Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>

// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token

• Topic Participants

• Damien Cregan

  

• Sticky Posts

• Deprecation of SMS-based multi-factor authentication (MFA) mode

  Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

• Recent Topics

• CRM Percent custom fields: When will it show the % symbol and behave like %?

  1. Actually Percent custom fields fail to show the % symbol. 2. When in formulas Percent fields work like number: 100 x 5% = 5 ideal world 100 x 5% = 500 what happens actually 3. When importing Percent fields the % symbol has to be removed and the data

• How to use OR when filtering using two fields

  I want to create return a list of Account Names by filtering on Field1 = "yes" OR Field 2 = "no" I can't see how to use the OR in the filter.

• Subforms and automation

  If a user updates a field how do we create an automation etc. We have a field for returned parts and i want to get an email when that field is ticked. How please as Zoho tells me no automation on subforms. The Reason- Why having waited for ever for FSM

• Xero Billing Data (22 instances) - Zoho (CRM) - Single Source of Truth For Client Data & Notes

  Hi - I’m trying to build out a CRM for a Single Source of Truth Currently I have 22 Instances of Xero (for legal entity purposes - can’t consolidate to one) How would I be best placed to do this? Is it possible to have all the Xero instances (22) → Consolidated

• Select CRM Custom Module in Zoho Creator

  I have a custom module added in Zoho CRM that I would like to link in Zoho creator.  When I add the Zoho CRM field it does not show the new module.  Is this possible?  Do i need to change something in CRM to make it accesible in Creator?

• New 2026 Application Themes

  Love the new themes - shame you can't get a little more granular with the colours, ie 3 different colours so one for the dropdown menu background. Also, I did have our logo above the application name but it appears you can't change logo placement position

• Zoho Expense - Bi-Weekly Report Automation

  Hi Zoho Expense Team, My feature request is to please include an option to automate creation of reports bi-weekly (every 2 weeks)

• PDF Generator Upgrade

  Hi Team, What will happen if I don't make any changes for existing template. Zoho just ask us upgrade but haven't tell the benefit. Zoho Corporation

• 500 internal server error on opening an iframe through a deluge script

  Hi Team I am trying to open an external url in an iframe through my deluge script which is associated to a custom button . By doing this i am getting an "Internal Server Error" . Please can you help me with this.

• Zoho CRM Quotes – Subform and PDF/Writer Limitations

  Hello, I am encountering the following limitations in Zoho CRM Quotes: Custom product images cannot be uploaded in the subform – the image upload field cannot be added; only the file upload field is available. File upload placeholders cannot be used in

• Strange behavior in CRM Number Field – Characters allowed but not "e"?

  Hi everyone, Has anyone faced this strange issue in Zoho CRM? In a Number field, it is possible to type some characters, but the character "e" cannot be entered. This was really surprising to me. Normally, a number field should restrict all characters

• No background for video recordings, no playback speed, can't even playback longer recordings - have to download…

  Hi. We utilize heavily video messages on Slack, but wanted to migrate to Cliq with Zoho One, however very basic yet very frequently used feature is missing: backgrounds for video recordings and playback speed. We were not happy with Slack's 5 minute limits

• Support inefficiency

  We have been asking for support for a minor adjustment for 12 days now and we haven't got a single viable resolution from support team despite there are 19 emails going between our HR team and various support emails from Zoho. 1. they do not understand

• Can I export to PDF in Zoho Learn

  I have seen help pages where export to pdf options are available but I do not see that option available from the application. I see that exprt is available in my free trial version but that is only to html pages. I need to be able to export my manuals

• Zia capabilities now available in the Professional edition announcement

  Hello all! The Professional edition now supports a broader set of Zia capabilities, enabling teams to bring AI into more of their everyday CRM work. From writing assistance and summaries to setup support, predictions, and recommendations, Zia can now

• Where Do I set 24h time format in Cliq?

  Where Do I set 24h time format? Thanks

• This will be long, Please bear with me - Next Gen Layout - Search

  In general, I think that Zoho are going in the right direction with the Next Gen UI. The latest update brings some nice improvements and all-in-all from a user's perspective I think the improvements are generally very good. However, there are some areas

• Selecting all notes in a notebook

  In Windows11, I select a notebook and I get a list of notes, but only 30 notes. If I scroll down to the end, I get an additional 30 notes (and at the top it now shows 60 notes). I can keep doing this to eventually see all my notes but this is a real pain.

• Update latitude & longitude address field API

  How do I update the coordinates of an address field from a widget? I can't modify the latitude and longitude of the address field. I think the problem is how I'm writing formdata variable. zoho_init.then(function (data) { var queryParams = ZOHO.CREATOR.UTIL.getQueryParams();

• Filter Records in CRM API

  Hi Team, I’m currently working on a task to retrieve expired deals from the CRM. By “expired deals,” I mean deals where the closing date has already passed and the stage is not “Closed Won” or “Closed Lost” (i.e., all other stages). I tried using both

• User Name in Zoho Cliq Not Updating Across Apps?

