The golang/oauth2 library has a list of external connectors that require the client_id, client_secret to be sent as part of the body (instead of in a basic auth header) for all requests to the token endpoint. I'm not sure if something changed recently in gitlab, but it seems that our existing connector is broken, and adding https://www.gitlab.com to the list fixes it. Since this is a core golang library, the timeline for a fix might be long.

I started a topic on the golang-nuts forum and filed and issue with gitlab