diff --git a/connector/gitlab/gitlab.go b/connector/gitlab/gitlab.go
index cc681a824a..85783b71b9 100644
--- a/connector/gitlab/gitlab.go
+++ b/connector/gitlab/gitlab.go
@@ -140,8 +140,9 @@ type gitlabConnector struct {
 
 // oauth2Config builds the OAuth2 client configuration and scopes for this connector.
 func (c *gitlabConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
-	gitlabScopes := []string{scopeUser, scopeOpenID}
+	gitlabScopes := []string{scopeUser}
 	if c.groupsRequired(scopes.Groups) {
+		gitlabScopes = append(gitlabScopes, scopeOpenID)
 		if c.inheritedGroups {
 			gitlabScopes = append(gitlabScopes, scopeReadAPI)
 		}
diff --git a/connector/gitlab/gitlab_test.go b/connector/gitlab/gitlab_test.go
index 74007063e6..aba2e96056 100644
--- a/connector/gitlab/gitlab_test.go
+++ b/connector/gitlab/gitlab_test.go
@@ -180,7 +180,7 @@ func TestOAuth2ConfigScopesForInheritedGroups(t *testing.T) {
 	c := gitlabConnector{inheritedGroups: true}
 
 	cfg := c.oauth2Config(connector.Scopes{})
-	expectEquals(t, cfg.Scopes, []string{scopeUser, scopeOpenID})
+	expectEquals(t, cfg.Scopes, []string{scopeUser})
 
 	cfg = c.oauth2Config(connector.Scopes{Groups: true})
 	expectEquals(t, cfg.Scopes, []string{scopeUser, scopeOpenID, scopeReadAPI})