid "\"authorization_code\": The authorization code grant type defined in OAuth 2.0, Section 4.1."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:7
-#: c1785e60703f46e5a3a6e7131ba26894
+#: 64449ef0ca7f424c9fab46a991d69d96
 msgid "\"implicit\": The implicit grant type defined in OAuth 2.0, Section 4.2."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:10
-#: 99ec3801466340bd83367ab92a351ac3
+#: f236e27b48c94daf906f45e1448426c6
 msgid "\"password\": The resource owner password credentials grant type defined in OAuth 2.0, Section 4.3."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:13
-#: a62c7b8185ee4863aec423c5fe445ae5
+#: 9e81137e52f94762be9551134791deaf
 msgid "\"client_credentials\": The client credentials grant type defined in OAuth 2.0, Section 4.4."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:16
-#: 2fd298fce6974e4da2f670da31280955
+#: e7293d36a66346228115f0e7a1db1628
 msgid "\"refresh_token\": The refresh token grant type defined in OAuth 2.0, Section 6."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:19
-#: 2fb0f1de8f46429eb46970d53c954d91
+#: 8fcedc410abe4cb4ba32399205c1fdb4
 msgid "\"urn:ietf:params:oauth:grant-type:jwt-bearer\": The JWT Bearer Token Grant Type defined in OAuth JWT Bearer Token Profiles [RFC7523]."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:23
-#: dd4f8e0551e048d599a3f95740ea3cf1
+#: 45a990b4f0c3428ca6b0f466163b444d
 msgid "\"urn:ietf:params:oauth:grant-type:saml2-bearer\": The SAML 2.0 Bearer Assertion Grant defined in OAuth SAML 2 Bearer Token Profiles [RFC7522]."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.grant_types:27
-#: 241768369988480b8f79cae93fa06ff4
+#: da938e538dfb4cbcb06eb0257bae0c5d
 msgid "If the token endpoint is used in the grant type, the value of this parameter MUST be the same as the value of the \"grant_type\" parameter passed to the token endpoint defined in the grant type definition.  Authorization servers MAY allow for other values as defined in the grant type extension process described in OAuth 2.0, Section 4.5.  If omitted, the default behavior is that the client will use only the \"authorization_code\" Grant Type."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.jwk:1
-#: 779d5b8c355f4e469d0880100f197dbd
+#: 61a94c54874e45c7b6d6a0080b303c06
 msgid "Client's JSON Web Key Set [RFC7517] document value, which contains the client's public keys."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.jwk:4
-#: 786a840808f042fdb3a97eb1bd7f7a98
+#: 878eeb4b93db4411b3227ebfce480fb2
 msgid "The value of this field MUST be a JSON object containing a valid JWK Set.  These keys can be used by higher-level protocols that use signing or encryption.  This parameter is intended to be used by clients that cannot use the \"jwks_uri\" parameter, such as native clients that cannot host public URLs.  The \"jwks_uri\" and \"jwks\" parameters MUST NOT both be present in the same request or response."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.jwks_uri:1
-#: 29bbb97b4b0545df84cf23ec1e6b14cf
+#: bdc8f6ae5aa54e2e8cd3968ba2b834e5
 msgid "URL string referencing the client's JSON Web Key (JWK) Set [RFC7517] document, which contains the client's public keys."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.jwks_uri:4
-#: 4021b5fbeabb464d938a3903ef7e718b
+#: f0514e0625524e80b9d71112f8f845fd
 msgid "The value of this field MUST point to a valid JWK Set document. These keys can be used by higher-level protocols that use signing or encryption.  For instance, these keys might be used by some applications for validating signed requests made to the token endpoint when using JWTs for client authentication [RFC7523].  Use of this parameter is preferred over the \"jwks\" parameter, as it allows for easier key rotation.  The \"jwks_uri\" and \"jwks\" parameters MUST NOT both be present in the same request or response."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.logo_uri:1
-#: 723f17b9b9df481394bcff341b2730b1
+#: a8573dc1a7474be593d58ac595763de8
 msgid "URL string that references a logo for the client."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.logo_uri:3
-#: 6b1a034be4f248e98f185c7a0ef2c3b5
+#: a2ca19d94ea94ee8b9938118fc25f1fa
 msgid "If present, the server SHOULD display this image to the end-user during approval. The value of this field MUST point to a valid image file.  The value of this field MAY be internationalized, as described in Section 2.2."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.policy_uri:1
-#: 92446c1f45fc4da9bf18fed32b046f26
+#: 14d06cf8a7e34fedad15b82247d69d39
 msgid "URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.policy_uri:5
 #: ../../docstring of canaille.oidc.basemodels.Client.tos_uri:5
-#: 470f3a6ebe5a470d97207d2d724d7a50
-#: d5127be355104a9b8e44b59d71a4e3ce
+#: 1ea0d5026129456fbbc197bfce61c98e
+#: 1ea0d5026129456fbbc197bfce61c98e
 msgid "The authorization server SHOULD display this URL to the end-user if it is provided.  The value of this field MUST point to a valid web page.  The value of this field MAY be internationalized, as described in Section 2.2."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.post_logout_redirect_uris:3
-#: 80775602163f4c4eae2aa73101fb4a59
+#: 50f7bef11f5244e4b91bdd115c92c874
 msgid "Array of URLs supplied by the RP to which it MAY request that the End-User's User Agent be redirected using the post_logout_redirect_uri parameter after a logout has been performed. These URLs SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, they MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the use of http RP URIs."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.redirect_uris:1
-#: 9864218626a9495d837ca07ecabe2e83
+#: e6a72fe3893b4db4adc05a9684a6dc4a
 msgid "Array of redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.redirect_uris:4
-#: a1f4e7a342764daf9b91f5c582e0d704
+#: d8400c42df344766b3fa56e4d0973700
 msgid "As required by Section 2 of OAuth 2.0 [RFC6749], clients using flows with redirection MUST register their redirection URI values. Authorization servers that support dynamic registration for redirect-based flows MUST implement support for this metadata value."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.response_types:1
-#: 2b675d8a76b64442baaf96288a99145f
+#: 8be6e16541944c6f9cad4f83c72a13b5
 msgid "Array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.  These response types are defined as follows:"
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.response_types:5
-#: 3f19f3d3bf244c669c336230f4e548e5
+#: 460f3e0ea3674308963d0510ac0d6444
 msgid "\"code\": The authorization code response type defined in OAuth 2.0, Section 4.1."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.response_types:8
-#: 8be17e9ef4c642a0a227974a40450da2
+#: a6be11c01465486aa6fc6d52b002b3c6
 msgid "\"token\": The implicit response type defined in OAuth 2.0, Section 4.2."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.response_types:11
-#: 3be1d7f3ab82407ebcf77c9ad6294934
+#: 0629b093e32248559987eb03c2802856
 msgid "If the authorization endpoint is used by the grant type, the value of this parameter MUST be the same as the value of the \"response_type\" parameter passed to the authorization endpoint defined in the grant type definition.  Authorization servers MAY allow for other values as defined in the grant type extension process is described in OAuth 2.0, Section 4.5.  If omitted, the default is that the client will use only the \"code\" response type."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.scope:1
-#: 99bf5a0735f3490eb63943c7926eb165
+#: c8200e01d757418294c72a8c1f4dd013
 msgid "String containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.scope:5
-#: d9c4d3be73ae454fbc08c0452c4cafba
+#: 6b5bfcb30b5443cea8e88e0e0074c1ff
 msgid "The semantics of values in this list are service specific.  If omitted, an authorization server MAY register a client with a default set of scopes."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.software_id:1
-#: ee3bd26091c94945b33584e781c19370
+#: c16d3f6118f24f639ffa8f395fb26d51
 msgid "A unique identifier string (e.g., a Universally Unique Identifier (UUID)) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.software_id:6
-#: 8fd0e02b12354b72b7175ade2536eac3
+#: dae7107648bc4e498d3924fdff934e29
 msgid "Unlike \"client_id\", which is issued by the authorization server and SHOULD vary between instances, the \"software_id\" SHOULD remain the same for all instances of the client software.  The \"software_id\" SHOULD remain the same across multiple updates or versions of the same piece of software.  The value of this field is not intended to be human readable and is usually opaque to the client and authorization server."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.software_version:1
-#: 2d69ee9b36d244ec98fb0ca3135ac74f
+#: c620c60307f64b08a6322573b5dd0561
 msgid "A version identifier string for the client software identified by \"software_id\"."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.software_version:4
-#: 0da082aab3354aad8196b87ea111796f
+#: e0c0f27106824081827201c50fb85ae7
 msgid "The value of the \"software_version\" SHOULD change on any update to the client software identified by the same \"software_id\".  The value of this field is intended to be compared using string equality matching and no other comparison semantics are defined by this specification.  The value of this field is outside the scope of this specification, but it is not intended to be human readable and is usually opaque to the client and authorization server.  The definition of what constitutes an update to client software that would trigger a change to this value is specific to the software itself and is outside the scope of this specification."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.token_endpoint_auth_method:1
-#: e666c285e9d0483a8b06ed07b9596fd1
+#: c226846c2d1c4874bf900ddd10cf4144
 msgid "String indicator of the requested authentication method for the token endpoint.  Values defined by this specification are:"
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.token_endpoint_auth_method:4
-#: 75019e0ffa134fe0a48fc885130c97ee
+#: aca79c0bc52744e0aedf325049fa2b15
 msgid "\"none\": The client is a public client as defined in OAuth 2.0, Section 2.1, and does not have a client secret."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.token_endpoint_auth_method:7
-#: 6d1fcab0de3a41e18101687e93c45444
+#: e63eaadeb384412199ed4f6ed7053e47
 msgid "\"client_secret_post\": The client uses the HTTP POST parameters as defined in OAuth 2.0, Section 2.3.1."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.token_endpoint_auth_method:10
-#: 75493a43244c4357842d2fdfa745f330
+#: 271a83d28e854ac0ba72171a974b346b
 msgid "\"client_secret_basic\": The client uses HTTP Basic as defined in OAuth 2.0, Section 2.3.1."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.token_endpoint_auth_method:13
-#: 070320a7585e4d9ba744cbaed1593208
+#: 20907504b16b4d2785df51328c1ef639
 msgid "Additional values can be defined via the IANA \"OAuth Token Endpoint Authentication Methods\" registry established in Section 4.2.  Absolute URIs can also be used as values for this parameter without being registered.  If unspecified or omitted, the default is \"client_secret_basic\", denoting the HTTP Basic authentication scheme as specified in Section 2.3.1 of OAuth 2.0."
 msgstr ""
 
