Debugging oauth2-generic configuration

I am struggling to find a working setup for your oauth2-generic provider in Omnibus GitLab CE and wonder if there is an easy way to get more debug output. I enabled debug logging in gitlab-rails but this only got me so far.

This is my current configuration:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'oauth2_generic'
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
   {
     "name" => "oauth2_generic",
     "app_id" => "gitlab",
     "app_secret" => "***REDACTED***",
     "args" => {
       client_options: {
         "site" => "https://b****.*****.eu:8443",
         "user_info_url" => "/oauth2/userinfo",
         "authorize_url" => "/oauth2-as/oauth2-authz",
         "token_url" => "/oauth2/token"
       },
       user_response_structure: {
         id_path: 'sub'
       }
     }
   }
]

I get redirected fine to log in with username and password, but the redirect back to GitLab returns this:

error

Judging by the logs, GitLab does not like the authorization code, but I have no clue how to debug this any further:

Started POST "/users/auth/oauth2_generic" for 1**.1**.1**.1** at 2017-05-16 11:19:06 +0200
Processing by OmniAuth::RequestForgeryProtection::Controller#index as HTML
  Parameters: {"authenticity_token"=>"EtjCBkPM6NR****0YZSqWNQ=="}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms)
Started GET "/users/auth/oauth2_generic/callback?code=[FILTERED]&state=734*****5fa2" for 1**.1**.1**.1** at 2017-05-16 11:19:10 +0200
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"code"=>"[FILTERED]", "state"=>"734*****5fa2"}

I'd be grateful for any pointers. Thank you!
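
Added example (not part of the original post and not GitLab code): a small Ruby triage script for log excerpts like the one above, which lists every OmniAuth callback routed to `OmniauthCallbacksController#failure` and records whether the provider sent back `code` (authorization succeeded, so the failure happened afterwards on the GitLab side) or `error` (the provider itself refused). The function names, stage labels and sample log are assumptions made for this illustration; the sample lines are constructed in the format shown in the post.

```ruby
# Added example: pair each OmniAuth callback request with the action that handled it.
STARTED    = %r{^Started (?:GET|POST) "/users/auth/([^/"?]+)/callback[^"]*" for (\S+) at (.+)$}
PROCESSING = /^Processing by (\S+)#(\w+)/
PARAMS     = /^\s*Parameters: (\{.*\})/

# Which OAuth2 stage failed, judged only by the callback's parameter names.
def stage_for(keys)
  return :provider_returned_error if keys.include?('error') # provider refused
  return :after_code_returned if keys.include?('code')      # failure came later
  :unknown
end

def omniauth_failures(log_text)
  failures = []
  request = nil # callback request whose lines are being read
  failure = nil # the same request once it is known to have failed
  log_text.each_line do |raw|
    line = raw.chomp
    if line.start_with?('Started ')
      m = STARTED.match(line)
      request = m ? { provider: m[1], ip: m[2], time: m[3], param_keys: [], stage: :unknown } : nil
      failure = nil
    elsif request && (m = PROCESSING.match(line))
      if m[1] == 'OmniauthCallbacksController' && m[2] == 'failure'
        failure = request
        failures << failure
      end
      request = nil
    elsif failure && (m = PARAMS.match(line))
      failure[:param_keys] = m[1].scan(/"([^"]+)"=>/).flatten
      failure[:stage] = stage_for(failure[:param_keys])
    end
  end
  failures
end

# Constructed sample log (documentation IP addresses, made-up state values).
SAMPLE_LOG = <<~'LOG'
Started POST "/users/auth/oauth2_generic" for 192.0.2.10 at 2017-05-16 11:19:06 +0200
Processing by OmniAuth::RequestForgeryProtection::Controller#index as HTML
Started GET "/users/auth/oauth2_generic/callback?code=[FILTERED]&state=abc123" for 192.0.2.10 at 2017-05-16 11:19:10 +0200
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"code"=>"[FILTERED]", "state"=>"abc123"}
Started GET "/users/auth/oauth2_generic/callback?error=access_denied&state=def456" for 192.0.2.11 at 2017-05-16 11:25:42 +0200
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"error"=>"access_denied", "state"=>"def456"}
LOG
puts omniauth_failures(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```
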