Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint: 
https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>
While Zoho's documentation does not explicitly list the state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
State Value As Sent in URL Result
abc123xyz state=abc123xyz ✓ Works correctly
session_12345 state=session_12345 ✓ Works correctly
user|action|timestamp state=user|action|timestamp
(unencoded pipes)		 ✗ Authorization fails
user|action|timestamp state=user%7Caction%7Ctimestamp
(URL-encoded pipes)		 ✗ Authorization fails
user:action:timestamp state=user%3Aaction%3Atimestamp ? Not tested
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the state parameter as an opaque value. This means:
  • The Authorization Server should not be looking "inside" or parsing the string at all
  • The state value must pass through the authorization process unchanged
  • Any URL-encoded characters should be handled transparently
  • The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
Current Behavior Expected Behavior (Per RFC 6749)
1. Client sends: state=user|action|123
(or state=user%7Caction%7C123)
2. Zoho fails to parse the state parameter
3. Authorization server returns HTTP 400 Bad Request
4. User cannot authorize the connection 		1. Client sends: state=user|action|123

2. Zoho treats state as opaque data blob
3. User authorizes the connection
4. Redirect includes the exact value received:
state=user|action|123
(or consistently encoded as sent)
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely: 
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token
Problems with these workarounds:
  • Requires refactoring existing codebases that use pipe delimiters
  • Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
  • Server-side storage approach adds complexity, database overhead, and potential race conditions
  • Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
  • Developers may not discover this issue until production deployment
  • Custom delimiters (like _SEP_) are non-standard and may conflict with actual data values
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat state as a Data Blob
1. Input Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules
2. Persistence Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform
3. Output Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters
This approach:
  • Complies with RFC 6749's requirement to return "the exact value received"
  • Follows the same behavior as other major OAuth providers
  • Requires no changes from client applications
  • Unblocks third-party integrations that cannot modify their state format
Real-World Impact
This limitation affects any integration where:
  • Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
  • Multi-tenant applications need to encode tenant ID and return URL in state
  • CSRF protection implementations combine security tokens with application state
  • Single Sign-On flows need to preserve original request context
  • Migration projects from other OAuth providers that used pipe delimiters

Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.

Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.

Request to Zoho Team

Can this be addressed in a future update?

This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:

1. Custom development
Refactor code to avoid pipe characters, creating Zoho-specific OAuth handling 		2. Third-party integrations
No workaround possible - integration is completely blocked

Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.

Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?

    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

      • Recent Topics

      • How Does Knowledge Base Search and Article Recommendation Work?

        Hello, I would like to understand how the Knowledge Base search engine works. Specifically, does it search based on: The article title only? The full article content? Both, the article and the content? Keywords? Tags? Also, how does the system determine

      • Bulk Delete Attachments

        Is there a way to bulk delete attachments on the form entries? our storage is full and deleting files one by one is pain taking process.

      • How do I sync multiple Google calendars?

        I'm brand new to Zoho and I figured out how to sync my business Google calendar but I would also like to sync my personal Google calendar. How can I do this so that, at the very least, when I have personal engagements like doctor's appointments, I can

      • Ability to Disable System Banner Messages in Chat Flow Control

        Dear Zoho SalesIQ Team, Greetings, We would like to request an enhancement related to the system banner messages in Zoho SalesIQ chat flow control. Current Behavior: SalesIQ allows configuring various automatic banner/system messages such as: Waiting

      • Idle Chat Reminders for Agent-Handled Conversations

        Dear Zoho SalesIQ Team, Greetings, We would like to request an enhancement to the Idle Chat Handling functionality in Zoho SalesIQ—specifically for chats that are handled by human agents after a bot-to-agent transfer. Current Behavior: In Zobot settings,

      • Snapchat

        Are there any plans to add Snapchat to Zoho Social or is there any API that we can use to integrate into Zoho.

      • Zoho Sign "An unexpected error occured" when clients trying to sign documents

        We are unable to have clients sign our documents. When attempting to complete the process an error appears saying "an unexpected error occured" and in the document history just shows "signing failure." We are at a complete standstill with no response

      • ¡Vuelven los Workshops Certificados de Zoho a España!

        ¡Hola usuarios de Español Zoho Community! Hace ya unos días que hemos dado la bienvenida al 2026, y promete ser un año de lo más emocionante. Y es que nos gustaría haceros nuestro particular regalo de Reyes, aunque lleguemos un poco tarde. 🎁 ¡Nos gustaría

      • How to list services on quote instead of products

        I need to create a customer facing estimate that displays our services. The default quote layout only allows products to be listed. Is there a way to correct this?

