Reputation: 333
When I make an HTTP POST request to the Spotify Swap endpoint using Postman, the server gives me a correct response containing a refresh token, but I can't get the same response when hitting the endpoint using my Java app.
I made my Java app generate the same request as the one generated through Postman when hitting the Spotify endpoint directly. When I listen to the TCP connection, I don't see any differences between the two requests other than the auth code, which can't be reused.
The request using Postman with a_code looks like this:
bash-3.2$ nc -l 127.0.0.1 1234
POST /api/token HTTP/1.1
Host: localhost:1234
Connection: keep-alive
Content-Length: 460
Accept: */*
Cache-Control: no-cache
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
Authorization: Basic <base64 encoded client_id:client_secret>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Postman-Token: b089ac57-7dcd-f94a-f315-9f28f74ac9eb
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
code=a_code&grant_type=authorization_code&redirect_uri=my-spotifyoauth%3A%2F%2Fspotifylogincallback%2Ffree
The request using my Java app with another_code (UPDATE):
POST /api/token HTTP/1.1
Authorization: Basic <base64 encoded client_id:client_secret>
Accept: */*
Connection: keep-alive
Cache-Control: no-cache
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 460
Host: localhost:1234
User-Agent: Apache-HttpClient/4.3.5 (java 1.5)
code=another_code&grant_type=authorization_code&redirect_uri=my-spotifyoauth%3A%2F%2Fspotifylogincallback%2Ffree
When I switch the endpoint from localhost:1234 to accounts.spotify.com, the non-fake one, I get a 400 response from the server, and I can't figure out why.
POST https://accounts.spotify.com/api/token responded with status 400
> Accept-Encoding: gzip
< Server: nginx
< Date: Tue, 14 Mar 2017 17:08:34 GMT
< Content-Type: application/json
< Content-Length: 69
< Connection: keep-alive
< Keep-Alive: timeout=600
< {"error":"server_error","error_description":"Unexpected status: 400"}
Do you know why, even seeing the same request over TCP, the Spotify server response is different? How can I further debug this issue?
UPDATE: codes can't be reused, so they should be different every time I make a new request. My endpoint is invalidating any codes I'm sending through it. The second time I hit my endpoint using the same code I get the error: {"error":"invalid_grant","error_description":"Invalid authorization code"}
Upvotes: 0
Views: 753
Reputation: 2031
I think the devil is in the details. The request above is definitely from Postman, seeing it has a Postman-Token header. If you instead post what your Java app sends to your netcat, we could figure it out.
I could recreate the request with curl using your example above and it worked for me, and I instead saw the more descriptive error message:
HTTP/1.1 400 Bad Request
{"error":"invalid_grant","error_description":"Authorization code expired"}
That also means you need to throw away that account or change your client_secret, because you posted it to Stack Overflow, but I guess you already know that.
Upvotes: 2
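Added example, not part of the original question or answer: a Python helper that masks the Authorization header and the code field in a netcat capture before it is shared publicly, and compares two captures while ignoring header order, header-name case and the single-use authorization code. The captures, the credential string and all function names are constructed for illustration.

```python
# Constructed captures modelled on the question's netcat dumps (placeholder values).
POSTMAN = (
    "POST /api/token HTTP/1.1\n"
    "Host: localhost:1234\n"
    "Authorization: Basic Y29uc3RydWN0ZWQ6cGxhY2Vob2xkZXI=\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Postman-Token: 00000000-0000-0000-0000-000000000000\n\n"
    "code=a_code&grant_type=authorization_code&redirect_uri=my-spotifyoauth%3A%2F%2Fspotifylogincallback%2Ffree"
)
JAVA_APP = (
    "POST /api/token HTTP/1.1\n"
    "authorization: Basic Y29uc3RydWN0ZWQ6cGxhY2Vob2xkZXI=\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Host: localhost:1234\n\n"
    "code=another_code&grant_type=authorization_code&redirect_uri=my-spotifyoauth%3A%2F%2Fspotifylogincallback%2Ffree"
)
SECRET = {"authorization", "proxy-authorization", "code", "refresh_token", "client_secret"}
SINGLE_USE = {"code"}  # authorization codes differ on every attempt by design

def parse_request(raw):
    """Split a capture into (request line, lower-cased headers, raw form fields)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.split("\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in rest)}
    form = {k: v for k, _, v in (p.partition("=") for p in body.strip().split("&") if p)}
    return first, headers, form

def redact(raw):
    """Return the capture with credentials and secret form values masked."""
    first, headers, form = parse_request(raw)
    out = [first]
    for name, value in headers.items():
        if name in SECRET:
            scheme, sep, _ = value.partition(" ")  # keep only the auth scheme
            value = (scheme + " " if sep else "") + "<redacted>"
        out.append(f"{name}: {value}")
    body = "&".join(f"{k}={'<redacted>' if k in SECRET else v}" for k, v in form.items())
    return "\n".join(out) + "\n\n" + body

def diff_requests(a, b):
    """Differences between two captures, ignoring header order/case and single-use values."""
    (la, ha, fa), (lb, hb, fb) = parse_request(a), parse_request(b)
    diffs = [] if la == lb else [("request-line", la, lb)]
    for kind, x, y in (("header", ha, hb), ("field", fa, fb)):
        for key in sorted(set(x) | set(y)):
            if x.get(key) == y.get(key) or (key in SINGLE_USE and key in x and key in y):
                continue
            mask = lambda v, k=key: "<redacted>" if v is not None and k in SECRET else v
            diffs.append((f"{kind}:{key}", mask(x.get(key)), mask(y.get(key))))
    return diffs
```

Form values are compared in their raw percent-encoded form, so an encoding difference in redirect_uri shows up as a difference; a mismatch in the Authorization header is reported without printing either credential.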