 #: ../../docstring of canaille.oidc.basemodels.Client.tos_uri:1
-#: 95cc7b66c6da48e5a189a32abaa9c24e
+#: 00b5b754a5c5419f92fab486003e081a
 msgid "URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client."
 msgstr ""
 
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.Consent:1
-#: bf6c359aadbc4404ba1967b1b8d26255
+#: a05f59c629e3458fbbf64e91e88819bf
 msgid "Long-term user consent to an application."
 msgstr ""
 
 #: ../../canaille/oidc/basemodels.py:docstring of canaille.oidc.basemodels.Token:1
-#: a20eaa516c854599a62222141346d76b
+#: 7b57192679024787a3be94302cb00b86
 msgid "OpenID Connect token definition."
 msgstr ""
 
 #: ../tutorial/databases.rst:4
-#: 2934007ee99c4b5096855dd9bf47208b
+#: 5748f2a24c36444993b0ac2c8ce280bb
 msgid "Canaille can read and save data in different databases. This page presents the different database backends and their specificities:"
 msgstr ""
 
 #: ../tutorial/databases.rst:10
-#: 4d8d9b1634cf47eca9c118b3af6173df
+#: 5d24828b6f5649039d526b7fb689db99
 msgid "Canaille comes with a lightweight inmemory backend by default. It is used when no other backend has been configured."
 msgstr ""
 
 #: ../tutorial/databases.rst:13
-#: 5383f833c2634382a279cf9c2e9efff5
+#: afdd59c782fc4a28851af9f8a3c24428
 msgid "This backend is only for test purpose and should not be used in production environments."
 msgstr ""
 
 #: ../tutorial/databases.rst:18
-#: 5c04f9416e954990a51ad770b994755d
+#: 883a0e443e914abb8edfe20bf57f1296
 msgid "Canaille can use any database supported by `SQLAlchemy <https://www.sqlalchemy.org/>`_, such as sqlite, postgresql or mariadb."
 msgstr ""
 
 #: ../tutorial/databases.rst:21
-#: 5cef0f1dda384284a256492c7b8dfcca
+#: 70e3f1710abf4134b85427a21dedeaa4
 msgid "It is used when the ``CANAILLE_SQL`` configuration parameter is defined. For instance:"
 msgstr ""
 
 #: ../tutorial/databases.rst:29
-#: cedc3bb2dba0427b93cf11791b189c96
+#: 30971ee8de5542819657f07c3e215be2
 msgid "You can find more details on the SQL configuration in the :class:`dedicated section <canaille.backends.sql.configuration.SQLSettings>`."
 msgstr ""
 
 #: ../tutorial/databases.rst:34
-#: fd9f8f823d184c72840274fd13de5b91
+#: da789ef60396408eb64b22001aaaf8fe
 msgid "Canaille can use OpenLDAP as its main database. It is used when the ``CANAILLE_LDAP`` configuration parameter is defined. For instance:"
 msgstr ""
 
 #: ../tutorial/databases.rst:52
-#: fcbc8501c455465daa5142894408bb38
+#: c64cf1c4f3664390a27dbef6f154878e
+msgid "If you want to use TOTP/HOTP authentication, you will need to add the ``oathHOTPToken`` class to the user :"
+msgstr ""
+
+#: ../tutorial/databases.rst:58
+#: aa4b16bc9b7946d7904708e1f424f53f
 msgid "You can find more details on the LDAP configuration in the :class:`dedicated section <canaille.backends.ldap.configuration.LDAPSettings>`."
 msgstr ""
 
-#: ../tutorial/databases.rst:55
-#: 2c710def18bc46539b2962ee1bde2bf6
-msgid "Currently, only the ``inetOrgPerson`` and ``groupOfNames`` schemas have been tested. If you want to use different schemas or LDAP servers, adaptations may be needed. Patches are welcome."
+#: ../tutorial/databases.rst:61
+#: faa136c2f11c4d79b3bbe652a901e785
+msgid "Currently, only the ``inetOrgPerson``, ``oathHOTPToken`` and ``groupOfNames`` schemas have been tested. If you want to use different schemas or LDAP servers, adaptations may be needed. Patches are welcome."
 msgstr ""
 
-#: ../tutorial/databases.rst:60
-#: b7014bf888504dcc865871e8275190f6
+#: ../tutorial/databases.rst:66
+#: 21591edbced444b499d300486e257a91
 msgid "OpenLDAP overlays integration"
 msgstr ""
 
-#: ../tutorial/databases.rst:62
-#: a67abbc0745e4c7e9353697969a4fbab
+#: ../tutorial/databases.rst:68
+#: 33eaffdc103c4d709fb434da45ecca39
 msgid "Canaille can integrate with several OpenLDAP overlays:"
 msgstr ""
 
-#: ../tutorial/databases.rst:65
-#: b1eebe57d90648b3b24cb48cb49c5436
+#: ../tutorial/databases.rst:71
+#: b542d311f0444aef936af14660f9ddd3
 msgid "memberof / refint"
 msgstr ""
 
-#: ../tutorial/databases.rst:67
-#: 6bb596696373483ab0a52f0e8169ab9e
+#: ../tutorial/databases.rst:73
+#: e3756a8fbe1d4c469d6df3b4504b73d9
 msgid "`memberof <https://www.openldap.org/doc/admin26/overlays.html#Reverse%20Group%20Membership%20Maintenance>`_ and `refint <https://www.openldap.org/doc/admin26/overlays.html#Referential%20Integrity>`_ overlays are needed for the Canaille group membership to work correctly."
 msgstr ""
 
-#: ../tutorial/databases.rst:71
-#: ../tutorial/databases.rst:94
-#: bff8a12ffd4b4d179d6938a046810186
-#: 1e58076e5c2148f8a2c71c79bb51c74a
+#: ../tutorial/databases.rst:77
+#: ../tutorial/databases.rst:100
+#: ../tutorial/databases.rst:123
+#: 9b7b5412ee544d7bbb97fc1e30152585
+#: 9b7b5412ee544d7bbb97fc1e30152585
+#: 9b7b5412ee544d7bbb97fc1e30152585
 msgid "Here is a configuration example compatible with canaille:"
 msgstr ""
 
-#: ../tutorial/databases.rst:73
-#: d8858049d6d44b7cae4cbd659f9f8ba2
+#: ../tutorial/databases.rst:79
+#: 1b8c284120b44c859cc9bd56b4c8e123
 msgid "memberof-config.ldif"
 msgstr ""
 
