Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint: 
https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>
While Zoho's documentation does not explicitly list the state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
State Value As Sent in URL Result
abc123xyz state=abc123xyz ✓ Works correctly
session_12345 state=session_12345 ✓ Works correctly
user|action|timestamp state=user|action|timestamp
(unencoded pipes)		 ✗ Authorization fails
user|action|timestamp state=user%7Caction%7Ctimestamp
(URL-encoded pipes)		 ✗ Authorization fails
user:action:timestamp state=user%3Aaction%3Atimestamp ? Not tested
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the state parameter as an opaque value. This means:
  • The Authorization Server should not be looking "inside" or parsing the string at all
  • The state value must pass through the authorization process unchanged
  • Any URL-encoded characters should be handled transparently
  • The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
Current Behavior Expected Behavior (Per RFC 6749)
1. Client sends: state=user|action|123
(or state=user%7Caction%7C123)
2. Zoho fails to parse the state parameter
3. Authorization server returns HTTP 400 Bad Request
4. User cannot authorize the connection 		1. Client sends: state=user|action|123

2. Zoho treats state as opaque data blob
3. User authorizes the connection
4. Redirect includes the exact value received:
state=user|action|123
(or consistently encoded as sent)
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely: 
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token
Problems with these workarounds:
  • Requires refactoring existing codebases that use pipe delimiters
  • Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
  • Server-side storage approach adds complexity, database overhead, and potential race conditions
  • Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
  • Developers may not discover this issue until production deployment
  • Custom delimiters (like _SEP_) are non-standard and may conflict with actual data values
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat state as a Data Blob
1. Input Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules
2. Persistence Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform
3. Output Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters
This approach:
  • Complies with RFC 6749's requirement to return "the exact value received"
  • Follows the same behavior as other major OAuth providers
  • Requires no changes from client applications
  • Unblocks third-party integrations that cannot modify their state format
Real-World Impact
This limitation affects any integration where:
  • Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
  • Multi-tenant applications need to encode tenant ID and return URL in state
  • CSRF protection implementations combine security tokens with application state
  • Single Sign-On flows need to preserve original request context
  • Migration projects from other OAuth providers that used pipe delimiters

Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.

Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.

Request to Zoho Team

Can this be addressed in a future update?

This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:

1. Custom development
Refactor code to avoid pipe characters, creating Zoho-specific OAuth handling 		2. Third-party integrations
No workaround possible - integration is completely blocked

Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.

Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?

    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    Nederlandse Hulpbronnen


      • Recent Topics

      • How to delete attachments form Zoho mail accounts

        I can't find a way to delete attachments from Zoho mail messages, either individually or in bulk. Searches here are providing conflicting results and often talk about workspace, whereas I am only interested in how to delete attachments that are seen with

      • Unable to fetch ticket by custom field value

        I'm trying to set up a Flow to fetch a ticket based on a custom field value. This seems like it should be pretty straightforward, but it's not working for me. I keep getting an error saying Zoho Desk says "Extra query parameter 'cf_creator_record_id'

      • Zoho Inventory - Composite Items - Assembly - Single Line Item Quantity of One

        Hi Zoho Inventory Team, Please consider relaxing the system rules which prevent an assembly items from consisting of a single line item and outputting a quantity of 1. A client I'm currently working with sells cosmetics and offers testers of their products

      • What's New in Zoho Inventory | Q2 2025

        Hello Customers, The second quarter have been exciting months for Zoho Inventory! We’ve introduced impactful new features and enhancements to help you manage inventory operations with even greater precision and control. While we have many more exciting

      • Zoho POS App Hanging Issue – Sales Becoming Difficult

        The Zoho POS app frequently hangs and becomes unresponsive during billing, making it very difficult to complete sales smoothly. This commonly happens while adding items, during checkout, or at payment time, especially during peak hours. These issues cause

      • Writing by Hand in "Write" Notes

        Hi there! I just downloaded this app a few moments ago, and I was wondering if there was a way to write things by hand in "Write" mode instead of just typing in the keyboard. It would make things a bit more efficient for me in this moment. Thanks!

