Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

I've discovered a bug in how Zoho's API Console handles the OAuth 2.0 authorization flow when the state parameter contains pipe characters (|), and I'm hoping the Zoho team can address this in a future update.
The Issue
Zoho's OAuth 2.0 implementation for server-based client applications uses the standard authorization endpoint: 
https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>
While Zoho's documentation does not explicitly list the state parameter, it is a standard part of the OAuth 2.0 specification (RFC 6749 Section 4.1.1) and is widely used for CSRF protection and maintaining application state through the authorization flow.
However, when the state parameter contains pipe characters (|), Zoho's authorization server fails to process the request correctly, preventing users from authorizing the connection. This occurs whether the pipe characters are URL-encoded (%7C) or left unencoded.
The Problem
The pipe character is a standard delimiter in multi-part state values, particularly when passing a combination of a CSRF token and a return URL. This behavior—failing on both encoded and unencoded pipe characters—is often indicative of overly restrictive input validation or a "leaky" WAF/Proxy layer that decodes parameters before the application logic can handle them.
State Value As Sent in URL Result
abc123xyz state=abc123xyz ✓ Works correctly
session_12345 state=session_12345 ✓ Works correctly
user|action|timestamp state=user|action|timestamp
(unencoded pipes)		 ✗ Authorization fails
user|action|timestamp state=user%7Caction%7Ctimestamp
(URL-encoded pipes)		 ✗ Authorization fails
user:action:timestamp state=user%3Aaction%3Atimestamp ? Not tested
Note: Pipe characters cause failures whether URL-encoded or not. Other special characters/delimiters have not been tested and may or may not exhibit similar issues.
RFC 6749 Compliance Issue
Section 4.1.1 - Authorization Request:
"state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback."
Section 4.1.2 - Authorization Response:
"state: REQUIRED if the 'state' parameter was present in the client authorization request. The exact value received from the client."
The RFC explicitly defines the state parameter as an opaque value. This means:
  • The Authorization Server should not be looking "inside" or parsing the string at all
  • The state value must pass through the authorization process unchanged
  • Any URL-encoded characters should be handled transparently
  • The exact value received must be returned to the client in the redirect
Key Point: By definition, an "opaque" parameter means the authorization server must treat it as a data blob—accepting it, storing it, and returning it without any interpretation or transformation.
Current Behavior vs Expected Behavior
Current Behavior Expected Behavior (Per RFC 6749)
1. Client sends: state=user|action|123
(or state=user%7Caction%7C123)
2. Zoho fails to parse the state parameter
3. Authorization server returns HTTP 400 Bad Request
4. User cannot authorize the connection 		1. Client sends: state=user|action|123

2. Zoho treats state as opaque data blob
3. User authorizes the connection
4. Redirect includes the exact value received:
state=user|action|123
(or consistently encoded as sent)
The Current Workaround (Suboptimal)
Important: The workarounds below only apply if you have control over the client application generating the OAuth request. If you're integrating with a third-party application that sets the state parameter (e.g., integration platforms, SaaS tools, enterprise software), you have no ability to modify the state value and therefore no workaround is available. You are completely blocked from completing the OAuth flow.
For developers who do control the client application, you must avoid pipe characters entirely: 
// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token
Problems with these workarounds:
  • Requires refactoring existing codebases that use pipe delimiters
  • Base64 encoding increases state parameter length significantly, risking URL length limits (particularly in older browsers and some enterprise proxies which enforce ~2000 character limits)
  • Server-side storage approach adds complexity, database overhead, and potential race conditions
  • Inconsistent with how the same code works with other OAuth providers (Google, Microsoft, etc.)
  • Developers may not discover this issue until production deployment
  • Custom delimiters (like _SEP_) are non-standard and may conflict with actual data values
What Should Happen Instead
Proposed Solution:
Zoho's authorization server should properly handle URL-encoded pipe characters (%7C) in the state parameter, as required by RFC 6749. The state value must be treated as an opaque data blob.
Technical Requirement: Treat state as a Data Blob
1. Input Accept %7C (and other encoded characters) as valid parts of the query string without triggering validation errors or WAF rules
2. Persistence Store the string exactly as received during the user's login/consent session—do not decode, parse, or transform
3. Output Append the exact string back to the redirect_uri without additional transformations that might strip or corrupt the delimiters
This approach:
  • Complies with RFC 6749's requirement to return "the exact value received"
  • Follows the same behavior as other major OAuth providers
  • Requires no changes from client applications
  • Unblocks third-party integrations that cannot modify their state format
Real-World Impact
This limitation affects any integration where:
  • Third-party applications set the state parameter and cannot be modified (integration platforms, SaaS connectors, enterprise software)
  • Multi-tenant applications need to encode tenant ID and return URL in state
  • CSRF protection implementations combine security tokens with application state
  • Single Sign-On flows need to preserve original request context
  • Migration projects from other OAuth providers that used pipe delimiters

