Another pitfall I can see is that many articles about OAuth authorization on the client side don't talk about verifying the validity of the client's access token on the resource/API server side. I've found some talks/docs about an "introspection" endpoint, but they are rare.
That's why I have asked this question here in the context of Laravel Socialite.
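The resource-server-side check the comment above refers to, shown as an added example (not code from the original post, from Laravel Socialite, or from any project mentioned here): the API server sends the bearer token it received to the authorization server's RFC 7662 token introspection endpoint, then fails closed unless the response says the token is active, unexpired, issued for this API, and carries the scope the request needs. The endpoint URL, client credentials, audience value and scope names are hypothetical placeholders; the sample responses at the bottom are constructed so the decision logic can be run offline.

```php
<?php
// Added example, not from the original post: resource-server validation of an
// OAuth access token via an RFC 7662 token introspection endpoint.
// All constants below are hypothetical placeholders.

declare(strict_types=1);

const INTROSPECTION_URL = 'https://auth.example.com/oauth/introspect'; // hypothetical
const RS_CLIENT_ID      = 'api-server';                                 // hypothetical
const RS_CLIENT_SECRET  = 'change-me';                                  // hypothetical
const EXPECTED_AUDIENCE = 'https://api.example.com';                    // hypothetical

/**
 * Ask the authorization server whether $token is active (RFC 7662).
 * The resource server authenticates itself to the AS with HTTP Basic, as a client.
 * Returns the decoded JSON response, or null on transport/parse failure.
 */
function introspectToken(string $token): ?array
{
    $ch = curl_init(INTROSPECTION_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'token'           => $token,
            'token_type_hint' => 'access_token',
        ]),
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => RS_CLIENT_ID . ':' . RS_CLIENT_SECRET,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        // Keep TLS verification on: the client secret and the token travel in this request.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    $data = json_decode($body, true);
    return is_array($data) ? $data : null;
}

/**
 * Decide whether an introspection response authorises a request that needs $requiredScope.
 * A missing response, or one without "active": true, fails closed.
 */
function tokenIsAcceptable(?array $info, string $requiredScope, int $now): bool
{
    if ($info === null || ($info['active'] ?? false) !== true) {
        return false;
    }
    // "exp" is optional in RFC 7662, but when present it must lie in the future.
    if (isset($info['exp']) && (int) $info['exp'] <= $now) {
        return false;
    }
    // When the AS reports an audience, the token must have been minted for this API.
    if (isset($info['aud'])) {
        $aud = is_array($info['aud']) ? $info['aud'] : [$info['aud']];
        if (!in_array(EXPECTED_AUDIENCE, $aud, true)) {
            return false;
        }
    }
    // "scope" is a space-separated list (RFC 6749 section 3.3).
    $scopes = preg_split('/\s+/', trim((string) ($info['scope'] ?? '')), -1, PREG_SPLIT_NO_EMPTY);
    return in_array($requiredScope, $scopes, true);
}

// Constructed sample responses (not real AS output) so the decision logic runs offline.
$now  = 1700000000;
$good = [
    'active' => true,
    'scope'  => 'read:profile write:profile',
    'aud'    => EXPECTED_AUDIENCE,
    'exp'    => $now + 600,
    'sub'    => 'user-42',
];
$expired        = $good;          // PHP arrays copy by value
$expired['exp'] = $now - 1;
$revoked        = ['active' => false];

var_dump(tokenIsAcceptable($good,    'read:profile', $now));
var_dump(tokenIsAcceptable($expired, 'read:profile', $now));
var_dump(tokenIsAcceptable($revoked, 'read:profile', $now));
var_dump(tokenIsAcceptable($good,    'admin',        $now));

// In a live request handler the two halves are combined as:
//   $ok = tokenIsAcceptable(introspectToken($bearerToken), 'read:profile', time());
```

The design point is that the client-side library that obtained the token never takes part in this step; the API server talks to the authorization server directly, and every decision is made from the AS's answer rather than from anything the client asserts about its own token.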