Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint:
https://accounts.zoho.com/oauth/v2/auth?response_type=code
&client_id=<client_id>
&scope=<scope>
&redirect_uri=<redirect_uri>
&access_type=offline
&state=<state_value>
While Zoho's documentation does not explicitly list the state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
State Value              As Sent in URL                       Result
abc123xyz                state=abc123xyz                      ✓ Works correctly
session_12345            state=session_12345                  ✓ Works correctly
user|action|timestamp    state=user|action|timestamp          ✗ Authorization fails
                         (unencoded pipes)
user|action|timestamp    state=user%7Caction%7Ctimestamp      ✗ Authorization fails
                         (URL-encoded pipes)
user:action:timestamp    state=user%3Aaction%3Atimestamp      ? Not tested
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the state parameter as an opaque value. This means:
  • The Authorization Server should not be looking "inside" or parsing the string at all
  • The state value must pass through the authorization process unchanged
  • Any URL-encoded characters should be handled transparently
  • The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
Current Behavior:
1. Client sends: state=user|action|123 (or state=user%7Caction%7C123)
2. Zoho fails to parse the state parameter
3. Authorization server returns HTTP 400 Bad Request
4. User cannot authorize the connection

Expected Behavior (Per RFC 6749):
1. Client sends: state=user|action|123
2. Zoho treats state as an opaque data blob
3. User authorizes the connection
4. Redirect includes the exact value received: state=user|action|123 (or consistently encoded as sent)
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely:
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or (use the base64url alphabet: plain base64 emits "+", "/" and "=",
// which also need percent-encoding in a query string)
state = base64url_encode(json_encode({"csrf": csrf_token, "user": user_id, "path": redirect_path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token
Problems with these workarounds:
  • Requires refactoring existing codebases that use pipe delimiters
  • Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
  • Server-side storage approach adds complexity, database overhead, and potential race conditions
  • Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
  • Developers may not discover this issue until production deployment
  • Custom delimiters (like _SEP_) are non-standard and may conflict with actual data values
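For teams that need a self-contained state value rather than a server-side lookup, the following Python is an added example (not code from the original post, and not Zoho's): it builds a base64url-encoded, HMAC-signed state out of RFC 3986 unreserved characters only, so it never needs percent-encoding and sidesteps the pipe problem entirely; it binds the value to the browser session and an issue time, and on the callback it checks the exact round-trip before the authorization code is used. STATE_KEY, the session ids, the client_id, redirect_uri and callback URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a per-application signing key. Load it from a secret store in
# real code; this constant is a placeholder for the example.
STATE_KEY = b"example-only-32-byte-signing-key-0000000"

# RFC 3986 "unreserved" characters (ALPHA / DIGIT / "-" / "." / "_" / "~") are
# never percent-encoded, so a state built only from them survives every
# encode/decode layer (browser, proxy, WAF, authorization server) unchanged.
_UNRESERVED = re.compile(r"^[A-Za-z0-9\-._~]+$")


def _b64url(data: bytes) -> str:
    """base64url without padding: alphabet A-Z a-z 0-9 - _ (all unreserved)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _session_binding(session_id: str) -> str:
    """Bind state to the browser session without exposing the session id in the URL."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:32]


def make_state(session_id: str, return_path: str, key: bytes = STATE_KEY,
               now: Optional[int] = None) -> str:
    """Build a compact, integrity-protected state value.

    Layout: b64url(JSON payload) "." b64url(HMAC-SHA256 over the payload part).
    The nonce is the CSRF token; the session binding and timestamp stop a
    captured state from being replayed into another browser or much later.
    """
    payload = {
        "n": secrets.token_urlsafe(16),                 # unguessable CSRF nonce
        "s": _session_binding(session_id),              # which session started the flow
        "p": return_path,                               # where to send the user afterwards
        "t": int(time.time()) if now is None else now,  # issue time (seconds)
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_state(state: str, session_id: str, key: bytes = STATE_KEY,
                 max_age: int = 600, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if state is authentic, fresh and bound to this session, else None."""
    if not _UNRESERVED.match(state):            # also rejects anything we never emit, e.g. "|"
        return None
    body, sep, tag = state.partition(".")
    if not sep:
        return None
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):  # constant-time tag check before any parsing
        return None
    try:
        payload = json.loads(_b64url_decode(body))
    except ValueError:                          # covers base64, UTF-8 and JSON errors
        return None
    current = int(time.time()) if now is None else now
    issued = payload.get("t") if isinstance(payload, dict) else None
    if not isinstance(issued, int) or not 0 <= current - issued <= max_age:
        return None
    if payload.get("s") != _session_binding(session_id):
        return None
    return payload


def authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Zoho authorization request as shown in the post; urlencode leaves this state verbatim."""
    query = urlencode({
        "response_type": "code", "client_id": client_id, "scope": scope,
        "redirect_uri": redirect_uri, "access_type": "offline", "state": state,
    })
    return "https://accounts.zoho.com/oauth/v2/auth?" + query


def handle_callback(callback_url: str, session_id: str, key: bytes = STATE_KEY,
                    now: Optional[int] = None) -> Optional[dict]:
    """Client-side callback check: code present and state verified before the code is used."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if code is None or state is None:
        return None
    payload = verify_state(state, session_id, key, now=now)
    if payload is None:
        return None
    return {"code": code, "return_path": payload["p"]}
```

The payload is signed but not encrypted, which is why the session id goes in as a hash rather than in clear; anything placed in state ends up in browser history, proxy logs and Referer headers. The result for a typical payload is well under 200 characters, so the URL-length concern raised above does not arise at this size.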
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat state as a Data Blob
1. Input: Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules
2. Persistence: Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform
3. Output: Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters
This approach:
  • Complies with RFC 6749's requirement to return "the exact value received"
  • Follows the same behavior as other major OAuth providers
  • Requires no changes from client applications
  • Unblocks third-party integrations that cannot modify their state format
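To make the three requirements concrete, here is an added Python model of both behaviours (not Zoho's code, and not from the original post). `strict_authorize` is a hypothetical reconstruction of the symptom described above: percent-decode the query first, then reject any state outside a character whitelist, so "%7C" and "|" fail alike. `opaque_authorize` and `opaque_redirect` implement the RFC behaviour: check redirect_uri against the registered value (RFC 6749 section 3.1.2), store the state verbatim, and percent-encode it exactly once when building the redirect. `round_trips` drives the compliant path for any state value; RFC 6749 Appendix A.5 defines state as 1*VSCHAR, i.e. any printable ASCII including "|", and the test below covers that whole range. The client id, redirect URI, session ids and authorization codes are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

AUTH_ENDPOINT = "https://accounts.zoho.com/oauth/v2/auth"

# Constructed client registration: the server must compare redirect_uri
# against the registered value before storing anything about the request.
REGISTERED_REDIRECTS = {"cid": {"https://app.example/cb"}}

# In-memory stand-in for the consent session store that spans login and consent.
SESSIONS = {}

# Hypothetical reconstruction of the symptom, not Zoho's code: the value is
# checked after percent-decoding against a whitelist that excludes "|".
_STRICT_STATE = re.compile(r"^[A-Za-z0-9_\-.:]+$")


def _query(url: str) -> dict:
    """parse_qsl percent-decodes, so state arrives as the value the client meant."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def _common_checks(params: dict) -> dict:
    """Checks every authorization server should make, independent of state."""
    if params.get("response_type") != "code":
        return {"status": 400, "error": "unsupported_response_type"}
    client_id = params.get("client_id")
    if params.get("redirect_uri") not in REGISTERED_REDIRECTS.get(client_id, set()):
        return {"status": 400, "error": "invalid_request"}
    return {"status": 200}


def strict_authorize(url: str) -> dict:
    """Validate-after-decode model: any pipe in state yields HTTP 400."""
    params = _query(url)
    result = _common_checks(params)
    if result["status"] != 200:
        return result
    state = params.get("state")
    if state is not None and not _STRICT_STATE.match(state):
        return {"status": 400, "error": "invalid_request"}
    return {"status": 200}


def opaque_authorize(url: str, session_id: str) -> dict:
    """RFC 6749 model: store the state verbatim and never look inside it."""
    params = _query(url)
    result = _common_checks(params)
    if result["status"] != 200:
        return result
    SESSIONS[session_id] = {"state": params.get("state"),
                            "redirect_uri": params["redirect_uri"]}
    return {"status": 200, "consent_session": session_id}


def opaque_redirect(session_id: str, code: str) -> str:
    """After consent: append code and the stored state to redirect_uri, encoding once."""
    sess = SESSIONS.pop(session_id)
    query = {"code": code}
    if sess["state"] is not None:
        query["state"] = sess["state"]          # exact value received, percent-encoded once
    parts = urlsplit(sess["redirect_uri"])
    prefix = parts.query + "&" if parts.query else ""
    return urlunsplit(parts._replace(query=prefix + urlencode(query)))


def client_sees_state(redirect_url: str) -> str:
    """What the client gets back after its own percent-decoding."""
    return dict(parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True))["state"]


def round_trips(state: str) -> bool:
    """Drive the compliant model end to end and check the client gets the exact value back."""
    auth = AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": "cid",
        "redirect_uri": "https://app.example/cb", "state": state})
    if opaque_authorize(auth, "rt")["status"] != 200:
        return False
    return client_sees_state(opaque_redirect("rt", "1000.x")) == state
```

The one transformation the compliant path performs is the single percent-encoding needed to place the stored value in the redirect URL; the client's own decoding reverses it, so "the exact value received" holds for every VSCHAR, pipes included. The redirect_uri check is the validation that belongs on this endpoint; the state value gets none.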
Real-World Impact
This limitation affects any integration where:
  • Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
  • Multi-tenant applications need to encode tenant ID and return URL in state
  • CSRF protection implementations combine security tokens with application state
  • Single Sign-On flows need to preserve original request context
  • Migration projects from other OAuth providers that used pipe delimiters

Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.

Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.

Request to Zoho Team

Can this be addressed in a future update?

This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:

1. Custom development: refactor code to avoid pipe characters, creating Zoho-specific OAuth handling
2. Third-party integrations: no workaround possible, the integration is completely blocked

Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.

Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?