That’s what I needed to know.
Forget about OAuth; the only point of it is to do authentication via third-parties where you don’t directly get the password.
If you remember only one thing you read today, please let it be this:
DO NOT STORE USER PASSWORDS IN THAT DATABASE
The majority of data breach horror stories you’ve read about in the news over the years have been caused by people doing that.
Instead, use a hash function, store and compare hashes. I use bcrypt. If you have a massive user base and strained hardware resources, and are willing to impose some pretty hardcore guidelines on minimum password length on your users, then you may be interested in this essay arguing for faster hash functions and longer passwords. Personally, I have not encountered a situation where that tradeoff makes sense for me, so I still stick with bcrypt.
So do continue to read about JWT. As you can see, there are a zillion implementations, including what looks like about 10 for PHP. I can’t speak to the details of those, because I use Go for my backends.
One final thing: make sure you have a SSL certificate for you web hosting so that you can use HTTPS to transport the login information securely. I use LetsEncrypt for this.