There is really no reason any developer should try to roll their own auth these days. OWASP has identified and enumerated all of the relevant info. It seems like negligence when a teacher/professor talks about building a web app without referencing the project.
But even if you use a third party, tying identity in to your application almost always still has to be rolled on your own right? So no matter how bulletproof the 3rd party solution, it’s likely that a tremendous number of vulnerabilities on an application basis could come from faulty auth integrations as well