Additionally I should make it only option to auth in already working services.
Keycloak seems to be cool solution, it's used by Arch Linux and @fajfer gave me this url to check it out.