Critical Blocker: When the state parameter originates from a third-party system outside your control, there is no workaround available. The integration is completely impossible until this is fixed.

Security Note: The state parameter is critical for CSRF protection in OAuth flows. Forcing developers to change their state encoding approach may inadvertently introduce security vulnerabilities if not handled carefully.

Request to Zoho Team

Can this be addressed in a future update?

This is a standards compliance issue that impacts developers integrating with Zoho's API. For those who control their client application, the current implementation forces unnecessary workarounds. For those integrating third-party applications, the situation is worse:

1. Custom development
Refactor code to avoid pipe characters, creating Zoho-specific OAuth handling 		2. Third-party integrations
No workaround possible - integration is completely blocked

Users should not be blocked from integrating with Zoho due to non-standard OAuth implementation.

Community Input Requested: Has anyone else encountered this issue? Are there other special characters that cause similar problems with Zoho's OAuth implementation?

    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    • Recent Topics

    • Zoho Books - New Interface keep details with PDF View

      Hello, The Zoho Books Interface has changed for estimates etc... One thing is causing issues though. Before the change, in PDF view you could see the detail information including custom fields entered for the estimate. Now, you have to switch between

    • Tip #52- Zoho Assist Downloads: Everything You Need in One Place- 'Insider Insights'

      Looking to start remote support sessions faster, manage unattended devices effortlessly, or join sessions without any hassle? The Zoho Assist Downloads Center has all the tools you need—across desktop, mobile, IoT, and browser environments. With our range

    • Condition based aggregate fields in subforms

      Hello everyone, We're excited to inform you about the latest enhancements made to our aggregate field capabilities in subforms; create aggregate fields based on conditions! An aggregate field is a column on which a mathematical function has been applied.

    • SalesInbox

      Sorry for saying this but SalesInbox is a really mess. BIG FAIL. Bad UX and VERY bad IMAP sync. I don't know how can someone use this to be more productive. It's just the oposite. I'm trying to use SalesInbox for a while but sales people do not have just sales activities so we still have to came back to the mail app anyway. Folders of SalesInbox are not in sync with folders of mail server (wich syncs Ok to mobile) and vice-versa wich leads to double work as now you have to cleanup 3 inboxes (Mail

    • Print labels on selected view

      How can I print labels for select view. Always defaults to ALL contacts when I select View = Mailing Labels. Thanks!!

    • Update CRM Price Books to include volume discounts as per Zoho Books/Inventory

      Once again, Zoho has 3 great products that all store information in different ways (which is not helpful when you attempt to integrate the 3 products - one of the best features of Zoho). Zoho CRM Price Books are basic at best. Zoho Books/Inventory Price

    • Tip #40- Strengthen Remote Support with IP-based Restrictions in Zoho Assist– ‘Insider Insights’

      Protecting sensitive data and preventing unauthorized access is a top priority for any organization. With IP-based restrictions in Zoho Assist, you can ensure that only users from trusted networks can initiate remote support sessions. Say your IT team

    • Printing Client Lists

      I was looking for a way to print out client lists based on the account. For example if I want all my contacts from company A on one sheet, how would I do this. Moderation Update (3rd December 2025): There are two challenges discussed in this thread. 1.

