
Launch queries on the Mattermost API, having Gitlab as authentication provider


@mccoole

Once you set up Mattermost as an OAuth 2.0 provider, you'll need to initiate the auth flow from your app to Mattermost in order to authorize and authenticate the user with the OAuth 2.0 app that you created. After that, the app will be listed in the OAuth 2.0 apps in Account Settings. Note that giving access is the ability to authorize and authenticate with that app, while OAuth 2.0 Authorized Apps refers to those that are being used by the user.

That being said, if you set the OAuth app as Trusted then you'll skip the page to authorize the app (that page is very much like the authorization page that GitLab presents when the user first logs in with the GitLab auth method).

The callback of the registered OAuth 2.0 app must be controlled by your app and that endpoint will receive the access_token that you can later use to make further Mattermost API calls.

So the flow should be something like this:
1. User goes to your app
2. User clicks on Login to Mattermost -> this will initiate the OAuth 2.0 flow with Mattermost
3. User is redirected to /api/v3/oauth/authorize (this is the part where you need to use the client secret and client id)
   -> if the user is logged in, this will present the authorization page unless you marked the app as trusted; if the user is not logged into Mattermost yet, they will get a login page, and on that page they will be able to choose GitLab as the login method
4. User gets redirected to your app with access granted or denied; if access is granted, you'll receive a code per the OAuth 2.0 specs
5. With the code received in the previous step, the user will be redirected to /api/v3/oauth/access_token following the OAuth 2.0 flow
6. Finally, the user is redirected to the callback URI registered in the OAuth 2.0 app that you created in Mattermost, and that endpoint will receive the access_token
7. Add the access_token to the Authorization header as Authorization Bearer <access_token> to any of the Mattermost APIs

Does this help?
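
A sketch of the client side of the flow above, added here as an example and not part of the original post or Mattermost's own code. It uses the endpoint paths named in the post and the parameter names of the RFC 6749 authorization-code grant, adds a single-use `state` value so the callback cannot be forged, and only builds the requests rather than sending them; the server URL, credentials, redirect URI and `session` dict are assumed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

# Placeholders (assumed): replace with your server and registered OAuth 2.0 app.
MM_URL = "https://mattermost.example.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorize_url(session):
    """Step 3: URL to redirect the user to, bound to this session by a random state."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": session["oauth_state"]})
    return f"{MM_URL}/api/v3/oauth/authorize?{query}"


def handle_callback(session, callback_url):
    """Step 4: return the code, or None if access was denied or state does not match."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    state = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        return None  # callback was not started by this session (login CSRF)
    if "error" in params:
        return None  # user denied the authorization
    return params.get("code", [None])[0]


def build_token_request(code):
    """Step 5: server-side exchange of the code; the client secret never reaches the browser."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "redirect_uri": REDIRECT_URI}).encode()
    return Request(f"{MM_URL}/api/v3/oauth/access_token", data=body, method="POST")


def build_api_request(path, access_token):
    """Step 7: API call carrying the token in the Authorization header."""
    return Request(f"{MM_URL}{path}", headers={"Authorization": f"Bearer {access_token}"})
```

Keep the access_token server-side (for example in the session store) and send the built requests with `urllib.request.urlopen` over HTTPS only.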

