Workflows Tips #15: Sanitizing User Input, Error Handling, and Checking System Log for Access

Welcome to another Okta Workflows Tips post. Read all previous tips.

In this post:

  • Use Construct card to sanitize user input
  • Run another flow when an error occurs
  • Check System Log to see who accessed your account

Use Construct card to sanitize user input

This tip is from Jacob Waters, a MacAdmins Slack Community member and a Senior IT Administrator at Albert.

If you are building a Slack Block in Workflows, it is recommended to use Object – Construct (or List – Construct) cards instead of a Text – Compose card, especially if your block fields are populated by user input of any kind. It is possible for someone to input JSON and alter the JSON schema itself. Usually this breaks the JSON, but it can also make it possible to change the blocks entirely. Unlike the Text – Compose card, the construct cards correctly sanitize inputs. Here is a short example (not Slack specific).

A flow with user input

The flow above takes one input (Make) and creates a JSON object using Object – Construct and Text – Compose cards to show the difference.

When you run the flow with correct input Tesla, then the result from both cards is correct:

Result with correct flow input

But if a user enters incorrect input such as {"thecar": "Tesla"}:

Running flow with invalid input

Then the output from Text – Compose is invalid JSON, while Object – Construct produces valid JSON (even if the actual input might not be valid for the application):

Valid and invalid flow outputs

Invalid JSON output from Text – Compose card:

{
"Make": "{"thecar": "Tesla"}",
"Model": "Model 3",
"Year": "2021",
"EV": true
}

Even though the Make might not be correct, the JSON output from Object – Construct card is valid:

{
"Model": "Model 3",
"Make": "{\"thecar\": \"Tesla\"}",
"Year": 2021,
"EV": true
}
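To make the difference concrete outside the Workflows UI, here is an added Python example (not code from the post or from Okta) that mimics the two cards: compose_json pastes the input into a JSON template the way a Text – Compose card does, while construct_json sets the input as an object field and serializes it, as an Object – Construct card does. The field names and the inputs Tesla and {"thecar": "Tesla"} come from the post; the third, quote-containing input is a constructed value that shows how unescaped text can change the object's structure rather than just break it.

```python
import json

# Constructed sample values, mirroring the post's flow (not Okta's own code).
GOOD_INPUT = "Tesla"
BAD_INPUT = '{"thecar": "Tesla"}'


def compose_json(make, model="Model 3", year="2021", ev=True):
    """Mimics a Text - Compose card: the input is pasted into a JSON template as-is.
    Nothing escapes quotes or braces in `make`, so they become part of the syntax."""
    return ('{\n"Make": "%s",\n"Model": "%s",\n"Year": "%s",\n"EV": %s\n}'
            % (make, model, year, "true" if ev else "false"))


def construct_json(make, model="Model 3", year=2021, ev=True):
    """Mimics an Object - Construct card: values are set as fields of an object and
    then serialized, so json.dumps escapes any quotes or braces inside `make`."""
    return json.dumps({"Model": model, "Make": make, "Year": year, "EV": ev})


def parse_or_none(text):
    """Return the parsed object when `text` is valid JSON, otherwise None."""
    try:
        return json.loads(text)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed input containing quotes: with Compose it adds a field, with
    # Construct it stays a harmless string value.
    for label, inp in (("correct", GOOD_INPUT), ("invalid", BAD_INPUT),
                       ("quoted", 'Tesla", "Extra": "field')):
        print(label, "compose   ->", parse_or_none(compose_json(inp)))
        print(label, "construct ->", parse_or_none(construct_json(inp)))
```

The takeaway is the one the post makes: whatever the user types, construct_json yields valid JSON whose Make field equals the raw input, whereas compose_json either fails to parse or yields an object with fields the flow author never defined.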

Run another flow when using Error Handling cards

This tip is from Jacob Waters, a MacAdmins Slack Community member and a Senior IT Administrator at Albert.

Most Workflows cards support error handling. Click the gear icon (lower right) to set the error handling options:

Card error handling

One option is to run another flow when an error occurs (Run another flow option).

Looking at Workflows documentation you can see that the error information is passed to the helper flow:

Run another Flow: Stop the flow with an error, but run a helper flow. If your helper flow accepts inputs, call a flow by clicking Choose Flow and selecting a helper flow from the Select flow dialog. The flow that’s called will be able to get the error details using the Error output field on the helper flow card.

https://help.okta.com/wf/en-us/Content/Topics/Workflows/build/set-error-handling.htm

Now this goes even further. This also works with Error Handling cards such as Error Handling – Return Error card:

Setting up Return Error card
Setting up error handling for Return Error card

In addition to the original error, the message and message2 inputs are also passed to the helper flow:

Data passed to helper flow from Return Error card

You end up setting error handling for Error Handling – Return Error card (it’s like error handling for error handling).

Check System Log to see who accessed your account

This tip is from gbot, a low-code and API enthusiast, and a member of the MacAdmins Slack Community.

Schedule a scan of the System Log every 15 minutes to see if there is anything related to user.session.impersonation (grant, revoke, initiate, etc.). This is to ensure:

  • We grant access to (Okta) support with valid reasons
  • Support accesses our environment with valid reasons

A flow to do that looks like this:

A flow to check System Log for impersonation events

The flow makes a call to an Okta API (relative URL below) to check whether there are any matching log entries in the past 15 minutes. If there are, a message is sent to a Slack channel.

The important part is in Text – Compose card where an API call is constructed to search the System Log for the specific events:

/api/v1/logs?filter=eventType sw "user.session.impersonation"&since=2022-04-08T20:45:50.311Z
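The same check, written out as an added Python example (not the post's flow or Okta's code) so the moving parts are visible: build_logs_query produces the relative URL above for a 15-minute window ending at a given time, and impersonation_events plus slack_message turn the returned entries into the channel notification. The System Log entries in SAMPLE_LOG are constructed; their field names (published, eventType, actor.displayName, outcome.result) follow the System Log entry shape, and the timestamps and names are made up. The query is URL-encoded here, whereas the post shows it unencoded inside the Text – Compose card.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

# Event types that start with this prefix (grant, initiate, revoke, ...) are the ones to watch.
IMPERSONATION_PREFIX = "user.session.impersonation"

# Constructed "now" so the example is reproducible; it matches the post's since= value.
SAMPLE_NOW = datetime(2022, 4, 8, 21, 0, 50, 311000, tzinfo=timezone.utc)


def to_okta_timestamp(dt):
    """Format a timezone-aware datetime as the ISO 8601 UTC form used by the System Log API."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_logs_query(now, window_minutes=15):
    """Relative URL for the last `window_minutes` of impersonation events."""
    since = to_okta_timestamp(now - timedelta(minutes=window_minutes))
    params = {"filter": f'eventType sw "{IMPERSONATION_PREFIX}"', "since": since}
    return "/api/v1/logs?" + urlencode(params)


def query_params(url):
    """Decode the query string of a relative URL back into its parameters."""
    return parse_qs(urlparse(url).query)


# Constructed sample of what the API returns: three impersonation events and one
# unrelated login. Field names follow the System Log entry shape; values are made up.
SAMPLE_LOG = json.loads("""[
  {"published": "2022-04-08T20:47:10.000Z", "eventType": "user.session.impersonation.grant",
   "actor": {"displayName": "Admin Example"}, "outcome": {"result": "SUCCESS"}},
  {"published": "2022-04-08T20:49:02.000Z", "eventType": "user.session.impersonation.initiate",
   "actor": {"displayName": "Okta Support"}, "outcome": {"result": "SUCCESS"}},
  {"published": "2022-04-08T20:50:30.000Z", "eventType": "user.session.start",
   "actor": {"displayName": "Jane Example"}, "outcome": {"result": "SUCCESS"}},
  {"published": "2022-04-08T20:58:45.000Z", "eventType": "user.session.impersonation.revoke",
   "actor": {"displayName": "Admin Example"}, "outcome": {"result": "SUCCESS"}}
]""")


def impersonation_events(entries):
    """Keep only entries whose eventType starts with the impersonation prefix. The
    server-side filter already does this; re-checking guards against a misbuilt query."""
    return [e for e in entries if e.get("eventType", "").startswith(IMPERSONATION_PREFIX)]


def slack_message(events):
    """One line per event for the Slack channel; None when there is nothing to report."""
    if not events:
        return None
    lines = [f'{e["published"]} {e["eventType"]} by {e["actor"]["displayName"]} '
             f'({e["outcome"]["result"]})' for e in events]
    return "Okta impersonation activity in the last 15 minutes:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(build_logs_query(SAMPLE_NOW))
    print(slack_message(impersonation_events(SAMPLE_LOG)))
```

In a real run, the `since` value is computed from the current time on each scheduled execution (the Workflows flow does this in its Text – Compose card), the entries come from the API response rather than SAMPLE_LOG, and the message is only posted when slack_message returns something, so a quiet 15-minute window produces no noise in the channel.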

Two resources to help you learn more:

📌 Try this step-by-step getting started tutorial: Build Your First Automation With Okta Workflows: Notify When User Is Suspended.

📌 All the Workflows resources (docs, tutorials, office hours, templates and more)
