Webauthn gssp : no user feedback for missing Metadata Statement #625

@phavekes

Description

When an invalid token is used for registration, an error is logged, but the user's UI is stuck at the registration screen.

An HTTP 500 is returned to the browser, but it should be used for generating a user-facing error.

{
    "status": "error",
    "errorMessage": "The Metadata Statement for the AAGUID \u002241414755-4944-3031-3233-343536373839\u0022 is missing"
}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Matched route \"gssp_saml_sso\".","context":{"route":"gssp_saml_sso","route_parameters":{"_route":"gssp_saml_sso","_controller":"Surfnet\\GsspBundle\\Controller\\SSOController::sso"},"request_uri":"https://webauthn.xxxxxxxxxxxxxxx.nl/saml/sso?SAMLRequest=lVPRjtowEHy%2Fr4j8nsRJCAkW5ESPVkXiVHSBqupL5ZgFIhE79ToH9%2FeNE%2BA46XpVH7ObmZ2ZXY%2FvT9XBeQaNpZITEniUOCCF2pRyNyHr1Rc3JffZ3Rh5dajZtDF7%2BQS%2FG0DjtECJrGtMSKMlUxxLZJJXgMwIlk8fFyz0KKu1MkqoA7mBfIzgiKBNq4g489mE%2FBKDlIMYbIbpdjRIijih201aJFBEdAg8CbYQRDAcRZuYh0kYDwIRRinEfBjQmDjfL%2B5C626O2MBcouHStCUaxi5N3XC0ogmLUkYHP4kza%2F2VkpsOtTemRub7Ryi49e%2BZtht62OitUBJOxpMH33ryERVxphftD0piU4HOQT%2BXAtZPi1cu5O7u%2BC7RDrG%2BjvJFz%2BHeBLI8p%2FmplP2SPgqy6H9C9nW1WrrLb%2FmKZN0uWReDzv5XUAWGb7jhY%2F%2BW5Xwen08GpI0as7GFsXWremqMLoumpT6v33Z61RUXwOy0dg5DA3VTd10XrkSXmzlh2adnF3E8esfIU3rnh5QG%2Fo%2FHRS72UHG37NYq4BX1bxDxs97MW%2F19JReqbvOzoZ9eHlRjTyag5NI%2BPwXQ89lNku%2FGqGFXotHdTdlMt3%2FL9C3rpXYWcv2%2BfYnZ3R8%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=rMxiUiUg1BFxdG%2BsKWtZKLPehFZQX0whEdcCU20sZY7Zcw2Kvp1rNvciSJTeYuCqhvbPwNm5jJuvth7hIwsv97LUpd5R6ISOI7FpgyZp7cyp6QnbB9%2BovmsnhNXgzr3njjByxQUu9BroZF5BB3zz2ENi43Znd2D88LkdRFgtQDYY3L1A7Tk7UHFUEYYDDU8Y1fU7VfLaLhQkKv%2BvTHp0ZeIoC7ajc0r14988533LrFWcaDZuyt%2BtLET6mAxrnyYIyEVG1UL6WKioTk8gNC9IPD2mjootIPV%2B084oC8XFVJjBadGK5Dz1Dm01%2BezFscgw5XRhzrpFp0sPHNpFDiuSJg%3D%3D","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Received sso request","context":{},"level":250,"level_name":"NOTICE","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"There is already state present, clear previous state","context":{},"level":300,"level_name":"WARNING","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Processing AuthnRequest","context":{},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"AuthnRequest processing complete, received AuthnRequest from \"https://sa-gw.xxxxxxxxxxxxxxx.nl/gssp/webauthn/metadata\", request ID: \"_c48aec4d68f947b570fd8b7eb306ea71fe13e693d5a272541c238e5a6105\"","context":{},"level":250,"level_name":"NOTICE","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"AuthnRequest stored in state","context":{},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Redirect user to the application registration route /registration","context":{},"level":250,"level_name":"NOTICE","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"766a38021560b9c588aca273d62db9a2"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Matched route \"app_identity_registration\".","context":{"route":"app_identity_registration","route_parameters":{"_route":"app_identity_registration","_controller":"Surfnet\\Webauthn\\Controller\\RegistrationController"},"request_uri":"https://webauthn.xxxxxxxxxxxxxxx.nl/registration","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"ea3612cb9154a430b1ad305e239244c8"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Verifying if there is a pending registration from SP","context":{"sari":"_c48aec4d68f947b570fd8b7eb306ea71fe13e693d5a272541c238e5a6105"},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"ea3612cb9154a430b1ad305e239244c8"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"There is a pending registration","context":{"sari":"_c48aec4d68f947b570fd8b7eb306ea71fe13e693d5a272541c238e5a6105"},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"ea3612cb9154a430b1ad305e239244c8"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Verifying if registration is finalized","context":{"sari":"_c48aec4d68f947b570fd8b7eb306ea71fe13e693d5a272541c238e5a6105"},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"ea3612cb9154a430b1ad305e239244c8"}}
Aug 29 09:38:04 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Return registration page for user attestation","context":{"sari":"_c48aec4d68f947b570fd8b7eb306ea71fe13e693d5a272541c238e5a6105"},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:04+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"ea3612cb9154a430b1ad305e239244c8"}}
Aug 29 09:38:05 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Matched route \"webauthn.controller.security.main.creation.options\".","context":{"route":"webauthn.controller.security.main.creation.options","route_parameters":{"_route":"webauthn.controller.security.main.creation.options","_controller":"webauthn.controller.security.main.creation.options"},"request_uri":"https://webauthn.xxxxxxxxxxxxxxx.nl/register/options","method":"POST"},"level":200,"level_name":"INFO","channel":"request","datetime":"2025-08-29T09:38:05+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"39a7c60e6f0a558ae2721cc465a1c997"}}
Aug 29 09:38:05 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"User Deprecated: Since web-auth/webauthn-lib 5.2.0: The parameter \"$optionStorage\" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set \"null\" and use the global option storage instead.","context":{"exception":{"class":"ErrorException","message":"User Deprecated: Since web-auth/webauthn-lib 5.2.0: The parameter \"$optionStorage\" is deprecated since 5.2.0 and will be removed in 6.0.0. Please set \"null\" and use the global option storage instead.","code":0,"file":"/var/www/html/vendor/web-auth/webauthn-symfony-bundle/src/Controller/AttestationControllerFactory.php:37"}},"level":200,"level_name":"INFO","channel":"php","datetime":"2025-08-29T09:38:05+02:00","extra":{"art":"35247","server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"39a7c60e6f0a558ae2721cc465a1c997"}}
Aug 29 09:38:13 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Matched route \"webauthn.controller.security.main.creation.result\".","context":{"route":"webauthn.controller.security.main.creation.result","route_parameters":{"_route":"webauthn.controller.security.main.creation.result","_controller":"webauthn.controller.security.main.creation.result"},"request_uri":"https://webauthn.xxxxxxxxxxxxxxx.nl/register","method":"POST"},"level":200,"level_name":"INFO","channel":"request","datetime":"2025-08-29T09:38:13+02:00","extra":{"server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"7720ed1c6119034b77c139e229abb046"}}
Aug 29 09:38:13 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Authenticator failed.","context":{"exception":{"class":"Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException","message":"The Metadata Statement for the AAGUID \"41414755-4944-3031-3233-343536373839\" is missing","code":0,"file":"/var/www/html/vendor/web-auth/webauthn-symfony-bundle/src/Security/Http/Authenticator/WebauthnAuthenticator.php:283","previous":{"class":"Webauthn\\Exception\\AuthenticatorResponseVerificationException","message":"The Metadata Statement for the AAGUID \"41414755-4944-3031-3233-343536373839\" is missing","code":0,"file":"/var/www/html/vendor/web-auth/webauthn-lib/src/Exception/AuthenticatorResponseVerificationException.php:13"}},"authenticator":"Webauthn\\Bundle\\Security\\Http\\Authenticator\\WebauthnAuthenticator"},"level":200,"level_name":"INFO","channel":"security","datetime":"2025-08-29T09:38:13+02:00","extra":{"art":"85965","server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"7720ed1c6119034b77c139e229abb046"}}
Aug 29 09:38:13 docker1.test2.ams.surfconext.nl webauthn[905]: {"message":"Webauthn authentication request failed.","context":{"request":"POST /register HTTP/1.1\r\nAccept:             application/json\r\nAccept-Encoding:    gzip, deflate, br, zstd\r\nAccept-Language:    nl-NL,nl;q=0.9,en-NL;q=0.8,en;q=0.7,en-US;q=0.6\r\nAuthorization:      \r\nContent-Length:     2884\r\nContent-Type:       application/json\r\nCookie:             lang=en; lang=en; stepup_locale=nl_NL; PHPSESSID=8464e0d25acdd8fe76f44de23fa1eda4\r\nCredentials:        include\r\nDnt:                1\r\nHost:               webauthn.xxxxxxxxxxxxxxx.nl\r\nMode:               no-cors\r\nOrigin:             https://webauthn.xxxxxxxxxxxxxxx.nl\r\nPriority:           u=1, i\r\nReferer:            https://webauthn.xxxxxxxxxxxxxxx.nl/registration\r\nSamesitesupport:    samesite_supported\r\nSec-Ch-Ua:          \"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"138\", \"Google Chrome\";v=\"138\"\r\nSec-Ch-Ua-Mobile:   ?0\r\nSec-Ch-Ua-Platform: \"Linux\"\r\nSec-Fetch-Dest:     empty\r\nSec-Fetch-Mode:     cors\r\nSec-Fetch-Site:     same-origin\r\nSec-Gpc:            1\r\nUser-Agent:         Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\r\nX-Forwarded-Host:   webauthn.xxxxxxxxxxxxxxx.nl\r\nX-Forwarded-Port:   443\r\nX-Forwarded-Proto:  https\r\nX-Forwarded-Server: 64774012d7f4\r\nX-Php-Ob-Level:     0\r\nX-Real-Ip:          145.100.191.122\r\nX-Tls-Client:       TLS_AES_256_GCM_SHA384,TLSv1.3,h2\r\nCookie: lang=en; stepup_locale=nl_NL; 
PHPSESSID=8464e0d25acdd8fe76f44de23fa1eda4\r\n\r\n{\"id\":\"owBZASPDNr50MxGOBcE7xIEy5qzDcpzLFj34zQGsR0DYllS_4W1l_1OoFXbU_2ktbx8oxlWRl32xEezgH1KgZAnNPll9dw548OOtgpbxXhvZNqpv3kCMtXaxpOqwUd01bVy6Th9ZNTPyVkRJVEVkxpo5lRRoJa0eSNEcJDYpH3AvAFup7QbPMv2PVpbtw9E0mgVU9g4sMOBvO8qKn0u3G89vFXPW1t2bBXLuw8vknrPnN_SwDmNtlzsTP6VX4uDVGby3ln67Kyzglrz9HPLlvk6v4PU0zndHyVuczXaoIdKhYVnK3LPjvE9dJtB6coSKhB96QQzS1xuwQO1wtSpw0D-1QbJPzwHqcVbjFiAoiJKyCxuijVM2ZAsp-YBCp03QriHbFVOB_rABTK4e6_uIF07pvWJEIwJQBmC3eIj4Cwt-kvrsb6al5g\",\"rawId\":\"owBZASPDNr50MxGOBcE7xIEy5qzDcpzLFj34zQGsR0DYllS_4W1l_1OoFXbU_2ktbx8oxlWRl32xEezgH1KgZAnNPll9dw548OOtgpbxXhvZNqpv3kCMtXaxpOqwUd01bVy6Th9ZNTPyVkRJVEVkxpo5lRRoJa0eSNEcJDYpH3AvAFup7QbPMv2PVpbtw9E0mgVU9g4sMOBvO8qKn0u3G89vFXPW1t2bBXLuw8vknrPnN_SwDmNtlzsTP6VX4uDVGby3ln67Kyzglrz9HPLlvk6v4PU0zndHyVuczXaoIdKhYVnK3LPjvE9dJtB6coSKhB96QQzS1xuwQO1wtSpw0D-1QbJPzwHqcVbjFiAoiJKyCxuijVM2ZAsp-YBCp03QriHbFVOB_rABTK4e6_uIF07pvWJEIwJQBmC3eIj4Cwt-kvrsb6al5g\",\"response\":{\"attestationObject\":\"o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEcwRQIhAOHRFDAU9n4Ilc4LiFIdQ_7oBPRn4UDWCCoDTkiplAB0AiABvtScZr7rU6b_5G_OYiU_EWSA37RXfvQttg-y-fD_0GhhdXRoRGF0YVkBzO2PXejafo40pfaFLAsTHRvpbEhoIvGbgMndr5QD1ySqRQAAADtBQUdVSUQwMTIzNDU2Nzg5AUijAFkBI8M2vnQzEY4FwTvEgTLmrMNynMsWPfjNAaxHQNiWVL_hbWX_U6gVdtT_aS1vHyjGVZGXfbER7OAfUqBkCc0-WX13Dnjw462ClvFeG9k2qm_eQIy1drGk6rBR3TVtXLpOH1k1M_JWRElURWTGmjmVFGglrR5I0RwkNikfcC8AW6ntBs8y_Y9Wlu3D0TSaBVT2Diww4G87yoqfS7cbz28Vc9bW3ZsFcu7Dy-Ses-c39LAOY22XOxM_pVfi4NUZvLeWfrsrLOCWvP0c8uW-Tq_g9TTOd0fJW5zNdqgh0qFhWcrcs-O8T10m0HpyhIqEH3pBDNLXG7BA7XC1KnDQP7VBsk_PAepxVuMWICiIkrILG6KNUzZkCyn5gEKnTdCuIdsVU4H-sAFMrh7r-4gXTum9YkQjAlAGYLd4iPgLC36S-uxvpqXmpQECAyYgASFYIIhn0_D-HnWOgldqUWDLBkRymUnzJGcngmGlmg-djQ5eIlggO5GzCbj-0SX78RC_mljZ4ovJ6f8wPL2JOEiTx-7iV8I\",\"clientDataJSON\":\"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiYXIyZUNuMVRWeHVBbFZvUVg2WGpDcnlnQ2ZCRWFnWldrUTZYcVJSaHlteEtTSElZUFh6aFk2cjU5QTBET0R5QmFSU09xcG1fYVRNdTVhcDNZeVMtMEEiLCJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLnRlc3QyLnN1c
mZjb25leHQubmwiLCJjcm9zc09yaWdpbiI6ZmFsc2V9\",\"transports\":[],\"publicKeyAlgorithm\":-7,\"publicKey\":\"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiGfT8P4edY6CV2pRYMsGRHKZSfMkZyeCYaWaD52NDl47kbMJuP7RJfvxEL-aWNnii8np_zA8vYk4SJPH7uJXwg\",\"authenticatorData\":\"7Y9d6Np-jjSl9oUsCxMdG-lsSGgi8ZuAyd2vlAPXJKpFAAAAO0FBR1VJRDAxMjM0NTY3ODkBSKMAWQEjwza-dDMRjgXBO8SBMuasw3KcyxY9-M0BrEdA2JZUv-FtZf9TqBV21P9pLW8fKMZVkZd9sRHs4B9SoGQJzT5ZfXcOePDjrYKW8V4b2Taqb95AjLV2saTqsFHdNW1cuk4fWTUz8lZESVRFZMaaOZUUaCWtHkjRHCQ2KR9wLwBbqe0GzzL9j1aW7cPRNJoFVPYOLDDgbzvKip9LtxvPbxVz1tbdmwVy7sPL5J6z5zf0sA5jbZc7Ez-lV-Lg1Rm8t5Z-uyss4Ja8_Rzy5b5Or-D1NM53R8lbnM12qCHSoWFZytyz47xPXSbQenKEioQfekEM0tcbsEDtcLUqcNA_tUGyT88B6nFW4xYgKIiSsgsboo1TNmQLKfmAQqdN0K4h2xVTgf6wAUyuHuv7iBdO6b1iRCMCUAZgt3iI-AsLfpL67G-mpealAQIDJiABIVggiGfT8P4edY6CV2pRYMsGRHKZSfMkZyeCYaWaD52NDl4iWCA7kbMJuP7RJfvxEL-aWNnii8np_zA8vYk4SJPH7uJXwg\"},\"type\":\"public-key\",\"clientExtensionResults\":{},\"authenticatorAttachment\":\"cross-platform\"}","exception":{"class":"Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException","message":"The Metadata Statement for the AAGUID \"41414755-4944-3031-3233-343536373839\" is missing","code":0,"file":"/var/www/html/vendor/web-auth/webauthn-symfony-bundle/src/Security/Http/Authenticator/WebauthnAuthenticator.php:283","previous":{"class":"Webauthn\\Exception\\AuthenticatorResponseVerificationException","message":"The Metadata Statement for the AAGUID \"41414755-4944-3031-3233-343536373839\" is missing","code":0,"file":"/var/www/html/vendor/web-auth/webauthn-lib/src/Exception/AuthenticatorResponseVerificationException.php:13"}}},"level":200,"level_name":"INFO","channel":"app","datetime":"2025-08-29T09:38:13+02:00","extra":{"art":"85965","server":"webauthn.xxxxxxxxxxxxxxx.nl","application":"Webauthn","request_id":"7720ed1c6119034b77c139e229abb046"}}
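Added example (not code from the issue or the Webauthn GSSP project): how the registration page could turn the HTTP 500 and its `{"status":"error","errorMessage":"..."}` body shown above into a user-facing message instead of staying on the registration screen. The response shape and the AAGUID come from the issue; the function names, the result fields and the texts shown to the user are assumptions.

```javascript
// Added example, not code from the issue or the Webauthn GSSP project.
// Turns the failure response the GSSP sends for POST /register into a
// user-facing result. Assumed response shape (taken from the issue):
//   HTTP 500, body {"status":"error","errorMessage":"..."}
const MDS_MISSING_RE =
  /Metadata Statement for the AAGUID "([0-9a-f-]{36})" is missing/i;

function classifyRegistrationFailure(httpStatus, bodyText) {
  let body = null;
  try {
    body = JSON.parse(bodyText);
  } catch (_) {
    body = null; // not JSON, e.g. an HTML error page from a proxy
  }
  const serverMessage =
    body && body.status === 'error' && typeof body.errorMessage === 'string'
      ? body.errorMessage
      : null;

  if (serverMessage === null && httpStatus < 400) {
    return null; // no failure to report
  }
  // The authenticator's AAGUID has no Metadata Statement in the configured
  // MDS: this key will never pass attestation, so do not offer a retry.
  const m = serverMessage ? MDS_MISSING_RE.exec(serverMessage) : null;
  if (m) {
    return {
      kind: 'unsupported_authenticator',
      aaguid: m[1].toLowerCase(),
      retryable: false,
      userMessage: 'This security key is not supported by this service. ' +
        'Please try a different key or contact support.',
    };
  }
  return {
    kind: 'server_error',
    aaguid: null,
    retryable: true,
    userMessage: serverMessage
      ? 'Registration failed: ' + serverMessage
      : 'Registration failed (HTTP ' + httpStatus + '). Please try again.',
  };
}

// Show the result on the registration page instead of leaving the user
// waiting. `view` is any object with textContent/hidden, e.g. a <div>.
function renderRegistrationFailure(view, result) {
  view.hidden = result === null;
  view.textContent = result === null ? '' : result.userMessage;
  return view;
}
```

The caller passes `response.status` and `await response.text()` from the fetch to `/register`, so a non-JSON body (a proxy error page) is handled as well as the bundle's JSON error.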
