This will allow me to mark when an OAuth token fails and surface it to the user so that they can re-up on their auth token.
I originally wasn't going to do passwords, but after struggling with WebAuthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc.