Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint: 
https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>
While Zoho's documentation does not explicitly list the state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
State Value As Sent in URL Result
abc123xyz state=abc123xyz ✓ Works correctly
session_12345 state=session_12345 ✓ Works correctly
user|action|timestamp state=user|action|timestamp
(unencoded pipes)		 ✗ Authorization fails
user|action|timestamp state=user%7Caction%7Ctimestamp
(URL-encoded pipes)		 ✗ Authorization fails
user:action:timestamp state=user%3Aaction%3Atimestamp ? Not tested
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the state parameter as an opaque value. This means:
  • The Authorization Server should not be looking "inside" or parsing the string at all
  • The state value must pass through the authorization process unchanged
  • Any URL-encoded characters should be handled transparently
  • The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
Current Behavior Expected Behavior (Per RFC 6749)
1. Client sends: state=user|action|123
(or state=user%7Caction%7C123)
2. Zoho fails to parse the state parameter
3. Authorization server returns HTTP 400 Bad Request
4. User cannot authorize the connection 		1. Client sends: state=user|action|123

2. Zoho treats state as opaque data blob
3. User authorizes the connection
4. Redirect includes the exact value received:
state=user|action|123
(or consistently encoded as sent)
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely: 
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token
Problems with these workarounds:
  • Requires refactoring existing codebases that use pipe delimiters
  • Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
  • Server-side storage approach adds complexity, database overhead, and potential race conditions
  • Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
  • Developers may not discover this issue until production deployment
  • Custom delimiters (like _SEP_) are non-standard and may conflict with actual data values
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat state as a Data Blob
1. Input Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules
2. Persistence Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform
3. Output Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters
This approach:
  • Complies with RFC 6749's requirement to return "the exact value received"
  • Follows the same behavior as other major OAuth providers
  • Requires no changes from client applications
  • Unblocks third-party integrations that cannot modify their state format
Real-World Impact
This limitation affects any integration where:
  • Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
  • Multi-tenant applications need to encode tenant ID and return URL in state
  • CSRF protection implementations combine security tokens with application state
  • Single Sign-On flows need to preserve original request context
  • Migration projects from other OAuth providers that used pipe delimiters

Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.

Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.

Request to Zoho Team

Can this be addressed in a future update?

This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:

1. Custom development
Refactor code to avoid pipe characters, creating Zoho-specific OAuth handling 		2. Third-party integrations
No workaround possible - integration is completely blocked

Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.

Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?

    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    • Recent Topics

    • Marketing Tip #15: Rank better with keyword-rich URLs for product pages

      Your product page URL is a small detail that can make a surprisingly big difference. Clean, readable URLs help in two ways: They’re easier for customers to trust and remember (no one likes clicking a link that looks messy or random). They help search

    • Conditional fields when converting a Lead and creating a Deal

      Hi, On my Deal page I have a field which has a rule against it. Depending on the value entered, depends on which further fields are displayed. When I convert a Lead and select for a Deal to be created as well, all fields are shown, regardless of the value

    • ATE Session on Payment Gateways: Our experts are live now. Post your questions now!

      Hello everyone, Our experts are all excited to answer all your questions related to payment workflows. Please feel free to join this session and learn more about this topic. If you have a query at anytime, please post them here.

    • Upload data deleted all Zoho form data that we manage

      Good morning. Let me introduce myself, I'm Iky from Indonesia. I'm experiencing an error or problem using Zoho Forms. I manage Zoho Forms, but I previously encountered an error when I misclicked the delete button in the upload format. It apparently deleted

    • ZOHO FORMにURL表示ができない

      初心者です。 ZOHO FORM で宿泊者名簿を作っています。 ゲストが、URLをクリックするとStripeで支払いができるようにURLを表示をしたいのですが、 上手くできません。 やり方が分かる方、ぜひ教えてください。

    • Custom module - change from autonumber to name

      I fear I know the answer to this already, but thought I'd ask the question. I created a custom module and instead of having a name as being the primary field, I changed it to an auto-number. I didn't realise that all searches would only show this reference.

    • No Automatic Spacing on the Notebook App?