  We updated the name of a user in Zoho. (From Sue to Taylor) Her name has not been updated in Cliq on all apps. When in Zoho One, if I go to Cliq directly, it is correct, but if I am in another app, and the Cliq bar pops up on the bottom, it will be the

• Ability to Use Both AND and OR When Creating Rules (Advanced Conditions)

  I'd like to be able to use more complicated logic when setting up rules. E.g. in Zoho Mail, I can choose "Advanced conditions (AND/OR) to create a rule that can be applied to multiple subject lines from the same sender. But in Zoho TeamInbox, I will have

• Attaching files to emails within CRM Deals.

  Hello, We have recently started using the extension "Workdrive for CRM" (Related List) to view/store our documents for each Deal, instead of using Attachments. Overall it feels like a better way to go but the user experience is not so great when it comes

• Why I can't map Account Name from lead module to Account module?

  When I qualify a lead in the bluerprint, I use automated conversion in Blueprint to automatically create Contact, Account and Deal. the Deal record and contact record has been successfully created automatically as I expect, but I can't see any account

• Pause(1);

  I'm using scheduler to invoke an interaction via http post with an external service. The schedule code uses a for-each loop that runs so fast my external application's log files get messed-up (they are named by date-time stamp). What I'm suggesting is

• Release Notes | February 2026

  We have rolled out another set of enhancements in Vertical Studio during February 2026, bringing improvements to Canvas customization, reporting capabilities, and data access controls. Here is a summary of what was released during February 2026: Canvas

• Agentic Engineering with Zoho: The Next Evolution of Intelligent Systems

  The concept of Agentic Engineering is reshaping how modern systems are designed. It introduces a new layer to the way we think about artificial intelligence and system architecture. For years, most software systems have operated in a reactive way — responding

• Engenharia Agêntica e as soluções da Zoho

  O conceito de engenharia agêntica impacta diretamente como os sistemas são projetos. Este tema inseri mais uma camada a nossa idéia de inteligência artificial. Antes o desenvolvimento de sistemas operavam de forma reativa e dependente de comandos diretos,

• Effective project and task customization with CodeX

  Dear users, Beyond Task Lists is a series of articles aimed at showcasing the various customization capabilities of Zoho Projects. We'll discuss real life project management scenarios, use cases, and requirements that needs combining multiple features.

• Set expiration date on document and send reminder

  We have many company documents( for example business registration), work VISA documents. It will be nice if we can set a expiry date and set reminders ( for example 90 days, 60 days, 30 days etc.,) Does Zoho workdrive provide that option?

• Debit opening balances of vendors

  Dear colleagues: I am looking at the trial balance as on 31st March 2024, and punching opening balances (1st April 2024) in Zoho Books. Vendors have credit balances, by its nature, but some of our vendors have debit balances as well (e.g., we have paid

• Zoho Books emails suddenly going to Spam since 11 Nov 2025 (Gmail + now Outlook) — anyone else?

  Hi everyone, We migrated to Zoho Books in July 2025 and everything worked fine until 11 Nov 2025. Since then, Zoho Books system emails are landing in customers’ Spam (first Gmail, and now we’re seeing Outlook/Office 365 also starting to spam them). Impacted

• Client Portal ZOHO ONE

  Dear Zoho one is fantastic option for companies but it seems to me that it is still an aggregation of aps let me explain I have zoho books with client portal so client access their invoice then I have zoho project with client portal so they can access their project but not their invoice without another URL another LOGIN Are you planning in creating a beautiful UI portal for client so we can control access to client in one location to multiple aps at least unify project and invoice aps that would

• The Social Wall: February 2026

  Hello everyone, This month, we’re bringing you a mix of exciting toolkit enhancements and a few improvements across the web and iOS app, all designed to make your social media management simpler and smoother. File converter Images come in different formats,

• Zoho Mail and SalesInbox doesn't link to CRM record using Reply-To

  Hi, I've just set up SalesInbox, with the intention of using it for sales enquiries (instead of Desk, which I have been using until now). I've noticed that, unlike Desk, SalesInbox only uses the 'From' email address to attempt to link to a CRM contact

• Service line items

  Hello Latha, Could you please let me know the maximum number of service line items that can be added to a single work order? Thanks, Chethiya.

• Poor Search Results on Zoho CRM

  The search on Zoho CRM is quite poor. Salesforce has now published a new search, when will get this on Zoho? https://help.salesforce.com/s/articleView?id=data.c360_a_hybridsearch_index.htm&type=5

• How to use filters on all products page? Or even a category page?

  Hello, I am trying to create some filters so users can use filters to find products they are looking for. So what i am trying is to create a filter according to price lets say. So if i define it this way i am expecting to see this filter option on category

• Capture Last check-in date & days since

  I have two custom fields on my Account form, these are "Date of Last Check-In" and "Days Since Last Contact" Using a custom function how can I pull the date from the last check-in and display it in the field "Date of Last Check-In"? and then also display the number of days since last check-in in the "Days SInce Last Contact" field? I tried following a couple of examples but got myself into a bit of a muddle!

• Archiving Contacts

  How do I archive a list of contacts, or individual contacts?

• Next Page