-#: ../tutorial/databases.rst:77
-#: 830059290ddc4cf1b2249c45fc303b98
+#: ../tutorial/databases.rst:83
+#: 3fc7e3d6f94f47579174c1ebcb598f6a
 msgid "refint-config.ldif"
 msgstr ""
 
-#: ../tutorial/databases.rst:81
-#: ../tutorial/databases.rst:104
-#: 4070700e524f481ba82662576453c6b3
-#: 41e7874f5db94dda8cd74ebed2fddc7c
+#: ../tutorial/databases.rst:87
+#: ../tutorial/databases.rst:110
+#: 39d5ac83d9724a36af9b2185453d86f3
+#: 39d5ac83d9724a36af9b2185453d86f3
 msgid "You can adapt and load those configuration files with:"
 msgstr ""
 
-#: ../tutorial/databases.rst:90
-#: e37e96d3eac048e191b4da59788b6096
+#: ../tutorial/databases.rst:96
+#: 359072b68f5d4338830ee414e509d7c2
 msgid "ppolicy"
 msgstr ""
 
-#: ../tutorial/databases.rst:92
-#: 88ed660b0098483fa77e880febad6b52
+#: ../tutorial/databases.rst:98
+#: a589837a0cf14ad3b8f8116f78356f76
 msgid "If the `ppolicy <https://www.ietf.org/archive/id/draft-behera-ldap-password-policy-11.html>`_ overlay is configured and the ``pwdEndTime`` attribute is available (since OpenLDAP 2.6), then account locking support will be enabled in canaille. To allow users to manage account expiration, they need to have a *write* permission on the :attr:`~canaille.core.models.User.lock_date` attribute."
 msgstr ""
 
-#: ../tutorial/databases.rst:96
-#: 0194f8cb96554ed9a209784cd1a5a10e
+#: ../tutorial/databases.rst:102
+#: fe864493f65b47008ba79f9154931883
 msgid "ppolicy-config.ldif"
 msgstr ""
 
-#: ../tutorial/databases.rst:100
-#: 09776d76a5c54f6eb7d79e15a0dbed82
+#: ../tutorial/databases.rst:106
+#: da19de8897bd448aaa8a8f6450974789
 msgid "ppolicy.ldif"
 msgstr ""
 
+#: ../tutorial/databases.rst:119
+#: ccb4fa4c948c461580569a7ec7a55885
+msgid "otp"
+msgstr ""
+
+#: ../tutorial/databases.rst:121
+#: 9b6afdb7651743a78e1955ef59319e29
+msgid "If the `otp <https://www.openldap.org/software/man.cgi?query=slapo-otp>`_ overlay is configured, you will be able to add one-time password authentication in canaille."
+msgstr ""
+
+#: ../tutorial/databases.rst:125
+#: fe864493f65b47008ba79f9154931883
+msgid "otp-config.ldif"
+msgstr ""
+
+#: ../tutorial/databases.rst:129
+#: 39d5ac83d9724a36af9b2185453d86f3
+msgid "You can adapt and load this configuration file with:"
+msgstr ""
+
+#: ../tutorial/databases.rst:136
+#: b0815f933dae41f8a18ffc5c389a8796
+msgid "You will also need to add the ``oathHOTPToken`` class to the user:"
+msgstr ""
+
 #: ../tutorial/deployment.rst:2
-#: f396d7b4fa884f55bf66b57b6c046fdb
+#: 968d6daab5054d1bbbaac721a53f21e6
 msgid "Deployment"
 msgstr ""
 
 #: ../tutorial/deployment.rst:5
-#: 2cbff8a64b41470396973c1f66482110
+#: 341af181b96a4e449f124bb22e58723a
 msgid "Application service"
 msgstr ""
 
 #: ../tutorial/deployment.rst:7
-#: d60be98207bd489299d7492480a091c5
+#: 856f5e097bd34696b59aa74f451a1a33
 msgid "After having finished Canaille installation you have to run it in a WSGI application server. Here are some WSGI server configuration examples you can pick. Do not forget to update the paths."
 msgstr ""
 
 #: ../tutorial/deployment.rst:11
-#: cf41e4599bea477a8b6742ed38c09555
+#: c2fc01d884054c2c9e9f3cf5b1e7fe01
 msgid "gunicorn"
 msgstr ""
 
 #: ../tutorial/deployment.rst:15
-#: 9f4888747a6d4f5d85d9b94bc2814aff
+#: 0734bfeb3d07400d85abe6f2412c506c
 msgid "Write a gunicorn configuration sample file."
 msgstr ""
 
 #: ../tutorial/deployment.rst:18
-#: beb61a6d85dc407c923f0a1797571b4b
+#: 12db5d68d59f42958e64d74cf0a8a852
 msgid "uwsgi"
 msgstr ""
 
 #: ../tutorial/deployment.rst:42
-#: 804b59080cfb46a5bece65e9dfe52ae4
+#: 7f42a8052b034e1e949f7308c1e80068
 msgid "Webserver"
 msgstr ""
 
 #: ../tutorial/deployment.rst:44
-#: 3fd8ef72a9db483aaa18397b136708a4
+#: 261287d315864e4e958aab6892250086
 msgid "Now you have to plug your WSGI application server to your webserver so it is accessible on the internet. Here are some webserver configuration examples you can pick:"
 msgstr ""
 
 #: ../tutorial/deployment.rst:48
-#: 40d9837c5cdd4c9faf94797e578e409d
+#: 05ce956efe26448abaa00732f791ac5d
 msgid "Nginx"
 msgstr ""
 
 #: ../tutorial/deployment.rst:114
-#: 5407fc49df8b4871a993d95ebe6b216e
+#: 71a5e5d57a9547909ea4a78f80883422
 msgid "Apache"
 msgstr ""
 
 #: ../tutorial/deployment.rst:153
-#: 9e1ca64c07984a218f094949ed99bc6e
+#: c0216d38c6e74ed08fd2478d61524206
 msgid "Recurrent jobs"
 msgstr ""
 
 #: ../tutorial/deployment.rst:155
-#: 283551b28f2d465a830885e57a802334
+#: 24d5e0ff3df449e49ec973125318f628
 msgid "You might want to clean up your database to avoid it growing too much. You can regularly delete expired tokens and authorization codes with:"
 msgstr ""
 
 #: ../tutorial/deployment.rst:164
-#: 3a91c9769ca04ed289ef4e08d71c84e0
+#: 615cedede7b348a39bef43b8a0296fb0
 msgid "Webfinger"
 msgstr ""
 
 #: ../tutorial/deployment.rst:166
-#: c0c2aa060ee743e797e0e0e69ed34aad
+#: 59c6373efd6040f2bc60ce6617810901
 msgid "You may want to configure a `WebFinger`_ endpoint on your main website to allow the automatic discovery of your Canaille installation based on the account name of one of your users. For instance, suppose your domain is ``mydomain.example`` and your Canaille domain is ``auth.mydomain.example`` and there is a user ``john.doe``. A third-party application could require to authenticate the user and ask them for a user account. The user would give their account ``john.doe@mydomain.example``, then the application would perform a WebFinger request at ``https://mydomain.example/.well-known/webfinger`` and the response would contain the address of the authentication server ``https://auth.mydomain.example``. With this information the third party application can redirect the user to the Canaille authentication page."
 msgstr ""
 
 #: ../tutorial/deployment.rst:168
-#: d4f07f118d4443bcbd44e55144cf4d1f
+#: ee64a42bf4104da2a68499149292566d
 msgid "The difficulty here is that the WebFinger endpoint must be hosted at the top-level domain (i.e. ``mydomain.example``) while the authentication server might be hosted on a sublevel (i.e. ``auth.mydomain.example``). Canaille provides a WebFinger endpoint, but if it is not hosted at the top-level domain, a web redirection is required on the ``/.well-known/webfinger`` path."
 msgstr ""
 
 #: ../tutorial/deployment.rst:170
-#: b305def4f6e74643b1c47e5491e46126
+#: a1aa4ace653f416eb673a5ac6f536199
 msgid "Here are configuration examples for Nginx or Apache:"
 msgstr ""
 
 #: ../tutorial/deployment.rst:172
-#: f07e30950c0443ea830fb6d01181cbce
+#: 54696b09f9de48daa0d752cab9cbbe60
 msgid "Nginx webfinger configuration for a top level domain"
 msgstr ""
 
 #: ../tutorial/deployment.rst:181
-#: f166862da12146e286d09f1189b44637
+#: 7277d41cdb83400ab68d06861f1bba9b
 msgid "Apache webfinger configuration for a top level domain"
 msgstr ""
 
