[keycloak-user] Question re app timeout

Does anyone know the answer to this? I want to setup up a Keycloak SSO for, say, five apps: only one of which is required (by U.S. State Law) to become logged out upon ten inactive minutes timeout. How can I achieve this in Keycloak? So for example: user signs in to Keycloak and begins working in APP1 then switches to APP2 and stays there for more than ten minutes. User re-visits APP1 which has been idle for more than ten minutes. By law he needs to re-authenticate to APP1 even though he remains already authenticated in Keycloak. How to force re-authentication for at least APP1? -Richard