Auth: Support Gitlab OIDC scopes (#69890)

* draft gitlab openid

* mutualize id token extraction

* unexport fields

* user user info endpoint for retrieving indirect group memberships

* add to readme

* fix missing doc

* fix generic oauth wrong parameter

* log token

docs/sources/setup-grafana/configure-security/configure-authentication/gitlab/index.md

@@ -32,10 +32,7 @@ instance, if you access Grafana at `http://203.0.113.31:3000`, you should use
 http://203.0.113.31:3000/login/gitlab
 ```
 
-Finally, select `read_api` as the scope and submit the form. Note that if you're
-not going to use GitLab groups for authorization (i.e. not setting
-`allowed_groups`, see below), you can select `read_user` instead of `read_api` as
-the scope, thus giving a more restricted access to your GitLab API.
+Finally, select `openid`, `email` and `profile` as the scopes and submit the form.
 
 You'll get an _Application Id_ and a _Secret_ in return; we'll call them
 `GITLAB_APPLICATION_ID` and `GITLAB_SECRET` respectively for the rest of this
@@ -43,6 +40,11 @@ section.
 
 ## Enable GitLab in Grafana
 
+In this example, we'll assume you use the public `gitlab.com` instance, but you
+can use your own instance of GitLab instead by replacing `auth_url`, `token_url` with the URL of your instance.
+
+You can find these URLs in the `well known` configuration file of your GitLab instance, for example `https://gitlab.com/.well-known/openid-configuration`.
+
 Add the following to your Grafana configuration file to enable GitLab
 authentication:
 
@@ -53,10 +55,9 @@ allow_sign_up = true
 auto_login = false
 client_id = GITLAB_APPLICATION_ID
 client_secret = GITLAB_SECRET
-scopes = read_api
+scopes = openid email profile
 auth_url = https://gitlab.com/oauth/authorize
 token_url = https://gitlab.com/oauth/token
-api_url = https://gitlab.com/api/v4
 allowed_groups =
 role_attribute_path =
 role_attribute_strict = false
@@ -73,10 +74,6 @@ correct. For example in case you are serving Grafana behind a proxy.
 
 Restart the Grafana backend for your changes to take effect.
 
-If you use your own instance of GitLab instead of `gitlab.com`, adjust
-`auth_url`, `token_url` and `api_url` accordingly by replacing the `gitlab.com`
-hostname with your own.
-
 With `allow_sign_up` set to `false`, only existing users will be able to login
 using their GitLab account, but with `allow_sign_up` set to `true`, _any_ user
 who can authenticate on GitLab will be able to login on your Grafana instance;
@@ -145,10 +142,9 @@ allow_sign_up = true
 auto_login = false
 client_id = GITLAB_APPLICATION_ID
 client_secret = GITLAB_SECRET
-scopes = read_api
+scopes = openid email profile
 auth_url = https://gitlab.com/oauth/authorize
 token_url = https://gitlab.com/oauth/token
-api_url = https://gitlab.com/api/v4
 allowed_groups = example, foo/bar
 role_attribute_path = is_admin && 'Admin' || 'Viewer'
 role_attribute_strict = true