Register an OAuth Integration

Every integration with Primavera Cloud APIs must be registered with Oracle. You will receive credentials that will be used to uniquely identify the integration.

Note: OAuth 2.0 support is currently only available if your Primavera Cloud instance is deployed on the government production Oracle Cloud (OC3).

To register an OAuth integration:

Step 1: Gather the Required Information

As described in the How Does Primavera Cloud Support OAuth 2.0? section, the following types of integration are supported:

  • Web Server Application: A server-side user application delivering a user interface in a web browser.
  • Installed Application: An application that a user installs onto their device, such as a Windows app, macOS app, mobile app, or a single-page app (SPA) running entirely in a web browser.
  • Non-Interactive Integration: An integration that has no user interaction.

Determine which one of these is most applicable to your integration. If you are unsure, contact Oracle Support.

Lobby Organization IDs

Your integration must be provisioned for all users within your organization, and for this, you need to specify your Lobby Organization ID.

Unique Name

Every one of your integrations must be registered individually. Determine a name for your integration that will be unique and meaningful. If you think you will only ever have one integration with Oracle Primavera Cloud, you may simply use your organization name.

If you intend to build multiple integrations, consider a name that describes the purpose of the integration.

Redirect URLs

A Web Server Application or Installed Application registration must provide an endpoint (redirect URL) that the Lobby will call with the authorization code as part of the OAuth flow. If you are registering a Non-Interactive Integration, you do not require a redirect URL.

You may register one redirect URL or several.

Check with your technical team for what redirect URL(s) need to be registered for your integration.

If you are registering an Installed Application, RFC 8252 states that you should use either a Private-Use URI scheme redirect or a Loopback redirect URI, each of which is described below.

A Private-Use URI scheme redirect uses a custom URI scheme that has been registered on the device for your application, taking the form: scheme:/path

Here's an example:

com.example.app:/oauth2/callback

A Loopback redirect URI uses the "http" scheme with the loopback IP literal and whatever port the application is listening on, taking the form: http://127.0.0.1:{port}/{path}

Here's an example:

http://127.0.0.1:54001/oauth2/callback

Note: If your Installed Application loops through a number of ports to find an available port for binding the callback, you may register a single loopback redirect URI with a wildcard (*) port identifier, rather than registering multiple redirect URIs.
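The two installed-application redirect forms above, as an added example (not Oracle's code and not part of this page): an app picks a free loopback port at run time, builds the loopback redirect URI, and a matcher checks a presented redirect_uri against a registered one, including the wildcard-port loopback form. The callback path /oauth2/callback comes from the page; the state check on the callback is standard OAuth 2.0 practice added here as an assumption.

```python
import socket
from urllib.parse import parse_qs, urlsplit


def pick_loopback_port() -> int:
    """Bind 127.0.0.1:0 so the OS assigns a free ephemeral port (the case wildcard-port registration covers)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def loopback_redirect_uri(port: int, path: str = "/oauth2/callback") -> str:
    """Loopback form from the page: http://127.0.0.1:{port}/{path}."""
    return f"http://127.0.0.1:{port}{path}"


def redirect_uri_matches(registered: str, actual: str) -> bool:
    """Compare the redirect_uri an app presents against a registered one.

    Matching is exact (scheme, authority, path; no query or fragment) with one
    relaxation: a registered loopback URI whose port is '*' accepts any port,
    which is how RFC 8252 lets installed apps choose a port at run time.
    """
    r, a = urlsplit(registered), urlsplit(actual)
    if r.scheme != a.scheme or r.path != a.path or a.query or a.fragment:
        return False
    if r.scheme == "http" and r.hostname == "127.0.0.1" == a.hostname:
        if r.netloc == "127.0.0.1:*":
            return a.port is not None
        return r.port == a.port
    # Private-use scheme (scheme:/path) has no authority; any host there is a mismatch.
    return r.netloc == a.netloc


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the callback the Lobby sends to the loopback listener."""
    q = parse_qs(urlsplit(callback_url).query)
    # Bind the response to the request this app issued (OAuth 2.0 'state') before trusting the code.
    if q.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback is not a response to our request")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    code = q.get("code", [])
    if len(code) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return code[0]
```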

Trusted Issuer Public Certificate

If you are registering a Non-Interactive Integration, you must upload the public certificate of the Trusted Issuer that will sign the User Assertion used to identify the user on behalf of whom your integration will access Primavera Cloud APIs.

If you are receiving the User Assertion from an external Identity Provider (IdP), the public certificate should be downloaded from that IdP. Otherwise, if your code will generate the User Assertion, the Oracle Java Key and Certificate Management Tool can be used to generate a self-signed key pair.

If the public certificate is not already in PEM format, convert it into a PEM file (.pem), then create a ZIP file (.zip) containing only the PEM file.
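A pre-submission check for the Trusted Issuer upload, as an added example that is not Oracle's code: it confirms the PEM holds exactly one certificate and no private key (only the public certificate should leave your environment), and packages it as a ZIP with that single entry. The certificate text is a constructed placeholder, not a real certificate.

```python
import io
import re
import zipfile

# One PEM block: "-----BEGIN <LABEL>----- ... -----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed placeholder body; a real export (e.g. keytool -exportcert -rfc) is base64 DER.
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
)


def check_issuer_pem(pem_text: str) -> None:
    """Accept only a PEM holding exactly one X.509 certificate and nothing secret."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("PEM contains a private key; upload only the public certificate")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels or 'none'}")


def package_issuer_cert(pem_text: str, pem_name: str = "trusted-issuer.pem") -> bytes:
    """Build the ZIP the registration asks for: the PEM file and nothing else."""
    check_issuer_pem(pem_text)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(pem_name, pem_text)
    return buf.getvalue()


def zip_is_single_pem(zip_bytes: bytes) -> bool:
    """True if the archive has exactly one .pem entry that passes check_issuer_pem."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if len(names) != 1 or not names[0].lower().endswith(".pem"):
            return False
        try:
            check_issuer_pem(zf.read(names[0]).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            return False
    return True
```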

Step 2: Submit the OAuth Client Authorization

Note: If you are registering in EA, ensure that you mention EA in the Subject and select the EA1 Instance only.

  • Visit the My Oracle Support portal to raise a service request (SR), and include the following details in the SR:
    • Lobby Organization IDs
    • Unique Name
    • Purpose of integration
    • Suggested short name for identification
    • Description
    • Client Type (one of Web Server Application, Installed Application, or Non-Interactive Integration)
    • Redirect URLs - If you have multiple redirect URLs, separate them with a semicolon (;)

Step 3: Locate the Registered Client Credentials

Locate the client credentials of your registered integration. For more information, refer to the Find Your OAuth Credentials topic.

Step 4: Update Your Identity Provider Policy

You must add the registered integration to your Identity Provider (IdP) policy as described below.

  1. Log in to your OCI Console.
  2. Select Security > IdP Policies in the menu to access Identity Provider Policies.
  3. Select the IdP policy you are using for Primavera Cloud.
  4. In the Resources section, from the menu, select Apps.
  5. Select the Add app button.
  6. Search for the application name you registered.
  7. Check the box for the application name you registered.
  8. Select the Add app button.

If you have two-factor authentication configured for your organization:

  1. Log in to your OCI Console.
  2. Select Security > Sign-On Policies in the menu to access sign-on policies.
  3. Select the sign-on policy you are using for Primavera Cloud.
  4. In the Resources section, from the menu, select Apps.
  5. Select the Add app button.
  6. Search for the application name you registered.
  7. Check the box for the application name you registered.
  8. Select the Add app button.