diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 1f41816d..058e1363 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -51,7 +51,7 @@ public class OidcTokenExchanger {
 private static final Logger log = LoggerFactory.getLogger(OidcTokenExchanger.class);
 private final OidcConfigRepository configRepository;
- private final boolean tlsSkipVerify;
+ private final SecurityProperties securityProperties;
 private volatile String cachedIssuerUri;
 private volatile OIDCProviderMetadata providerMetadata;
@@ -60,10 +60,7 @@ public class OidcTokenExchanger {
 public OidcTokenExchanger(OidcConfigRepository configRepository, SecurityProperties securityProperties) {
 this.configRepository = configRepository;
- this.tlsSkipVerify = securityProperties.isOidcTlsSkipVerify();
- if (tlsSkipVerify) {
- log.warn("OIDC TLS skip-verify enabled for token exchanger");
- }
+ this.securityProperties = securityProperties;
 }
 public record OidcUserInfo(String subject, String email, String name, List roles, String idToken) {}
@@ -88,7 +85,7 @@ public class OidcTokenExchanger {
 );
 var httpRequest = tokenRequest.toHTTPRequest();
- if (tlsSkipVerify) {
+ if (securityProperties.isOidcTlsSkipVerify()) {
 httpRequest.setSSLSocketFactory(InsecureTlsHelper.socketFactory());
 httpRequest.setHostnameVerifier(InsecureTlsHelper.hostnameVerifier());
 }
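Review bot: The constructor no longer logs when TLS skip-verify is enabled, and none of the use sites in the hunks at 85, 202 and 223 log it either, so the path that disables certificate and hostname validation now runs with no trace in the logs. If the switch to reading `securityProperties.isOidcTlsSkipVerify()` on every call is meant to honour runtime changes to the flag, the warning should move with it: add `log.warn("OIDC TLS skip-verify enabled; certificate and hostname checks are disabled for this request");` inside the `if (securityProperties.isOidcTlsSkipVerify())` branches at 85 and 223 and before the `openStream` call at 202, rate-limited if those paths are hot. A short Javadoc on the new field stating that the flag is read per call rather than captured at construction would also make the intent of the change explicit.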
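Review bot: `securityProperties.isOidcTlsSkipVerify()` is now evaluated inline at three sites (this hunk, 202 and 223), so any future change to how the flag is derived has to be repeated in each. A private accessor keeps a single read site: `private boolean tlsSkipVerify() { return securityProperties.isOidcTlsSkipVerify(); }`, with the branch here becoming `if (tlsSkipVerify()) {`. The enclosing method starts and ends outside this hunk.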
@@ -205,7 +202,7 @@ public class OidcTokenExchanger {
 // .well-known/openid-configuration automatically, the user provides
 // the complete URL.
 URL discoveryUrl = new URI(issuerUri).toURL();
- try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, tlsSkipVerify)) {
+ try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
 JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE)
 .parse(in);
 providerMetadata = OIDCProviderMetadata.parse(json);
@@ -226,7 +223,7 @@ public class OidcTokenExchanger {
 OIDCProviderMetadata metadata = getProviderMetadata(issuerUri);
 URL jwksUrl = metadata.getJWKSetURI().toURL();
 JWKSource jwkSource;
- if (tlsSkipVerify) {
+ if (securityProperties.isOidcTlsSkipVerify()) {
 var retriever = new DefaultResourceRetriever(5000, 5000, 0, true, InsecureTlsHelper.socketFactory());
 jwkSource = new RemoteJWKSet<>(jwksUrl, retriever);