diff --git a/pom.xml b/pom.xml
index 55d4eff..e395fe2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,6 +82,10 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-security</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-oidc-client-filter</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-yaml</artifactId>
diff --git a/src/main/java/org/commonjava/indy/service/security/jaxrs/CustomClientRequestFilter.java b/src/main/java/org/commonjava/indy/service/security/jaxrs/CustomClientRequestFilter.java
new file mode 100644
index 0000000..daaa358
--- /dev/null
+++ b/src/main/java/org/commonjava/indy/service/security/jaxrs/CustomClientRequestFilter.java
@@ -0,0 +1,52 @@
+/**
+ * Copyright (C) 2022 Red Hat, Inc. (https://github.com/Commonjava/indy-security)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.commonjava.indy.service.security.jaxrs;
+
+import io.quarkus.oidc.client.filter.runtime.AbstractOidcClientRequestFilter;
+import jakarta.annotation.Priority;
+import jakarta.ws.rs.Priorities;
+import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.ext.Provider;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+
+@Provider
+@Priority(Priorities.AUTHENTICATION)
+public class CustomClientRequestFilter
+        extends AbstractOidcClientRequestFilter
+{
+    @ConfigProperty(name = "indy_security.enabled")
+    boolean securityEnabled;
+
+    private static final List<String> nonAuthMethods = Arrays.asList("GET", "HEAD"); // skip auth for GET/HEAD requests
+
+    @Override
+    public void filter(ClientRequestContext requestContext) throws IOException
+    {
+        if ( securityEnabled )
+        {
+            String method = requestContext.getMethod().toUpperCase();
+            if ( nonAuthMethods.contains(method) )
+            {
+                return;
+            }
+            super.filter( requestContext );
+        }
+    }
+}