The only header that is being set is the Authorization header via HttpURLConnection.setRequestProperty.
I can't actually see the full request (is there a way to see the full request at the Openfire end?). It is using the same code for both requests which is weird why the first one for creating works and the second fails.
The username is an email address, I've tried escaping it using XmppStringUtils.escapeLocalpart, I've tried not escaping. I've tried url encoding it and I've tried url encoding it with escaping and without. I still get the same error.