      • Syncing calendar with Google Calendar doesn't work when events are sent to auto repeat

        Hi... The ZOHO CRM -- GOOGLE CALENDAR sync is broken. If I create a single event on either side, sync works, but if I create an event with auto repeat on either side it doesn't work. Furthermore, events created before the sync don't show up in the calendar.

      • Invoice status on write-off is "Paid" - how do I change this to "Written off"

        HI guys, I want to write off a couple of outstanding invoices, but when I do this, the status of the invoices shows as "Paid". Clearly this is not the case and I need to be able to see that they are written off in the customer's history. Is there a way

      • Zoho Books - France

        L’équipe de Zoho France reçoit régulièrement des questions sur la conformité de ses applications de finances (Zoho Books/ Zoho Invoice) pour le marché français. Voici quelques points pour clarifier la question : Zoho Books est un logiciel de comptabilité

      • Creating meetings from an email

        Hi. Similar to Outlook, it would be helpful if a meeting can be scheduled from an email so that the attendees need not be manually entered every time it's created.

      • Please, make writer into a content creation tool

        I'm tired of relying on Google Docs. I'm actually considering moving to ClickUp, but if Writer were a good content creation tool instead of just a word processor, I would finally be able to move all my development within the Zoho ecosystem, rather than

      • ZohoSalesIQ.Chat cannot send messages

        Chat cannot send messages. Our app implements the customer service chat window functionality by integrating the Mobilisten SDK. Recently, we encountered an issue: after successful SDK initialization and visitor registration, when the `startWithQuestion`

      • Missed chats on WhatsApp closing after one minute

        Hi, we have added WhatsApp as a channel. However, if a chat is not picked up within 2mins, the chat is marked as missed and is closed within a minute. Why are they not staying in our "missed" queue for 24 hours as per our WhatsApp preference settings?

      • Feature Request: Add Tax ID Display on Event Tickets

        Hello Backstage Team, I’ve had several clients bring up an issue regarding tax compliance when creating events. For tax purposes, they are required to show their Tax ID on the event tickets. Currently, this isn’t an option, so they have to manually generate

      • Release Notes | January 2026

        We have rolled out a set of powerful new enhancements across Zoho Vertical Studio that bring several long-awaited capabilities to your applications. These updates focus on deeper customization, smarter automation, better reporting, and improved usability

      • Email Alias: To keep emails flowing without disruption

        Email Alias acts like a nickname for a user’s primary email address, allowing multiple email addresses to deliver messages into the same mailbox. Consider the scenario where an employee manages multiple responsibilities, such as responding to sales inquiries,

      • Zoho Sites - General Feedback

        Hi Everyone-- Quick question for discussion: is it me or is working with Zoho Sites like entering the Twilight Zone? I've built many sites over the years, but this platform seems impossible. I've spent an entire day and a half trying to get a simple one-color

      • Archive Option in Conversation View

        Hello, I have a suggestion\request to add an "Archive Thread" button in conversation view of Zoho Mail. The best suggestion I have is to put an "Archive Thread" button next to the "Label Entire Thread" button in conversation view. Most users don't just

      • Inventory "Bulk Actions" button - add more fields to "Bulk Update > Select a field"

        Can we not get a lot more actions that are commonly used by customers into the "More Actions" button on the Inventory list? More fields listed in the Bulk Update > Select A Field? Possible Bulk update Fields Preferred Supplier ( to quickly move items

      • Bulk upload image option in Zoho Commerce

        I dont know if I am not looking into it properly but is there no option to bulk upload images along with the products? Like after you upload the products, I will have to upload images one by one again? Can someone help me out here? And what should I enter

      • Function #11: Apply unused credits automatically to invoices

        Today, we bring you a custom function that automatically applies unused credits from excess payments, credit notes, and retainer payments to an invoice when it is created. Prerequisites: Create a Connection named "zbooks" to successfully execute the function.

