
Scope for just OAuth

I was trying to set up OAuth integration for JupyterHub here: https://gitlab.com/bizops/jupyter-hub

And ran into an unfortunate issue. For some reason I needed to grant full api access to my account in order for OAuth to succeed. It looks like there is an OIDC role, but only selecting that didn't work for a simple OAuth implementation.

The impact is that an API token with full rights to my user account is now in the project's secret variables, as well as deployed in Kubernetes as a Secret. Any master or above, or anyone with sufficient access to the cluster, can now impersonate me with full access.

It would be great if we could limit this scope to just what is needed to authenticate users.

Edited by Joshua Lambert