What you want to do is the following:
- On session creation, you want to add a timestamp to the access token payload whose value will be the current time. This value indicates the last time the user was authenticated.
- On a route or API which requires a dangerous action, fetch the access token payload and check the value of the timestamp. If this value is before a certain time (say before 5 mins ago), then redirect the user to a screen asking them to relogin, or do some login challenge.
- Whichever login challenge you show, in its API, once the login challenge is finished, you want to update the timestamp in the access token payload.
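
The three steps above as a runnable sketch, added here as an example and not taken from the original answer or from any session library. The HMAC-signed token, the `lastAuthAt` claim name, the demo key and all function names are assumptions standing in for your framework's access token payload.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # constructed value; load from a secret store in practice
MAX_AUTH_AGE = 5 * 60              # the "5 mins" window from the text, in seconds
CLAIM = "lastAuthAt"               # hypothetical claim name

class ReauthRequired(Exception):
    """Raised when the caller must be sent to the login challenge."""

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_token(payload: dict) -> str:
    # The payload is signed server-side so the client cannot edit the timestamp.
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()

def read_payload(token: str) -> dict:
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def create_session(user_id: str, now: float) -> str:
    # Step 1: stamp the time of authentication at session creation.
    return issue_token({"sub": user_id, CLAIM: int(now)})

def require_recent_auth(token: str, now: float, max_age: int = MAX_AUTH_AGE) -> dict:
    # Step 2: gate the dangerous route on the timestamp's age.
    # Fails closed on a missing, non-integer or future timestamp.
    payload = read_payload(token)
    ts = payload.get(CLAIM)
    if type(ts) is not int or ts > now or now - ts > max_age:
        raise ReauthRequired("authentication too old or timestamp invalid")
    return payload

def complete_challenge(token: str, challenge_passed: bool, now: float) -> str:
    # Step 3: only a passed challenge refreshes the timestamp.
    payload = read_payload(token)
    if not challenge_passed:
        raise ReauthRequired("challenge failed")
    return issue_token({**payload, CLAIM: int(now)})
```

The token issued before the challenge still verifies but stays stale, so the client has to be handed the token returned by `complete_challenge` before retrying the dangerous route.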