There's a difference though between farming out to a SaaS product like Auth0 and rolling your own. You should absolutely not try and write your own Oauth2 server unless you really, really know what you're doing. But there are a lot of options for self-hosted auth services that are rock solid and battle tested.
Depends on what you mean by maintain. If you use one of the well-supported open source solutions like Keycloak then it is very actively maintained with regular releases, bug fixes, new features (U2F support etc). But of course you need to run your own infrastructure (database, application servers, load balancer, maybe separate infinispan cluster if you want to go wild). If you don't have the operational capacity to do that then maybe a SaaS solution is right for you.
