When a client secret is expired and therefore SSO cannot be used anymore, it would probably be good if it became disabled.