[keycloak-user] force renewal of authentication

[xljbi20]

Hi

I have successfully set up x509 authentication for me as a user with 
openidconnect.
Starting a clean browsersession will prompt me for my certificate 
password to logon.

But next time I visit the same application my earlier session is reused, 
this is of course nice for the user but if the administrator wants to 
force a real renewed authentication it is not OK.

I have tried passing login=prompt but this makes no difference.
How can I force a real renewal?