GitLab built-in authentication requires the "api" permission scope by default. This is a high level of permission, needed only when group synchronisation is enabled; otherwise "read_user" is enough.
Requiring unnecessary high-level permissions is bad practice, and we should restrict the scope of the granted permission as much as possible.
Group synchronisation enabled: require "api" scope
Group synchronisation disabled: require "read_user" scope