 #: ../tutorial/deployment.rst:191
-#: ed7f25a6ab90437984c0249217556b7a
+#: 6c673a0168dc4f159d40898328555d97
 msgid "Create the first user"
 msgstr ""
 
 #: ../tutorial/deployment.rst:193
-#: e983e9c5998a475e9472c54742b25c9f
+#: 665633a1bc5a4185b3ac592a8e0d023d
 msgid "Once canaille is installed, soon enough you will need to add users. To create your first user you can use the :ref:`canaille create <cli_create>` CLI."
 msgstr ""
 
 #: ../tutorial/index.rst:2
-#: 40de96b13f0b46ba88769f9f0c91bece
+#: df05343770804349af328d9b3651f059
 msgid "Tutorial"
 msgstr ""
 
 #: ../tutorial/install.rst:2
-#: 990b0c4570294a4c914942072b835544
+#: a0eef22998554712a838c86b94681306
 msgid "Installation"
 msgstr ""
 
 #: ../tutorial/install.rst:6
-#: 1f5645b8ce114b08abc62b4f03e8d613
+#: 366d1de010774522b5947172c22d1d64
 msgid "Canaille is under heavy development and may not fit a production environment yet."
 msgstr ""
 
 #: ../tutorial/install.rst:8
-#: a76d3b71c19b4667a34e1d4b68261499
+#: 7ec1652a0617445681d3b44ab4ef6607
 msgid "The installation of canaille consist in several steps, some of which you can do manually or with command line tool:"
 msgstr ""
 
 #: ../tutorial/install.rst:11
-#: de05573555224e75869a68ac41471c97
+#: 39b5cccca7ae4928abc5ecac4466a670
 msgid "Get the code"
 msgstr ""
 
 #: ../tutorial/install.rst:13
-#: 8d5ce5f2ad284774a673cad8e1be2cc5
+#: dd49fb118bd94e00810d55ca2e8e3c23
 msgid "As the moment there is no distribution package for canaille. However, it can be installed with the ``pip`` package manager. Let us choose a place for the canaille environment, like ``/opt/canaille/env``."
 msgstr ""
 
 #: ../tutorial/install.rst:24
-#: 5e8dbf51cc8e401d8e7f2738c4c1e500
+#: 8f98f8e76182487aba2f150e7af39150
 msgid "Extras"
 msgstr ""
 
 #: ../tutorial/install.rst:26
-#: ff09c579e2834394992e462c1a7830e6
+#: 364aff7067fe4ab0aea19ad6024893b1
 msgid "Canaille provides different package options:"
 msgstr ""
 
 #: ../tutorial/install.rst:28
-#: fba9a7d4ab8f42c1ba19ec58827c49bb
+#: 0b64d33198cf4965bf5ccec22054fc9b
 msgid "`front` provides all the things needed to produce the user interface;"
 msgstr ""
 
 #: ../tutorial/install.rst:29
-#: 3c368569b3434d0c8821fcc5aa2a9fcd
+#: 4f47aa89080f491e8f179aadf57a32e4
 msgid "`oidc` provides the dependencies to perform OAuth2/OIDC authentication;"
 msgstr ""
 
 #: ../tutorial/install.rst:30
-#: d2fa3adf12b04e879e8eb1ad5a86d131
+#: 07d747ece341493cbfdbaacd17b9640d
 msgid "`ldap` provides the dependencies to enable the LDAP backend;"
 msgstr ""
 
 #: ../tutorial/install.rst:31
-#: 9f0ac2527c844d26999ac4722b7a3062
+#: bebbbd7c0b5b4694b70dd571d6087a25
 msgid "`sqlite` provides the dependencies to enable the SQLite backend;"
 msgstr ""
 
 #: ../tutorial/install.rst:32
-#: 9f8652296fdd460d9d0885fd934a924f
+#: 1052d038f4154a29a0e27fd5c83f9abf
 msgid "`postgresql` provides the dependencies to enable the PostgreSQL backend;"
 msgstr ""
 
 #: ../tutorial/install.rst:33
-#: dba3b5d89e9e46c6b3774b01bf2ae122
+#: 0696511547b64f22b36c1b3c5ade382a
 msgid "`mysql` provides the dependencies to enable the MySQL backend;"
 msgstr ""
 
 #: ../tutorial/install.rst:34
-#: 3284b40cd5ff4177a9369e471dcd1de2
+#: 7ec9ca47bc1a487caeb4d706f0cabeec
 msgid "`sentry` provides sentry integration to watch Canaille exceptions;"
 msgstr ""
 
 #: ../tutorial/install.rst:35
-#: dfd39313c050407193deac1f01f23e54
-msgid "`all` provides all the extras above."
+#: 4e77c88c68b1404cbf1502574bc495af
+msgid "`otp` provides the dependencies to enable one-time password authentication;"
+msgstr ""
+
+#: ../tutorial/install.rst:36
+#: e81b3959980b47898233e6a778b6cfa4
+msgid "`sms` provides the dependencies to enable sms sending;"
 msgstr ""
 
 #: ../tutorial/install.rst:37
-#: 3d0f7f47cc1a469e9762578aed91f002
+#: 4355ba8d8f744ad6b49f6859e36d5276
+msgid "`all` provides all the extras above."
+msgstr ""
+
+#: ../tutorial/install.rst:39
+#: 2ad6fc294ad44e87a5c1b4389a8c280c
 msgid "They can be installed with:"
 msgstr ""
 
-#: ../tutorial/install.rst:44
-#: b7732a260ca84ba3a4130bd6cb0d1619
+#: ../tutorial/install.rst:46
+#: 59d5ecfe460d412ba993a785c0c20744
 msgid "Configure"
 msgstr ""
 
-#: ../tutorial/install.rst:46
-#: 86df5b7acf954ddfbb2982dbe0a51da1
+#: ../tutorial/install.rst:48
+#: 2bebd03f31724f66a8fc72e10fd4c00f
 msgid "Choose a path where to store your configuration file. You can pass any configuration path with the ``CONFIG`` environment variable."
 msgstr ""
 
-#: ../tutorial/install.rst:54
-#: 042753d9c5704f21b0da35d38a17a620
+#: ../tutorial/install.rst:56
+#: 6f15d23d18c245dc9d341399328f752e
 msgid "You should then edit your configuration file to adapt the values to your needs. Look at the configuration details in the :doc:`configuration <../references/configuration>` page."
 msgstr ""
 
-#: ../tutorial/install.rst:57
-#: a87138181fe64cd9891206619cad6d2d
+#: ../tutorial/install.rst:59
+#: ede066e9fd9345ac86aa519c3bc66495
 msgid "Install"
 msgstr ""
 
-#: ../tutorial/install.rst:59
-#: 2a7cde9a8ef54f6fb6b527734b5e471d
+#: ../tutorial/install.rst:61
+#: a888acd5f78142a88927d4585568a24a
 msgid "The :ref:`install command <cli_install>` will apply most of the things needed to get Canaille working. Depending on the configured :doc:`database <databases>` it will create the SQL tables, or install the LDAP schemas for instance."
 msgstr ""
 
-#: ../tutorial/install.rst:68
-#: faefbbda355349e19671492f478d3153
+#: ../tutorial/install.rst:70
+#: 1d9b520266704354910e893daaa1ac22
 msgid "Check"
 msgstr ""
 
-#: ../tutorial/install.rst:70
-#: ab77edb446f44686bf26ef04fbf3dc7d
+#: ../tutorial/install.rst:72
+#: da69d39139ef46eabe3e65ee743ad414
 msgid "After a manual installation, you can check your configuration file using the :ref:`check command <cli_install>`:"
 msgstr ""
 
