Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)
I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the
state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint:
https://accounts.zoho.com/oauth/v2/auth?response_type=code
&client_id=<client_id>
&scope=<scope>
&redirect_uri=<redirect_uri>
&access_type=offline
&state=<state_value>
While Zoho's documentation does not explicitly list the
state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the
state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part
state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
| State Value | As Sent in URL | Result |
|---|---|---|
abc123xyz |
state=abc123xyz |
✓ Works correctly |
session_12345 |
state=session_12345 |
✓ Works correctly |
user|action|timestamp |
state=user|action|timestamp(unencoded pipes) |
✗ Authorization fails |
user|action|timestamp |
state=user%7Caction%7Ctimestamp(URL-encoded pipes) |
✗ Authorization fails |
user:action:timestamp |
state=user%3Aaction%3Atimestamp |
? Not tested |
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
According to RFC 6749 (The OAuth 2.0 Authorization Framework):
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the
state parameter as an opaque value. This means:
- The Authorization Server should not be looking "inside" or parsing the string at all
- The state value must pass through the authorization process unchanged
- Any URL-encoded characters should be handled transparently
- The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
| Current Behavior | Expected Behavior (Per RFC 6749) |
|---|---|
1. Client sends: state=user|action|123(or state=user%7Caction%7C123)2. Zoho fails to parse the state parameter 3. Authorization server returns HTTP 400 Bad Request4. User cannot authorize the connection |
1. Client sends: state=user|action|1232. Zoho treats state as opaque data blob 3. User authorizes the connection 4. Redirect includes the exact value received: state=user|action|123(or consistently encoded as sent) |
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the
state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely:
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow
// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF tokenProblems with these workarounds:
- Requires refactoring existing codebases that use pipe delimiters
- Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
- Server-side storage approach adds complexity, database overhead, and potential race conditions
- Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
- Developers may not discover this issue until production deployment
- Custom delimiters (like
_SEP_) are non-standard and may conflict with actual data values
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (
%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat
state as a Data Blob
| 1. Input | Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules |
| 2. Persistence | Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform |
| 3. Output | Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters |
This approach:
- Complies with RFC 6749's requirement to return "the exact value received"
- Follows the same behavior as other major OAuth providers
- Requires no changes from client applications
- Unblocks third-party integrations that cannot modify their state format
Real-World Impact
This limitation affects any integration where:
- Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
- Multi-tenant applications need to encode tenant ID and return URL in state
- CSRF protection implementations combine security tokens with application state
- Single Sign-On flows need to preserve original request context
- Migration projects from other OAuth providers that used pipe delimiters
Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.
Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.
Request to Zoho Team
Can this be addressed in a future update?
This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:
|
1. Custom development Refactor code to avoid pipe characters, creating Zoho-specific OAuth handling |
2. Third-party integrations No workaround possible - integration is completely blocked |
Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.
Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?
📚 Documentation References:
- RFC Standard: RFC 6749 - The OAuth 2.0 Authorization Framework
- Zoho OAuth Docs: Make the Authorization Request - Zoho Creator API v2
- Related: Register Your Application - Zoho API Console
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Damien Cregan
Sticky Posts
Deprecation of SMS-based multi-factor authentication (MFA) mode
Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Automate pushing Zoho CRM backups into Zoho WorkDrive
Through our Zoho One subscription we have both Zoho CRM and Zoho WorkDrive. We have regular backups setup in Zoho CRM. Once the backup is created, we are notified. Since we want to keep these backups for more than 7 days, we manually download them. TheyHow to link tickets to a Vendor/Vendor Contact (not Customer) for Accounting Department?
Hi all, We’re configuring our Accounting department to handle tickets from both customers and vendors (our independent contractors). Right now, ticket association seems to be built around linking a ticket to a Customer / Customer Contact, but for vendor-originatedAutomation #7 - Auto-update Email Content to a Ticket
This is a monthly series where we pick some common use cases that have been either discussed or most asked about in our community and explain how they can be achieved using one of the automation capabilities in Zoho Desk. Email is one of the most commonlyLearner transcript Challenges.
