How Does Primavera Cloud Support OAuth 2.0?

Note: OAuth 2.0 support is currently only available if your Primavera Cloud instance is deployed on the government production Oracle Cloud (OC3).

OAuth 2.0 is the industry-standard protocol for authorization that allows third-party applications to access a user's data without exposing their credentials and is commonly used to provide secure API access and user authentication.

The OAuth 2.0 Authorization Framework was published as RFC 6749. You should be familiar with the concepts and terminology presented in this document.

Subsequently, several recent RFCs and articles related to OAuth have been released, providing guidance on best practices for the implementation of OAuth 2.0.

Some notable examples include:

• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( RFC 7523)
• Proof Key for Code Exchange by OAuth Public Clients ( RFC 7636)
• OAuth 2.0 for Native Apps ( RFC 8252)
• OAuth 2.0 Security Best Current Practice (draft)
• The OAuth 2.1 Authorization Framework (draft)

Oracle Construction and Engineering Lobby (or "Lobby" for short) supports OAuth 2.0 for Oracle Smart Construction Platform applications, including Oracle Primavera Cloud. This implementation is sometimes referred to as "Lobby OAuth".

Users authenticate with their Primavera Cloud account credentials.

Authorization Server

Lobby acts as the Authorization Server.

There is a single Lobby for all the government production Primavera Cloud instances (OC3).

The OC3 Lobby URL is: https://lobby.fedprd1.construction.ocs.oraclegovcloud.com/.

Integration Types

Lobby supports the following types of integrations:

• Web Server Application: A server-side user application delivering a user interface in a web browser.
  • This is a confidential client that uses the Authorization Code grant type.
• Installed Application: An application that a user installs onto their device, such as a Windows app, macOS app, mobile app, or a single-page app (SPA) running entirely in a web browser.
  • This is a public client that uses the Authorization Code grant type, plus Proof-Key for Code Exchange (PKCE).
• Non-Interactive Integration: An integration that has no user interaction.
  • This is a trusted client that uses the JWT Bearer (otherwise known as User Assertion) grant type.