https://tailscale.com/kb/1054/dns#nameservers
and
https://tailscale.com/kb/1114/pi-hole#step-3-set-your-raspberry-pi-as-your-dns-server
Set Tailscale to use your DNS server to resolve your services (or all traffic if you prefer). Assuming your DNS server is on 100.x.x.1:53, then put 100.x.x.1 as a nameserver.
I’ve been using Authelia with several OIDC integrations for a while now. Works great. They’ve released a huge update like a day ago too. Out of the ones you listed, it’s very lightweight too. The docs are a bit all over the place but it is quite comprehensive.
I did look at Zitadel and tried setting it up myself but I just couldn’t get it to work. The docs are a bit vague.