+#: ../tutorial/provisioning.rst:2
+#: fad9f07edb234ac5b4edf0f1a2850469
+msgid "Provisioning"
+msgstr ""
+
+#: ../tutorial/provisioning.rst:4
+#: b34dc5e4480d4812abe1d615b40724ce
+msgid "Canaille partially implemnet the :rfc:`SCIM <7642>` provisioning protocol at the ``/scim/v2`` endpoint."
+msgstr ""
+
+#: ../tutorial/provisioning.rst:6
+#: b435649989a5462fb58feedb7deff9e7
+msgid "At the moment, only the server part is implemented. It allows client applications to manage user profiles directly in Canaille."
+msgstr ""
+
+#: ../tutorial/provisioning.rst:9
+#: cca65894cd064a69b7c8a4dc2b4bc5b2
+msgid "To allow clients to access the SCIM API, the client must have the ``client_credentials`` grant type configured. This allows clients to ask an authentication token on their own behalf and use this token to perform queries. Currently, user tokens are not supported."
+msgstr ""
+
+#: ../tutorial/provisioning.rst:15
+#: 5540926bcd3a4ff59b5c440933d22e93
+msgid "Some SCIM :ref:`features and endpoints <scim_unimplemented>` are not implemented. In addition to these, Canaille will implement in the future:"
+msgstr ""
+
+#: ../tutorial/provisioning.rst:18
+#: df30885f79fd424fb426110529797eeb
+msgid "Access control for clients on the SCIM API endpoint, to finely manage permissions depending on clients."
+msgstr ""
+
+#: ../tutorial/provisioning.rst:19
+#: e37b47a3e64940adbfecfffc6245bb5f
+msgid "Client-side implementation, to broadcast user and groups modifications among all the clients."
+msgstr ""
+
 #: ../tutorial/troubleshooting.rst:2
-#: d5cca3688aea45bb9ed015f84d324407
+#: a2179a1e932c44c59ec327cabf7a8b0e
 msgid "Troubleshooting"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:5
-#: 584a62a0d78b4af391bfc8bd916e3934
+#: 46107d829fdc4718adf7b92192756f96
 msgid "The web interface throws useless error messages"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:7
-#: acc3175f98324e73b0154a833f4291de
+#: 86ab63d58f8848b2a40435a2f048c12f
 msgid "Unless the current user has admin :class:`permissions <canaille.core.configuration.Permission>`, or the installation is in :attr:`~canaille.app.configuration.RootSettings.DEBUG` mode, error messages won't be too technical. For instance, you can see *The request you made is invalid*. To enable detailed error messages, you can **temporarily** enable the :attr:`~canaille.app.configuration.RootSettings.DEBUG` configuration parameter."
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:12
-#: 358b28e47d4a4b48ba2bde7ddd4bc5f3
+#: 988d674332bb4633b860095fe99420df
 msgid "How to manually install LDAP schemas?"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:16
-#: 5e241c1fdd044454a5a27a9d4d609a6c
+#: 7be9fb2994f6417889820aac3fce6560
 msgid "Schema installation can be automatically done using the :ref:`install command <cli_install>`."
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:18
-#: fa20dff6817848489fee9434d3e8c154
+#: c8c1648f65d348d0a7d601357a849604
 msgid "As of OpenLDAP 2.4, two configuration methods are available:"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:20
-#: 536b6d4fabea43d48240f3b1b4e256c6
+#: f37f56f196174ae895e792a933dfbea6
 msgid "The `deprecated <https://www.openldap.org/doc/admin26/slapdconf2.html>`_ one, based on a configuration file (generally ``/etc/ldap/slapd.conf``);"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:21
-#: 2681e5ed98de4633ab3e958980570c61
+#: ae332fd671574a54b9f1ff1cce9ae3e0
 msgid "The new one, based on a configuration directory (generally ``/etc/ldap/slapd.d``)."
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:23
-#: e623df73a33a4425874322d64990dd09
+#: b9fe35e9d0654a4b831845bf9f027a33
 msgid "Depending on the configuration method you use with your OpenLDAP installation, you need to chose how to add the canaille schemas:"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:26
-#: 7fa64ce5f9834bfc8a84a6b147776135
+#: 45557c5a90314b65aca27329fe4f334b
 msgid "Old fashion: Copy the schemas in your filesystem"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:35
-#: 89ec7d1a5b9c488898dd0aeec512eb0f
+#: 4aa6e1b3b0154c4ca91a982f719c08b5
 msgid "New fashion: Use slapadd to add the schemas"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:37
-#: cf355b0d0d224146b9aa9bde63c3285b
+#: 6ba05a570b0043078256af9a016309c4
 msgid "Be careful to stop your ldap server before running ``slapadd``"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:46
-#: b688808b89a1486ea46f0a30671f0772
+#: 87adc4ca4b22405e948a90409bde21b0
 msgid "How to manually generate the OIDC keypair?"
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:50
-#: fe622e23c48a4ec0ba3a9e00e24cfb88
+#: 6770309338724a4aac6439943e58b66a
 msgid "The keypair generation can be automatically done using the :ref:`install command <cli_install>`."
 msgstr ""
 
 #: ../tutorial/troubleshooting.rst:52
-#: 2467c8ae6d2a4ba19056d44a89656984
+#: 2fad5ba8eca14ba293b910f7c82f5b34
 msgid "Canaille needs a key pair to sign OIDC tokens. You can customize those commands, as long as they match the ``JWT`` section of your configuration file."
 msgstr ""
 
 #: ../usecases.rst:4
-#: dde73820d8ff46128f0ae5a245d4f212
+#: 0012c5a2aeb84b40b7ccb861a1f8ea07
 msgid "Use cases"
 msgstr ""
 
 #: ../usecases.rst:6
-#: 936471ec6e494f839a45d1a5048ddbe9
+#: 8fce8afa30574f348ea6a4b5169592b6
 msgid "Canaille is a lightweight IAM for simple needs. Here are a few use cases you might recognize in, where Canaille would fit your needs."
 msgstr ""
 
 #: ../usecases.rst:10
-#: 0c06bc8fc0754db6bdfbae05fe718b2e
+#: e00eb880854f4c38a94285e1986b96d2
 msgid "OpenID Connect provider on top of a LDAP directory"
 msgstr ""
 
 #: ../usecases.rst:12
-#: 0ec337c5784a4dc296538609b9d75dd6
+#: 354d32ad706d463ab06aa17efae022cc
 msgid "Your organization has an historic :ref:`LDAP directory <feature_databases>` and you want to add a :ref:`OpenID Connect <feature_oidc>` :abbr:`SSO (Single Sign-On)` layer on top of it, so users can use all your application while signin-in only once, without any data migration."
 msgstr ""
 
 #: ../usecases.rst:15
-#: 35bb9bbb50064dc7a5383c9d5371adfd
+#: c80ba39e4d3d49aeb126a3a4b0cbf6ee
 msgid "Profile edition of LDAP users"
 msgstr ""
 
 #: ../usecases.rst:17
-#: 87226e31a4ef425585e8de20647d72a3
+#: f7042aa80b384749a2a1c93cdf9fb3b6
 msgid "Your organization has a :ref:`LDAP directory <feature_databases>` and you want to provide a way to your users to :ref:`edit their personal information <feature_profile_management>` by themselves, without requiring any administrator intervention."
 msgstr ""
 
 #: ../usecases.rst:20
-#: 22ec6d0c58ed413b80cd6aca23f637b6
+#: 2175f903fd7049408fb6f8bca3817ec0
 msgid "Password recovery with a LDAP directory"
 msgstr ""
 
 #: ../usecases.rst:22
-#: 46f418970c7640f9ace069002ed337bd
+#: ee7ae8f8496c4ddd95b00953f0da7fc9
 msgid "Your organization has an historic :ref:`LDAP directory <feature_databases>` and you want to provide a way to your users to :ref:`recover their password <feature_password_recovery>` when they cannot remember it, without any administrator intervention."
 msgstr ""
 
 #: ../usecases.rst:25
-#: f44f325b29594fc7b31521d259e27d5f
+#: b270514f0fac465d9792c85a85c84525
 msgid "A lightweight IAM for unit testing"
 msgstr ""
 
 #: ../usecases.rst:27
-#: c9f537fbf3cd4b3cb0e6d140b8a2327b
+#: 88822c2e151f43a0b5dabed7616604b7
 msgid "You are :ref:`developing <feature_development>` an application relying on OAuth2 or OpenID Connect to authenticate the users. You don't want to mock the calls to the identity provider in your unit tests, but you want to :ref:`perform real OAuth2/OIDC requests <feature_testing>`, and test your application against different identity provider tunings."
 msgstr ""
 
 #: ../usecases.rst:30
-#: 5b9b8e07b9154150a105088cc630ce6a
+#: fe21632ea9034d16b4f5da19efa0b5ac
 msgid "A lightweight IAM for developing"
 msgstr ""
 
 #: ../usecases.rst:32
-#: 7a4ff703b94e4706b5123edb0c2abe51
+#: 5f85f539d8cf4500889c40f6774d6e55
 msgid "You are :ref:`developing <feature_development>` an application relying on OAuth2 or OpenID Connect to authenticate the users. You need a :ref:`IAM server to develop <feature_development>` locally, but your old computer cannot bear launching a full Keycloak in a Docker container."
 msgstr ""
 
