diff --git a/Dockerfile b/Dockerfile
index 6e4948c4..d0c56d3f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -60,15 +60,18 @@ FROM ${RUNTIME_IMAGE}
 # Reload version
 ARG VERSION
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
 COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
 LABEL org.opencontainers.image.licenses=MIT \
 org.opencontainers.image.description="A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers." \
 org.opencontainers.image.documentation=https://oauth2-proxy.github.io/oauth2-proxy/ \
- org.opencontainers.image.source=https://github.com/oauth2-proxy/oauth2-proxy \
+ org.opencontainers.image.source=https://github.com/opensourceways/oauth2-proxy \
 org.opencontainers.image.url=https://quay.io/oauth2-proxy/oauth2-proxy \
 org.opencontainers.image.title=oauth2-proxy \
 org.opencontainers.image.version=${VERSION}
+USER 2000:2000
+
 ENTRYPOINT ["/bin/oauth2-proxy"]
diff --git a/oauthproxy.go b/oauthproxy.go
index baae846a..75f0485e 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -85,8 +85,8 @@ type OAuthProxy struct {
 SignInPath string
- enableAuthRouters bool
- authRouters []allowedRoute
+ enableAuthRouters bool
+ authRouters []allowedRoute
 allowedRoutes []allowedRoute
 apiRoutes []apiRoute
 redirectURL *url.URL // the url to receive requests at
diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
index 70a4d729..66abb8e6 100644
--- a/pkg/apis/options/options.go
+++ b/pkg/apis/options/options.go
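Review bot: The new `USER 2000:2000` drops privileges only after the `COPY --from=builder` lines, so `/etc/ssl/private/jwt_signing_key.pem` keeps the root ownership and mode it had in the builder stage; uid 2000 can then read the signing key only if that file is world-readable, and if it is not the proxy will fail to load it at startup. Change that line to `COPY --from=builder --chown=2000:2000 /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem` (with BuildKit, `--chmod=0400` as well) so the key is readable by the service account alone rather than by every user in the image. The key's mode in the builder stage and the permissions of `/etc/ssl/private` in the runtime image are outside this hunk and should be checked alongside this change.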
@@ -64,8 +64,8 @@ type Options struct {
 ForceJSONErrors bool `flag:"force-json-errors" cfg:"force_json_errors"`
 EncodeState bool `flag:"encode-state" cfg:"encode_state"`
 AllowQuerySemicolons bool `flag:"allow-query-semicolons" cfg:"allow_query_semicolons"`
- EnableAuthRouters bool `flag:"enable-auth-routers" cfg:"enable_auth_routers"`
- AuthRouters []string `flag:"auth-routers" cfg:"auth_routers"`
+ EnableAuthRouters bool `flag:"enable-auth-routers" cfg:"enable_auth_routers"`
+ AuthRouters []string `flag:"auth-routers" cfg:"auth_routers"`
 SignatureKey string `flag:"signature-key" cfg:"signature_key"`
 GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks"`
diff --git a/pkg/providers/oidc/verifier.go b/pkg/providers/oidc/verifier.go
index 9fd521fd..92a05390 100755
--- a/pkg/providers/oidc/verifier.go
+++ b/pkg/providers/oidc/verifier.go
@@ -3,7 +3,6 @@ package oidc
 import (
 "context"
 "fmt"
- "reflect"
 "github.com/coreos/go-oidc/v3/oidc"
 )
@@ -53,57 +52,5 @@ func (v *idTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.
 return nil, fmt.Errorf("failed to parse default id_token claims: %v", err)
 }
- // if isValidAudience, err := v.verifyAudience(token, claims); !isValidAudience {
- // return nil, err
- // }
-
 return token, err
 }
-
-func (v *idTokenVerifier) verifyAudience(token *oidc.IDToken, claims map[string]interface{}) (bool, error) {
- for _, audienceClaim := range v.verificationOptions.AudienceClaims {
- if audienceClaimValue, audienceClaimExists := claims[audienceClaim]; audienceClaimExists {
-
- // audience claim value can be either interface{} or []interface{},
- // as per spec `aud` can be either a string or a list of strings
- switch audienceClaimValueType := audienceClaimValue.(type) {
- case []interface{}:
- token.Audience = v.interfaceSliceToString(audienceClaimValue)
- case interface{}:
- token.Audience = []string{audienceClaimValue.(string)}
- default:
- return false, fmt.Errorf("audience claim %s holds unsupported type %T",
- audienceClaim, audienceClaimValueType)
- }
-
- return v.isValidAudience(audienceClaim, token.Audience, v.allowedAudiences)
- }
- }
-
- return false, fmt.Errorf("audience claims %v do not exist in claims: %v",
- v.verificationOptions.AudienceClaims, claims)
-}
-
-func (v *idTokenVerifier) isValidAudience(claim string, audience []string, allowedAudiences map[string]struct{}) (bool, error) {
- for _, aud := range audience {
- if _, allowedAudienceExists := allowedAudiences[aud]; allowedAudienceExists {
- return true, nil
- }
- }
-
- return false, fmt.Errorf(
- "audience from claim %s with value %s does not match with any of allowed audiences %v",
- claim, audience, allowedAudiences)
-}
-
-func (v *idTokenVerifier) interfaceSliceToString(slice interface{}) []string {
- s := reflect.ValueOf(slice)
- if s.Kind() != reflect.Slice {
- panic(fmt.Sprintf("given a non-slice type %s", s.Kind()))
- }
- var strings []string
- for i := 0; i < s.Len(); i++ {
- strings = append(strings, s.Index(i).Interface().(string))
- }
- return strings
-}