This is the first time I've heard of the "don't roll your own auth" crowd. You don't roll your own crypto (unless you're damn good at crypto, and most people aren't) but a simple username+bcrypt/argon2 solution works just fine for most applications.
You'll likely need to integrate with stuff like OIDC if you're planning to sell your software to enterprises with their own existing authentication mechanism (which isn't all that hard if you pick the right software stack as Apache and Nginx can do that layer for you!) but in other cases I don't see the need for it.
It's important to know your stuff when you're designing a security barrier, though. Good auth can be hard if your development framework doesn't already take care of edge cases. Things like JWT and refresh tokens can be a pain to get right and MFA can be even worse. Grabbing someone else's auth solution can sure be the quickest, easiest option, but there's no real need for all of that if your system doesn't need all that much complexity.
Personally, I would go with Keycloak or a similar product, but not integrate directly. With both Apache and Nginx you can let the web server do all the OpenID Connect work for you for paths you specify. All you need to do is take the header your reverse proxy hands you (make sure this can't be spoofed) and take that as your account ID. You'll have all the fancy enterprise features like MFA and LDAP integration at the ready if your customers demand it, but more importantly you don't need to bother with implementing refresh tokens, WebAuthn, TOTP generation, or password resets.
More importantly, this stuff can be hosted on your own hardware without any cloud subscriptions. You can outsource auth to an external provider later if you run into scaling issues, but you probably don't have to because servers are fast these days.
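The "take the header your reverse proxy hands you (make sure this can't be spoofed)" step above is the part that goes wrong most often, so here is an added example of the check on the application side. This is not code from the comment author or from Keycloak, Apache or Nginx; it assumes a WSGI-style `environ` dict, a proxy address range and a header name (`X-Remote-User`) that are all constructed for the example and must match your own deployment.

```python
import ipaddress
from typing import Optional

# Addresses from which the reverse proxy connects to the application.
# Constructed for this example; use your proxy's real address(es) or,
# better, bind the app to loopback / a private interface only.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Header the proxy's OIDC module forwards the authenticated user in.
# The name is an assumption; configure it to match your proxy setup.
USER_HEADER = "HTTP_X_REMOTE_USER"


def account_id_from_request(environ: dict) -> Optional[str]:
    """Return the authenticated account ID, or None if the request must be refused.

    The identity header is trusted only when the TCP peer is the proxy itself.
    A client that bypasses the proxy and connects directly cannot have its
    self-supplied header accepted, and the proxy itself must overwrite the
    header on every request so a client-supplied copy never passes through.
    """
    try:
        peer_ip = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # unparsable peer address: refuse
    if not any(peer_ip in net for net in TRUSTED_PROXIES):
        return None  # request did not come through the proxy: header is untrusted
    user = environ.get(USER_HEADER, "").strip()
    return user or None  # proxy authenticated nobody: treat as anonymous


def demo() -> tuple:
    """Constructed requests: one from the proxy, one straight from the internet."""
    via_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_REMOTE_USER": "alice"}
    direct = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_REMOTE_USER": "admin"}
    return account_id_from_request(via_proxy), account_id_from_request(direct)


if __name__ == "__main__":
    print(demo())  # ('alice', None)
```

The peer-address check is the application's half; the proxy's half is to set the identity header unconditionally for every proxied request (Nginx's `proxy_set_header` does this) so that a header sent by the client is replaced rather than forwarded.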
I think your 2nd/3rd lend favour towards "don't roll your own auth": it's hard, and more often than not there will be buggy implementations. People aren't good at crypto and they aren't good at authentication workflows either; when an application starts to scale it becomes a liability.
Building auth is hard, but so is properly integrating with external auth providers. You'll be surprised how many applications you'll find online that accept unsigned JWT tokens because many people don't know they need to turn those off. You also need to cater to the specifics of your auth solution (i.e. how to prevent spoofing, how it deals with brute force attempts, how to set up the proper session lengths). You end up learning about things like "OAuth 2 scopes" and other fun terminology that will have you become an expert in the specific auth solution you've chosen before you can reliably roll it out.
I'd guess that for most platforms that work with a simple username and password, rolling your own auth is probably a lot cheaper and easier. With 2FA this becomes trickier to pull off, but depending on your platform you may be able to build it in the same time it takes to properly configure, style, test, and document an external auth setup.
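To make the "accept unsigned JWT tokens" failure above concrete, here is an added example (not code from the commenter or from any JWT library) of a verifier that pins the accepted algorithm instead of trusting the token's own `alg` header. It implements HS256 directly with the standard library so it runs offline; the key and the tokens are constructed for the demo. In a real system use a vetted library and pass it an explicit algorithm list (PyJWT's `jwt.decode(token, key, algorithms=[...])`), which is the setting people forget.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Explicit allow-list. "none" is never acceptable, and the token's own header
# must not be allowed to widen this set.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed token (demo issuer, HS256 only)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token(payload: dict) -> str:
    """The shape of an 'alg: none' token: same payload, empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def verify(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is acceptable, else None.

    Order matters: decide the algorithm from our allow-list first, then check
    the signature in constant time, and only then look at the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None  # rejects "none", and any algorithm we did not opt into
    try:
        sig = b64url_decode(s_b64)
    except ValueError:
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # wrong key or tampered header/payload
    try:
        payload = json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # missing or past expiry: session lengths are enforced here
    return payload


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; never hard-code a real key
    claims = {"sub": "alice", "exp": 2_000_000_000}
    print(verify(sign_hs256(claims, key), key, now=1_700_000_000))   # {'sub': 'alice', 'exp': 2000000000}
    print(verify(unsigned_token(claims), key, now=1_700_000_000))    # None
```

The same payload is accepted when signed with the expected key and refused when it arrives with `alg: none`, with the wrong key, or after `exp`; the decision never consults the token to learn which algorithm to use.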