Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint: 
https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>
While Zoho's documentation does not explicitly list the state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
State Value As Sent in URL Result
abc123xyz state=abc123xyz ✓ Works correctly
session_12345 state=session_12345 ✓ Works correctly
user|action|timestamp state=user|action|timestamp
(unencoded pipes)		 ✗ Authorization fails
user|action|timestamp state=user%7Caction%7Ctimestamp
(URL-encoded pipes)		 ✗ Authorization fails
user:action:timestamp state=user%3Aaction%3Atimestamp ? Not tested
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the state parameter as an opaque value. This means:
  • The Authorization Server should not be looking "inside" or parsing the string at all
  • The state value must pass through the authorization process unchanged
  • Any URL-encoded characters should be handled transparently
  • The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
Current Behavior Expected Behavior (Per RFC 6749)
1. Client sends: state=user|action|123
(or state=user%7Caction%7C123)
2. Zoho fails to parse the state parameter
3. Authorization server returns HTTP 400 Bad Request
4. User cannot authorize the connection 		1. Client sends: state=user|action|123

2. Zoho treats state as opaque data blob
3. User authorizes the connection
4. Redirect includes the exact value received:
state=user|action|123
(or consistently encoded as sent)
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely: 
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token
Problems with these workarounds:
  • Requires refactoring existing codebases that use pipe delimiters
  • Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
  • Server-side storage approach adds complexity, database overhead, and potential race conditions
  • Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
  • Developers may not discover this issue until production deployment
  • Custom delimiters (like _SEP_) are non-standard and may conflict with actual data values
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat state as a Data Blob
1. Input Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules
2. Persistence Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform
3. Output Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters
This approach:
  • Complies with RFC 6749's requirement to return "the exact value received"
  • Follows the same behavior as other major OAuth providers
  • Requires no changes from client applications
  • Unblocks third-party integrations that cannot modify their state format
Real-World Impact
This limitation affects any integration where:
  • Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
  • Multi-tenant applications need to encode tenant ID and return URL in state
  • CSRF protection implementations combine security tokens with application state
  • Single Sign-On flows need to preserve original request context
  • Migration projects from other OAuth providers that used pipe delimiters

Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.

Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.

Request to Zoho Team

Can this be addressed in a future update?

This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:

1. Custom development
Refactor code to avoid pipe characters, creating Zoho-specific OAuth handling 		2. Third-party integrations
No workaround possible - integration is completely blocked

Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.

Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?

    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    Nederlandse Hulpbronnen


      • Recent Topics

      • filtering lookup field options based on information in another module.

        In our CRM system. We have the standard Accounts and Deals modules. We would like to introduce the ability to classify Accounts by Sector. Our desired functionality is to have a global list of all sectors that an Account can select, with the ability to

      • Service op locatie organiseren met Zoho FSM: waar lopen organisaties tegenaan?

        Bij organisaties met service teams op locatie merken we vaak dat de complexiteit niet zozeer in de planning zelf zit, maar in wat er rond die planning gebeurt. Denk aan opvolging na interventies, consistente servicerapporten, en het bijhouden van installaties

      • Introducing Assemblies and Kits in Zoho Inventory

        Hello customers, We’re excited to share a major revamp to Zoho Inventory that brings both clarity and flexibility to your inventory management experience! Presenting Assemblies and Kits We’re thrilled to introduce Assemblies and Kits, which replaces the

      • Does the ability exist to make tax on the customer profile mandatory?

        I am reaching out to inquire about the possibility of making the "Customer Tax" field mandatory when creating a new customer in Zoho. We want to ensure that all customers have their tax information recorded to maintain compliance with our internal processes.

      • email association with CRM

        Why is it 2024 (almost 2025) and Zoho has not figured out how to integrate email with CRM? It is so inconsistent at associating emails within CRM. I am an attorney. I have clients and work with other attorneys. Attorney John Doe is associated with multiple

      • Fix the speed

        It takes ages to load on every step even though my dataset is quite small.

