policy_ uri
Registry Context
`policy_uri` is the URL of a human-readable privacy policy explaining how the deployment organization collects, uses, retains, and discloses personal data. The authorization server should display it to the end-user when provided, and it must point to a valid web page.
Technical Summary
In OAuth 2.0 Dynamic Client Registration, `policy_uri` is an optional URL-string client metadata field referencing a human-readable privacy policy document. It can be supplied as client metadata in registration requests and returned in registration responses.
When Used
When a client supplies a privacy policy URL as registration metadata or an authorization server returns or presents that metadata.
Normative Requirements
Authorization servers
RFC 7591 - Section 2
display the `policy_uri` URL to the end-user.
Condition: if `policy_uri` is provided
The authorization server SHOULD display this URL to the end-user if it is provided.
Unspecified actor
RFC 7591 - Section 2
ensure the value of `policy_uri` points to a valid web page.
The value of this field MUST point to a valid web page.
RFC 7591 - Section 2.2
represent `policy_uri` in multiple languages and scripts.
Condition: as client metadata referencing a human-readable value
Human-readable client metadata values and client metadata values that reference human-readable values MAY be represented in multiple languages and scripts.
parties using the field
RFC 7591 - Section 2.2
make assumptions about the language, character set, or script of an untagged `policy_uri` value.
Condition: if the field is sent without a language tag
parties using it MUST NOT make any assumptions about the language, character set, or script of the string value
RFC 7591 - Section 2.2
use an untagged `policy_uri` value as is wherever it is presented in a user interface.
Condition: if the field is sent without a language tag
the string value MUST be used as is wherever it is presented in a user interface.
Validation Guidance
Verify that `policy_uri` is a URL string that points to a valid web page.
Ensure the authorization server can display `policy_uri` to the end-user when supplied.
Permit locale-specific `policy_uri` members using BCP 47 language tags appended to the metadata name with `#`.
For an untagged `policy_uri`, do not infer its language, character set, or script, and preserve the value when presenting it in a user interface.
Reference
Details
- Entry Id
policy_uri - Client Metadata Name
policy_uri - Client Metadata Description
URL that points to a human-readable policy document for the client- Change Controller
IESG- Reference
RFC7591