    • Qwen to be the default open source Generative AI model in Zoho Desk

      Hello everyone, At Zoho Desk, we will make the latest Qwen (30B parameters) the default LLM for our Generative AI features, including Answer Bot, Reply Assistant, and others. As a subsequent step, we will discontinue support for Llama (8B parameters).

    • ZOHO Blueprint and Workflow

      Hi, Correct me if i'm wrong, Blueprint triggers when a record that meets the criteria is created. It follows a specific transition that you will be setting up. Does blueprint work if the first state was triggered by a workflow? For example, In my custom module 1, I have a field named status. The statuses are 1, 2, 3 and 4. As soon as I create a new record, a workflow triggers that updates the status field to 1. Can a blueprint start from 2? My other concern is, can blueprint transitions work at the

    • Zoho CRM Participants Automatic - Invite Using Deluge

      Hi Zoho! Is there a way to make the invitations automatic via API? I'm using this one but it doesn't work or reflect in the CRM: participantUser = Map(); participantUser.put("type","email"); participantUser.put("participant",email); participantUser.put("invited",

    • Greek character in Deluxe script

      Hi, We have been using a script since 2022 which replaces characters in Greek contact names using replaceAll. Since this morning, all the Greek characters used in the script have turned to question marks. I tried retyping the characters, copy-pasting

    • Work Order Assignment for Engineers Handling Their Own Requests

      I’m setting up FSM for a business where there are multiple engineers, but each engineer handles their own process end-to-end receiving the service request, creating the work order, and completing the field service job. I noticed that I must create an

    • Experience Zoho Show on Mac now!

      Work today isn’t tied to a single place, time, or routine. It happens in cafes between meetings, on flights, or late at night when ideas strike. And when ins, your tools need to be ready, wherever you are. That’s why we built the Zoho Show app for Mac.

    • 【開催報告】東京 ユーザー交流会 Vol.4 | Zoho CRM 自動化のコツ ・Bookings のビジネス活用シーンとおすすめ機能を紹介

      ユーザーの皆さま、こんにちは。コミュニティチームの藤澤です。 11月28日(金)に新橋で「東京 ユーザー交流会 Vol.4」を開催しました。ご参加くださったユーザーの皆さま、ありがとうございました。ユーザー交流会の年内開催は、今回が最後でした。 この投稿では、当日のセッションの様子や使用した資料を紹介しています。残念ながら当日お越しいただけなかった方も、ぜひチェックしてみてください😊 ユーザー活用事例セッション:関数やクライアントスクリプトまで、CRMをもっと便利に Zoho CRM には、ワークフローやブループリントなど、さまざまな自動化に役立つ標準機能が備わっています。さらに、関数(Deluge)のようにスクリプトを記述して高度な自動化を実現することもできます。

    • Kiosk Button Actions

      I need to add an action to a Kiosk Button to loop me back to start the kiosk again and I am not sure what that looks like (function, etc.).

    • Dependent drop-downs... how?

      Good day. I have 2 different situations where I need a dependent drop-down field. First is for a subform, where I want to show related fields for a specific customer on the main form. In my case it is a parent whose children make use of our school transport

    • Reporting Limitation on Lead–Product Relation in Zoho CRM

      I noticed that Zoho CRM has a default Products related list under Leads. However, when I try to create a report for Lead–Product association, I’m facing some limitations. To fix this, I’m considering adding a multi-lookup field along with a custom related

    • Series Label in the Legend

      My legend reads 'Series 1' and 'Series 2'. From everything I read online, Zoho is supposed to change the data names if it's formatted correctly. I have the proper labels on the top of the columns and the right range selected. I assume it's something in

    • Dynamic Signature - Record owner

      Hi everyone, I’m using Zoho Writer merge templates from Zoho CRM and have two questions: Owner signature: How can I automatically insert the CRM record owner’s signature in the merged document? I’m not sure where this signature is stored or how to reference

    • Printing from Zoho Creator hosted on my own server to printers hosted on my clients local network

      Hello. Fairly new to Zoho Creator and looking for best options to be able to print from my application hosted on my own server to any printer hosted on my clients own local network. Any advice is welcome. Thank you.

    • Add System Pre-Defined Lookup Field to Subform?