 #: ../usecases.rst:35
-#: e594e15fba204d65a3f483c36e7c0aab
+#: f94e9269e0d84b20998a5dc33d17bca7
 msgid "A lightweight IAM for CIs"
 msgstr ""
 
 #: ../usecases.rst:37
-#: ff03e5a191564f90af81c7d210a3de24
+#: c59dd6c6c59a45b6b8cc4497275c35c1
 msgid "You are :ref:`developing <feature_development>` an application relying on OAuth2 or OpenID Connect to authenticate the users. You need a IAM server that could can populate with custom data, and integrate in your :ref:`continuous integration environment <feature_ci>`."
 msgstr ""
 
 #: ../usecases.rst:40
-#: 8a37de08f6594334a3ba6ed2f9a3b71e
+#: 30c0a6e8cd2f4ec1837b2147176bed17
 msgid "A CLI to quickly edit LDAP directory users"
 msgstr ""
 
 #: ../usecases.rst:42
-#: b9d55e6eeca547aabb9bbfef3998f6d2
+#: 884abc047ac34822b7b8fcd98ddb3f88
 msgid "Your organization has an historic :ref:`LDAP directory <feature_databases>`. You are tired to deal with *ldif* syntax to manage your users and group and would prefer a simple human-readable CLI."
 msgstr ""
diff --git a/doc/tutorial/index.rst b/doc/tutorial/index.rst
index 27abe826..30f25ad9 100644
--- a/doc/tutorial/index.rst
+++ b/doc/tutorial/index.rst
@@ -7,4 +7,5 @@ Tutorial
    install
    deployment
    databases
+   provisioning
    troubleshooting
diff --git a/doc/tutorial/provisioning.rst b/doc/tutorial/provisioning.rst
new file mode 100644
index 00000000..9f0e2081
--- /dev/null
+++ b/doc/tutorial/provisioning.rst
@@ -0,0 +1,19 @@
+Provisioning
+############
+
+Canaille partially implemnet the :rfc:`SCIM <7642>` provisioning protocol at the ``/scim/v2`` endpoint.
+
+At the moment, only the server part is implemented.
+It allows client applications to manage user profiles directly in Canaille.
+
+To allow clients to access the SCIM API, the client must have the ``client_credentials`` grant type configured.
+This allows clients to ask an authentication token on their own behalf and use this token to perform queries.
+Currently, user tokens are not supported.
+
+.. todo::
+
+   Some SCIM :ref:`features and endpoints <scim_unimplemented>` are not implemented.
+   In addition to these, Canaille will implement in the future:
+
+   - Access control for clients on the SCIM API endpoint, to finely manage permissions depending on clients.
+   - Client-side implementation, to broadcast user and groups modifications among all the clients.
diff --git a/tests/scim/conftest.py b/tests/scim/conftest.py
index bd939752..1f967112 100644
--- a/tests/scim/conftest.py
+++ b/tests/scim/conftest.py
@@ -71,4 +71,5 @@ def scim_client(app, oidc_client, oidc_token):
         Client(app),
         scim_prefix=bp.url_prefix,
         environ={"headers": {"Authorization": f"Bearer {oidc_token.access_token}"}},
+        check_response_status_codes=False,
     )
diff --git a/tests/scim/test_authentication.py b/tests/scim/test_authentication.py
deleted file mode 100644
index 12a1e88f..00000000
--- a/tests/scim/test_authentication.py
+++ /dev/null
@@ -1,45 +0,0 @@
-import datetime
-
-import pytest
-from scim2_client import SCIMResponseErrorObject
-from scim2_client.engines.werkzeug import TestSCIMClient
-from werkzeug.security import gen_salt
-from werkzeug.test import Client
-
-from canaille.app import models
-from canaille.scim.endpoints import bp
-
-
-def test_authentication_failure(app):
-    """Test authentication with an invalid token."""
-    scim_client = TestSCIMClient(
-        Client(app),
-        scim_prefix=bp.url_prefix,
-        environ={"headers": {"Authorization": "Bearer invalid"}},
-    )
-    with pytest.raises(SCIMResponseErrorObject):
-        scim_client.discover()
-
-
-def test_authentication_with_an_user_token(app, backend, oidc_client, user):
-    """Test authentication with an user token."""
-    scim_token = models.Token(
-        token_id=gen_salt(48),
-        access_token=gen_salt(48),
-        subject=user,
-        audience=[oidc_client],
-        client=oidc_client,
-        refresh_token=gen_salt(48),
-        scope=["openid", "profile"],
-        issue_date=datetime.datetime.now(datetime.timezone.utc),
-        lifetime=3600,
-    )
-    backend.save(scim_token)
-
-    scim_client = TestSCIMClient(
-        Client(app),
-        scim_prefix=bp.url_prefix,
-        environ={"headers": {"Authorization": f"Bearer {scim_token.access_token}"}},
-    )
-    with pytest.raises(SCIMResponseErrorObject):
-        scim_client.discover()
diff --git a/tests/scim/test_errors.py b/tests/scim/test_errors.py
new file mode 100644
index 00000000..26f96105
--- /dev/null
+++ b/tests/scim/test_errors.py
@@ -0,0 +1,76 @@
+import datetime
+
+from scim2_client.engines.werkzeug import TestSCIMClient
+from scim2_models import Error
+from scim2_models import Resource
+from werkzeug.security import gen_salt
+from werkzeug.test import Client
+
+from canaille.app import models
+from canaille.scim.endpoints import bp
+from canaille.scim.endpoints import get_resource_types
+from canaille.scim.endpoints import get_schemas
+from canaille.scim.endpoints import get_service_provider_config
+
+
+def test_authentication_failure(app):
+    """Test authentication with an invalid token."""
+    resource_models = [
+        Resource.from_schema(schema) for schema in get_schemas().values()
+    ]
+    scim_client = TestSCIMClient(
+        Client(app),
+        scim_prefix=bp.url_prefix,
+        environ={"headers": {"Authorization": "Bearer invalid"}},
+        service_provider_config=get_service_provider_config(),
+        resource_types=get_resource_types().values(),
+        resource_models=resource_models,
+    )
+    User = scim_client.get_resource_model("User")
+    error = scim_client.query(User, raise_scim_errors=False)
+    assert isinstance(error, Error)
+    assert not error.scim_type
+    assert error.status == 401
+
+
+def test_authentication_with_an_user_token(app, backend, oidc_client, user):
+    """Test authentication with an user token."""
+    scim_token = models.Token(
+        token_id=gen_salt(48),
+        access_token=gen_salt(48),
+        subject=user,
+        audience=[oidc_client],
+        client=oidc_client,
+        refresh_token=gen_salt(48),
+        scope=["openid", "profile"],
+        issue_date=datetime.datetime.now(datetime.timezone.utc),
+        lifetime=3600,
+    )
+    backend.save(scim_token)
+
+    resource_models = [
+        Resource.from_schema(schema) for schema in get_schemas().values()
+    ]
+    scim_client = TestSCIMClient(
+        Client(app),
+        scim_prefix=bp.url_prefix,
+        environ={"headers": {"Authorization": f"Bearer {scim_token.access_token}"}},
+        service_provider_config=get_service_provider_config(),
+        resource_types=get_resource_types().values(),
+        resource_models=resource_models,
+    )
+    User = scim_client.get_resource_model("User")
+    error = scim_client.query(User, raise_scim_errors=False)
+    assert isinstance(error, Error)
+    assert not error.scim_type
+    assert error.status == 401
+
+
+def test_invalid_payload(app, backend, scim_client):
+    # TODO: push this test in scim2-tester
+    scim_client.discover()
+    User = scim_client.get_resource_model("User")
+    error = scim_client.create(User(), raise_scim_errors=False)
+    assert isinstance(error, Error)
+    assert error.scim_type == "invalidValue"
+    assert error.status == 400
diff --git a/tests/scim/test_scim_tester.py b/tests/scim/test_scim_tester.py
index 3693d708..e6dd92e7 100644
--- a/tests/scim/test_scim_tester.py
+++ b/tests/scim/test_scim_tester.py
@@ -1,13 +1,7 @@
-import pytest
+from scim2_tester import Status
 from scim2_tester import check_server
 
