Note: Removing client auth would in some cases make the same valid again. We have to keep reference of it to block it. This is only valid if you want to reuse the same tokens intentionally (and you are sure what you are doing is OK for your use case)