      When I'm adding to notes on the app, I have to add spaces between words myself, rather than it automatically doing it. All my other apps add spacing, so it must be something with Zoho. Is there a setting I need to change, or something else I can do so

    • Holidays - Cannot Enter Two Holidays on Same Day

      I have a fairly common setup, where part-time employees receive 1/2 day's pay on a holiday and full-time employees receive a full day's pay. Historically, I've been able to accommodate this by entering two separate holidays, one that covers full-time

    • Zoho Bookings and Survey Integration through Flow

      I am trying to set up flows where once an appointment is marked as completed in Zoho Bookings, the applicable survey form would be sent to the customer. Problem is, I cannot customise flows wherein if Consultation A is completed, Survey Form A would be

    • Campaigns set up and execution assistance

      Hello Community, Can someone recommend a professional who can assist with the completion of my set up and deployment of Campaigns? Looking for a person or company that is not going to ask for big dollars up-front without a guarantee of performance to

    • Zobot with Plugs

      Hello, I am having a problem with Zobot using Plugs. Here is my current flow: When I run the flow, I should immediately see the messages from the initial cards (Send Message cards), then after running the plug, and finally, see the messages after the

    • Kaizen #223 - File Manager in CRM Widget Using ZRC Methods

      Hello, CRM Wizards! Here is what we are improving this week with Kaizen. we will explore the new ZRC (Zoho Request Client) introduced in Widget SDK v1.5, and learn how to use it to build a Related List Widget that integrates with Zoho WorkDrive. It helps

    • Remove Powered by Zoho at the footer

      Hi, I've read two past tickets regarding this but it seems that the instructions given are outdated. I assume the layout keeps on changing, which makes it frustrating for me to search high and low. Please let me know how exactly do I do this now? Th

    • Error AS101 when adding new email alias

      Hi, I am trying to add apple@(mydomain).com The error AS101 is shown while I try to add the alias.

    • No Need To Fix Something That Is Working

      Zoho Books is a great financial tool which helps businesses to become more efficient and productive with day-to-day operations. As such, every change, upgrade, improvement needs to be carefully thought before implemented in the software and I'm sure Zoho

    • Using email "importance" as workflow-criteria

      I'd like to set up a workflow that triggers if an incoming email has been flagged as "high importance" but I'm not seeing any way to do that. Hopefully I'm just missing something obvious...?

    • This domain is not allowed to add. Please contact support-as@zohocorp.com for further details

      I am trying to setup the free version of Zoho Mail. When I tried to add my domain, theselfreunion.com I got the error message that is the subject of this Topic. I've read your other community forum topics, and this is NOT a free domain. So what is the

    • What is Resolution Time in Business Hours

      HI, What is the formula used to find the total time spent by an agent on a particular ticket? How is Resolution Time in Business Hours calculated in Zohodesk? As we need to find out the time spent on the ticket's solution by an agent we seek your assistance

    • Check & Unchecked Task Segregation in Export

      It must have a feature to represent checked and unchecked tasks as [ ] and [✅] respectively when exporting it to Arratai or WhatsApp ; as Keep Notes by Google contains…

    • WorkDrive Download Issue

      My client has been sending me files via WorkDrive, which generally has worked fine. Recently files won't download at all. If you try and individually select and download a file, a popup will appear in the bottom right saying it's preparing and then it

    • Resolution Time Report

      From data to decisions: A deep dive into ticketing system reports What are time-based reports? Time-based reports are valuable tools that help us understand how well things are going by breaking down key metrics over specific periods. By tracking, measuring,

    • Support Custom Background in Zoho Cliq Video Calls and Meetings

      Hello Zoho Cliq Team, We hope you are doing well. We would like to request an enhancement to the video background capabilities in Zoho Cliq, specifically the ability to upload and use custom backgrounds. Current Limitation At present, Zoho Cliq allows

    • Add RTL (Right-to-Left) Text Direction Button in Zoho Cliq

      Greetings Zoho Team, We would like to request the addition of an RTL (Right-to-Left) text direction button in Zoho Cliq, similar to what is already available in other Zoho apps like Zoho Desk. Currently, while using Zoho Cliq with the English interface,

    • Enable Backgrounds and Video Filters for 1:1 Cliq Calls Across All Zoho Entry

      Hello Zoho Cliq Team, We hope you are doing well. We would like to request an enhancement related specifically to 1:1 video calls in Zoho Cliq. Current Behavior Zoho Cliq currently provides background and video filter options in the following scenarios:

    • Zoho Flow: Stripe a Zoho Marketing Automation

      Hola! Quiero hacer un flujo con Zoho Flow, para que cuando se haga un pago en Stripe, añada el lead en Zoho Marketing Automation. Lo he configurado, configurando el disparador como "Payment created" y mapeando el campo de Stripe "Receipt email address".

