Workflows Tips #15: Sanitizing User Input, Error Handling, and Checking System Log for Access
Welcome to another Okta Workflows Tips post. Read all previous tips.
In this post:
- Use Construct card to sanitize user input
- Run another flow when an error occurs
- Check System Log to see who accessed your account
Use Construct card to sanitize user input
This tip is from Jacob Waters, MacAdmins Slack Community member, and a Senior IT Administrator at Albert.
If you are building a Slack Block in Workflows, use Object – Construct (or List – Construct) cards instead of a Text – Compose card, especially if your block fields are populated by user input of any kind. It is possible for someone to enter JSON and alter the JSON structure itself. Usually this just breaks the JSON, but it can also make it possible to change the blocks entirely. Unlike the Text – Compose card, which drops the raw text into the template, the Construct cards correctly sanitize (escape) the inputs. Here is a short example (not Slack specific).
The flow above takes one input (Make) and creates a JSON object using Object – Construct and Text – Compose cards to show the difference.
When you run the flow with the correct input Tesla, the result from both cards is correct:
But if a user enters incorrect input such as {"thecar": "Tesla"}:
Then the output from Text – Compose is invalid JSON, while Object – Construct produces valid JSON (even if the input itself is not valid for the application):
Invalid JSON output from Text – Compose card:
{ "Make": "{"thecar": "Tesla"}", "Model": "Model 3", "Year": "2021", "EV": true }
Even though the Make might not be correct, the JSON output from Object – Construct card is valid:
{ "Model": "Model 3", "Make": "{\"thecar\": \"Tesla\"}", "Year": 2021, "EV": true }
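To show why the two cards behave differently, here is an added example (not code from the original post or from Okta Workflows) that reproduces both behaviours in plain JavaScript: composeCar mimics Text – Compose by interpolating the input into a JSON template, and constructCar mimics Object – Construct by building an object and serializing it with JSON.stringify, which escapes quotes. The field names follow the post; the input values, including one constructed to add a key to the output, are made up for the demo.

```javascript
// Added example (not from the original post): compare string interpolation
// into a JSON template (Text - Compose style) with building an object and
// serializing it (Object - Construct style). Field names follow the post.

// Text - Compose equivalent: the raw input lands inside the template.
function composeCar(make) {
  return `{ "Make": "${make}", "Model": "Model 3", "Year": "2021", "EV": true }`;
}

// Object - Construct equivalent: build the object, then serialize it.
// JSON.stringify escapes quotes, backslashes and control characters in `make`.
function constructCar(make) {
  return JSON.stringify({ Model: "Model 3", Make: make, Year: 2021, EV: true });
}

// Parse the text, or return null if it is not valid JSON.
function parseOrNull(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Run both builders on one input and report what each produced.
function compare(make) {
  const composed = parseOrNull(composeCar(make));
  const constructed = parseOrNull(constructCar(make));
  return {
    composedValid: composed !== null,
    composedKeys: composed ? Object.keys(composed).sort() : null,
    constructedValid: constructed !== null,
    constructedMake: constructed ? constructed.Make : null, // always the raw input
  };
}

// Constructed sample inputs: the post's two cases plus one that changes the
// structure of the composed JSON without breaking it (a new "Injected" key).
const SAMPLE_INPUTS = ["Tesla", '{"thecar": "Tesla"}', 'Tesla", "Injected": "'];

for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "=>", compare(input));
}
```

The third input is the interesting one: the composed output is still valid JSON, so nothing visibly breaks, yet the object now carries a key the template never had. The constructed output keeps the exact input as the value of Make in every case, which is the property the Construct cards give you.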
Run another flow when using Error Handling cards
This tip is from Jacob Waters, MacAdmins Slack Community member, and a Senior IT Administrator at Albert.
Most Workflows cards support error handling. Click the gear icon (lower right) to set the error handling options:
One option is to run another flow when an error occurs (Run another flow option).
Looking at Workflows documentation you can see that the error information is passed to the helper flow:
Run another Flow: Stop the flow with an error, but run a helper flow. If your helper flow accepts inputs, call a flow by clicking Choose Flow and selecting a helper flow from the Select flow dialog. The flow that’s called will be able to get the error details using the Error output field on the helper flow card.
https://help.okta.com/wf/en-us/Content/Topics/Workflows/build/set-error-handling.htm
Now this goes even further. This also works with Error Handling cards such as Error Handling – Return Error card:
In addition to the original error, the message and message2 inputs are also passed to the helper flow:
You end up setting error handling for Error Handling – Return Error card (it’s like error handling for error handling).
Check System Log to see who accessed your account
This tip is from gbot, a low-code and API enthusiast, and a member of the MacAdmins Slack Community.
Schedule a scan of the System Log every 15 minutes to see if there is anything related to user.session.impersonation (grant, revoke, initiate, etc.). This is to ensure:
- We grant access to (Okta) support with valid reasons
- Support accesses our environment with valid reasons
A flow to do that looks like this:
The flow makes a call to an Okta API (relative URL below) to check whether there are any matching log entries in the past 15 minutes. If there are, a message is sent to a Slack channel.
The important part is in Text – Compose card where an API call is constructed to search the System Log for the specific events:
/api/v1/logs?filter=eventType sw "user.session.impersonation"&since=2022-04-08T20:45:50.311Z
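As an added example (not code from the original post or from Okta), the following JavaScript shows the two pieces the flow has to get right: building the relative URL with a `since` timestamp 15 minutes before the run time, and reducing the returned entries to an alert. The filter expression is URL-encoded here, whereas the post shows it unencoded; the entries are constructed sample data shaped like Okta System Log events (eventType, actor, published, outcome), and the names buildLogsQuery, summarizeImpersonationEvents and slackMessage are my own.

```javascript
// Added example (not from the original post): build the System Log query the
// flow's Text - Compose card produces, then decide from the returned entries
// whether a Slack alert is warranted. Sample entries below are constructed.

const LOOKBACK_MINUTES = 15;
const EVENT_PREFIX = "user.session.impersonation";

// Relative URL for the Okta Log API, looking back LOOKBACK_MINUTES from `now`.
// The filter is URL-encoded; `since` is an ISO 8601 timestamp, as in the post.
function buildLogsQuery(now) {
  const since = new Date(now.getTime() - LOOKBACK_MINUTES * 60 * 1000);
  const filter = `eventType sw "${EVENT_PREFIX}"`;
  return `/api/v1/logs?filter=${encodeURIComponent(filter)}&since=${since.toISOString()}`;
}

// Keep only impersonation events (re-checking the prefix client-side rather
// than trusting the server filter alone) and reduce each to the fields worth
// posting to Slack.
function summarizeImpersonationEvents(entries) {
  return entries
    .filter((e) => typeof e.eventType === "string" && e.eventType.startsWith(EVENT_PREFIX))
    .map((e) => ({
      when: e.published,
      action: e.eventType.slice(EVENT_PREFIX.length + 1), // "grant", "initiate", ...
      actor: (e.actor && (e.actor.displayName || e.actor.alternateId)) || "unknown",
      result: (e.outcome && e.outcome.result) || "UNKNOWN",
    }));
}

// Text for the Slack message, or null when there is nothing to report.
function slackMessage(entries) {
  const events = summarizeImpersonationEvents(entries);
  if (events.length === 0) return null;
  const lines = events.map((ev) => `${ev.when} ${ev.action} by ${ev.actor} (${ev.result})`);
  return `Impersonation activity in the last ${LOOKBACK_MINUTES} minutes:\n` + lines.join("\n");
}

// Constructed sample response: two impersonation events and one unrelated login.
const SAMPLE_LOG = [
  {
    eventType: "user.session.impersonation.grant",
    published: "2022-04-08T20:50:12.000Z",
    actor: { displayName: "Jane Admin", alternateId: "jane@example.com" },
    outcome: { result: "SUCCESS" },
  },
  {
    eventType: "user.login",
    published: "2022-04-08T20:52:00.000Z",
    actor: { displayName: "Some User" },
    outcome: { result: "SUCCESS" },
  },
  {
    eventType: "user.session.impersonation.initiate",
    published: "2022-04-08T20:58:40.000Z",
    actor: { alternateId: "support@example.com" },
    outcome: { result: "SUCCESS" },
  },
];

console.log(buildLogsQuery(new Date("2022-04-08T21:00:50.311Z")));
console.log(slackMessage(SAMPLE_LOG) || "nothing to report");
```

Computing `since` from the run time rather than hard-coding it is what makes the scheduled flow safe to re-run: each execution covers exactly the window since the previous one, and an empty result produces no message.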
Two resources to help you learn more:
📌 Try this step-by-step getting started tutorial: Build Your First Automation With Okta Workflows: Notify When User Is Suspended.
📌 All the Workflows resources (docs, tutorials, office hours, templates and more)
Published on Java Code Geeks with permission by Max Katz, partner at our JCG program. See the original article here: Workflows Tips #15: Sanitizing User Input, Error Handling, and Checking System Log for Access. Opinions expressed by Java Code Geeks contributors are their own.