      • "Spreadsheet Mode" for Fast Bulk Edits

        One of the challenges with using Zoho Inventory is when bulk edits need to be done via the UI, and each value that needs to be changed is different. A very common use case here is price changes. Often, a price increase will need to be implemented, and

      • SAML in Zoho One vs Zoho Accounts

        What is the difference between setting up SAML in Zoho Accounts: https://help.zoho.com/portal/en/kb/accounts/manage-your-organization/saml/articles/configure-saml-in-zoho-accounts ... vs SAML in Zoho One?: https://help.zoho.com/portal/en/kb/one/admin-guide/custom-authentication/setting-up-custom-authentication-with-popular-idps/articles/zohoone-customauthentication-azure

      • Zoho Inventory. Preventing Negative Stock in Sales Orders – Best Practices?

        Dear Zoho Inventory Community, We’re a small business using Zoho Inventory with a team of sales managers. Unfortunately, some employees occasionally overlook stock levels during order processing, leading to negative inventory issues. Is there a way to

      • Deactivated Zoho One account can sign in

        I am concerned by the fact that deactivated users in Zoho One have the ability to sign in even after their account has been deactivated (not deleted). these inactive identities have no access to individual Zoho apps or data. based on my experience they

      • How can I reset the password for a user in Zoho Projects

        We need to reset the password for a user in Zoho Projects. I am the admin portal owner and there was nothing to be found to do this. very confusing.

      • How can I add a comment to an existing ticket via API?

        I need to add comments/notes to the history of an existing ticket using the API without overwriting the original ticket description. Thanks!

      • Marketer's Space: Proven tips to improve open rates – Part III

        Hello Marketers! Welcome back to another post in Marketer's Space! This is the final post in the "open rate series". In the first and second parts, we discussed topics ranging from sender domains to pre-headers—but we're not done yet. A few more important

      • MCP no longer works with Claude

        Anyone else notice Zoho MCP no longer works with Claude? I'm unable to turn this on in the claude chat. When I try to toggle it on, it just does nothing at all. I've tried in incognito, new browsers, etc. - nothing seems to work.

      • Attention Deluge Developers: Important Update Regarding "Send Email Deluge Task"

        Hi Deluge Users, We hope this message finds you well. We would like to inform you about a recent update on the Send emails deluge task. If you are using this deluge task (SalesIQ Scripts) for your Zobot, widgets, or form controllers to send emails, please

      • Zoho Social - Feature Request - Reviewer Role

        Hi Social Team, I've come across this with a couple of clients, where they need a role which can review and comment on posts but who has no access to create content. This is a kind of reviewer role. They just need to be able to see what content is scheduled

      • Zoho Books/Inventory - Update Marketplace Sales Order via API

        Hi everyone, Does anyone know if there is a way to update Sales Orders created from a marketplace intigration (Shopify in this case) via API? I'm trying to cover a scenario where an order is changed on the Shopify end and the changes must be reflected

      • Zoho Inventory / Finance Suite - Add feature to prevent duplicate values in Item Unit field

        I've noticed that a client has 2 values the same in the Unit field on edit/create Items. This surprised me as why would you have 2 units with the same name. Please consider adding a feature which prevents this as it seems to serve no purpose.

      • Kaizen #224 - Quote-driven Deal Reconciliation Using Zoho CRM Functions and Automation

        Hello everyone! Welcome back to another instalment in the Kaizen series. This post covers quote-driven deal reconciliation, emphasizing Functions and Automation to address practical sales challenges. Business Challenge Sales organizations often mark deals

      • BARCODE PICKLIST

        Hello! Does anyone know how the Picklist module works? I tried scanning the barcode using the UPC and EAN codes I added to the item, but it doesn’t work. Which barcode format does this module use for scanning?

      • Zoho Inventory - Allow Update of Marketplace Generated Sales Orders via API

        Hi Inventory Team, I was recently asked by a client to create an automation which updated a Zoho Inventory Sales Order if a Shopify Order was updated. I have created the script but I found that the request is blocked as the Sales Order was generated by

      • How do I create an update to the Cost Price from landed costs?

        Hi fellow Zoho Inventory battlers, I am new to Zoho inventory and was completely baffled to find that the cost price of products does not update when a new purchase order is received. The cost price is just made up numbers I start with when the product

      • Zoho OAuth Connector Deprecation and Its Impact on Zoho Desk

        Hello everyone, Zoho believes in continuously refining its integrations to uphold the highest standards of security, reliability, and compliance. As part of this ongoing improvement, the Zoho OAuth default connector will be deprecated for all Zoho services

      • VoC in Zoho CRM is now data savvy: Explore response drilldown, summary components and participation in CRM criteria

        VoC has all the goods when it comes to customer intelligence—which is why we're constantly enhancing it. We recently added the following: A customer drilldown component that shows you the list of prospects and customers behind a chart's attribute Expanded

      • How do I bulk archive my projects in ZOHO projects

        Hi, I want to archive 50 Projects in one go. Can you please help me out , How can I do this? Thanks kapil

      • Passing the CRM

        Hi, I am hoping someone can help. I have a zoho form that has a CRM lookup field. I was hoping to send this to my publicly to clients via a text message and the form then attaches the signed form back to the custom module. This work absolutely fine when

      • Can I add Conditional merge tags on my Templates?

