oauth2.dev

policy_uri

IESG

Registry Context

`policy_uri` is the URL of a human-readable privacy policy explaining how the deployment organization collects, uses, retains, and discloses personal data. The authorization server should display it to the end-user when provided, and it must point to a valid web page.

Technical Summary

In OAuth 2.0 Dynamic Client Registration, `policy_uri` is an optional URL-string client metadata field referencing a human-readable privacy policy document. It can be supplied as client metadata in registration requests and returned in registration responses.

When Used

When a client supplies a privacy policy URL as registration metadata or an authorization server returns or presents that metadata.

Normative Requirements

Authorization servers

SHOULD
1
  1. RFC 7591 - Section 2

    display the `policy_uri` URL to the end-user.

    Condition: if `policy_uri` is provided

    The authorization server SHOULD display this URL to the end-user if it is provided.

Unspecified actor

MUST
1
  1. RFC 7591 - Section 2

    ensure the value of `policy_uri` points to a valid web page.

    The value of this field MUST point to a valid web page.

MAY
1
  1. RFC 7591 - Section 2.2

    represent `policy_uri` in multiple languages and scripts.

    Condition: as client metadata referencing a human-readable value

    Human-readable client metadata values and client metadata values that reference human-readable values MAY be represented in multiple languages and scripts.

parties using the field

MUST NOT
1
  1. RFC 7591 - Section 2.2

    make assumptions about the language, character set, or script of an untagged `policy_uri` value.

    Condition: if the field is sent without a language tag

    parties using it MUST NOT make any assumptions about the language, character set, or script of the string value

MUST
1
  1. RFC 7591 - Section 2.2

    use an untagged `policy_uri` value as is wherever it is presented in a user interface.

    Condition: if the field is sent without a language tag

    the string value MUST be used as is wherever it is presented in a user interface.

Validation Guidance

error

Verify that `policy_uri` is a URL string that points to a valid web page.

warning

Ensure the authorization server can display `policy_uri` to the end-user when supplied.

info

Permit locale-specific `policy_uri` members using BCP 47 language tags appended to the metadata name with `#`.

error

For an untagged `policy_uri`, do not infer its language, character set, or script, and preserve the value when presenting it in a user interface.

Reference

Details

Entry Id
policy_uri
Client Metadata Name
policy_uri
Client Metadata Description
URL that points to a human-readable policy document for the client
Change Controller
IESG
Reference
RFC7591