@BarryCarlyon I just did some testing and I think I found a way around that. Hopefully this makes sense.
When a user sign up for your service you just request really basic scopes. Then later on you can request access to more scopes to allow them to use certain features they want to use by including just the new scopes in that authorization request.
What this results in is having two sets of access and refresh tokens for the two times you requested access to different scopes.
This obviously isn’t ideal so what you can do is then send them through the oauth flow again with force verify set to false and in that request just include all of the scopes they have authorized across the two tokens and they’ll get redirected back to you automatically with a new combined token.