I will just toss out some thoughts I have on in-house solutions:

It will probably take about 8-12 months total to fully implement and test a custom IdP with OAuth, OIDC, SAML, etc. (plus ensuring it is FIPS or SOC2 compliant).
- You’ll have to pen test regularly.
- You’ll probably need a security audit on it yearly.
- You’ll need to engage security researchers to continuously audit your code, APIs, etc. (pen testers are fine, but security researchers find things pen testers don’t).
- You’ll need to monitor CVEs and new exploits to ensure you are safe (at the network, server, and app levels).
- You’ll need to maintain it for as long as it is in use.
- You’ll need to keep it compliant with new specifications and security standards.

Undertaking these tasks can work for some teams, but walk into it with eyes wide open. Nobody likes to have their auth credentials stolen, and you need to spend time and money to prevent it.

More here: https://fusionauth.io/upgrade/from-homegrown/