diff --git a/oauth/services/gitlab.py b/oauth/services/gitlab.py
index 195ce177b..f05d9c617 100644
--- a/oauth/services/gitlab.py
+++ b/oauth/services/gitlab.py
@@ -30,6 +30,10 @@ class GitLabOAuthService(OAuthService):
 return slash_join(self._endpoint(), '/oauth/token')
 def validate_client_id_and_secret(self, http_client, app_config):
+ # We validate the client ID and secret by hitting the OAuth token exchange endpoint with
+ # the real client ID and secret, but a fake auth code to exchange. Gitlab's implementation will
+ # return `invalid_client` as the `error` if the client ID or secret is invalid; otherwise, it
+ # will return another error.
 url = self.token_endpoint()
 redirect_uri = self.get_redirect_uri(app_config, redirect_suffix='trigger')
 data = {
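Review bot: The added explanation at the top of validate_client_id_and_secret describes the method's contract, not a single statement, so it belongs in a docstring on the `def` line rather than as a body comment; a short docstring stating that the real client ID and secret are posted to the token endpoint with a fake authorization code and that an `invalid_client` error is taken as "credentials rejected" would carry the same information in the conventional place. The comment should also spell out what the method concludes when the request fails at the transport level or the response carries no `error` field at all — the rest of the body is outside this hunk, so I cannot tell whether those cases are distinguished from a successful validation, and presumably they must not be reported as "valid". Finally, the wording makes the check depend on a GitLab-specific detail; stating that explicitly helps the next maintainer, e.g. `# NOTE: relies on GitLab's token endpoint reporting error=invalid_client for bad credentials; other errors (e.g. one for the fake code) are expected when the credentials are accepted.`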