Finally an OIDC backend that is official and works like a charm. I tested it with Keycloak. You can even map existing users to Keycloak users when setting "User ID mappings" to "preferred_username". That is so great!
The only thing missing is making the OIDC provider the default.