Explain the flow of an OAuth 2.0 authorization code grant and where potential security vulnerabilities might arise.