
Bypass non-OIDC requests in the service worker#1663

Merged
guillaume-chervet merged 4 commits into main from copilot/bypass-non-oidc-requests on May 14, 2026

Conversation

Contributor

Copilot AI commented May 13, 2026

ServiceWorker-handled fetches can retain stale CSP behavior for the worker lifetime and add noise by proxying unrelated requests. This adds an opt-in bypass so OIDC server and access-token target traffic continue through the worker while unrelated requests are handled by the browser.

  • Configuration

    • Adds bypassAllNonOidcRequests to trusted domain object configuration.
    • Defaults to false to preserve existing behavior.
  • Service worker fetch handling

    • When enabled, requests outside OIDC server URLs and configured access-token target domains return without event.respondWith(), letting the browser handle them directly.
    • OIDC server requests are never bypassed, including issuer, authorization, token, revocation, and userinfo URLs.
    • Configured accessTokenDomains requests are not bypassed so access token injection continues to work.
    • domains remains the fallback for access-token target matching when accessTokenDomains is not configured.
    • Bypass only activates after OIDC server configuration is initialized.
  • Tests and docs

    • Adds focused coverage for bypass decisions, OIDC server request preservation, and access-token target domain preservation.
    • Documents the new option in package READMEs and migration guidance.
trustedDomains.default = {
  oidcDomains: ['https://demo.duendesoftware.com'],
  accessTokenDomains: ['https://www.myapi.com/users'],
  bypassAllNonOidcRequests: true,
};
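The bypass decision the description lays out, written as an added example (not the oidc-client project's own code): it assumes the trusted-domain shape shown above, standard OIDC discovery field names for the server configuration the worker holds after initialisation, and same-origin-plus-path-prefix matching, which the PR text does not specify.

```javascript
// Added illustration of the bypass rule from PR #1663; not oidc-client library code.
// Assumptions: discovery field names below, and prefix matching on origin + path.

// Constructed sample: trusted-domain entry in the shape the PR description shows.
const trustedDomain = {
  oidcDomains: ['https://demo.duendesoftware.com'],
  accessTokenDomains: ['https://www.myapi.com/users'],
  bypassAllNonOidcRequests: true,
};

// Constructed sample of the server configuration held once discovery completed.
const oidcServerConfiguration = {
  issuer: 'https://demo.duendesoftware.com',
  authorization_endpoint: 'https://demo.duendesoftware.com/connect/authorize',
  token_endpoint: 'https://demo.duendesoftware.com/connect/token',
  revocation_endpoint: 'https://demo.duendesoftware.com/connect/revocation',
  userinfo_endpoint: 'https://demo.duendesoftware.com/connect/userinfo',
};
const OIDC_URL_KEYS = ['issuer', 'authorization_endpoint', 'token_endpoint',
  'revocation_endpoint', 'userinfo_endpoint'];

// Same origin and path prefix: a plain string startsWith() on a bare origin
// would also accept "https://demo.duendesoftware.com.evil.example/...".
function matchesPrefix(url, prefix) {
  const u = new URL(url);
  const p = new URL(prefix);
  return u.origin === p.origin && u.pathname.startsWith(p.pathname);
}
const matchesAny = (url, prefixes) => prefixes.some((p) => matchesPrefix(url, p));

// Returns { bypass, reason }. bypass === true means the fetch handler returns
// without calling event.respondWith(), so the browser handles the request.
function decideFetch(url, domain, serverConfig) {
  if (!domain.bypassAllNonOidcRequests) return { bypass: false, reason: 'disabled' };
  // Until OIDC server configuration is initialised, keep intercepting everything.
  if (!serverConfig) return { bypass: false, reason: 'not-initialised' };
  const oidcUrls = OIDC_URL_KEYS.map((k) => serverConfig[k]).filter(Boolean);
  if (matchesAny(url, oidcUrls)) return { bypass: false, reason: 'oidc-server' };
  // accessTokenDomains wins; domains is the fallback for access-token targets.
  const targets = domain.accessTokenDomains ?? domain.domains ?? [];
  if (matchesAny(url, targets)) return { bypass: false, reason: 'access-token-target' };
  return { bypass: true, reason: 'bypass' };
}

module.exports = { decideFetch, matchesPrefix, trustedDomain, oidcServerConfiguration };
```

In a real `fetch` listener the handler would call `event.respondWith(...)` only when `bypass` is false; the `reason` field is there so a unit test can check which rule fired.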

Copilot AI and others added 2 commits May 13, 2026 19:33
Agent-Logs-Url: https://github.com/AxaFrance/oidc-client/sessions/c3807b47-b316-4658-928d-53c56b639eba

Co-authored-by: guillaume-chervet <52236059+guillaume-chervet@users.noreply.github.com>
Agent-Logs-Url: https://github.com/AxaFrance/oidc-client/sessions/c3807b47-b316-4658-928d-53c56b639eba

Co-authored-by: guillaume-chervet <52236059+guillaume-chervet@users.noreply.github.com>
Copilot AI changed the title [WIP] Bypass all non OIDC requests in ServiceWorker Bypass non-OIDC requests in the service worker May 13, 2026
Copilot AI requested a review from guillaume-chervet May 13, 2026 19:37
@guillaume-chervet
Contributor

@copilot is it possible to also intercept accessTokenDomains requests?

Agent-Logs-Url: https://github.com/AxaFrance/oidc-client/sessions/c87015bc-b866-4c0f-9042-c87efba325fc

Co-authored-by: guillaume-chervet <52236059+guillaume-chervet@users.noreply.github.com>
Contributor Author

Copilot AI commented May 13, 2026

@copilot is it possible to also intercept accessTokenDomains requests?

Implemented in 2b15bce. With bypassAllNonOidcRequests enabled, configured accessTokenDomains (and domains fallback) are still intercepted so token injection continues to work; only requests outside OIDC and access-token domains are bypassed.

@guillaume-chervet guillaume-chervet marked this pull request as ready for review May 14, 2026 13:59
@guillaume-chervet guillaume-chervet merged commit debafc8 into main May 14, 2026
14 of 16 checks passed

Development

Successfully merging this pull request may close these issues.

Bypass all non OIDC requests in ServiceWorker
