From 10aac93c36c1ec66fb1717391bbfbd64855152a2 Mon Sep 17 00:00:00 2001
From: lebaudantoine <lebaud.antoine131@gmail.com>
Date: Fri, 19 Dec 2025 11:25:35 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D(backend)=20improve=20user=20provis?=
 =?UTF-8?q?ioning=20documentation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

try to make explicit all implicit implementation's details
---
 src/backend/core/external_api/viewsets.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/backend/core/external_api/viewsets.py b/src/backend/core/external_api/viewsets.py
index c8d12667..a4ab2110 100644
--- a/src/backend/core/external_api/viewsets.py
+++ b/src/backend/core/external_api/viewsets.py
@@ -100,7 +100,15 @@ class ApplicationViewSet(viewsets.GenericViewSet):
                 and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION
                 and not settings.OIDC_USER_SUB_FIELD_IMMUTABLE
             ):
-                # Create a pending user without sub, but with an email.
+                # Create a provisional user without `sub`, identified by email only.
+                #
+                # This relies on Django LaSuite implicitly updating the `sub` field on the
+                # user's first successful OIDC authentication. If this stops working,
+                # check for behavior changes in Django LaSuite.
+                #
+                # `OIDC_USER_SUB_FIELD_IMMUTABLE` comes from Django LaSuite and prevents `sub`
+                # updates. We override its default value to allow setting `sub` for
+                # provisional users.
                 user = models.User(
                     sub=None,
                     email=email,