      • Credit Note for Shipped and Fatoora pushed invoices

        We have shipped a Sales Order and created an Invoice. The Invoice is also pushed to Fatoora Now we need to create a credit note for the invoice When we try it, it says we need to create a Sales Return in the Zoho Books, we have already created a Sales

      • FSM - Timesheet entires for Internal Work

        Hi FSM Team, Several of my clients have asked how they can manage internal timesheets within Zoho FSM. Since their technicians already spend most of their day working in FSM, it would be ideal if they could log all working hours directly in the FSM app.

      • Add a way of clearing fields values in Flow actions

        It would be great if there was an option to set a field as Null when creating flows. I had an instance today where I just wanted to clear a long integer field in the CRM based on an action in Projects but I had to write a custom function. It would be

      • Role Management

        I am creating an analytics dashboard for a company that will be utilized by its various departments such as Finance, Marketing, and HR. My goal is to design the dashboard with separate tabs for each department. Additionally, I plan to implement role-based

      • Highlight a candidate who is "off limits"

        Hello: Is there a way to highlight a candidate who is "off limits"?  I would like to have the ability to make certain candidate and / or Client records highlighted in RED or something like that.   This would be used for example when we may have placed a candidate somewhere and we want everyone in our company to quickly and easily see that they are off limits.  The same would apply when we want to put a client or former client off limits so no one recruits out of there. How can this be done? Cheers,

      • Announcing new features in Trident for Windows (v.1.37.5.0)

        Hello Community! Trident for Windows just received a major update, with a range of capabilities that strengthen email security and enhance communication. This update focuses on making your mailbox safer and your overall email experience more reliable.

      • Early Payment Discount customize Text

        Hi, I’m currently using Zoho Books and am trying to customize the standard “Early Payment Discount” message that appears in the PDF invoice template. I’ve reviewed the documentation here: https://www.zoho.com/books/help/invoice/early-payment-discount.html

      • Deprecation of SMS-based multi-factor authentication (MFA) mode

        Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

      • DKIM Now Mandatory - Changes to Zoho Forms Email Policies

        Hello Zoho Forms Users, This post is to inform you about an important update regarding the authentication of all email domains in your Zoho Forms account. This year, we are doubling down on our commitment to deliver a secure, seamless, and empowering

      • Call description in notes

        When completing a call, we type in the result of the call in the description. However, that does not show up under the notes history on the contact. We want to be able to see all the calls that have taken place for a contact wihtout having to go into

      • Email Address for Contact not Populating

        When I click "Send Mail" from a Contact's page, their email address does not auto populate the "To" field. How do I make this happen?

      • New in CRM: Dynamic filters for lookup fields

        Last modified on Oct 28, 2024: This feature was initially available only through Early Access upon request. It is now available to all users across all data centers, except for the IN DC. Users in the IN DC can temporarily request access using this form

      • Why hybrid project management might be the best fit for you?

        Project management techniques are designed to equip teams with proven methods for easy and efficient project execution. While management teams may have apprehensions about adopting the hybrid method of project management, we’ve compiled the top reasons

      • Allow all Company Users to view all projects, but only owner/admins can change projects

        I was wondering if there was a permission setting I could adjust to allow all our company users to see all projects created. Then, only the project owners and admins with the change permission. Thanks

      • Fail to send Email by deluge

        Hi, today I gonna update some email include details in deluge, while this msg pops up and restrict me to save but my rules has run for one year. can you tell me how to use one of our admin account or super admin account to send the email? I tried to update

      • Seeking help to be able to search on all custom functions that are defined

        Hello I have a lot of custom functions defined (around 200) and i would like to search some specific strings in the content of those. Is there a way to accomplish that? If not, is there a way to download all existing custom functions in some files locally

      • Totals for Sales Tax Report

        On the sales tax report, the column totals aren't shown for any column other than Total Tax. I can't think of a good reason that they shouldn't be included for the other columns, as well. It would help me with my returns, for sure. It seems ludicrous

      • Add Bulk Section / Grid Layout Duplicate Feature in Zoho Forms Builder

        Currently in Zoho Forms, users can only duplicate individual fields. There is no option to duplicate an entire section or two-column/grid layout with all internal fields. This becomes inefficient when building structured forms such as Family Details,

      • Leistungsdatum in Rechnungen (Zoho Books)

        Hallo, ist es irgendwie möglich den Leistungszeitraum in der Rechnung aufzuführen? Beste Grüße Aleks

      • Zoho Trident Windows - Streams Not Visible

        Namaste We’re having an issue with Streams not being visible in Trident (Windows), which is important for us as we share many emails internally. It appears that the feature to show Streams above the Inbox folder, as seen in the default mailbox view, is

      • Sales IQ Chat Widget is Only Displaying Last Name

        Can anyone suggest why the widget is only displaying "last name"?! We have the latest version of the wordpress plugin installed. Thanks Thanks!

