You can call `/authorize` with `prompt=login` (`prompt: 'login'` if you’re using auth0.js) and the login box will always appear (even if you’re already logged in).
One other approach would be to log in the user with the “default” scopes (let’s say `openid email profile`) and create scopes for each one of the sensitive operations. Then, when you call your API, the scope won’t be there and you should redirect to the login page with the scope you created. This will also trigger a new login, because you’re adding more scopes to the mix.
Does that solve your issue?
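
The scope-based approach described above, as an added example that is not part of the original post and is not Auth0's own code: the API rejects a sensitive call when the scope is missing, and the client builds the `/authorize` redirect that requests it with `prompt=login`. The tenant domain, client ID, audience, redirect URI, `state` value and the `transfer:funds` scope name are hypothetical placeholders.

```javascript
// Added example. Domain, client ID, audience, redirect URI and the
// 'transfer:funds' scope are hypothetical placeholders.
const BASE_SCOPES = ['openid', 'email', 'profile'];

// The scope claim is a space-delimited string; compare whole tokens so that
// 'transfer:funds' is not satisfied by 'transfer:funds:read'.
function hasScope(grantedScope, required) {
  return (grantedScope || '').split(' ').filter(Boolean).includes(required);
}

// API side: runs on claims from an access token whose signature, issuer,
// audience and expiry have already been validated.
function checkSensitiveOperation(claims, requiredScope) {
  if (hasScope(claims.scope, requiredScope)) return { allowed: true };
  return { allowed: false, status: 403, error: 'insufficient_scope', scope: requiredScope };
}

// Client side: on the 403, build the /authorize redirect that asks for the
// missing scope and forces the login box with prompt=login.
function buildStepUpUrl({ domain, clientId, audience, redirectUri, requiredScope, state }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    audience,
    redirect_uri: redirectUri,
    scope: [...BASE_SCOPES, requiredScope].join(' '),
    prompt: 'login',
    state, // unguessable per-request value, checked again on the callback
  }).toString();
  return url.toString();
}

// Constructed sample: token issued at first login with default scopes only.
const sampleClaims = { sub: 'auth0|constructed-user', scope: 'openid email profile' };
const decision = checkSensitiveOperation(sampleClaims, 'transfer:funds');
const stepUpUrl = decision.allowed ? null : buildStepUpUrl({
  domain: 'tenant.example.com',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  audience: 'https://api.example.com',
  redirectUri: 'https://app.example.com/callback',
  requiredScope: decision.scope,
  state: 'STATE_PLACEHOLDER',
});
console.log(decision, stepUpUrl);
```

The scope check is what protects the operation; `prompt=login` is only a request parameter sent by the client, so the API should never treat its presence as proof of anything.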