Don't add a "password required" notification for non-database auth via OIDC

data/users/__init__.py

@@ -174,6 +174,12 @@ class UserAuthentication(object):
     """
     return self.state.federated_service
 
+  @property
+  def requires_distinct_cli_password(self):
+    """ Returns whether this auth system requires a distinct CLI password to be created,
+        in-system, before the CLI can be used. """
+    return self.state.requires_distinct_cli_password
+
   @property
   def supports_encrypted_credentials(self):
     """ Returns whether this auth system supports using encrypted credentials. """

data/users/database.py

@@ -13,6 +13,11 @@ class DatabaseUsers(object):
   def supports_encrypted_credentials(self):
     return True
 
+  @property
+  def requires_distinct_cli_password(self):
+    # Since the database stores its own password.
+    return True
+
   def verify_credentials(self, username_or_email, password):
     """ Simply delegate to the model implementation. """
     result = model.user.verify_user(username_or_email, password)

data/users/federated.py

@@ -28,6 +28,11 @@ class FederatedUsers(object):
   def supports_encrypted_credentials(self):
     return True
 
+  @property
+  def requires_distinct_cli_password(self):
+    # Since the federated auth provides a password which works on the CLI.
+    return False
+
   def get_user(self, username_or_email):
     """ Retrieves the user with the given username or email, returning a tuple containing
         a UserInformation (if success) and the error message (on failure).

data/users/oidc.py

@@ -29,6 +29,11 @@ class OIDCInternalAuth(object):
   def federated_service(self):
     return None
 
+  @property
+  def requires_distinct_cli_password(self):
+    # Since the "password" is the generated ID token.
+    return False
+
   @property
   def supports_encrypted_credentials(self):
     # Since the "password" is already a signed JWT.