Nope, that is a good idea because then you only need to create the user if they are actually trying to use the forum rather than pre-loading all users even if they might not use it.
On the Discourse side you could create a User Event webhook to sync with Know Your Company. Which will trigger:
When a user logs in, logs out, is created, approved or updated.
It would be nice if user events were more fine grained so that it only triggered on “updated”, but I guess you can just ignore all non “updated” events on the Know Your Company side.
Thinking about this though I’m not sure what you would key off of to know which user updated their email. SSO handles this because you pass in a “user_id”. I think with OAuth you can also pass in a “user_id” (oauth2_json_user_id_path) or some custom field that you could look up in Know Your Company to sync the email.
If an email is updated on the Know Your Company side you would issue an api request to update the email. You may have to find a good way to look up the user by external_id though, maybe this is an endpoint that can be added to your authenticator plugin.