Gregory's ServerDefinitely. I used some of the hot new cloud-native projects in the OpenID connect / identity aware proxy / identity management space.
Some had glaringly obvious security bugs that remained undetected for months, only partial support for the required standards and a crappy documentation.
In the end it turned out apache with mod_openidc and keycloak were the boring but ultimately best (by far) solutions to the problem.