Ensure when logging in via OIDC when there's an existing non-OIDC account that there is an onboarding flow to merge these accounts #122

Open
alextreme opened this issue Nov 15, 2024 · 0 comments
alextreme commented Nov 15, 2024

As you've noticed, when logging in via OIDC this can clash with an existing User account (same sub/username/email address).

See if you can make this transition smoother by providing a one-time 'onboarding' process where the existing user account is reused for OIDC authentication. It would make sense to ask the user for their existing password to double-check that the user indeed is the same person before merging.

The merging could be done both ways; @sjoerdie recommends keeping the existing User intact:

> You can rename the existing username in Django to the new “keycloak” username; we usually do that at openforms to keep audit logging etc. for users. It is just annoying because users have to log in once via Keycloak because the account is only created then and you only then have the username. Or you have to make the username claim a predictable username (e.g. email).
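
The onboarding merge requested above, sketched as an added example that is not part of the issue or the project's code: the existing account is kept, its password is confirmed, and only then is it renamed and bound to the OIDC identity. `User` is a plain-Python stand-in for Django's User model; `oidc_sub`, `find_clash` and `merge_into_existing` are hypothetical names, and the claims are assumed to arrive as `sub`, `preferred_username` and `email`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:  # stand-in for the Django User model, not the project's code
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    oidc_sub: Optional[str] = None  # hypothetical field holding the linked "sub"

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash(password, self.salt))

class MergeError(Exception):
    pass

def make_user(username: str, email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, email, salt, _hash(password, salt))

def find_clash(users, claims):
    """Return the unlinked local account matching the username or email claim."""
    for u in users:
        if u.oidc_sub is None and (u.username == claims["preferred_username"]
                                   or u.email.lower() == claims["email"].lower()):
            return u
    return None

def merge_into_existing(users, claims, password):
    """One-time onboarding: reuse the existing account for this OIDC identity."""
    user = find_clash(users, claims)
    if user is None:
        raise MergeError("no unlinked local account matches these claims")
    if any(u.oidc_sub == claims["sub"] for u in users):
        raise MergeError("this OIDC identity is already linked to an account")
    if not user.check_password(password):  # prove ownership before linking
        raise MergeError("password confirmation failed")
    # Keep the row (and its audit history); only the username and link change.
    user.username, user.oidc_sub = claims["preferred_username"], claims["sub"]
    return user
```

Once `oidc_sub` is set the account no longer matches `find_clash`, so the onboarding step cannot be replayed against it.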
