Because they don't want your password and as a security company, I applaud that.
Account issues, recovery, support that can be manipulated, a single breach or bad password that grants access to their admin interfaces, implementing their own 2FA.
And, serious people want SSO anyway, and most people have some kind of authentication they can lean on.
You can make a stodgy password login if you want, or you can run a keycloak yourself.
If you don't want to run an OIDC provider for yourself, why would you want them to?
Genuinely I applaud the idea that they're SSO first, and have as little information as possible to handle things. If you don't like it; well, run your own, run headscale - or, use wireguard another way.
Not every company needs their own login system. I fucking hate it.
