
Restrict the auth token scope and enforce group membership

Emanuele Aina requested to merge wip/em/auth into master

Apertis is in the process of opening GitLab registration to the public: the assumption that all the GitLab users can be trusted is thus no longer valid.

Let administrators configure a set of groups: if the user logging in is a member of any of those, let the login complete; otherwise fail and ignore the attempt.

Also switch to the openid scope and call the dedicated OAuth2 userinfo endpoint rather than requiring the broad scope needed to call the regular GitLab API to get their username, see https://docs.gitlab.com/ee/integration/openid_connect_provider.html

Task: T7689 (T7786)

Edited by Emanuele Aina
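The membership check the description proposes, as an added Python example that is not the merge request's own code: it takes the JSON body returned by the OIDC userinfo endpoint (a constructed sample here), relies on its `groups` claim, and fails closed whenever the body is unparseable, the claim is missing or malformed, or the configured allow-list is empty; the comma-separated configuration format is an assumption.

```python
import json

# Constructed sample of what the OIDC userinfo endpoint returns for a
# logged-in user; the "groups" claim lists the paths of the groups the
# user is a member of.
SAMPLE_USERINFO = json.dumps({
    "sub": "42",
    "nickname": "alice",
    "groups": ["apertis/infrastructure", "apertis/docs"],
})


def parse_allowed_groups(config_value):
    """Parse the administrator-configured group list.

    The comma-separated format is an assumption of this example.
    Entries are normalised by stripping whitespace and slashes so that
    ' /apertis/ ' and 'apertis' compare equal.
    """
    return {
        entry.strip().strip("/")
        for entry in config_value.split(",")
        if entry.strip().strip("/")
    }


def is_login_allowed(userinfo_json, allowed_groups):
    """Return True only if the user belongs to one of the allowed groups.

    Every failure mode (unparseable body, missing or malformed "groups"
    claim, empty allow-list) denies the login rather than letting it
    through, since the point is to stop trusting every GitLab user.
    """
    if not allowed_groups:
        return False
    try:
        info = json.loads(userinfo_json)
    except ValueError:
        return False
    groups = info.get("groups") if isinstance(info, dict) else None
    if not isinstance(groups, list):
        return False
    # Exact path match only: membership of "apertis/docs" does not count
    # as membership of "apertis" unless that path is listed as well.
    for group in groups:
        if isinstance(group, str) and group.strip().strip("/") in allowed_groups:
            return True
    return False
```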
