Mobile Client Considerations

More and more often, clients look for a way to integrate their mobile and web applications with their RightNow instance. The ability to connect end-users directly to the support infrastructure is powerful, but the standard tools RightNow provides don't quite fit the bill.

Customer Portal Mobile Support

Customer Portal, while supporting mobile devices via pagesets, should use the now-standard practice of responsive design in its reference implementation. [UPDATE: The latest out-of-the-box theme is now responsive.] This would allow for a single pageset to be used, while serving different page layouts to devices with different screen sizes. There are trade-offs and considerations with this approach, which can be researched extensively online, but responsive design has been widely accepted as a web best-practice. So, this is an additional cost for clients who are looking for modern, responsive mobile support. I hope to see this functionality available as a standard base theme in new versions of Customer Portal.

SOAP API Security Considerations

From an integration perspective, the standard SOAP API that is currently available is not ideal for mobile or client application consumption. The lack of a lightweight REST API presents a hurdle to mobile developers; a RESTful API is on the roadmap, but currently no release date has been announced by Oracle to my knowledge. The SOAP API should only be used when connecting from a secure server to the RightNow system for the following reasons:

  1. There is no support for application-specific keys. With the recent addition of SAML 2.0 authentication in the February 2014 version, the authentication options became more secure than the previously required username/password for every request. But even with SAML certificates sent over SSL, there is still potential for the initial credentials to be intercepted. And because API accounts are simply staff account records with a permission bit set in RightNow, these credentials rarely change, so once a malicious user has API credentials, they may have access to the RightNow site indefinitely. And if the account credentials are changed manually, all clients connecting via these credentials will need to be updated.
  2. Only applicable to sites created prior to May 2013: Before the May 2013 release, API credentials were all-or-nothing and could create, read, update, or destroy anything in the RightNow instance to which they had access. The account permission system was upgraded in May 2013, but only for new instances from May 2013 moving forward. Clients upgrading to May 2013 or later will need to upgrade their permission system to have access to this granular control for API accounts.

Building a proxy to manage client authentication and requests solves these issues, provided that it implements its own secure authentication and application-specific password mechanism:

Option 1 - External API Proxy Solution

In an external, secure system, build a proxy endpoint that connects to the RightNow API. This "gatekeeper" securely stores the RightNow API credentials and proxies requests between the client app and RightNow; it ensures that only the necessary requests for the app are processed, and should implement its own authentication and security.
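A sketch of the gatekeeper's authorization step, added here as an illustration and not taken from the original post or from any Oracle code. The application ids, secrets, operation names, the 300-second replay window and the `forward` callable (which would make the real RightNow call using credentials held only on the proxy) are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample registry: one key per client application, each limited to
# the operations that app needs. The RightNow API account credentials live only
# in the proxy's server-side configuration and are never sent to a client.
APP_KEYS = {
    "mobile-support-app": {"secret": b"constructed-secret-a", "revoked": False,
                           "allowed": {"create_incident", "get_incident"}},
    "retired-kiosk-app": {"secret": b"constructed-secret-b", "revoked": True,
                          "allowed": {"get_incident"}},
}
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign(secret, app_id, operation, timestamp, body):
    """HMAC-SHA256 over the fields the proxy will act on."""
    message = f"{app_id}\n{operation}\n{timestamp}\n".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def authorize(app_id, operation, timestamp, body, signature, now=None):
    """Return (allowed, reason) for one client request."""
    now = time.time() if now is None else now
    app = APP_KEYS.get(app_id)
    if app is None or app["revoked"]:
        return False, "unknown or revoked application key"
    expected = sign(app["secret"], app_id, operation, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale request"
    if operation not in app["allowed"]:
        return False, "operation not permitted for this application"
    return True, "ok"


def handle(request, forward, now=None):
    """Gate one request; `forward` performs the RightNow call server-side."""
    allowed, reason = authorize(request["app_id"], request["operation"],
                                request["timestamp"], request["body"],
                                request["signature"], now)
    if not allowed:
        return {"status": 403, "error": reason}
    return {"status": 200,
            "result": forward(request["operation"], request["body"])}
```

Revoking one application's key is a change to the proxy's registry only; the RightNow API account and every other client are untouched.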

Option 2 - Customer Portal API Proxy Solution

Use the RightNow Customer Portal framework to build a custom RESTful controller endpoint. This provides the same function as an external proxy, but housed in the RightNow infrastructure. Authentication and security should be built into this custom API. Network latency accessing this API will typically be less than the external proxy solution, because it is housed in the RightNow infrastructure, but additional Customer Portal sessions will be incurred.

UPDATE: Standard REST API Now Available!

As of the May 2015 version, Oracle has released a REST API for OSvC. While authentication and functionality are limited in the initial release, this is a great step towards better mobile support.


Comments

I just finished implementing a responsive design in CP using Bootstrap 3 and it worked great. Modern mobile browsers handle the desktop-version CP widgets perfectly. IMO, the mobile widgets are fugly and difficult to use. While it takes a little bit more consideration at design time, developing responsive pages takes far less time than creating a second version of pages via page sets.

That is a pretty large undertaking! I really wish Oracle would push it OOB. I did see a demo site the other day that had a bunch of Bootstrap components and CSS in it, so hopefully they are thinking in that direction!

I've updated the above post to mention the standard REST API, made available in the May 2015 version!

UPDATE: The latest out-of-the-box CP theme now supports a responsive layout!
