📝(backend) improve user provisioning documentation

try to make explicit all implicit implementation's details
2025-12-19 11:25:35 +01:00
parent 4e6bc157b0
commit 10aac93c36
1 changed files with 9 additions and 1 deletions
--- a/src/backend/core/external_api/viewsets.py
+++ b/src/backend/core/external_api/viewsets.py
@@ -100,7 +100,15 @@ class ApplicationViewSet(viewsets.GenericViewSet):
                and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION
                and not settings.OIDC_USER_SUB_FIELD_IMMUTABLE
            ):
-                # Create a pending user without sub, but with an email.
+                # Create a provisional user without `sub`, identified by email only.
+                #
+                # This relies on Django LaSuite implicitly updating the `sub` field on the
+                # user's first successful OIDC authentication. If this stops working,
+                # check for behavior changes in Django LaSuite.
+                #
+                # `OIDC_USER_SUB_FIELD_IMMUTABLE` comes from Django LaSuite and prevents `sub`
+                # updates. We override its default value to allow setting `sub` for
+                # provisional users.
                user = models.User(
                    sub=None,
                    email=email,