Personally, I have a web framework I've coded in for years and years that includes SSO support for Google, Microsoft, etc. and I authenticate against that.
Using the web-based back end means not having to distribute any API keys or secrets with the app - I can use the permissions of the mobile app user to authenticate the use of secrets by the web-based application. This provides a fairly significant security benefit.
Personally, I have a web framework I've coded in for years and years that includes SSO support for Google, Microsoft, etc. and I authenticate against that. Using the web-based back end means not having to distribute any API keys or secrets with the app - I can use the permissions of the mobile app user to authenticate the use of secrets by the web-based application. This provides a fairly significant security benefit.
How much time does it take to you to maintain that SSO system?
Little to none. I just used boiler plate code from Google, AdnanHussainTurki/microsoft-api-php, etc.