      Hi there! New to using Zoho, so this may already exist, but I'm having trouble figuring it out. Is there a way to get the system pre-defined Account Lookup field (in our case, renamed to Company Name), as the starting point for a subform? In our company,

    • Numbered / bullet point List in Zho Cliq

      Hi, is there a way to format chat messages in Cliq like this Topic 1 Hey, I finished this project yesterday etc... Topic 2 I am still working on this etc...

    • Cannot Access Subform Display Order in Deluge

      As highlighted in this community post, we still have to deal with the significant limitation of not being able to access the user-sorted order of subform rows through Deluge. This creates a major disconnect between the UI capabilities and backend automation,

    • How many groups in Zoho Mail can I make?

      I'm currently on the free plan, which has a limit of 10 users. Does that limit includes groups too? If not, what is the limit for groups? Thanks!

    • Feature Suggestion for Zoho Social: Auto-reply to Comments or Keywords

      Hi Zoho team, I'd like to suggest a very specific feature that would be extremely helpful for customer engagement: the ability to automatically send a reply to comments on posts — either all comments or those containing specific keywords. For example,

    • Already have Zoho account. Not letting me log in

      I already have a Zoho account that is associated with my Google email and my phone number. Even though I'm already logged in to Zoho, when I click on the mail icon to access my email, it takes me to the pricing page. When I click on the free option, it

    • ZOHO Mail App Not working

      There seems to be an issue with Zoho Mail App today. It is not connecting to server, internet is working fine, tried uninstalling app and reinstalling, loading circle keeps spinning round. Is there an update on the way?

    • facing error 550 5.4.6 while sending emails

      Please help me fix this issue

    • Allow Itemization for Recurring Expenses

      For whatever reason, one cannot itemize a Recurring Expense. This capability should be added. The use cases to support this are largely the same as what they were to allow for itemization in Expenses. Anything that would need to be itemized for a regular

    • Zoho reply to not working. just reply to my self

      Hello. i using on my wordpress website a contact form from Wsform. i can set the reply to email there. normally it works. but since i am using your wordpress plugin zoho mail it doesn`t work. its not using the reply to (email from customer). I just can

    • Can't receive any email from other platform

      Hello,everyone, i'm just join zoho and create two email accounts for my own business. I was using it to get a verified email from stripe, but can't receive it. and I use my private gmail account to send test email twice, first time show below reply, but

    • Your Incoming has been blocked and the emails will not be fetched in your Zoho account and POP Accounts

      Can some on help me regarding our account . thank you so much

    • Zoho Creator integration with Sage 50

      Hi, Wondering if anyone has had any experience connecting Zoho to Sage 50 and could share any information on this matter. Thank you.

    • Conditional Email Forwarding

      How can I set conditional email forwarding of the users? For example: Mail should be forwarded to a address only if it comes from a particular sender. So, I want such email forwarding, which forwards mails based on particular conditions, like the incoming

    • Incoming emails not appearing in Inbox

      Hello, I have an issue with incoming emails sent from my website (domain: h2ostop.si). Emails are visible in the Sent folder, which means they are successfully sent through Zoho SMTP, but they never appear in my Inbox. Nothing arrives in Inbox, Spam,

    • Email Opt Out Question

      Has the problem where if a customer is emailed opt out prevents you sending standard emails? For me this feature is simply to stop any email marketing and should not block people from receiving emails via Zoho mobile, which makes no sense.

    • Can No Longer Access Zoho Email Accounts from iPhone or iPad Apple Mail Apps ,.

      Keeps asking for password, Says ID or password incorrect. Tried creating a new app specific password. Same result. Is this possibly related to the server maintenance. Have verified all email settings, userid and password. This has worked for years until

    • Latest update caused issue in using marathi typingzoho

      With latest update now marathi typing does Not work in zohonotebook. I preferred zoho over other because it was supporting marathi font without any distortion.. But after new update,keyborad simply does not work

    • Login verification emails never received.

      I can't login to my account. You send a verification email, but it never arrives. This is a common problem, frequently caused by some relay point out there classifying the sender as a spammer. Is there anything I can do to bypass this? Maybe get a text

    • Next Page