 
-def test_scim_tester(scim_client, backend):
-    # currently the tester create empty groups because it cannot handle references
-    # but LDAP does not support empty groups
-    # https://github.com/python-scim/scim2-tester/issues/15
-
-    if "ldap" in backend.__class__.__module__:
-        pytest.skip()
-
-    check_server(scim_client, raise_exceptions=True)
+def test_scim_tester(scim_client):
+    results = check_server(scim_client, raise_exceptions=True)
+    assert all(result.status == Status.SUCCESS for result in results)
diff --git a/uv.lock b/uv.lock
index d17d33ce..7f8e0e91 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1636,38 +1636,38 @@ wheels = [
 
 [[package]]
 name = "scim2-client"
-version = "0.5.0"
+version = "0.5.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "scim2-models" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/4f/d0/06a2a68c8b6a840fd8020ebfaf0141e1eadff0a24b4a2ba87c1d0fb9607d/scim2_client-0.5.0.tar.gz", hash = "sha256:f485864c0148cbbddd6a4120a4b3c2553ca89a8076d5cf7bdfa8ad6aba2c1e6e", size = 85783 }
+sdist = { url = "https://files.pythonhosted.org/packages/60/a0/208fb622495b174cfa11f9e856c19db73f2bbf3859519704cd35ff39dfce/scim2_client-0.5.1.tar.gz", hash = "sha256:836451f91baf8f0f3c7061dcc043e892d4e607c55c5803e779adc112b4bc2722", size = 85832 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/4b/e3/195d64ace80effcb948773914b72a8705565afbd02471ac827b28dfa977a/scim2_client-0.5.0-py3-none-any.whl", hash = "sha256:9f290aafea88d4220372a4902a17b3e7ea4dbdae69dfe9489b938d8d7a7ac827", size = 22500 },
+    { url = "https://files.pythonhosted.org/packages/c8/9f/66b3c5a61b156856f1019538757063a96e9cdd11b9d4f812505148c66d29/scim2_client-0.5.1-py3-none-any.whl", hash = "sha256:bf5566da5704228d24eebc89cd8a2adb038b19099956996d1e450a1d40df2d14", size = 22507 },
 ]
 
 [[package]]
 name = "scim2-models"
-version = "0.2.10"
+version = "0.3.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "pydantic", extra = ["email"] },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d6/ab/30c537635c2f4591db3a74acc90d8bd5a87107a01645f6c5a64c9f9e7619/scim2_models-0.2.10.tar.gz", hash = "sha256:1cbdaab551ec9fd06b3eaf4d1540f7c60cf065fdd6932ee5493e109d33163e2f", size = 131248 }
+sdist = { url = "https://files.pythonhosted.org/packages/d9/42/e7f986b1ebfba7f8b6105764aec0a8c526100b0d8bfd9e28cf08432ad693/scim2_models-0.3.0.tar.gz", hash = "sha256:a1db62385e7820e67c94fd758246815397eb3b3bd1bca797a2a3ef346e81d827", size = 132910 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/97/8c/ec957904e8e2d3f8cfa83c65f144aaa72527a816a485881eb7d5fb75968c/scim2_models-0.2.10-py3-none-any.whl", hash = "sha256:a8576a6c7a87bcfce9c5851f58ea1361ccbb6c53452cc96e70a2dda571cedcea", size = 39925 },
+    { url = "https://files.pythonhosted.org/packages/6a/ed/708165169928aae94a0596a557e4c674bcc781e429802fb951b9af1d21b1/scim2_models-0.3.0-py3-none-any.whl", hash = "sha256:1ff78d93b9ed0a4d89f04835777e1cee796e0d1881e71f8242a86af2ec9f0612", size = 40663 },
 ]
 
 [[package]]
 name = "scim2-tester"
-version = "0.1.10"
+version = "0.1.13"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "scim2-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/25/e5/d2b682ab9c46da87622271126b7be53ab82650144bff50b2243f5593bca0/scim2_tester-0.1.10.tar.gz", hash = "sha256:bcfb8bd16d3f2101ae2ebdeb24e1865b6ed21b9120ad1ecb13f4a2628e26973c", size = 67237 }
+sdist = { url = "https://files.pythonhosted.org/packages/ac/c7/fa5672d24d68da5e1060e4f02ab946d7569457d1a5d969e72c0f6c9e78c6/scim2_tester-0.1.13.tar.gz", hash = "sha256:2697f1ca8938e9f4425b76803856f4053108fbe3aee65a1bff446ca178339319", size = 68200 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/4f/53/6e0bb75472cd621dc447c7cc93a45c0d4d0756e63d9f56ee9ea705710c1c/scim2_tester-0.1.10-py3-none-any.whl", hash = "sha256:9dfc8dfdab00d4d89d4ce8d4b0330c74eadfa482a52b66927c342cdef35547de", size = 17619 },
+    { url = "https://files.pythonhosted.org/packages/8a/4f/d81e4983089bf458c59a1dd85d8524adf77b5b0d9e7aba3f9f2057da0343/scim2_tester-0.1.13-py3-none-any.whl", hash = "sha256:88d1832c4d13b369184e2a0c1a1aed6b107679b591e47eab73441ba382cb5add", size = 18879 },
 ]
 
