[keycloak-user] force renewal of authentication

Hi I have successfully set up x509 authentication for me as a user with openidconnect. Starting a clean browsersession will prompt me for my certificate password to logon. But next time I visit the same application my earlier session is reused, this is of course nice for the user but if the administrator wants to force a real renewed authentication it is not OK. I have tried passing login=prompt but this makes no difference. How can I force a real renewal?