If I had to guess, maybe trusted proxies haven't been configured for Cloudflare, preventing the auth token from being accepted.
I know Authentik supports managing access per role, it's how it's meant to be used. https://goauthentik.io/docs/applications#authorization
Seems they have a doc on setting it up with GitLab. https://goauthentik.io/integrations/services/gitlab/
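The "trusted proxies" point in the first comment comes down to one decision an application (or the proxy in front of it) has to make: whether to believe the `X-Forwarded-For` chain at all. The snippet below is an added illustration, not code from this thread, from Authentik, or from any proxy product. It assumes a reverse proxy in front of the app and uses RFC 5737 documentation ranges (`203.0.113.0/24` etc.) as stand-ins for whatever ranges the real proxy uses. With an empty trusted list, which is the "not configured" situation the comment guesses at, the forwarded header is ignored and every request appears to come from the proxy itself.

```python
"""Trusted-proxy handling for X-Forwarded-For (added example, not from the thread).

Rules implemented:
  * If the connecting peer is not a trusted proxy, X-Forwarded-For is ignored,
    because anyone can put arbitrary addresses in that header.
  * If the peer is trusted, walk the chain from the right (nearest hop first)
    and skip every hop that is itself a trusted proxy; the first hop that is
    not trusted is the real client. Leftmost entries are never trusted blindly,
    since the original client controls them.
The CIDRs used in the demo are RFC 5737 documentation ranges, assumed here
in place of a real proxy's published ranges.
"""
import ipaddress
from typing import Iterable, List, Optional


class TrustedProxies:
    """Set of CIDR ranges whose X-Forwarded-For contributions are believed."""

    def __init__(self, cidrs: Iterable[str]):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def is_trusted(self, addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return False  # malformed entries are never trusted
        return any(ip in net for net in self.networks)


def parse_xff(header: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its hops."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def client_ip(peer: str, xff: Optional[str], trusted: TrustedProxies) -> str:
    """Resolve the client address for a request from `peer` carrying `xff`."""
    if not trusted.is_trusted(peer):
        # The connection did not come through a trusted proxy: the header is
        # attacker-controlled data, so the TCP peer is the only honest answer.
        return peer
    for hop in reversed(parse_xff(xff)):
        if not trusted.is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer  # garbage in the chain: fall back to the peer
    # Header absent, or every hop is one of our own proxies.
    return peer


if __name__ == "__main__":
    # Constructed demo values (documentation ranges, not real proxy ranges).
    configured = TrustedProxies(["203.0.113.0/24"])
    unconfigured = TrustedProxies([])
    print(client_ip("203.0.113.10", "198.51.100.7, 203.0.113.5", configured))   # 198.51.100.7
    print(client_ip("203.0.113.10", "198.51.100.7, 203.0.113.5", unconfigured)) # 203.0.113.10
    print(client_ip("192.0.2.99", "198.51.100.7", configured))                   # 192.0.2.99
```

The second call is the failure mode from the comment: the proxy is present but not listed, so every request is attributed to the proxy's own address and anything keyed on the client address (rate limits, IP allow-lists, session binding) misbehaves. The third call shows the opposite risk that a too-broad trusted list would reintroduce: a direct connection from an untrusted source must not be able to choose its own client IP via the header.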
The responses you get here are from people who have already perfected their setup, so take them with a grain of salt.
I mean, I have my setup running with Traefik, CrowdSec, and Authentik, and that's before the request even reaches the application.
Two months ago that was only Traefik.
A year before that I was using Nginx Proxy Manager instead of Traefik because it was easier to manage and understand.
Half the fun is evolving your homelab. Trying to start out with the full stack of things someone suggests is daunting and nearly impossible.
Take things one step at a time. And honestly, if you don't understand what the documentation is talking about, YouTube videos are great. I've had to use them a lot to understand how Authentik works, but now I understand the docs.
Having to connect everything via LDAP actually seems to be the more difficult way.
For managing authentication but also authorization, OpenID and SAML are easier to set up and easier to secure in my opinion. They also allow you to manage multiple groups and permissions.
Unlike LDAP, these options send you to the auth server, where you can centrally manage 2FA as well as additional login methods (e.g. if your company uses G Suite, use that to log in).
Though I've had to use LDAP for some things as well, I went with Authentik since it can do all of these. Users and groups are easy to manage, and you can block access in Authentik already instead of having to manage access by group in each application.
It really depends on your needs; with what you're describing, a simple spreadsheet would be all you need.
But other companies need to integrate with certain systems that have authentication where you want to allow/disallow access. These are jobs for LDAP, SAML, and OIDC providers. I personally use Authentik, but there's Authelia and Keycloak as some examples.
By no means are those as simple as checking a spreadsheet. But you wouldn't need to check a spreadsheet, because it's integrated in your login page.
Like other people have suggested, maybe it's a good idea to go with better-featured options supporting many more authentication and authorization methods.
My personal pick is Authentik, as it supports working as an OpenID, SAML, RADIUS, LDAP, and proxy provider, while also supporting external users from the likes of LDAP.