Walk me through the flow of OAuth 2.0. Where are the most common security pitfalls when developers implement it?