pomerium: Error 500 for self hosted gitlab. could not retrieve groups

What happened?

After authentication, the user is redirected to the page shown in the attached picture.

Screenshot from 2020-04-15 09-29-49

What did you expect to happen?

Successful login and be able to view httpbin.

How’d it happen?

  1. Ran pomerium docker configuration.
  2. I visited https://httpbin.localhost.pomerium.io, accepted my self signed cert
  3. Was redirected to gitlab for auth. Successfully authenticated.
  4. Saw error 500: could not retrieve groups Unauthorized

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version or /ping endpoint): 0.7
  • Server Operating System/Architecture/Cloud: Docker on local machine

What’s your config.yaml?

Pomerium config

pomerium_debug: true
authenticate_service_url: https://authenticate.localhost.pomerium.io

certificate_file: "./cert.pem"
certificate_key_file: "./privkey.pem"

idp_provider: gitlab
idp_provider_url: "https://<snip>"
idp_scopes: "openid,read_user,profile,email"
idp_client_id: <snip>
idp_client_secret: <snip>

policy:
  - from: https://httpbin.localhost.pomerium.io
    to: https://httpbin.org

Docker compose

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:v0.7.0
    environment:
      - COOKIE_SECRET=<snip>
    volumes:
      - ./authenticate.localhost.pomerium.io.crt:/pomerium/cert.pem:ro
      - ./authenticate.localhost.pomerium.io.key:/pomerium/privkey.pem:ro
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

What did you see in the logs?

httputil: ErrorResponse error="Internal Server Error: oauth callback : error redeeming authenticate code: internal/identity: could not retrieve groups Unauthorized" ip=172.17.0.1

Additional context

I had to add the idp_scopes and restrict it to openid,read_user,profile,email since the default ones also included the api scope. Why should the app need that? I tried giving it that scope anyway, allowing it in GitLab, but that made no difference; I still had the same error.
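The error in the log comes from the step after the OIDC code exchange, where Pomerium calls the GitLab REST API to read the user's group memberships; the restricted scope list above carries no scope that authorizes that call, so GitLab answers 401. The script below is an added example, not Pomerium's code and not part of the original issue: it pulls idp_scopes out of a config.yaml, reports which of the GitLab endpoints the connector needs are not covered, and suggests the least-privileged addition. The endpoint-to-scope table, the assumption that group lookup hits /api/v4/groups, and the version cut-off for read_api (12.10, as the maintainer states below) are assumptions written into the code.

```python
"""Scope checker for a Pomerium GitLab idp_scopes setting.

Added example, not Pomerium's own code. It explains why
"could not retrieve groups Unauthorized" follows from a scope list that
contains neither api nor read_api.
"""
import re

# Assumption: which GitLab OAuth scopes authorize the calls a GitLab
# connector makes after login. Illustrative mapping, not Pomerium's code.
ENDPOINT_SCOPES = {
    "/oauth/userinfo": {"openid"},                    # OIDC claims
    "/api/v4/user": {"read_user", "read_api", "api"},  # user profile
    "/api/v4/groups": {"read_api", "api"},             # group membership
}

# Least-privileged first. read_api is read-only; api grants write access too.
READ_ONLY_PREFERENCE = ["openid", "read_user", "read_api", "api"]

# Assumption: read_api became a valid GitLab scope in 12.10.
READ_API_MIN_VERSION = (12, 10)

# Constructed from the idp_scopes line of the config posted in this issue.
ISSUE_CONFIG = '''
idp_provider: gitlab
idp_scopes: "openid,read_user,profile,email"
'''


def parse_idp_scopes(config_text):
    """Return the set of scopes named in a Pomerium idp_scopes line.

    Handles both quoted and unquoted comma-separated values; returns an
    empty set when the key is absent.
    """
    match = re.search(r'^\s*idp_scopes:\s*"?([^"\n]*)"?\s*$', config_text, re.M)
    if not match:
        return set()
    return {s.strip() for s in match.group(1).split(",") if s.strip()}


def unauthorized_endpoints(granted):
    """List endpoints that none of the granted scopes authorizes."""
    return sorted(ep for ep, ok in ENDPOINT_SCOPES.items() if not (granted & ok))


def suggest_scopes(granted, gitlab_version):
    """Add the least-privileged scope that unblocks each failing endpoint.

    On GitLab older than 12.10 the only option for /api/v4/groups is the
    full api scope; from 12.10 on, read_api is preferred.
    """
    major_minor = tuple(int(p) for p in gitlab_version.split(".")[:2])
    available = [
        s for s in READ_ONLY_PREFERENCE
        if s != "read_api" or major_minor >= READ_API_MIN_VERSION
    ]
    result = set(granted)
    for endpoint in unauthorized_endpoints(granted):
        for scope in available:
            if scope in ENDPOINT_SCOPES[endpoint]:
                result.add(scope)
                break
    return result


if __name__ == "__main__":
    scopes = parse_idp_scopes(ISSUE_CONFIG)
    print("granted:", sorted(scopes))
    print("unauthorized:", unauthorized_endpoints(scopes))
    for version in ("12.9.0", "12.10.0"):
        print(f"suggested on GitLab {version}:",
              sorted(suggest_scopes(scopes, version)))
```

Run against the issue's config it reports /api/v4/groups as the only uncovered call, which matches the 401 in the log; on GitLab 12.9 the fix is the broad api scope, on 12.10 or later the read-only read_api suffices.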

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (8 by maintainers)

Most upvoted comments

Hello all, so I see the GitLab release has happened (so you could now use read_api), and I also see this isn't in 0.7.5. Just wondering when it's planned to be released?

Ah okay. No worries!

Hi @ajcollett, we changed the scope to read_api but got an error from GitLab saying it's an invalid scope. It will be in version 12.10, and I'm not sure it has been released yet, because the latest version I saw on their site is 12.9. https://docs.gitlab.com/archives/#latest-released-version

You might also like to pay attention to this conversation on GitLab https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944