diff --git a/course/auth.py b/course/auth.py
index bbabc0f309ed46b7461ae6b16bf764209e89b4c6..6cfed74bfab4e4db820b0e96d7a9b881446f8011 100644
--- a/course/auth.py
+++ b/course/auth.py
@@ -1256,16 +1256,20 @@ class AuthenticationTokenForm(StyledModelForm):
         super(AuthenticationTokenForm, self).__init__(*args, **kwargs)
         self.participation = participation
 
-        self.fields["restrict_to_participation_role"].queryset = (
-                participation.roles.all()
-                | ParticipationRole.objects.filter(
-                    id__in=[
+        allowable_role_ids = (
+                set(role.id for role in participation.roles.all())
+                | set(
                         prole.id
                         for prole in ParticipationRole.objects.filter(
                             course=participation.course)
                         if participation.has_permission(
-                            pperm.impersonate_role, prole.identifier)
-                    ]))
+                            pperm.impersonate_role, prole.identifier))
+                )
+
+        self.fields["restrict_to_participation_role"].queryset = (
+                ParticipationRole.objects.filter(
+                    id__in=list(allowable_role_ids)
+                    ))
 
         self.helper.add_input(Submit("create", _("Create")))