      • Shopify - Item sync from Zoho Inventory

        Hi team, We’ve connected Shopify with Zoho Inventory. We want that when an item is created in Zoho Inventory, it must create a product in Shopify. But currently, new items created in Zoho Inventory are not getting created in Shopify even after clicking

      • Bulk upload image option in Zoho Commerce

        I dont know if I am not looking into it properly but is there no option to bulk upload images along with the products? Like after you upload the products, I will have to upload images one by one again? Can someone help me out here? And what should I enter

      • Is it possible to setup bin locations WITHOUT mandating batch tracking?

        Hi fellow zoho users, I'm wondering if anyone else has a similar issue to me? I only have some products batch tracked (items with shelf life expiry dates) but I am trying to setup bin locations for my entire inventory so we can do stock counting easier.

      • Kill zoho meeting

        Saying the quiet part out loud. Can zoho please just give up on the idea that they can make a meeting platform and just make our workplace licenses cheaper when you remove it so people can switch to zoom or teams. Tired of the excuses, you guys cant make

      • Utilisation de Zoho en conformité avec l’article 286 du Code général des impôts (CGI)

        Cher(e) client(e), Conformément à l’article 286 du Code général des impôts (CGI) impose aux entreprises assujetties à la TVA d’utiliser des systèmes de caisse ou de gestion commerciale certifiés lorsqu’elles enregistrent des ventes à des particuliers.

      • Unable to Create Task as a Support Administrator

        Hello! I want to ask for help regarding creating tasks within the tickets. I am by default the Support Admin. I should be able to create tasks or activities right? But there's a prompt that I need to contact the Administrator. See photos for reference.

      • Introducing Forms in Zoho Sheet

        We hereby bring you the power of ​forms in Zoho Sheet. ​Now, build and create your own customized forms using Zoho Sheet. Be it compiling a questionnaire or rolling out a survey, Zoho Sheet can do it all for you. Forms is an excellent feature that helps you collect information in the simplest of ways and having it in Zoho Sheet takes it a notch higher. Build Simple yet Powerful forms Building forms using Zoho Sheet is fairly simple. The exclusive 'Form' tab lets you create one quickly. Whether you

      • Layout one survey question in a time & redirect next Page based on previous response

        I have doubt while, I am scripting survey on the Zoho where I redirecting to next page based on my previous response but didn’t get success on this. Please help me on this and tell me how I layout one survey questions in a time when I submit response

      • Zoho Bookings form pre-filled with Zoho Forms in

        Hi, I've got a contact page on my website and I'd like to have the option to book an appointment (redirected to zoho bookings page) after an option is submitted on the contact form. how would I go about doing this? thanks

      • Support “Other” Option with Free Text in Dropdown Fields

        Hello Zoho Bookings Team, Greetings, We would like to request an enhancement to the registration form fields in Zoho Bookings, specifically for dropdown fields. Current Limitation: At the moment, dropdown fields do not support an “Other” option that allows

      • Sending automated messages that appear in the ticket's conversation thread

        Good morning, esteemed Zoho Desk community, warm greetings Today I am here to raise the following problem, seeking a solution that I can implement: I need to implement an automation that allows me to send reminder messages to customers when I am waiting

      • Introducing parent-child ticketing in Zoho Desk [Early access]

        Hello Zoho Desk users! We have introduced the parent-child ticketing system to help customer service teams ensure efficient resolution of issues involving multiple, related tickets. You can now combine repetitive and interconnected tickets into parent-child

      • Payment Card or Identity form-fill from Vault?

        Hello! I'm working on replacing Bitwarden with Vault and one issue I've run into is that I can't find any option to fill address and payment forms from Payment Card or Identity info that has been saved in Vault. Is there a way to do this? Is it a planned

      • Next Page