From 8573535b8c84c9352b9812767412e93e5cd233aa Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 24 Jan 2017 15:20:19 -0500
Subject: [PATCH] Add comment clarifying how we validate client {ID, secret} in Gitlab

---
 oauth/services/gitlab.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/oauth/services/gitlab.py b/oauth/services/gitlab.py
index 195ce177b..f05d9c617 100644
--- a/oauth/services/gitlab.py
+++ b/oauth/services/gitlab.py
@@ -30,6 +30,10 @@ class GitLabOAuthService(OAuthService):
 return slash_join(self._endpoint(), '/oauth/token')
 
 def validate_client_id_and_secret(self, http_client, app_config):
+ # We validate the client ID and secret by hitting the OAuth token exchange endpoint with
+ # the real client ID and secret, but a fake auth code to exchange. Gitlab's implementation will
+ # return `invalid_client` as the `error` if the client ID or secret is invalid; otherwise, it
+ # will return another error.
 url = self.token_endpoint()
 redirect_uri = self.get_redirect_uri(app_config, redirect_suffix='trigger')
 data = {
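Review bot: The new comment should spell out what "another error" means for the caller, because the check as described treats every response that is not `invalid_client` as "credentials OK", which makes it a credentials-only probe rather than a full configuration check. Under RFC 6749 §5.2 the fake code should yield `invalid_grant`, but a mismatched `redirect_uri` (built here with `redirect_suffix='trigger'`) or a disabled grant type would presumably also produce a non-`invalid_client` error and therefore read as valid; the check must key on the `error` field of the JSON body, not on the HTTP status, since both outcomes are 4xx. I would append: `# NOTE: any error other than invalid_client (e.g. invalid_grant for the fake code, or a redirect_uri mismatch) is treated as "credentials valid"; this only proves the client ID/secret pair, and it sends the real secret to whatever self._endpoint() points at.` The spelling "Gitlab" in the comment also differs from the `GitLabOAuthService` class name; `GitLab` is the project's own form. The body of `validate_client_id_and_secret` continues past the end of the hunk, so where the `error` value is actually compared is not visible here.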