GitLab-specific scopes

Scopes may be added to the GitLab OAuthenticator by overriding the scope list, like so:

c.GitLabOAuthenticator.scope = ['read_user']

The following scopes are implemented in GitLab 11.x:

api: Grants complete read/write access to the API, including all groups and projects. If no other scope is requested, this is the default. This is a very powerful set of permissions, it is recommended to limit the scope of authentication to something other than API.

read_user: Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.

read_repository: Grants read-only access to repositories on private projects using Git-over-HTTP (not using the API).

write_repository: Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API).

read_registry: Grants read-only access to container registry images on private projects.

sudo: Grants permission to perform API actions as any user in the system, when authenticated as an admin user.

openid: Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user’s profile and group memberships.

profile: Grants read-only access to the user’s profile data using OpenID Connect.

email: Grants read-only access to the user’s primary email address using OpenID Connect.