A 403 typically indicates a bad username/password [or in this case, client id + client secret] (a 403 is a forbidden error code).
Client ID and Client Secret don’t typically need a URL encoder, but as they don’t contain special characters, that should be a no-op.
```
&client_secret=[your client secret]
&grant_type=authorization_code
&redirect_uri=[your registered redirect URI]
&code=[code received from redirect URI]
&state=[your provided unique token]
```
I'd have to check my implementation, but I'm not sure if token should be URL-encoded.
Otherwise it looks good, with a general disclaimer that I don't typically work in Java.
Provided your redirect URL in your application is pointing at 'http://localhost:8000/token' that should be OK - but generally redirecting from an HTTPS endpoint (Twitch auth) to an HTTP endpoint (your local server) is a no-no, but shouldn't be deal-breaking.
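An added example, not part of the original post and written in Python rather than the asker's Java: it form-encodes the parameters listed above exactly once and runs the checks the reply raises (credentials unchanged by URL encoding, redirect URI identical to the registered one, matching state). The function names are hypothetical, the sample values are constructed, and `client_id` as the first parameter is an assumption because the listing above starts mid-request.

```python
import hmac
from urllib.parse import quote, urlencode, urlsplit

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")

def build_token_body(client_id, client_secret, redirect_uri, code, state):
    """Form-encode the exchange parameters once, in the order listed in the post."""
    return urlencode([
        ("client_id", client_id),          # assumed first parameter
        ("client_secret", client_secret),
        ("grant_type", "authorization_code"),
        ("redirect_uri", redirect_uri),    # the only value here that really needs encoding
        ("code", code),
        ("state", state),
    ])

def preflight(client_id, client_secret, redirect_uri, registered_uri,
              state, returned_state):
    """Return a list of problems worth fixing before sending the request."""
    problems = []
    for name, value in (("client_id", client_id), ("client_secret", client_secret)):
        if not value or value != value.strip():
            problems.append(f"{name} is empty or has stray whitespace")
        elif quote(value, safe="") != value:
            # Encoding should be a no-op for these; if not, suspect a paste error.
            problems.append(f"{name} changes under URL encoding")
    if redirect_uri != registered_uri:
        problems.append("redirect_uri differs from the registered redirect URI")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
        problems.append("redirect_uri is plain http on a non-loopback host")
    # Constant-time comparison of the state sent with the state that came back.
    if not hmac.compare_digest(state.encode(), returned_state.encode()):
        problems.append("state returned on the redirect does not match the one sent")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    uri = "http://localhost:8000/token"
    print(preflight("abc123", "s3cr3t", uri, uri, "st8", "st8"))
    print(build_token_body("abc123", "s3cr3t", uri, "codeXYZ", "st8"))
```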