diff --git a/README.md b/README.md
index faa700b..5b51eb1 100644
--- a/README.md
+++ b/README.md
@@ -22,3 +22,8 @@ Deploy using the `-c` flag to specify one or multiple compose files.
 ```
 docker stack deploy temporal --detach=true -c compose.yaml
 ```
+
+## Next Steps and notes
+
+- Need to better understand how static config files are managed in this setup.
+ - Are they baked into the image, or mounted at runtime? Where are they stored? What is a good default location?
\ No newline at end of file
diff --git a/oci-image/Containerfile b/oci-image/Containerfile
index ee4ea22..7a0953a 100644
--- a/oci-image/Containerfile
+++ b/oci-image/Containerfile
@@ -17,4 +17,5 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /workspace/bin/temporal-server .
 FROM ${TEMPORAL_IMAGE} AS runtime
+WORKDIR /etc/temporal
 COPY --from=build /workspace/bin/temporal-server /usr/local/bin/temporal-server
diff --git a/oci-image/main.go b/oci-image/main.go
index 85495bb..959b80a 100644
--- a/oci-image/main.go
+++ b/oci-image/main.go
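Review bot: The new `WORKDIR /etc/temporal` in the runtime stage carries no comment saying why the working directory is changed, and the README hunk in this same commit records that the location of static config files is still an open question, so a reader cannot tell whether this directory is meant as the config location or only as a default cwd. WORKDIR also creates the directory in the image when it does not already exist, so the path will be present even if nothing is ever copied or mounted into it. A one-line comment above the instruction stating the intent, e.g. `# runtime working directory; relative paths the server opens resolve against this`, would make the decision traceable once the config-location question in the README is settled.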
@@ -21,29 +21,23 @@ func main() {
 logger := templog.NewCLILogger()
- authorizer, err := authorization.GetAuthorizerFromConfig(&cfg.Global.Authorization)
- if err != nil {
- log.Fatalf("authorizer: %v", err)
- }
-
- claimMapper, err := authorization.GetClaimMapperFromConfig(&cfg.Global.Authorization, logger)
- if err != nil {
- log.Fatalf("claim mapper: %v", err)
- }
-
- audienceMapper, err := authorization.GetAudienceMapperFromConfig(&cfg.Global.Authorization)
- if err != nil {
- log.Fatalf("audience mapper: %v", err)
- }
-
 srv, err := temporal.NewServer(
 temporal.ForServices(temporal.DefaultServices),
 temporal.WithConfig(cfg),
 temporal.WithLogger(logger),
 temporal.InterruptOn(temporal.InterruptCh()),
- temporal.WithAuthorizer(authorizer),
- temporal.WithClaimMapper(func(*config.Config) authorization.ClaimMapper { return claimMapper }),
- temporal.WithAudienceGetter(func(*config.Config) authorization.JWTAudienceMapper { return audienceMapper }),
+ temporal.WithAuthorizer(authorization.NewDefaultAuthorizer()),
+ temporal.WithClaimMapper(func(cfg *config.Config) authorization.ClaimMapper {
+ return authorization.NewDefaultJWTClaimMapper(
+ // token key provider - fetches public keys from the OIDC provider
+ authorization.NewDefaultTokenKeyProvider(&cfg.Global.Authorization, logger),
+ &cfg.Global.Authorization,
+ logger,
+ )
+ }),
+ temporal.WithAudienceGetter(func(cfg *config.Config) authorization.JWTAudienceMapper {
+ return authorization.NewAudienceMapper(cfg.Global.Authorization.Audience)
+ }),
 )
 if err != nil {
 log.Fatalf("setup server: %v", err)