Update GitLab provider docs (#1591)

* Update GitLab provider docs

Updates GitLab provider docs to reference self-hosted GitLab and provide additional clarity on required scopes.

* precommit fix

Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/docs/identity-providers/gitlab.md

@@ -19,21 +19,19 @@ This document describes the use of GitLab as an identity provider with Pomerium.
 
 ![create an application](./img/gitlab/gitlab-create-applications.png)
 
-3. Add a new application by setting the following parameters:
+1. Add a new application by setting the following parameters:
 
 Field        | Description
------------- | --------------------------------------------
+------------ | ---------------------------------------------------------------------------------
 Name         | The name of your web app
 Redirect URI | `https://${authenticate_service_url}/oauth2/callback`
-Scopes       | **Must** select the same as **[identity scopes]** option
+Scopes       | `openid` required; `read_api`, `profile`, `email` as necessary for your policies.
-
-If no scopes are set, you **must** select **openid**, **api**, **profile** and **email**.
 
 Your `Client ID` and `Client Secret` will be displayed like below:
 
 ![Gitlab OAuth Client ID and Secret](./img/gitlab/gitlab-credentials.png)
 
-4. Set `Client ID` and `Client Secret` in Pomerium's settings.
+1. Set `Client ID` and `Client Secret` in Pomerium's settings.
 
 ## Service Account
 
@@ -41,7 +39,6 @@ To use `allowed_groups` in a policy an `idp_service_account` needs to be set in
 
 ![Gitlab Personal Access Token](./img/gitlab/gitlab-personal-access-token.png)
 
-
 The format of the `idp_service_account` for Gitlab is a base64-encoded JSON document:
 
 ```json
@@ -52,20 +49,35 @@ The format of the `idp_service_account` for Gitlab is a base64-encoded JSON docu
 
 ## Pomerium Configuration
 
-Your configuration should look like the following example:
-
-```bash
-authenticate_service_url: https://authenticate.localhost.pomerium.io
-idp_provider: "gitlab"
-idp_client_id: "REDACTED"   // gitlab application ID
-idp_client_secret: "REDACTED"   // gitlab application secret
-idp_service_account: "REDACTED"   // gitlab service account
-```
-
 When a user first uses pomerium to login, they will be presented with an authorization screen similar to the following depending on the scope parameters setup:
 
 ![gitlab access authorization screen](./img/gitlab/gitlab-verify-access.png)
 
 Please be aware that [Group ID](https://docs.gitlab.com/ee/api/groups.html#details-of-a-group) will be used to affirm group(s) a user belongs to.
 
+### GitLab.com
+
+Your configuration should look like the following example:
+
+```
+authenticate_service_url: https://authenticate.localhost.pomerium.io
+idp_provider: "gitlab"
+idp_client_id: "REDACTED"   // gitlab application ID
+idp_client_secret: "REDACTED"   // gitlab application secret
+idp_service_account: "REDACTED"   // gitlab service account, base64 json
+```
+
+### Self-Hosted GitLab
+
+Self-hosted CE/EE instances should be configured as a generic OpenID Connect provider:
+
+```
+idp_provider: oidc
+idp_client_id: "REACTED"
+idp_client_secret: "REDACTED"
+idp_scopes: openid,email // Intersects with scopes
+idp_provider_url: https://gitlab.example.com // Base URL of GitLab instance
+idp_service_account: "REDACTED"   // gitlab service account, base64 json
+```
+
 [identity scopes]: ../../reference/readme.md#identity-provider-scopes