      • Tip #60- Exploring Technician Console: Screen Resolution- 'Insider Insights'

        Hello Zoho Assist Community! Have you ever started a remote session and felt the screen quality wasn’t sharp enough for detailed work? A new user recently explored Zoho Assist after installing the trial version and running a few initial tests. While the

      • Right Moment, Right Message, Right Operator: Never Miss a High-Intent Lead

        Ever been on a website or app, thinking “Should I buy this or not?” and suddenly a friendly message “Hi! How can I help you?” pops up at the perfect moment? That’s not luck. That’s timing done right. Engaging right visitors at the right moment, with the

      • CRM x WorkDrive: We're rolling out the WorkDrive-powered file storage experience for existing users

        Release plan: Gradual rollout to customers without file storage add-ons, in this order: 1. Standalone CRM 2. CRM Plus and Zoho One DCs: All | Editions: All Available now for: - Standalone CRM accounts in Free and Standard editions without file storage

      • Zoho CRM Workflow Automation: Activate & Deactivate Workflows Using API

        Zoho has now enabled: ✅ Activate / Deactivate workflows using API ✅ Schedule workflow activation & deactivation This is extremely useful for real-world automation use cases 💡 🧩 My Use Case I created a scheduled automation that: ☀️ Activates workflows

      • {Action Required} Re-authenticate your Google Accounts to Continue Data Sync

        Hello Users! To align with Google’s latest updates on how apps access files in Google Drive, we’ve enhanced our integration to comply with the updated security and privacy standards, ensuring safer and more reliable access to your data. With this update,

      • Function #53: Transaction Level Profitability for Invoices

        Hello everyone, and welcome back to our series! We have previously provided custom functions for calculating the profitability of a quote and a sales order. There may be instances where the invoice may differ from its corresponding quote or sales order.

      • Project-Based Inventory Consumption and Proforma Invoice in Zoho ERP

        While working with customers across different industries, we have identified a few functional questions and gaps that commonly arise—especially for project-based and service-oriented businesses. Many organizations, such as those in shipping, construction,

      • [Free Webinar] Zoho RPA - OCR, PDF Automation, & More

        Hello Everyone! Greetings from the Zoho RPA Training Team! We’re excited to invite you to our upcoming webinar on the latest release updates for Zoho RPA, where we’ll unveil powerful new capabilities designed to make your automation journey smarter, faster,

      • Zobot Execution Logs & Run History (Similar to Zoho Flow)

        Dear Zoho SalesIQ Team, We would like to request an enhancement for Zoho SalesIQ Zobot: adding an execution log / run history, similar to what already exists in Zoho Flow. Reference: Zoho Flow In Zoho Flow, every execution is recorded in the History tab,

      • Global Search Settings

        I'd love a way to remove some modules from being included in the global search. This would allow use to provide a better user experience, limiting the global search to only those modules that are regularly used removing any models used for background

      • Card Location in Zobot

        Hello, when using the “Location” card in a codeless builder Zobot, the behavior in WhatsApp is inconsistent. When asking the user to share their location, they can type a message, which will return the message “Sorry, the entered location is invalid.

      • Automation Series: Auto-create Dependent Task on Status Change

        In Zoho Projects, you can automatically create and assign a dependent task when a task’s status is updated. This helps teams stay aligned, ensures reviews happen on time, and reduces manual effort. In this post, we’ll walk through an easy setup using

      • Languages in Zobot

        Hello, I have found a list of supported languages for the Zobot. The information specifies the languages are supported in the following 3 features: SalesIQ supports 34 different languages in the following features. Resources (Articles, FAQs, Small Talks)

      • Composite items inside of composite items; bill of materials needed

        Hi Zoho and Everyone, I am evaluating whether Zoho Inventory will work for my small business. I grow and harvest herbs and spices but also get from wholesalers. I use all these items to make herbal teas, but also sell them as individual items on my Shopify store and Etsy. I discovered the composite item bundling and am wondering if I could get some assistance since there is no bill of materials: Our herbal company's best selling tea is a sleepytime tea. Sleepytime Tea can be purchased in three weights

      • Action required: Reauthorizing your Google account in Zoho Sign for automatic cloud backup to Google Drive

        This is applicable to users who have already configured automatic cloud backup to Google Drive. Hi there! Google has mandated reauthorization of all preconfigured third-party integrations to ensure only the necessary scopes are shared as an improved security

      • Zoho CRM Layouts

        I have customised all our modules, Leads, Contacts and deals, and within them, I have created lots of different layouts depending on the type of Lead or contact, for example. Since the new Zoho UI came out, they have all disappeared. I have gone into

      • Next Page