The Gatekeeper, or a project gating system
James E. Blair 560fa563db Support auth in multiple tabs
By default the UserManager uses session storage for its authentication
credentials.  That is restricted to a single tab.  In order to support
using the same auth token in multiple tabs, we could switch that to
localStorage which is shared by all tabs of the same domain.  But then
if a user exited the browser, they might be surprised to find that they
were still logged in when restarting.  The typically short lifetime of
OIDC tokens mitigates that somewhat, but it's probably best not to
subvert that expectation anyway.

Instead, we can continue to use session storage by using a BroadcastChannel
to notify other tabs of login/out events and transfer the token info as
well.  This is a standard feature of modern browsers, but we're using
a library that wraps it for two reasons: it supports older browsers
with compatibility workarounds if required, and it implements a leader
election protocol.  More on that in a minute.

We would also like to automatically renew tokens shortly before they
expire.  The UserManager has an automatic facility for that, but it
isn't multi-tab aware, so every tab would try to renew at the same time
if we used it.  Instead, we hook into the UserManager timer that fires
about one minute before token expiration and use the leader election to
decide which tab will renew the token.

We renew the token silently in the background with a hidden iframe.  In
this case, instead of using our normal auth callback page, we use a much
simpler "silent callback" which does not render the rest of our application.
This avoids confusion and reduces resource usage.

This also moves any remaining token lifecycle handling out of the Auth
component and into ZuulAuthProvider, so the division of responsibilities
is much simpler.

Change-Id: I17af1a98bf8d704dd7650109aa4979b34086e2fa
2021-11-18 17:40:04 +01:00
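
The multi-tab flow the commit message above describes, as an added example that is not Zuul's code: each tab keeps its own session storage, login/logout events and token data travel over a broadcast channel, and only the elected leader renews. `Bus`, `Tab`, `idp` and the oldest-tab election are hypothetical in-memory stand-ins for BroadcastChannel, sessionStorage, the identity provider and the wrapper library's leader election, so it runs under Node.

```javascript
// Added example; Bus, Tab and idp are hypothetical in-memory stand-ins.
class Bus {                        // stands in for a same-origin BroadcastChannel
  constructor() { this.tabs = []; }
  post(from, msg) {                // deliver to every open tab except the sender
    for (const t of this.tabs) if (t !== from) t.onMessage(msg);
  }
  leader() { return this.tabs[0]; } // simplified election: oldest open tab wins
}
class Tab {
  constructor(bus, idp) {
    this.bus = bus; this.idp = idp;
    this.session = new Map();      // stands in for this tab's sessionStorage
    bus.tabs.push(this);
    bus.post(this, { type: 'request' }); // a new tab asks peers for the token
  }
  get user() { return this.session.get('user') || null; }
  setUser(user) {                  // store locally, then tell the other tabs
    this.session.set('user', user);
    this.bus.post(this, { type: 'user', user });
  }
  login() { this.setUser(this.idp.issue()); }
  logout() { this.session.delete('user'); this.bus.post(this, { type: 'logout' }); }
  close() { this.bus.tabs = this.bus.tabs.filter(t => t !== this); }
  onMessage(msg) {
    if (msg.type === 'user') this.session.set('user', msg.user);
    else if (msg.type === 'logout') this.session.delete('user');
    else if (msg.type === 'request' && this.user)
      this.bus.post(this, { type: 'user', user: this.user });
  }
  onTokenExpiring() {              // timer fires in every tab; only the leader renews
    if (this.bus.leader() === this) this.setUser(this.idp.issue());
  }
}

function demo() {
  const idp = { issued: 0, issue() { return { token: 'tok-' + (++this.issued) }; } };
  const bus = new Bus();
  const a = new Tab(bus, idp), b = new Tab(bus, idp);
  a.login();
  const c = new Tab(bus, idp);     // opened after login, receives the token from peers
  const shared = [a, b, c].map(t => t.user.token);
  [a, b, c].forEach(t => t.onTokenExpiring());
  const renewed = { issued: idp.issued, tokens: [a, b, c].map(t => t.user.token) };
  a.close();                       // leader goes away; the next tab takes over
  [b, c].forEach(t => t.onTokenExpiring());
  c.logout();
  return { shared, renewed, issuedAfterFailover: idp.issued,
           loggedOut: [b, c].every(t => t.user === null) };
}
```
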
doc web UI: user login with OpenID Connect 2021-11-18 16:39:17 +01:00
etc Remove time database 2021-09-27 11:54:33 -07:00
playbooks Uncap concurrency in tests 2021-10-25 08:53:37 -07:00
releasenotes/notes web UI: user login with OpenID Connect 2021-11-18 16:39:17 +01:00
tests Load repo state from pipeline state on executors 2021-11-17 15:41:12 +01:00
tools Rely on bullseye image for skopeo in container image 2021-10-27 14:39:45 -07:00
web Support auth in multiple tabs 2021-11-18 17:40:04 +01:00
zuul Merge "Log and ignore exceptions in pipeline processing" 2021-11-18 07:56:23 +00:00
.coveragerc Revert "Revert "Switch to stestr"" 2018-05-17 08:33:40 -07:00
.dockerignore Add web/node_modules to dockerignore 2019-01-27 11:23:45 +01:00
.gitignore Use ZooKeeper TLS in tests 2021-03-08 06:49:57 -08:00
.gitreview OpenDev Migration Patch 2019-04-19 19:25:28 +00:00
.mailmap Fix pep8 E127 violations 2012-09-26 14:23:10 +00:00
.stestr.conf Revert "Revert "Switch to stestr"" 2018-05-17 08:33:40 -07:00
.zuul.yaml CI image requires consistency cleanup 2021-10-25 20:16:20 +00:00
COPYING Update README and add GPL license 2018-03-19 09:25:52 -07:00
Dockerfile Rely on bullseye image for skopeo in container image 2021-10-27 14:39:45 -07:00
LICENSE Initial commit. 2012-05-29 14:49:32 -07:00
Optimize canMerge using graphql 2020-02-28 09:43:56 +01:00
README.rst Support nodes setting 'auto' python-path 2019-09-19 10:28:53 +10:00
TESTING.rst Docs: fix stestr run example 2020-01-21 10:36:07 +01:00
bindep.txt Drop ambient capabilities when running bwrap 2021-11-01 19:13:37 +01:00
reno.yaml Add reno configuration settings 2020-07-22 08:45:46 -07:00
requirements.txt Pin to <3.0.0 2021-11-03 16:43:12 +01:00
setup.cfg Merge "Include database requirements by default" 2021-03-09 23:24:34 +00:00
Partial sync with OpenStack requirements. 2013-09-25 15:30:37 -07:00
test-requirements.txt github: more complete mocking for app setup 2021-09-23 19:53:48 +10:00
tox.ini Use all but one CPU when unittesting 2021-10-26 10:07:27 -07:00



Zuul is a project gating system.

The latest documentation for Zuul v3 is published at:

If you are looking for the Edge routing service named Zuul that is related to Netflix, it can be found here:

If you are looking for the JavaScript testing tool named Zuul, it can be found here:

Getting Help

There are two Zuul-related mailing lists:


A low-traffic announcement-only list to which every Zuul operator or power-user should subscribe.


General discussion about Zuul, including questions about how to use it, and future development.

You will also find Zuul developers in the #zuul channel on Freenode IRC.


To browse the latest code, see:

To clone the latest code, use git clone

Bugs are handled at:!/project/zuul/zuul

Suspected security vulnerabilities are most appreciated if first reported privately following any of the supported mechanisms described at

Code reviews are handled by gerrit at

After creating a Gerrit account, use git review to submit patches. Example:

# Do your commits
$ git review
# Enter your username if prompted

Join #zuul on Freenode to discuss development or usage.


Zuul is free software. Most of Zuul is licensed under the Apache License, version 2.0. Some parts of Zuul are licensed under the General Public License, version 3.0. Please see the license headers at the tops of individual source files.

Python Version Support

Zuul requires Python 3. It does not support Python 2.

Since Zuul uses Ansible to drive CI jobs, Zuul can run tests anywhere Ansible can, including Python 2 environments.