Currently i am working on a Learner Transcript app for my employer using Zoho Creator. The app is expected to accept assessment inputs from tutors, go through an approval process and upon call up, displays all assessments associated with a learner inClient and Vendor Portal
Some clients like keeping tabs on the developments and hence would like to be notified of the progress. Continuous updates can be tedious and time-consuming. Zoho Sprints has now introduced a Client and Vendor Portal where you can add client users and#7 Tip of the week: Delegating approvals in Zoho People
With Zoho People, absences need not keep employees waiting with their approval requests. When you are not available at work, you can delegate approvals that come your way to your fellow workmate and let them take care of your approvals temporarily. Learn more!Trouble with using Apostrophe in Name of Customers and Vendors
We have had an ongoing issue with how the system recognizes an apostrophe in the name of customers and vendors. The search will not return any results for a name that includes the mark; ie one of our vendors names is "L'Heritage" and when entering theWhy am I seeing deleted records in Zoho Analytics syncing with Zoho CRM?
I have done a data sync between Zoho CRM and Zoho Analytics, and the recycle bin is empty. Why do I see deleted leads/deals/contacts in Zoho Analytics if it doesn't exist in Zoho CRM? How can I solve this problem? ThanksNueva edición de "Ask The Expert" en Español Zoho Community
¡Hola Comunidad! ¿Te gustaría obtener respuestas en directo sobre Zoho CRM, Zoho Desk u otra solución dentro de nuestro paquete de CX (Experiencia del Cliente? Uno de nuestros expertos estará disponible para responder a todas tus preguntas durante nuestraHow to use MAIL without Dashboard?
Whenever I open Mail, it opens Dashboard. This makes Mail area very small and also I cannot manage Folders (like delete/rename) etc. I want to know if there is any way to open only Mail apps and not the Dashboard.Peppol: Accept Bill (Belgium)
Hi, This topic might help you if you're facing the same in Belgium. We are facing an issue while accepting a supplier bill received by Peppol in Zoho Books. There is a popup with an error message: This bill acceptance could not be completed, so it wasZoho Books is now integrated with Zoho Checkout
Hello everyone, We're glad to be announcing that Zoho Books is now integrated with Zoho Checkout. With this integration, you can now handle taxes and accounting on your payment pages with ease. An organization you create in Zoho Checkout can be added to Zoho Books and vice-versa. Some of the key features and benefits you will receive are: Seamless sync of customer and invoice data With the end-to-end integration, the customer and invoice details recorded via the payment pages from Zoho CheckoutSync Issue
My Current plan only allows me with 10,000 rows and it is getting sync failure how to control it without upgrading my planIs there API Doc for Zoho Survey?
Hi everyone, Is there API doc for Zoho Survey? Currently evaluating a solution - use case to automate survey administration especially for internal use. But after a brief search, I couldn't find API doc for this. So I thought I should ask here. ThanAdd Zoho PDF to Zoho One Tool Applications
It should be easy to add from here without the hassle of creating a web tab:JOB WISE INVOICE PROCESS
I WANT TO ENABLE JOB WISE TRACKING OF ALL SALES AND PURCHASEPDF Template have QTY as first column
I want to have the QTY of an item on the sales orders and invoices to be the first column, then description, then pricing. Is there a way to change the order? I went to the Items tab in settings but don't see how to change the order of the columns onRAG (Retrieval Augmented Generation) Type Q+A Environment with Zoho Learn
Hi All, Given the ability of Zoho Learn to function as a knowledge base / document repository type solution and given the rapid advancements that Zoho is making with Zia LLM, agentic capabilities etc. (not to mention the rapid progress in the broaderWelcome to the Zoho ERP Community Forum
Hello everyone, We are thrilled to launch Zoho ERP (India edition), a software to manage your business operations from end to end. We’ve created this community forum as a space for you to ask questions, comment answers, provide feedback, and share yourIn App Auto Refresh/Update Features
Hi, I am trying to use Zoho Creator for Restaurant management. While using the android apps, I reliased the apps would not auto refresh if there is new entries i.e new kitchen order ticket (KOT) from other users. The apps does received notification but would not auto refresh, users required to refresh the apps manually in order to see the new KOT in the apps. I am wondering why this features is not implemented? Or is this feature being considered to be implemented in the future? With theConsolidated report for multi-organisation
I'm hoping to see this feature to be available but couldn't locate in anywhere in the trial version. Is this supported? The main aim to go to ERP is to have visibility of the multi-organisation in once place. I'm hopeful for this.IMAP mail after specify date
Hi My customer's mail server is on premise and mail storage is very huge. So It never finish sync. and finally stop sync. Cloud CRM have a option like zoho mail sync mail after some date.Analytics <-> Invoice Connection DELETED by Zoho
