git-ecosystem · ldennington · Jun 1, 2022 · May 31, 2022 · Jun 1, 2022
diff --git a/docs/faq.md b/docs/faq.md
@@ -150,3 +150,17 @@ After revoking access, any tokens created by GCM will be invalidated and can no
 ### I used the install from source script to install GCM on my Linux distribution. Now how can I uninstall GCM and its dependencies?
 
 Please see full instructions [here](./linux-fromsrc-uninstall.md).
+
+### How do I revoke access for a GitLab OAuth application?
+
+There are some scenarios (e.g. updated scopes) for which you will need to manually revoke and re-authorize access for a GitLab OAuth application. You can do so by:
+
+1. Navigating to [the **Applications** page within your **User Settings**](https://gitlab.com/-/profile/applications).
+2. Scrolling to **Authorized applications**.
+3. Clicking the **Revoke** button next to the name of the application for which you would like to revoke access (Git Credential Manager is used here for demonstration purposes).
+
+   ![Button to revoke GitLab OAuth Application access](./img/gitlab-oauthapp-revoke.png)
+4. Waiting for a notification stating **The application was revoked access**.
+
+   ![Notifaction of successful revocation](./img/gitlab-oauthapp-revoked.png)
+5. Re-authorizing the application with the new scope (GCM should automatically initiate this flow for you next time access is requested).
diff --git a/docs/gitlab.md b/docs/gitlab.md
@@ -6,7 +6,7 @@ Git Credential Manager supports [gitlab.com](https://gitlab.com) out the box.
 
 To use on another instance, eg. `https://gitlab.example.com` requires setup and configuration:
 
-1. [Create an OAuth application](https://docs.gitlab.com/ee/integration/oauth_provider.html). This can be at the user, group or instance level. Specify a name and use a redirect URI of `http://127.0.0.1/`. _Unselect_ the 'Confidential' option, and ensure the 'Expire access tokens' option is selected. Set the scope to 'write_repository'.
+1. [Create an OAuth application](https://docs.gitlab.com/ee/integration/oauth_provider.html). This can be at the user, group or instance level. Specify a name and use a redirect URI of `http://127.0.0.1/`. _Unselect_ the 'Confidential' option, and ensure the 'Expire access tokens' option is selected. Set the 'write_repository' and 'read_repository' scopes.
 1. Copy the application ID and configure `git config --global credential.https://gitlab.example.com.GitLabDevClientId <APPLICATION_ID>`
 1. Copy the application secret and configure `git config --global credential.https://gitlab.example.com.GitLabDevClientSecret <APPLICATION_SECRET>`
 1. Configure authentication modes to include 'browser' `git config --global credential.https://gitlab.example.com.gitLabAuthModes browser`

diff --git a/docs/img/gitlab-oauthapp-revoke.png b/docs/img/gitlab-oauthapp-revoke.png
diff --git a/docs/img/gitlab-oauthapp-revoked.png b/docs/img/gitlab-oauthapp-revoked.png
diff --git a/src/shared/GitLab/GitLabHostProvider.cs b/src/shared/GitLab/GitLabHostProvider.cs
@@ -13,6 +13,7 @@ public class GitLabHostProvider : HostProvider
         private static readonly string[] GitLabOAuthScopes =
         {
             "write_repository",
+            "read_repository"
         };
 
         private readonly IGitLabAuthentication _gitLabAuth;