This is generally a good idea as it reduces the severity of data leaks since it isn't possible to leak passwords, and is often more convenient for users to just log in with an existing account. However, for privacy reasons, some people don't like logging in with their Facebook or Google accounts to some sites, or wish to keep themselves anonymous, or want to have multiple accounts. I feel like the best option would be to have both OAuth and your own authentication.
You certainly should read up on some OWASP articles before you attempt to implement your own authentication, as they cover most web vulnerabilities and describe them in detail. Here's one to start you off: https://www.owasp.org/index.php/Authentication_Cheat_Sheet . Unfortunately, some small vulnerabilities aren't covered in the cheat sheet, such as timing attacks, which you can prevent by using constant-time comparison functions.
Also, I recommend using a hashing algorithm like scrypt, or bcrypt if scrypt is too memory intensive. Avoid using SHA or weaker hashing algorithms, as their use in authentication is often implemented incorrectly and can be brute forced relatively quickly. Algorithms like scrypt and bcrypt are intentionally resource intensive and slow to make brute forcing as slow as possible, and have a built-in salt. scrypt is just a memory intensive variant of bcrypt to prevent brute forcing through the use of GPUs.