        Hi I was wondering if I can use Conditional Mail Merge tags inside my Email templates/Quotes etc within the CRM? In spanish and in our business we use gender and academic degree salutations , ie: Dr., Dra., Sr., Srta., so the beginning of an email / letter

      • Zoho Browser??

        hai guys, this sounds awkward but can v get a ZOHO BROWSER same as zoho writer, etc. where i can browse websites @ home and continue browsing the same websites @ my office, as v have the option in Firefox, once i save and close the browser and again when i open it i will be getting the same sites. If u people r not clear with my explanation, plz let me know. Thanks, Sandeep  

      • Let’s Talk Recruit: LinkedIn Cheatsheet

        Welcome to the first edition of Let’s Talk Recruit for 2026. We are kicking off the year by revisiting one of the most asked about topics in Zoho Recruit. How our LinkedIn integrations actually work and how recruiters can get the most value from them.

      • Zoho Forms API

        Is there any way to get all form entry list using API? Looking forward to hear from you

      • Ability to Set Client Name During Portal Invitation

        Hi Zoho Team, We would like to suggest an important enhancement to the Zoho Creator Client Portal functionality. Zoho Creator recently introduced the option to set a client’s display name in the Client Portal settings, which is very helpful for creating

      • Move email between inboxes?

        Is it possible to move emails from one team inbox to another? We would like to be able to have a single "catch-all" inbox for incoming requests, and then move the email to the appropriate department inbox. I was hoping we would be able to accomplish this

      • PDF Attachment Option for Service Reports

        Hello Team, I would like to check with you all if there is an option to attach PDF documents to the service reports. When I try to attach a file, the system only allows the following formats: JPEG, JPG, and PNG. Could you please confirm whether PDF attachments

      • 【Zoho CRM】データ一覧画面でのメモのバッジ機能リリースのお知らせ

        ユーザーの皆さま、こんにちは。コミュニティチームの藤澤です。2026年度もゾーホーユーザーコミュニティをどうぞよろしくお願いいたします! 今回は「Zoho CRM アップデート情報」の中から、新機能のデータ一覧画面でのメモのバッジ機能をご紹介します。 目次 概要 メモのバッジ機能について メモの作成について メモに関する様々な処理について 最近追加したメモについて メモのバッジの非表示について クライアントスクリプトの対応 概要  メモのバッジ機能について 既存の活動バッジに加えて、すべてのタブのデータ一覧表示画面に、各データごとに利用できる「メモのバッジ」(キャプチャ内の赤枠部分)が新たに導入されました。

      • is it possible to add more than one Whatsapp Phone Number to be integrated to Zoho CRM?

        so I have successfully added one Whatsapp number like this from this User Interface it seems I can't add a new Whatsapp Number. I need to add a new Whatsapp Number so I can control the lead assignment if a chat sent to Whatsapp Phone Number 1 then assign

      • Can’t find fsm in zoho one

        Every other app is available to me in Zoho one except fsm

      • Posibility to add Emoticons on the Email Subject of Templates

        Hi I´ve tried to add Emoticons on the Subject line of Email templates, the emoticon image does show up before saving the template or if I add the Emoticon while sending an Individual email and placing it manually on the subject line. Emoticons also show

      • Task Deletion Restriction & Strict Stage Control

        Hello Zoho Community, We have the following two issues currently pending and under testing, for which we require a workable and reliable solution: 1. Task Deletion Restriction We are testing ways to ensure that staff users are not able to delete tasks

      • Unable to mass update a picklist field

        Hello, I have the records within our Accounts module divided between two account types: Parent Accounts & Member Accounts. I am attempting to mass update accounts from one picklist value to the other (within other specific criteria in our custom fields)

      • Process checklist in CRM

        Hi We've created a new sales process that I'm mapping into the CRM - issue I have is that some of the tasks / milestones I would like to capture require very simple tick box responses but there are quite a few under a variety of sub categories so I don't

      • Next Page