 [[package]]
@@ -2138,27 +2138,26 @@ wheels = [
 
 [[package]]
 name = "uv"
-version = "0.5.7"
+version = "0.5.8"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ca/1c/8c40ec75c26656bec9ada97833a437b49fd443b5d6dfd61d6dda8ad90cbe/uv-0.5.7.tar.gz", hash = "sha256:4d22a5046a6246af85c92257d110ed8fbcd98b16824e4efa9d825d001222b2cb", size = 2356161 }
+sdist = { url = "https://files.pythonhosted.org/packages/14/31/24c4d8d0d15f5a596fefb39a45e5628e2a4ac4b9c0a6044b4710d118673a/uv-0.5.8.tar.gz", hash = "sha256:2ee40bc9c08fea0e71092838c0fc36df83f741807d8be9acf2fd4c4757b3171e", size = 2494559 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d6/15/4d05061146ef1ff909458f75812633944a144ebadf73ccd38bef127adc6a/uv-0.5.7-py3-none-linux_armv6l.whl", hash = "sha256:fb4a3ccbe13072b98919413ac8378dd3e2b5480352f75c349a4f71f423801485", size = 14208956 },
-    { url = "https://files.pythonhosted.org/packages/ba/8f/dc99e8f026da8b3c74661ca60d424472b8fc73854be8dd0375c9a487474b/uv-0.5.7-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:a4fc62749bda8e7ae62212b1d85cdf6c7bad41918b3c8ac5a6d730dd093d793d", size = 14205195 },
-    { url = "https://files.pythonhosted.org/packages/fe/67/fba55047c34ceae31cf92f6286a8517749d8c86a2151620fccb4dfb01cba/uv-0.5.7-py3-none-macosx_11_0_arm64.whl", hash = "sha256:78c3c040e52c09a410b9788656d6e760d557f223058537081cb03a3e25ce89de", size = 13178700 },
-    { url = "https://files.pythonhosted.org/packages/5c/af/476c4d3486690e3cd6a9d1e040e350aefcd374b6adf919228594c9e0d9d2/uv-0.5.7-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:76b514c79136e779cccf90cce5d60f317a0d42074e9f4c059f198ef435f2f6ab", size = 13438725 },
-    { url = "https://files.pythonhosted.org/packages/a0/18/ab89b12e695e069f6a181f66fd22dfa66b3bb5b7508938a4d4a3bff6d214/uv-0.5.7-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a45648db157d2aaff859fe71ec738efea09b972b8864feb2fd61ef856a15b24f", size = 13987146 },
-    { url = "https://files.pythonhosted.org/packages/60/72/0eedd9b4d25657124ee5715ec08a0b278716905dd4c2a79b2af5e742c421/uv-0.5.7-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c1e7b5bcc8b380e333e948c01f6f4c6203067b5de60a05f8ed786332af7a9132", size = 14513180 },
-    { url = "https://files.pythonhosted.org/packages/9c/b3/feef463577bb31f692b2e52fdce76865d297fe1a4ae48d2bad855b255a67/uv-0.5.7-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:737a06b15c4e6b8ab7dd0a577ba766380bda4c18ba4ecfcfff37d336f1b03a00", size = 15216614 },
-    { url = "https://files.pythonhosted.org/packages/99/dd/90e3360402610e1f687fc52c1c0b12906530986c7fe87d63414e0b8ac045/uv-0.5.7-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ba25eb99891b95b5200d5e369b788d443fae370b097e7268a71e9ba753f2af3f", size = 15005351 },
-    { url = "https://files.pythonhosted.org/packages/f2/c5/1fd7eafa61d2659ab4b27314e01eaa2cd62acb0f3a8bceb6420d38f3137f/uv-0.5.7-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:747c011da9f631354a1c89b62b19b8572e040d3fe01c6fb8d650facc7a09fdbb", size = 19537320 },
-    { url = "https://files.pythonhosted.org/packages/12/77/36eb833476111af75ecc624d103662aba650b2b3c47abf4df5917697a5b1/uv-0.5.7-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a141b40444c4184efba9fdc10abb3c1cff32154c7f8b0ad46ddc180d65a82d90", size = 14678070 },
-    { url = "https://files.pythonhosted.org/packages/a9/c6/7a70672f383ec639d178e0b1481048f181c05bbe372f23a66853a02e0346/uv-0.5.7-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:46b03a9a78438219fb3060c096773284e2f22417a9c1f8fdd602f0650b3355c2", size = 13637987 },
-    { url = "https://files.pythonhosted.org/packages/98/d1/a7c80c0a582344cf63ad17c8c344c9194a2f4475f6b522adbdb3b8cb6ac6/uv-0.5.7-py3-none-musllinux_1_1_armv7l.whl", hash = "sha256:13961a8116515eb288c4f91849fba11ebda0dfeec44cc356e388b3b03b2dbbe1", size = 13974519 },
-    { url = "https://files.pythonhosted.org/packages/84/23/55ef8f1fdd750aa1a123dac92bac249cbf8268bd9ab5b63b33580cd4dc23/uv-0.5.7-py3-none-musllinux_1_1_i686.whl", hash = "sha256:071b57c934bdee8d7502a70e9ea0739a10e9b2d1d0c67e923a09e7a23d9a181b", size = 14241488 },
-    { url = "https://files.pythonhosted.org/packages/e8/42/0cb96aa85849e55f3dcf4080fec1c13e75eb6179cbff630e4ded22b455f6/uv-0.5.7-py3-none-musllinux_1_1_ppc64le.whl", hash = "sha256:1c5b89c64fb627f52f1e9c9bbc4dcc7bae29c4c5ab8eff46da3c966bbd4caed2", size = 16082215 },
-    { url = "https://files.pythonhosted.org/packages/c5/d0/51e588ef932160f113a379781b7edf781d2a7e4667ff4a26b1f3146df359/uv-0.5.7-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:b79e32438390add793bebc41b0729054e375be30bc53f124ee212d9c97affc39", size = 14809685 },
-    { url = "https://files.pythonhosted.org/packages/cc/2b/5cc8622473e61b252211811ee6cb0471ac060dc4a36391747217a717a19a/uv-0.5.7-py3-none-win32.whl", hash = "sha256:d0600d2b2fbd9a9446bfbb7f03d88bc3d0293b949ce40e326429dd4fe246c926", size = 14074020 },
-    { url = "https://files.pythonhosted.org/packages/e1/e0/2ce3eb10fab05d900b3434dce09f59f5ac0689e52ca4979e3bfd32e71b61/uv-0.5.7-py3-none-win_amd64.whl", hash = "sha256:27c630780e1856a70fbeb267e1ed6835268a1b50963ab9a984fafa4184389def", size = 15842701 },
+    { url = "https://files.pythonhosted.org/packages/da/46/7a1310877b6ae012461c0bcc72629ee34a7c78749235ebf67d7856f24a91/uv-0.5.8-py3-none-linux_armv6l.whl", hash = "sha256:defd5da3685f43f74698634ffc197aaf9b836b8ba0de0e57b34d7bc74d856fa9", size = 14287864 },
+    { url = "https://files.pythonhosted.org/packages/0f/b5/d02c8ce6bf46d648e9ef912308718a30ecff631904ba03acd11e5ec6412d/uv-0.5.8-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:e146062e4cc39db334cbde38d56d2c6301dd9cf6739ce07ce5a4d71b4cbc2d00", size = 14290268 },
+    { url = "https://files.pythonhosted.org/packages/fb/5e/7277f92ee0aa8549e41152d9a0a7863d84e7b7b8de9b08cb397bfe1e37f6/uv-0.5.8-py3-none-macosx_11_0_arm64.whl", hash = "sha256:0f2bcdd00a49ad1669e217a2787448cac1653c9968d74bfa3732f3c25ca26f69", size = 13255149 },
+    { url = "https://files.pythonhosted.org/packages/08/5b/72be4ba38e8e6cd2be60e97fd799629228afd3f46404767b0e1cfcf1236e/uv-0.5.8-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:c91d0a2b8218af2aa0385b867da8c13a620db22077686793c7231f012cb40619", size = 13541600 },
+    { url = "https://files.pythonhosted.org/packages/4d/cb/92485fea5f3fffb0f93820fe808b56ceeef1020ae234f8e2ba64f091ed4e/uv-0.5.8-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8058ab06d2f69355694f6e9a36edc45164474c516b4e2895bd67f8232d9022ed", size = 14090419 },
+    { url = "https://files.pythonhosted.org/packages/ac/b0/09a3a3d93299728485121b975a84b893aebdb6b712f65f43491bba7f82d0/uv-0.5.8-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c56022edc0f61febbdef89e6f699a0e991932c493b7293635b4814e102d040d2", size = 14638200 },
+    { url = "https://files.pythonhosted.org/packages/3c/52/1082d3ca50d336035b5ef6c54caa4936aa2a6ad050ea61fca3068dd986b3/uv-0.5.8-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:84f26ce1736d075d1df34f7c3f6b0b728cecd9a4da3e5160d5d887587830e7ce", size = 15336063 },
+    { url = "https://files.pythonhosted.org/packages/06/b5/d9d9a95646ca2404da11fa8f1e9953827ad793d8b92b65bb870f4c0de541/uv-0.5.8-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a7956787658fb9253fba49741886409402a48039bee64b1697397d27284919af", size = 15068797 },
+    { url = "https://files.pythonhosted.org/packages/96/18/f92f7bf7b8769f8010ae4a9b545a0a183a806133174f65c46996e23c8268/uv-0.5.8-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5989bbbbca072edc1875036c76aed74ec3dfc4741de7d1f060e181717efea6ac", size = 19540106 },
+    { url = "https://files.pythonhosted.org/packages/a4/d8/757959dc58abfbf09afe024fbcf1ffb639b8537ea830d09a99d0300ee53c/uv-0.5.8-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2b3076c79746d4f83257c9dea5ba0833b0711aeff8e6695670eadd140a0cf67f", size = 14760582 },
+    { url = "https://files.pythonhosted.org/packages/be/20/8b97777fbe6b983a845237c3132e4b540b9dcde73c2bc7c7c6f96ff46f29/uv-0.5.8-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:aa03c338e19456d3a6544a94293bd2905837ae22720cc161c83ea0fd13c3b09f", size = 13738416 },
+    { url = "https://files.pythonhosted.org/packages/b4/fe/fd462516eeb6d58acf5736ea4e7b1b397454344d99c9a0c279bb96436c7b/uv-0.5.8-py3-none-musllinux_1_1_armv7l.whl", hash = "sha256:8a8cbe1ffa0ef5c2f1c90622e07211a8f93f48daa2be1bd4592bb8cda52b0285", size = 14044658 },
+    { url = "https://files.pythonhosted.org/packages/be/d0/215c4fcd68e02f39c50557829365e75e60de2c246884753f1382bd75513e/uv-0.5.8-py3-none-musllinux_1_1_i686.whl", hash = "sha256:365eb6bbb551c5623a73b1ed530f4e69083016f70f0cf5ca1a30ec66413bcda2", size = 14359764 },
+    { url = "https://files.pythonhosted.org/packages/41/3e/3d96e9c41cee4acf16aee39f4cae81f5651754ac6ca383be2031efc90eeb/uv-0.5.8-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:56715389d240ac989af2188cd3bfc2b603d31b42330e915dacfe113b34d8e65b", size = 14943042 },
+    { url = "https://files.pythonhosted.org/packages/51/3e/3826d2e7c653649eec649262d5548b7ed6bdb5af7bed2a8bb5a127ac67bd/uv-0.5.8-py3-none-win32.whl", hash = "sha256:f8ade0430b6618ae0e21e52f61f6f3943dd6f3184ef6dc4491087b27940427f9", size = 14201492 },
+    { url = "https://files.pythonhosted.org/packages/2f/d3/8ab1383ceccbc9f31bb9a265f90dfda4f6214229768ea9608df8a8c66e15/uv-0.5.8-py3-none-win_amd64.whl", hash = "sha256:4a3325af8ed1effa7076967472c063b0000d609fd6f561c7751e43bab30297f1", size = 15995992 },
 ]
 
 [[package]]