Once you get the code, try swapping out the code for a token using Incognito mode in whatever browser you are logged in with. It seems that if the browser maintains session state (eg. you being logged in), it will throw the bad client credentials message you are seeing on the second step where you swap out the code for a token.
Based on your example, you might run step 1 from a normal Chrome window, then open up Chrome Incognito (Ctrl+Shift+N) and execute step 2.
Alternatively, you could open up your Chrome Developer tools, open the Resources tab, expand Cookies and select the SmartThings entry, and delete the JSESSIONID cookie between each call.
After talking with a SmartThings engineer, the solution that we are using for SmartRules is that when you have the code and are requesting the token, you need to add a basic authorization header, using the client ID and client secret as username and password, respectively.
It seems odd that you would need to do that and I am curious what the reasoning is. I tested this with various tools last night and found that as long the request to swap out the code for a token is sent without the session information, then it would work every time.
Even issuing a basic HTTP GET request via raw TCP connection works fine:
GET /oauth/token?grant_type=authorization_code&client_id=CLIENTID&client_secret=CLIENTSECRET&code=THECODE&scope=app&redirect_uri=https%3A%2F%2Fgraph.api.smartthings.com%2Foauth%2Fcallback HTTP/1.1
Host: graph.api.smartthings.com
Cache-Control: no-cache
PS. I don’t recall having to open up a fresh browser session to get this to work in the past, so it does seem like something has changed. The OAuth workflow has worked for 9+ months with my Android app, SharpTools - I am effectively using fresh HTTP connections each time only adding the necessary headers when needed.
