OpenID id token contents and group memberships

Hello. I've searched for hours now and can't get a grasp on how to use the OpenID scope with GitLab. I want to use:

The ability to authenticate using GitLab, and read-only access to the user's profile information and group memberships

...so I registered an application checking "openid Authenticate using OpenID Connect".

When I authenticate I get an id_token (a JWT token) that should contain the data on groups etc. but it only contains:

{
  "iss": " ... URL of our GitLab instance ... ",
  "sub": "eab34251b705267400f70c71db44c145fa02cb574ea6eafa699e95ef5b08d097",
  "aud": "f59ef94c260a37bc50b088d3633a566f87741cf2141d9bde5197bc8d1780baa0",
  "exp": 1522226221,
  "iat": 1522226101,
  "auth_time": 1522221229
}

However, I also get an access_token (of type bearer). If I try using that token to GET /api/v4/user, the token does not have sufficient privileges:

{
  "error": "insufficient_scope",
  "error_description": "The request requires higher privileges than provided by the access token.",
  "scope": "read_user api"
}

So, how do I get the list of the user's groups and memberships?

If I ask for "read_user" scope and try to GET /api/v4/user, I get the identity correctly (but no group memberships).

What am I missing?
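
Added example, not part of the original post: Python helpers for inspecting which claims an id_token like the one above carries and which scopes from the insufficient_scope error the access token lacks. The `groups` claim name, the placeholder issuer, the JWT header and the dummy signature are assumptions; the payload is decoded without signature verification, so this is for inspection only and never for trusting the token.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_claims(id_token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))

def summarize(claims: dict, wanted=("groups",)) -> dict:
    # "groups" is a hypothetical claim name used for illustration.
    return {
        "present": sorted(claims),
        "missing": [c for c in wanted if c not in claims],
        "lifetime_s": claims["exp"] - claims["iat"],
    }

def scopes_listed_but_not_granted(error_body: dict, granted: str) -> list:
    # Both values are space-delimited scope lists.
    if error_body.get("error") != "insufficient_scope":
        return []
    have = set(granted.split())
    return [s for s in error_body.get("scope", "").split() if s not in have]

# Constructed sample: claims copied from the post, placeholder issuer,
# constructed header and a dummy signature segment.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.example.invalid",
    "sub": "eab34251b705267400f70c71db44c145fa02cb574ea6eafa699e95ef5b08d097",
    "aud": "f59ef94c260a37bc50b088d3633a566f87741cf2141d9bde5197bc8d1780baa0",
    "exp": 1522226221, "iat": 1522226101, "auth_time": 1522221229,
}
SAMPLE_TOKEN = ".".join(b64url_encode(p) for p in (
    json.dumps({"alg": "RS256", "typ": "JWT"}).encode(),
    json.dumps(SAMPLE_CLAIMS).encode(),
    b"not-a-real-signature"))
SAMPLE_ERROR = {"error": "insufficient_scope", "scope": "read_user api"}

if __name__ == "__main__":
    print(summarize(read_claims(SAMPLE_TOKEN)))
    print(scopes_listed_but_not_granted(SAMPLE_ERROR, "openid"))
```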