Alessandro Segala
2 min read · Oct 23, 2020


I am a developer too, and it took me a while to accept that sometimes it’s best to give up total control over my code if that means having something done better and faster (one important learning for me was that developers’ job is to solve a problem for the business/organization, and that the applications developers write are just tools for solving those problems).

The vast majority of apps that are built in the world are enterprise apps. For those, I really think there’s no reason why developers need to build their own authentication system, given that organizations already have directories and integrating with them is much faster, cheaper, and safer.

For consumer apps (which really is a smaller number of apps in the grand scheme of things), there might be exceptions to the “always use external auth providers” rule, but I do think they’re fairly limited. The two I can think of are: when you absolutely need control over your users’ data completely because data is your business (e.g. if you’re building a social network); or when you are doing things like end-to-end cryptography that require you to derive a key on every login, and so you need control over the login flow.

Some of the points you present above sound a bit like spreading FUD (Fear, Uncertainty, Doubt). I’m sure that social providers like Facebook will use the data on your apps’ login to “sell it” to advertisers. However, other providers such as Azure AD, Auth0, Okta (among others) clearly promise not to do that, and they have that written in their terms (so it’s binding for them). I don’t know if these services actually have a “bazillion cookies”, but even if they did use cookies, that wouldn’t necessarily be a cause for concern: cookies are often necessary, and the bad cookies are the tracking ones only (and even then, it depends on how the data is used). Again, this goes back to my point that you should read the terms of the service you use, which will explain these practices.

Aside from that, a lot of the things you’re complaining about are actually solvable. If you want to use pop-ups rather than full-page redirects, you can do that (although, I find pop-ups to be much worse for the UX as they interrupt the flow). Because they all use open standards (OAuth 2.0 and OpenID Connect), you can use whatever third-party library you want to interact with them, or build your own (personally, I have built my own code to perform the OIDC flow, using third-party libraries just for validating the JWT). Being based on open standards also means that if something isn’t clear, you can find out how others have solved the issue, maybe using other providers.
