[nullfield]

You’re looking at a section of the development market that, largely, is somewhat opaque AND has “few” experts vis a vis other disciplines-both for some of the reasons you mention (don’t roll your own) and for things like the difficulty of really doing it well versus people’s (company’s) lack of desire to reinvent the wheel on something that’s working.

All this leads to the lack of easily accessible (from a technical side) papers, training, etc., and let’s face it-being hard, plenty of people who can design and document and develop business systems wouldn’t handle the heavy math and dense papers well, or more importantly (and in line with your question) expand those naturally to “best practices”.

It’s far cheaper to let Google or Facebook handle your identity management for a cost between close-to-free to mostly-reasonable, and use Okta or the like if you want more control.

The best suggestion I can really offer, lame as it feels, is that outside deep immersion into that world and it’s papers and experts one should study open source implementations like Red Hat-backed Keycloak or Apereo CAS to see how they do it in the real world (I’m sure there are others; these just come to mind).