Composer API endpoint not accessable when group is set to `private`

When including a Private Group as Composer Repository the packages.json is not found due to missing authentication.

Composer Output:

$ composer update
Loading composer repositories with package information

                                                                                                                                             
  [Composer\Downloader\TransportException]                                                                                                   
  The "https://gitlab.XXXXXXXX.de/api/v4/group/83/-/packages/composer/packages.json" file could not be downloaded (HTTP/1.1 404 Not Found)  
                                                                                                                                             

update [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--lock] [--no-custom-installers] [--no-autoloader] [--no-scripts] [--no-progress] [--no-suggest] [--with-dependencies] [--with-all-dependencies] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [-a|--classmap-authoritative] [--apcu-autoloader] [--ignore-platform-reqs] [--prefer-stable] [--prefer-lowest] [-i|--interactive] [--root-reqs] [--] [<packages>]...

I expect the packages.json to be available to public and to include only projects/packages a user is allowed to view/access.

/cc @trizzi @ggelatti

EDIT: Run composer update -vvv will output something like ...

Loading composer repositories with package information
Using HTTP basic authentication with username "XXXXXXXX"

This indicates that composer config gitlab-domains your.instance-domain.com needs to be set.

Edited Oct 04, 2020 by Jochen