    • Need Customer Item Inward Module along with QC

      Need Customer Item Inward Module along with QC 1. Using Transfer Orders hit the item balance sheet 2. Items without inventory it becomes difficult for tracking purpose. 3. Custom Modules become tedious to capture multiple items, item subforms are not

    • LESS_THAN_MIN_OCCURANCE - code 2945

      Hi I'm trying to post a customer record to creator API and getting this error message. So cryptic. Can someone please help? Thanks Varun

    • Zoho email

      I need a list of email addresses of all contacts on my zoho

    • Shift-Centric View for Assigning and Managing Shifts in Zoho People

      Hello Zoho People Product Team, Greetings and hope you are doing well. This feature request is related to Zoho People - please don't move it to zoho one! We would like to submit a feature request regarding the shift assignment and management view in Zoho

    • Introducing parent-child ticketing in Zoho Desk [Early access]

      Hello Zoho Desk users! We have introduced the parent-child ticketing system to help customer service teams ensure efficient resolution of issues involving multiple, related tickets. You can now combine repetitive and interconnected tickets into parent-child

    • cant upload images in signature- urgent help needed. ta!

      HI, I have been trying to insert the company logo in the signature. i have tried it several times since yesterday, the longest I waited was 1 hour and 12 minutes for the pop up window to upload a 180 KB .jpg file. what am i doing wrong.. an urgent reply

    • Add Ticket button in Home view

      When I go to the My Tickets or the Knowledge Base view in our Help Centre, the Add Ticket button is available, but not in the Home view. I would really like for it to be displayed in the Home view as well. Is this possible? Thanks.

    • Problem using Zoho Desk API

      Goodmorning, I am trying to use the Zoho Desk API to create a dashboard in Grafana, but I am having a problem. Following the instructions in the API documentation, I created the API Console application (server-based application). Then I created the string

    • Add zoho calendar to google calendar

      Hi I keep seeing instructions on how to sync Zoho CRM calendar with google calendar but no instructions on how to view Zoho calendar in my google calendar.

    • How to print a label from zoho creator app?

      Hello, I would like to print a label from zoho creator app record similar to attached one. Size 74mm x 102mm. I tried record template. It leaves plenty of space around the content and also I couldn't set the height of the page. So it is not printing properly. Could someone please direct me to right direction for this requirement?

    • City field suggestion in Zoho Books

      Hi team, We are using Customers module in Zoho Books. In the Address section, we want to understand whether the City field can show suggestions while typing using any API or built-in feature. For example, if a user types “Mum”, can the system suggest

    • Non-responsive views in Mobile Browser (iPad)

      Has anyone noticed that the creator applications when viewed in a mobile browser (iPad) lost its responsiveness? It now appears very small font size and need to zoom into to read contents. Obviously this make use by field staff quite difficult. This is not at all a good move, as lots of my users are depending on accessing the app in mobile devices (iPads), and very challenging and frustrating. 

    • How can I check all announce?

      Hiii, May I ask how can I check all the announce based on broadcast date instead of reply date based So that I will not will miss out any new function

    • What are the create bill API line item requiered fields

      While the following documentation says that the line items array is requiered it doesn't say what if any files are requiered in the array. Does anyone know? API documentation: https://www.zoho.com/inventory/api/v1/bills/#create-a-bill I'm trying to add

    • This user is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details

      Hello, Just signed up to ZOHO on a friend's recommendation. Got the TXT part (verified my domain), but whenever I try to add ANY user, I get the error: This user is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details I have emailed as well and writing here as well because when I searched, I saw many people faced the same issue and instead of email, they got a faster response here. My domain is: raisingreaderspk . com Hope this can be resolved.  Thank you

    • Next Page