docs: add OIDC identity migration guide

[benpsnyder]

Summary

• Adds an OIDC identity migration guide under Authentication.
• Explains that SpacetimeDB identity continuity depends on stable iss plus sub claims.
• Documents migration risks when moving from Keycloak, SpacetimeAuth, Auth0, Clerk, custom issuers, or app-owned auth brokers.
• Recommends stable application actors, identity-link tables, dual-issuer transition windows, explicit verification, and careful retirement of old issuers.
• Links the new guide from the authentication overview.

Why

This is a focused documentation slice from #5004. Teams replacing a centralized OIDC provider or introducing app-owned auth need a clear migration path that preserves authorization and auditability even when the resulting SpacetimeDB Identity changes.

The guide explains when identity can remain stable, when linked identities are required, and how reducers should resolve ctx.sender through application actor links instead of relying on raw provider identity alone.

Validation

• git diff --check
• pnpm --dir docs typecheck
• pnpm --dir docs build

The docs build passes. It still prints the existing docusaurus-plugin-llms-txt warning for /docs/ask-ai/ask-ai, which is unrelated to this change.

Refs #5004

[cloutiertyler]

Hi @benpsnyder, thanks for your contribution to the docs. We don't accept draft PRs in our repo to keep our PRs relatively neat and manageable, so I'm going to close this for now, at least until you have a complete PR for us to review.