diff --git a/Dockerfile b/Dockerfile
index 07ffb61754a9664e2fc6a6cd7606fc59d1d4003d..0992b530ad454c5c67585b5170586a8ebdea403d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,16 +1,14 @@
-FROM golang:1.15.7-alpine3.12
+FROM golang:1.15.7-alpine3.13 AS builder
+
+WORKDIR /usr/local/src/dex
+
+RUN apk add --no-cache --update alpine-sdk
 
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT=""
 
-WORKDIR /usr/local/src/dex
-
-ENV GOOS=${TARGETOS} \
-  GOARCH=${TARGETARCH} \
-  GOARM=${TARGETVARIANT}
-
-RUN apk add --no-cache --update alpine-sdk
+ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT}
 
 ARG GOPROXY
 
@@ -24,8 +22,6 @@ RUN make release-binary
 
 FROM alpine:3.13.0
 
-WORKDIR /
-
 # Dex connectors, such as GitHub and Google logins require root certificates.
 # Proper installations should manage those certificates, but it's a bad user
 # experience when this doesn't work out of the box.
@@ -33,17 +29,22 @@ WORKDIR /
 # OpenSSL is required so wget can query HTTPS endpoints for health checking.
 RUN apk add --no-cache --update ca-certificates openssl
 
-USER 1001:1001
+RUN mkdir -p /var/dex
+RUN chown -R 1001:1001 /var/dex
 
-COPY --from=0 /go/bin/dex /usr/local/bin/dex
+# Copy module files for CVE scanning / dependency analysis.
+COPY --from=builder /usr/local/src/dex/go.mod /usr/local/src/dex/go.sum /usr/local/src/dex/
+COPY --from=builder /usr/local/src/dex/api/v2/go.mod /usr/local/src/dex/api/v2/go.sum /usr/local/src/dex/api/v2/
 
-# Copy module dependencies for CVE scanning / dependency analysis.
-COPY go.mod go.sum                 /opt/dex/dependencies/
-COPY api/v2/go.mod api/v2/go.sum   /opt/dex/dependencies/api/v2/
+COPY --from=builder /go/bin/dex /usr/local/bin/dex
+
+USER 1001:1001
 
 # Import frontend assets and set the correct CWD directory so the assets
 # are in the default path.
-COPY web web
+COPY --from=builder /usr/local/src/dex/web /web
+
+USER 1001:1001
 
 ENTRYPOINT ["dex"]