You can log in to Sandstorm using any email address.
Eventually, we plan to support logging in using a PGP key.
We see "internal user stores" (e.g. basic username/password with no connected email address) as problematic because a major design goal of Sandstorm is the ability to move data between hosts easily. Say you and five friends have been using Rocket.Chat on Sandstorm Oasis, and then you decide to transfer it to a self-hosted Sandstorm server -- or vice versa. It would be nice if after moving, Rocket.Chat can still recognize your five friends as being the same people, so that you don't lose your PM history and such. This is only possible by using some form of federated identities which all Sandstorm servers can independently authenticate. Username/password is inherently per-server so doesn't provide that.
It's not a bad option, and you make a decent case for that. However, the entire point of self-hosting for me is to be entirely self-reliant. Why would I use a github account to log in to a Sandstorm Gitlab instance?
Well, it's entirely up to you what login mechanism you want to use, so if Github isn't what you want, then by all means don't use it. You can be completely self-reliant using email login, or eventually PGP login. But some people find Google and Github login convenient.
FWIW we're currently working on a change that will allow you to attach multiple such "identities" to a single account, after which we plan to open up the door to a lot more authentication providers, including other "open" federated options like OpenID or Shibboleth (as well as popular proprietary services like Twitter, Facebook, etc. -- again, it's up to each user to decide what's most convenient for them).
Probably at some point you'll be able to host your own IDP as a Sandstorm app, if that's what you want. Other Sandstorm servers would be able to rely on that IDP as well, so it meets the federated requirement.