I have a suggestion regarding user authentication for services in two parts:
For services (current+future) that require registration, make authentication unified via Disroot Account (LDAP-PWM). This makes things clear and simple.
Bring in the concept of 'Service Passwords' for Disroot Accounts (LDAP-PWM). Folks can create service-specific passwords in addition to main password.
This brings security benefits when users use multiple machines/clients. When a device is lost, the user can remotely end the session and revoke the password that was used on that device. Therefore, the session on that device closes and the stored password becomes invalid.
For example, let's say I have the nextcloud client running on my devices A and B, with different service-specific passwords. Then my device B gets stolen. I log in to nextcloud from A and end the session that runs on B. Also, I log in to PWM and revoke the password used on B. Thus, even when someone extracts the stored password on device B, it cannot be used to access my nextcloud.
Maybe we can implement modes in PWM: Single-Password Mode and Multi-Password Mode. People can have a choice of shifting between the two. If multi is enabled, the services will accept only service-specific passwords for authentication. In single mode, services accept only the main password.
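To make the proposal concrete, here is a small model of it in Python. It is an added illustration, not Disroot's or PWM's code: the account store, the label names, the session tokens and the use of PBKDF2 as the password hash are all assumptions. It walks through the scenario from the post (devices A and B, B stolen, session ended from A, password revoked in PWM) and also shows why ending the session alone is not enough, plus how single/multi mode decides which credential a service accepts.

```python
"""Toy model of per-service passwords with revocation and single/multi mode.
Added example only; not Disroot/PWM code. Names and hashing are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever the directory really uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class StoredSecret:
    salt: bytes
    digest: bytes

    def matches(self, candidate: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(candidate, self.salt))


def _store(password: str) -> StoredSecret:
    salt = os.urandom(16)
    return StoredSecret(salt, _hash(password, salt))


@dataclass
class Account:
    main: StoredSecret
    mode: str = "single"                               # "single" or "multi"
    service_pw: dict = field(default_factory=dict)     # label -> StoredSecret
    sessions: dict = field(default_factory=dict)       # token -> label that opened it


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create_account(self, user, main_password):
        self.accounts[user] = Account(main=_store(main_password))

    def set_mode(self, user, mode):
        if mode not in ("single", "multi"):
            raise ValueError(mode)
        self.accounts[user].mode = mode

    def create_service_password(self, user, label) -> str:
        """Generate a random service password; only its hash is kept server-side."""
        pw = secrets.token_urlsafe(24)
        self.accounts[user].service_pw[label] = _store(pw)
        return pw

    def revoke_service_password(self, user, label):
        acct = self.accounts[user]
        acct.service_pw.pop(label, None)
        # Every session opened with that password dies with it.
        for tok in [t for t, l in acct.sessions.items() if l == label]:
            del acct.sessions[tok]

    def authenticate(self, user, password):
        """Return the label of the matching credential ('main' or a service label),
        or None. The account's mode decides which credentials are even tried."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        if acct.mode == "single":
            return "main" if acct.main.matches(password) else None
        for label, secret in acct.service_pw.items():
            if secret.matches(password):
                return label
        return None

    def login(self, user, password):
        label = self.authenticate(user, password)
        if label is None:
            return None
        tok = secrets.token_hex(16)
        self.accounts[user].sessions[tok] = label
        return tok

    def session_valid(self, user, token) -> bool:
        return token in self.accounts[user].sessions

    def end_session(self, user, token):
        self.accounts[user].sessions.pop(token, None)


def scenario() -> dict:
    """The stolen-device story from the post, with constructed data."""
    store = AccountStore()
    store.create_account("alice", "correct horse battery staple")
    store.set_mode("alice", "multi")
    pw_a = store.create_service_password("alice", "nextcloud-device-A")
    pw_b = store.create_service_password("alice", "nextcloud-device-B")
    tok_a = store.login("alice", pw_a)
    tok_b = store.login("alice", pw_b)
    result = {"main_rejected_in_multi": store.login("alice", "correct horse battery staple") is None}
    # Device B is stolen. Step 1: end B's session from device A.
    store.end_session("alice", tok_b)
    reused = store.login("alice", pw_b)           # thief still has the stored password
    result["reusable_after_session_end_only"] = reused is not None
    # Step 2: revoke B's password in PWM; that also kills the thief's new session.
    store.revoke_service_password("alice", "nextcloud-device-B")
    result["stolen_pw_rejected"] = store.login("alice", pw_b) is None
    result["b_sessions_dead"] = not store.session_valid("alice", tok_b) and not store.session_valid("alice", reused)
    result["a_still_valid"] = store.session_valid("alice", tok_a)
    # Switching back to single mode: only the main password is accepted.
    store.set_mode("alice", "single")
    result["service_pw_rejected_in_single"] = store.login("alice", pw_a) is None
    result["main_accepted_in_single"] = store.login("alice", "correct horse battery staple") is not None
    return result
```

The point the `reusable_after_session_end_only` line makes is the one the post relies on: ending the session only logs out the client, so the password extracted from the stolen device still opens a new session until it is revoked in the account store as well.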