Hi All, I am reaching out today because of a big issue we have at the moment with Zoho Analytics and Zoho Invoice. Our organization relies on Zoho Analytics for most of our reporting (operationnal teams). A few days ago we observed a sync issue with theClaude + MCP Server + Zoho CRM Integration – AI-Powered Sales Automation
Hello Zoho Community 👋 I’m excited to share a recent integration we’ve worked on at OfficehubTech: ✅ Claude + MCP Server + Zoho CRM This integration connects Zoho CRM with Claude AI through our custom MCP Server, enabling intelligent AI-driven responsesNotes badge as a quick action in the list view
Hello all, We are introducing the Notes badge in the list view of all modules as a quick action you can perform for each record, in addition to the existing Activity badge. With this enhancement, users will have quick visibility into the notes associatedSearch Bar positioning
Why is the Search bar on the far right when everything is oriented towards the left?Basic Mass Update deluge schedule not working
I'm trying to create a schedule that will 'reset' a single field to 0 every morning - so that another schedule can repopulate with the day's calculation. I thought this would be fairly simple but I can't work out why this is failing : 1) I'm based inThe Social Playbook - January edition: Getting started with content creation
Social media isn’t just about posting some random content. It’s about why certain content works, how brands stand out, and what makes people pause mid-scroll. The Social Playbook is a monthly community series where we break all of that down. Through realImport Error: Empty values for mandatory fields - Closing Date
Hello, I've tried multiple times to import a CVS Potential list from another Zoho account. But the error message I get is: Empty values for mandatory fields - Closing Date There are valid dates in this field, so I don't understand why this error messagesAdding custom "lookup" fields in Zoho Customization
How can I add a second “lookup” field in Zoho? I’m trying to create another lookup that pulls from my Contacts, but the option doesn’t appear in the module customization sidebar. In many cases, a single work order involves multiple contacts. Ideally,Special characters (like â, â, æ) breaking when input in a field (encoding issue)
Hey everyone, We are currently dealing with a probably encoding issue when we populate a field (mostly but not exclusively, 'Last Name' for Leads and Contracts). If the user manually inputs special characters (like ä, â, á etc.) from Scandinavian languages,Customizable UI components in pages | Theme builder
Anyone know when these roadmap items are scheduled for release? They were originally scheduled for Q4 2025. https://www.zoho.com/creator/product-roadmap.htmlFeature Requests - Contact Coloured Picklist Visibility & Field Visibility During Ticket Creation
Hi Desk Team, I have 2 feature requests for you. Since Coloured Picklists are now available in Desk, It would be great if the colours were visible on the Related Details (Contact Information) when creating a ticket. In the screenshot below, I have 2 fieldsHow to integrate XML with Zoho CRM
Hi, I have an eCom service provider that gives me a dynamic XML that contains order information, clients, shipments... The XML link is the only thing I have. No Oath or key, No API get... I want to integrate it into Zoho CRM. I am not a developer norFeature Request - Ability to Customise Contact Info Card on Ticket Details View
Hi Desk Team, I've added a "Contact Priority" and "Account Prioirty" field and it would be very useful to agents if they could see that information in the Contact Info card on the Ticket Details view. It would be great if we could choose some fields toTax in Quote
Each row item in a quote has a tax value. At the total numbers at the bottom, there is also a Tax entry. If you select tax in both of the (line item, and the total), the tax doubles. My assumption is that the Tax total should be totalling the tax fromZoho Flow integration with Facebook Messenger and Whatsapp
Hi there, any plans of adding integrations with Facebook Messenger and Whatsapp into Zoho Flow? Seems that more and more business are delivering automated updates such as "your order is received", "your order has been shipped" and so on via these two platforms. Not sure if Whatsapp has the API access needed i am pretty sure that Facebook Messenger has... Kind regards Bo ThygesenReally want the field "Company" in the activities module!
Hi team! Something we are really missing is able to see the field Company when working in the activities module. We have a lot of tasks and need to see what company it's related to. It's really annoying to not be able to see it.🙈 Thx!Multi-currency and Products
One of the main reasons I have gone down the Zoho route is because I need multi-currency support. However, I find that products can only be priced in the home currency, We sell to the US and UK. However, we maintain different price lists for each.Campaigns unsubscribe/manage preferences links
Hi, Where can I edit the unscubscribe and manage preferences link in the footer of the email. I would like it so that when you click 'manage preferences' an form opens up that allows the person to choose what type of emails they do and don't wish toNext Page