diff --git a/idp/dex/provider.go b/idp/dex/provider.go
index a3e33dce2..2be302589 100644
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -496,7 +496,17 @@ func (p *Provider) Storage() storage.Storage {
 // Handler returns the Dex server as an http.Handler for embedding in another server.
 // The handler expects requests with path prefix "/oauth2/".
 func (p *Provider) Handler() http.Handler {
- return p.dexServer
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // NOTE: by default Dex will use the /logout route to only logout sessions, doesn't invalidate jwt tokens,
+ // to avoid confusion on users, we're not allowing for this, and only enable OIDC logout triggered through
+ // the dashboard which will invalidate both the session and the jwt token
+ if strings.HasSuffix(r.URL.Path, "/logout") && r.FormValue("id_token_hint") == "" {
+ http.Redirect(w, r, "/", http.StatusSeeOther)
+ return
+ }
+ p.dexServer.ServeHTTP(w, r)
+ })
 }
 // CreateUser creates a new user with the given email, username, and password.
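Review bot: The guard in the new HandlerFunc, `r.FormValue("id_token_hint") == ""`, only tests for presence, so any non-empty value, not just a token issued to the dashboard, reaches `p.dexServer.ServeHTTP` and the logout route; unless Dex itself validates the hint against its issuer and signing keys, this is a UX nudge rather than an enforcement point, and the NOTE comment should say so, e.g. `// Presence of id_token_hint is the only gate here; validating the hint is left to Dex.` The suffix match on `r.URL.Path` also misses trailing-slash or differently-cased variants, so it is worth confirming it covers exactly the routes Dex registers under the "/oauth2/" prefix. `r.FormValue` parses the request body for POSTs before Dex sees it; that is harmless if Dex also goes through ParseForm/FormValue (the parsed form is cached on the request) but would starve a handler that reads `r.Body` directly. The hunk shows no import change, so `strings` must already be imported elsewhere in the file.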