@jobcuatoi14, since I work for FusionAuth, I obviously have a pretty strong opinion on this one. Beyond that, I still have a strong opinion as a developer in general. I will share my thoughts with you so you can take them under consideration.
I'm not going to tell you what you should and shouldn't do. Everyone's authentication strategy is their own decision. Personally, in general, I would recommend against building your own. Instead of listing reasons, I will pose questions for you to consider so you can come to your own conclusion.
- Are you a security expert? If not, you will need to implement all the standards. Yes, you can use common libraries, but you will have to always stay up on the latest and greatest. Every day you will need to check for vulnerabilities in every library you use. If something breaks, you will have to stop what you are doing on your core product and fix it. You also mentioned JWTs, and there are many other well-known standards out there such as OAuth. Knowing the recipe and executing it are two different things. You may read how to prepare fugu, but do you really want to do that yourself or leave it to an expert?
- Is authentication your product? If not, you will have to consider all the time you will be dedicating to authentication as a developer. How much better would your core product be if you spent that time focusing on it?
- How much time do you have to dedicate to building your own auth? Even with standard libraries, you will have to build a lot. Probably more than you initially thought. I know you talked about using bcrypt for hashing, but are you aware of the concept of using a salt with the passwords? If not, I would really recommend not doing it. If you are, that is just one more thing you will have to deal with. You mentioned the forgot-password flow, but you will likely need other things like an initial registration flow. What about updating user data in general?
- What features do you need? Of course, that comes down to what you are trying to protect. If you are just maintaining your small blog subscription, username and password may work. If it is more sensitive, you may need things like MFA. Will you need to allow social logins? Will you need to enforce password policies? Will you need to support passwordless login? Role-based authentication?
- Do you have time to maintain what you build on top of your core product? Once you have it built, that does not mean you can forget about it. Security is an evergreen process. The consequences of a lapse and the impact on your product/company can only be measured by you.
I could go on and on, but I think for a forum post this gives pretty good support for my recommendation.
Whatever issue you have with the other tools you mentioned, or even FusionAuth itself, I would strongly challenge you to consider whether the issue is easier to deal with than creating the whole system yourself. In my experience, it is usually easier to work around the issue than to build your own.
I can't necessarily speak for the other products you have listed, but if you list some of your concerns with FusionAuth, I may be of some assistance.
Are you aware FusionAuth has a free Community Edition?
Also, I would recommend going through a FusionAuth Quickstart in the programming language of your choice to see how easy it is to get started.
Deciding which authentication to use is not a simple choice. I hope this helped and didn't sound too "salesy".
I'd love to hear others' thoughts on this as well.
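Since the reply above brings up bcrypt and "using salt with the passwords", here is an added example (not part of the post, and not FusionAuth's or bcrypt's code) that shows what a per-password salt does in practice. It uses Python's standard-library PBKDF2 (`hashlib.pbkdf2_hmac`) rather than bcrypt so it runs with no third-party package; bcrypt generates and embeds the salt for you automatically, which is exactly the bookkeeping this example makes explicit. The iteration count, the `pbkdf2_sha256$iters$salt$digest` storage format and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption for this example: a PBKDF2-HMAC-SHA256 work factor; tune it to
# your hardware so one hash takes a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and return a self-describing
    record 'pbkdf2_sha256$<iterations>$<salt>$<digest>' suitable for storage.

    The salt is stored next to the digest on purpose: it is not a secret, it
    only guarantees that two users with the same password get different
    records, so a precomputed table of hashes is useless against the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # one new random salt per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return "$".join([ALGORITHM, str(ITERATIONS), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt and iteration count taken from the
    stored record and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iteration_count = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algorithm != ALGORITHM or iteration_count <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iteration_count
    )
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Show the point of salting: hashing the same password twice yields two
    different stored records, yet both still verify."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("two records differ, both verify:", same_password_different_records("hunter2"))
```

The record format carries the algorithm and iteration count so that the work factor can be raised later for new passwords without breaking verification of old ones; bcrypt's `$2b$12$...` strings encode the same information, which is why you never store the salt separately when using it.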