If no scope is specified, it appears that gitlab.com defaults to 'api', which grants complete read/write access to the API including all groups and projects. That... is a lot.

Setting the scope to 'read_user' works in my TLJH installation. Before setting the scope in TLJH, authentication would fail unless I'd granted api permission in my gitlab.com OAuth server application. After limiting the scope which my TLJH client requests, I can remove the api permission from my gitlab.com OAuth server application and authentication succeeds.

It may be appropriate to make read_user scope be the default in oauthenticator/gitlab.py. GitHub appears to default to a much more limited and read-only set of permissions if no specific scope is requested, so leaving the scope unset on GitHub is reasonable. Leaving the scope unset on GitLab seems less reasonable.
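The difference between the unset and the restricted scope can be checked on the authorization request itself. The following is an added example, not code from oauthenticator or from this pull request; the client ID, callback URL and state are constructed placeholders, and the fallback to 'api' encodes the behaviour reported in the description above rather than a documented guarantee.

```python
from urllib.parse import urlencode, urlparse, parse_qs

GITLAB_AUTHORIZE_URL = "https://gitlab.com/oauth/authorize"

# Assumption taken from the description above: when the client sends no
# scope parameter, gitlab.com appears to fall back to 'api'.
OBSERVED_DEFAULT_SCOPES = ("api",)
# 'api' is described above as complete read/write access.
WRITE_SCOPES = {"api"}


def build_authorize_url(client_id, redirect_uri, state, scope=None):
    """Build the OAuth2 authorization-code request a client would send."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    if scope:  # an unset or empty scope is simply left out of the request
        params["scope"] = " ".join(scope)
    return f"{GITLAB_AUTHORIZE_URL}?{urlencode(params)}"


def effective_scopes(authorize_url):
    """Scopes the request ends up asking for, including the fallback."""
    query = parse_qs(urlparse(authorize_url).query)
    requested = query.get("scope", [""])[0].split()
    return tuple(requested) if requested else OBSERVED_DEFAULT_SCOPES


def audit_scopes(authorize_url, needed=("read_user",)):
    """Compare what the request obtains with what a login flow needs."""
    effective = set(effective_scopes(authorize_url))
    return {
        "effective": sorted(effective),
        "excess": sorted(effective - set(needed)),
        "write_access": bool(effective & WRITE_SCOPES),
    }


# Constructed sample values; the scope list mirrors the oauthenticator
# `scope` option, e.g. c.GitLabOAuthenticator.scope = ["read_user"].
CALLBACK = "https://hub.example.org/hub/oauth_callback"
UNSET = build_authorize_url("placeholder-client-id", CALLBACK, "s1")
LIMITED = build_authorize_url("placeholder-client-id", CALLBACK, "s1",
                              scope=["read_user"])

if __name__ == "__main__":
    print("scope unset:    ", audit_scopes(UNSET))
    print("scope read_user:", audit_scopes(LIMITED))
```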