If you want to update the scope of an existing token, and if your authorization server provides a mechanism for this, just do it. Essentially, a specific authorization server implementation provides a web API for updating the scopes of existing access tokens (the /auth/token/update API and the /auth/client/authorization/update API).
Whether access tokens can be updated or not depends on each implementation of the authorization server. For example, if the implementation type of the access token is "self-contained" (for example, JWT), the access tokens cannot be changed. On the other hand, if the type is "random string" (in this case, the actual data is stored in the database behind the authorization server), access tokens can be modified. See "7.1. Presenting the access token" in "Full-fledged OAuth and OpenID Connect Talking On Findings" for details.
In some implementations of the authorization server, several access tokens are issued for one combination of user and client application, while other implementations issue only one access token for this combination. A specific authorization server implementation provides a configuration flag that allows you to select either of the behaviors, as shown below. See also this answer.

Which approach you should take depends on your use case. Find the authorization server implementation that is best for your use.
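An added illustration of the distinction drawn above, not code from the answer or from any authorization server product: a self-contained HS256-style token whose scope cannot be changed without re-signing, beside a "random string" reference token whose scope is updated in the server-side store. The signing key, claims and token store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real authorization server keeps its signing key secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict) -> str:
    """Self-contained token: the scope is part of the signed payload (HS256-style)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str):
    """Resource-server check: return the claims if the signature verifies, else None."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))

def rewrite_jwt_scope(token: str, new_scope: str) -> str:
    """Edit the scope claim in place; without re-signing, the old signature no longer matches."""
    head, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["scope"] = new_scope
    return f"{head}.{_b64url(json.dumps(claims).encode())}.{sig}"

# Reference ("random string") token: the scope lives in the server-side store, not in the token.
TOKEN_STORE: dict = {}

def issue_reference_token(claims: dict) -> str:
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = dict(claims)
    return token

def update_reference_scope(token: str, new_scope: str) -> bool:
    """Server-side update succeeds without touching the token string the client holds."""
    if token not in TOKEN_STORE:
        return False
    TOKEN_STORE[token]["scope"] = new_scope
    return True

def introspect(token: str):
    return TOKEN_STORE.get(token)
```

For a self-contained token the only way to change the scope is to issue a new, freshly signed token; the in-place edit fails verification, which is exactly why such tokens are "not changed".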